CVE version: 20061101

CVE Candidates as of 20231207

Candidates must be reviewed and accepted by the CVE Editorial Board before they can be added to the official CVE list. Therefore, these candidates may be modified or even rejected in the future. They are provided for use by individuals who have a need for an early numbering scheme for items that have not been fully reviewed by the Editorial Board.

======================================================
Name: CVE-1999-0001
Status: Candidate
Phase: Modified(20051217)
Reference: BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service
Reference: CERT:CA-98-13-tcp-denial-of-service
Reference: CONFIRM:http://www.openbsd.org/errata23.html#tcpfix
Reference: OSVDB:5707
Reference: URL:http://www.osvdb.org/5707

ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> A Bugtraq posting indicates that the bug has to do with "short packets with certain options set," so the description should be modified accordingly. But is this the same as CVE-1999-0052? That one is related to nestea (CVE-1999-0257) and probably the one described in
   BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
   The patch for nestea is in ip_input.c around line 750. The patches for CVE-1999-0001 are in lines 388&446. So, CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. The FreeBSD patch for CVE-1999-0052 is in line 750. So, CVE-1999-0257 and CVE-1999-0052 may be the same, though CVE-1999-0052 should be RECAST since this bug affects Linux and other OSes besides FreeBSD.
 Frech> XF:teardrop(338)
   This assignment was based solely on references to the CERT advisory.
 Christey> The description for BID:190, which links to CVE-1999-0052 (a FreeBSD advisory), notes that the patches provided by FreeBSD in CERT:CA-1998-13 suggest a connection between CVE-1999-0001 and CVE-1999-0052. CERT:CA-1998-13 is too vague to be sure without further analysis.

======================================================
Name: CVE-1999-0002
Status: Entry
Reference: BID:121
Reference: URL:http://www.securityfocus.com/bid/121
Reference: CERT:CA-98.12.mountd
Reference: CIAC:J-006
Reference: URL:http://www.ciac.org/ciac/bulletins/j-006.shtml
Reference: SGI:19981006-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981006-01-I
Reference: XF:linux-mountd-bo

Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.

======================================================
Name: CVE-1999-0003
Status: Entry
Reference: BID:122
Reference: URL:http://www.securityfocus.com/bid/122
Reference: CERT:CA-98.11.tooltalk
Reference: NAI:NAI-29
Reference: SGI:19981101-01-A
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981101-01-A
Reference: SGI:19981101-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981101-01-PX
Reference: XF:aix-ttdbserver
Reference: XF:tooltalk

Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).

======================================================
Name: CVE-1999-0004
Status: Candidate
Phase: Modified(19990621)
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: MS:MS98-008
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-008
Reference: SUN:00175
Reference: XF:outlook-long-name

MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.
Current Votes:
   ACCEPT(8) Baker, Cole, Collins, Dik, Landfield, Magdych, Northcutt, Wall
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Shostack

Voter Comments:
 Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject this suggestion, I will not be devastated.) :-)
 Christey> This issue seems to have been rediscovered in
   BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
   http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
   Also see
   BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
   http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
 Christey> CVE-2000-0415 may be a later rediscovery of this problem for Outlook.
 Dik> Sun bug 4163471,
 Christey> ADDREF BID:125
 Christey> BUGTRAQ:19980730 Long Filenames & Lotus Products
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2

======================================================
Name: CVE-1999-0005
Status: Entry
Reference: BID:130
Reference: URL:http://www.securityfocus.com/bid/130
Reference: CERT:CA-98.09.imapd
Reference: SUN:00177
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/177
Reference: XF:imap-authenticate-bo

Arbitrary command execution via IMAP buffer overflow in authenticate command.

======================================================
Name: CVE-1999-0006
Status: Entry
Reference: AUSCERT:AA-98.01
Reference: BID:133
Reference: URL:http://www.securityfocus.com/bid/133
Reference: CERT:CA-98.08.qpopper_vul
Reference: SGI:19980801-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980801-01-I
Reference: XF:qpopper-pass-overflow

Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command.
======================================================
Name: CVE-1999-0007
Status: Entry
Reference: CERT:CA-98.07.PKCS
Reference: MS:MS98-002
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-002
Reference: XF:nt-ssl-fix

Information from SSL-encrypted sessions via PKCS #1.

======================================================
Name: CVE-1999-0008
Status: Entry
Reference: CERT:CA-98.06.nisd
Reference: ISS:June10,1998
Reference: SUN:00170
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/170
Reference: XF:nisd-bo-check

Buffer overflow in NIS+, in Sun's rpc.nisd program.

======================================================
Name: CVE-1999-0009
Status: Entry
Reference: BID:134
Reference: URL:http://www.securityfocus.com/bid/134
Reference: CERT:CA-98.05.bind_problems
Reference: HP:HPSBUX9808-083
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
Reference: SGI:19980603-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Reference: SUN:00180
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180
Reference: XF:bind-bo

Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

======================================================
Name: CVE-1999-0010
Status: Entry
Reference: CERT:CA-98.05.bind_problems
Reference: HP:HPSBUX9808-083
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
Reference: SGI:19980603-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Reference: XF:bind-dos

Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages.
======================================================
Name: CVE-1999-0011
Status: Entry
Reference: CERT:CA-98.05.bind_problems
Reference: HP:HPSBUX9808-083
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
Reference: SGI:19980603-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Reference: SUN:00180
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180
Reference: XF:bind-axfr-dos

Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer.

======================================================
Name: CVE-1999-0012
Status: Entry
Reference: CERT:CA-98.04.Win32.WebServers
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0012
Reference: XF:nt-web8.3

Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names.

======================================================
Name: CVE-1999-0013
Status: Entry
Reference: CERT:CA-98.03.ssh-agent
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0013
Reference: NAI:NAI-24
Reference: XF:ssh-agent

Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user.

======================================================
Name: CVE-1999-0014
Status: Entry
Reference: CERT:CA-98.02.CDE
Reference: HP:HPSBUX9801-075
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-075
Reference: SUN:00185
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/185

Unauthorized privileged access or denial of service via dtappgather program in CDE.
======================================================
Name: CVE-1999-0015
Status: Candidate
Phase: Modified(20090302)
Reference: CERT:CA-97.28.Teardrop_Land
Reference: OVAL:oval:org.mitre.oval:def:5579
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5579
Reference: XF:teardrop

Teardrop IP denial of service.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF: teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> MSKB:Q154174
   MSKB:Q154174 (CVE-1999-0015) and MSKB:Q179129 (CVE-1999-0104) indicate that CVE-1999-0015 was fixed in NT SP3, but CVE-1999-0104 was not. Thus CD:SF-LOC suggests that the problems keep separate candidates because one problem appears in a different version than the other.
 Christey> BID:124
   http://www.securityfocus.com/bid/124
   Consider MSKB:Q154174
   http://support.microsoft.com/support/kb/articles/q154/1/74.asp
   Consider BUGTRAQ:19971113 Linux IP fragment overlap bug
   http://www.securityfocus.com/archive/1/8014

======================================================
Name: CVE-1999-0016
Status: Entry
Reference: CERT:CA-97.28.Teardrop_Land
Reference: CISCO:http://www.cisco.com/warp/public/770/land-pub.shtml
Reference: FREEBSD:FreeBSD-SA-98:01
Reference: HP:HPSBUX9801-076
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-076
Reference: XF:95-verv-tcp
Reference: XF:cisco-land
Reference: XF:land
Reference: XF:land-patch
Reference: XF:ver-tcpip-sys

Land IP denial of service.
======================================================
Name: CVE-1999-0017
Status: Entry
Reference: CERT:CA-97.27.FTP_bounce
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0017
Reference: XF:ftp-bounce
Reference: XF:ftp-privileged-port

FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.

======================================================
Name: CVE-1999-0018
Status: Entry
Reference: AUSCERT:AA-97.29
Reference: BID:127
Reference: URL:http://www.securityfocus.com/bid/127
Reference: CERT:CA-97.26.statd
Reference: XF:statd

Buffer overflow in statd allows root privileges.

======================================================
Name: CVE-1999-0019
Status: Entry
Reference: CERT:CA-96.09.rpc.statd
Reference: SUN:00135
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/135
Reference: XF:rpc-stat

Delete or create a file via rpc.statd, due to invalid information.

======================================================
Name: CVE-1999-0020
Status: Candidate
Phase: Modified(20050204)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Current Votes:
   MODIFY(1) Frech
   NOOP(4) Levy, Northcutt, Shostack, Wall
   REJECT(2) Baker, Christey

Voter Comments:
 Frech> XF:lpr-bo
 Christey> DUPE CVE-1999-0032, which includes XF:lpr-bo

======================================================
Name: CVE-1999-0021
Status: Entry
Reference: BID:128
Reference: URL:http://www.securityfocus.com/bid/128
Reference: BUGTRAQ:19971010 Security flaw in Count.cgi (wwwcount)
Reference: CERT:CA-97.24.Count_cgi
Reference: XF:http-cgi-count

Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program.
======================================================
Name: CVE-1999-0022
Status: Entry
Reference: CERT:CA-97.23.rdist
Reference: SUN:00179
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/179
Reference: XF:rdist-bo3
Reference: XF:rdist-sept97

Local user gains root privileges via buffer overflow in rdist, via expstr() function.

======================================================
Name: CVE-1999-0023
Status: Entry
Reference: CERT:CA-96.14.rdist_vul
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0023
Reference: XF:rdist-bo
Reference: XF:rdist-bo2

Local user gains root privileges via buffer overflow in rdist, via lookup() function.

======================================================
Name: CVE-1999-0024
Status: Entry
Reference: CERT:CA-97.22.bind
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0024
Reference: NAI:NAI-11
Reference: XF:bind

DNS cache poisoning via BIND, by predictable query IDs.

======================================================
Name: CVE-1999-0025
Status: Entry
Reference: AUSCERT:AA-97.19.IRIX.df.buffer.overflow.vul
Reference: BID:346
Reference: URL:http://www.securityfocus.com/bid/346
Reference: CERT:CA-1997-21
Reference: URL:http://www.cert.org/advisories/CA-1997-21.html
Reference: CERT-VN:VU#20851
Reference: URL:http://www.kb.cert.org/vuls/id/20851
Reference: SGI:SGI:19970505-01-A
Reference: SGI:SGI:19970505-02-PX
Reference: XF:df-bo(440)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/440

root privileges via buffer overflow in df command on SGI IRIX systems.

======================================================
Name: CVE-1999-0026
Status: Entry
Reference: AUSCERT:AA-97.20.IRIX.pset.buffer.overflow.vul
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0026
Reference: XF:pset-bo

root privileges via buffer overflow in pset command on SGI IRIX systems.
======================================================
Name: CVE-1999-0027
Status: Entry
Reference: AUSCERT:AA-97.21.IRIX.eject.buffer.overflow.vul
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0027
Reference: XF:eject-bo

root privileges via buffer overflow in eject command on SGI IRIX systems.

======================================================
Name: CVE-1999-0028
Status: Entry
Reference: AUSCERT:AA-97.22.IRIX.login.scheme.buffer.overflow.vul
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0028
Reference: XF:sgi-schemebo

root privileges via buffer overflow in login/scheme command on SGI IRIX systems.

======================================================
Name: CVE-1999-0029
Status: Entry
Reference: AUSCERT:AA-97.23-IRIX.ordist.buffer.overflow.vul
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0029
Reference: XF:ordist-bo

root privileges via buffer overflow in ordist command on SGI IRIX systems.

======================================================
Name: CVE-1999-0030
Status: Candidate
Phase: Proposed(19990623)
Reference: AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0030
Reference: SGI:19970508-02-PX
Reference: XF:sgi-xlockbo

root privileges via buffer overflow in xlock command on SGI IRIX systems.

Current Votes:
   ACCEPT(3) Levy, Ozancin, Prosser
   NOOP(1) Baker
   RECAST(1) Frech
   REJECT(1) Christey

Voter Comments:
 Frech> XF:xlock-bo (also add)
   As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and several Linii. Also, don't you mean to cite SGI:19970502-02-PX? The one you list is login/scheme.
 Levy> Notice that this xlock overflow is the same as in CA-97.13. CA-97.21 simply is a reminder.
 Christey> As pointed out by Elias, CA-97.21 states:
   "For more information about vulnerabilities in xlock... see CA-97.13"
   CA-97.13 = CVE-1999-0038. This may also be a duplicate with CVE-1999-0306. See exploits at:
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2
   Sun also has this problem, at
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba

======================================================
Name: CVE-1999-0031
Status: Entry
Reference: CERT:CA-97.20.javascript
Reference: HP:HPSBUX9707-065
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html

JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability.

======================================================
Name: CVE-1999-0032
Status: Entry
Reference: AUSCERT:AA-96.12
Reference: BID:707
Reference: URL:http://www.securityfocus.com/bid/707
Reference: BUGTRAQ:19960813 Possible bufferoverflow condition in lpr, xterm and xload
Reference: BUGTRAQ:19961025 Linux & BSD's lpr exploit
Reference: CERT:CA-97.19.bsdlp
Reference: CIAC:H-08
Reference: CIAC:I-042
Reference: URL:http://www.ciac.org/ciac/bulletins/i-042.shtml
Reference: MLIST:[freebsd-security] 19961025 Vadim Kolontsov: BoS: Linux & BSD's lpr exploit
Reference: MLIST:[linux-security] 19961122 LSF Update#14: Vulnerability of the lpr program.
Reference: SGI:19980402-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980402-01-PX
Reference: XF:bsd-lprbo
Reference: XF:bsd-lprbo2
Reference: XF:lpr-bo

Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.
======================================================
Name: CVE-1999-0033
Status: Candidate
Phase: Modified(20040811)
Reference: CERT:CA-97.18.at
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0033
Reference: SUN:00160
Reference: XF:sun-atbo

Command execution in Sun systems via buffer overflow in the at program.

Current Votes:
   ACCEPT(8) Baker, Cole, Collins, Dik, Hill, Northcutt, Shostack, Wall
   NOOP(1) Christey
   RECAST(1) Frech

Voter Comments:
 Frech> This vulnerability also manifests itself for the following platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light, please add the following:
   Reference: XF:at-bo
 Dik> Sun bug 1265200, 4063161
 Christey> ADDREF SGI:19971102-01-PX
   ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX
   SCO:SB.97:01
   ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a
 Christey> CIAC:F-15
   http://ciac.llnl.gov/ciac/bulletins/f-15.shtml
   HP:HPSBUX9502-023
 Christey> Add period to the end of the description.

======================================================
Name: CVE-1999-0034
Status: Entry
Reference: CERT:CA-97.17.sperl
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0034
Reference: XF:perl-suid

Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.

======================================================
Name: CVE-1999-0035
Status: Entry
Reference: AUSCERT:AA-97.03
Reference: CERT:CA-97.16.ftpd
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0035
Reference: XF:ftp-ftpd

Race condition in signal handling routine in ftpd, allowing read/write arbitrary files.
======================================================
Name: CVE-1999-0036
Status: Entry
Reference: AUSCERT:AA-97.12
Reference: CERT:CA-97.15.sgi_login
Reference: CIAC:H-106
Reference: URL:http://www.ciac.org/ciac/bulletins/h-106.shtml
Reference: OSVDB:990
Reference: URL:http://www.osvdb.org/990
Reference: SGI:19970508-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970508-02-PX
Reference: XF:sgi-lockout(557)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/557

IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files.

======================================================
Name: CVE-1999-0037
Status: Entry
Reference: CERT:CA-97.14.metamail
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0037
Reference: XF:metamail-header-commands

Arbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail.

======================================================
Name: CVE-1999-0038
Status: Entry
Reference: CERT:CA-97.13.xlock
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0038
Reference: XF:xlock-bo

Buffer overflow in xlock program allows local users to execute commands as root.
======================================================
Name: CVE-1999-0039
Status: Entry
Reference: AUSCERT:AA-97.14
Reference: BID:374
Reference: URL:http://www.securityfocus.com/bid/374
Reference: BUGTRAQ:19970507 Re: SGI Advisory: webdist.cgi
Reference: BUGTRAQ:19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in
Reference: CERT:CA-1997-12
Reference: URL:http://www.cert.org/advisories/CA-1997-12.html
Reference: OSVDB:235
Reference: URL:http://www.osvdb.org/235
Reference: SGI:19970501-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
Reference: XF:http-sgi-webdist(333)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/333

webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter.

======================================================
Name: CVE-1999-0040
Status: Entry
Reference: CERT:CA-97.11.libXt
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0040
Reference: XF:libXt-bo

Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.

======================================================
Name: CVE-1999-0041
Status: Entry
Reference: CERT:CA-97.10.nls
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0041
Reference: XF:nls-bo

Buffer overflow in NLS (Natural Language Service).

======================================================
Name: CVE-1999-0042
Status: Entry
Reference: CERT:CA-97.09.imap_pop
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0042
Reference: NAI:NAI-21
Reference: XF:popimap-bo

Buffer overflow in University of Washington's implementation of IMAP and POP servers.
======================================================
Name: CVE-1999-0043
Status: Entry
Reference: CERT:CA-97.08.innd
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0043
Reference: XF:inn-controlmsg

Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others.

======================================================
Name: CVE-1999-0044
Status: Entry
Reference: SGI:19970301-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970301-01-P
Reference: XF:sgi-fsdump

fsdump command in IRIX allows local users to obtain root access by modifying sensitive files.

======================================================
Name: CVE-1999-0045
Status: Entry
Reference: CERT:CA-97.07.nph-test-cgi_script
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0045
Reference: XF:http-cgi-nph

List of arbitrary files on Web host via nph-test-cgi script.

======================================================
Name: CVE-1999-0046
Status: Entry
Reference: CERT:CA-97.06.rlogin-term
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0046
Reference: XF:rlogin-termbo

Buffer overflow of rlogin program using TERM environmental variable.

======================================================
Name: CVE-1999-0047
Status: Entry
Reference: BID:685
Reference: URL:http://www.securityfocus.com/bid/685
Reference: CERT:CA-97.05.sendmail
Reference: XF:sendmail-mime-bo2

MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4.
======================================================
Name: CVE-1999-0048
Status: Entry
Reference: AUSCERT:AA-97.01
Reference: CERT:CA-97.04.talkd
Reference: FREEBSD:FreeBSD-SA-96:21
Reference: SUN:00147
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/147
Reference: XF:netkit-talkd
Reference: XF:talkd-bo

Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges.

======================================================
Name: CVE-1999-0049
Status: Entry
Reference: CERT:CA-97.03.csetup
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0049
Reference: XF:sgi-csetup

Csetup under IRIX allows arbitrary file creation or overwriting.

======================================================
Name: CVE-1999-0050
Status: Entry
Reference: AUSCERT:AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability
Reference: CERT:CA-97.02.hp_newgrp
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0050
Reference: XF:hp-newgrpbo

Buffer overflow in HP-UX newgrp program.

======================================================
Name: CVE-1999-0051
Status: Entry
Reference: AUSCERT:AA-96.03
Reference: CERT:CA-97.01.flex_lm
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0051
Reference: XF:sgi-licensemanager

Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.

======================================================
Name: CVE-1999-0052
Status: Entry
Reference: FREEBSD:FreeBSD-SA-98:08
Reference: OSVDB:908
Reference: URL:http://www.osvdb.org/908
Reference: XF:freebsd-ip-frag-dos(1389)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1389

IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash.
======================================================
Name: CVE-1999-0053
Status: Entry
Reference: FREEBSD:FreeBSD-SA-98:07
Reference: OSVDB:6094
Reference: URL:http://www.osvdb.org/6094

TCP RST denial of service in FreeBSD.

======================================================
Name: CVE-1999-0054
Status: Entry
Reference: SUN:00171
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/171
Reference: XF:sun-ftpd

Sun's ftpd daemon can be subjected to a denial of service.

======================================================
Name: CVE-1999-0055
Status: Entry
Reference: AIXAPAR:IX80543
Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IX80543&apar=only
Reference: RSI:RSI.0005.05-14-98.SUN.LIBNSL
Reference: SUN:00172
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172
Reference: XF:sun-libnsl

Buffer overflows in Sun libnsl allow root access.

======================================================
Name: CVE-1999-0056
Status: Entry
Reference: SUN:00174
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/174
Reference: XF:sun-ping

Buffer overflow in Sun's ping program can give root access to local users.

======================================================
Name: CVE-1999-0057
Status: Entry
Reference: HP:HPSBUX9811-087
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9811-087
Reference: NAI:NAI-19
Reference: XF:vacation

Vacation program allows command execution by remote users through a sendmail command.

======================================================
Name: CVE-1999-0058
Status: Entry
Reference: BID:712
Reference: URL:http://www.securityfocus.com/bid/712
Reference: NAI:NAI-12
Reference: XF:http-cgi-phpbo

Buffer overflow in PHP cgi program, php.cgi allows shell access.
======================================================
Name: CVE-1999-0059
Status: Entry
Reference: BID:353
Reference: URL:http://www.securityfocus.com/bid/353
Reference: NAI:NAI-16
Reference: OSVDB:164
Reference: URL:http://www.osvdb.org/164
Reference: XF:irix-fam(325)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/325

IRIX fam service allows an attacker to obtain a list of all files on the server.

======================================================
Name: CVE-1999-0060
Status: Entry
Reference: ASCEND:http://www.ascend.com/2695.html
Reference: MISC:http://www.ascend.com/2695.html
Reference: NAI:NAI-26
Reference: XF:ascend-config-kill

Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool.

======================================================
Name: CVE-1999-0061
Status: Candidate
Phase: Proposed(19990630)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0061
Reference: NAI:NAI-20
Reference: XF:bsd-lpd

File creation and deletion, and remote execution, in the BSD line printer daemon (lpd).

Current Votes:
   ACCEPT(3) Frech, Hill, Northcutt
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Christey> This should be split into three separate problems based on the SNI advisory. But there's newer information to further complicate things. What do we do about this one? In 1997 or so, SNI did an advisory on this problem. In early 2000, it was still discovered to be present in some Linux systems. So an SF-DISCOVERY content decision might say that this is a long enough time between the two, so this should be recorded separately. But they're the same codebase... so if we keep them in the same entry, how do we make sure that this entry reflects that some new information has been discovered?
   The use of dot notation may help in this regard, to use one dot for the original problem as discovered in 1997, and another dot for the resurgence of the problem in 2000.
 Baker> We should merge these.
 Christey> Perhaps this should be NAI-19 instead of NAI-20? The original Bugtraq post for the SNI advisory suggests SNI-19:
   BUGTRAQ:19971002 SNI-19:BSD lpd vulnerability
   URL:SNI-19:BSD lpd vulnerability
   Also add:
   BUGTRAQ:19971021 SNI-19: BSD lpd vulnerabilities (UPDATE)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87747479514310&w=2
   However, archives of "NAI-0020" point to the lpd vuln. If I recall correctly, some of the NAI advisory numbers got switched when NAI acquired SNI.

======================================================
Name: CVE-1999-0062
Status: Entry
Reference: NAI:NAI-28
Reference: OSVDB:7559
Reference: URL:http://www.osvdb.org/7559
Reference: XF:openbsd-chpass

The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage.

======================================================
Name: CVE-1999-0063
Status: Entry
Reference: AUSCERT:ESB-98.197
Reference: CISCO:http://www.cisco.com/warp/public/770/iossyslog-pub.shtml
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0063
Reference: XF:cisco-syslog-crash

Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port.

======================================================
Name: CVE-1999-0064
Status: Entry
Reference: BUGTRAQ:May28,1997
Reference: MISC:https://marc.info/?l=bugtraq&m=87602167418428&w=2
Reference: XF:lquerylv-bo

Buffer overflow in AIX lquerylv program gives root access to local users.
======================================================
Name: CVE-1999-0065
Status: Entry
Reference: SUN:00181
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/181
Reference: XF:hp-dtmail

Multiple buffer overflows in how dtmail handles attachments allow a remote attacker to execute commands.

======================================================
Name: CVE-1999-0066
Status: Entry
Reference: BID:719
Reference: URL:http://www.securityfocus.com/bid/719
Reference: BUGTRAQ:19950731 SECURITY HOLE: "AnyForm" CGI
Reference: XF:http-cgi-anyform

AnyForm CGI remote execution.

======================================================
Name: CVE-1999-0067
Status: Entry
Reference: AUSCERT:AA-96.01
Reference: BID:629
Reference: URL:http://www.securityfocus.com/bid/629
Reference: BUGTRAQ:19960923 PHF Attacks - Fun and games for the whole family
Reference: CERT:CA-1996-06
Reference: URL:http://www.cert.org/advisories/CA-1996-06.html
Reference: OSVDB:136
Reference: URL:http://www.osvdb.org/136
Reference: XF:http-cgi-phf

phf CGI program allows remote command execution through shell metacharacters.

======================================================
Name: CVE-1999-0068
Status: Entry
Reference: BID:713
Reference: URL:http://www.securityfocus.com/bid/713
Reference: BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts
Reference: OSVDB:3396
Reference: URL:http://www.osvdb.org/3396
Reference: XF:http-cgi-php-mylog

CGI PHP mylog script allows an attacker to read any file on the target server.

======================================================
Name: CVE-1999-0069
Status: Entry
Reference: OSVDB:8158
Reference: URL:http://www.osvdb.org/8158
Reference: SUN:00169
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/169
Reference: XF:sun-ufsrestore

Solaris ufsrestore buffer overflow.
======================================================
Name: CVE-1999-0070
Status: Entry
Reference: MLIST:[httpd-users] 20200814 [users@httpd] CVE NIST discrepancies
Reference: URL:https://lists.apache.org/thread.html/rc5d27fc1e76dc5650e1a3f1db1de403120f4c2d041cb7352850455c2@%3Cusers.httpd.apache.org%3E
Reference: XF:http-cgi-test

test-cgi program allows an attacker to list files on the server.

======================================================
Name: CVE-1999-0071
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0071
Reference: NAI:NAI-2
Reference: XF:http-apache-cookie

Apache httpd cookie buffer overflow for versions 1.1.1 and earlier.

======================================================
Name: CVE-1999-0072
Status: Entry
Reference: ERS:ERS-SVA-E01-1997:004.1
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0072
Reference: XF:ibm-xdat

Buffer overflow in AIX xdat gives root access to local users.

======================================================
Name: CVE-1999-0073
Status: Entry
Reference: CERT:CA-95:14.Telnetd_Environment_Vulnerability
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0073
Reference: XF:linkerbug

Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.

======================================================
Name: CVE-1999-0074
Status: Entry
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0074
Reference: XF:seqport

Listening TCP ports are sequentially allocated, allowing spoofing attacks.

======================================================
Name: CVE-1999-0075
Status: Entry
Reference: BUGTRAQ:19961016 Re: ftpd bug?
   Was: bin/1805: Bug in ftpd
Reference: OSVDB:5742
Reference: URL:http://www.osvdb.org/5742
Reference: XF:ftp-pasvcore

PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password.

======================================================
Name: CVE-1999-0076
Status: Candidate
Phase: Modified(19990925)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0076
Reference: XF:ftp-args

Buffer overflow in wu-ftp from PASV command causes a core dump.

Current Votes:
   ACCEPT(3) Baker, Frech, Ozancin
   NOOP(1) Balinsky
   REVIEWING(1) Christey

Voter Comments:
 Balinsky> Don't know what this is. Is this the LIST Core dump vulnerability?
 Christey> Need to add more references and details.

======================================================
Name: CVE-1999-0077
Status: Entry
Reference: XF:tcp-seq-predict(139)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/139

Predictable TCP sequence numbers allow spoofing.

======================================================
Name: CVE-1999-0078
Status: Candidate
Phase: Modified(19990621)
Reference: CERT:CA-96.08.pcnfsd
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0078
Reference: XF:rpc-pcnfsd

pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.

Current Votes:
   ACCEPT(5) Collins, Frech, Landfield, Northcutt, Shostack
   NOOP(1) Baker
   RECAST(1) Christey

Voter Comments:
 Christey> This candidate should be SPLIT, since there are two separate software flaws. One is a symlink race and the other is a shell metacharacter problem.
 Christey> The permissions part of this vulnerability appears to overlap with CVE-1999-0353
 Christey> SGI:20020802-01-I

======================================================
Name: CVE-1999-0079
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0079
Reference: XF:ftp-pasv-dos
Reference: XF:ftp-pasvdos

Remote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports.

======================================================
Name: CVE-1999-0080
Status: Entry
Reference: BUGTRAQ:19950531 SECURITY: problem with some wu-ftpd-2.4 binaries (fwd)
Reference: CERT:CA-95:16.wu-ftpd.vul
Reference: MISC:https://archive.nanog.org/mailinglist/mailarchives/old_archive/1995-11/msg00385.html
Reference: XF:ftp-execdotdot

Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the "site exec" command.

======================================================
Name: CVE-1999-0081
Status: Entry
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0081
Reference: XF:ftp-rnfr

wu-ftp allows files to be overwritten via the rnfr command.

======================================================
Name: CVE-1999-0082
Status: Entry
Reference: FARMERVENEMA:Improving the Security of Your Site by Breaking Into it
Reference: URL:http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html
Reference: XF:ftp-cwd

CWD ~root command in ftpd allows root access.

======================================================
Name: CVE-1999-0083
Status: Entry
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0083
Reference: XF:cwdleak

getcwd() file descriptor leak in FTP.
======================================================
Name: CVE-1999-0084
Status: Entry
Reference: XF:nfs-mknod(78)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/78

Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0.

======================================================
Name: CVE-1999-0085
Status: Entry
Reference: BUGTRAQ:19960821 rwhod buffer overflow
Reference: XF:rwhod(119)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/119
Reference: XF:rwhod-vuln(118)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/118

Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname.

======================================================
Name: CVE-1999-0086
Status: Candidate
Phase: Interim(19990630)
Reference: ERS:ERS-SVA-E01-1998:001.1
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0086
Reference: XF:ibm-routed

AIX routed allows remote users to modify sensitive files.

Current Votes:
   ACCEPT(2) Northcutt, Shostack
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Frech> Reference: XF:ibm-routed
 Prosser> This vulnerability allows debug mode to be turned on which is the problem. Should this be more specific in the description? This one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which is in the SGI cluster, shouldn't these be cross-referenced as the same vuln affects multiple OSes.
 Christey> This appears to be subsumed by CVE-1999-0215

======================================================
Name: CVE-1999-0087
Status: Entry
Reference: ERS:ERS-SVA-E01-1998:003.1
Reference: OSVDB:7992
Reference: URL:http://www.osvdb.org/7992
Reference: XF:ibm-telnetdos

Denial of service in AIX telnet can freeze a system and prevent users from accessing the server.
======================================================
Name: CVE-1999-0088
Status: Candidate
Phase: Proposed(19990617)
Reference: ERS:ERS-SVA-E01-1998:004.1
Reference: URL:http://www-1.ibm.com/services/brs/brspwhub.nsf/advisories/852567CC004F9038852566BF007B6393/$file/ERS-SVA-E01-1998_004_1.txt

IRIX and AIX automountd services (autofsd) allow remote users to execute root commands.

Current Votes:
   ACCEPT(2) Northcutt, Shostack
   MODIFY(2) Frech, Prosser
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> ERS (and other references, BTW) explicitly stipulate 'local and remote'. Reference: XF:irix-autofsd
 Prosser> Include the SGI Alert as well since it is mentioned in the description. SGI Security Advisory 19981005-01-PX
 Christey> DUPE CVE-1999-0210?
 Christey> ADDREF CIAC:J-014
 Baker> It does look very similar to 1999-0210. Perhaps they should be a single entry.

======================================================
Name: CVE-1999-0089
Status: Candidate
Phase: Interim(19990630)
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0089
Reference: XF:ibm-libDtSvc

Buffer overflow in AIX libDtSvc library can allow local users to gain root access.

Current Votes:
   ACCEPT(2) Northcutt, Shostack
   MODIFY(2) Frech, Prosser
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> Reference: XF:ibm-libDtSvc
 Prosser> The overflow is in the dtaction utility. Also affects dtaction in the CDE on versions of SunOS (SUN 164). Probably should be specific.
 Christey> Same Codebase as CVE-1999-0121, so the two entries should be merged.

======================================================
Name: CVE-1999-0090
Status: Entry
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0090
Reference: XF:ibm-rcp

Buffer overflow in AIX rcp command allows local users to obtain root access.
======================================================
Name: CVE-1999-0091
Status: Entry
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0091
Reference: XF:ibm-writesrv

Buffer overflow in AIX writesrv command allows local users to obtain root access.

======================================================
Name: CVE-1999-0092
Status: Candidate
Phase: Proposed(19990623)
Reference: ERS:ERS-SVA-E01-1997:006.1
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0092

Various vulnerabilities in the AIX portmir command allow local users to obtain root access.

Current Votes:
   ACCEPT(2) Baker, Bollinger
   MODIFY(1) Frech
   NOOP(1) Ozancin

Voter Comments:
 Frech> XF:ibm-portmir

======================================================
Name: CVE-1999-0093
Status: Entry
Reference: ERS:ERS-SVA-E01-1997:008.1
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0093
Reference: XF:ibm-nslookup

AIX nslookup command allows local users to obtain root access by not dropping privileges correctly.

======================================================
Name: CVE-1999-0094
Status: Entry
Reference: ERS:ERS-SVA-E01-1997:007.1
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0094
Reference: XF:ibm-piodmgrsu

AIX piodmgrsu command allows local users to gain additional group privileges.
======================================================
Name: CVE-1999-0095
Status: Entry
Reference: BID:1
Reference: URL:http://www.securityfocus.com/bid/1
Reference: CERT:CA-88.01
Reference: CERT:CA-93.14
Reference: FULLDISC:20190611 The Return of the WIZard: RCE in Exim (CVE-2019-10149)
Reference: URL:http://seclists.org/fulldisclosure/2019/Jun/16
Reference: MLIST:[oss-security] 20190605 Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit
Reference: URL:http://www.openwall.com/lists/oss-security/2019/06/05/4
Reference: MLIST:[oss-security] 20190606 Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit
Reference: URL:http://www.openwall.com/lists/oss-security/2019/06/06/1
Reference: OSVDB:195
Reference: URL:http://www.osvdb.org/195
Reference: XF:smtp-debug

The debug command in Sendmail is enabled, allowing attackers to execute commands as root.

======================================================
Name: CVE-1999-0096
Status: Entry
Reference: CERT:CA-93.16
Reference: CERT:CA-95.05
Reference: CIAC:A-13
Reference: CIAC:A-14
Reference: SUN:00122
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/122&type=0&nav=sec.sba
Reference: XF:smtp-dcod

Sendmail decode alias can be used to overwrite sensitive files.

======================================================
Name: CVE-1999-0097
Status: Entry
Reference: ERS:ERS-SVA-E01-1997:009.1
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0097
Reference: XF:ibm-ftp

The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).

======================================================
Name: CVE-1999-0098
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0098
Reference: XF:smtp-helo-bo

Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities.
Current Votes:
   MODIFY(2) Baker, Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> (Accept XF reference.) Our references do not mention hiding activities. This issue can crash the SMTP server or execute arbitrary byte-code. Is there another reference available?
 Christey> Should this be merged with CVE-1999-0284, which is Sendmail with SMTP HELO?
 Christey> BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2
   BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2
 Baker> Apparently this XF reference is not for this issue, but for the other issue. This should be modified to have the Bugtraq references, and remove the XF reference.

======================================================
Name: CVE-1999-0099
Status: Entry
Reference: CERT:CA-95.13.syslog.vul
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0099
Reference: XF:smtp-syslog

Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.

======================================================
Name: CVE-1999-0100
Status: Entry
Reference: ERS:ERS-SVA-E01-1997:002.1
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0100
Reference: XF:inn-controlmsg

Remote access in AIX innd 1.5.1, using control messages.

======================================================
Name: CVE-1999-0101
Status: Entry
Reference: CIAC:H-13
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-13.shtml
Reference: ERS:ERS-SVA-E01-1996:007.1
Reference: ERS:ERS-SVA-E01-1997:001.1
Reference: NAI:NAI-1
Reference: SUN:00137a
Reference: XF:ghbn-bo

Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names.
======================================================
Name: CVE-1999-0102
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0102
Reference: XF:slmail-fromheader-overflow

Buffer overflow in SLmail 3.x allows attackers to execute commands using a large FROM line.

======================================================
Name: CVE-1999-0103
Status: Entry
Reference: CERT:CA-96.01.UDP_service_denial
Reference: MISC:https://ics-cert.us-cert.gov/advisories/ICSMA-18-233-01
Reference: XF:chargen
Reference: XF:chargen-patch
Reference: XF:echo

Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.

======================================================
Name: CVE-1999-0104
Status: Candidate
Phase: Modified(20180822)
Reference: BID:80175
Reference: URL:http://www.securityfocus.com/bid/80175
Reference: CERT:CA-97.28.Teardrop_Land
Reference: OVAL:oval:org.mitre.oval:def:5743
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5743
Reference: XF:teardrop-mod

A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2.

Current Votes:
   ACCEPT(2) Frech, Wall
   REVIEWING(1) Christey

Voter Comments:
 Wall> Another reference is Microsoft Knowledge Base Q179129.
 Christey> Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
 Christey> See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue.
 Christey> MSKB:Q179129 http://support.microsoft.com/support/kb/articles/q179/1/29.asp
 Christey> MSKB:Q179129 http://support.microsoft.com/support/kb/articles/q179/1/29.asp
   Note that the hotfix name is teardrop2, but the keywords included in the KB article specifically name bonk (CVE-1999-0258) and boink.
   Since teardrop2 was fixed in a slightly different version (at least in a separate patch) than Teardrop, CD:SF-LOC suggests keeping them separate.
 Christey> Add period to the end of the description.

======================================================
Name: CVE-1999-0105
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0105

finger allows recursive searches by using a long string of @ symbols.

Current Votes:
   MODIFY(3) Baker, Frech, Shostack
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Shostack> fingerD
 Frech> XF:finger-bomb
 Christey> aka redirection or forwarding requests? (but then might overlap CVE-1999-0106)
 Baker> should change description to indicate the recursive searching can consume enough system resources to cause a DoS.

======================================================
Name: CVE-1999-0106
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0106

Finger redirection allows finger bombs.

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(2) Frech, Shostack
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Shostack> fingerd allows redirection
   This is a larger modification, since there are two applications of the vulnerability, one that I can finger anonymously, and the other that I can finger bomb anonymously.
 Frech> XF:finger-bomb
 Christey> need more refs
 Baker> This should be merged with 1999-0105

======================================================
Name: CVE-1999-0107
Status: Candidate
Phase: Modified(19991223)
Reference: BUGTRAQ:19971230 Apache DoS attack?
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0107
Reference: XF:apache-dos

Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Northcutt, Shostack, Wall
   REVIEWING(1) Levy
   REVOTE(1) Christey

Voter Comments:
 Wall> - Although this is probably the phf hack.
 Frech> XF:apache-dos
 Christey> This sounds like the incident reported in: NTBUGTRAQ:20000810 Apache Distributed Denial of Service
 Levy> I believe this is the problem where sending lots of HTTP headers to apache resulted in a denial of service.
   BUGTRAQ: http://www.securityfocus.com/archive/1/10228
   BUGTRAQ: http://www.securityfocus.com/archive/1/10516

======================================================
Name: CVE-1999-0108
Status: Entry
Reference: BUGTRAQ:19970527 another day, another buffer overflow....
Reference: URL:http://seclists.org/bugtraq/1997/May/191
Reference: XF:printers-bo

The printers program in IRIX has a buffer overflow that gives root access to local users.

======================================================
Name: CVE-1999-0109
Status: Entry
Reference: AUSCERT:AA-97.06
Reference: SUN:00140
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/140
Reference: XF:ffbconfig-bo

Buffer overflow in ffbconfig in Solaris 2.5.1.

======================================================
Name: CVE-1999-0110
Status: Candidate
Phase: Interim(19990810)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0315. Reason: This candidate's original description had a typo that delayed it from being detected as a duplicate of CVE-1999-0315. Notes: All CVE users should reference CVE-1999-0315 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Current Votes:
   MODIFY(1) Frech
   NOOP(4) Levy, Northcutt, Shostack, Wall
   REJECT(3) Baker, Christey, Dik

Voter Comments:
 Frech> XF:fdformat-bo
 Christey> Duplicate of CVE-1999-0315
 Dik> dup

======================================================
Name: CVE-1999-0111
Status: Entry
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0111
Reference: XF:rip

RIP v1 is susceptible to spoofing.

======================================================
Name: CVE-1999-0112
Status: Entry
Reference: BUGTRAQ:19970520 AIX 4.2 dtterm exploit
Reference: XF:dtterm-bo(878)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/878

Buffer overflow in AIX dtterm program for the CDE.

======================================================
Name: CVE-1999-0113
Status: Entry
Reference: BID:458
Reference: URL:http://www.securityfocus.com/bid/458
Reference: BUGTRAQ:19940729 -froot??? (AIX rlogin bug)
Reference: CERT:CA-94.09.bin.login.vulnerability
Reference: CIAC:E-26
Reference: XF:rlogin-froot

Some implementations of rlogin allow root access if given a -froot parameter.

======================================================
Name: CVE-1999-0114
Status: Candidate
Phase: Modified(20000106)
Reference: BUGTRAQ:19951226 filter (elm package) security hole
Reference: BUGTRAQ:19990912 elm filter program
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0114
Reference: XF:elm-filter2

Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack.
Current Votes:
   ACCEPT(7) Armstrong, Bishop, Blake, Cole, Landfield, Shostack, Wall
   MODIFY(2) Baker, Frech
   NOOP(3) Christey, Northcutt, Ozancin
   REVIEWING(1) Levy

Voter Comments:
 Frech> XF:elm-filter2
 CHANGE> [Wall changed vote from NOOP to ACCEPT]
 Landfield> with Frech modifications
 Baker> ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm Official Advisory
 Christey> The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm
   Need to make sure that this CERT advisory describes the right problem, especially since the CERT advisory is dated December 18, 1995 and the original Bugtraq post was December 26, 1995.
 Christey> BID:1802 URL:http://www.securityfocus.com/bid/1802
   BID:1802 doesn't include the 1999 posting - does Security Focus think that the 1999 post describes a different vulnerability?
 Christey> XF:elm-filter2 isn't on the X-Force web site. How about XF:elm-filter(402)? Its references point to the December 26, 1995 Bugtraq post. Also consider CIAC:G-36 and CERT:VB-95:10
 Frech> DELREF:XF:elm-filter2(711) ADDREF:XF:elm-filter(402)

======================================================
Name: CVE-1999-0115
Status: Entry
Reference: BID:1800
Reference: URL:http://www.securityfocus.com/bid/1800
Reference: BUGTRAQ:19970909 AIX bugfiler
Reference: XF:ibm-bugfiler

AIX bugfiler program allows local users to gain root access.

======================================================
Name: CVE-1999-0116
Status: Entry
Reference: CERT:CA-96.21.tcp_syn.flooding
Reference: SGI:19961202-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19961202-01-PX
Reference: SUN:00136
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/136

Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood.
======================================================
Name: CVE-1999-0117
Status: Entry
Reference: CERT:CA-92:07.AIX.passwd.vulnerability
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0117
Reference: XF:ibm-passwd

AIX passwd allows local users to gain root access.

======================================================
Name: CVE-1999-0118
Status: Entry
Reference: BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD
Reference: URL:http://marc.info/?l=bugtraq&m=91158980826979&w=2
Reference: XF:aix-infod

AIX infod allows local users to gain root access through an X display.

======================================================
Name: CVE-1999-0119
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/11

Windows NT 4.0 beta allows users to read and delete shares.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Baker, Northcutt
   REJECT(1) Wall

Voter Comments:
 Wall> Reject based on beta copy.
 Frech> XF:nt-beta(11) Reconsider reject, because this beta was in widespread use.

======================================================
Name: CVE-1999-0120
Status: Entry
Reference: CERT:CA-94.06.utmp.vulnerability
Reference: SUN:00126
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/126
Reference: XF:utmp-write

Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root.

======================================================
Name: CVE-1999-0121
Status: Candidate
Phase: Proposed(19990617)
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0121
Reference: SUN:00164

Buffer overflow in dtaction command gives root access.
Current Votes:
   ACCEPT(2) Dik, Northcutt
   MODIFY(3) Baker, Frech, Prosser
   REVIEWING(1) Christey

Voter Comments:
 Frech> Reference: XF:dtaction-bo
   Reference: XF:sun-dtaction
 Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a library in AIX 4.x, but reference for this Sun vulnerability should only reflect the Sun Bulletin or the CIAC I-032 version of the Sun Bulletin
 Christey> This is the Same Codebase as CVE-1999-0089, so the two entries should be merged.
 Frech> Replace sun-dtaction(732) with dtaction-bo(879)
 Baker> Merge with 1999-0089

======================================================
Name: CVE-1999-0122
Status: Entry
Reference: BUGTRAQ:Jul21,1999
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0122
Reference: XF:lchangelv-bo

Buffer overflow in AIX lchangelv gives root access.

======================================================
Name: CVE-1999-0123
Status: Candidate
Phase: Modified(20000105)
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0123
Reference: XF:linux-mailx

Race condition in Linux mailx command allows local users to read user files.

Current Votes:
   ACCEPT(3) Baker, Frech, Ozancin
   NOOP(1) Wall

======================================================
Name: CVE-1999-0124
Status: Entry
Reference: CERT:CA-93:11.UMN.UNIX.gopher.vulnerability
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0124
Reference: XF:gopher-vuln

Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon.

======================================================
Name: CVE-1999-0125
Status: Entry
Reference: SGI:19980605-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980605-01-PX
Reference: XF:sgi-mailx-bo

Buffer overflow in SGI IRIX mailx program.
======================================================
Name: CVE-1999-0126
Status: Entry
Reference: CERT:VB-98.04.xterm.Xaw
Reference: CIAC:J-010
Reference: URL:http://www.ciac.org/ciac/bulletins/j-010.shtml
Reference: XF:xfree86-xaw
Reference: XF:xfree86-xterm-xaw

SGI IRIX buffer overflow in xterm and Xaw allows root access.

======================================================
Name: CVE-1999-0127
Status: Candidate
Phase: Proposed(19990623)
Reference: AUSCERT:AA-96.04
Reference: CERT:CA-96.27.hp_sw_install
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0127
Reference: XF:hpux-swinstall

swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access.

Current Votes:
   ACCEPT(2) Baker, Prosser
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> (keep current XF: reference, and add) XF:hpux-sqwmodify
 Christey> Perhaps this should be split, per SF-LOC.
 Christey> CIAC:H-81 http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
   HP:HPSBUX9707-064 references CERT:CA-96.27
   http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
   The original AUSCERT advisory says that the programs "create files in an insecure manner" and "Exploit details involving this vulnerability have been made publicly available." which leads one to assume that the following original Bugtraq post provides the details for a standard symlink problem:
   BUGTRAQ:19961005 swinst,bug
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2

======================================================
Name: CVE-1999-0128
Status: Entry
Reference: CERT:CA-96.26.ping
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0128
Reference: XF:ping-death

Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death.
======================================================
Name: CVE-1999-0129
Status: Entry
Reference: CERT:CA-96.25.sendmail_groups
Reference: MISC:http://www.cert.org/advisories/CA-1996-25.html

Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.

======================================================
Name: CVE-1999-0130
Status: Entry
Reference: BID:716
Reference: URL:http://www.securityfocus.com/bid/716
Reference: CERT:CA-96.24.sendmail.daemon.mode
Reference: XF:sendmail-daemon-mode

Local users can start Sendmail in daemon mode and gain root privileges.

======================================================
Name: CVE-1999-0131
Status: Entry
Reference: BID:717
Reference: URL:http://www.securityfocus.com/bid/717
Reference: CERT:CA-96.20.sendmail_vul
Reference: XF:smtp-875bo

Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users.

======================================================
Name: CVE-1999-0132
Status: Entry
Reference: CERT:CA-1996-19
Reference: URL:http://www.cert.org/advisories/CA-1996-19.html
Reference: OSVDB:11723
Reference: URL:http://www.osvdb.org/11723
Reference: XF:expreserve(401)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/401

Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access.

======================================================
Name: CVE-1999-0133
Status: Entry
Reference: CERT:CA-96.18.fm_fls
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0133
Reference: XF:fmaker-logfile

fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access.
======================================================
Name: CVE-1999-0134
Status: Entry
Reference: AUSCERT:AL-96.04
Reference: CERT:CA-96.17.Solaris_vold_vul
Reference: OSVDB:8159
Reference: URL:http://www.osvdb.org/8159
Reference: XF:sol-voldtmp

vold in Solaris 2.x allows local users to gain root access.

======================================================
Name: CVE-1999-0135
Status: Entry
Reference: AUSCERT:AL-96.03
Reference: CERT:CA-96.16.Solaris_admintool_vul
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0135
Reference: XF:sun-admintool

admintool in Solaris allows a local user to write to arbitrary files and gain root access.

======================================================
Name: CVE-1999-0136
Status: Entry
Reference: AUSCERT:AL-96.02
Reference: CERT:CA-96.15.Solaris_KCMS_vul
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0136
Reference: XF:sol-KCMSvuln

Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access.

======================================================
Name: CVE-1999-0137
Status: Entry
Reference: CERT:CA-96.13.dip_vul
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0137
Reference: XF:dip-bo
Reference: XF:linux-dipbo

The dip program on many Linux systems allows local users to gain root access via a buffer overflow.

======================================================
Name: CVE-1999-0138
Status: Entry
Reference: CERT:CA-96.12.suidperl_vul
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0138
Reference: XF:sperl-suid

The suidperl and sperl programs do not give up root privileges when changing UIDs back to the original users, allowing root access.
======================================================
Name: CVE-1999-0139
Status: Entry
Reference: OSVDB:8205
Reference: URL:http://www.osvdb.org/8205
Reference: RSI:RSI.0012.12-03-98.SOLARIS.MKCOOKIE
Reference: XF:sol-mkcookie

Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access.

======================================================
Name: CVE-1999-0140
Status: Candidate
Phase: Proposed(19990630)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0140

Denial of service in RAS/PPTP on NT systems.

Current Votes:
   ACCEPT(1) Hill
   MODIFY(2) Frech, Meunier
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Meunier> Add "pptp invalid packet length in header" to distinguish from other vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be discovered in the future.
 Frech> XF:nt-ras-bo ONLY IF reference is to MS:MS99-016
 Christey> According to my mappings, this is not the MS:MS99-016 problem referred to by Andre. However, I have yet to dig up a source.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> This is too general to know which problem is being discussed. More precise candidates should be created.
 Christey> Consider adding BID:2111

======================================================
Name: CVE-1999-0141
Status: Entry
Reference: CERT:CA-96.07.java_bytecode_verifier
Reference: SUN:00134
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/134
Reference: XF:http-java-applet

Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet.
======================================================
Name: CVE-1999-0142
Status: Entry
Reference: CERT:CA-96.05.java_applet_security_mgr
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0142
Reference: XF:http-java-appletsecmgr

The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts.

======================================================
Name: CVE-1999-0143
Status: Entry
Reference: CERT:CA-96.03.kerberos_4_key_server
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0143
Reference: XF:kerberos-bf

Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.

======================================================
Name: CVE-1999-0144
Status: Candidate
Phase: Modified(20010301)
Reference: BID:2237
Reference: URL:http://www.securityfocus.com/bid/2237
Reference: BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
Reference: URL:http://marc.info/?l=bugtraq&m=87602558319029&w=2
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.info/?l=bugtraq&m=87602558319024&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: XF:qmail-rcpt(208)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/208

Denial of service in Qmail by specifying a large number of recipients with the RCPT command.

Current Votes:
   ACCEPT(4) Baker, Frech, Hill, Meunier
   REVIEWING(1) Christey

Voter Comments:
 Christey> DUPE CVE-1999-0418 and CVE-1999-0250?
 Christey> Dan Bernstein, author of Qmail, says that this is not a vulnerability in qmail because Unix has built-in resource limits that can restrict the size of a qmail process; other limits can be specified by the administrator.
   See http://cr.yp.to/qmail/venema.html
   Significant discussion of this issue took place on the qmail list. The fundamental question appears to be whether application software should set its own limits, or rely on limits set by the parent operating system (in this case, UNIX). Also, some people said that the only problem was that the suggested configuration was not well documented, but this was refuted by others.
   See the following threads at http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
     "Denial of service (qmail-smtpd)"
     "qmail-dos-2.c, another denial of service"
     "[PATCH] denial of service"
     "just another qmail denial-of-service"
     "the UNIX way"
     "Time for a reality check"
   Also see Bugtraq threads on a different vulnerability that is related to this topic:
   BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
   http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
 Baker> http://cr.yp.to/qmail/venema.html
   Bernstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema. His page states this is not a qmail problem, rather it is a UNIX problem that many apps can consume all available memory, and that the administrator is responsible to set limits in the OS, rather than expect applications to individually prevent memory exhaustion.
   CAN 1999-0250 does appear to be a duplicate of this entry, based on the research I have done so far. There were two different bugtraq postings, but the second one references the first, stating that the new exploit uses perl instead of shell scripting to accomplish the same attack/exploit.
 Baker> http://www.securityfocus.com/archive/1/6970
   http://www.securityfocus.com/archive/1/6969
   http://cr.yp.to/qmail/venema.html
   Should probably reject CVE-1999-0250, and add these references to this Candidate.
 Baker> http://www.securityfocus.com/bid/2237
 CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
 Christey> qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands. It appears that super@ufo.org followed up to the wrong message.
   NOTE: the ufo.org domain was purchased by another party in 2003, so the current owner is not associated with any statements by "super@ufo.org" that were made before 2003.
   qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands.
   ADDREF BID:2237
   ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
   ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
   Also see a related thread:
   BUGTRAQ:19990308 SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
   This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this:
   BUGTRAQ:19990309 Re: SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
   The person further says, "This attack can easily be prevented with configuration methods."

======================================================
Name: CVE-1999-0145
Status: Entry
Reference: BUGTRAQ:19950206 sendmail wizard thing...
Reference: URL:http://www2.dataguard.no/bugtraq/1995_1/0332.html
Reference: CERT:CA-1990-11
Reference: URL:http://www.cert.org/advisories/CA-1990-11.html
Reference: CERT:CA-1993-14
Reference: URL:http://www.cert.org/advisories/CA-1993-14.html
Reference: FARMERVENEMA:Improving the Security of Your Site by Breaking Into it
Reference: URL:http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html
Reference: FULLDISC:20190611 The Return of the WIZard: RCE in Exim (CVE-2019-10149)
Reference: URL:http://seclists.org/fulldisclosure/2019/Jun/16
Reference: MLIST:[oss-security] 20190605 Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit
Reference: URL:http://www.openwall.com/lists/oss-security/2019/06/05/4
Reference: MLIST:[oss-security] 20190606 Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit
Reference: URL:http://www.openwall.com/lists/oss-security/2019/06/06/1

Sendmail WIZ command enabled, allowing root access.

======================================================
Name: CVE-1999-0146
Status: Entry
Reference: BID:1975
Reference: URL:http://www.securityfocus.com/bid/1975
Reference: BUGTRAQ:19970715 Bug CGI campas
Reference: XF:http-cgi-campas(298)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/298

The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file.

======================================================
Name: CVE-1999-0147
Status: Entry
Reference: AUSCERT:AA-97.28
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0147
Reference: XF:http-cgi-glimpse

The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands.
======================================================
Name: CVE-1999-0148
Status: Entry
Reference: BID:380
Reference: URL:http://www.securityfocus.com/bid/380
Reference: SGI:19970501-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
Reference: XF:http-sgi-handler

The handler CGI program in IRIX allows arbitrary command execution.

======================================================
Name: CVE-1999-0149
Status: Entry
Reference: BID:373
Reference: URL:http://www.securityfocus.com/bid/373
Reference: BUGTRAQ:19970420 IRIX 6.x /cgi-bin/wrap bug
Reference: OSVDB:247
Reference: URL:http://www.osvdb.org/247
Reference: SGI:19970501-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
Reference: XF:http-sgi-wrap(290)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/290

The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack.

======================================================
Name: CVE-1999-0150
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0150
Reference: XF:perl-fingerd

The Perl fingerd program allows arbitrary command execution from remote users.

======================================================
Name: CVE-1999-0151
Status: Entry
Reference: CERT:CA-95.06.satan.vul
Reference: CERT:CA-95.07a.REVISED.satan.vul
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0151

The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access.

======================================================
Name: CVE-1999-0152
Status: Entry
Reference: BUGTRAQ:19970811 dgux in.fingerd vulnerability
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0152
Reference: XF:dgux-fingerd

The DG/UX finger daemon allows remote command execution through shell metacharacters.
======================================================
Name: CVE-1999-0153
Status: Entry
Reference: OSVDB:1666
Reference: URL:http://www.osvdb.org/1666
Reference: XF:win-oob

Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke.

======================================================
Name: CVE-1999-0154
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970220 ! [ADVISORY] Major Security Hole in MS ASP
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0154
Reference: MSKB:Q163485
Reference: MSKB:Q164059
Reference: XF:http-iis-aspdot
Reference: XF:http-iis-aspsource

IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.

Current Votes:
   ACCEPT(4) Foat, Frech, Stracener, Wall
   NOOP(3) Baker, Christey, Cole

Voter Comments:
 Christey> This is the precursor to the problem that is identified in CVE-1999-0253.
 Christey> CIAC:H-48
   URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml
 CHANGE> [Foat changed vote from NOOP to ACCEPT]

======================================================
Name: CVE-1999-0155
Status: Entry
Reference: CERT:CA-95.10.ghostscript
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0155
Reference: XF:gscript-dsafer

The ghostscript command with the -dSAFER option allows remote attackers to execute commands.

======================================================
Name: CVE-1999-0156
Status: Candidate
Phase: Proposed(19990714)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0156
Reference: XF:ftp-pwless

wu-ftpd FTP daemon allows any user and password combination.

Current Votes:
   ACCEPT(2) Northcutt, Shostack
   NOOP(1) Baker
   RECAST(1) Frech
   REVIEWING(2) Christey, Prosser

Voter Comments:
 Prosser> but so far can find no reference to this one
 Frech> Our records indicate that this does not necessarily affect just wu-ftp (ie, also affects IIS FTP server).
 Christey> The references for XF:ftp-pwless are not specific enough, e.g. in terms of version numbers. Perhaps this candidate should be rejected due to insufficient information.

======================================================
Name: CVE-1999-0157
Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/nifrag.shtml
Reference: OSVDB:1097
Reference: URL:http://www.osvdb.org/1097
Reference: XF:cisco-fragmented-attacks

Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service.

======================================================
Name: CVE-1999-0158
Status: Entry
Reference: CISCO:20010913 Cisco PIX Firewall Manager File Exposure
Reference: URL:http://www.cisco.com/warp/public/770/pixmgrfile-pub.shtml
Reference: OSVDB:685
Reference: URL:http://www.osvdb.org/685
Reference: XF:cisco-pix-file-exposure

Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known.

======================================================
Name: CVE-1999-0159
Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/ioslogin-pub.shtml
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0159
Reference: XF:cisco-ios-crash

Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases.

======================================================
Name: CVE-1999-0160
Status: Entry
Reference: CIAC:I-002A
Reference: CISCO:19971001 Vulnerabilities in Cisco CHAP Authentication
Reference: OSVDB:1099
Reference: URL:http://www.osvdb.org/1099
Reference: XF:cisco-chap

Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections.
======================================================
Name: CVE-1999-0161
Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/707/1.html
Reference: OSVDB:797
Reference: URL:http://www.osvdb.org/797
Reference: XF:cisco-acl-tacacs

In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering.

======================================================
Name: CVE-1999-0162
Status: Entry
Reference: CISCO:19950601 "Established" Keyword May Allow Packets to Bypass Filter
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0162
Reference: XF:cisco-acl-established

The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering.

======================================================
Name: CVE-1999-0163
Status: Candidate
Phase: Proposed(19990714)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0163
Reference: XF:smtp-pipe

In older versions of Sendmail, an attacker could use a pipe character to execute root commands.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   MODIFY(1) Prosser
   NOOP(2) Baker, Christey
   RECAST(1) Shostack

Voter Comments:
 Shostack> there was a 'To: |' and a 'From: |' attack, which I think are separate.
 Prosser> older vulnerability, but one additional reference is- The Ultimate Sendmail Hole List by Markus Hübner @ bau2.uibk.ac.at/matic/buglist.htm '|PROGRAM '
 Christey> Description needs to be more specific to distinguish between this and CVE-1999-0203, as alluded to by Adam Shostack

======================================================
Name: CVE-1999-0164
Status: Entry
Reference: AUSCERT:AA-95.07
Reference: CERT:CA-95.09.Solaris.ps.vul
Reference: OSVDB:8346
Reference: URL:http://www.osvdb.org/8346
Reference: XF:sol-pstmprace

A race condition in the Solaris ps command allows an attacker to overwrite critical files.
======================================================
Name: CVE-1999-0165
Status: Candidate
Phase: Modified(20040811)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0165
Reference: XF:nfs-cache

NFS cache poisoning.

Current Votes:
   ACCEPT(3) Baker, Frech, Northcutt
   MODIFY(1) Shostack
   NOOP(1) Prosser
   REVIEWING(1) Christey

Voter Comments:
 Shostack> need more data
 Christey> need more refs
 Christey> Add period to the end of the description.

======================================================
Name: CVE-1999-0166
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0166
Reference: XF:nfs-cd

NFS allows users to use a "cd .." command to access other directories besides the exported file system.

======================================================
Name: CVE-1999-0167
Status: Entry
Reference: CERT:CA-91.21.SunOS.NFS.Jumbo.and.fsirand
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0167
Reference: XF:nfs-guess

In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system.

======================================================
Name: CVE-1999-0168
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0168
Reference: XF:nfs-portmap

The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions.

======================================================
Name: CVE-1999-0169
Status: Candidate
Phase: Proposed(19990714)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0169
Reference: XF:nfs-uid

NFS allows attackers to read and write any file on the system by specifying a false UID.
Current Votes:
   ACCEPT(2) Frech, Northcutt
   MODIFY(1) Baker
   REJECT(1) Shostack

Voter Comments:
 Shostack> this is not a vulnerability but a design feature.
 Baker> Maybe we should reword it so that it is clear that this was a problem to something like: "A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID."

======================================================
Name: CVE-1999-0170
Status: Entry
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0170
Reference: XF:nfs-ultrix

Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list.

======================================================
Name: CVE-1999-0171
Status: Candidate
Phase: Proposed(19990714)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0171
Reference: XF:syslog-flood

Denial of service in syslog by sending it a large number of superfluous messages.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   NOOP(1) Baker
   REJECT(2) Christey, Shostack

Voter Comments:
 Shostack> design issue, not a vulnerability. Alternately, add: DOS on server by opening a large number of telnet sessions.
 Christey> Duplicate of CVE-1999-0566

======================================================
Name: CVE-1999-0172
Status: Entry
Reference: BUGTRAQ:Aug02,1995
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0172
Reference: XF:http-cgi-formmail-exe

FormMail CGI program allows remote execution of commands.

======================================================
Name: CVE-1999-0173
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0173
Reference: XF:http-cgi-formmail-use

FormMail CGI program can be used by web servers other than the host server that the program resides on.
======================================================
Name: CVE-1999-0174
Status: Entry
Reference: BUGTRAQ:19970208 view-source
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0174
Reference: XF:http-cgi-viewsrc

The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack.

======================================================
Name: CVE-1999-0175
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0175
Reference: XF:http-nov-convert

The convert.bas program in the Novell web server allows remote attackers to read any file on the system that is internally accessible by the web server.

======================================================
Name: CVE-1999-0176
Status: Entry
Reference: BUGTRAQ:Jul10,1997
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0176
Reference: XF:http-webgais-query

The Webgais program allows a remote user to execute arbitrary commands.

======================================================
Name: CVE-1999-0177
Status: Entry
Reference: BUGTRAQ:19970904 [Alert] Website's uploader.exe (from demo) vulnerable
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0177
Reference: NTBUGTRAQ:19970904 [Alert] Website's uploader.exe (from demo) vulnerable
Reference: NTBUGTRAQ:19970905 Re: FW: [Alert] Website's uploader.exe (from demo) vulnerable
Reference: XF:http-website-uploader

The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs.
======================================================
Name: CVE-1999-0178
Status: Entry
Reference: BID:2078
Reference: URL:http://www.securityfocus.com/bid/2078
Reference: BUGTRAQ:19970106 Re: signal handling
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1997_1/0021.html
Reference: OSVDB:8
Reference: URL:http://www.osvdb.org/8
Reference: XF:http-website-winsample(295)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/295

Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string.

======================================================
Name: CVE-1999-0179
Status: Entry
Reference: MSKB:Q140818
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q140818
Reference: XF:nt-35
Reference: XF:nt-351
Reference: XF:nt-samba-dotdot

Windows NT crashes or locks up when a Samba client executes a "cd .." command on a file share.

======================================================
Name: CVE-1999-0180
Status: Entry
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0180
Reference: XF:rsh-null

in.rshd allows users to login with a NULL username and execute commands.

======================================================
Name: CVE-1999-0181
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0181
Reference: XF:walld

The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands.

======================================================
Name: CVE-1999-0182
Status: Entry
Reference: CERT:VB-97.10.samba
Reference: CIAC:H-110
Reference: URL:http://www.ciac.org/ciac/bulletins/h-110.shtml
Reference: XF:nt-samba-bo

Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password.
======================================================
Name: CVE-1999-0183
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0183
Reference: XF:linux-tftp

Linux implementations of TFTP would allow access to files outside the restricted directory.

======================================================
Name: CVE-1999-0184
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0184
Reference: XF:dns-updates

When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records.

======================================================
Name: CVE-1999-0185
Status: Entry
Reference: SUN:00156
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/156
Reference: XF:sun-ftpd/logind

In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution.

======================================================
Name: CVE-1999-0186
Status: Candidate
Phase: Modified(20071119)
Reference: CONFIRM:http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm
Reference: SUN:00178
Reference: XF:snmp-backdoor-access

In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters.

Current Votes:
   ACCEPT(2) Baker, Dik
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr
   Add ISS:Hidden Community String in SNMP Implementation
 Christey> What is the proper level of abstraction to use here? Should we have a separate entry for each different default community string?
   See: http://cve.mitre.org/Board_Sponsors/archives/msg00242.html
   and http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
   http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
   Until the associated content decisions have been approved by the Editorial Board, this candidate cannot be accepted for inclusion in CVE.
 Christey> ADDREF BID:177
 Christey> ISS:19981102 Hidden community string in SNMP implementation
   http://xforce.iss.net/alerts/advise11.php
   Change description to include "hidden"
 Christey> XF:snmp-backdoor-access is missing.

======================================================
Name: CVE-1999-0187
Status: Candidate
Phase: Modified(20050204)

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0022. Reason: This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users should reference CVE-1999-0022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Current Votes:
   ACCEPT(2) Hill, Northcutt
   RECAST(3) Baker, Frech, Prosser
   REJECT(1) Dik
   REVIEWING(1) Christey

Voter Comments:
 Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in rdist lookup( ) (ref CERT 96.14) as well as the BO in rdist function expstr() (ref CERT 97-23) and various vendor bulletins. However both of these rdist BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX, FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content decision
 Frech> XF:rdist-bo (error msg formation)
   XF:rdist-bo2 (execute code)
   XF:rdist-bo3 (execute user-created code)
   XF:rdist-sept97 (root from local)
 Christey> Duplicate of CVE-1999-0022 (SUN:00179 is referenced in CERT:CA-97.23.rdist), but as Mike and Andre noted, there are multiple flaws here, so a RECAST may be necessary.
 Dik> As currently phrased, this is a duplicate of CVE-1999-0022
 Baker> Based on our new philosophy, this should be recast/merged or re-described.
======================================================
Name: CVE-1999-0188
Status: Entry
Reference: SUN:00182
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/182
Reference: XF:sun-passwd-dos

The passwd command in Solaris can be subjected to a denial of service.

======================================================
Name: CVE-1999-0189
Status: Entry
Reference: NAI:NAI-15
Reference: SUN:00142
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/142
Reference: XF:rpc-32771

Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111.

======================================================
Name: CVE-1999-0190
Status: Entry
Reference: SUN:00167
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/167
Reference: XF:sun-rpcbind

Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.

======================================================
Name: CVE-1999-0191
Status: Entry
Reference: OSVDB:275
Reference: URL:http://www.osvdb.org/275
Reference: XF:http-cgi-newdsn

IIS newdsn.exe CGI script allows remote users to overwrite files.

======================================================
Name: CVE-1999-0192
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0192
Reference: SNI:SNI-20
Reference: XF:bsd-tel-tgetent

Buffer overflow in telnet daemon tgetent routine allows remote attackers to gain root access via the TERMCAP environmental variable.

======================================================
Name: CVE-1999-0193
Status: Candidate
Phase: Proposed(19990714)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0193

Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option.
Current Votes:
   ACCEPT(5) Bishop, Cole, Northcutt, Ozancin, Shostack
   MODIFY(2) Baker, Blake
   NOOP(4) Armstrong, Frech, Landfield, Wall
   REVIEWING(2) Christey, Levy

Voter Comments:
 Frech> possibly XF:ascend-kill
   I can't find a reference that lists both routers in the same reference.
 Wall> Comment: There is a reference about the zero length TCP option in BugTraq on Feb 5, 1999 and it mentions Cisco, but not directly Ascend or 3Com. CIAC Advisory I-038 mentions vulnerabilities in Ascend, but does not mention TCP. CIAC Advisory I-052 mentions 3Com vulnerabilities, but not TCP. Too confusing without better references.
 Landfield> What are the references for this? I cannot find a means to check it out.
 CHANGE> [Frech changed vote from REVIEWING to NOOP]
 Frech> Cannot reconcile to our database without further references.
 Blake> I'm with Andre. I only remember and can find reference to the Ascend issue. Do we have a reference to the 3Coms? If not, that should be removed from the description.
 Baker> http://xforce.iss.net/static/614.php Misc Defensive Info
   http://www.securityfocus.com/archive/1/5682 Misc Offensive Info
   http://www.securityfocus.com/archive/1/5647 Misc Defensive Info
   http://www.securityfocus.com/archive/1/5640 Misc Defensive Info
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]

======================================================
Name: CVE-1999-0194
Status: Entry
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0194
Reference: XF:comsat

Denial of service in in.comsat allows attackers to generate messages.

======================================================
Name: CVE-1999-0195
Status: Candidate
Phase: Modified(19991130)
Reference: BUGTRAQ:19990128 rpcbind: deceive, enveigle and obfuscate
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0195

Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.
Current Votes: ACCEPT(2) Balinsky, Shostack MODIFY(1) Frech NOOP(3) Baker, Northcutt, Wall REVIEWING(2) Christey, Levy Voter Comments: Frech> XF:rpcbind-spoof Christey> CVE-1999-0195 = CVE-1999-0461 ? If this is approved over CVE-1999-0461, make sure it gets XF:pmap-sset ====================================================== Name: CVE-1999-0196 Status: Entry Reference: BID:2077 Reference: URL:http://www.securityfocus.com/bid/2077 Reference: BUGTRAQ:19970704 Vulnerability in websendmail Reference: OSVDB:237 Reference: URL:http://www.osvdb.org/237 Reference: XF:http-webgais-smail websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable). ====================================================== Name: CVE-1999-0197 Status: Candidate Phase: Proposed(19990726) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/8378 finger 0@host on some systems may print information on some user accounts. Current Votes: ACCEPT(1) Baker MODIFY(2) Frech, Shostack REJECT(1) Northcutt Voter Comments: Shostack> fingerd may respond to 'finger 0@host' with account info Frech> Need more reference to establish this 'exposure'. CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:finger-unused-accounts(8378) We're entering it into our database solely to track competition. The only references seem to be product listings: http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002 Finger 0@host check) http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check) http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host feature) ====================================================== Name: CVE-1999-0198 Status: Candidate Phase: Proposed(19990726) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/8378 finger .@host on some systems may print information on some user accounts. 
Current Votes: ACCEPT(1) Baker MODIFY(2) Frech, Shostack REJECT(1) Northcutt Voter Comments: Shostack> as above Frech> Need more reference to establish this 'exposure'. CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:finger-unused-accounts(8378) We're entering it into our database solely to track competition. The only references seem to be product listings: http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004 Finger .@target-host check) http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host check ) http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host feature) ====================================================== Name: CVE-1999-0199 Status: Candidate Reference: MISC:https://ftp.gnu.org/gnu/glibc/glibc-2.2.tar.gz Reference: MISC:https://github.com/bminor/glibc/commit/2864e767053317538feafa815046fff89e5a16be#diff-94e8c502f255fdfc346df0e29fd4ef40 Reference: MISC:https://www.cee.studio/tdelete.html manual/search.texi in the GNU C Library (aka glibc) before 2.2 lacks a statement about the unspecified tdelete return value upon deletion of a tree's root, which might allow attackers to access a dangling pointer in an application whose developer was unaware of a documentation update from 1999. ====================================================== Name: CVE-1999-0200 Status: Candidate Phase: Modified(19991130) Reference: MISC:http://www.microsoft.com/technet/support/kb.asp?ID=137853 Reference: MSKB:Q137853 Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password. Current Votes: ACCEPT(1) Baker MODIFY(2) Frech, Shostack NOOP(2) Northcutt, Wall REJECT(1) Christey REVIEWING(1) Levy Voter Comments: Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another? Frech> Others have mentioned this before, but it may be WU-FTP. 
POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root access without anon FTP or a regular account? POSSIBLY XF:wu-ftpd-exec;same as above conditions, but instead from a non-anon FTP account and gain root privs. Christey> added MSKB reference CHANGE> [Christey changed vote from REVOTE to REJECT] Christey> The MSKB article may have confused things even more. There were reports of problems in a Windows-based FTP server called WFTP (http://www.wftpd.com/) that is not a Microsoft FTP server. It's best to just kill this candidate where it stands and start fresh. ====================================================== Name: CVE-1999-0201 Status: Entry Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0201 Reference: XF:ftp-home A quote cwd command on FTP servers can reveal the full path of the home directory of the "ftp" user. ====================================================== Name: CVE-1999-0202 Status: Entry Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0202 Reference: XF:ftp-exectar The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands. ====================================================== Name: CVE-1999-0203 Status: Entry Reference: CERT:CA-95.08 Reference: CIAC:E-03 Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0203 Reference: XF:smtp-sendmail-version5 In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program. ====================================================== Name: CVE-1999-0204 Status: Entry Reference: CIAC:F-13 Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0204 Reference: XF:ident-bo Sendmail 8.6.9 allows remote attackers to execute root commands, using ident. 
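Added worked example for CVE-1999-0199 above. This is illustrative code written for this page, not glibc's code and not taken from the cee.studio write-up. The point of that candidate: tdelete() returns NULL when the key is absent and otherwise a pointer to the parent of the removed node; when the removed node was the root there is no parent, the return value is unspecified (in practice it can point at the node that was just freed), and dereferencing it is a use-after-free. The safe pattern is to use the result only as a found/not-found flag, which is what the wrapper below does. The key strings are constructed for the example.

```c
/* Added example for CVE-1999-0199; not glibc code. Shows the only portable
 * use of tdelete()'s return value: a found / not-found flag. */
#define _XOPEN_SOURCE 700
#include <search.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Keys are compared as C strings. tsearch() stores the caller's pointer, so
 * keys must outlive their time in the tree (string literals here). */
static int cmp_str(const void *a, const void *b) {
    return strcmp((const char *)a, (const char *)b);
}

/* Insert key; 0 on success or if already present, -1 on allocation failure. */
static int set_add(void **root, const char *key) {
    return tsearch(key, root, cmp_str) ? 0 : -1;
}

/* Membership test; tfind() never modifies the tree. */
static int set_contains(void *const *root, const char *key) {
    return tfind(key, root, cmp_str) != NULL;
}

/* Remove key; returns 1 if it was present, 0 if not.
 * The pointer tdelete() hands back is collapsed to a boolean on purpose:
 * after deleting the root it may point at freed memory, so code such as
 *     char *parent_key = *(char **)tdelete(key, root, cmp_str);
 * is a latent use-after-free even though it appears to work for non-root
 * nodes (the case the pre-1999 manual text led developers to assume). */
static int set_remove(void **root, const char *key) {
    return tdelete(key, root, cmp_str) != NULL;
}

int main(void) {
    void *root = NULL;
    set_add(&root, "alpha");
    set_add(&root, "beta");
    set_remove(&root, "alpha");            /* first key inserted is the root */
    printf("alpha present: %d, beta present: %d\n",
           set_contains(&root, "alpha"), set_contains(&root, "beta"));
    set_remove(&root, "beta");
    return 0;
}
```

If an application genuinely needs the parent after a deletion, it has to track the structure itself (for example by calling tfind() before tdelete() and recording what it needs), rather than trusting the pointer returned when the root goes away.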
====================================================== Name: CVE-1999-0205 Status: Candidate Phase: Modified(19990925) Reference: BUGTRAQ:19990708 SM 8.6.12 Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0205 Denial of service in Sendmail 8.6.11 and 8.6.12. Current Votes: ACCEPT(2) Hill, Northcutt MODIFY(2) Frech, Prosser NOOP(1) Baker REVIEWING(2) Christey, Ozancin Voter Comments: Frech> XF:sendmail-alias-dos Prosser> additional source Bugtraq "Re: SM 8.6.12" http://www.securityfocus.com Christey> The Bugtraq thread does not provide any proof, including a comment by Eric Allman that he hadn't been provided any details either. See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu for the thread. Christey> Change Bugtraq reference date to 19950708. ====================================================== Name: CVE-1999-0206 Status: Entry Reference: AUSCERT:AA-96.06a Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0206 Reference: XF:sendmail-mime-bo MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access. ====================================================== Name: CVE-1999-0207 Status: Entry Reference: CERT:CA-94.11.majordomo.vulnerabilities Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0207 Reference: XF:majordomo-exe Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command. ====================================================== Name: CVE-1999-0208 Status: Entry Reference: CERT:CA-95.17.rpc.ypupdated.vul Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0208 Reference: XF:rpc-update rpc.ypupdated (NIS) allows remote users to execute arbitrary commands. 
====================================================== Name: CVE-1999-0209 Status: Entry Reference: BID:8 Reference: URL:http://www.securityfocus.com/bid/8 Reference: CERT:CA-90.05.sunselection.vulnerability Reference: XF:selsvc The SunView (SunTools) selection_svc facility allows remote users to read files. ====================================================== Name: CVE-1999-0210 Status: Entry Reference: BID:235 Reference: URL:http://www.securityfocus.com/bid/235 Reference: BUGTRAQ:19971126 Solaris 2.5.1 automountd exploit (fwd) Reference: URL:http://marc.info/?l=bugtraq&m=88053459921223&w=2 Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd) Reference: URL:http://marc.info/?l=bugtraq&m=91547759121289&w=2 Reference: CERT:CA-99-05 Reference: URL:http://www.cert.org/advisories/CA-99-05-statd-automountd.html Reference: HP:HPSBUX9910-104 Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9910-104 Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters. ====================================================== Name: CVE-1999-0211 Status: Entry Reference: BID:24 Reference: URL:http://www.securityfocus.com/bid/24 Reference: CERT:CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability Extra long export lists over 256 characters in some mount daemons allow NFS directories to be mounted by anyone. ====================================================== Name: CVE-1999-0212 Status: Entry Reference: CIAC:I-048 Reference: URL:http://www.ciac.org/ciac/bulletins/i-048.shtml Reference: SUN:00168 Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/168 Reference: XF:sun-mountd Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server. 
====================================================== Name: CVE-1999-0213 Status: Candidate Phase: Modified(20001009) Reference: MISC:http://www.securityfocus.com/archive/1/9749 Reference: SUNBUG:4305859 Reference: XF:sun-libnsl libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind. Current Votes: ACCEPT(6) Blake, Cole, Dik, Hill, Landfield, Ozancin MODIFY(3) Baker, Frech, Levy NOOP(4) Armstrong, Bishop, Meunier, Wall REVIEWING(1) Christey Voter Comments: Frech> XF:sun-libnsl Dik> Sun bug #4305859 Baker> http://xforce.iss.net/static/1204.php Misc Defensive Info http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba Vendor Info http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt Vendor Info http://www.securityfocus.com/archive/1/9749 Misc Defensive Info Christey> I don't think this is the bug that everyone thinks it is. This candidate came from CyberCop Scanner 2.4/2.5, which only reports this as a DoS problem. If SUN:00172 is an advisory for this, then it may be a duplicate of CVE-1999-0055. There appears to be overlap with other references as well. HOWEVER, this particular one deals with a DoS in rpcbind - which isn't mentioned in the sources for CVE-1999-0055. Levy> BID 148 ====================================================== Name: CVE-1999-0214 Status: Entry Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0214 Reference: XF:icmp-unreachable Denial of service by sending forged ICMP unreachable packets. ====================================================== Name: CVE-1999-0215 Status: Entry Reference: CIAC:J-012 Reference: URL:http://www.ciac.org/ciac/bulletins/j-012.shtml Reference: SGI:19981004-01-PX Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981004-01-PX Reference: XF:ripapp Routed allows attackers to append data to files. 
====================================================== Name: CVE-1999-0216 Status: Candidate Phase: Modified(19991203) Reference: BUGTRAQ:19971130 Linux inetd.. Reference: HP:HPSBUX9803-077 Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0216 Reference: XF:hp-inetd Reference: XF:linux-inetd-dos Denial of service of inetd on Linux through SYN and RST packets. Current Votes: ACCEPT(1) Hill MODIFY(2) Baker, Frech RECAST(1) Meunier Voter Comments: Meunier> The location of the vulnerability, whether in the Linux kernel or the application, is debatable. Any program making the same (reasonable) assumption is vulnerable, i.e., implements the same vulnerability: "Assumption that TCP-three-way handshake is complete after calling Linux kernel function accept(), which returns socket after getting SYN. Result is process death by SIGPIPE" Moreover, whether it results in DOS (to third parties) depends on the process that made the assumption. I think that the present entry should be split, one entry for every application that implements the vulnerability (really describing threat instances, which is what other people think about when we talk about vulnerabilities), and one entry for the Linux kernel that allows the vulnerability to happen. Frech> XF:hp-inetd XF:linux-inetd-dos Baker> Since we have an hpux bulletin, the description should not specifically say Linux, should it? It applies to multiple OS and should be likely either modified, or in extreme case, recast ====================================================== Name: CVE-1999-0217 Status: Entry Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0217 Reference: XF:udp-bomb Malicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems. 
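Added worked example for the CVE-1999-0216 discussion above. This is illustrative code written for this page, not inetd or kernel source. It reproduces the failure mode Meunier describes: the daemon gets a socket back from accept(), the peer is already gone (SYN followed by RST), and the first write raises SIGPIPE, whose default action kills the whole daemon rather than just that connection. The hardened form ignores SIGPIPE once at startup and passes MSG_NOSIGNAL on every send(), so the write returns -1 with errno EPIPE for that one client. A UNIX socketpair stands in for the accepted TCP socket so the example runs offline; the banner text is made up.

```c
/* Added example for CVE-1999-0216; not inetd code. A write to a peer that
 * has already torn the connection down must be a per-connection error,
 * never a process-killing SIGPIPE. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL 0          /* non-Linux: rely on the SIG_IGN below */
#endif

/* Call once at daemon startup. With SIGPIPE ignored, a write to a dead peer
 * is an ordinary error (EPIPE) instead of a fatal signal. */
static void harden_against_sigpipe(void) {
    signal(SIGPIPE, SIG_IGN);
}

/* Write the whole buffer; 0 on success, -1 with errno set. MSG_NOSIGNAL
 * suppresses SIGPIPE per call even if a library reset the disposition. */
static int send_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = send(fd, buf, len, MSG_NOSIGNAL);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* One connection whose peer closed before we replied. Returns the errno of
 * the failed write (EPIPE expected) or 0 if the write somehow succeeded;
 * the process must still be alive afterwards, which is the whole point. */
static int serve_dead_peer(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return errno;
    close(sv[1]);                          /* peer vanishes (the RST case) */
    const char *banner = "220 example.test ready\r\n";
    int err = send_all(sv[0], banner, strlen(banner)) < 0 ? errno : 0;
    close(sv[0]);
    return err;
}

/* Control case: a live peer; returns the byte count the peer read. */
static int serve_live_peer(void) {
    int sv[2];
    char buf[64];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    const char *banner = "220 example.test ready\r\n";
    if (send_all(sv[0], banner, strlen(banner)) < 0) return -1;
    ssize_t n = recv(sv[1], buf, sizeof buf, 0);
    close(sv[0]);
    close(sv[1]);
    return (int)n;
}

int main(void) {
    harden_against_sigpipe();
    int err = serve_dead_peer();
    printf("dead peer: %s; live peer: %d bytes delivered\n",
           strerror(err), serve_live_peer());
    return 0;
}
```

Both measures are worth having: the process-wide SIG_IGN protects code paths that use write() rather than send(), and MSG_NOSIGNAL protects the daemon even if a linked library later restores the default disposition. Neither changes whether accept() returns early on a given kernel; they only stop that behaviour from becoming a denial of service for every other client.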
====================================================== Name: CVE-1999-0218 Status: Entry Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0218 Reference: XF:portmaster-reboot Livingston portmaster machines could be rebooted via a series of commands. ====================================================== Name: CVE-1999-0219 Status: Entry Reference: BID:269 Reference: URL:http://www.securityfocus.com/bid/269 Reference: BUGTRAQ:19990909 Exploit: Serv-U Ver2.5 FTPd Win9x/NT Reference: NTBUGTRAQ:19990503 Buffer overflows in FTP Serv-U 2.5 Reference: URL:http://marc.info/?l=ntbugtraq&m=92574916930144&w=2 Reference: NTBUGTRAQ:19990504 Re: Buffer overflows in FTP Serv-U 2.5 Reference: URL:http://marc.info/?l=ntbugtraq&m=92582581330282&w=2 Reference: XF:ftp-servu(205) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/205 Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command. ====================================================== Name: CVE-1999-0220 Status: Candidate Phase: Proposed(19990728) Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0220 Attackers can do a denial of service of IRC by crashing the server. Current Votes: NOOP(2) Baker, Northcutt REJECT(2) Christey, Frech Voter Comments: Frech> Would reconsider if any references were available. Christey> No references available, combined with extremely vague description, equals REJECT. ====================================================== Name: CVE-1999-0221 Status: Entry Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0221 Reference: XF:ascend-150-kill Denial of service of Ascend routers through port 150 (remote administration). 
====================================================== Name: CVE-1999-0222 Status: Candidate Phase: Proposed(19990714) Reference: MISC:http://www.securityfocus.com/archive/1/60159 Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL. Current Votes: ACCEPT(1) Baker MODIFY(3) Frech, Levy, Shostack NOOP(3) Balinsky, Northcutt, Wall RECAST(1) Ziese REJECT(1) Christey Voter Comments: Shostack> I follow cisco announcements and problems pretty closely, and haven't seen this. Source? Frech> XF:cisco-web-crash Christey> XF:cisco-web-crash has no additional references. I can't find any references in Bugtraq or Cisco either. This bug is supposedly tested by at least one security product, but that product's database doesn't have any references either. So a question becomes, how did it make it into at least two security companies' databases? Levy> BUGTRAQ: http://www.securityfocus.com/archive/1/60159 BID 1154 Ziese> The vulnerability is addressed by a vendor acknowledgement. This one, if recast to reflect that "...after using a long url..." should be replaced with "...A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled, browsing to "http://router-ip/anytext?/" is attempted, and the enable password is supplied when requested. This defect can be exploited to produce a denial of service (DoS) attack." Then I can accept this and mark it as "Verified by my Company". If it can't be recast because this (long uri) is different than our release (special url construction). CHANGE> [Christey changed vote from REVIEWING to REJECT] Christey> Elias Levy's suggested reference is CVE-2000-0380. I don't think that Kevin's description is really addressing this either. The lack of references and a specific description make this candidate unusable, so it should be rejected. 
====================================================== Name: CVE-1999-0223 Status: Entry Reference: BID:1878 Reference: URL:http://www.securityfocus.com/bid/1878 Reference: BUGTRAQ:19961109 Syslogd and Solaris 2.4 Reference: CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches Reference: SUNBUG:1249320 Reference: XF:sol-syslogd-crash Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry. ====================================================== Name: CVE-1999-0224 Status: Entry Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0224 Reference: XF:nt-messenger Denial of service in Windows NT messenger service through a long username. ====================================================== Name: CVE-1999-0225 Status: Entry Reference: MSKB:Q180963 Reference: URL:http://www.microsoft.com/technet/support/kb.asp?ID=180963 Reference: NAI:19980214 Windows NT Logon Denial of Service Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/25_windows_nt_dos_adv.asp Reference: XF:nt-logondos Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size. ====================================================== Name: CVE-1999-0226 Status: Candidate Phase: Proposed(19990728) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0226 Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service. Current Votes: ACCEPT(1) Northcutt MODIFY(1) Frech NOOP(1) Baker REJECT(1) Christey Voter Comments: Christey> Too general, and no references. 
Frech> XF:nt-frag(528) See reference from BugTraq Mailing List, "A New Fragmentation Attack" at http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&msg=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net ====================================================== Name: CVE-1999-0227 Status: Entry Reference: MSKB:Q154087 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q154087 Reference: XF:nt-lsass-crash Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service. ====================================================== Name: CVE-1999-0228 Status: Entry Reference: MSKB:Q162567 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q162567 Reference: XF:nt-rpc-ver Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT. ====================================================== Name: CVE-1999-0229 Status: Candidate Phase: Modified(19991228) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0229 Reference: MSKB:Q115052 Denial of service in Windows NT IIS server using ..\.. Current Votes: ACCEPT(2) Baker, Shostack MODIFY(2) Frech, Wall NOOP(1) Northcutt REJECT(1) Christey REVIEWING(1) Levy Voter Comments: Wall> Denial of service in Windows NT IIS Server 1.0 using ..\... Source: Microsoft Knowledge Base Article Q115052 - IIS Server. Frech> XF:http-dotdot (not necessarily IIS?) Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot problem. Christey> This actually looks like XF:iis-dot-dot-crash(1638) http://xforce.iss.net/static/1638.php If so, include the version number (2.0) CHANGE> [Christey changed vote from REVOTE to REJECT] Christey> Bill Wall intended to suggest Q155052, but the affected IIS version there is 1.0; the effect is to read files, so this sounds like a directory traversal problem, instead of an inability to process certain strings. 
As a result, this candidate is too general, since it could apply to 2 different problems, so it should be REJECTed. Christey> Consider adding BID:2218 ====================================================== Name: CVE-1999-0230 Status: Entry Reference: CISCO:http://www.cisco.com/warp/public/770/pwbuf-pub.shtml Reference: OSVDB:1102 Reference: URL:http://www.osvdb.org/1102 Buffer overflow in Cisco 7xx routers through the telnet service. ====================================================== Name: CVE-1999-0231 Status: Candidate Phase: Modified(19991207) Reference: BUGTRAQ:19990317 Re: SLMail 2.6 DoS - Imail also Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0231 Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access. Current Votes: ACCEPT(2) Baker, Levy NOOP(3) Christey, Landfield, Northcutt RECAST(1) Frech REVIEWING(1) Ozancin Voter Comments: Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below) XF:smtp-vrfy-bo (many mail packages) Northcutt> (There is no way I will have access to these systems) Christey> Some sources report that VRFY and EXPN are both affected. ====================================================== Name: CVE-1999-0232 Status: Candidate Phase: Modified(19991220) Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0232 Buffer overflow in NCSA WebServer (version 1.5c) gives remote access. Current Votes: ACCEPT(2) Hill, Northcutt MODIFY(1) Frech NOOP(1) Prosser REJECT(1) Baker REVIEWING(1) Christey Voter Comments: Frech> Unable to provide a match due to vague/insufficient description/references. Possible matches are: XF:ftp-ncsa (probably not, considering you've mentioned the webserver.) XF:http-ncsa-longurl (highest probability) Christey> CVE-1999-0235 is the one associated with XF:http-ncsa-longurl More research is necessary for this one. 
Baker> Since this has no references at all, and is vague and we have a CAN for the most likely issue, we should kill this one ====================================================== Name: CVE-1999-0233 Status: Entry Reference: MSKB:Q148188 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q148188 Reference: MSKB:Q155056 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q155056 Reference: XF:http-iis-cmd IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files. ====================================================== Name: CVE-1999-0234 Status: Entry Reference: CERT:CA-96.22.bash_vuls Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0234 Reference: XF:bash-cmd Bash treats any character with a value of 255 as a command separator. ====================================================== Name: CVE-1999-0235 Status: Candidate Phase: Modified(19991220) Reference: CERT:CA-95:04 Reference: CIAC:F-11 Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0235 Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access. Current Votes: ACCEPT(3) Hill, Northcutt, Prosser MODIFY(1) Frech REJECT(2) Baker, Christey Voter Comments: Frech> XF:http-ncsa-longurl Christey> CVE-1999-0235 has the same ref's as CVE-1999-0267 Baker> Not to mention, the X-force listings of http-ncsa-longurl and http-port both refer to the same problem. This should be rejected as 1999-0267 is the same problem. ====================================================== Name: CVE-1999-0236 Status: Entry Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0236 Reference: XF:http-scriptalias ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs. 
====================================================== Name: CVE-1999-0237 Status: Entry Reference: CERT:VB-97.02 Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0237 Reference: XF:http-cgi-guestbook Remote execution of arbitrary commands through Guestbook CGI program. ====================================================== Name: CVE-1999-0238 Status: Candidate Phase: Proposed(19990623) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0238 Reference: XF:http-cgi-phpfileread php.cgi allows attackers to read any file on the system. Current Votes: ACCEPT(5) Baker, Collins, Frech, Northcutt, Prosser NOOP(1) Christey Voter Comments: Prosser> additional source AUSCERT External Security Bulletin ESB-97.047 http://www.auscert.org.au Christey> ADDREF BUGTRAQ:19970416 Update on PHP/FI hole URL:http://www.dataguard.no/bugtraq/1997_2/0069.html The attacker specifies the filename as an argument to the program. Add "PHP/FI" to description to facilitate search. AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047 Christey> Consider adding BID:2250 ====================================================== Name: CVE-1999-0239 Status: Entry Reference: OSVDB:122 Reference: URL:http://www.osvdb.org/122 Reference: XF:fastrack-get-directory-list Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET. ====================================================== Name: CVE-1999-0240 Status: Candidate Phase: Proposed(19990728) Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0240 Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy. Current Votes: ACCEPT(1) Northcutt NOOP(1) Baker REJECT(1) Frech Voter Comments: Frech> Would reconsider if any references were available. 
====================================================== Name: CVE-1999-0241 Status: Candidate Phase: Modified(19990925) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0241 Reference: XF:http-xguess-cookie Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm. Current Votes: ACCEPT(3) Hill, Northcutt, Proctor MODIFY(2) Frech, Prosser NOOP(1) Baker REVIEWING(1) Christey Voter Comments: Frech> Also add to references: XF:sol-mkcookie Prosser> additional source Bugtraq "X11 cookie hijacker" http://www.securityfocus.com Christey> The cookie hijacker thread has to do with stealing cookies through a file with bad permissions. I'm not sure the X-Force reference identifies this problem either. Christey> CIAC:G-04 URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml SGI:19960601-01-I URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I CERT:VB-95:08 ====================================================== Name: CVE-1999-0242 Status: Candidate Phase: Modified(20000106) Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0242 Reference: XF:linux-pop3d Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(4) Christey, Northcutt, Shostack, Wall REVIEWING(1) Levy Voter Comments: Frech> Ambiguous description: need more detail. Possibly: XF:linux-pop3d (mktemp() leads to reading e-mail) Christey> At first glance this might look like CVE-1999-0123 or CVE-1999-0125, however this particular candidate arises out of a brief mention of the problem in a larger posting which discusses CVE-1999-0123 (which may be the same bug as CVE-1999-0125). 
See the following phrase in the Bugtraq post: "one such example of this is in.pop3d" However, the original source of this candidate's description explicitly mentions shadowed passwords, though it has no references to help out here. ====================================================== Name: CVE-1999-0243 Status: Candidate Phase: Proposed(19990714) Reference: MISC:http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/ Linux cfingerd could be exploited to gain root access. Current Votes: ACCEPT(1) Shostack NOOP(4) Baker, Levy, Northcutt, Wall REJECT(2) Christey, Frech Voter Comments: Christey> This has no sources; neither does the original database that this entry came from. It's a likely duplicate of CVE-1999-0813. Frech> I disagree on the dupe; see Linux-Security Mailing List, "[linux-security] Cfinger (Yet more :)" at http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains to 1.4.x and below and shows up two years later. CHANGE> [Frech changed vote from REVIEWING to REJECT] Frech> If the reference I previously supplied is correct, then it appears as if the poster modified the source using authorized access to make it vulnerable. Modifying the source in this manner does not qualify as being listed a vulnerability. I disagree on the dupe; see Linux-Security Mailing List, "[linux-security] Cfinger (Yet more :)" at http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains to 1.4.x and below and shows up two years later. ====================================================== Name: CVE-1999-0244 Status: Entry Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0244 Reference: NAI:NAI-23 Reference: XF:radius-accounting-overflow Livingston RADIUS code has a buffer overflow which can allow remote execution of commands as root. 
====================================================== Name: CVE-1999-0245 Status: Entry Reference: BUGTRAQ:19950907 Linux NIS security problem hole and fix Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0245 Reference: XF:linux-plus Some configurations of NIS+ in Linux allowed attackers to log in as the user "+". ====================================================== Name: CVE-1999-0246 Status: Candidate Phase: Proposed(19990630) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0246 Reference: XF:hp-remote HP Remote Watch allows a remote user to gain root access. Current Votes: ACCEPT(4) Frech, Hill, Northcutt, Prosser NOOP(1) Baker RECAST(1) Christey Voter Comments: Frech> Comment: Determine if it's RemoteWatch or Remote Watch. Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in Remote Watch (the advisory uses two words, not one, for the "Remote Watch" name) ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit) URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com Prosser> agree that the advisory mentions two vulnerabilities in Remote Watch, one being a socket connection and other with the showdisk utility which seems to be a suid vulnerability. Never get much details on this anywhere since the recommendation is to remove the program since it is obsolete and superseded by later tools. Believe the biggest concern here is to just not run the tool at all. Christey> CIAC:H-16 Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp And possibly AUSCERT:AA-96.07 at ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul Christey> Also BUGTRAQ:19961013 BoS: SOD remote exploit http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2 Include "remwatch" in the description to facilitate search. 
====================================================== Name: CVE-1999-0247 Status: Entry Reference: BID:1443 Reference: URL:http://www.securityfocus.com/bid/1443 Reference: NAI:19970721 INN news server vulnerabilities Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/17_inn_avd.asp Reference: XF:inn-bo Buffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands. ====================================================== Name: CVE-1999-0248 Status: Entry Reference: CONFIRM:http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1 Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html A race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials. ====================================================== Name: CVE-1999-0249 Status: Candidate Phase: Proposed(19990714) Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0249 Windows NT RSHSVC program allows remote users to execute arbitrary commands. Current Votes: ACCEPT(1) Baker MODIFY(2) Frech, Wall NOOP(2) Northcutt, Shostack RECAST(1) Christey REVIEWING(1) Levy Voter Comments: Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows remote users to execute arbitrary commands. Source: rshsvc.txt from the Windows NT Resource Kit. Frech> XF:rsh-svc Christey> MSKB:Q158320, last reviewed in January 1999, refers to a case where remote users coming from authorized machines are allowed access regardless of what .rhosts says. XF:rsh-svc refers to a bug circa 1997 where any remote entity could execute commands as system. 
======================================================
Name: CVE-1999-0250
Status: Candidate
Phase: Modified(20010301)
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.info/?l=bugtraq&m=87602558319024&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: XF:qmail-leng

Denial of service in Qmail through long SMTP commands.

Current Votes:
   ACCEPT(2) Hill, Meunier
   MODIFY(1) Frech
   REJECT(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:qmail-rcpt
 Christey> DUPE CVE-1999-0418 and CVE-1999-0144?
 Christey> Dan Bernstein, author of Qmail, says that this is not a vulnerability in qmail because Unix has built-in resource limits that can restrict the size of a qmail process; other limits can be specified by the administrator. See http://cr.yp.to/qmail/venema.html
   Significant discussion of this issue took place on the qmail list. The fundamental question appears to be whether application software should set its own limits, or rely on limits set by the parent operating system (in this case, UNIX). Also, some people said that the only problem was that the suggested configuration was not well documented, but this was refuted by others.
   See the following threads at http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
   "Denial of service (qmail-smtpd)"
   "qmail-dos-2.c, another denial of service"
   "[PATCH] denial of service"
   "just another qmail denial-of-service"
   "the UNIX way"
   "Time for a reality check"
   Also see Bugtraq threads on a different vulnerability that is related to this topic:
   BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
   http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
 Baker> This appears to be the same vulnerability listed in CAN 1999-0144.
   In reading through both bugtraq postings, the one that is referenced by 0144 is based on a shell code exploit to cause memory exhaustion. The bugtraq posting referenced by this entry refers explicitly to the prior posting for 0144, and states that the same effect could be accomplished by a perl exploit, which was then attached.
 Baker> http://www.securityfocus.com/archive/1/6969 CVE-1999-0144
   http://www.securityfocus.com/archive/1/6970 CVE-1999-0250
   Both references should be added to CVE-1999-0144, and CVE-1999-0250 should likely be rejected.
 CHANGE> [Baker changed vote from REVIEWING to REJECT]
 Christey> XF:qmail-leng no longer exists; check with Andre to see if they regarded it as a duplicate as well.
   qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands. It appears that super@ufo.org followed up to the wrong message.
   qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands.
   ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd)
   ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
   Also see a related thread:
   BUGTRAQ:19990308 SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
   This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this:
   BUGTRAQ:19990309 Re: SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
   The person further says, "This attack can easily be prevented with configuration methods."
======================================================
Name: CVE-1999-0251
Status: Entry
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0251
Reference: XF:talkd-flash

Denial of service in talk program allows remote attackers to disrupt a user's display.

======================================================
Name: CVE-1999-0252
Status: Entry
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0252
Reference: XF:smtp-listserv

Buffer overflow in listserv allows arbitrary command execution.

======================================================
Name: CVE-1999-0253
Status: Candidate
Phase: Modified(20000106)
Reference: L0PHT:19970319
Reference: MISC:http://www.securityfocus.com/bid/1814
Reference: XF:http-iis-2e

IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL.

Current Votes:
   ACCEPT(9) Armstrong, Baker, Bishop, Blake, Cole, Collins, Frech, Landfield, Northcutt
   MODIFY(1) LeBlanc
   NOOP(3) Ozancin, Prosser, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> This is a problem that was introduced after patching a previous dot bug with the iis-fix hotfix (see CVE-1999-0154). Since the hotfix introduced the problem, this should be treated as a separate issue.
 Wall> Agree with the comment.
 LeBlanc> - this one is so old, I don't remember it at all and can't verify or deny the issue.
   If you can find some documentation that says we fixed it (KB article, hotfix, something), then I would change this to ACCEPT
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> BID:1814
   URL:http://www.securityfocus.com/bid/1814

======================================================
Name: CVE-1999-0254
Status: Candidate
Phase: Proposed(19990726)
Reference: ISS:Hidden SNMP community in HP OpenView
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0254
Reference: XF:hpov-hidden-snmp-comm

A hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information.

Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> What is the proper level of abstraction to use here? Should we have a separate entry for each different default community string? See:
   http://cve.mitre.org/Board_Sponsors/archives/msg00242.html
   and
   http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
   http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
   Until the associated content decisions have been approved by the Editorial Board, this candidate cannot be accepted for inclusion in CVE.

======================================================
Name: CVE-1999-0255
Status: Candidate
Phase: Proposed(19990623)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0255

Buffer overflow in ircd allows arbitrary command execution.

Current Votes:
   ACCEPT(3) Baker, Hill, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser
   REJECT(1) Christey

Voter Comments:
 Frech> XF:irc-bo
 Christey> This is too general and doesn't have any references. The XF reference doesn't appear to exist any more. Perhaps this reference would help:
   BUGTRAQ:19970701 ircd buffer overflow
 Baker> It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post.
======================================================
Name: CVE-1999-0256
Status: Entry
Reference: OSVDB:875
Reference: URL:http://www.osvdb.org/875
Reference: XF:war-ftpd

Buffer overflow in War FTP allows remote execution of commands.

======================================================
Name: CVE-1999-0257
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0257

Nestea variation of teardrop IP fragmentation denial of service.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:nestea-linux-dos
 Christey> Not sure how many separate "instances" of Teardrop and its ilk. Also see comments on CVE-1999-0001.
   See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
   Is CVE-1999-0001 the same as CVE-1999-0052? That one is related to nestea (CVE-1999-0257) and probably the one described in BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
   The patch for nestea is in ip_input.c around line 750. The patches for CVE-1999-0001 are in lines 388&446. So, CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. The FreeBSD patch for CVE-1999-0052 is in line 750. So, CVE-1999-0257 and CVE-1999-0052 may be the same, though CVE-1999-0052 should be RECAST since this bug affects Linux and other OSes besides FreeBSD.
   Also see BUGTRAQ:19990909 CISCO and nestea.
   Finally, note that there is no fundamental difference between nestea and nestea2/nestea-v2; they are different ports that exploit the same problem.
   The original nestea advisory is at http://www.technotronic.com/rhino9/advisories/06.htm but notice that the suggested fix is in line 375 of ip_fragment.c, not ip_input.c.
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> BUGTRAQ:19980501 nestea does other things
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2
   BUGTRAQ:19980508 nestea2 and HP Jet Direct cards.
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2
   BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2
   Nestea source code is in MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html

======================================================
Name: CVE-1999-0258
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:https://marc.info/?l=ntbugtraq&m=88901842000424&w=2

Bonk variation of teardrop IP fragmentation denial of service.

Current Votes:
   MODIFY(2) Frech, Wall
   REVIEWING(1) Christey

Voter Comments:
 Wall> Reference Q179129
 Frech> XF:teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are.
   See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> BUGTRAQ:19980108 bonk.c
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88429524325956&w=2
   NTBUGTRAQ:19980108 bonk.c
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88433857200304&w=2
   NTBUGTRAQ:19980109 Re: Bonk.c
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88441302913269&w=2
   NTBUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88901842000424&w=2
   BUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88903296104349&w=2
   CIAC:I-031a
   http://ciac.llnl.gov/ciac/bulletins/i-031a.shtml
   CERT summary CS-98.02 implies that bonk, boink, and newtear all exploit the same vulnerability.
======================================================
Name: CVE-1999-0259
Status: Entry
Reference: BUGTRAQ:19970523 cfingerd vulnerability
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0259
Reference: XF:cfinger-user-enumeration

cfingerd lists all users on a system via search.**@target.

======================================================
Name: CVE-1999-0260
Status: Entry
Reference: BUGTRAQ:19961224 jj cgi
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0260
Reference: XF:http-cgi-jj

The jj CGI program allows command execution via shell metacharacters.

======================================================
Name: CVE-1999-0261
Status: Candidate
Phase: Modified(20000827)
Reference: BUGTRAQ:19980504 Netmanage Holes
Reference: MISC:http://www.insecure.org/sploits/netmanage.chameleon.overflows.html

Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Landfield
   NOOP(3) Christey, Northcutt, Ozancin

Voter Comments:
 Frech> XF:chamelion-smtp-dos
 Landfield> - Specify what "a crash" means.
 Christey> ADDREF XF:chameleon-smtp-dos ? (but it's not on the web site)
 Christey> Consider adding BID:2387

======================================================
Name: CVE-1999-0262
Status: Entry
Reference: BID:2056
Reference: URL:http://www.securityfocus.com/bid/2056
Reference: BUGTRAQ:19980804 PATCH: faxsurvey
Reference: BUGTRAQ:19980804 remote exploit in faxsurvey cgi-script
Reference: XF:http-cgi-faxsurvey(1532)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1532

Hylafax faxsurvey CGI script on Linux allows remote attackers to execute arbitrary commands via shell metacharacters in the query string.
======================================================
Name: CVE-1999-0263
Status: Entry
Reference: SUN:00173
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/173
Reference: XF:sun-sunwadmap

Solaris SUNWadmap can be exploited to obtain root access.

======================================================
Name: CVE-1999-0264
Status: Entry
Reference: BUGTRAQ:Jan27,1998
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0264
Reference: XF:http-htmlscript-file-access

htmlscript CGI program allows remote read access to files.

======================================================
Name: CVE-1999-0265
Status: Entry
Reference: ISS:ICMP Redirects Against Embedded Controllers
Reference: MSKB:Q154174
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q154174
Reference: XF:icmp-redirect

ICMP redirect messages may crash or lock up a host.

======================================================
Name: CVE-1999-0266
Status: Entry
Reference: BID:1995
Reference: URL:http://www.securityfocus.com/bid/1995
Reference: BUGTRAQ:19980303 Vulnerabilites in some versions of info2www CGI
Reference: XF:http-cgi-info2www

The info2www CGI script allows remote file access or remote command execution.

======================================================
Name: CVE-1999-0267
Status: Entry
Reference: CERT:CA-95.04.NCSA.http.daemon.for.unix.vulnerability
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0267
Reference: XF:http-port

Buffer overflow in NCSA HTTP daemon v1.3 allows remote command execution.
======================================================
Name: CVE-1999-0268
Status: Entry
Reference: BUGTRAQ:19980630 Security vulnerabilities in MetaInfo products
Reference: BUGTRAQ:19980703 Followup to MetaInfo vulnerabilities
Reference: OSVDB:110
Reference: URL:http://www.osvdb.org/110
Reference: OSVDB:3969
Reference: URL:http://www.osvdb.org/3969
Reference: XF:metaweb-server-dot-attack

MetaInfo MetaWeb web server allows users to upload, execute, and read scripts.

======================================================
Name: CVE-1999-0269
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0269
Reference: XF:netscape-server-pageservices

Netscape Enterprise servers may list files through the PageServices query.

======================================================
Name: CVE-1999-0270
Status: Entry
Reference: BID:64
Reference: URL:http://www.securityfocus.com/bid/64
Reference: BUGTRAQ:19980317 IRIX performer_tools bug
Reference: CIAC:I-041
Reference: URL:http://www.ciac.org/ciac/bulletins/i-041.shtml
Reference: OSVDB:134
Reference: URL:http://www.osvdb.org/134
Reference: SGI:19980401-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980401-01-P
Reference: XF:sgi-pfdispaly(810)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/810

Directory traversal vulnerability in pfdispaly.cgi program (sometimes referred to as "pfdisplay") for SGI's Performer API Search Tool (performer_tools) allows remote attackers to read arbitrary files.

======================================================
Name: CVE-1999-0271
Status: Candidate
Phase: Modified(19990925)
Reference: BUGTRAQ:19980115 pnserver exploit..
Reference: BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0271

Progressive Networks Real Video server (pnserver) can be crashed remotely.
Current Votes:
   ACCEPT(3) Baker, Blake, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser
   REVIEWING(1) Christey

Voter Comments:
 Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq posting), but may be multiple codebases since several Real Audio servers are affected. Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow. See CVE-1999-0896
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> ADDREF XF:realvideo-telnet-dos

======================================================
Name: CVE-1999-0272
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0272
Reference: XF:slmail-username-bo

Denial of service in Slmail v2.5 through the POP3 port.

======================================================
Name: CVE-1999-0273
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0273
Reference: XF:sun-telnet-kill

Denial of service through Solaris 2.5.1 telnet by sending ^D characters.

======================================================
Name: CVE-1999-0274
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0274
Reference: NAI:NAI-5
Reference: XF:nt-dns-dos

Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made.

======================================================
Name: CVE-1999-0275
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0275
Reference: MS:Q169461
Reference: XF:nt-dnscrash
Reference: XF:nt-dnsver

Denial of service in Windows NT DNS servers by flooding port 53 with too many characters.

======================================================
Name: CVE-1999-0276
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0276
Reference: SEKURE:sekure.01-99.msql
Reference: XF:msql-debug-bo

mSQL v2.0.1 and below allows remote execution through a buffer overflow.
======================================================
Name: CVE-1999-0277
Status: Entry
Reference: CERT:CA-96.23.workman_vul
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0277
Reference: XF:workman

The WorkMan program can be used to overwrite any file to get root access.

======================================================
Name: CVE-1999-0278
Status: Entry
Reference: MS:MS98-003
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-003
Reference: OVAL:oval:org.mitre.oval:def:913
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A913
Reference: XF:iis-asp-data-check

In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.

======================================================
Name: CVE-1999-0279
Status: Entry
Reference: BUGTRAQ:19971217 CGI security hole in EWS (Excite for Web Servers)
Reference: BUGTRAQ:19980115 Excite announcement
Reference: CERT:VB-98.01.excite
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0279
Reference: XF:excite-cgi-search-vuln

Excite for Web Servers (EWS) allows remote command execution via shell metacharacters.

======================================================
Name: CVE-1999-0280
Status: Entry
Reference: CIAC:H-38
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0280
Reference: NTBUGTRAQ:19970317 Internet Explorer Bug #4
Reference: XF:http-ie-lnkurl

Remote command execution in Microsoft Internet Explorer using .lnk and .url files.

======================================================
Name: CVE-1999-0281
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0281
Reference: XF:http-iis-longurl

Denial of service in IIS using long URLs.
======================================================
Name: CVE-1999-0282
Status: Candidate
Phase: Modified(20050830)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584, CVE-1999-1586. Reason: This candidate combined references from one issue with the description from another issue. Notes: Users should consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate name. All references and descriptions in this candidate have been removed to prevent accidental usage.

Current Votes:
   ACCEPT(2) Baker, Dik
   MODIFY(1) Frech
   NOOP(1) Ozancin
   RECAST(1) Prosser
   REJECT(1) Christey

Voter Comments:
 Frech> XF:sun-loadmodule
   XF:sun-modload (CERT CA-93.18 very old!)
 Prosser> Believe the reference given, 95-12, is referencing a later loadmodule(8) setuid problem in the X11/NeWS windowing system. There is an earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories for the SunOS 4.1.x/Solbourne and OpenWindow 3.0. In fact, there may be the same as the HP patches are 100448-02 for the 93 loadmodule/modload vulnerability and 100448-03 for the 95 loadmodule vulnerability which normally indicated a patch update. Looks like the original patch either didn't completely fix the problem or it resurfaced in X11 NeWS. Can't tell much beyond that and this is my opinion only as have no way to check it. Which one is this CVE referencing? I accept both.
 Dik> There are three similar Sun bug ids associated with the patches.
   1076118 loadmodule has a security vulnerability
   1148753 loadmodule has a security vulnerability
   1222192 loadmodule has a security vulnerability
   as well as:
   1137491 Ancient stuff.
 Christey> Add period to the end of the description.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> This is distinct from CVE-1999-1584 - CVE-1999-1584 is for CA-93.18.
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> This candidate combines two separate issues.
   It uses the CERT alert reference from 1995, from one issue, but a description that is associated with a separate issue.

======================================================
Name: CVE-1999-0283
Status: Candidate
Phase: Modified(19991203)
Reference: BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer
Reference: URL:http://marc.info/?l=bugtraq&m=88256790401004&w=2

The Java Web Server would allow remote users to obtain the source code for CGI programs.

Current Votes:
   ACCEPT(7) Baker, Blake, Cole, Collins, Dik, Northcutt, Wall
   MODIFY(1) Frech
   NOOP(5) Armstrong, Bishop, Christey, Landfield, Prosser
   REVIEWING(1) Ozancin

Voter Comments:
 Wall> Acknowledged by vendor at http://www.sun.com/software/jwebserver/techinfo/jws112info.html.
 Baker> Vulnerability Reference (HTML) Reference Type
   http://www.securityfocus.com/archive/1/7260 Misc Defensive Info
   http://www.sun.com/software/jwebserver/techinfo/jws112info.html Vendor Info
 Christey> BID:1891
   URL:http://www.securityfocus.com/bid/1891
 Christey> Add version number (1.1 beta) and details of attack (appending a . or a \)
   The Sun URL referenced by Dave Baker no longer exists, so I wasn't able to verify that it addressed the problem described in the Bugtraq post.
   This might not even be Sun's "Java Web Server," as CVE-2001-0186 describes some product called "Free Java Web Server"
 Dik> There appears to be some confusion. The particular bug seems to be on in JWS 1.1beta or 1.1 which was fixed in 1.1.2 (get foo.jhtml source by appending "." or "\" to URL)
   There are other bugs that give access and that require a configuration change.
   http://www.sun.com/software/jwebserver/techinfo/security_advisory.html
 Christey> Need to make sure to create CAN's for the other bugs, as documented in:
   NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS
   http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2
   BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2
   The reported bugs are:
   1) file read by appending %20
   2) Directly call /servlet/file
   URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html
   #2 is explicitly mentioned in the Sun advisory for CVE-1999-0283.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:javawebserver-cgi-source(5383)

======================================================
Name: CVE-1999-0284
Status: Candidate
Phase: Proposed(19990623)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0284
Reference: XF:smtp-helo-bo

Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command.

Current Votes:
   ACCEPT(2) Blake, Northcutt
   MODIFY(3) Frech, Levy, Ozancin
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification)
   XF:mdaemon-helo-bo
   XF:lotus-notes-helo-crash
   XF:slmail-helo-overflow
   XF:smtp-helo-bo (mentions several products)
   XF:smtp-exchangedos
 Levy> - Need one per software. Each one should be its own vulnerability.
 Ozancin> => Windows NT is correct
 Christey> These are probably multiple codebases, so we'll need to use dot notation. Also need to see if this should be merged with CVE-1999-0098 (Sendmail SMTP HELO).

======================================================
Name: CVE-1999-0285
Status: Candidate
Phase: Proposed(19990630)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0285

Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection.
Current Votes:
   ACCEPT(1) Hill
   NOOP(2) Baker, Wall
   REJECT(2) Christey, Frech

Voter Comments:
 Christey> No references, no information.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> No references; closest documented match is with CVE-2001-0346, but that's for Windows 2000.

======================================================
Name: CVE-1999-0286
Status: Candidate
Phase: Proposed(19990714)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0286

In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages.

Current Votes:
   ACCEPT(3) Armstrong, Cole, Shostack
   MODIFY(3) Blake, Levy, Wall
   NOOP(5) Baker, Bishop, Landfield, Northcutt, Ozancin
   REJECT(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Wall> In some NT web servers, appending a dot at the end of a URL may allow attackers to read source code for active pages. Source: MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears in Browser"
 Frech> In the meantime, reword description as 'Windows NT' (trademark issue)
 Christey> Q163485 does not refer to a space, it refers to a dot. However, I don't have other references. Reading source code with a dot appended is in CVE-1999-0154, which will be proposed. A subsequent bug similar to the dot bug is CVE-1999-0253.
 Levy> NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014
   NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019
   BID 273
 Blake> Reference: http://www.allaire.com/handlers/index.cfm?ID=10967
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> BID articles)

======================================================
Name: CVE-1999-0287
Status: Candidate
Phase: Proposed(19990714)
Reference: MISC:https://marc.info/?l=ntbugtraq&m=92368828704896&w=2

Vulnerability in the Wguest CGI program.
Current Votes:
   MODIFY(2) Frech, Shostack
   NOOP(4) Blake, Levy, Northcutt, Wall
   REJECT(2) Baker, Christey

Voter Comments:
 Shostack> allows file reading
 Frech> XF:http-cgi-webcom-guestbook
 Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers Mnemonix says that he had previously reported on a similar problem. Let's refer to the NTBugtraq posting as CVE-1999-0467. We will refer to the "previous report" as CVE-1999-0287, which could be found at:
   http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
   0287 describes an exploit via the "template" hidden variable. The exploit describes manually editing the HTML form to change the filename to read from the template variable. The exploit as described in 0467 encodes the template variable directly into the URL. However, hidden variables are also encoded into the URL, which would have looked the same to the web server regardless of the exploit. Therefore 0287 and 0467 are the same.
 Christey> BID:2024

======================================================
Name: CVE-1999-0288
Status: Entry
Reference: BUGTRAQ:19970801 WINS flooding
Reference: BUGTRAQ:19970815 Re: WINS flooding
Reference: MISC:http://safenetworks.com/Windows/wins.html
Reference: MSKB:155701
Reference: NTBUGTRAQ:19970801 WINS flooding
Reference: XF:nt-winsupd-fix(1233)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1233

The WINS server in Microsoft Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service (process termination) via invalid UDP frames to port 137 (NETBIOS Name Service), as demonstrated via a flood of random packets.

======================================================
Name: CVE-1999-0289
Status: Entry
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0289

The Apache web server for Win32 may provide access to restricted files when a . (dot) is appended to a requested URL.
======================================================
Name: CVE-1999-0290
Status: Entry
Reference: BUGTRAQ:19980221 WinGate DoS
Reference: BUGTRAQ:19980326 WinGate Intermediary Fix/Update
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0290
Reference: XF:wingate-dos

The WinGate telnet proxy allows remote attackers to cause a denial of service via a large number of connections to localhost.

======================================================
Name: CVE-1999-0291
Status: Entry
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0291
Reference: XF:wingate-unpassworded

The WinGate proxy is installed without a password, which allows remote attackers to redirect connections without authentication.

======================================================
Name: CVE-1999-0292
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0292
Reference: XF:nt-winpopup

Denial of service through Winpopup using large user names.

======================================================
Name: CVE-1999-0293
Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/aaapair-pub.shtml
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0293
Reference: XF:cisco-ios-aaa-auth

AAA authentication on Cisco systems allows attackers to execute commands without authorization.

======================================================
Name: CVE-1999-0294
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0294
Reference: XF:nt-wins-snmp2

All records in a WINS database can be deleted through SNMP for a denial of service.

======================================================
Name: CVE-1999-0295
Status: Entry
Reference: SUN:00157
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/157
Reference: XF:sun-sysdef

Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges.
======================================================
Name: CVE-1999-0296
Status: Entry
Reference: SUN:00162
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/162
Reference: XF:sun-volrmmount

Solaris volrmmount program allows attackers to read any file.

======================================================
Name: CVE-1999-0297
Status: Entry
Reference: AUSCERT:AA-96.21
Reference: CIAC:H-17
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0297
Reference: NAI:NAI-3
Reference: XF:vixie-cron

Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable.

======================================================
Name: CVE-1999-0298
Status: Candidate
Phase: Modified(20000524)
Reference: NAI:19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/06_ypbindsetme_adv.asp

ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack.

Current Votes:
   ACCEPT(4) Cole, Dik, Levy, Northcutt
   MODIFY(1) Frech
   NOOP(3) Baker, Christey, Shostack

Voter Comments:
 Christey> ADDREF BID:1441
   URL:http://www.securityfocus.com/bid/1441
 Dik> If you run with "-ypset", then you're always insecure. With ypsetme, only root on the local host can run ypset in Solaris 2.x+. Probably true for SunOS 4, hence my vote.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> ADDREF XF:ypbind-ypset-root
 CHANGE> [Dik changed vote from REVIEWING to ACCEPT]
 Dik> This vulnerability does exist in SunOS 4.x in non default configurations.
   In Solaris 2.x, the vulnerability only applies to files named "cache_binding" and not all files ending in .2
   Both releases are not vulnerable in the default configuration (both disallow ypset by default which prevents this problem from occurring)

======================================================
Name: CVE-1999-0299
Status: Entry
Reference: NAI:NAI-9
Reference: OSVDB:6093
Reference: URL:http://www.osvdb.org/6093

Buffer overflow in FreeBSD lpd through long DNS hostnames.

======================================================
Name: CVE-1999-0300
Status: Entry
Reference: SUN:00155
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/155
Reference: XF:sun-niscache

nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ servers.

======================================================
Name: CVE-1999-0301
Status: Entry
Reference: AUSCERT:AUSCERT-97.17
Reference: SUN:00149
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/149
Reference: XF:sun-ps2bo

Buffer overflow in SunOS/Solaris ps command.

======================================================
Name: CVE-1999-0302
Status: Entry
Reference: SUN:00176
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/176
Reference: XF:sun-ftp-server

SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server.

======================================================
Name: CVE-1999-0303
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0303
Reference: RSI:RSI.0002.05-18-98.BNU.UUCPD
Reference: XF:bnu-uucpd-bo

Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.
======================================================
Name: CVE-1999-0304
Status: Entry
Reference: FREEBSD:FreeBSD-SA-98:02
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0304
Reference: XF:bsd-mmap

mmap function in BSD allows local attackers in the kmem group to modify memory through devices.

======================================================
Name: CVE-1999-0305
Status: Entry
Reference: MISC:http://www.openbsd.org/advisories/sourceroute.txt
Reference: OPENBSD:Feb15,1998 "IP Source Routing Problem"
Reference: OSVDB:11502
Reference: URL:http://www.osvdb.org/11502
Reference: XF:bsd-sourceroute(736)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/736

The system configuration control (sysctl) facility in BSD based operating systems OpenBSD 2.2 and earlier, and FreeBSD 2.2.5 and earlier, does not properly restrict source routed packets even when the (1) dosourceroute or (2) forwarding variables are set, which allows remote attackers to spoof TCP connections.

======================================================
Name: CVE-1999-0306
Status: Candidate
Phase: Proposed(19990714)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0306
Reference: XF:hp-xlock

buffer overflow in HP xlock program.

Current Votes:
   ACCEPT(3) Baker, Frech, Northcutt
   MODIFY(1) Prosser
   NOOP(1) Shostack
   REJECT(1) Christey

Voter Comments:
 Prosser> This is another of those with multiple affected OSs. Refs: CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt, HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150
 Christey> XF:hp-xlock points to SGI:19970502-02-PX which says this is the same problem as in CERT:CA-97.13, which is CVE-1999-0038.
======================================================
Name: CVE-1999-0307
Status: Candidate
Phase: Modified(19991207)
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0307
Reference: XF:hpux-cstm-bo

Buffer overflow in HP-UX cstm program allows local users to gain root privileges.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   NOOP(3) Baker, Prosser, Shostack
   RECAST(1) Christey

Voter Comments:
 Prosser> only ref I can find is an old SOD exploit on www.outpost9.com
 Christey> MERGE CVE-1999-0336 (the exact exploit works with both cstm and mstm, which are clearly part of the same package, so CD:SF-EXEC says to merge them.) Also, there does not seem to be any recognition of this problem by HP. The only other information besides the Bugtraq post is the SOD exploit.
   See the original post: http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-11-15&msg=Pine.LNX.3.91.961116112242.15276J-100000@underground.org

======================================================
Name: CVE-1999-0308
Status: Entry
Reference: CIAC:H-03: HP-UX suid Vulnerabilities
Reference: HP:HPSBUX9410-018
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9410-018
Reference: XF:hpux-gwind-overwrite

HP-UX gwind program allows users to modify arbitrary files.

======================================================
Name: CVE-1999-0309
Status: Entry
Reference: CIAC:H-27: HP-UX vgdisplay Buffer Overrun Vulnerability
Reference: HP:HPSBUX9702-056
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9702-056
Reference: XF:hpux-vgdisplay

HP-UX vgdisplay program gives root access to local users.

======================================================
Name: CVE-1999-0310
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0310
Reference: XF:ssh-1225

SSH 1.2.25 on HP-UX allows access to new user accounts.
======================================================
Name: CVE-1999-0311
Status: Entry
Reference: HP:HPSBUX9612-042
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9612-042
Reference: XF:hpux-fpkg2swpk

fpkg2swpk in HP-UX allows local users to gain root access.

======================================================
Name: CVE-1999-0312
Status: Entry
Reference: CERT:CA-93:01.REVISED.HP.NIS.ypbind.vulnerability
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0312
Reference: XF:nis-ypbind

HP ypbind allows attackers with root privileges to modify NIS data.

======================================================
Name: CVE-1999-0313
Status: Entry
Reference: BID:214
Reference: URL:http://www.securityfocus.com/bid/214
Reference: MISC:http://www.securityfocus.com/bid/213/exploit
Reference: OSVDB:936
Reference: URL:http://www.osvdb.org/936
Reference: SGI:19980701-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980701-01-P
Reference: XF:sgi-disk-bandwidth(1441)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1441

disk_bandwidth on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames.

======================================================
Name: CVE-1999-0314
Status: Entry
Reference: BID:213
Reference: URL:http://www.securityfocus.com/bid/213
Reference: MISC:http://www.securityfocus.com/bid/213/exploit
Reference: OSVDB:6788
Reference: URL:http://www.osvdb.org/6788
Reference: SGI:19980701-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980701-01-P
Reference: XF:sgi-ioconfig(1199)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1199

ioconfig on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames.
======================================================
Name: CVE-1999-0315
Status: Entry
Reference: SUN:00138
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/138
Reference: XF:fdformat-bo

Buffer overflow in Solaris fdformat command gives root access to local users.

======================================================
Name: CVE-1999-0316
Status: Entry
Reference: CIAC:G-08
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0316
Reference: XF:linux-splitvt

Buffer overflow in Linux splitvt command gives root access to local users.

======================================================
Name: CVE-1999-0317
Status: Candidate
Phase: Modified(19991216)
Reference: BUGTRAQ:19990818 slackware-3.5 /bin/su buffer overflow
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0317
Reference: XF:su-bo

Buffer overflow in Linux su command gives root access to local users.

Current Votes:
   ACCEPT(3) Frech, Hill, Northcutt
   NOOP(1) Prosser
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Christey> DUPE CVE-1999-0845? Also, ADDREF XF:unixware-su-username-bo
   A report summary by Aleph One states that nobody was able to confirm this problem on any Linux distribution.
 Baker> If this is the same as the unixware, then it is a dupe of 1999-0845. There is about a two and half month difference in the bugtraq reporting of these. Sounds like the same bug however...
 Christey> XF:su-bo no longer seems to exist. How about XF:linux-subo(734) ?
   http://xforce.iss.net/static/734.php
   BID:475 also seems to describe the same problem (http://www.securityfocus.com/bid/475) in which case, vsyslog is blamed in:
   BUGTRAQ:19971220 Linux vsyslog() overflow
   http://www.securityfocus.com/archive/1/8274

======================================================
Name: CVE-1999-0318
Status: Entry
Reference: BUGTRAQ:19961125 Security Problems in XMCD
Reference: BUGTRAQ:19961125 XMCD v2.1 released (was: Security Problems in XMCD)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0318
Reference: XF:xmcd-envbo

Buffer overflow in xmcd 2.0p12 allows local users to gain access through an environmental variable.

======================================================
Name: CVE-1999-0319
Status: Candidate
Phase: Proposed(19990623)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0319
Reference: XF:xmcd-tiflestr

Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting.

Current Votes:
   ACCEPT(3) Frech, Hill, Northcutt
   NOOP(2) Baker, Prosser
   REVIEWING(1) Christey

Voter Comments:
 Christey> BUGTRAQ:19961126 Security Problems in XMCD 2.1
   A followup to this post says that xmcd is not suid here.

======================================================
Name: CVE-1999-0320
Status: Entry
Reference: SUN:00166
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/166
Reference: XF:sun-rpc.cmsd

SunOS rpc.cmsd allows attackers to obtain root access by overwriting arbitrary files.

======================================================
Name: CVE-1999-0321
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0321
Reference: XF:sun-kcms-configure-bo

Buffer overflow in Solaris kcms_configure command allows local users to gain root access.
======================================================
Name: CVE-1999-0322
Status: Entry
Reference: FREEBSD:FreeBSD-SA-97:05
Reference: OSVDB:6092
Reference: URL:http://www.osvdb.org/6092
Reference: XF:freebsd-open

The open() function in FreeBSD allows local attackers to write to arbitrary files.

======================================================
Name: CVE-1999-0323
Status: Entry
Reference: FREEBSD:FreeBSD-SA-98:04
Reference: NETBSD:1998-003
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1998-003.txt.asc
Reference: XF:bsd-mmap

FreeBSD mmap function allows users to modify append-only or immutable files.

======================================================
Name: CVE-1999-0324
Status: Entry
Reference: CIAC:H-31
Reference: HP:HPSBUX9702-053
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9702-053
Reference: XF:hp-ppllog

ppl program in HP-UX allows local users to create root files through symlinks.

======================================================
Name: CVE-1999-0325
Status: Entry
Reference: HP:HPSBUX9406-013
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9406-013
Reference: XF:hp-vhe

vhe_u_mnt program in HP-UX allows local users to create root files through symlinks.

======================================================
Name: CVE-1999-0326
Status: Entry
Reference: HP:HPSBUX9710-071
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9710-071
Reference: XF:hp-mediainit

Vulnerability in HP-UX mediainit program.

======================================================
Name: CVE-1999-0327
Status: Entry
Reference: SGI:19971103-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19971103-01-PX
Reference: XF:sgi-syserr

SGI syserr program allows local users to corrupt files.
======================================================
Name: CVE-1999-0328
Status: Entry
Reference: SGI:19971103-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19971103-01-PX
Reference: XF:sgi-permtool

SGI permissions program allows local users to gain root privileges.

======================================================
Name: CVE-1999-0329
Status: Entry
Reference: SGI:19980602-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980602-01-PX
Reference: XF:sgi-mediad

SGI mediad program allows local users to gain root access.

======================================================
Name: CVE-1999-0330
Status: Candidate
Phase: Modified(20000105)
Reference: BUGTRAQ:19940101 (No Subject)
Reference: MISC:https://marc.info/?l=bugtraq&m=87602558319119&w=2
Reference: XF:bdash-bo

Linux bdash game has a buffer overflow that allows local users to gain root access.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Northcutt, Shostack, Wall
   REVIEWING(1) Levy

Voter Comments:
 Frech> XF:bdash-bo

======================================================
Name: CVE-1999-0331
Status: Candidate
Phase: Modified(20040811)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0331
Reference: XF:msie-bo

Buffer overflow in Internet Explorer 4.0(1).

Current Votes:
   ACCEPT(2) Baker, Northcutt
   MODIFY(2) Frech, Shostack
   RECAST(1) Prosser
   REJECT(2) Christey, LeBlanc

Voter Comments:
 Shostack> this is a high cardinality item
 Prosser> needs to be more specific.
 Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague duplicate)
   Description (from xfdb): Some versions of Internet Explorer for Windows contain a vulnerability that may crash the browser when a malicious web site contains a certain kind of URL (that begins with "mk://") with more characters than the browser supports.
 Christey> The description is too vague.
 LeBlanc> too vague
 Christey> Add period to the end of the description.
======================================================
Name: CVE-1999-0332
Status: Entry
Reference: MSKB:Q184346
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q184346
Reference: XF:nt-netmeeting

Buffer overflow in NetMeeting allows denial of service and remote command execution.

======================================================
Name: CVE-1999-0333
Status: Candidate
Phase: Modified(19990925)
Reference: HP:HPSBUX9810-085
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0333
Reference: RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK
Reference: XF:omniback-remote

HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack.

Current Votes:
   ACCEPT(2) Baker, Frech
   MODIFY(1) Prosser
   RECAST(1) Christey

Voter Comments:
 Prosser> additional source HP Security Bulletin 85
   http://us-support.external.hp.com
   http://europe-support.external.hp.com
 Christey> Two separate bugs, so SF-LOC says this candidate should be split
 Christey> ADDREF CIAC:J-007
   URL:http://ciac.llnl.gov/ciac/bulletins/j-007.shtml

======================================================
Name: CVE-1999-0334
Status: Entry
Reference: CERT:CA-93.19.Solaris.Startup.vulnerability
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0334
Reference: XF:sol-startup

In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access.

======================================================
Name: CVE-1999-0335
Status: Entry

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
======================================================
Name: CVE-1999-0336
Status: Candidate
Phase: Modified(19991207)
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0336
Reference: XF:hpux-mstm-bo

Buffer overflow in mstm in HP-UX allows local users to gain root access.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   NOOP(3) Baker, Prosser, Shostack
   RECAST(1) Christey

Voter Comments:
 Prosser> same as CVE-1999-0307, only ref I can find is an old SOD exploit on www.outpost9.com
 Christey> MERGE CVE-1999-0307 (the exact exploit works with both cstm and mstm, which are clearly part of the same package, so CD:SF-EXEC says to merge them.) Also, there does not seem to be any recognition of this problem by HP. The only other information besides the Bugtraq post is the SOD exploit.

======================================================
Name: CVE-1999-0337
Status: Entry
Reference: CERT:CA-94.10.IBM.AIX.bsh.vulnerability.html
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0337
Reference: XF:ibm-bsh

AIX batch queue (bsh) allows local and remote users to gain additional privileges when network printing is enabled.

======================================================
Name: CVE-1999-0338
Status: Entry
Reference: CERT:CA-94.03.AIX.performance.tools
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0338
Reference: XF:ibm-perf-tools

AIX Licensed Program Product performance tools allow local users to gain root access.

======================================================
Name: CVE-1999-0339
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0339
Reference: RSI:RSI.0007.05-26-98
Reference: XF:sol-sun-libauth

Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access.
======================================================
Name: CVE-1999-0340
Status: Entry
Reference: KSRT:005
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0340
Reference: XF:linux-crond

Buffer overflow in Linux Slackware crond program allows local users to gain root access.

======================================================
Name: CVE-1999-0341
Status: Entry
Reference: KSRT:006
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0341
Reference: XF:linux-deliver

Buffer overflow in the Linux mail program "deliver" allows local users to gain root access.

======================================================
Name: CVE-1999-0342
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0342
Reference: REDHAT:http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam
Reference: XF:linux-pam-passwd-tmprace

Linux PAM modules allow local users to gain root access using temporary files.

======================================================
Name: CVE-1999-0343
Status: Entry
Reference: BUGTRAQ:19981002 Announcements from The Palace (fwd)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0343
Reference: XF:palace-malicious-servers-vuln

A malicious Palace server can force a client to execute arbitrary programs.

======================================================
Name: CVE-1999-0344
Status: Entry
Reference: MS:MS98-009
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-009
Reference: MSKB:Q190288
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q190288
Reference: XF:nt-priv-fix

NT users can gain debug-level access on a system process using the Sechole exploit.
======================================================
Name: CVE-1999-0345
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:http://www.securityfocus.com/archive/1/62170

Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems.

Current Votes:
   ACCEPT(2) Blake, Cole
   MODIFY(2) Frech, Wall
   NOOP(4) Bishop, Landfield, Northcutt, Ozancin
   RECAST(1) Meunier
   REJECT(4) Armstrong, Baker, LeBlanc, Levy
   REVIEWING(1) Christey

Voter Comments:
 Wall> Invalid ICMP datagram fragments causes a denial of service in Windows 95 and Windows NT systems. Reference: Q154174. Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death. It is a modified teardrop 2 attack.
 Frech> XF:nt-ssping
   ADDREF XF:ping-death
   ADDREF XF:teardrop-mod
   ADDREF XF:mpeix-echo-request-dos
 Christey> I can't tell whether the Jolt exploit at:
   http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net
   is exploiting any different flaw than teardrop does.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Baker> Jolt (original) is basically just a fragmented oversized ICMP that kills Win boxes ala Ping of Death. Teardrop is altering the offset in fragmented tcp packets so that the end of subsequent fragments is inside first packet... Teardrop 2 is UDP packets, if I remember right. Seems like Jolt (original, not jolt 2) is just exploit code that creates a ping of death (CVE 1999-0128)
 Levy> I tend to agree with Baker.
 CHANGE> [Armstrong changed vote from REVIEWING to REJECT]
 Armstrong> This code does not use fragment overlap. It is simply a large ICMP echo request.
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 LeBlanc> This is a hodge-podge of DoS attacks. Jolt isn't the same thing as ping of death - POD was an oversized ICMP packet, Jolt froze Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes.
   Teardrop and teardrop2 were related attacks (usually ICMP frag attacks), but each of these is a distinct vulnerability, affected a discrete group of systems, and should have distinct CVE numbers. CVE entries should be precise as to what the problem is.
 Meunier> I agree with Leblanc in that Jolt is multi-faceted. Jolt has characteristics of Ping of Death AND teardrop, but it doesn't do either exactly. Moreover, it sends a truncated IP fragment. I disagree with Armstrong; jolt uses overlapping fragments. It's not a simple ping of death either. It may be that the author's intent was to construct a "super attack" somehow combining elements of other vulnerabilities to try to make it more potent. In any case it succeeded in confusing the CVE board :-).
   I notice that Jolt uses echo replies (type 0) instead of echo requests (to get past firewalls?). Jolt is peculiar in that it also sends numerous overlapping fragments. The "Pascal Simulator" :-) says it sends:
   - 172 fragments of length 400 with offset starting at 5120 and increasing by about 47 (odd arithmetic of 5120 OR ((n* 380) >> 3)), which eventually results in sending fragments inside an already covered area once ((n* 380) >> 3) is greater than 5120, which occurs when n reaches 108. This would look a bit like TearDrop if fragments were reassembled on-the-fly.
   - 1 fragment such that the total length of all the fragments is greater than 65535 (my calculation is 172*380 + 418 = 65778; the comment about 65538 must be wrong). The last packet is size 418 according to the IP header but the buffer is of size 400. The sendto takes as argument the size of the buffer so a truncated packet is sent.
   So, I am not sure if the problem is because the last packet doesn't extend to the payload it says it has or because the total size of all fragments is greater than 65535. The author says it may take more than one sending, so perhaps this has to do with an incorrect error handling and recovery.
   One would need to experiment and isolate each of those characteristics and test them independently. Inasmuch as each of those things is likely a different vulnerability, then I agree with Leblanc that this entry should be split. I'll try that if I ever get bored. Jolt 2 should also have a different entry (see below).
   Jolt 2 runs in an infinite loop, sending the same fragmented IP packet, which can pretend to be "ICMP" or "UDP" data; however this is meaningless, as it's just a late fragment of an IP packet. The attack works only as long as packets are sent. According to http://www.securityfocus.com/archive/1/62170 the packets are truncated, and would overflow over the 65535 byte limit, which is similar to Jolt. Note that Jolt does send that much data whereas jolt2 doesn't. Since jolt2 is simpler and narrower than jolt, and it has weaker consequences, I believe that it's a different vulnerability. "Jolt 2 vulnerability causes a temporary denial-of-service in Windows-type OSes" would be a title for it.

======================================================
Name: CVE-1999-0346
Status: Entry
Reference: BID:713
Reference: URL:http://www.securityfocus.com/bid/713
Reference: BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts
Reference: OSVDB:3397
Reference: URL:http://www.osvdb.org/3397
Reference: XF:http-cgi-php-mlog

CGI PHP mlog script allows an attacker to read any file on the target server.
======================================================
Name: CVE-1999-0347
Status: Candidate
Phase: Modified(20051028)
Reference: BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
Reference: URL:http://marc.info/?l=bugtraq&m=91745430007021&w=2
Reference: NTBUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
Reference: URL:http://marc.info/?l=ntbugtraq&m=91756771207719&w=2

Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a "%01" character in an "about:" Javascript URL, which causes Internet Explorer to use the domain specified after the character.

Current Votes:
   ACCEPT(4) Baker, LeBlanc, Levy, Northcutt
   MODIFY(2) Frech, Prosser
   REVIEWING(1) Christey

Voter Comments:
 Prosser> this is a modified Cross-Frame vulnerability that circumvents the original Cross-Frame Patch. Addressed in MS Bulletin MS99.012 http://www.microsoft.com/security/bulletins/ms99-012.asp
 Christey> Duplicate of CVE-1999-0490?
 LeBlanc> If Prosser is correct that this is MS99-012, accept
 Christey> BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2
   NTBUGTRAQ:19990128 Javascript %01 bug in Internet Explorer
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2
   BID:197
   URL:http://www.securityfocus.com/bid/197
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:ie-window-spoof(2069)

======================================================
Name: CVE-1999-0348
Status: Entry
Reference: MSKB:Q197003
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q197003
Reference: NTBUGTRAQ:Jan27,1999
Reference: OSVDB:930
Reference: URL:http://www.osvdb.org/930

IIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory.
======================================================
Name: CVE-1999-0349
Status: Entry
Reference: BUGTRAQ:Jan27,1999
Reference: EEYE:IIS Remote FTP Exploit/DoS Attack
Reference: URL:http://www.eeye.com/html/Research/Advisories/IIS%20Remote%20FTP%20Exploit/DoS%20Attack.html
Reference: MS:MS99-003
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-003
Reference: MSKB:Q188348
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q188348
Reference: XF:iis-remote-ftp

A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary commands.

======================================================
Name: CVE-1999-0350
Status: Entry
Reference: L0PHT:Feb8,1999
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0350
Reference: XF:clearcase-temp-race

Race condition in the db_loader program in ClearCase gives local users root access by setting SUID bits.

======================================================
Name: CVE-1999-0351
Status: Entry
Reference: INFOWAR:01
Reference: MISC:http://attrition.org/security/advisory/misc/infowar/iw_sec_01.txt
Reference: XF:pasv-pizza-thief-dos(3389)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3389

FTP PASV "Pizza Thief" denial of service and unauthorized data access. Attackers can steal data by connecting to a port that was intended for use by a client.

======================================================
Name: CVE-1999-0352
Status: Candidate
Phase: Proposed(19990721)
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0352
Reference: XF:controlit-passwd-encrypt

ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption.
Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(2) Northcutt, Wall
   RECAST(1) Ozancin

Voter Comments:
 Ozancin> Can we combine this with CVE-1999-0356 - ControlIT(tm) 4.5 and earlier uses weak encryption.

======================================================
Name: CVE-1999-0353
Status: Entry
Reference: CIAC:J-026
Reference: URL:http://www.ciac.org/ciac/bulletins/j-026.shtml
Reference: HP:HPSBUX9902-091
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9902-091
Reference: XF:pcnfsd-world-write

rpc.pcnfsd in HP gives remote root access by changing the permissions on the main printer spool directory.

======================================================
Name: CVE-1999-0354
Status: Candidate
Phase: Proposed(19990623)
Reference: MS:MS99-002
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-002
Reference: NTBUGTRAQ:Jan27,1999

Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. Also applies to Outlook when the client views a malicious email message.
Current Votes:
   ACCEPT(3) Baker, Ozancin, Wall
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:word97-template-macro
 Christey> CHANGEREF NTBUGTRAQ:19990127 IE 4/5/Outlook + Word 97 security hole
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91747570922757&w=2
   BID:196
   http://www.securityfocus.com/bid/196
 Christey> MSKB:Q214652
   http://support.microsoft.com/support/kb/articles/q214/6/52.asp

======================================================
Name: CVE-1999-0355
Status: Entry
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0355
Reference: XF:controlit-reboot

Local or remote users can force ControlIT 4.5 to reboot or force a user to log out, resulting in a denial of service.

======================================================
Name: CVE-1999-0356
Status: Candidate
Phase: Proposed(19990721)
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0356
Reference: XF:controlit-bookfile-access

ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.

Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(2) Northcutt, Wall
   RECAST(1) Ozancin

======================================================
Name: CVE-1999-0357
Status: Entry
Reference: BUGTRAQ:19990125 Win98 crash?
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0357
Reference: XF:win98-oshare-dos

Windows 98 and other operating systems allows remote attackers to cause a denial of service via crafted "oshare" packets, possibly involving invalid fragmentation offsets.
======================================================
Name: CVE-1999-0358
Status: Entry
Reference: BUGTRAQ:19990125 Digital Unix 4.0 exploitable buffer overflows
Reference: URL:http://www.securityfocus.com/archive/1/12121
Reference: CIAC:J-027
Reference: URL:http://www.ciac.org/ciac/bulletins/j-027.shtml
Reference: COMPAQ:SSRT0583U
Reference: XF:du-inc

Digital Unix 4.0 has a buffer overflow in the inc program of the mh package.

======================================================
Name: CVE-1999-0359
Status: Candidate
Phase: Proposed(20010214)
Reference: BUGTRAQ:19990127 UNIX shell modem access vulnerabilities
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0359
Reference: XF:ptylogin-dos

ptylogin in Unix systems allows users to perform a denial of service by locking out a modem, to dial out with that modem, or to obtain passwords.

Current Votes:
   ACCEPT(2)  Cole, Frech
   MODIFY(1)  Baker

Voter Comments:
 Frech> XF:ptylogin-dos
 Baker> Should say "... lock out a modem, ..." rather than "... locking out modems..."

======================================================
Name: CVE-1999-0360
Status: Candidate
Phase: Modified(20000530)
Reference: BUGTRAQ:19990130 Security Advisory for Internet Information Server 4 with Site
Reference: URL:http://marc.info/?l=bugtraq&m=91763097004101&w=2
Reference: NTBUGTRAQ:Jan29,1999

MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely.

Current Votes:
   ACCEPT(6)  Blake, Cole, Collins, Landfield, Northcutt, Wall
   MODIFY(3)  Baker, Frech, LeBlanc
   NOOP(4)  Armstrong, Christey, Ozancin, Prosser

Voter Comments:
 Christey> I can't find the original Bugtraq posting (it appears that mnemonix discovered the problem).
 LeBlanc> - if there was a fix or a KB article, I'd ACCEPT. A vuln based on a BUGTRAQ posting we can't find could be anything.
 Baker> Vulnerability Reference (HTML): http://www.securityfocus.com/archive/1/12218 (Reference Type: Misc Defensive Info)
   This is the URL for the Bugtraq posting. It was cross posted to NT Bugtraq as well, but identical text. It was Mnemonix...
 Christey> BID:1811
   URL:http://www.securityfocus.com/bid/1811
 Christey> CHANGEREF BUGTRAQ add "Server 2." to the subject. Also standardize NTBUGTRAQ reference title.
 Christey> Add "uploadn.asp" to the description.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:siteserver-user-dir-permissions(5384)

======================================================
Name: CVE-1999-0361
Status: Candidate
Phase: Proposed(19990728)
Reference: BUGTRAQ:Jan29,1999
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0361

NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging.

Current Votes:
   ACCEPT(1)  Baker
   MODIFY(1)  Frech
   NOOP(2)  Northcutt, Wall

Voter Comments:
 Frech> XF:compulink-pw-laserfiche(1679)
   Normalize BUGTRAQ reference to: BUGTRAQ:19990129 Compulink LaserFiche Client/Server - unencrypted passwords

======================================================
Name: CVE-1999-0362
Status: Entry
Reference: BID:217
Reference: URL:http://www.securityfocus.com/bid/217
Reference: EEYE:AD02021999
Reference: URL:http://www.eeye.com/html/Research/Advisories/AD02021999.html
Reference: XF:wsftp-remote-dos

WS_FTP server remote denial of service through cwd command.

======================================================
Name: CVE-1999-0363
Status: Entry
Reference: BID:328
Reference: URL:http://www.securityfocus.com/bid/328
Reference: BUGTRAQ:Feb02,1999
Reference: XF:plp-lpc-bo

SuSE 5.2 PLP lpc program has a buffer overflow that leads to root compromise.

======================================================
Name: CVE-1999-0364
Status: Candidate
Phase: Modified(20000426)
Reference: BUGTRAQ:19990204 Microsoft Access 97 Stores Database Password as Plaintext
Reference: URL:http://marc.info/?l=bugtraq&m=91816470220259&w=2

Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data.

Current Votes:
   ACCEPT(2)  Baker, LeBlanc
   MODIFY(1)  Frech
   NOOP(2)  Northcutt, Wall

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:access-weak-passwords(1774)
   An older published reference (from our own Adam) would be better:
   ailab.coderpunks Newsgroup, 1998/06/23 "Re: MS Access 2.0"
   http://x15.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=365308578&CONTEXT=919207028.1462108427&hitnum=1

======================================================
Name: CVE-1999-0365
Status: Entry
Reference: BUGTRAQ:Feb04,1999
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0365
Reference: XF:metamail-header-commands

The metamail package allows remote command execution using shell metacharacters that are not quoted in a mailcap entry.

======================================================
Name: CVE-1999-0366
Status: Entry
Reference: MS:MS99-004
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-004
Reference: MSKB:Q214840
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q214840
Reference: XF:nt-sp4-auth-error

In some cases, Service Pack 4 for Windows NT 4.0 can allow access to network shares using a blank password, through a problem with a null NT hash value.

======================================================
Name: CVE-1999-0367
Status: Entry
Reference: NETBSD:1999-002
Reference: OSVDB:7571
Reference: URL:http://www.osvdb.org/7571

NetBSD netstat command allows local users to access kernel memory.

======================================================
Name: CVE-1999-0368
Status: Entry
Reference: CERT:CA-99.03
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0368
Reference: NETECT:palmetto.ftpd
Reference: XF:palmetto-ftpd-bo

Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote root access, a.k.a. palmetto.

======================================================
Name: CVE-1999-0369
Status: Entry
Reference: SUN:00183
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/183
Reference: XF:sun-sdtcm-convert-bo

The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access.

======================================================
Name: CVE-1999-0370
Status: Candidate
Phase: Modified(19991210)
Reference: BID:165
Reference: URL:http://www.securityfocus.com/bid/165
Reference: SUN:00184

In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files.

Current Votes:
   ACCEPT(4)  Baker, Dik, Northcutt, Prosser
   MODIFY(1)  Frech
   REVIEWING(1)  Christey

Voter Comments:
 Frech> Reference: XF:sun-man
 Christey> ADDREF CIAC:J-028
   Is the Linux man symlink problem the same as the one for Sun? See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1
   Also see BID:305
 Dik> sun bug 4154565

======================================================
Name: CVE-1999-0371
Status: Entry
Reference: BUGTRAQ:19990211 Lynx /tmp problem
Reference: CERT:VB-97.05.lynx
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0371
Reference: XF:lynx-temp-files-race

Lynx allows a local user to overwrite sensitive files through /tmp symlinks.

======================================================
Name: CVE-1999-0372
Status: Entry
Reference: MS:MS99-005
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-005
Reference: MSKB:Q217004
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q217004
Reference: XF:nt-backoffice-setup

The installer for BackOffice Server includes account names and passwords in a setup file (reboot.ini) which is not deleted.

======================================================
Name: CVE-1999-0373
Status: Entry
Reference: ISS:Buffer Overflow in "Super" package in Debian Linux
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0373
Reference: XF:linux-super-bo
Reference: XF:linux-super-logging-bo

Buffer overflow in the "Super" utility in Debian GNU/Linux, and other operating systems, allows local users to execute commands as root.

======================================================
Name: CVE-1999-0374
Status: Entry
Reference: BUGTRAQ:Feb16,1999
Reference: DEBIAN:19990215
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0374
Reference: XF:linux-cfengine-symlinks

Debian GNU/Linux cfengine package is susceptible to a symlink attack.

======================================================
Name: CVE-1999-0375
Status: Entry
Reference: BUGTRAQ:Feb16,1999
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0375
Reference: NAI:February 16, 1999
Reference: XF:nfr-webd-overflow

Buffer overflow in webd in Network Flight Recorder (NFR) 2.0.2-Research allows remote attackers to execute commands.

======================================================
Name: CVE-1999-0376
Status: Entry
Reference: BUGTRAQ:Feb20,1999
Reference: L0PHT:Feb18,1999
Reference: MS:MS99-006
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-006
Reference: XF:nt-knowndlls-list

Local users in Windows NT can obtain administrator privileges by changing the KnownDLLs list to reference malicious programs.

======================================================
Name: CVE-1999-0377
Status: Entry
Reference: BUGTRAQ:Feb22,1999
Reference: SECTRACK:1033881
Reference: URL:http://www.securitytracker.com/id/1033881

Process table attack in Unix systems allows a remote attacker to perform a denial of service by filling a machine's process tables through multiple connections to network services.

======================================================
Name: CVE-1999-0378
Status: Entry
Reference: BUGTRAQ:19990222 BlackHats Advisory -- InterScan VirusWall
Reference: BUGTRAQ:19990225 Patch for InterScan VirusWall for Unix now available
Reference: OSVDB:6167
Reference: URL:http://www.osvdb.org/6167
Reference: XF:viruswall-http-request

InterScan VirusWall for Solaris doesn't scan files for viruses when a single HTTP request includes two GET commands.

======================================================
Name: CVE-1999-0379
Status: Entry
Reference: BID:498
Reference: URL:http://www.securityfocus.com/bid/498
Reference: BUGTRAQ:19990223 Microsoft Security Bulletin (MS99-007)
Reference: MS:MS99-007
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-007
Reference: OSVDB:1019
Reference: URL:http://www.osvdb.org/1019
Reference: XF:win-resourcekit-taskpads

Microsoft Taskpads allows remote web sites to execute commands on the visiting user's machine via certain methods that are marked as Safe for Scripting.

======================================================
Name: CVE-1999-0380
Status: Entry
Reference: BID:497
Reference: URL:http://www.securityfocus.com/bid/497
Reference: BUGTRAQ:19990225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service
Reference: URL:http://marc.info/?l=bugtraq&m=91996412724720&w=2
Reference: NTBUGTRAQ:199902225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service
Reference: URL:http://marc.info/?l=ntbugtraq&m=91999015212415&w=2
Reference: NTBUGTRAQ:SLmail 3.2 Build 3113 (Web Administration Security Fix)
Reference: URL:http://marc.info/?l=ntbugtraq&m=92110501504997&w=2
Reference: XF:slmail-ras-ntfs-bypass(5392)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/5392

SLMail 3.1 and 3.2 allows local users to access any file in the NTFS file system when the Remote Administration Service (RAS) is enabled by setting a user's Finger File to point to the target file, then running finger on the user.

======================================================
Name: CVE-1999-0381
Status: Candidate
Phase: Proposed(19990726)
Reference: BID:342
Reference: URL:http://www.securityfocus.com/bid/342
Reference: BUGTRAQ:19990225 SUPER buffer overflow
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.990225011801.12757A-100000@eleet
Reference: XF:linux-super-logging-bo

super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access.

Current Votes:
   ACCEPT(7)  Baker, Blake, Cole, Frech, Landfield, Levy, Ozancin
   MODIFY(1)  Bishop
   NOOP(2)  Armstrong, Wall
   REVIEWING(1)  Christey

Voter Comments:
 Christey> Is this the same as CVE-1999-0373? They both have the same X-Force reference. BID:342 suggests that there are two. http://www.debian.org/security/1999/19990215a suggests that there are two.
   However, CVE-1999-0373 is written up in a fashion that is too general; and both XF:linux-super-bo and XF:linux-super-logging-bo refer to CVE-1999-0373. CVE-1999-0373 may need to be split.
 Frech> From what I can surmise, ISS released the original advisory (attached to linux-super-bo), and Sekure SDI expanded on it by releasing another related overflow in syslog (which is linux-super-logging-bo). When I was originally assigning these issues, I placed both XF references and the ISS advisory on the -0373 candidate, since there was nothing else available. Based on the information above, I'd request that XF:linux-super-logging-bo be removed from CVE-1999-0373.
 Christey> Given Andre's feedback, these are different issues. CVE-1999-0373 does not need to be split because the ISS reference is sufficient to distinguish that CVE from this candidate; however, the CVE-1999-0373 description should probably be modified slightly.
 Bishop> (as indicated by Christey)
 CHANGE> [Cole changed vote from NOOP to ACCEPT]
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> There are 2 bugs, as confirmed by the super author at:
   BUGTRAQ:19990226 Buffer Overflow in Super (new)
   http://www.securityfocus.com/archive/1/12713
   BID:397 also seems to cover this one, and it may cover CVE-1999-0373 as well.

======================================================
Name: CVE-1999-0382
Status: Entry
Reference: MS:MS99-008
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-008
Reference: XF:nt-screen-saver

The screen saver in Windows NT does not verify that its security context has been changed properly, allowing attackers to run programs with elevated privileges.

======================================================
Name: CVE-1999-0383
Status: Entry
Reference: BID:183
Reference: URL:http://www.securityfocus.com/bid/183
Reference: BUGTRAQ:19990103 Tigris vulnerability
Reference: OSVDB:267
Reference: URL:http://www.osvdb.org/267
Reference: XF:acc-tigris-login

ACC Tigris allows public access without a login.

======================================================
Name: CVE-1999-0384
Status: Entry
Reference: MS:MS99-001
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-001
Reference: XF:forms-vuln-patch

The Forms 2.0 ActiveX control (included with Visual Basic for Applications 5.0) can be used to read text from a user's clipboard when the user accesses documents with ActiveX content.

======================================================
Name: CVE-1999-0385
Status: Entry
Reference: ISS:LDAP Buffer overflow against Microsoft Directory Services
Reference: MS:MS99-009
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-009
Reference: XF:ldap-exchange-overflow
Reference: XF:ldap-mds-dos

The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of service or execute commands.

======================================================
Name: CVE-1999-0386
Status: Entry
Reference: MS:MS99-010
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-010
Reference: OSVDB:111
Reference: URL:http://www.osvdb.org/111
Reference: XF:pws-file-access

Microsoft Personal Web Server and FrontPage Personal Web Server in some Windows systems allows a remote attacker to read files on the server by using a nonstandard URL.

======================================================
Name: CVE-1999-0387
Status: Entry
Reference: BID:829
Reference: URL:http://www.securityfocus.com/bid/829
Reference: MS:MS99-052
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-052
Reference: MSKB:Q168115
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q168115
Reference: XF:9x-plaintext-pwd

A legacy credential caching mechanism used in Windows 95 and Windows 98 systems allows attackers to read plaintext network passwords.

======================================================
Name: CVE-1999-0388
Status: Entry
Reference: L0PHT:Jan3,1999
Reference: OSVDB:3186
Reference: URL:http://www.osvdb.org/3186
Reference: XF:datalynx-suguard-relative-paths

DataLynx suGuard trusts the PATH environment variable to execute the ps command, allowing local users to execute commands as root.

======================================================
Name: CVE-1999-0389
Status: Candidate
Phase: Modified(19991207)
Reference: BID:324
Reference: URL:http://www.securityfocus.com/bid/324
Reference: BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows
Reference: DEBIAN:19990104

Buffer overflow in the bootp server in the Debian Linux netstd package.

Current Votes:
   ACCEPT(3)  Baker, Ozancin, Stracener
   MODIFY(1)  Frech
   REVIEWING(1)  Christey

Voter Comments:
 Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389 has January 1999 dates associated with it, while CVE-1999-0798 was reported in late December. Also, is this the same line of code as CVE-1999-0914? Both are in the netstd package, it could look like a library problem. However, deep in the changelog in the netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes the following entry:
   +netstd (3.07-7slink.1) frozen; urgency=high
   +
   +  * bootpd: Applied patch from Redhat as well as a fix for the overflow in
   +    report() (fixes #30675).
   +  * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow
   +    bugs.
   +
   + -- Herbert Xu  Sat, 19 Dec 1998 14:36:48 +1100
   This tells me that two separate bugs are involved. Note that Red Hat posted *some* fix for *some* bootp problem in June 1998. See: http://www.redhat.com/support/errata/rh42-errata-general.html#bootp
 Frech> XF:debian-netstd-bo
 Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
 CHANGE> [Christey changed vote from REJECT to REVIEWING]
 Christey> The fix information for BID:324 suggests that there are two overflows, one of which is in handle_request (bootpd.c) and is likely related to a file name; but there is another issue in report (report.c) which also looks like a straightforward overflow, which would suggest that this is not a duplicate of CVE-1999-0798 or CVE-1999-0799. Note: see comments for CVE-1999-0798 which explain how that candidate is not related to CVE-1999-0799.

======================================================
Name: CVE-1999-0390
Status: Entry
Reference: BID:187
Reference: URL:http://www.securityfocus.com/bid/187
Reference: BUGTRAQ:19990104 Dosemu/S-Lang Overflow + sploit
Reference: CALDERA:CSSA-1999-006.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-006.1.txt

Buffer overflow in Dosemu Slang library in Linux.

======================================================
Name: CVE-1999-0391
Status: Entry
Reference: L0PHT:Jan. 5, 1999
Reference: MISC:https://marc.info/?l=bugtraq&m=91552769809542&w=2

The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused, allowing an attacker to replay the response and impersonate a user.

======================================================
Name: CVE-1999-0392
Status: Entry
Reference: BUGTRAQ:Jan10,1999
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0392
Reference: XF:http-cgic-library-bo

Buffer overflow in Thomas Boutell's cgic library version up to 1.05.

======================================================
Name: CVE-1999-0393
Status: Entry
Reference: BUGTRAQ:19981212 ** Sendmail 8.9.2 DoS - exploit ** get what you want!
Reference: BUGTRAQ:19990121 Sendmail 8.8.x/8.9.x bugware
Reference: URL:http://marc.info/?l=bugtraq&m=91694391227372&w=2
Reference: XF:sendmail-parsing-redirection

Remote attackers can cause a denial of service in Sendmail 8.8.x and 8.9.2 by sending messages with a large number of headers.

======================================================
Name: CVE-1999-0394
Status: Candidate
Phase: Proposed(19990728)
Reference: BUGTRAQ:19990115 DPEC Online Courseware
Reference: MISC:https://marc.info/?l=bugtraq&m=91651770630788&w=2

DPEC Online Courseware allows an attacker to change another user's password without knowing the original password.

Current Votes:
   ACCEPT(1)  Baker
   NOOP(1)  Christey
   REJECT(1)  Frech

Voter Comments:
 Frech> If I understand the issue, this HIGHCARD involves insecure web programming. If I don't understand, mark this as my first NOOP.
 Christey> CONFIRM:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D19990803132618.16407.qmail%40securityfocus.com
   ADDREF BID:565
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=565

======================================================
Name: CVE-1999-0395
Status: Entry
Reference: ISS:19990118 Vulnerability in the BackWeb Polite Agent Protocol
Reference: URL:http://xforce.iss.net/alerts/advise17.php
Reference: XF:backweb-polite-agent-protocol

A race condition in the BackWeb Polite Agent Protocol allows an attacker to spoof a BackWeb server.

======================================================
Name: CVE-1999-0396
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0396
Reference: NETBSD:1999-001
Reference: OPENBSD:Feb17,1999
Reference: XF:netbsd-tcp-race

A race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service.

======================================================
Name: CVE-1999-0397
Status: Candidate
Phase: Proposed(19990728)
Reference: BUGTRAQ:Jan21,1999
Reference: L0PHT:Jan21,1999
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0397

The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.

Current Votes:
   ACCEPT(1)  Northcutt
   MODIFY(1)  Frech
   NOOP(1)  Baker
   REJECT(1)  Wall

Voter Comments:
 Wall> Reject based on beta copy.
 Frech> XF:quakenbush-pw-appraiser(1652)

======================================================
Name: CVE-1999-0398
Status: Candidate
Phase: Modified(20000106)
Reference: BUGTRAQ:19990123 SSH 1.x and 2.x Daemon
Reference: BUGTRAQ:19990124 SSH Daemon
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0398
Reference: XF:ssh-exp-account-access

In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login.

Current Votes:
   ACCEPT(1)  Baker
   MODIFY(1)  Frech

Voter Comments:
 Frech> Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet released. v1.2.26 should be substituted in the description for '27.
   XF:ssh-exp-account-access

======================================================
Name: CVE-1999-0399
Status: Candidate
Phase: Modified(20000105)
Reference: BUGTRAQ:19990124 Mirc 5.5 'DCC Server' hole
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0399
Reference: XF:mirc-dcc-metachar-filename

The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands.

Current Votes:
   ACCEPT(1)  Baker
   MODIFY(1)  Frech

Voter Comments:
 Frech> XF:mirc-dcc-metachar-filename

======================================================
Name: CVE-1999-0400
Status: Candidate
Phase: Modified(20000105)
Reference: BID:344
Reference: URL:http://www.securityfocus.com/bid/344
Reference: BUGTRAQ:19990127 2.2.0 SECURITY (fwd)
Reference: XF:linux-kernel-ldd-dos

Denial of service in Linux 2.2.0 running the ldd command on a core file.

Current Votes:
   ACCEPT(1)  Baker
   MODIFY(1)  Frech

Voter Comments:
 Frech> BUGTRAQ:Jan27,1999 (http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22&msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com)
   XF:linux-kernel-ldd-dos

======================================================
Name: CVE-1999-0401
Status: Candidate
Phase: Modified(20000105)
Reference: BUGTRAQ:19990202 [patch] /proc race fixes for 2.2.1 (fwd)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0401
Reference: XF:linux-race-condition-proc

A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files.

Current Votes:
   ACCEPT(1)  Baker
   MODIFY(1)  Frech

Voter Comments:
 Frech> XF:linux-race-condition-proc

======================================================
Name: CVE-1999-0402
Status: Entry
Reference: BUGTRAQ:Feb2,1999
Reference: DEBIAN:19990220
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0402
Reference: XF:wget-permissions

wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself.

======================================================
Name: CVE-1999-0403
Status: Entry
Reference: BUGTRAQ:19990204 Cyrix bug: freeze in hell, badboy
Reference: URL:http://marc.info/?l=bugtraq&m=91821080015725&w=2
Reference: XF:cyrix-hang

A bug in Cyrix CPUs on Linux allows local users to perform a denial of service.

======================================================
Name: CVE-1999-0404
Status: Entry
Reference: BUGTRAQ:Feb14,1999
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0404
Reference: XF:mailmax-bo

Buffer overflow in the Mail-Max SMTP server for Windows systems allows remote command execution.

======================================================
Name: CVE-1999-0405
Status: Entry
Reference: BUGTRAQ:Feb18,1999
Reference: DEBIAN:19990220a
Reference: HERT:002
Reference: OSVDB:3163
Reference: URL:http://www.osvdb.org/3163
Reference: XF:lsof-bo

A buffer overflow in lsof allows local users to obtain root privilege.

======================================================
Name: CVE-1999-0406
Status: Candidate
Phase: Proposed(19990728)
Reference: BUGTRAQ:Feb19,1999
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0406
Reference: XF:digital-networker-bo

Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege.

Current Votes:
   ACCEPT(1)  Baker
   MODIFY(1)  Frech

Voter Comments:
 Frech> In description, change 'which' to 'that'.

======================================================
Name: CVE-1999-0407
Status: Entry
Reference: BUGTRAQ:19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS
Reference: URL:http://marc.info/?l=bugtraq&m=91983486431506&w=2
Reference: BUGTRAQ:19990209 Re: IIS4 allows proxied password attacks over NetBIOS
Reference: URL:http://marc.info/?l=bugtraq&m=92000623021036&w=2
Reference: XF:iis-iisadmpwd

By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system.

======================================================
Name: CVE-1999-0408
Status: Entry
Reference: BID:337
Reference: URL:http://www.securityfocus.com/bid/337
Reference: BUGTRAQ:19990225 Cobalt root exploit
Reference: XF:cobalt-raq-history-exposure

Files created from interactive shell sessions in Cobalt RaQ microservers (e.g. .bash_history) are world readable, and thus are accessible from the web server.

======================================================
Name: CVE-1999-0409
Status: Entry
Reference: BID:319
Reference: URL:http://www.securityfocus.com/bid/319
Reference: BUGTRAQ:19990304 Linux /usr/bin/gnuplot overflow
Reference: XF:gnuplot-home-overflow

Buffer overflow in gnuplot in Linux version 3.5 allows local users to obtain root access.

======================================================
Name: CVE-1999-0410
Status: Entry
Reference: BID:293
Reference: URL:http://www.securityfocus.com/bid/293
Reference: BUGTRAQ:Mar5,1999
Reference: XF:sol-cancel

The cancel command in Solaris 2.6 (i386) has a buffer overflow that allows local users to obtain root access.

======================================================
Name: CVE-1999-0411
Status: Candidate
Phase: Proposed(19990726)
Reference: BUGTRAQ:Feb19,1999
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0411
Reference: XF:sco-startup-scripts

Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access.

Current Votes:
   MODIFY(2)  Baker, Frech
   NOOP(2)  Christey, Wall

Voter Comments:
 Frech> Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not 19 February) mentions gaining root access... it says a local user could "delete or overwrite arbitrary files on the system."
 Baker> By overwriting arbitrary files, one could then gain root access. I agree with a minor description change to reflect this.
 Christey> Normalize Bugtraq reference to:
   BUGTRAQ:19990307 Little exploit for startup scripts (SCO 5.0.4p).
   http://marc.theaimsgroup.com/?l=bugtraq&m=92087765014242&w=2
   Also, SCO:SB-99.17
   ftp://ftp.sco.com/SSE/security_bulletins/SB-99.17c

======================================================
Name: CVE-1999-0412
Status: Entry
Reference: BID:501
Reference: URL:http://www.securityfocus.com/bid/501
Reference: BUGTRAQ:Feb19,1999
Reference: XF:iis-isapi-execute

In IIS and other web servers, an attacker can execute commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension.

======================================================
Name: CVE-1999-0413
Status: Entry
Reference: SGI:19990301-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19990301-01-PX
Reference: XF:irix-font-path-overflow

A buffer overflow in the SGI X server allows local users to gain root access through the X server font path.

======================================================
Name: CVE-1999-0414
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0414
Reference: NAI:Linux Blind TCP Spoofing
Reference: XF:linux-blind-spoof

In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection.

======================================================
Name: CVE-1999-0415
Status: Entry
Reference: CIAC:J-034
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-034.shtml
Reference: CISCO:19990311 Cisco 7xx TCP and HTTP Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/770/7xxconn-pub.shtml
Reference: ISS:19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers
Reference: XF:cisco-router-commands
Reference: XF:cisco-web-config

The HTTP server in Cisco 7xx series routers 3.2 through 4.2 is enabled by default, which allows remote attackers to change the router's configuration.

======================================================
Name: CVE-1999-0416
Status: Entry
Reference: CIAC:J-034
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-034.shtml
Reference: CISCO:19990311 Cisco 7xx TCP and HTTP Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/770/7xxconn-pub.shtml
Reference: ISS:19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers
Reference: XF:cisco-web-crash

Vulnerability in Cisco 7xx series routers allows a remote attacker to cause a system reload via a TCP connection to the router's TELNET port.

======================================================
Name: CVE-1999-0417
Status: Entry
Reference: BID:448
Reference: URL:http://www.securityfocus.com/bid/448
Reference: BUGTRAQ:Mar9,1999
Reference: OSVDB:1001
Reference: URL:http://www.osvdb.org/1001
Reference: XF:solaris-psinfo-crash

64 bit Solaris 7 procfs allows local users to perform a denial of service.

======================================================
Name: CVE-1999-0418
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990308 SMTP server account probing
Reference: URL:http://marc.info/?l=bugtraq&m=92100018214316&w=2

Denial of service in SMTP applications such as Sendmail, when a remote attacker (e.g. spammer) uses many "RCPT TO" commands in the same connection.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(3) Baker, Foat, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> DUPE CVE-1999-0144 and CVE-1999-0250?
 Frech> XF:smtp-rctpto-dos(7499)

======================================================
Name: CVE-1999-0419
Status: Candidate
Phase: Modified(20000105)
Reference: BUGTRAQ:19990319 Microsoft's SMTP service broken/stupid
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0419
Reference: XF:smtp-4xx-error-dos

When the Microsoft SMTP service attempts to send a message to a server and receives a 4xx error code, it quickly and repeatedly attempts to redeliver the message, causing a denial of service.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, LeBlanc
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:smtp-4xx-error-dos
 LeBlanc> - if we can find a KB or something that shows that this wasn't just user error, I'd vote ACCEPT.
 Christey> David Lemson, Microsoft SMTP Service Program Manager, posted a followup that said "We have confirmed this as a problem..."
   http://marc.theaimsgroup.com/?l=bugtraq&m=92171608127206&w=2

======================================================
Name: CVE-1999-0420
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0420
Reference: NETBSD:1999-006

umapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program.
======================================================
Name: CVE-1999-0421
Status: Entry
Reference: BID:338
Reference: URL:http://www.securityfocus.com/bid/338
Reference: ISS:Short-Term High-Risk Vulnerability During Slackware 3.6 Network Installations
Reference: OSVDB:981
Reference: URL:http://www.osvdb.org/981
Reference: XF:linux-slackware-install

During a reboot after an installation of Linux Slackware 3.6, a remote attacker can obtain root access by logging in to the root account without a password.

======================================================
Name: CVE-1999-0422
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0422
Reference: NETBSD:1999-007

In some cases, NetBSD 1.3.3 mount allows local users to execute programs in some file systems that have the "noexec" flag set.

======================================================
Name: CVE-1999-0423
Status: Entry
Reference: HP:HPSBUX9903-093
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-093
Reference: XF:hp-hpterm-files

Vulnerability in hpterm on HP-UX 10.20 allows local users to gain additional privileges.

======================================================
Name: CVE-1999-0424
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0424
Reference: SUSE:Mar18,1999
Reference: XF:netscape-talkback-overwrite

talkback in Netscape 4.5 allows a local user to overwrite arbitrary files of another user whose Netscape crashes.

======================================================
Name: CVE-1999-0425
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0425
Reference: SUSE:Mar18,1999
Reference: XF:netscape-talkback-kill

talkback in Netscape 4.5 allows a local user to kill an arbitrary process of another user whose Netscape crashes.
======================================================
Name: CVE-1999-0426
Status: Candidate
Phase: Proposed(19990728)
Reference: BUGTRAQ:19990319 The default permissions on /dev/kmem is insecure.
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0426

The default permissions of /dev/kmem in Linux versions before 2.0.36 allows IP spoofing.

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Frech> XF:linux-dev-kmem-spoof
 Christey> DUPE CVE-1999-0414
   XF:linux-dev-kmem-spoof does not exist.
 Christey> *Now* XF:linux-dev-kmem-spoof(3500) exists...

======================================================
Name: CVE-1999-0427
Status: Candidate
Phase: Proposed(19990728)
Reference: BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0427
Reference: XF:eudora-long-attachments

Eudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> Change version number to 4.2beta. Second to last paragraph in bugtraq reference states: "Both the Win 95 and Win NT versions, along with the 4.2 beta of Eudora are affected."
 Christey> This issue seems to have been rediscovered in
   BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
   http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
   Also see BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
   http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
   Is this a duplicate/subsumed by CVE-1999-0004?

======================================================
Name: CVE-1999-0428
Status: Entry
Reference: BUGTRAQ:19990322 OpenSSL/SSLeay Security Alert
Reference: OSVDB:3936
Reference: URL:http://www.osvdb.org/3936
Reference: XF:ssl-session-reuse

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.
======================================================
Name: CVE-1999-0429
Status: Entry
Reference: BUGTRAQ:19990323
Reference: URL:http://marc.info/?l=bugtraq&m=92221437025743&w=2
Reference: BUGTRAQ:19990324 Re: LNotes encryption
Reference: URL:http://marc.info/?l=bugtraq&m=92241547418689&w=2
Reference: BUGTRAQ:19990326 Lotus Notes Encryption Bug
Reference: URL:http://marc.info/?l=bugtraq&m=92246997917866&w=2
Reference: BUGTRAQ:19990326 Re: Lotus Notes security advisory
Reference: URL:http://marc.info/?l=bugtraq&m=92249282302994&w=2
Reference: XF:lotus-client-encryption

The Lotus Notes 4.5 client may send a copy of encrypted mail in the clear across the network if the user does not set the "Encrypt Saved Mail" preference.

======================================================
Name: CVE-1999-0430
Status: Entry
Reference: CISCO:Cisco Catalyst Supervisor Remote Reload
Reference: ISS:Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet Switches
Reference: OSVDB:1103
Reference: URL:http://www.osvdb.org/1103
Reference: XF:cisco-catalyst-crash

Cisco Catalyst LAN switches running Catalyst 5000 supervisor software allows remote attackers to perform a denial of service by forcing the supervisor module to reload.

======================================================
Name: CVE-1999-0431
Status: Candidate
Phase: Modified(20000106)
Reference: BUGTRAQ:19990324 DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0431
Reference: XF:linux-zerolength-fragment

Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:linux-zerolength-fragment
 Christey> Consider adding BID:2247

======================================================
Name: CVE-1999-0432
Status: Entry
Reference: HP:HPSBUX9903-094
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-094
Reference: XF:hp-ftp

ftp on HP-UX 11.00 allows local users to gain privileges.

======================================================
Name: CVE-1999-0433
Status: Entry
Reference: BUGTRAQ:19990321 X11R6 NetBSD Security Problem
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0433
Reference: SUSE:Mar28,1999
Reference: XF:xfree86-temp-directories

XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.

======================================================
Name: CVE-1999-0434
Status: Candidate
Phase: Proposed(19990728)
Reference: BID:359
Reference: URL:http://www.securityfocus.com/bid/359
Reference: BUGTRAQ:19990331 Bug in xfs

XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:xfree86-xfs-symlink-dos
 Christey> Is this the same problem as CVE-1999-0433? CVE-1999-0433 deals with a symlink attack on one file (/tmp/.X11-unix), while xfs (this candidate) deals with /tmp/.font-unix
   XF:xfree86-xfs-symlink-dos doesn't exist.
 Christey> ADDREF DEBIAN:19990331 symbolic link can be used to make any file world readable
   Note: Debian's advisory says that this is not a problem for Debian.
======================================================
Name: CVE-1999-0435
Status: Candidate
Phase: Proposed(19990623)
Reference: HP:HPSBUX9903-096
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0435

MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain privileges through SAM.

Current Votes:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:hp-servicegaurd
 Christey> ADDREF CIAC:J-039
 Christey> Note the typo in Andre's suggested reference. Normalize to XF:hp-serviceguard(2046)

======================================================
Name: CVE-1999-0436
Status: Entry
Reference: HP:HPSBUX9903-095
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-095
Reference: XF:hp-desms-servers

Domain Enterprise Server Management System (DESMS) in HP-UX allows local users to gain privileges.

======================================================
Name: CVE-1999-0437
Status: Entry
Reference: ISS:WebRamp Denial of Service Attacks
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0437
Reference: XF:webramp-device-crash

Remote attackers can perform a denial of service in WebRamp systems by sending a malicious string to the HTTP port.

======================================================
Name: CVE-1999-0438
Status: Entry
Reference: ISS:WebRamp Denial of Service Attacks
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0438
Reference: XF:webramp-ipchange

Remote attackers can perform a denial of service in WebRamp systems by sending a malicious UDP packet to port 5353, changing its IP address.
======================================================
Name: CVE-1999-0439
Status: Entry
Reference: BUGTRAQ:19990405 Re: [SECURITY] new version of procmail with security fixes
Reference: CALDERA:CSSA-1999:007
Reference: DEBIAN:19990422
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0439
Reference: XF:procmail-overflow

Buffer overflow in procmail before version 3.12 allows remote or local attackers to execute commands via expansions in the procmailrc configuration file.

======================================================
Name: CVE-1999-0440
Status: Entry
Reference: BID:1939
Reference: URL:http://www.securityfocus.com/bid/1939
Reference: BUGTRAQ:19990405 Security Hole in Java 2 (and JDK 1.1.x)
Reference: URL:http://marc.info/?l=bugtraq&m=92333596624452&w=2
Reference: CONFIRM:http://java.sun.com/pr/1999/03/pr990329-01.html
Reference: XF:java-unverified-code

The byte code verifier component of the Java Virtual Machine (JVM) allows remote execution through malicious web pages.

======================================================
Name: CVE-1999-0441
Status: Entry
Reference: BID:509
Reference: URL:http://www.securityfocus.com/bid/509
Reference: EEYE:AD02221999
Reference: URL:http://www.eeye.com/html/Research/Advisories/AD02221999.html
Reference: XF:wingate-redirector-dos

Remote attackers can perform a denial of service in WinGate machines using a buffer overflow in the Winsock Redirector Service.

======================================================
Name: CVE-1999-0442
Status: Entry
Reference: BID:327
Reference: URL:http://www.securityfocus.com/bid/327
Reference: BUGTRAQ:19990107 really silly ff.core exploit for Solaris
Reference: BUGTRAQ:19990108 ff.core exploit on Solaris (2.)7
Reference: BUGTRAQ:19990408 Solaris7 and ff.core

Solaris ff.core allows local users to modify files.
======================================================
Name: CVE-1999-0443
Status: Candidate
Phase: Proposed(19990728)
Reference: BUGTRAQ:19990409 Patrol security bugs
Reference: URL:http://www.securityfocus.com/archive/1/13204
Reference: XF:bmc-patrol-replay

Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech

Voter Comments:
 Frech> Change "Patrol management software" to "The PATROL management product from BMC Software".

======================================================
Name: CVE-1999-0444
Status: Candidate
Phase: Modified(20000106)
Reference: BUGTRAQ:19990412 ARP problem in Windows9X/NT
Reference: MISC:https://marc.info/?l=bugtraq&m=92394891221029&w=2
Reference: XF:windows-arp-dos

Remote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech

Voter Comments:
 Frech> ADDREF: XF:windows-arp-dos

======================================================
Name: CVE-1999-0445
Status: Entry
Reference: CISCO:Cisco IOS(R) Software Input Access List Leakage with NAT
Reference: OSVDB:1104
Reference: URL:http://www.osvdb.org/1104
Reference: XF:cisco-natacl-leakage

In Cisco routers under some versions of IOS 12.0 running NAT, some packets may not be filtered by input access list filters.

======================================================
Name: CVE-1999-0446
Status: Entry
Reference: NETBSD:1999-008
Reference: OSVDB:7051
Reference: URL:http://www.osvdb.org/7051
Reference: XF:netbsd-vfslocking-panic

Local users can perform a denial of service in NetBSD 1.3.3 and earlier versions by creating an unusual symbolic link with the ln command, triggering a bug in VFS.
======================================================
Name: CVE-1999-0447
Status: Entry
Reference: HP:HPSBMP9904-006
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMP9904-006
Reference: XF:mpeix-debug

Local users can gain privileges using the debug utility in the MPE/iX operating system.

======================================================
Name: CVE-1999-0448
Status: Entry
Reference: BUGTRAQ:19990121 IIS 4 Request Logging Security Advisory
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0448
Reference: XF:iis-http-request-logging

IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request.

======================================================
Name: CVE-1999-0449
Status: Entry
Reference: BID:193
Reference: URL:http://www.securityfocus.com/bid/193
Reference: BUGTRAQ:19990125 Re: [NTSEC] IIS 4 Advisory - ExAir sample site DoS
Reference: BUGTRAQ:19990126 IIS 4 Advisory - ExAir sample site DoS
Reference: NTBUGTRAQ:19990126 IIS 4 Advisory - ExAir sample site DoS
Reference: OSVDB:2
Reference: URL:http://www.osvdb.org/2
Reference: OSVDB:3
Reference: URL:http://www.osvdb.org/3
Reference: OSVDB:4
Reference: URL:http://www.osvdb.org/4
Reference: XF:iis-exair-dos

The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (2) query.asp, or (3) search.asp scripts.

======================================================
Name: CVE-1999-0450
Status: Candidate
Phase: Modified(20090622)
Reference: BID:194
Reference: URL:http://www.securityfocus.com/bid/194
Reference: BUGTRAQ:19990122 Perl.exe and IIS security advisory

In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe).
Current Votes:
   ACCEPT(2) Ozancin, Wall
   NOOP(2) Baker, Christey
   REJECT(2) Frech, LeBlanc

Voter Comments:
 Frech> Can't find in database.
 Christey> This looks like another discovery of CVE-2000-0071
 LeBlanc> - I just tried to repro this based on the BUGTRAQ vuln information, and it does not repro -

   GET /bogus.pl HTTP/1.0

   HTTP/1.1 404 Object Not Found
   Server: Microsoft-IIS/5.0
   Date: Thu, 05 Oct 2000 21:04:20 GMT
   Content-Length: 3243
   Content-Type: text/html

   No path is returned whatsoever. This may have been a problem on some version of IIS in the past, but the BUGTRAQ ID says all versions are vulnerable. Let's try and figure out what version had the problem, whether it is intrinsic to IIS or the result of adding a 3rd party implementation of perl, and when it got fixed, then we can try again.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Christey> Add "no-such-file.pl" as an example to the desc, to facilitate search (it's used by CGI scanners and in the original example)

======================================================
Name: CVE-1999-0451
Status: Candidate
Phase: Proposed(19990726)
Reference: BID:343
Reference: URL:http://www.securityfocus.com/bid/343
Reference: BUGTRAQ:Jan19,1999

Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port.

Current Votes:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:linux-ports-dos(8364)

======================================================
Name: CVE-1999-0452
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0452

A service or application has a backdoor password that was placed there by the developer.

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Frech

Voter Comments:
 Frech> Much too broad. Also may be HIGHCARD (or will be in the future).
 Baker> I think we want to address this using the dot notation idea.
   We do need to address this, just not a separate entry for every single occurrence.

======================================================
Name: CVE-1999-0453
Status: Candidate
Phase: Modified(20040512)
Reference: BUGTRAQ:19990118 Remote Cisco Identification
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0453

An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP).

Current Votes:
   ACCEPT(2) Baker, Balinsky
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:cisco-ident(2289)
   ADDREF BUGTRAQ:19990118 Remote Cisco Identification
   In description, probably better to use "Cisco" as product/company name.
 Balinsky> CiscoSecure IDS has a signature for this...ID 3602 Cisco IOS Identity.
 Christey> There may be a slight abstraction problem here, e.g. look at the candidate for queso/nmap; also see followup Bugtraq post from "Basement Research" on 19990120 which says that there are many other features in Cisco products that allow remote identification.
 Christey> fix typo: "Dicsovery"

======================================================
Name: CVE-1999-0454
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/2048

A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Christey, Wall
   REJECT(2) Baker, Northcutt

Voter Comments:
 Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced ways to accomplish this. To pursue making the world signature free is as much a vulnerability as having signatures, nay more.
 Frech> XF:decod-nmap(2053)
   XF:decod-queso(2048)
 Christey> Add "fingerprinting" to facilitate search.
   Some references:
   MISC:http://www.insecure.org/nmap/nmap-fingerprinting-article.html
   BUGTRAQ:19981228 A few more fingerprinting techniques - time and netmask
   http://marc.theaimsgroup.com/?l=bugtraq&m=91489155019895&w=2
   BUGTRAQ:19990222 Preventing remote OS detection
   http://marc.theaimsgroup.com/?l=bugtraq&m=91971553006937&w=2
   BUGTRAQ:20000901 ICMP Usage In Scanning v2.0 - Research Paper
   http://marc.theaimsgroup.com/?l=bugtraq&m=96791499611849&w=2
   BUGTRAQ:20000912 Using the Unused (Identifying OpenBSD,
   http://marc.theaimsgroup.com/?l=bugtraq&m=96879267724690&w=2
   BUGTRAQ:20000912 The DF Bit Playground (Identifying Sun Solaris & OpenBSD OSs)
   http://marc.theaimsgroup.com/?l=bugtraq&m=96879481129637&w=2
   BUGTRAQ:20000816 TOSing OSs out of the window / Fingerprinting Windows 2000 with
   http://marc.theaimsgroup.com/?l=bugtraq&m=96644121403569&w=2
   BUGTRAQ:20000609 p0f - passive os fingerprinting tool
   http://marc.theaimsgroup.com/?l=bugtraq&m=96062535628242&w=2
 Baker> I think we can probably reject this as the corollary is that you can identify OS from a IP/TCP packet sent by a system, looking at various parts of the SYN packet. Unless we believe that all systems should always use identical packet header/identical responses, in which case the protocol should not permit variation.

======================================================
Name: CVE-1999-0455
Status: Candidate
Phase: Modified(19991210)
Reference: ALLAIRE:ASB-001
Reference: BID:115
Reference: URL:http://www.securityfocus.com/bid/115
Reference: XF:coldfusion-expression-evaluator

The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly.
Current Votes:
   ACCEPT(3) Balinsky, Frech, Ozancin
   MODIFY(1) Wall
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Wall> The reference should be ASB99-01 (Expression Evaluator Security Issues) make application plural since there are three sample applications (openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm).
 Christey> The CD:SF-EXEC and CD:SF-LOC content decisions apply here. Since there are 3 separate "executables" with the same (or similar) problem, we need to make sure that CD:SF-EXEC determines what to do here. There is evidence that some of these .cfm scripts have an "include" file, and if so, then CD:SF-LOC says that we shouldn't make separate entries for each of these scripts. On the other hand, the initial L0pht discovery didn't include all 3 of these scripts, and as far as I can tell, Allaire had patched the first problem before the others were discovered. So, CD:DISCOVERY-DATE may argue that we should split these because the problems were discovered and patched at different times. In any case, this candidate can not be accepted until the Editorial Board has accepted the CD:SF-EXEC, CD:SF-LOC, and CD:DISCOVERY-DATE content decisions.

======================================================
Name: CVE-1999-0457
Status: Entry
Reference: BID:317
Reference: URL:http://www.securityfocus.com/bid/317
Reference: BUGTRAQ:Jan17,1999
Reference: DEBIAN:19990117
Reference: XF:ftpwatch-vuln

Linux ftpwatch program allows local users to gain root privileges.

======================================================
Name: CVE-1999-0458
Status: Entry
Reference: BUGTRAQ:Jan6,1999
Reference: OSVDB:915
Reference: URL:http://www.osvdb.org/915
Reference: XF:l0phtcrack-temp-files

L0phtcrack 2.5 used temporary files in the system TEMP directory which could contain password information.
======================================================
Name: CVE-1999-0459
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0459
Reference: XF:linux-milo-halt

Local users can perform a denial of service in Alpha Linux, using MILO to force a reboot.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Baker, Northcutt
   REJECT(1) Wall

Voter Comments:
 Wall> Reject based on beta copy.

======================================================
Name: CVE-1999-0460
Status: Candidate
Phase: Proposed(19990726)
Reference: BID:312
Reference: URL:http://www.securityfocus.com/bid/312
Reference: BUGTRAQ:19990218 Linux autofs overflow in 2.0.36+

Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service.

Current Votes:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:linux-autofs-bo(8365)

======================================================
Name: CVE-1999-0461
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0461

Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source address.

Current Votes:
   MODIFY(1) Frech
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> ADDREF XF:pmap-sset
 Christey> CVE-1999-0195 = CVE-1999-0461 ?
   If this is approved over CVE-1999-0195, make sure it gets XF:pmap-sset
 Baker> This does appear to be a duplicate.
   We should accept 1999-0195, since it already has the votes and get rid of this one

======================================================
Name: CVE-1999-0462
Status: Candidate
Phase: Proposed(19990728)
Reference: BID:339
Reference: URL:http://www.securityfocus.com/bid/339
Reference: BUGTRAQ:19990114 Secuity hole with perl (suidperl) and nosuid mounts on Linux

suidperl in Linux Perl does not check the nosuid mount option on file systems, allowing local users to gain root access by placing a setuid script in a mountable file system, e.g. a CD-ROM or floppy disk.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:perl-suidperl-bo
 Christey> XF:perl-suidperl-bo doesn't exist.

======================================================
Name: CVE-1999-0463
Status: Entry
Reference: SGI:19981201-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981201-01-PX
Reference: XF:sgi-fcagent-dos

Remote attackers can perform a denial of service using IRIX fcagent.

======================================================
Name: CVE-1999-0464
Status: Entry
Reference: BUGTRAQ:19990104 Tripwire mess..
Reference: URL:http://marc.info/?l=bugtraq&m=91553066310826&w=2
Reference: CONFIRM:http://marc.info/?l=bugtraq&m=91592136122066&w=2
Reference: OSVDB:6609
Reference: URL:http://www.osvdb.org/6609

Local users can perform a denial of service in Tripwire 1.2 and earlier using long filenames.

======================================================
Name: CVE-1999-0465
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0465
Reference: XF:http-img-overflow

Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter.
Current Votes:
   ACCEPT(2) Frech, Northcutt
   NOOP(1) Baker
   REJECT(2) LeBlanc, Wall

Voter Comments:
 Wall> Reject based on client-side DoS
 LeBlanc> Client side DOS

======================================================
Name: CVE-1999-0466
Status: Entry
Reference: NETBSD:1999-009
Reference: OSVDB:905
Reference: URL:http://www.osvdb.org/905

The SVR4 /dev/wabi special device file in NetBSD 1.3.3 and earlier allows a local user to read or write arbitrary files on the disk associated with that device.

======================================================
Name: CVE-1999-0467
Status: Candidate
Phase: Modified(20000106)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0467
Reference: NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
Reference: XF:http-cgi-webcom-guestbook

The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter.

Current Votes:
   ACCEPT(4) Blake, Frech, Landfield, Ozancin
   NOOP(3) Baker, Christey, Northcutt

Voter Comments:
 Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers Mnemonix says that he had previously reported on a similar problem. Let's refer to the NTBugtraq posting as CVE-1999-0467. We will refer to the "previous report" as CVE-1999-0287, which can be found at:
   http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
   0287 describes an exploit via the "template" hidden variable. The exploit describes manually editing the HTML form to change the filename to read from the template variable. The exploit as described in 0467 encodes the template variable directly into the URL. However, hidden variables are also encoded into the URL, which would have looked the same to the web server regardless of the exploit. Therefore 0287 and 0467 are the same.
 Christey> The CD:SF-EXEC content decision also applies here.
   We have 2 programs, wguest.exe and rguest.exe, which appear to have the same problem. CD:SF-EXEC needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry. When finalized, CD:SF-EXEC will decide whether this candidate should be split or not.
 Christey> BID:2024

======================================================
Name: CVE-1999-0468
Status: Entry
Reference: BUGTRAQ:Apr9,1999
Reference: MS:MS99-012
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-012
Reference: XF:ie-scriplet-fileread

Internet Explorer 5.0 allows a remote server to read arbitrary files on the client's file system using the Microsoft Scriptlet Component.

======================================================
Name: CVE-1999-0469
Status: Candidate
Phase: Proposed(19990728)
Reference: BUGTRAQ:19990409 IE 5.0 security vulnerabilities - %01 bug again
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0469
Reference: XF:ie-window-spoof

Internet Explorer 5.0 allows window spoofing, allowing a remote attacker to spoof a legitimate web site and capture information from the client.

Current Votes:
   ACCEPT(1) Wall
   NOOP(2) Baker, Northcutt
   REJECT(3) Christey, Frech, LeBlanc

Voter Comments:
 Wall> Reference: Microsoft Security Bulletin MS99-012
 Christey> DUPE CVE-1999-0488
 Frech> Defer to Christey's vote. However, XF:ie-mshtml-crossframe(2216) assigned to CVE-1999-0488.
 LeBlanc> Duplicate

======================================================
Name: CVE-1999-0470
Status: Entry
Reference: BID:482
Reference: URL:http://www.securityfocus.com/bid/482
Reference: BUGTRAQ:19990409 New Novell Remote.NLM Password Decryption Algorithm with Exploit
Reference: XF:netware-remotenlm-passwords

A weak encryption algorithm is used for passwords in Novell Remote.NLM, allowing them to be easily decrypted.
======================================================
Name: CVE-1999-0471
Status: Entry
Reference: BUGTRAQ:Apr9,1999
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0471
Reference: XF:winroute-config

The remote proxy server in Winroute allows a remote attacker to reconfigure the proxy without authentication through the "cancel" button.

======================================================
Name: CVE-1999-0472
Status: Entry
Reference: BUGTRAQ:Apr7,1999
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0472
Reference: XF:netcache-snmp

The SNMP default community name "public" is not properly removed in NetApps C630 Netcache, even if the administrator tries to disable it.

======================================================
Name: CVE-1999-0473
Status: Entry
Reference: BID:145
Reference: URL:http://www.securityfocus.com/bid/145
Reference: BUGTRAQ:19990407 rsync 2.3.1 release - security fix
Reference: CALDERA:CSSA-1999:010.0
Reference: DEBIAN:19990823
Reference: XF:rsync-permissions

The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred.

======================================================
Name: CVE-1999-0474
Status: Entry
Reference: BUGTRAQ:Apr5,1999
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0474
Reference: XF:icq-webserver-read

The ICQ Webserver allows remote attackers to use .. to access arbitrary files outside of the user's personal directory.

======================================================
Name: CVE-1999-0475
Status: Entry
Reference: BUGTRAQ:Apr5,1999
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0475
Reference: XF:procmail-race

A race condition in how procmail handles .procmailrc files allows a local user to read arbitrary files available to the user who is running procmail.
====================================================== Name: CVE-1999-0476 Status: Candidate Phase: Proposed(19990721) Reference: BUGTRAQ:19990331 Potential vulnerability in SCO TermVision Windows 95 client Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0476 Reference: XF:sco-termvision-password A weak encryption algorithm is used for passwords in SCO TermVision, allowing them to be easily decrypted by a local user. Current Votes: ACCEPT(3) Baker, Frech, Ozancin NOOP(3) LeBlanc, Northcutt, Wall ====================================================== Name: CVE-1999-0477 Status: Candidate Phase: Modified(19991210) Reference: BID:115 Reference: URL:http://www.securityfocus.com/bid/115 Reference: L0PHT:Cold Fusion App Server Reference: XF:coldfusion-expression-evaluator The Expression Evaluator in the ColdFusion Application Server allows a remote attacker to upload files to the server via openfile.cfm, which does not restrict access to the server properly. Current Votes: ACCEPT(4) Baker, Christey, Frech, Ozancin REJECT(1) Wall Voter Comments: Wall> Duplicate of 0455 Christey> CVE-1999-0477 and CVE-1999-0455 were discovered at different times. Also, the attack was different. So "Same Attack" and "Same Time of Discovery" dictate that these should remain separate. ====================================================== Name: CVE-1999-0478 Status: Entry Reference: HP:HPSBUX9904-097 Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9904-097 Reference: XF:sendmail-headers-dos Denial of service in HP-UX sendmail 8.8.6 related to accepting connections. ====================================================== Name: CVE-1999-0479 Status: Entry Reference: HP:HPSBUX9903-092 Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-092 Reference: XF:netscape-server-dos Denial of service in Netscape Enterprise Server with VirtualVault on HP-UX VVOS systems. 
====================================================== Name: CVE-1999-0480 Status: Candidate Phase: Modified(20000106) Reference: BUGTRAQ:19980315 Midnight Commander /tmp race Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0480 Local attackers can conduct a denial of service in Midnight Commander 4.x with a symlink attack. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) Christey Voter Comments: Frech> XF:midnight-commander-symlink-dos Christey> XF:midnight-commander-symlink-dos(3505) ====================================================== Name: CVE-1999-0481 Status: Entry Reference: OPENBSD:Mar22,1999 Reference: OSVDB:7556 Reference: URL:http://www.osvdb.org/7556 Denial of service in "poll" in OpenBSD. ====================================================== Name: CVE-1999-0482 Status: Entry Reference: OPENBSD:Mar21,1999 Reference: OSVDB:7557 Reference: URL:http://www.osvdb.org/7557 OpenBSD kernel crash through TSS handling, as caused by the crashme program. ====================================================== Name: CVE-1999-0483 Status: Entry Reference: OPENBSD:Feb25,1999 Reference: OSVDB:6129 Reference: URL:http://www.osvdb.org/6129 OpenBSD crash using nlink value in FFS and EXT2FS filesystems. ====================================================== Name: CVE-1999-0484 Status: Entry Reference: OPENBSD:Feb23,1999 Reference: OSVDB:6130 Reference: URL:http://www.osvdb.org/6130 Buffer overflow in OpenBSD ping. ====================================================== Name: CVE-1999-0485 Status: Entry Reference: OPENBSD:Feb19,1999 Reference: OSVDB:7558 Reference: URL:http://www.osvdb.org/7558 Reference: XF:openbsd-ipintr-race Remote attackers can cause a system crash through ipintr() in ipq in OpenBSD. 
====================================================== Name: CVE-1999-0486 Status: Candidate Phase: Modified(20000106) Reference: BUGTRAQ:19990420 AOL Instant Messenger URL Crash Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0486 Denial of service in AOL Instant Messenger when a remote attacker sends a malicious hyperlink to the receiving client, potentially causing a system crash. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) Christey Voter Comments: Frech> XF:aol-im. Christey> XF:aol-im appears to be related to the problem discussed in BUGTRAQ:19980224 AOL Instant Messanger Bug This one is related to BUGTRAQ:19990420 AOL Instant Messenger URL Crash ====================================================== Name: CVE-1999-0487 Status: Entry Reference: MS:MS99-011 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-011 Reference: XF:ie-dhtml-control The DHTML Edit ActiveX control in Internet Explorer allows remote attackers to read arbitrary files. ====================================================== Name: CVE-1999-0488 Status: Candidate Phase: Modified(19991205) Reference: MS:MS99-012 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-012 Internet Explorer 4.0 and 5.0 allows a remote attacker to execute security scripts in a different security context using malicious URLs, a variant of the "cross frame" vulnerability. Current Votes: ACCEPT(2) Baker, Landfield MODIFY(2) Frech, Wall NOOP(2) Christey, Ozancin Voter Comments: Frech> XF:ie-mshtml-crossframe Wall> (source: MSKB:Q168485) Christey> CVE-1999-0469 appears to be a duplicate; prefer this one over that one, since this one has an MS advisory. Confirm with Microsoft that these are really duplicates. Also review CVE-1999-0487, which appears to be a similar bug. 
====================================================== Name: CVE-1999-0489 Status: Candidate Phase: Modified(19991205) Reference: MS:MS99-015 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-015 MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste a file name into the file upload intrinsic control, a variant of "untrusted scripted paste" as described in MS:MS98-013. Current Votes: ACCEPT(1) Levy MODIFY(1) Wall NOOP(2) Baker, Ozancin RECAST(1) Prosser REJECT(1) Christey REVIEWING(1) Frech Voter Comments: Frech> Wasn't Untrusted scripted paste MS98-015? I can find no mention of a clipboard in either. I cannot proceed on this one without further clarification. Wall> (source: MS:MS99-012) Prosser> agree with Andre here. The Untrusted Scripted paste vulnerability was originally addressed in MS98-015 and it is in the file upload intrinsic control in which an attacker can paste the name of a file on the target's drive in the control and a form submission would then send that file from the attacked machine to the remote web site. This one has nothing to do with the clipboard. What the advisory mentioned here, MS99-012, does is replace the MSHTML parsing engine which is supposed to fix the original Untrusted Scripted Paste issue and a variant, as well as the two Cross-Frame variants and a privacy issue in IMG SRC. The vulnerability that allowed reading of a user's clipboard is the Forms 2.0 Active X control vulnerability discussed in MS99-01 Christey> The advisory should have been listed as MS99-012. CVE-1999-0468 describes the untrusted scripted paste problem in MS99-012. Frech> Pending response to guidance request. 12/6/01. 
====================================================== Name: CVE-1999-0490 Status: Candidate Phase: Modified(19991205) Reference: MS:MS99-012 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-012 MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn information about a local user's files via an IMG SRC tag. Current Votes: ACCEPT(2) Landfield, Wall MODIFY(1) Frech NOOP(2) Baker, Ozancin REVIEWING(1) Christey Voter Comments: Frech> XF:ie-scriplet-fileread Christey> Duplicate of CVE-1999-0347? ====================================================== Name: CVE-1999-0491 Status: Entry Reference: BID:119 Reference: URL:http://www.securityfocus.com/bid/119 Reference: BUGTRAQ:19990420 Bash Bug Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.9904202114070.6623-100000@smooth.Operator.org Reference: CALDERA:CSSA-1999-008.0 Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-008.0.txt The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute. ====================================================== Name: CVE-1999-0492 Status: Candidate Phase: Proposed(19990726) Reference: BUGTRAQ:Apr23,1999 Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0492 The ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses. Current Votes: ACCEPT(3) Armstrong, Collins, Northcutt MODIFY(4) Baker, Blake, Frech, Shostack NOOP(4) Christey, Cole, Landfield, Wall REVIEWING(1) Ozancin Voter Comments: Shostack> isn't that what finger is supposed to do? Landfield> Maybe we need a new category of "unsafe system utilities and protocols" Blake> Ffingerd 1.19 allows remote attackers to differentiate valid and invalid usernames on the target system based on its responses to finger queries. 
Christey> CHANGEREF BUGTRAQ [canonicalize] BUGTRAQ:19990423 Ffingerd privacy issues http://marc.theaimsgroup.com/?l=bugtraq&m=92488772121313&w=2 Here's the nature of the problem. (1) FFingerd allows users to decide not to be fingered, printing a message "That user does not want to be fingered" (2) If the fingered user does not exist, then FFingerd's intended default is to print that the user does not want to be fingered; however, the error message has a period at the end. Thus, ffingerd can allow someone to determine who valid users on the server are, *in spite of* the intended functionality of ffingerd itself. Thus this exposure should be viewed in light of the intended functionality of the application, as opposed to the common usage of the finger protocol in general. Also, the vendor posted a followup and said that a patch was available. See: http://marc.theaimsgroup.com/?l=bugtraq&m=92489375428016&w=2 Baker> Vulnerability Reference (HTML) Reference Type http://www.securityfocus.com/archive/1/13422 Misc Defensive Info CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:ffinger-user-info(5393) ====================================================== Name: CVE-1999-0493 Status: Entry Reference: BID:450 Reference: URL:http://www.securityfocus.com/bid/450 Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd) Reference: URL:http://marc.info/?l=bugtraq&m=91547759121289&w=2 Reference: CERT:CA-99-05 Reference: URL:http://www.cert.org/advisories/CA-99-05-statd-automountd.html Reference: CIAC:J-045 Reference: URL:http://www.ciac.org/ciac/bulletins/j-045.shtml Reference: SUN:00186 Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/186&type=0&nav=sec.sba rpc.statd allows remote attackers to forward RPC calls to the local operating system via the SM_MON and SM_NOTIFY commands, which in turn could be used to remotely exploit other bugs such as in automountd. 
====================================================== Name: CVE-1999-0494 Status: Entry Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0494 Reference: XF:wingate-pop3-user-bo Denial of service in WinGate proxy through a buffer overflow in POP3. ====================================================== Name: CVE-1999-0495 Status: Candidate Phase: Proposed(19990728) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/837 A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares. Current Votes: ACCEPT(6) Baker, Blake, Cole, Collins, Northcutt, Ozancin MODIFY(1) Frech NOOP(4) Armstrong, Bishop, Landfield, Wall REVIEWING(2) Christey, Levy Voter Comments: Frech> XF:nb-dotdotknown(837) References would be appreciated. We've got no reference for this issue; confidence rating is consequently low. Levy> Some references: http://www.securityfocus.com/archive/1/3894 http://www.securityfocus.com/archive/1/3533 http://www.securityfocus.com/archive/1/3535 ====================================================== Name: CVE-1999-0496 Status: Entry Reference: MSKB:Q146965 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q146965 Reference: XF:nt-getadmin Reference: XF:nt-getadmin-present A Windows NT 4.0 user can gain administrative rights by forcing NtOpenProcessToken to succeed regardless of the user's permissions, aka GetAdmin. ====================================================== Name: CVE-1999-0497 Status: Candidate Phase: Modified(20040811) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0497 Anonymous FTP is enabled. Current Votes: ACCEPT(1) Shostack MODIFY(1) Frech NOOP(2) Baker, Christey REJECT(1) Northcutt Voter Comments: Frech> ftp-anon(52) at http://xforce.iss.net/static/52.php ftp-anon2(543) at http://xforce.iss.net/static/543.php Christey> Add period to the end of the description. 
Baker> Don't know about this, but it may be the only easy way to allow access to data for some folks. ====================================================== Name: CVE-1999-0498 Status: Candidate Phase: Modified(19990925) Reference: CERT:CA-91.18.Active.Internet.tftp.Attacks Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0498 TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files. Current Votes: ACCEPT(3) Blake, Hill, Northcutt MODIFY(1) Frech NOOP(1) Baker REVIEWING(1) Christey Voter Comments: Frech> XF:linux-tftp Christey> XF:linux-tftp refers to CVE-1999-0183 ====================================================== Name: CVE-1999-0499 Status: Candidate Phase: Proposed(19990721) Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0499 NETBIOS share information may be published through SNMP registry keys in NT. Current Votes: ACCEPT(5) Baker, Northcutt, Ozancin, Shostack, Wall MODIFY(1) Frech REJECT(1) LeBlanc Voter Comments: Frech> Change wording to 'Windows NT.' XF:snmp-netbios LeBlanc> Share info can be obtained via SNMP queries, but I question whether this is a vulnerability. The system can be configured not to do this, and one may argue that SNMP itself is an insecure configuration. Furthermore, the share information isn't published via registry keys - the description could refer to more than one actual issue. SNMP is meant to allow people to obtain information about systems. I'm willing to discuss this with the rest of the board. ====================================================== Name: CVE-1999-0501 Status: Candidate Phase: Proposed(19990714) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0501 A Unix account has a guessable password. 
Current Votes: ACCEPT(3) Baker, Northcutt, Shostack RECAST(2) Frech, Meunier REVIEWING(1) Christey Voter Comments: Frech> Guessable falls into the class of CVE-1999-0502, since I can guess a default, null, etc. password. Suggest changing to something like "has an existing non-default password that can be guessed." I'm also including default passwords in this entry. In that vein, we show the following references: XF:user-password XF:passwd-username XF:default-unix-sync XF:default-unix-4dgifts XF:default-unix-bin XF:default-unix-daemon XF:default-unix-lp XF:default-unix-me XF:default-unix-nuucp XF:default-unix-root XF:default-unix-toor XF:default-unix-tour XF:default-unix-tty XF:default-unix-uucp Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using. CHANGE> [Meunier changed vote from ACCEPT to RECAST] Meunier> This relates only to account password technology, so this candidate is independent of the operating system, application, web site or other application of this technology. The appropriate (natural) level of abstraction is therefore without specifying that it is for UNIX. Change the description to "An account has a guessable password other than default, null, blank." This should satisfy Andre's objection. This Candidate should be merged with any candidate relating to account password technology where "Unix" in the original description can be replaced by something else. ====================================================== Name: CVE-1999-0502 Status: Candidate Phase: Proposed(19990714) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0502 A Unix account has a default, null, blank, or missing password. 
Current Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech REVIEWING(1) Christey Voter Comments: Frech> XF:passwd-blank XF:no-pass XF:dict XF:sgi-accounts XF:linux-caldera-lisa Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using. ====================================================== Name: CVE-1999-0503 Status: Candidate Phase: Proposed(19990714) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0503 A Windows NT local user or administrator account has a guessable password. Current Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech REVIEWING(1) Christey Voter Comments: Frech> Note: I am assuming that this entry includes Windows 2000 accounts and machine/service accounts listed in User Manager. XF:nt-guess-admin XF:nt-guess-user XF:nt-guess-guest XF:nt-guessed-operpwd XF:nt-guessed-powerwd XF:nt-guessed-disabled XF:nt-guessed-backup XF:nt-guessed-acctoper-pwd XF:nt-adminuserpw XF:nt-guestuserpw XF:nt-accountuserpw XF:nt-operator-userpw XF:nt-service-user-pwd XF:nt-server-oper-user-pwd XF:nt-power-user-pwd XF:nt-backup-operator-userpwd XF:nt-disabled-account-userpwd Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using. 
====================================================== Name: CVE-1999-0504 Status: Candidate Phase: Proposed(19990714) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0504 A Windows NT local user or administrator account has a default, null, blank, or missing password. Current Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech REVIEWING(1) Christey Voter Comments: Frech> XF:nt-guestblankpw XF:nt-adminblankpw XF:nt-adminnopw XF:nt-usernopw XF:nt-guestnopw XF:nt-accountblankpw XF:nt-nopw XF:nt-operator-blankpwd XF:nt-server-oper-blank-pwd XF:nt-power-user-blankpwd XF:nt-backup-operator-blankpwd XF:nt-disabled-account-blankpwd Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using. ====================================================== Name: CVE-1999-0505 Status: Candidate Phase: Proposed(19990714) Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0505 A Windows NT domain user or administrator account has a guessable password. 
Current Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech Voter Comments: Frech> XF:nt-guessed-domain-userpwd XF:nt-guessed-domain-guestpwd XF:nt-guessed-domain-adminpwd XF:nt-domain-userpwd XF:nt-domain-admin-userpwd XF:nt-domain-guest-userpwd XF:win2k-certpub-usrpwd XF:win2k-dhcpadm-usrpwd XF:win2k-dnsadm-usrpwd XF:win2k-entadm-usrpwd XF:win2k-schema-usrpwd XF:win2k-guessed-certpub XF:win2k-guessed-dhcpadm XF:win2k-guessed-dnsadm XF:win2k-guessed-entadm XF:win2k-guessed-schema ====================================================== Name: CVE-1999-0506 Status: Candidate Phase: Proposed(19990714) Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0506 A Windows NT domain user or administrator account has a default, null, blank, or missing password. Current Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech Voter Comments: Frech> XF:nt-domain-admin-blankpwd XF:nt-domain-admin-nopwd XF:nt-domain-guest-blankpwd XF:nt-domain-guest-nopwd XF:nt-domain-user-blankpwd XF:nt-domain-user-nopwd XF:win2k-certpub-blnkpwd XF:win2k-dhcpadm-blnkpwd XF:win2k-dnsadm-blnkpwd XF:win2k-entadm-blnkpwd XF:win2k-schema-blnkpwd ====================================================== Name: CVE-1999-0507 Status: Candidate Phase: Proposed(19990714) Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0507 An account on a router, firewall, or other network device has a guessable password. Current Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech Voter Comments: Frech> XF:firewall-tisopen XF:firewall-raptoropen XF:firewall-msopen XF:firewall-checkpointopen XF:firewall-ciscoopen ====================================================== Name: CVE-1999-0508 Status: Candidate Phase: Proposed(19990714) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0508 An account on a router, firewall, or other network device has a default, null, blank, or missing password. 
Current Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech NOOP(1) Christey Voter Comments: Frech> Note: Because the distinction between network hardware and software is not distinct, the term 'network device' was liberally interpreted. Feel free to reject any of the below terms. XF:default-netranger XF:cayman-gatorbox XF:breezecom-default-passwords XF:default-portmaster XF:wingate-unpassworded XF:netopia-unpassworded XF:default-bay-switches XF:motorola-cable-default-pass XF:default-flowpoint XF:qms-2060-no-root-password XF:avirt-ras-password XF:webtrends-rtp-serv-install-password XF:cisco-bruteforce XF:cisco-bruteadmin XF:sambar-server-defaults XF:management-pfcuser XF:http-cgi-wwwboard-default Christey> DELREF XF:avirt-ras-password - does not fit CVE-1999-0508. ====================================================== Name: CVE-1999-0509 Status: Candidate Phase: Modified(20000114) Reference: CERT:CA-96.11 Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/146 Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands. Current Votes: ACCEPT(2) Northcutt, Wall MODIFY(1) Frech NOOP(1) Baker REVIEWING(1) Christey Voter Comments: Christey> What is the right level of abstraction to use here? Should we combine all possible interpreters into a single entry, or have a different entry for each one? I've often seen Perl separated from other interpreters - is it included by default in some Windows web server configurations? Christey> Add tcsh, zsh, bash, rksh, ksh, ash, to support search. Frech> XF:http-cgi-vuln(146) ====================================================== Name: CVE-1999-0510 Status: Candidate Phase: Proposed(19990726) Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0510 A router or firewall allows source routed packets from arbitrary hosts. 
Current Votes: ACCEPT(2) Baker, Northcutt MODIFY(1) Frech Voter Comments: Frech> XF:source-routing ====================================================== Name: CVE-1999-0511 Status: Candidate Phase: Proposed(19990726) Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0511 IP forwarding is enabled on a machine which is not a router or firewall. Current Votes: ACCEPT(2) Baker, Northcutt MODIFY(1) Frech Voter Comments: Frech> XF:ip-forwarding ====================================================== Name: CVE-1999-0512 Status: Candidate Phase: Modified(20020427) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0512 A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers. Current Votes: ACCEPT(3) Baker, Northcutt, Shostack MODIFY(1) Frech NOOP(1) Christey Voter Comments: Frech> XF:smtp-sendmail-relay(210) XF:ntmail-relay(2257) XF:exchange-relay(3107) (also assigned to CVE-1999-0682) XF:smtp-relay-uucp(3470) XF:sco-sendmail-spam(4342) XF:sco-openserver-mmdf-spam(4343) XF:lotus-domino-smtp-mail-relay(6591) XF:win2k-smtp-mail-relay(6803) XF:cobalt-poprelayd-mail-relay(6806) Candidate implicitly may refer to relaying settings enabled by default, or the bypass/circumvention of relaying. Both interpretations were used in assigning this candidate. Christey> The intention of this candidate is to cover configurations in which the admin has explicitly enabled relaying. Other cases in which the application *intends* to prevent relaying, but there is some specific input that bypasses/tricks it, count as vulnerabilities (or exposures?) and as such would be assigned different numbers. http://www.sendmail.org/~ca/email/spam.html seems like a good general resource, as does ftp://ftp.isi.edu/in-notes/rfc2505.txt Christey> I changed the description to make it more clear that the issue is that of explicit configuration, as opposed to being the result of a vulnerability. 
====================================================== Name: CVE-1999-0513 Status: Entry Reference: CERT:CA-98.01.smurf Reference: FREEBSD:FreeBSD-SA-98:06 Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0513 Reference: XF:smurf ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service. ====================================================== Name: CVE-1999-0514 Status: Entry Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0514 Reference: XF:fraggle UDP messages to broadcast addresses are allowed, allowing for a Fraggle attack that can cause a denial of service by flooding the target. ====================================================== Name: CVE-1999-0515 Status: Candidate Phase: Proposed(19990728) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0515 An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv. Current Votes: ACCEPT(2) Baker, Northcutt MODIFY(1) Frech REJECT(1) Shostack Voter Comments: Shostack> Overly broad Frech> XF:rsh-equiv(111) Baker> Since this is unrestricted trust, I agree this is a problem ====================================================== Name: CVE-1999-0516 Status: Candidate Phase: Proposed(19990714) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0516 An SNMP community name is guessable. Current Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech REVIEWING(1) Christey Voter Comments: Frech> XF:snmp-get-guess XF:snmp-set-guess XF:sol-hidden-commstr XF:hpov-hidden-snmp-comm Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. 
CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using. ====================================================== Name: CVE-1999-0517 Status: Candidate Phase: Proposed(19990714) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0517 An SNMP community name is the default (e.g. public), null, or missing. Current Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech REVIEWING(1) Christey Voter Comments: Frech> XF:nt-snmp XF:snmp-comm XF:snmp-set-any XF:snmp-get-public XF:snmp-set-public XF:snmp-get-any Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using. Christey> Consider adding BID:2112 ====================================================== Name: CVE-1999-0518 Status: Candidate Phase: Proposed(19990714) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0518 A NETBIOS/SMB share password is guessable. Current Votes: ACCEPT(5) Baker, LeBlanc, Meunier, Northcutt, Shostack MODIFY(1) Frech Voter Comments: Frech> Change description term to NetBIOS. XF:nt-netbios-perm XF:sharepass XF:win95-smb-password XF:nt-netbios-dict ====================================================== Name: CVE-1999-0519 Status: Candidate Phase: Proposed(19990714) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0519 A NETBIOS/SMB share password is the default, null, or missing. Current Votes: ACCEPT(5) Baker, LeBlanc, Meunier, Northcutt, Shostack MODIFY(1) Frech Voter Comments: Frech> Change description term to NetBIOS. 
XF:decod-smb-password-empty XF:nt-netbios-everyoneaccess XF:nt-netbios-guestaccess XF:nt-netbios-allaccess XF:nt-netbios-open XF:nt-netbios-write XF:nt-netbios-shareguest XF:nt-writable-netbios XF:nt-netbios-everyoneaccess-printer XF:nt-netbios-share-print-guest ====================================================== Name: CVE-1999-0520 Status: Candidate Phase: Proposed(19990803) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/3 A system-critical NETBIOS/SMB share has inappropriate access control. Current Votes: ACCEPT(1) Wall MODIFY(1) Frech NOOP(1) Baker RECAST(1) Northcutt REJECT(1) LeBlanc REVIEWING(1) Christey Voter Comments: Northcutt> I think we need to enumerate the shares and or the access control Christey> One question is, what is "inappropriate"? It's probably very dependent on the policy of the enterprise on which this is found. And should writable shares be different from readable shares? (Or file systems, mail spools, etc.) Yes, the impact may be different, but we could have a large number of entries for each possible type of access. A content decision (CD:CF-DATA) needs to be reviewed and accepted by the Editorial Board in order to resolve this question. LeBlanc> Unacceptably vague - agree with Christey's comments. Frech> associated to: XF:nt-netbios-everyoneaccess(1) XF:nt-netbios-guestaccess(2) XF:nt-netbios-allaccess(3) XF:nt-netbios-open(15) XF:nt-netbios-write(19) XF:nt-netbios-shareguest(20) XF:nt-writable-netbios(26) XF:nb-rootshare(393) XF:decod-smb-password-empty(2358) ====================================================== Name: CVE-1999-0521 Status: Candidate Phase: Proposed(19990714) Reference: MISC:http://www.cert.org/advisories/CA-1992-13.html An NIS domain name is easily guessable. 
Current Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech NOOP(1) Christey Voter Comments: Frech> XF:nis-dom Christey> Consider http://www.cert.org/advisories/CA-1992-13.html as well as ftp://ciac.llnl.gov/pub/ciac/bulletin/c-fy92/c-25.ciac-sunos-nis-patch ====================================================== Name: CVE-1999-0522 Status: Candidate Phase: Proposed(19990803) Reference: CERT:CA-96.10 Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0522 The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate. Current Votes: ACCEPT(2) Baker, Wall NOOP(1) Christey RECAST(1) Northcutt Voter Comments: Northcutt> Why not say world readable, this is what you do further down in the file (world exportable in CVE-1999-0554) Christey> ADDREF AUSCERT:AA-96.02 ====================================================== Name: CVE-1999-0523 Status: Candidate Phase: Proposed(19990726) Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0523 ICMP echo (ping) is allowed from arbitrary hosts. Current Votes: MODIFY(1) Meunier NOOP(1) Baker REJECT(2) Frech, Northcutt Voter Comments: Northcutt> (Though I sympathize with this one :) CHANGE> [Frech changed vote from REVIEWING to REJECT] Frech> Ping is a utility that can be run on demand; ICMP echo is a message type. As currently worded, this candidate seems as if an arbitrary host is vulnerable because it is capable of running an arbitrary program or function (in this case, ping/ICMP echo). There are many programs/functions that 'shouldn't' be on a computer, from a security admin's perspective. Even if this were a vulnerability, it would be impacted by CD-HIGHCARD. Meunier> Every ICMP message type presents a vulnerability or an exposure, if access is not controlled. By that I mean not only those in RFC 792, but also those in RFC 1256, 950, and more. I think that the description should be changed to "ICMP messages are acted upon without any access control". 
ICMP is an error and debugging protocol. We complain about vendors leaving testing backdoors in their programs. ICMP is the equivalent for TCP/IP. ICMP should be in the dog house, unless you are trying to troubleshoot something. MTU discovery is just a performance tweak -- it's not necessary. I don't know of any ICMP message type that is necessary if the network is functional. Limited logging of ICMP messages could be useful, but acting upon them and allowing the modification of routing tables, the behavior of the TCP/IP stack, etc... without any form of authentication is just crazy.
======================================================
Name: CVE-1999-0524
Status: Candidate
Phase: Modified(20161206)
Reference: CONFIRM:http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
Reference: CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10053
Reference: MISC:http://descriptions.securescout.com/tc/11010
Reference: MISC:http://descriptions.securescout.com/tc/11011
Reference: MISC:http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1434
Reference: OSVDB:95
Reference: URL:http://www.osvdb.org/95
Reference: XF:icmp-netmask(306)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/306
Reference: XF:icmp-timestamp(322)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/322
ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts.
Current Votes: MODIFY(3) Baker, Frech, Meunier REJECT(1) Northcutt
Voter Comments:
Frech> XF:icmp-timestamp XF:icmp-netmask
Meunier> If this is not merged with 1999-0523 as I commented for that CVE, then the description should be changed to "ICMP messages of types 13 and 14 (timestamp request and reply) and 17 and 18 (netmask request and reply) are acted upon without any access control". It's a more precise and correct language.
I believe that this is a valid CVE entry (it's a common source of vulnerabilities or exposures) even though I see that the inferred action was "reject". Knowing the time of a host also allows attacks against random number generators that are seeded with the current time. I want to push to have it accepted.
Baker> I agree with the description changes suggested by Pascal
======================================================
Name: CVE-1999-0525
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0525
IP traceroute is allowed from arbitrary hosts.
Current Votes: MODIFY(1) Frech NOOP(1) Baker REJECT(1) Northcutt
Voter Comments:
Frech> XF:traceroute
======================================================
Name: CVE-1999-0526
Status: Entry
Reference: CERT-VN:VU#704969
Reference: URL:http://www.kb.cert.org/vuls/id/704969
Reference: XF:xcheck-keystroke
An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server.
======================================================
Name: CVE-1999-0527
Status: Candidate
Phase: Proposed(19990803)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/6253
The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as "ls" can be overwritten.
Current Votes: ACCEPT(3) Baker, Northcutt, Wall MODIFY(1) Frech
Voter Comments:
Northcutt> That starts to get specific :)
Frech> ftp-writable-directory(6253) ftp-write(53) "writeable" in the description should be "writable."
======================================================
Name: CVE-1999-0528
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/8372
A router or firewall forwards external packets that claim to come from inside the network that the router/firewall is in front of.
Current Votes: ACCEPT(3) Baker, Meunier, Northcutt MODIFY(1) Frech
Voter Comments:
Frech> possibly XF:nisd-dns-fwd-check
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:firewall-external-packet-forwarding(8372)
======================================================
Name: CVE-1999-0529
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0529
A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc.
Current Votes: ACCEPT(1) Frech MODIFY(2) Baker, Meunier REJECT(1) Northcutt
Voter Comments:
Northcutt> I have seen ISPs "assign" private addresses within their domain
Meunier> A border router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc, outside of their area of validity.
CHANGE> [Frech changed vote from REVIEWING to ACCEPT]
Baker> I think the description should be modified to say they accept this type of traffic from an interface not residing on private/reserved network.
======================================================
Name: CVE-1999-0530
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/778
A system is operating in "promiscuous" mode which allows it to perform packet sniffing.
Current Votes: ACCEPT(2) Baker, Northcutt MODIFY(1) Frech REJECT(1) Shostack
Voter Comments:
Frech> XF:etherstatd(264) XF:sniffer-attack(778) XF:decod-packet-capture-remote(1072) XF:netmon-running(1448) XF:netxray3-probe(1450) XF:sol-snoop-getquota-bo(3670) (also assigned to CVE-1999-0974)
Baker> Does pose a problem in non-switched environments
======================================================
Name: CVE-1999-0531
Status: Candidate
Phase: Modified(20080731)
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO."
Current Votes: MODIFY(1) Frech NOOP(1) Christey RECAST(1) Shostack REJECT(1) Northcutt
Voter Comments:
Shostack> I think expn != vrfy, help, esmtp.
Frech> XF:lotus-domino-esmtp-bo(4499) (also assigned to CVE-2000-0452 and CVE-2000-1046) XF:smtp-expn(128) XF:smtp-vrfy(130) XF:smtp-helo-bo(886) XF:smtp-vrfy-bo(887) XF:smtp-expn-bo(888) XF:slmail-vrfyexpn-overflow(1721) XF:smtp-ehlo(323) Perhaps add RCPT? If so, add XF:smtp-rcpt(1928)
Christey> XF:smtp-vrfy(130) ?
======================================================
Name: CVE-1999-0532
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0532
A DNS server allows zone transfers.
Current Votes: MODIFY(1) Frech NOOP(1) Baker REJECT(1) Northcutt
Voter Comments:
Northcutt> (With split DNS implementations this is quite appropriate)
Frech> XF:dns-zonexfer
======================================================
Name: CVE-1999-0533
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0533
A DNS server allows inverse queries.
Current Votes: MODIFY(1) Frech NOOP(1) Baker REJECT(1) Northcutt
Voter Comments:
Northcutt> (rule of thumb)
Frech> XF:dns-iquery
======================================================
Name: CVE-1999-0534
Status: Candidate
Phase: Proposed(19990721)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0534
A Windows NT user has inappropriate rights or privileges, e.g. Act as System, Add Workstation, Backup, Change System Time, Create Pagefile, Create Permanent Object, Create Token Name, Debug, Generate Security Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory, Profile Single Process, Remote Shutdown, Replace Process Token, Restore, System Environment, Take Ownership, or Unsolicited Input.
Current Votes: ACCEPT(5) Baker, Christey, Ozancin, Shostack, Wall MODIFY(2) Frech, Northcutt
Voter Comments:
Northcutt> If we are going to write a laundry list, put access to the scheduler in it.
Christey> The list of privileges is very useful for lookup.
Frech> XF:nt-create-token XF:nt-replace-token XF:nt-lock-memory XF:nt-increase-quota XF:nt-unsol-input XF:nt-act-system XF:nt-create-object XF:nt-sec-audit XF:nt-add-workstation XF:nt-manage-log XF:nt-take-owner XF:nt-load-driver XF:nt-profile-system XF:nt-system-time XF:nt-single-process XF:nt-increase-priority XF:nt-create-pagefile XF:nt-backup XF:nt-restore XF:nt-debug XF:nt-system-env XF:nt-remote-shutdown
======================================================
Name: CVE-1999-0535
Status: Candidate
Phase: Proposed(19990721)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0535
A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. for password length, password age, or uniqueness.
Current Votes: ACCEPT(2) Shostack, Wall MODIFY(2) Baker, Frech RECAST(2) Northcutt, Ozancin
Voter Comments:
Northcutt> inappropriate implies there is appropriate.
As a guy who has been monitoring networks for years I have deep reservations about justifying the existence of any fixed cleartext password. For appropriate to exist, some "we" would have to establish some criteria for appropriate passwords.
Baker> Perhaps this could be re-worded a bit. The CVE CVE-1999-00582 specifies "...settings for lockouts". To remain consistent with the other, maybe it should specify "...settings for passwords". I think most people would agree that passwords should be at least 8 characters; contain letters (upper and lowercase), numbers and at least one non-alphanumeric; should only be good for a limited time, 30-90 days; and should not contain character combinations from the user's prior 2 or 3 passwords. Suggested rewrite - A Windows NT account policy does not enforce reasonable minimum security-critical settings for passwords, e.g. passwords of sufficient length, periodic required password changes, or new password uniqueness
Ozancin> What is appropriate?
Frech> XF:nt-autologonpwd XF:nt-pwlen XF:nt-maxage XF:nt-minage XF:nt-pw-history XF:nt-user-pwnoexpire XF:nt-unknown-pwdfilter XF:nt-pwd-never-expire XF:nt-pwd-nochange XF:nt-pwdcache-enable XF:nt-guest-change-passwords
======================================================
Name: CVE-1999-0537
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0537
A configuration in a web browser such as Internet Explorer or Netscape Navigator allows execution of active content such as ActiveX, Java, Javascript, etc.
Current Votes: ACCEPT(1) Wall NOOP(1) Baker RECAST(1) Frech REJECT(1) LeBlanc
Voter Comments:
Frech> Good candidate for dot notation.
XF:nav-java-enabled XF:nav-javascript-enabled XF:ie-active-content XF:ie-active-download XF:ie-active-scripting XF:ie-activex-execution XF:ie-java-enabled XF:netscape-javascript XF:netscape-java XF:zone-active-scripting XF:zone-activex-execution XF:zone-desktop-install XF:zone-low-channel XF:zone-file-download XF:zone-file-launch XF:zone-java-scripting XF:zone-low-java XF:zone-safe-scripting XF:zone-unsafe-scripting
LeBlanc> Not a vulnerability. These are just checks for configuration settings that a user might have changed. I understand the need to increase the number of checks in a scanning product, but don't feel like these belong in CVE. Scanner vendors could argue that these entries are needed to keep a common language.
Baker> Not sure about whether we should bother to include this type of issue or not. It does provide a stepping stone for further actions, but in and of itself it isn't a specific vulnerability.
======================================================
Name: CVE-1999-0539
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/723
A trust relationship exists between two Unix hosts.
Current Votes: MODIFY(1) Frech NOOP(1) Baker REJECT(2) Northcutt, Shostack
Voter Comments:
Northcutt> Too non-specific
Frech> XF:trusted-host(341) XF:trust-remote-same(717) XF:trust-remote-root(718) XF:trust-remote-nonroot(719) XF:trust-remote-any(720) XF:trust-other-host(723) XF:trust-all-nonroot(726) XF:trust-any-remote(727) XF:trust-local-acct(728) XF:trust-local-any(729) XF:trust-local-nonroot(730) XF:trust-all-hosts(731) XF:nt-trusted-domain(1284) XF:rsagent-trusted-domainadded(1588) XF:trust-remote-user(2955) XF:user-trust-hosts(3074) XF:user-trust-other-host(3077) XF:user-trust-remote-account(3079)
======================================================
Name: CVE-1999-0541
Status: Candidate
Phase: Proposed(19990714)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0541
A password for accessing a WWW URL is guessable.
Current Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech
Voter Comments:
Frech> XF:http-password
======================================================
Name: CVE-1999-0546
Status: Candidate
Phase: Proposed(19990721)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0546
The Windows NT guest account is enabled.
Current Votes: ACCEPT(5) Baker, Northcutt, Ozancin, Shostack, Wall MODIFY(1) Frech
Voter Comments:
Frech> XF:nt-guest-account
======================================================
Name: CVE-1999-0547
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/315
An SSH server allows authentication through the .rhosts file.
Current Votes: ACCEPT(2) Baker, Shostack MODIFY(1) Frech NOOP(1) Northcutt
Voter Comments:
Frech> XF:sshd-rhosts(315)
======================================================
Name: CVE-1999-0548
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0548
A superfluous NFS server is running, but it is not importing or exporting any file systems.
Current Votes: ACCEPT(1) Shostack NOOP(1) Baker REJECT(1) Northcutt
======================================================
Name: CVE-1999-0549
Status: Candidate
Phase: Proposed(19990630)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0549
Windows NT automatically logs in an administrator upon rebooting.
Current Votes: ACCEPT(1) Hill MODIFY(3) Blake, Frech, Ozancin NOOP(1) Wall REJECT(1) Baker
Voter Comments:
Wall> Don't know what this is. Don't think it is a vulnerability and would initially reject. This is different than just renaming the administrator account.
Frech> Would appreciate more information on this one, as in a reference.
Blake> Reference: XF:nt-autologin
Ozancin> Needs more detail
Baker> I tried to find the XF:nt-autologin reference, and got no matching records from their search engine. No refs, no details, should reject
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:nt-autologon(5)
======================================================
Name: CVE-1999-0550
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0550
A router's routing tables can be obtained from arbitrary hosts.
Current Votes: ACCEPT(1) Baker MODIFY(1) Frech RECAST(1) Northcutt
Voter Comments:
Northcutt> Don't you mean obtained by arbitrary hosts
Frech> XF:routed XF:decod-rip-entry XF:rip
Baker> Concur with this as a security issue
======================================================
Name: CVE-1999-0551
Status: Entry
Reference: HP:HPSBUX9804-078
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9804-078
Reference: XF:hp-openmail
HP OpenMail can be misconfigured to allow users to run arbitrary commands using malicious print requests.
======================================================
Name: CVE-1999-0554
Status: Candidate
Phase: Proposed(19990803)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0554
NFS exports system-critical data to the world, e.g. / or a password file.
Current Votes: ACCEPT(2) Northcutt, Wall NOOP(1) Baker REVIEWING(1) Christey
Voter Comments:
Christey> A content decision (CD:CF-DATA) needs to be reviewed and accepted by the Editorial Board in order to resolve this question.
======================================================
Name: CVE-1999-0555
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0555
A Unix account with a name other than "root" has UID 0, i.e. root privileges.
Current Votes: NOOP(1) Baker REJECT(2) Northcutt, Shostack
Voter Comments:
Northcutt> This is very bogus
======================================================
Name: CVE-1999-0556
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/876
Two or more Unix accounts have the same UID.
Current Votes: NOOP(2) Baker, Christey REJECT(2) Northcutt, Shostack
Voter Comments:
Christey> XF:duplicate-uid(876)
Christey> Add terms "duplicate" and "user ID" to facilitate search. ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist
======================================================
Name: CVE-1999-0559
Status: Candidate
Phase: Proposed(19990803)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0559
A system-critical Unix file or directory has inappropriate permissions.
Current Votes: ACCEPT(2) Baker, Wall RECAST(2) Northcutt, Shostack
Voter Comments:
Northcutt> Writable other than by root/bin/wheelgroup?
======================================================
Name: CVE-1999-0560
Status: Candidate
Phase: Proposed(19990803)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0560
A system-critical Windows NT file or directory has inappropriate permissions.
Current Votes: ACCEPT(2) Baker, Wall RECAST(1) Northcutt
Voter Comments:
Northcutt> I think we should specify these
======================================================
Name: CVE-1999-0561
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0561
IIS has the #exec function enabled for Server Side Include (SSI) files.
Current Votes: NOOP(2) Baker, Northcutt RECAST(1) Shostack REJECT(1) LeBlanc
Voter Comments:
LeBlanc> Does not meet definition of a vulnerability. This function is just enabled. You can turn it off if you want. If you trust the people putting up your web pages, this isn't a problem. If you don't, this is just one of many things you need to change.
======================================================
Name: CVE-1999-0562
Status: Candidate
Phase: Modified(20061101)
Reference: OVAL:oval:org.mitre.oval:def:1023
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1023
The registry in Windows NT can be accessed remotely by users who are not administrators.
Current Votes: ACCEPT(4) Baker, Ozancin, Shostack, Wall MODIFY(1) Frech RECAST(1) Northcutt
Voter Comments:
Northcutt> This isn't all or nothing, users may be allowed to access part of the registry.
Frech> XF:nt-winreg-all XF:nt-winreg-net
======================================================
Name: CVE-1999-0564
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0564
An attacker can force a printer to print arbitrary documents (e.g. if the printer doesn't require a password) or to become disabled.
Current Votes: ACCEPT(2) Baker, Shostack NOOP(1) Northcutt
======================================================
Name: CVE-1999-0565
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0565
A Sendmail alias allows input to be piped to a program.
Current Votes: ACCEPT(1) Northcutt NOOP(1) Baker RECAST(1) Shostack REVIEWING(1) Christey
Voter Comments:
Shostack> Is this a default alias? Is my .procmailrc an instance of this?
Christey> It is not entirely clear whether the simple fact that an alias pipes into a program should be considered a vulnerability. It all depends on the behavior of that particular program. This is one of a number of configuration-related issues from the "draft" CVE that came from vulnerability scanners. In general, when we get to general configuration and "policy," it becomes more difficult to use the current CVE model to represent them. So at the very least, this candidate (and similar ones) should be given close consideration and discussion before being added to the official CVE list. Because this candidate is related to general configuration issues, and we have not completely determined how to handle such issues in CVE, this candidate cannot be promoted to an official CVE entry until such issues are resolved.
======================================================
Name: CVE-1999-0566
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0566
Reference: XF:ibm-syslogd
Reference: XF:syslog-flood
An attacker can write to syslog files from any location, causing a denial of service by filling up the logs, and hiding activities.
======================================================
Name: CVE-1999-0568
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0568
rpc.admind in Solaris is not running in a secure mode.
Current Votes: ACCEPT(1) Northcutt NOOP(2) Baker, Christey RECAST(2) Dik, Shostack
Voter Comments:
Shostack> are there secure modes?
Dik> Several: 1) there is no "rpc.admind" daemon. There used to be an "admind" RPC daemon (100087/10) and there's now an "sadmind" daemon (100232/10). The switch over was somewhere around Solaris 2.4. 2) Neither defaults to "secure mode" 3) secure mode is "using secure RPC" which does proper over-the-wire authentication by specifying the "-S 2" option in inetd.conf (security level 2)
Christey> XF:rpc-admind(626) http://xforce.iss.net/static/626.php MISC:http://pulhas.org/xploitsdb/mUNIXes/admind.html
======================================================
Name: CVE-1999-0569
Status: Candidate
Phase: Modified(19991130)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0569
A URL for a WWW directory allows auto-indexing, which provides a list of all files in that directory if it does not contain an index.html file.
Current Votes: ACCEPT(1) Wall NOOP(2) Baker, Christey REJECT(1) Northcutt
Voter Comments:
Northcutt> I do this intentionally sometimes in high content directories
Christey> XF:http-noindex(90) ?
======================================================
Name: CVE-1999-0570
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0570
Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.
Current Votes: ACCEPT(1) Northcutt MODIFY(1) Frech NOOP(2) Baker, Christey REJECT(1) Wall
Voter Comments:
Northcutt> Here we are crossing into the best practices arena again. However, since passfilt does establish a measurable standard and since we aren't the ones defining the standard, simply saying it should be employed, I will vote for this.
Frech> XF:nt-passfilt-not-inst(1308) XF:nt-passfilt-not-found(1309)
Christey> Consider MSKB:Q161990 and MSKB:Q151082
======================================================
Name: CVE-1999-0571
Status: Candidate
Phase: Modified(20020312)
Reference: BUGTRAQ:Feb5,1999
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0571
A router's configuration service or management interface (such as a web server or telnet) is configured to allow connections from arbitrary hosts.
Current Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(2) Christey, Northcutt
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:ascend-config-kill(889) XF:cisco-ios-crash(1238) XF:webramp-remote-access(1670) XF:ascom-timeplex-debug(1824) XF:netopia-unpassworded(1850) XF:cisco-web-crash(1886) XF:cisco-router-commands(1951) XF:motorola-cable-default-pass(2002) XF:default-flowpoint(2091) XF:netgear-router-idle-dos(4003) XF:cisco-cbos-telnet(4251) XF:routermate-snmp-community(4290) XF:cayman-router-dos(4479) XF:wavelink-authentication(5185) XF:ciscosecure-ldap-bypass-authentication(5274) XF:foundry-firmware-telnet-dos(5514) XF:netopia-view-system-log(5536) XF:cisco-webadmin-remote-dos(5595) XF:cisco-cbos-web-access(5626) XF:netopia-telnet-dos(6001) XF:cisco-sn-gain-access(6827) XF:cayman-dsl-insecure-permissions(6841) XF:linksys-etherfast-reveal-passwords(6949) XF:zyxel-router-default-password(6968) XF:cisco-cbos-web-config(7027) XF:prestige-wan-bypass-filter(7146)
Christey> I changed the description to make it more explicit that this candidate is about router configuration, as opposed to vulnerabilities that accidentally make a configuration service accessible to anyone.
======================================================
Name: CVE-1999-0572
Status: Candidate
Phase: Modified(20041017)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/178
.reg files are associated with the Windows NT registry editor (regedit), making the registry susceptible to Trojan Horse attacks.
Current Votes: ACCEPT(4) Baker, Ozancin, Shostack, Wall MODIFY(1) Frech NOOP(2) Christey, Northcutt
Voter Comments:
Northcutt> I don't quite get what this means, sorry
Frech> XF:nt-regfile(178)
Christey> MISC:http://security-archive.merton.ox.ac.uk/nt-security-199902/0087.html
======================================================
Name: CVE-1999-0575
Status: Candidate
Phase: Proposed(19990721)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0575
A Windows NT system's user audit policy does not log an event success or failure, e.g. for Logon and Logoff, File and Object Access, Use of User Rights, User and Group Management, Security Policy Changes, Restart, Shutdown, and System, and Process Tracking.
Current Votes: ACCEPT(4) Christey, Ozancin, Shostack, Wall MODIFY(1) Frech RECAST(2) Baker, Northcutt
Voter Comments:
Northcutt> It isn't a great truth that you should enable all of the above; if you do, you potentially introduce a vulnerability of filling up the file system with stuff you will never look at.
Ozancin> It is far less interesting what a user does successfully than what they attempt and fail at.
Christey> The list of event types is very useful for lookup.
Frech> XF:nt-system-audit XF:nt-logon-audit XF:nt-object-audit XF:nt-privil-audit XF:nt-process-audit XF:nt-policy-audit XF:nt-account-audit
CHANGE> [Baker changed vote from REVIEWING to RECAST]
======================================================
Name: CVE-1999-0576
Status: Candidate
Phase: Proposed(19990721)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0576
A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories.
Current Votes: ACCEPT(3) Baker, Shostack, Wall MODIFY(2) Frech, Ozancin REJECT(1) Northcutt
Voter Comments:
Northcutt> 1.) Too general; are we ready to state what the security-critical files and directories are? 2.) Do Ataris, Windows CE, PalmOS, Linux have such a capability?
Ozancin> Some files and directories are clearly understood to be critical. Others are unclear. We need to clarify what critical is.
Frech> XF:nt-object-audit
======================================================
Name: CVE-1999-0577
Status: Candidate
Phase: Proposed(19990721)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0577
A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories.
Current Votes: ACCEPT(2) Shostack, Wall MODIFY(3) Baker, Frech, Ozancin REJECT(1) Northcutt
Voter Comments:
Ozancin> It is far less interesting what a user does successfully than what they attempt and fail at. Perhaps only failure should be logged.
Frech> XF:nt-object-audit
CHANGE> [Baker changed vote from REVIEWING to MODIFY]
Baker> Failure on non-critical files is what should be monitored.
======================================================
Name: CVE-1999-0578
Status: Candidate
Phase: Proposed(19990721)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/228
A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys.
Current Votes: ACCEPT(4) Baker, Ozancin, Shostack, Wall MODIFY(1) Frech REJECT(1) Northcutt
Voter Comments:
Ozancin> With reservation. Again, what is defined as critical?
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:nt-object-audit(228)
======================================================
Name: CVE-1999-0579
Status: Candidate
Phase: Proposed(19990721)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/228
A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys.
Current Votes: ACCEPT(3) Baker, Shostack, Wall MODIFY(2) Frech, Ozancin REJECT(1) Northcutt
Voter Comments:
Ozancin> Again, only failure may be of interest. It would be impractical to wade through the incredibly large amount of logging that this would generate. It could overwhelm log entries that you might find interesting.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:nt-object-audit(228)
======================================================
Name: CVE-1999-0580
Status: Candidate
Phase: Proposed(19990803)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0580
The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate, system-critical permissions.
Current Votes: ACCEPT(1) Wall NOOP(1) Baker RECAST(1) Northcutt
Voter Comments:
Northcutt> I think we can define appropriate; take a look at the NT security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate.
Baker> This is way vague...
======================================================
Name: CVE-1999-0581
Status: Candidate
Phase: Proposed(19990803)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0581
The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate, system-critical permissions.
Current Votes: ACCEPT(1) Wall NOOP(1) Baker RECAST(1) Northcutt
Voter Comments:
Northcutt> I think we can define appropriate; take a look at the NT security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate.
Baker> way too vague
======================================================
Name: CVE-1999-0582
Status: Candidate
Phase: Proposed(19990721)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0582
A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g. lockout duration, lockout after bad logon attempts, etc.
Current Votes: ACCEPT(3) Ozancin, Shostack, Wall MODIFY(2) Baker, Frech REJECT(1) Northcutt
Voter Comments:
Northcutt> The definition is?
Baker> Maybe a rewording of this one too. I think most people would agree on some "minimum" policies like 3-5 bad attempts lockout for an hour or until the administrator unlocks the account. Suggested rewrite - A Windows NT account policy does not enforce reasonable minimum security-critical settings for lockouts, e.g. lockout duration, lockout after bad logon attempts, etc.
Ozancin> With reservations. What is appropriate?
Frech> XF:nt-thres-lockout XF:nt-lock-duration XF:nt-lock-window XF:nt-perm-lockout XF:lockout-disabled
======================================================
Name: CVE-1999-0583
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/1284
There is a one-way or two-way trust relationship between Windows NT domains.
Current Votes: NOOP(2) Baker, Christey REJECT(2) Northcutt, Shostack
Voter Comments:
Christey> XF:nt-trusted-domain(1284)
======================================================
Name: CVE-1999-0584
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/195
A Windows NT file system is not NTFS.
Current Votes: ACCEPT(2) Northcutt, Wall MODIFY(1) Frech NOOP(2) Baker, Christey
Voter Comments:
Wall> NTFS partition provides the security. This could be re-worded to "A Windows NT file system is FAT" since it is either NTFS or FAT and FAT is less secure.
Frech> XF:nt-filesys(195)
Christey> MSKB:Q214579 http://support.microsoft.com/support/kb/articles/Q100/1/08.ASP
======================================================
Name: CVE-1999-0585
Status: Candidate
Phase: Proposed(19990721)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0585
A Windows NT administrator account has the default name of Administrator.
Current Votes: ACCEPT(1) Ozancin MODIFY(1) Frech REJECT(3) Baker, Northcutt, Shostack REVIEWING(1) Wall
Voter Comments:
Wall> Some sources say this is not a vulnerability, but a warning. It just slows down the search for the admin account (SID = 500) which can always be found.
Northcutt> I change this on all NT systems I am responsible for, but is root a vulnerability?
Baker> There are ways to identify the administrator account anyway, so this is only a minor delay to someone that is knowledgeable. This, in and of itself, doesn't really strike me as a vulnerability, any more than the root account on a Unix box.
Shostack> (there is no way to hide the account name today)
Frech> XF:nt-adminexists
======================================================
Name: CVE-1999-0586
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0586
A network service is running on a nonstandard port.
Current Votes: NOOP(1) Baker RECAST(1) Shostack REJECT(1) Northcutt
Voter Comments:
Shostack> Might be acceptable if clearer; is that a standard service on a non-standard port, or any service on an unassigned port?
 Baker> It might actually be an enhancement rather than a problem to run a service on a non-standard port

======================================================
Name: CVE-1999-0587
Status: Candidate
Phase: Proposed(19990803)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0587

A WWW server is not running in a restricted file system, e.g. through a chroot, thus allowing access to system-critical data.

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Baker
   RECAST(1) Northcutt

Voter Comments:
 Northcutt> While I would accept this for Unix, I am not sure this applies to NT, VMS, palm pilots, or commodore 64

======================================================
Name: CVE-1999-0588
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0588

A filter in a router or firewall allows unusual fragmented packets.

Current Votes:
   MODIFY(2) Baker, Frech
   REJECT(1) Northcutt

Voter Comments:
 Northcutt> I want to vote to accept this one, but unusual is a shade broad.
 Frech> XF:nt-rras XF:cisco-fragmented-attacks XF:ip-frag
 Baker> Perhaps we should use the word abnormally fragmented or some other descriptor.

======================================================
Name: CVE-1999-0589
Status: Candidate
Phase: Proposed(19990803)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0589

A system-critical Windows NT registry key has inappropriate permissions.

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Baker
   RECAST(2) Christey, Northcutt

Voter Comments:
 Northcutt> I think we can define appropriate; take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate.
 Christey> Upon further reflection, this is too high-level for CVE. Specific registry keys with bad permissions are roughly equivalent to Unix configuration files that have bad permissions; those permission problems can be created by any vendor, not just a specific one.
 Therefore this candidate should be RECAST into each separate registry key that has this problem.

======================================================
Name: CVE-1999-0590
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:http://ciac.llnl.gov/ciac/bulletins/j-043.shtml

A system does not present an appropriate legal message or warning to a user who is accessing it.

Current Votes:
   ACCEPT(2) Baker, Northcutt
   MODIFY(1) Christey
   RECAST(1) Shostack

Voter Comments:
 Christey> ADDREF CIAC:J-043 URL:http://ciac.llnl.gov/ciac/bulletins/j-043.shtml Also add "banner" to the description to facilitate search.
 Baker> Should be in place wherever it is possible

======================================================
Name: CVE-1999-0591
Status: Candidate
Phase: Proposed(19990803)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0591

An event log in Windows NT has inappropriate access permissions.

Current Votes:
   ACCEPT(2) Baker, Wall
   RECAST(1) Northcutt

Voter Comments:
 Northcutt> splain Lucy, splain

======================================================
Name: CVE-1999-0592
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/1353

The Logon box of a Windows NT system displays the name of the last user who logged in.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Baker, Christey
   REJECT(2) Northcutt, Wall

Voter Comments:
 Wall> Information gathering, not vulnerability
 Northcutt> Ah, a C2 weenie must have snuck this in; this can be a good thing, not just a vulnerability
 Frech> XF:nt-display-last-username(1353) Use it if you will. :-) If not, let us know so I can remove the CAN reference from our database.
 Christey> MSKB:Q114463 http://support.microsoft.com/support/kb/articles/q114/4/63.asp

======================================================
Name: CVE-1999-0593
Status: Candidate
Phase: Modified(20091029)
Reference: CONFIRM:http://technet.microsoft.com/en-us/library/cc722469.aspx
Reference: MISC:http://www.microsoft.com/technet/archive/winntas/deploy/confeat/06wntpcc.mspx?mfr=true
Reference: OSVDB:59333
Reference: URL:http://osvdb.org/59333
Reference: XF:nt-shutdown-without-logon(1291)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1291

The default setting for the Winlogon key entry ShutdownWithoutLogon in Windows NT allows users with physical access to shut down a Windows NT system without logging in.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Northcutt

Voter Comments:
 Wall> Still a denial of service.
 Northcutt> May well be appropriate
 Frech> XF:nt-shutdown-without-logon(1291)

======================================================
Name: CVE-1999-0594
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/1294

A Windows NT system does not restrict access to removable media drives such as a floppy disk drive or CDROM drive.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Baker, Christey
   REJECT(1) Northcutt

Voter Comments:
 Wall> Perhaps it can be re-worded to "removable media drives such as a floppy disk drive or CDROM drive can be accessed (shared) in a Windows NT system."
 Northcutt> - what good is my NT w/o its floppy
 Frech> XF:nt-allocate-cdroms(1294) XF:nt-allocate-floppy(1318)
 Christey> MSKB:Q172520 URL:http://support.microsoft.com/support/kb/articles/q172/5/20.asp

======================================================
Name: CVE-1999-0595
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/216
Reference: MSKB:Q182086

A Windows NT system does not clear the system page file during shutdown, which might allow sensitive information to be recorded.

Current Votes:
   ACCEPT(2) Baker, Wall
   MODIFY(1) Frech
   NOOP(1) Northcutt

Voter Comments:
 Frech> XF:nt-clearpage(216) XF:reg-pagefile-clearing(2551)

======================================================
Name: CVE-1999-0596
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/2577

A Windows NT log file has an inappropriate maximum size or retention period.

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(2) Northcutt, Wall

Voter Comments:
 Northcutt> define appropriate
 Frech> XF:reg-app-log-small(2521) XF:reg-sec-log-maxsize(2577) XF:reg-sys-log-small(2586)

======================================================
Name: CVE-1999-0597
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/1343

A Windows NT account policy does not forcibly disconnect remote users from the server when their logon hours expire.

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Wall

Voter Comments:
 Frech> XF:nt-forced-logoff(1343)

======================================================
Name: CVE-1999-0598
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

A network intrusion detection system (IDS) does not properly handle packets that are sent out of order, allowing an attacker to escape detection.
Current Votes:
   ACCEPT(3) Armstrong, Baker, Northcutt
   NOOP(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> Waiting for CIEL.
 Christey> This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

======================================================
Name: CVE-1999-0599
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

A network intrusion detection system (IDS) does not properly handle packets with improper sequence numbers.

Current Votes:
   ACCEPT(2) Baker, Northcutt
   NOOP(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> Waiting for CIEL.
 Christey> This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

======================================================
Name: CVE-1999-0600
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

A network intrusion detection system (IDS) does not verify the checksum on a packet.

Current Votes:
   ACCEPT(2) Baker, Northcutt
   NOOP(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> Waiting for CIEL.
 Christey> This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

======================================================
Name: CVE-1999-0601
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

A network intrusion detection system (IDS) does not properly handle data within TCP handshake packets.

Current Votes:
   ACCEPT(2) Baker, Northcutt
   NOOP(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> Waiting for Godot, er, CIEL.
 Christey> This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

======================================================
Name: CVE-1999-0602
Status: Candidate
Phase: Proposed(19990726)
Reference: MISC:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

A network intrusion detection system (IDS) does not properly reassemble fragmented packets.

Current Votes:
   ACCEPT(2) Baker, Northcutt
   NOOP(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> Waiting for CIEL.
 Christey> This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

======================================================
Name: CVE-1999-0603
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0603

In Windows NT, an inappropriate user is a member of a group, e.g. Administrator, Backup Operators, Domain Admins, Domain Guests, Power Users, Print Operators, Replicators, System Operators, etc.

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(2) Northcutt, Wall

Voter Comments:
 Frech> XF:nt-system-operator XF:nt-admin-group XF:nt-replicator XF:nt-print-operator XF:nt-power-user XF:nt-guest-in-group XF:nt-backup-operator XF:nt-domain-admin XF:nt-domain-guest XF:win2k-acct-oper-grp XF:win2k-admin-grp XF:win2k-backup-oper-grp XF:win2k-certpublishers-grp XF:win2k-dhcp-admin-grp XF:win2k-dnsadm-grp XF:win2k-domainadm-grp XF:win2k-entadm-grp XF:win2k-printoper-grp XF:win2k-replicator-grp XF:win2k-schemaadm-grp XF:win2k-serveroper-grp
 You asked for it... :-) Use or reject at your discretion. If rejected, please let us know so we can remove CAN references from database.
======================================================
Name: CVE-1999-0604
Status: Candidate
Phase: Proposed(19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.info/?l=bugtraq&m=92462991805485&w=2

An incorrect configuration of the WebStore 1.0 shopping cart CGI program "web_store.cgi" could disclose private information.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall

Voter Comments:
 Frech> XF:webstore-misconfig(3861)

======================================================
Name: CVE-1999-0605
Status: Candidate
Phase: Proposed(19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.info/?l=bugtraq&m=92462991805485&w=2

An incorrect configuration of the Order Form 1.0 shopping cart CGI program could disclose private information.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Northcutt, Wall

Voter Comments:
 Frech> XF:orderform-misconfig(3860)
 Christey> BID:2021
 Christey> Mention affected files: order_log_v12.dat and order_log.dat fix version number (1.2)

======================================================
Name: CVE-1999-0606
Status: Candidate
Phase: Proposed(19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.info/?l=bugtraq&m=92462991805485&w=2

An incorrect configuration of the EZMall 2000 shopping cart CGI program "mall2000.cgi" could disclose private information.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Northcutt, Wall

Voter Comments:
 Frech> XF:ezmall2000-misconfig(3859)
 Christey> Add mall_log_files/order.log to desc

======================================================
Name: CVE-1999-0607
Status: Candidate
Phase: Modified(20060608)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.info/?l=bugtraq&m=92462991805485&w=2

quikstore.cgi in QuikStore shopping cart stores quikstore.cfg under the web document root with insufficient access control, which allows remote attackers to obtain the cleartext administrator password and gain privileges.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Northcutt, Wall

Voter Comments:
 Frech> XF:quikstore-misconfig(3858)
 Christey> http://www.quikstore.com/help/pages/Security/security.htm says: "It is IMPORTANT that during the setup of the QuikStore program, you check to make sure that the cgi-bin or executable program directory of your web site not be viewable from the outside world. You don't want the users to have access to your programs or log files that could be stored there! ... If you can view or download these files from the browser, someone else can too" So is this a configuration problem? See the configuration file at http://www.quikstore.com/help/pages/Configuration/configparametersfull.htm The [DIRECTORY_PATHS] section identifies pathnames and describes how pathnames are constructed. It clearly uses relative pathnames, so all data is underneath the base directory!! If we call this a configuration problem, then maybe this (and all other "CGI-data-in-web-tree" configuration problems) should be combined.
 Christey> Consider adding BID:1983

======================================================
Name: CVE-1999-0608
Status: Entry
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.info/?l=bugtraq&m=92462991805485&w=2
Reference: CONFIRM:http://www.pdgsoft.com/Security/security.html.
Reference: XF:pdgsoftcart-misconfig(3857)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3857

An incorrect configuration of the PDG Shopping Cart CGI program "shopper.cgi" could disclose private information.

======================================================
Name: CVE-1999-0609
Status: Candidate
Phase: Proposed(19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.info/?l=bugtraq&m=92462991805485&w=2

An incorrect configuration of the SoftCart CGI program "SoftCart.exe" could disclose private information.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Northcutt, Wall

Voter Comments:
 Frech> XF:softcart-misconfig(3856)
 Christey> Consider adding BID:2055

======================================================
Name: CVE-1999-0610
Status: Candidate
Phase: Proposed(19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.info/?l=bugtraq&m=92462991805485&w=2

An incorrect configuration of the Webcart CGI program could disclose private information.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall

Voter Comments:
 Frech> Cite reference as: BUGTRAQ:19990424 Re: Shopping Carts exposing CC data URL: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-08-22%26msg%3D3720E2B6.6031A2E7@datashopper.dk
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:webcart-data-exposure(8374)

======================================================
Name: CVE-1999-0611
Status: Candidate
Phase: Proposed(19990803)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0611

A system-critical Windows NT registry key has an inappropriate value.

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Baker
   RECAST(1) Northcutt

Voter Comments:
 Northcutt> I think we can define appropriate; take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate.
 Baker> too vague

======================================================
Name: CVE-1999-0612
Status: Entry
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0612
Reference: XF:finger-out
Reference: XF:finger-running

A version of finger is running that exposes valid user information to any entity on the network.

======================================================
Name: CVE-1999-0613
Status: Candidate
Phase: Proposed(19990721)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0613

The rpc.sprayd service is running.

Current Votes:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt

Voter Comments:
 Frech> XF:sprayd

======================================================
Name: CVE-1999-0614
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The FTP service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0615
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The SNMP service is running."

Current Votes:
   ACCEPT(3) Baker, Prosser, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Baker> Although newer versions of snmp are not as vulnerable as prior versions, this can still be a significant risk of exploitation, as seen in recent attacks on snmp services via automated worms
 Christey> XF:snmp(132) ?
 Prosser> This fits the "exposure" description although we also know there are many vulnerabilities in SNMP. This is more of a policy/best practice issue for administrators. If you need SNMP lock it down as tight as you can, if you don't need it, don't run it.

======================================================
Name: CVE-1999-0616
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The TFTP service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0617
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The SMTP service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0618
Status: Candidate
Phase: Modified(19990921)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0618
Reference: XF:rexec

The rexec service is running.

Current Votes:
   ACCEPT(4) Baker, Northcutt, Ozancin, Wall
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:decod-rexec XF:rexec

======================================================
Name: CVE-1999-0619
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The Telnet service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0620
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "A component service related to NIS is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Christey> XF:ypserv(261)

======================================================
Name: CVE-1999-0621
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "A component service related to NETBIOS is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   MODIFY(1) Frech
   REJECT(2) LeBlanc, Northcutt

Voter Comments:
 LeBlanc> There is insufficient description to even know what this is. Lots of component services related to NetBIOS run, and usually do not constitute a problem.
 Frech> associated to: XF:nt-alerter(29) XF:nt-messenger(69) XF:reg-ras-gateway-enabled(2567)

======================================================
Name: CVE-1999-0622
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "A component service related to DNS service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0623
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The X Windows service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Christey> Add "X11" to facilitate search.
======================================================
Name: CVE-1999-0624
Status: Candidate
Phase: Interim(19990925)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0624
Reference: XF:rstat-out
Reference: XF:rstatd

The rstat/rstatd service is running.

Current Votes:
   ACCEPT(3) Baker, Northcutt, Ozancin
   MODIFY(1) Frech
   NOOP(2) Meunier, Wall

Voter Comments:
 Frech> XF:rstat-out XF:rstatd

======================================================
Name: CVE-1999-0625
Status: Candidate
Phase: Proposed(19990721)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0625

The rpc.rquotad service is running.

Current Votes:
   ACCEPT(3) Baker, Northcutt, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:rquotad

======================================================
Name: CVE-1999-0626
Status: Entry
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0626
Reference: XF:ruser
Reference: XF:rusersd

A version of rusers is running that exposes valid user information to any entity on the network.

======================================================
Name: CVE-1999-0627
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0627
Reference: XF:rexd

The rexd service is running, which uses weak authentication that can allow an attacker to execute commands.

======================================================
Name: CVE-1999-0628
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0628
Reference: XF:rwhod

The rwho/rwhod service is running, which exposes machine status and user information.

======================================================
Name: CVE-1999-0629
Status: Candidate
Phase: Proposed(19990721)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0629

The ident/identd service is running.

Current Votes:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(2) Christey, Wall
   REJECT(1) Northcutt

Voter Comments:
 Frech> possibly XF:identd?
 Christey> XF:ident-users(318) ?
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:identd-vuln(61) XF:ident-users(318)

======================================================
Name: CVE-1999-0630
Status: Candidate
Phase: Proposed(19990804)
Reference: MISC:http://support.microsoft.com/support/kb/articles/q189/2/71.asp

The NT Alerter and Messenger services are running.

Current Votes:
   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Christey> http://support.microsoft.com/support/kb/articles/q189/2/71.asp

======================================================
Name: CVE-1999-0631
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The NFS service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Christey> XF:nfs-nfsd(76) ?
 Christey> Add rpc.mountd/mountd to facilitate search.

======================================================
Name: CVE-1999-0632
Status: Candidate
Phase: Proposed(19990804)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0632

The RPC portmapper service is running.

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0633
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The HTTP/WWW service is running."
Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0634
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The SSH service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0635
Status: Candidate
Phase: Modified(20060122)
Reference: FULLDISC:20060116 ACT P202S VoIP wireless phone multiple undocumented ports/services
Reference: URL:http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041434.html
Reference: SECUNIA:18514
Reference: URL:http://secunia.com/advisories/18514

The echo service is running.

Current Votes:
   ACCEPT(3) Baker, Northcutt, Wall
   REVIEWING(1) Christey

Voter Comments:
 Northcutt> The method to my madness is echo is the common denom in the dos attack
 Christey> How much of this is an overlap with the echo/chargen flood problem (CVE-1999-0103)? If this is only an exposure because of CVE-1999-0103, then maybe this should be REJECTed.

======================================================
Name: CVE-1999-0636
Status: Candidate
Phase: Proposed(19990804)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0636

The discard service is running.

Current Votes:
   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0637
Status: Candidate
Phase: Proposed(19990804)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0637

The systat service is running.
Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0638
Status: Candidate
Phase: Proposed(19990804)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0638

The daytime service is running.

Current Votes:
   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0639
Status: Candidate
Phase: Proposed(19990804)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0639

The chargen service is running.

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt
   REVIEWING(1) Christey

Voter Comments:
 Christey> How much of this is an overlap with the echo/chargen flood problem (CVE-1999-0103)? If this is only an exposure because of CVE-1999-0103, then maybe this should be REJECTed.

======================================================
Name: CVE-1999-0640
Status: Candidate
Phase: Proposed(19990804)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0640

The Gopher service is running.

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0641
Status: Candidate
Phase: Proposed(19990804)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0641

The UUCP service is running.

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0642
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "A POP service is running."
Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0643
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The IMAP service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0644
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The NNTP news service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Christey> XF:nntp-post(88) ?

======================================================
Name: CVE-1999-0645
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The IRC service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Christey> XF:irc-server(767) ?

======================================================
Name: CVE-1999-0646
Status: Candidate
Phase: Modified(20080731)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The LDAP service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt
======================================================
Name: CVE-1999-0647
Status: Candidate
Phase: Modified(20080731)
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The bootparam (bootparamd) service is running."

Current Votes:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt

Voter Comments:
 Frech> XF:bootp
======================================================
Name: CVE-1999-0648
Status: Candidate
Phase: Modified(20080731)
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The X25 service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt
======================================================
Name: CVE-1999-0649
Status: Candidate
Phase: Modified(20080731)
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The FSP service is running."
Current Votes:
   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt
======================================================
Name: CVE-1999-0650
Status: Candidate
Phase: Modified(20060608)
Reference: XF:netstat(72)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/72
The netstat service is running, which provides sensitive information to remote attackers.

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt
======================================================
Name: CVE-1999-0651
Status: Candidate
Phase: Proposed(19990804)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/2995
The rsh/rlogin service is running.

Current Votes:
   ACCEPT(2) Baker, Wall
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Christey> aka "shell" on UNIX systems (at least Solaris) in the /etc/inetd.conf file.
 Frech> associated to: XF:nt-rlogin(92) XF:rsh-svc(114) XF:rshd(2995)
======================================================
Name: CVE-1999-0652
Status: Candidate
Phase: Modified(20080731)
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A database service is running, e.g. a SQL server, Oracle, or mySQL."

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt

Voter Comments:
 Frech> XF:nt-sql-server(1289) XF:msql-detect(2211) XF:oracle-detect(2388) XF:sybase-detect-namedpipes(1461)
======================================================
Name: CVE-1999-0653
Status: Candidate
Phase: Proposed(19990804)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0653
A component service related to NIS+ is running.
Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt
======================================================
Name: CVE-1999-0654
Status: Candidate
Phase: Proposed(19990728)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0654
The OS/2 or POSIX subsystem in NT is enabled.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Baker, Christey
   REJECT(1) Northcutt

Voter Comments:
 Wall> These subsystems could still allow a process to persist across logins.
 Frech> XF:nt-posix(217) XF:nt-posix-sub-c2(2397) XF:nt-posix-sub-onceonly(2478) XF:nt-os2-sub(218) XF:nt-os2-sub-c2(2396) XF:nt-os2-sub-onceonly(2477) XF:nt-os2-registry(2550)
 Christey> s2-file-os2(1865)
======================================================
Name: CVE-1999-0655
Status: Candidate
Phase: Modified(20080731)
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is not about any specific product, protocol, or design, so it is out of scope of CVE. Notes: the former description is: "A service may include useful information in its banner or help function (such as the name and version), making it useful for information gathering activities."

Current Votes:
   ACCEPT(5) Baker, Frech, Northcutt, Ozancin, Wall

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to ACCEPT]
======================================================
Name: CVE-1999-0656
Status: Candidate
Phase: Modified(20080731)
Reference: MISC:http://ca.com/au/securityadvisor/vulninfo/Vuln.aspx?ID=1638
Reference: XF:linux-ugidd(348)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/348
The ugidd RPC interface, by design, allows remote attackers to enumerate valid usernames by specifying arbitrary UIDs that ugidd maps to local user and group names.
Current Votes:
   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt
======================================================
Name: CVE-1999-0657
Status: Candidate
Phase: Proposed(19990804)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0657
WinGate is being used.

Current Votes:
   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt
======================================================
Name: CVE-1999-0658
Status: Candidate
Phase: Modified(20080731)
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "DCOM is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt
======================================================
Name: CVE-1999-0659
Status: Candidate
Phase: Modified(20080731)
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A Windows NT Primary Domain Controller (PDC) or Backup Domain Controller (BDC) is present."

Current Votes:
   REJECT(3) Baker, Northcutt, Wall

Voter Comments:
 Wall> Don't consider this a service or a problem.
 Baker> concur with wall on this
======================================================
Name: CVE-1999-0660
Status: Candidate
Phase: Modified(20080730)
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is not about any specific product, protocol, or design, so it is out of scope of CVE. It might be more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A hacker utility, back door, or Trojan Horse is installed on a system, e.g.
NetBus, Back Orifice, Rootkit, etc."

Current Votes:
   ACCEPT(4) Baker, Hill, Northcutt, Wall
   NOOP(1) Christey

Voter Comments:
 Christey> Add "back door" to description.
======================================================
Name: CVE-1999-0661
Status: Candidate
Phase: Modified(20050529)
Reference: BID:5921
Reference: URL:http://www.securityfocus.com/bid/5921
Reference: BUGTRAQ:20020801 OpenSSH Security Advisory: Trojaned Distribution Files
Reference: URL:http://marc.info/?l=bugtraq&m=102821663814127&w=2
Reference: BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1)
Reference: URL:http://marc.info/?l=bugtraq&m=102820843403741&w=2
Reference: BUGTRAQ:20021009 Re: CERT Advisory CA-2002-28 Trojan Horse Sendmail
Reference: URL:http://online.securityfocus.com/archive/1/294539
Reference: CERT:CA-1994-07
Reference: URL:http://www.cert.org/advisories/CA-1994-07.html
Reference: CERT:CA-1994-14
Reference: URL:http://www.cert.org/advisories/CA-1994-14.html
Reference: CERT:CA-1999-01
Reference: URL:http://www.cert.org/advisories/CA-1999-01.html
Reference: CERT:CA-1999-02
Reference: URL:http://www.cert.org/advisories/CA-1999-02.html
Reference: CERT:CA-2002-28
Reference: URL:http://www.cert.org/advisories/CA-2002-28.html
Reference: XF:sendmail-backdoor(10313)
Reference: URL:http://www.iss.net/security_center/static/10313.php
A system is running a version of software that was replaced with a Trojan Horse at one of its distribution points, such as (1) TCP Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and 2.1f, (4) IRC client (ircII) ircII 2.2.9, (5) OpenSSH 3.4p1, or (6) Sendmail 8.12.6.

Current Votes:
   ACCEPT(4) Baker, Hill, Northcutt, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> Should add the specific CERT advisory references for well-known Trojaned software.
 TCP Wrappers -> CERT:CA-1999-01
 CERT:CA-1999-02 includes util-linux
 wuarchive - CERT:CA-94.07
 IRC client - CERT:CA-1994-14
 Christey> BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1)
 Modify description to use dot notation.
 Christey> CERT:CA-2002-24
 URL:http://www.cert.org/advisories/CA-2002-24.html
 XF:openssh-backdoor(9763)
 URL:http://www.iss.net/security_center/static/9763.php
 BID:5374
 URL:http://www.securityfocus.com/bid/5374
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> Add libpcap and tcpdump:
 BUGTRAQ:20021113 Latest libpcap & tcpdump sources from tcpdump.org contain a trojan
 URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103722456708471&w=2
 CERT:CA-2002-30
 URL:http://www.cert.org/advisories/CA-2002-30.html
 This CAN has been active for over 4 years. At this moment, my thinking is that we should SPLIT this CAN into each separate trojaned product, then create some criteria that restrict creation of new CANs to "widespread" or "important" products only.
======================================================
Name: CVE-1999-0662
Status: Candidate
Phase: Proposed(19990804)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0662
A system-critical program or library does not have the appropriate patch, hotfix, or service pack installed, or is outdated or obsolete.

Current Votes:
   ACCEPT(4) Baker, Hill, Northcutt, Wall
======================================================
Name: CVE-1999-0663
Status: Candidate
Phase: Proposed(19990804)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0663
A system-critical program, library, or file has a checksum or other integrity measurement that indicates that it has been modified.

Current Votes:
   ACCEPT(3) Baker, Hill, Wall
   RECAST(1) Northcutt

Voter Comments:
 Northcutt> This needs to be worded carefully. 1. Rootkits evade checksum detection. 2.
 The modification could be positive (a patch)
======================================================
Name: CVE-1999-0664
Status: Candidate
Phase: Proposed(19990803)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0664
An application-critical Windows NT registry key has inappropriate permissions.

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Baker
   RECAST(2) Christey, Northcutt

Voter Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate.
 Christey> Upon further reflection, this is too high-level for CVE. Specific registry keys with bad permissions is roughly equivalent to Unix configuration files that have bad permissions; those permission problems can be created by any vendor, not just a specific one. Therefore this candidate should be RECAST into each separate registry key that has this problem.
======================================================
Name: CVE-1999-0665
Status: Candidate
Phase: Proposed(19990803)
Reference: MISC:https://www.cve.org/CVERecord?id=CVE-1999-0665
An application-critical Windows NT registry key has an inappropriate value.

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Baker
   RECAST(1) Northcutt

Voter Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate.
 Baker> very vague
======================================================
Name: CVE-1999-0667
Status: Candidate
Phase: Proposed(19991222)
Reference: MISC:https://marc.info/?l=bugtraq&m=87602880019797&w=2
The ARP protocol allows any host to spoof ARP replies and poison the ARP cache to conduct IP address spoofing or a denial of service.
Current Votes:
   ACCEPT(2) Blake, Cole
   MODIFY(1) Stracener
   NOOP(2) Baker, Christey
   REJECT(1) Frech

Voter Comments:
 Stracener> Add Ref: BUGTRAQ:19970919 Playing redir games with ARP and ICMP
 Frech> Cannot proceed without a reference. Too vague, and resembles XF:netbsd-arp: CVE-1999-0763: NetBSD on a multi-homed host allows ARP packets on one network to modify ARP entries on another connected network. CVE-1999-0764: NetBSD allows ARP packets to overwrite static ARP entries. Will reconsider if reference provides enough information to render a distinction.
 Christey> This particular vulnerability was exploited by an attacker during the ID'Net IDS test network exercise at the SANS Network Security '99 conference. The attacker adapted a publicly available program that was able to spoof another machine on the same physical network. See http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019797&w=2 for the Bugtraq reference that Tom Stracener suggested. This generated a long thread on Bugtraq in 1997.
 Blake> I'll second Tom's request to add the reference, it's a very good posting and the vulnerability is clearly derivative of the work. (I do recall talking to the guy and drafting a description.)
======================================================
Name: CVE-1999-0668
Status: Entry
Reference: BID:598
Reference: URL:http://www.securityfocus.com/bid/598
Reference: BUGTRAQ:19990821 IE 5.0 allows executing programs
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Reference: MS:MS99-032
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-032
Reference: MSKB:Q240308
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q240308
Reference: XF:ms-scriptlet-eyedog-unsafe
The scriptlet.typelib ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.
======================================================
Name: CVE-1999-0669
Status: Candidate
Phase: Interim(19991229)
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Reference: MS:MS99-032
Reference: MSKB:Q240308
Reference: XF:ms-scriptlet-eyedog-unsafe
The Eyedog ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.

Current Votes:
   ACCEPT(5) Baker, Cole, Ozancin, Prosser, Wall
   MODIFY(2) Frech, Stracener
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:ms-scriptlet-eyedog-unsafe
 Stracener> Add Ref: MSKB Q240308
 Christey> Should CVE-1999-0669 and 668 be merged? If not, then this is a reason for not merging CVE-1999-0988 and CVE-1999-0828.
======================================================
Name: CVE-1999-0670
Status: Candidate
Phase: Proposed(19991208)
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Reference: MS:MS99-032
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-032
Buffer overflow in the Eyedog ActiveX control allows a remote attacker to execute arbitrary commands.

Current Votes:
   ACCEPT(3) Ozancin, Prosser, Wall
   MODIFY(2) Frech, Stracener
   REJECT(2) Baker, Cole

Voter Comments:
 Frech> XF:ie-eyedog-bo
 Cole> Based on the references and information listed this is the same as CVE-1999-0669
 Stracener> Add Ref: MSKB Q240308
 Baker> Duplicate
======================================================
Name: CVE-1999-0671
Status: Entry
Reference: BID:572
Reference: URL:http://www.securityfocus.com/bid/572
Reference: XF:toxsoft-nextftp-cwd-bo
Buffer overflow in ToxSoft NextFTP client through CWD command.
======================================================
Name: CVE-1999-0672
Status: Entry
Reference: BID:573
Reference: URL:http://www.securityfocus.com/bid/573
Reference: XF:fujitsu-topic-bo
Buffer overflow in Fujitsu Chocoa IRC client via IRC channel topics.
======================================================
Name: CVE-1999-0673
Status: Candidate
Phase: Proposed(19991222)
Reference: BID:574
Reference: URL:http://www.securityfocus.com/bid/574
Buffer overflow in ALMail32 POP3 client via From: or To: headers.

Current Votes:
   ACCEPT(6) Baker, Blake, Cole, Collins, Levy, Wall
   MODIFY(2) Frech, Stracener
   NOOP(3) Armstrong, Landfield, Oliver
   REVIEWING(1) Ozancin

Voter Comments:
 Stracener> AddRef: ShadowPenguinSecurity:PenguinToolbox,No.037
 Frech> XF:almail-bo
 CHANGE> [Cole changed vote from NOOP to ACCEPT]
======================================================
Name: CVE-1999-0674
Status: Entry
Reference: BID:570
Reference: URL:http://www.securityfocus.com/bid/570
Reference: BUGTRAQ:19990809 profil(2) bug, a simple test program
Reference: CIAC:J-067
Reference: URL:http://www.ciac.org/ciac/bulletins/j-067.shtml
Reference: FREEBSD:FreeBSD-SA-99:02
Reference: NETBSD:1999-011
Reference: OPENBSD:Aug 9,1999
Reference: XF:netbsd-profil
The BSD profil system call allows a local user to modify the internal data space of a program via profiling and execve.
======================================================
Name: CVE-1999-0675
Status: Entry
Reference: BID:576
Reference: URL:http://www.securityfocus.com/bid/576
Reference: BUGTRAQ:19990809 FW1 UDP Port 0 DoS
Reference: URL:http://www.securityfocus.com/archive/1/23615
Reference: OSVDB:1038
Reference: URL:http://www.osvdb.org/1038
Reference: XF:checkpoint-port
Check Point FireWall-1 can be subjected to a denial of service via UDP packets that are sent through VPN-1 to port 0 of a host.
======================================================
Name: CVE-1999-0676
Status: Entry
Reference: BID:575
Reference: URL:http://www.securityfocus.com/bid/575
Reference: BUGTRAQ:19990808 sdtcm_convert
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19990809134220.A1191@hades.chaoz.org
Reference: XF:sun-sdtcm-convert
sdtcm_convert in Solaris 2.6 allows a local user to overwrite sensitive files via a symlink attack.
======================================================
Name: CVE-1999-0677
Status: Candidate
Phase: Modified(19991228)
Reference: BID:577
Reference: URL:http://www.securityfocus.com/bid/577
Reference: BUGTRAQ:19990802 [LoWNOISE] Password hunting with webramp
The WebRamp web administration utility has a default password.

Current Votes:
   ACCEPT(3) Baker, Blake, Stracener
   MODIFY(2) Cole, Frech
   NOOP(2) Armstrong, Christey

Voter Comments:
 Cole> I would add that it is not forced to be changed.
 Frech> XF:webramp-default-password
 Christey> This problem may have been detected in January 1999:
 BUGTRAQ:19990121 Re: WebRamp M3 remote network access bug
 http://marc.theaimsgroup.com/?l=bugtraq&m=91702375402055&w=2
======================================================
Name: CVE-1999-0678
Status: Entry
Reference: BID:318
Reference: URL:http://www.securityfocus.com/bid/318
Reference: BUGTRAQ:19990405 An issue with Apache on Debian
Reference: XF:apache-debian-usrdoc
A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server.
======================================================
Name: CVE-1999-0679
Status: Entry
Reference: BID:581
Reference: URL:http://www.securityfocus.com/bid/581
Reference: BUGTRAQ:19990813 w00w00's efnet ircd advisory (exploit included)
Reference: CONFIRM:http://www.efnet.org/archive/servers/hybrid/ChangeLog
Reference: XF:hybrid-ircd-minvite-bo
Buffer overflow in hybrid-6 IRC server commonly used on EFnet allows remote attackers to execute commands via m_invite invite option.
======================================================
Name: CVE-1999-0680
Status: Entry
Reference: BID:571
Reference: URL:http://www.securityfocus.com/bid/571
Reference: CIAC:J-057
Reference: URL:http://www.ciac.org/ciac/bulletins/j-057.shtml
Reference: MS:MS99-028
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-028
Reference: MSKB:Q238600
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q238600
Reference: XF:nt-terminal-dos
Windows NT Terminal Server performs extra work when a client opens a new connection but before it is authenticated, allowing for a denial of service.
======================================================
Name: CVE-1999-0681
Status: Entry
Reference: BID:568
Reference: URL:http://www.securityfocus.com/bid/568
Reference: BUGTRAQ:19990807 Crash FrontPage Remotely...
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999-q3/0381.html
Reference: XF:frontpage-pws-dos(3117)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3117
Buffer overflow in Microsoft FrontPage Server Extensions (PWS) 3.0.2.926 on Windows 95, and possibly other versions, allows remote attackers to cause a denial of service via a long URL.
======================================================
Name: CVE-1999-0682
Status: Entry
Reference: BID:567
Reference: URL:http://www.securityfocus.com/bid/567
Reference: CIAC:J-056
Reference: URL:http://www.ciac.org/ciac/bulletins/j-056.shtml
Reference: MS:MS99-027
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-027
Reference: MSKB:Q237927
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q237927
Reference: XF:exchange-relay
Microsoft Exchange 5.5 allows a remote attacker to relay email (i.e. spam) using encapsulated SMTP addresses, even if the anti-relaying features are enabled.
======================================================
Name: CVE-1999-0683
Status: Entry
Reference: BID:556
Reference: URL:http://www.securityfocus.com/bid/556
Reference: BUGTRAQ:19990729 Remotely Lock Up Gauntlet 5.0
Reference: OSVDB:1029
Reference: URL:http://www.osvdb.org/1029
Reference: XF:gauntlet-dos
Denial of service in Gauntlet Firewall via a malformed ICMP packet.
======================================================
Name: CVE-1999-0684
Status: Candidate
Phase: Proposed(19991214)
Reference: HP:HPSBUX9904-097
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0684
Denial of service in Sendmail 8.8.6 in HPUX.

Current Votes:
   ACCEPT(2) Blake, Cole
   MODIFY(3) Frech, Prosser, Stracener
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Stracener> Add Ref: CIAC: J-040
 Prosser> Might change description to indicate DoS caused by multiple connections
 Christey> Andre's right. This is a duplicate of CVE-1999-0684.
 Frech> Without further information and/or references, this issue looks like an ambiguous version of CVE-1999-0478: Denial of service in HP-UX sendmail 8.8.6 related to accepting connections.
 (was REJECT) XF:hp-sendmail-connect-dos
======================================================
Name: CVE-1999-0685
Status: Entry
Reference: BID:618
Reference: URL:http://www.securityfocus.com/bid/618
Reference: BUGTRAQ:19991209 Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow
Buffer overflow in Netscape Communicator via EMBED tags in the pluginspage option.
======================================================
Name: CVE-1999-0686
Status: Entry
Reference: BUGTRAQ:19990514 TGAD DoS
Reference: BUGTRAQ:19990610 Re: VVOS/Netscape Bug
Reference: CIAC:J-046
Reference: URL:http://www.ciac.org/ciac/bulletins/j-046.shtml
Reference: HP:HPSBUX9906-098
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9906-098
Reference: XF:hp-tgad-dos
Denial of service in Netscape Enterprise Server (NES) in HP Virtual Vault (VVOS) via a long URL.
======================================================
Name: CVE-1999-0687
Status: Entry
Reference: BID:637
Reference: URL:http://www.securityfocus.com/bid/637
Reference: BUGTRAQ:19990913 Vulnerability in ttsession
Reference: CERT:CA-99-11
Reference: CIAC:K-001
Reference: URL:http://www.ciac.org/ciac/bulletins/k-001.shtml
Reference: COMPAQ:SSRT0617U_TTSESSION
Reference: HP:HPSBUX9909-103
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103
Reference: SUN:00192
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192
Reference: XF:cde-ttsession-rpc-auth
The ToolTalk ttsession daemon uses weak RPC authentication, which allows a remote attacker to execute commands.
======================================================
Name: CVE-1999-0688
Status: Entry
Reference: BID:545
Reference: URL:http://www.securityfocus.com/bid/545
Reference: HP:HPSBUX9907-101
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9907-101
Reference: XF:hp-sd-bo
Buffer overflows in HP Software Distributor (SD) for HPUX 10.x and 11.x.
======================================================
Name: CVE-1999-0689
Status: Entry
Reference: BID:636
Reference: URL:http://www.securityfocus.com/bid/636
Reference: BUGTRAQ:19990913 Vulnerability in dtspcd
Reference: CERT:CA-99-11
Reference: HP:HPSBUX9909-103
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103
Reference: OVAL:oval:org.mitre.oval:def:1880
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1880
Reference: SUN:00192
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192
Reference: XF:cde-dtspcd-file-auth
The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack.
======================================================
Name: CVE-1999-0690
Status: Entry
Reference: CIAC:J-053
Reference: URL:http://www.ciac.org/ciac/bulletins/j-053.shtml
Reference: HP:HPSBUX9907-100
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9907-100
Reference: XF:hp-cde-directory
HP CDE program includes the current directory in root's PATH variable.
======================================================
Name: CVE-1999-0691
Status: Entry
Reference: BID:635
Reference: URL:http://www.securityfocus.com/bid/635
Reference: BUGTRAQ:19990913 Vulnerability in dtaction
Reference: CERT:CA-99-11
Reference: COMPAQ:SSRTO615U_DTACTION
Reference: HP:HPSBUX9909-103
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103
Reference: OVAL:oval:org.mitre.oval:def:3078
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3078
Reference: SUN:00192
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192
Reference: XF:cde-dtaction-username-bo
Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name.
======================================================
Name: CVE-1999-0692
Status: Entry
Reference: CERT:CA-99-09
Reference: CIAC:J-052
Reference: URL:http://www.ciac.org/ciac/bulletins/j-052.shtml
Reference: SGI:19990701-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19990701-01-P
Reference: XF:sgi-arrayd
The default configuration of the Array Services daemon (arrayd) disables authentication, allowing remote users to gain root privileges.
======================================================
Name: CVE-1999-0693
Status: Entry
Reference: BID:641
Reference: URL:http://www.securityfocus.com/bid/641
Reference: CERT:CA-99-11
Reference: HP:HPSBUX9909-103
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103
Reference: OVAL:oval:org.mitre.oval:def:4374
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4374
Reference: SUN:00192
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192
Reference: XF:cde-dtsession-env-bo
Buffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges.
======================================================
Name: CVE-1999-0694
Status: Entry
Reference: CIAC:J-055
Reference: URL:http://www.ciac.org/ciac/bulletins/j-055.shtml
Reference: IBM:ERS-SVA-E01-1999:002.1
Reference: XF:aix-ptrace-halt
Denial of service in AIX ptrace system call allows local users to crash the system.
======================================================
Name: CVE-1999-0695
Status: Entry
Reference: BID:620
Reference: URL:http://www.securityfocus.com/bid/620
Reference: BUGTRAQ:19990904 [Sybase] software vendors do not think about old bugs
Reference: OSVDB:1064
Reference: URL:http://www.osvdb.org/1064
Reference: XF:http-powerdynamo-dotdotslash
The Sybase PowerDynamo personal web server allows attackers to read arbitrary files through a .. (dot dot) attack.
======================================================
Name: CVE-1999-0696
Status: Entry
Reference: BUGTRAQ:19990709 Exploit of rpc.cmsd
Reference: CERT:CA-99-08
Reference: CIAC:J-051
Reference: URL:http://www.ciac.org/ciac/bulletins/j-051.shtml
Reference: COMPAQ:SSRT0614U_RPC_CMSD
Reference: HP:HPSBUX9908-102
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9908-102
Reference: SCO:SB-99.12
Reference: SUN:00188
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/188
Reference: SUNBUG:4230754
Reference: XF:sun-cmsd-bo
Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd).
======================================================
Name: CVE-1999-0697
Status: Entry
Reference: BID:621
Reference: URL:http://www.securityfocus.com/bid/621
Reference: BUGTRAQ:19990908 SCO 5.0.5 /bin/doctor nightmare
Reference: XF:sco-doctor-execute
SCO Doctor allows local users to gain root privileges through a Tools option.
======================================================
Name: CVE-1999-0698
Status: Candidate
Phase: Proposed(19991222)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0698
Denial of service in IP protocol logger (ippl) on Red Hat and Debian Linux.

Current Votes:
   ACCEPT(6) Armstrong, Baker, Blake, Cole, Collins, Ozancin
   MODIFY(1) Frech
   NOOP(4) Landfield, Levy, Stracener, Wall
   REJECT(1) Christey

Voter Comments:
 Stracener> Is the candidate referring to the denial of service problem mentioned in the changelogs for versions previous to 1.4.3-1 or does it pertain to some problem with or 1.4.8-1?
 Frech> Depending on the version, this could be any number of DoSes related to ippl. From http://www.larve.net/ippl/:
 9 April 1999: version 1.4.3 released, correctly fixing a potential denial of service attack.
 7 April 1999: version 1.4.2 released, fixing a potential denial of service attack.
 XF:linux-ippl-dos
 Christey> Changelog: http://pltplp.net/ippl/docs/HISTORY
 See comments for version 1.4.2 and 1.4.3
 Another source: http://freshmeat.net/news/1999/04/08/923586598.html
 CHANGE> [Stracener changed vote from REVIEWING to NOOP]
 CHANGE> [Christey changed vote from NOOP to REJECT]
 Christey> As mentioned by others, this could apply to several different versions. Since the description is too vague, this CAN should be REJECTED and recast into other candidates.
======================================================
Name: CVE-1999-0699
Status: Entry
Reference: BID:623
Reference: URL:http://www.securityfocus.com/bid/623
Reference: BUGTRAQ:19990908 [Security] Spoofed Id in Bluestone Sapphire/Web
The Bluestone Sapphire web server allows session hijacking via easily guessable session IDs.
======================================================
Name: CVE-1999-0700
Status: Entry
Reference: MS:MS99-026
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-026
Reference: MSKB:Q237185
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q237185
Reference: XF:nt-malformed-dialer
Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed dialer entry in the dialer.ini file.
======================================================
Name: CVE-1999-0701
Status: Entry
Reference: BID:626
Reference: URL:http://www.securityfocus.com/bid/626
Reference: MS:MS99-036
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-036
Reference: MSKB:Q173039
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q173039
Reference: XF:nt-install-unattend-file
After an unattended installation of Windows NT 4.0, an installation file could include sensitive information such as the local Administrator password.
====================================================== Name: CVE-1999-0702 Status: Entry Reference: BID:627 Reference: URL:http://www.securityfocus.com/bid/627 Reference: BUGTRAQ:19990909 IE 5.0 security vulnerabilities - ImportExportFavorites - at least creating and overwriting files, probably executing programs Reference: MS:MS99-037 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-037 Reference: MSKB:Q241361 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241361 Reference: XF:ie5-import-export-favorites Internet Explorer 5.0 and 5.01 allows remote attackers to modify or execute files via the Import/Export Favorites feature, aka the "ImportExportFavorites" vulnerability. ====================================================== Name: CVE-1999-0703 Status: Entry Reference: BUGTRAQ:19990805 4.4 BSD issue -- chflags Reference: CIAC:J-066 Reference: URL:http://www.ciac.org/ciac/bulletins/j-066.shtml Reference: FREEBSD:FreeBSD-SA-99:01 Reference: OPENBSD:Jul30,1999 Reference: XF:openbsd-chflags-fchflags-permitted OpenBSD, BSDI, and other Unix operating systems allow users to set chflags and fchflags on character and block devices. ====================================================== Name: CVE-1999-0704 Status: Entry Reference: BID:614 Reference: URL:http://www.securityfocus.com/bid/614 Reference: CALDERA:CSSA-1999:024.0 Reference: CERT:CA-99-12 Reference: DEBIAN:19991018 Reference: FREEBSD:SA-99:06 Reference: REDHAT:RHSA-1999:032-01 Reference: XF:amd-bo Buffer overflow in Berkeley automounter daemon (amd) logging facility provided in the Linux am-utils package and others. 
====================================================== Name: CVE-1999-0705 Status: Entry Reference: BID:616 Reference: URL:http://www.securityfocus.com/bid/616 Reference: CALDERA:CSSA-1999-026 Reference: DEBIAN:19990907 Reference: REDHAT:RHSA1999033_01 Reference: SUSE:19990831 Security hole in INN Reference: XF:inn-inews-bo Buffer overflow in INN inews program. ====================================================== Name: CVE-1999-0706 Status: Entry Reference: BID:583 Reference: URL:http://www.securityfocus.com/bid/583 Reference: DEBIAN:19990807 Reference: SUSE:19990817 Security hole in i4l (xmonisdn) Linux xmonisdn package allows local users to gain root privileges by modifying the IFS or PATH environmental variables. ====================================================== Name: CVE-1999-0707 Status: Entry Reference: BID:493 Reference: URL:http://www.securityfocus.com/bid/493 Reference: CIAC:J-050 Reference: URL:http://www.ciac.org/ciac/bulletins/j-050.shtml Reference: HP:HPSBUX9906-099 Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9906-099 Reference: XF:hp-visualize-conference-ftp The default FTP configuration in HP Visualize Conference allows conference users to send a file to other participants without authorization. ====================================================== Name: CVE-1999-0708 Status: Entry Reference: BID:651 Reference: URL:http://www.securityfocus.com/bid/651 Reference: BUGTRAQ:19990921 BP9909-00: cfingerd local buffer overflow Buffer overflow in cfingerd allows local users to gain root privileges via a long GECOS field. 
====================================================== Name: CVE-1999-0710 Status: Entry Reference: BID:2059 Reference: URL:http://www.securityfocus.com/bid/2059 Reference: BUGTRAQ:19990725 Redhat 6.0 cachemgr.cgi lameness Reference: CONFIRM:http://www.redhat.com/support/errata/archives/rh52-errata-general.html#squid Reference: DEBIAN:DSA-576 Reference: URL:http://www.debian.org/security/2004/dsa-576 Reference: FEDORA:FEDORA-2005-373 Reference: URL:http://www.redhat.com/archives/fedora-announce-list/2005-May/msg00025.html Reference: FEDORA:FLSA-2006:152809 Reference: URL:http://fedoranews.org/updates/FEDORA--.shtml Reference: REDHAT:RHSA-1999:025 Reference: URL:http://www.redhat.com/support/errata/RHSA-1999-025.html Reference: REDHAT:RHSA-2005:489 Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-489.html Reference: XF:http-cgi-cachemgr(2385) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2385 The Squid package in Red Hat Linux 5.2 and 6.0, and other distributions, installs cachemgr.cgi in a public web directory, which allows remote attackers to use it as an intermediary to connect to other systems. ====================================================== Name: CVE-1999-0711 Status: Entry Reference: BUGTRAQ:19990430 *Huge* security hole in Oracle 8.0.5 with Intellegent agent installed Reference: URL:http://marc.info/?t=92550157100002&w=2&r=1 Reference: BUGTRAQ:19990506 Oracle Security Followup, patch and FAQ: setuid on oratclsh Reference: URL:http://marc.info/?l=bugtraq&m=92609807906778&w=2 Reference: XF:oracle-oratclsh The oratclsh interpreter in Oracle 8.x Intelligent Agent for Unix allows local users to execute Tcl commands as root. 
====================================================== Name: CVE-1999-0712 Status: Candidate Phase: Proposed(19991214) Reference: CALDERA:CSSA-1999:009 Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0712 Reference: XF:linux-coas A vulnerability in Caldera Open Administration System (COAS) allows the /etc/shadow password file to be made world-readable. Current Votes: ACCEPT(4) Baker, Cole, Frech, Stracener MODIFY(1) Blake NOOP(1) Armstrong REVIEWING(1) Christey Voter Comments: Blake> This obscurely-written advisory seems to state that COAS will make the file world-readable, not that it allows the user to make it so. I hardly think that allowing the user to turn off security is a vulnerability. Christey> It's difficult to write the description based on what's in the advisory. If COAS inadvertently changes permissions without user confirmation, then it should be ACCEPTed with appropriate modification to the description. Christey> ADDREF BID:137 CHANGE> [Armstrong changed vote from REVIEWING to NOOP] ====================================================== Name: CVE-1999-0713 Status: Entry Reference: BUGTRAQ:19990404 Digital Unix 4.0E /var permission Reference: CIAC:J-044 Reference: URL:http://www.ciac.org/ciac/bulletins/j-044.shtml Reference: COMPAQ:SSRT0600U Reference: XF:cde-dtlogin The dtlogin program in Compaq Tru64 UNIX allows local users to gain root privileges. ====================================================== Name: CVE-1999-0714 Status: Entry Reference: COMPAQ:SSRT0588U Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0714 Reference: XF:du-edauth Vulnerability in Compaq Tru64 UNIX edauth command. 
====================================================== Name: CVE-1999-0715 Status: Entry Reference: BUGTRAQ:19990519 Buffer Overruns in RAS allows execution of arbitary code as system Reference: MS:MS99-016 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-016 Reference: MSKB:Q230677 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q230677 Reference: XF:nt-ras-bo Buffer overflow in Remote Access Service (RAS) client allows an attacker to execute commands or cause a denial of service via a malformed phonebook entry. ====================================================== Name: CVE-1999-0716 Status: Entry Reference: MS:MS99-015 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-015 Reference: MSKB:Q231605 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231605 Reference: XF:nt-helpfile-bo Buffer overflow in Windows NT 4.0 help file utility via a malformed help file. ====================================================== Name: CVE-1999-0717 Status: Entry Reference: MS:MS99-014 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-014 Reference: MSKB:Q231304 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231304 Reference: XF:excel-virus-warning A remote attacker can disable the virus warning mechanism in Microsoft Excel 97. 
====================================================== Name: CVE-1999-0718 Status: Entry Reference: BID:608 Reference: URL:http://www.securityfocus.com/bid/608 Reference: NTBUGTRAQ:19990823 IBM Gina security warning Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9908&L=ntbugtraq&F=&S=&P=5534 Reference: XF:ibm-gina-group-add(3166) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3166 IBM GINA, when used for OS/2 domain authentication of Windows NT users, allows local users to gain administrator privileges by changing the GroupMapping registry key. ====================================================== Name: CVE-1999-0719 Status: Entry Reference: BID:563 Reference: URL:http://www.securityfocus.com/bid/563 Reference: BUGTRAQ:19990802 Gnumeric potential security hole. Reference: REDHAT:RHSA-1999:023-01 Reference: XF:gnu-guile-plugin-export The Guile plugin for the Gnumeric spreadsheet package allows attackers to execute arbitrary code. ====================================================== Name: CVE-1999-0720 Status: Entry Reference: BID:597 Reference: URL:http://www.securityfocus.com/bid/597 Reference: BUGTRAQ:19990823 [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=lcamtuf.4.05.9907041223290.355-300000@nimue.ids.pl Reference: XF:linux-pt-chown The pt_chown command in Linux allows local users to modify TTY terminal devices that belong to other users. 
====================================================== Name: CVE-1999-0721 Status: Entry Reference: BINDVIEW:Phantom Technical Advisory Reference: CIAC:J-049 Reference: URL:http://www.ciac.org/ciac/bulletins/j-049.shtml Reference: MS:MS99-020 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-020 Reference: MSKB:Q231457 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231457 Reference: XF:msrpc-lsa-lookupnames-dos Denial of service in Windows NT Local Security Authority (LSA) through a malformed LSA request. ====================================================== Name: CVE-1999-0722 Status: Entry Reference: BID:558 Reference: URL:http://www.securityfocus.com/bid/558 Reference: CERT:CA-99-10 Reference: XF:cobalt-raq2-default-config The default configuration of Cobalt RaQ2 servers allows remote users to install arbitrary software packages. ====================================================== Name: CVE-1999-0723 Status: Entry Reference: BID:478 Reference: URL:http://www.securityfocus.com/bid/478 Reference: CIAC:J-049 Reference: URL:http://www.ciac.org/ciac/bulletins/j-049.shtml Reference: MS:MS99-021 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-021 Reference: MSKB:Q233323 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q233323 Reference: NTBUGTRAQ:19990411 Death by MessageBox Reference: XF:nt-csrss-dos The Windows NT Client Server Runtime Subsystem (CSRSS) can be subjected to a denial of service when all worker threads are waiting for user input. ====================================================== Name: CVE-1999-0724 Status: Entry Reference: OPENBSD:Aug12,1999 Reference: OSVDB:6128 Reference: URL:http://www.osvdb.org/6128 Reference: XF:openbsd-uio_offset-bo Buffer overflow in OpenBSD procfs and fdescfs file systems via uio_offset in the readdir() function. 
====================================================== Name: CVE-1999-0725 Status: Entry Reference: BID:477 Reference: URL:http://www.securityfocus.com/bid/477 Reference: MS:MS99-022 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-022 Reference: MSKB:Q233335 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q233335 Reference: XF:iis-double-byte-code-page(2302) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2302 When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker to view the source code of certain files, a.k.a. "Double Byte Code Page". ====================================================== Name: CVE-1999-0726 Status: Entry Reference: BID:499 Reference: URL:http://www.securityfocus.com/bid/499 Reference: MS:MS99-023 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-023 Reference: MSKB:Q234557 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q234557 Reference: XF:nt-malformed-image-header An attacker can conduct a denial of service in Windows NT by executing a program with a malformed file image header. ====================================================== Name: CVE-1999-0727 Status: Entry Reference: OPENBSD:19990608 Packets that should have been handled by IPsec may be transmitted as cleartext Reference: OSVDB:6127 Reference: URL:http://www.osvdb.org/6127 Reference: XF:openbsd-ipsec-cleartext A kernel leak in the OpenBSD kernel allows IPsec packets to be sent unencrypted. 
====================================================== Name: CVE-1999-0728 Status: Entry Reference: MS:MS99-024 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-024 Reference: MSKB:Q236359 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q236359 Reference: XF:nt-ioctl-dos A Windows NT user can disable the keyboard or mouse by directly calling the IOCTLs which control them. ====================================================== Name: CVE-1999-0729 Status: Entry Reference: BID:601 Reference: URL:http://www.securityfocus.com/bid/601 Reference: CIAC:J-061 Reference: URL:http://www.ciac.org/ciac/bulletins/j-061.shtml Reference: ISS:19990823 Denial of Service Attack against Lotus Notes Domino Server 4.6 Reference: URL:http://xforce.iss.net/alerts/advise34.php Reference: OSVDB:1057 Reference: URL:http://www.osvdb.org/1057 Reference: XF:lotus-ldap-bo Buffer overflow in Lotus Notes LDAP (NLDAP) allows an attacker to conduct a denial of service through the ldap_search request. ====================================================== Name: CVE-1999-0730 Status: Entry Reference: DEBIAN:19990612 Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0730 The zsoelim program in the Debian man-db package allows local users to overwrite files via a symlink attack. ====================================================== Name: CVE-1999-0731 Status: Entry Reference: BID:489 Reference: URL:http://www.securityfocus.com/bid/489 Reference: BUGTRAQ:19990623 Security flaw in klock Reference: CALDERA:CSSA-1999:017 Reference: MISC:https://github.com/KDE/kde1-kdebase/commit/04906bd5de2f220bf100b605dad37b4a1d9a91a6 Reference: SUSE:19990629 Security hole in Klock The KDE klock program allows local users to unlock a session using malformed input. 
====================================================== Name: CVE-1999-0732 Status: Entry Reference: DEBIAN:19990823b Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0732 Reference: XF:smtp-refuser-tmp The logging facility of the Debian smtp-refuser package allows local users to delete arbitrary files using symbolic links. ====================================================== Name: CVE-1999-0733 Status: Entry Reference: BID:490 Reference: URL:http://www.securityfocus.com/bid/490 Reference: BUGTRAQ:19990626 VMWare Advisory - buffer overflows Reference: BUGTRAQ:19990626 VMware Security Alert Reference: BUGTRAQ:19990705 Re: VMWare Advisory.. - exploit Reference: XF:vmware-bo Buffer overflow in VMWare 1.0.1 for Linux via a long HOME environmental variable. ====================================================== Name: CVE-1999-0734 Status: Entry Reference: CISCO:19990819 CiscoSecure Access Control Server for UNIX Remote Administration Vulnerability Reference: URL:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19990819-dbaccess Reference: XF:ciscosecure-read-write(3133) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3133 A default configuration of CiscoSecure Access Control Server (ACS) allows remote users to modify the server database without authentication. ====================================================== Name: CVE-1999-0735 Status: Entry Reference: BID:300 Reference: URL:http://www.securityfocus.com/bid/300 Reference: CALDERA:CSSA-1999:016 Reference: ISS:KDE K-Mail File Creation Vulnerability Reference: REDHAT:RHSA-1999:015-01 Reference: URL:http://www.redhat.com/support/errata/RHSA1999015_01.html KDE K-Mail allows local users to gain privileges via a symlink attack in temporary user directories. 
====================================================== Name: CVE-1999-0736 Status: Candidate Phase: Modified(20061101) Reference: L0PHT:May7,1999 Reference: MS:MS99-013 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-013 Reference: MSKB:Q231368 Reference: MSKB:Q232449 Reference: OVAL:oval:org.mitre.oval:def:932 Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A932 The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. Current Votes: ACCEPT(4) Ozancin, Prosser, Stracener, Wall MODIFY(2) Cole, Frech NOOP(1) Baker REVIEWING(1) Christey Voter Comments: Frech> XF:iis-samples-showcode Cole> There are several sample files that allow this. I would quote showcode.asp but make it more generic. Prosser> (Modify) Have a question on this and on the following three candidates as well. All of these are part of the file viewer utilities that allow unauthorized file reading, but MSKB Q231368 also mentioned the diagnostics program, Winmsdp.exe, as another vulnerable viewer in this same set of viewers. If we are going to split out the separate viewer tools then shouldn't there be a separate CAN for Winmsdp.exe also. Christey> Mike's question basically touches on the CD:SF-EXEC content decision - what do you do when you have the same bug in multiple executables? CD:SF-EXEC needs to be reviewed and approved by the Editorial Board before we can decide what to do with this candidate. Christey> Mark Burnett says that Microsoft's mention of winmsdp.exe in MSKB:Q231368 may be an error, and that winmsdp.exe is a Microsoft Diagnostics Report Generator which may not even be installed as part of IIS. 
Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html Christey> ADDREF BID:167 URL:http://www.securityfocus.com/vdb/bottom.html?vid=167 Christey> MISC:http://p.ulh.as/xploitsdb/NT/iis38.html covers a showcode.asp directory traversal vulnerability and refers to the L0pht advisory. Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317 ====================================================== Name: CVE-1999-0737 Status: Candidate Phase: Proposed(19991208) Reference: MS:MS99-013 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-013 Reference: MSKB:Q231656 The viewcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. Current Votes: ACCEPT(4) Ozancin, Prosser, Stracener, Wall MODIFY(1) Frech NOOP(2) Baker, Christey REJECT(1) Cole Voter Comments: Frech> XF:iis-samples-viewcode Cole> I would combine this with the previous. Prosser> (modify) See comments in 0736 above Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html for additional details. Christey> Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317 ====================================================== Name: CVE-1999-0738 Status: Candidate Phase: Proposed(19991208) Reference: MS:MS99-013 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-013 Reference: MSKB:Q231368 Reference: MSKB:Q232449 The code.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. Current Votes: ACCEPT(4) Ozancin, Prosser, Stracener, Wall MODIFY(1) Frech NOOP(2) Baker, Christey REJECT(1) Cole Voter Comments: Frech> XF:iis-samples-code Cole> Same as above Prosser> (modify) See comments in 0736 above Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html for additional details. 
Christey> Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317 ====================================================== Name: CVE-1999-0739 Status: Candidate Phase: Proposed(19991208) Reference: MS:MS99-013 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-013 Reference: MSKB:Q231368 Reference: MSKB:Q232449 The codebrws.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. Current Votes: ACCEPT(4) Ozancin, Prosser, Stracener, Wall MODIFY(1) Frech NOOP(2) Baker, Christey REJECT(1) Cole Voter Comments: Frech> XF:iis-samples-codebrws Cole> Same as above. Prosser> (modify) See comments in 0736 above Christey> codebrw2.asp and Codebrw1.asp also need to be included somewhere. Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html Christey> Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317 ====================================================== Name: CVE-1999-0740 Status: Entry Reference: BID:594 Reference: URL:http://www.securityfocus.com/bid/594 Reference: CALDERA:CSSA-1999:022 Reference: REDHAT:RHSA1999029_01 Reference: XF:linux-telnetd-term Remote attackers can cause a denial of service on Linux in.telnetd telnet daemon through a malformed TERM environmental variable. ====================================================== Name: CVE-1999-0741 Status: Candidate Phase: Proposed(19991222) Reference: BID:593 Reference: URL:http://www.securityfocus.com/bid/593 Reference: BUGTRAQ:19990818 QMS 2060 printer security hole Reference: XF:qms-2060-no-root-password QMS CrownNet Unix Utilities for 2060 allows root to log on without a password. Current Votes: ACCEPT(4) Baker, Frech, Levy, Stracener NOOP(2) Christey, Oliver Voter Comments: Christey> change description - anyone can log on *as* root Frech> (Note: this XF also cataloged under CVE-1999-0508.) 
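The four candidates CVE-1999-0736 through CVE-1999-0739 above are the same bug in four sample files: a source "viewer" that takes a file name from the request and returns the file, which becomes arbitrary file read once the name is allowed to traverse out of the sample tree. A practitioner reviewing old IIS logs wants a quick check for hits on those scripts. The following is an added example written for this page, not code from Microsoft, SecurityFocus or any of the voters; the log lines, addresses and paths are constructed, and the "source=" parameter name is an assumption for the illustration (the entries above do not name the parameter). codebrw1.asp and codebrw2.asp are included because Christey asks for them under CVE-1999-0739.

```python
import re
import urllib.parse

# Sample source viewers named in the entries above; codebrw1.asp and
# codebrw2.asp are the two Christey asks to include somewhere.
SAMPLE_VIEWERS = {
    "showcode.asp", "viewcode.asp", "code.asp", "codebrws.asp",
    "codebrw1.asp", "codebrw2.asp",
}

# Common Log Format; the request line is split into method, URL, protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log (made-up addresses, timestamps and paths). The
# "source=" parameter name is an assumption for the illustration.
CONSTRUCTED_LOG = """\
192.0.2.10 - - [10/Sep/1999:10:01:02 -0400] "GET /default.asp HTTP/1.0" 200 512
192.0.2.77 - - [10/Sep/1999:10:01:09 -0400] "GET /msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../boot.ini HTTP/1.0" 200 299
192.0.2.77 - - [10/Sep/1999:10:01:15 -0400] "GET /iissamples/exair/howitworks/codebrws.asp?source=/../../../../winnt/repair/sam._ HTTP/1.0" 200 4096
192.0.2.77 - - [10/Sep/1999:10:01:21 -0400] "GET /iissamples/exair/howitworks/code.asp?source=%2F..%2F..%2Fwinnt%2Fwin.ini HTTP/1.0" 404 0
192.0.2.31 - - [10/Sep/1999:10:02:00 -0400] "GET /SiteServer/Publishing/viewcode.asp?source=default.asp HTTP/1.0" 200 1200
"""


def classify(line: str):
    """Return a finding dict if the request targets one of the sample
    viewers, else None. Traversal is judged on the URL-decoded query so
    %2F..%2F is caught as well as a literal ../ (and the backslash form)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urllib.parse.urlsplit(m.group("url"))
    script = parsed.path.rsplit("/", 1)[-1].lower()
    if script not in SAMPLE_VIEWERS:
        return None
    query = urllib.parse.unquote(parsed.query)
    traversal = "../" in query or "..\\" in query
    return {
        "ip": m.group("ip"),
        "script": script,
        "traversal": traversal,
        "status": int(m.group("status")),
        # A 200 together with traversal means the file was most likely served.
        "likely_success": traversal and m.group("status") == "200",
    }


def scan(log_text: str) -> list:
    """Run classify() over every line. Any hit at all deserves a look: the
    sample viewers have no business on a production server, traversal or not."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(CONSTRUCTED_LOG):
        print(finding)
```

The check keys on the script name rather than on a directory, because the sample trees were installed under several different paths (and Site Server under yet another), and a request for viewcode.asp with a benign argument is still worth reporting since it proves the sample files are present.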
====================================================== Name: CVE-1999-0742 Status: Entry Reference: BID:480 Reference: URL:http://www.securityfocus.com/bid/480 Reference: DEBIAN:19990623 The Debian mailman package uses weak authentication, which allows attackers to gain privileges. ====================================================== Name: CVE-1999-0743 Status: Entry Reference: BUGTRAQ:19990819 Insecure use of file in /tmp by trn Reference: DEBIAN:19990823c Reference: SUSE:19990824 Security hole in trn Reference: XF:trn-symlinks(3144) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3144 Trn allows local users to overwrite other users' files via symlinks. ====================================================== Name: CVE-1999-0744 Status: Entry Reference: BID:603 Reference: URL:http://www.securityfocus.com/bid/603 Reference: ISS:Buffer Overflow in Netscape Enterprise and FastTrack Web Servers Buffer overflow in Netscape Enterprise Server and FastTrack Server allows remote attackers to gain privileges via a long HTTP GET request. ====================================================== Name: CVE-1999-0745 Status: Entry Reference: BID:590 Reference: URL:http://www.securityfocus.com/bid/590 Reference: CIAC:J-059 Reference: URL:http://www.ciac.org/ciac/bulletins/j-059.shtml Reference: IBM:ERS-SVA-E01-1999:003.1 Reference: XF:aix-pdnsd-bo Buffer overflow in Source Code Browser Program Database Name Server Daemon (pdnsd) for the IBM AIX C Set ++ compiler. ====================================================== Name: CVE-1999-0746 Status: Entry Reference: BID:587 Reference: URL:http://www.securityfocus.com/bid/587 Reference: BUGTRAQ:19990814 DOS against SuSE's identd Reference: SUSE:19990824 Security hole in netcfg Reference: XF:suse-identd-dos A default configuration of in.identd in SuSE Linux waits 120 seconds between requests, allowing a remote attacker to conduct a denial of service. 
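CVE-1999-0730 (zsoelim), CVE-1999-0732 (smtp-refuser), CVE-1999-0735 (K-Mail) and CVE-1999-0743 (trn) above are one bug class: a program that runs with more privilege than the local attacker writes to a predictable name under /tmp, the attacker pre-creates a symbolic link at that name, and the write follows the link onto a file the attacker could not otherwise touch. The following is an added example written for this page, not code from any of those packages, showing the naive write clobbering the link target and the hardened open refusing the same link. It runs in a scratch directory it creates itself; the file names are constructed for the demonstration and the only platform assumption is that unprivileged symlink creation works (Linux, BSD, macOS).

```python
import os
import shutil
import tempfile


def unsafe_write(path: str, data: bytes) -> None:
    """Vulnerable pattern: a plain open() follows whatever symlink sits at the
    predictable path, so the write lands on the link's target."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_write(path: str, data: bytes) -> None:
    """Hardened pattern: create the file ourselves (O_CREAT|O_EXCL fails if
    anything, including a symlink, already exists there) and never follow a
    link at the final component (O_NOFOLLOW where the platform has it).
    Mode 0600 so no other local user can read the result either."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: 'victim' plays the file the attacker wants
    clobbered and 'program.tmp' is the predictable temp path the privileged
    program writes to, which the attacker has already pointed at victim."""
    workdir = tempfile.mkdtemp(prefix="symlink-demo-")
    try:
        victim = os.path.join(workdir, "victim")
        predictable = os.path.join(workdir, "program.tmp")
        with open(victim, "wb") as fh:
            fh.write(b"original contents\n")
        os.symlink(victim, predictable)  # the attacker got there first

        # 1. Naive writer: follows the link and overwrites victim.
        unsafe_write(predictable, b"attacker-chosen\n")
        with open(victim, "rb") as fh:
            clobbered = fh.read() == b"attacker-chosen\n"

        # 2. Restore victim, then run the hardened writer against the same link.
        with open(victim, "wb") as fh:
            fh.write(b"original contents\n")
        try:
            safe_write(predictable, b"attacker-chosen\n")
            refused = False
        except OSError:
            # EEXIST from O_EXCL (or ELOOP from O_NOFOLLOW): nothing was written.
            refused = True
        with open(victim, "rb") as fh:
            intact = fh.read() == b"original contents\n"

        return {"unsafe_clobbered": clobbered,
                "safe_refused": refused,
                "victim_intact": intact}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

In practice the predictable name itself is the root problem; tempfile.mkstemp (or mkstemp(3) in C) picks an unguessable name and opens it with exactly these flags, which is the fix the affected packages shipped in one form or another. O_EXCL alone is what makes the race unwinnable, since the kernel refuses if any object already exists at the path; O_NOFOLLOW is belt and braces for the non-creating case.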
====================================================== Name: CVE-1999-0747 Status: Entry Reference: BID:589 Reference: URL:http://www.securityfocus.com/bid/589 Reference: BUGTRAQ:19990816 Symmetric Multiprocessing (SMP) Vulnerbility in BSDi 4.0.1 Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSI.4.10.9908170253560.19291-100000@saturn.psn.net Reference: XF:bsdi-smp-dos Denial of service in BSDi Symmetric Multiprocessing (SMP) when an fstat call is made when the system has a high CPU load. ====================================================== Name: CVE-1999-0748 Status: Candidate Phase: Proposed(19991214) Reference: MISC:http://www.redhat.com/support/errata/RHSA1999017_01.html Reference: REDHAT:RHSA-1999:017-01 Buffer overflows in Red Hat net-tools package. Current Votes: ACCEPT(4) Armstrong, Baker, Cole, Stracener MODIFY(1) Frech REJECT(1) Blake Voter Comments: Blake> RHSA-1999:017-01 describes "potential security problem fixed" in the absence of knowing whether or not the problems actually existed, I don't think we have an entry here. Frech> XF:redhat-net-tool-bo ====================================================== Name: CVE-1999-0749 Status: Entry Reference: BID:586 Reference: URL:http://www.securityfocus.com/bid/586 Reference: BUGTRAQ:19990815 telnet.exe heap overflow - remotely exploitable Reference: MS:MS99-033 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-033 Reference: XF:win-ie5-telnet-heap-overflow Buffer overflow in Microsoft Telnet client in Windows 95 and Windows 98 via a malformed Telnet argument. 
====================================================== Name: CVE-1999-0750 Status: Candidate Phase: Proposed(19991222) Reference: BID:630 Reference: URL:http://www.securityfocus.com/bid/630 Reference: BUGTRAQ:19990913 Hotmail security vulnerability - injecting JavaScript using 'STYLE' tag Hotmail allows Javascript to be executed via the HTML STYLE tag, allowing remote attackers to execute commands on the user's Hotmail account. Current Votes: ACCEPT(1) Levy MODIFY(2) Frech, Stracener NOOP(1) Baker Voter Comments: Stracener> Many sites are vulnerable to this problem. I recommend removing the explicit references to Hotmail and making the description more generic. Suggest: Javascript can be injected using the STYLE tag in an HTML formatted e-mail, allowing remote attackers to execute commands on user accounts. Frech> XF:hotmail-html-style-embed ====================================================== Name: CVE-1999-0751 Status: Entry Reference: BID:631 Reference: URL:http://www.securityfocus.com/bid/631 Reference: BUGTRAQ:19990913 Accept overflow on Netscape Enterprise Server 3.6 SP2 Reference: XF:netscape-accept-bo(3256) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3256 Buffer overflow in Accept command in Netscape Enterprise Server 3.6 with the SSL Handshake Patch. ====================================================== Name: CVE-1999-0752 Status: Entry Reference: BUGTRAQ:19990706 Netscape Enterprise Server SSL Handshake Bug Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0752 Denial of service in Netscape Enterprise Server via a buffer overflow in the SSL handshake. ====================================================== Name: CVE-1999-0753 Status: Entry Reference: BID:591 Reference: URL:http://www.securityfocus.com/bid/591 Reference: BUGTRAQ:19990817 Stupid bug in W3-msql Reference: XF:mini-sql-w3-msql-cgi The w3-msql CGI script provided with Mini SQL allows remote attackers to view restricted directories. 
====================================================== Name: CVE-1999-0754 Status: Entry Reference: BID:255 Reference: URL:http://www.securityfocus.com/bid/255 Reference: BUGTRAQ:19990511 INN 2.0 and higher. Root compromise potential Reference: CALDERA:CSSA-1999-011.0 Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-011.0.txt Reference: MISC:http://www.redhat.com/corp/support/errata/inn99_05_22.html Reference: SUSE:19990518 Security hole in INN Reference: XF:inn-innconf-env The INN inndstart program allows local users to gain privileges by specifying an alternate configuration file using the INNCONF environmental variable. ====================================================== Name: CVE-1999-0755 Status: Entry Reference: MS:MS99-017 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-017 Reference: MSKB:Q230681 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q230681 Reference: XF:nt-ras-pwcache Windows NT RRAS and RAS clients cache a user's password even if the user has not selected the "Save password" option. ====================================================== Name: CVE-1999-0756 Status: Entry Reference: ALLAIRE:ASB99-07 Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=10968&Method=Full Reference: XF:coldfusion-admin-dos(2207) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2207 ColdFusion Administrator with Advanced Security enabled allows remote users to stop the ColdFusion server via the Start/Stop utility. 
====================================================== Name: CVE-1999-0757 Status: Candidate Phase: Proposed(20010214) Reference: ALLAIRE:ASB99-08 Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=10969&Method=Full Reference: XF:coldfusion-encryption(2208) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2208 The ColdFusion CFCRYPT program for encrypting CFML templates has weak encryption, allowing attackers to decrypt the templates. Current Votes: ACCEPT(3) Baker, Cole, Frech NOOP(1) Christey Voter Comments: Frech> XF:coldfusion-encryption Christey> BUGTRAQ:19990724 Re: New Allaire Security Zone Bulletins and KB Articles URL:http://www.securityfocus.com/archive/1/19471 Christey> ADDREF BID:275 URL:http://www.securityfocus.com/bid/275 ====================================================== Name: CVE-1999-0758 Status: Entry Reference: ALLAIRE:ASB99-06 Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0758 Reference: XF:netscape-space-view Netscape Enterprise 3.5.1 and FastTrack 3.01 servers allow a remote attacker to view source code to scripts by appending a %20 to the script's URL. ====================================================== Name: CVE-1999-0759 Status: Entry Reference: BID:634 Reference: URL:http://www.securityfocus.com/bid/634 Reference: BUGTRAQ:19990913 Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug Reference: CONFIRM:http://www.crosswinds.net/~fuseware/faq.html#8 Reference: XF:fuseware-popmail-bo Buffer overflow in FuseMAIL POP service via long USER and PASS commands. 
====================================================== Name: CVE-1999-0760 Status: Entry Reference: ALLAIRE:ASB99-10 Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=11714&Method=Full Reference: BID:550 Reference: URL:http://www.securityfocus.com/bid/550 Reference: XF:coldfusion-server-cfml-tags(3288) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3288 Undocumented ColdFusion Markup Language (CFML) tags and functions in the ColdFusion Administrator allow users to gain additional privileges. ====================================================== Name: CVE-1999-0761 Status: Entry Reference: BID:644 Reference: URL:http://www.securityfocus.com/bid/644 Reference: FREEBSD:FreeBSD-SA-99:05 Reference: OSVDB:1074 Reference: URL:http://www.osvdb.org/1074 Reference: XF:freebsd-fts-lib-bo Buffer overflow in FreeBSD fts library routines allows local user to modify arbitrary files via the periodic program. ====================================================== Name: CVE-1999-0762 Status: Entry Reference: BUGTRAQ:19990524 Netscape Communicator JavaScript in security vulnerability Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0762 Reference: XF:netscape-title When Javascript is embedded within the TITLE tag, Netscape Communicator allows a remote attacker to use the "about" protocol to gain access to browser information. ====================================================== Name: CVE-1999-0763 Status: Entry Reference: NETBSD:1999-010 Reference: OSVDB:6540 Reference: URL:http://www.osvdb.org/6540 Reference: XF:netbsd-arp NetBSD on a multi-homed host allows ARP packets on one network to modify ARP entries on another connected network. ====================================================== Name: CVE-1999-0764 Status: Entry Reference: NETBSD:1999-010 Reference: OSVDB:6539 Reference: URL:http://www.osvdb.org/6539 Reference: XF:netbsd-arp NetBSD allows ARP packets to overwrite static ARP entries. 
======================================================
Name: CVE-1999-0765
Status: Entry
Reference: BID:262
Reference: URL:http://www.securityfocus.com/bid/262
Reference: BUGTRAQ:19990619 IRIX midikeys root exploit.
Reference: SGI:19990501-01-A
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19990501-01-A
Reference: XF:irix-midikeys

SGI IRIX midikeys program allows local users to modify arbitrary files via a text editor.

======================================================
Name: CVE-1999-0766
Status: Entry
Reference: BID:600
Reference: URL:http://www.securityfocus.com/bid/600
Reference: MS:MS99-031
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-031
Reference: MSKB:Q240346
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q240346
Reference: XF:msvm-verifier-java

The Microsoft Java Virtual Machine allows a malicious Java applet to execute arbitrary commands outside of the sandbox environment.

======================================================
Name: CVE-1999-0767
Status: Candidate
Phase: Proposed(19991214)
Reference: MISC:https://marc.info/?l=bugtraq&m=87602167420557&w=2
Reference: SUN:00189

Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES environmental variable.

Current Votes:
   ACCEPT(4) Baker, Blake, Cole, Dik
   MODIFY(2) Frech, Stracener
   REVIEWING(2) Christey, Prosser

Voter Comments:
 Stracener> Add Ref: CIAC: J-069
 Frech> XF:sun-libc-lcmessages
 Prosser> BID 268 is an additional reference for this one as it has info on the Sun vulnerability. However, BID 268 also includes AIX in this vulnerability and refs APARS issued to fix a vulnerability in various 'nixs with the Natural Language Service environmental variables NSLPATH and PATH_LOCALE depending on the 'nix, ref CERT CA-97.10, CVE-1999-0041.
   However, Georgi Guninski reported a BO in AIX with LC_MESSAGES + mount, also refed in BID 268, so it is possible the AIX APARs fix an earlier, similar vulnerability to the Sun BO in LC_MESSAGES. This should probably be considered under a different CAN. Any ideas?
 Christey> Given that the buffer overflows in CVE-1999-0041 are NLSPATH and PATH_LOCALE, I'd say that's good evidence that this is not the same problem. But a buffer overflow in libc in LC_MESSAGES... We must ask if these are basically the same codebase.
   ADDREF CIAC:J-069
 Christey> While the description indicates multiple programs, CD:SF-EXEC does not apply because the vulnerability was in libc, and rcp and ufsrestore were both statically linked against libc. Thus CD:SF-LOC applies, and a single candidate is maintained because the problem occurred in a library.
 Dik> Sun bug 4240566
 Christey> I'm consulting with Casper Dik and Troy Bollinger to see if this should be combined with the AIX buffer overflows for LC_MESSAGES; current indications are that they should be split.
 Christey> For further consultation, consider this post, though it's associated with CVE-1999-0041:
   BUGTRAQ:19970213 Linux NLSPATH buffer overflow
   http://www.securityfocus.com/archive/1/6296
   Also add "NLSPATH" and "PATH_LOCALE" to the description to facilitate search.

======================================================
Name: CVE-1999-0768
Status: Entry
Reference: BID:602
Reference: URL:http://www.securityfocus.com/bid/602
Reference: REDHAT:RHSA-1999:030-02
Reference: SUSE:19990829 Security hole in cron

Buffer overflow in Vixie Cron on Red Hat systems via the MAILTO environmental variable.
======================================================
Name: CVE-1999-0769
Status: Entry
Reference: BID:611
Reference: URL:http://www.securityfocus.com/bid/611
Reference: CALDERA:CSSA-1999:023.0
Reference: DEBIAN:19990830 cron
Reference: REDHAT:RHSA-1999:030-02
Reference: SUSE:19990829 Security hole in cron

Vixie Cron on Linux systems allows local users to set parameters of sendmail commands via the MAILTO environmental variable.

======================================================
Name: CVE-1999-0770
Status: Entry
Reference: BID:549
Reference: URL:http://www.securityfocus.com/bid/549
Reference: BUGTRAQ:19990729 Simple DOS attack on FW-1
Reference: CHECKPOINT:ACK DOS ATTACK
Reference: OSVDB:1027
Reference: URL:http://www.osvdb.org/1027

Firewall-1 sets a long timeout for connections that begin with ACK or other packets except SYN, allowing an attacker to conduct a denial of service via a large number of connection attempts to unresponsive systems.

======================================================
Name: CVE-1999-0771
Status: Entry
Reference: BUGTRAQ:19990526 Infosec.19990526.compaq-im.a
Reference: COMPAQ:SSRT0612U
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0771
Reference: XF:management-agent-file-read

The web components of Compaq Management Agents and the Compaq Survey Utility allow a remote attacker to read arbitrary files via a .. (dot dot) attack.

======================================================
Name: CVE-1999-0772
Status: Entry
Reference: BUGTRAQ:19990527 Re: Infosec.19990526.compaq-im.a (New DoS and correction to my previous post)
Reference: COMPAQ:SSRT0612U
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0772
Reference: XF:management-agent-dos

Denial of service in Compaq Management Agents and the Compaq Survey Utility via a long string sent to port 2301.
======================================================
Name: CVE-1999-0773
Status: Entry
Reference: BUGTRAQ:19990511 Solaris2.6 and 2.7 lpset overflow
Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9905B&L=bugtraq&P=R2017
Reference: XF:sol-lpset-bo

Buffer overflow in Solaris lpset program allows local users to gain root access.

======================================================
Name: CVE-1999-0774
Status: Entry
Reference: BID:617
Reference: URL:http://www.securityfocus.com/bid/617
Reference: BUGTRAQ:19990830 Babcia Padlina Ltd. security advisory: mars_nwe buffer overf
Reference: REDHAT:RHSA1999037_01
Reference: SUSE:19990916 Security hole in mars nwe

Buffer overflows in Mars NetWare Emulation (NWE, mars_nwe) package via long directory names.

======================================================
Name: CVE-1999-0775
Status: Entry
Reference: CISCO:19990610 Cisco IOS Software established Access List Keyword Error
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0775
Reference: XF:cisco-gigaswitch

Cisco Gigabit Switch routers running IOS allow remote attackers to forward unauthorized packets due to improper handling of the "established" keyword in an access list.

======================================================
Name: CVE-1999-0776
Status: Candidate
Phase: Proposed(19991214)
Reference: NTBUGTRAQ:19990506 ".."-hole in Alibaba 2.0
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9905&L=NTBUGTRAQ&P=R1533
Reference: XF:http-alibaba-dotdot

Alibaba HTTP server allows remote attackers to read files via a .. (dot dot) attack.

Current Votes:
   ACCEPT(4) Frech, Levy, Ozancin, Stracener
   MODIFY(1) Baker
   NOOP(6) Armstrong, Blake, Cole, Landfield, LeBlanc, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> This candidate is unconfirmed by the vendor. Posted by Arne Vidstrom.
 Blake> I'd like to change my vote on this from ACCEPT to NOOP.
   I did some digging and the vendor seems to have discontinued the product, so no information is available beyond Arne's post. Unless Andre has a copy in his archive and can test it, I think we have to leave it out.
 Wall> I agree with Blake. We have not seen the product and it has been discontinued.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> If this is (or was) tested by some tool, we should ACCEPT it.
 Baker> http://www.securityfocus.com/bid/270
 Christey> BID:270
   URL:http://www.securityfocus.com/bid/270

======================================================
Name: CVE-1999-0777
Status: Entry
Reference: BID:658
Reference: URL:http://www.securityfocus.com/bid/658
Reference: MS:MS99-039
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-039
Reference: MSKB:Q241407
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241407
Reference: MSKB:Q242559
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q242559
Reference: XF:iis-ftp-no-access-files

IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions.

======================================================
Name: CVE-1999-0778
Status: Entry
Reference: BID:488
Reference: URL:http://www.securityfocus.com/bid/488
Reference: BUGTRAQ:19990626 KSR[T] #011: Accelerated-X
Reference: KSRT:011
Reference: XF:accelx-display-bo

Buffer overflow in Xi Graphics Accelerated-X server allows local users to gain root access via a long display or query parameter.

======================================================
Name: CVE-1999-0779
Status: Entry
Reference: HP:HPSBUX9810-086
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9810-086
Reference: XF:hp-sharedx

Denial of service in HP-UX SharedX recserv program.
======================================================
Name: CVE-1999-0780
Status: Entry
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
Reference: URL:http://marc.info/?l=bugtraq&m=91141486301691&w=2
Reference: XF:kde-klock-process-kill

KDE klock allows local users to kill arbitrary processes by specifying an arbitrary PID in the .kss.pid file.

======================================================
Name: CVE-1999-0781
Status: Entry
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
Reference: URL:http://marc.info/?l=bugtraq&m=91141486301691&w=2
Reference: XF:kde-klock-bindir-trojans

KDE allows local users to execute arbitrary commands by setting the KDEDIR environmental variable to modify the search path that KDE uses to locate its executables.

======================================================
Name: CVE-1999-0782
Status: Entry
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
Reference: URL:http://marc.info/?l=bugtraq&m=91141486301691&w=2
Reference: XF:kde-kppp-directory-create

KDE kppp allows local users to create a directory in an arbitrary location via the HOME environmental variable.

======================================================
Name: CVE-1999-0783
Status: Entry
Reference: CIAC:I-057
Reference: URL:http://www.ciac.org/ciac/bulletins/i-057.shtml
Reference: FREEBSD:FreeBSD-SA-98:05
Reference: OSVDB:6090
Reference: URL:http://www.osvdb.org/6090
Reference: XF:freebsd-nfs-link-dos

FreeBSD allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.
======================================================
Name: CVE-1999-0784
Status: Candidate
Phase: Proposed(20010214)
Reference: BUGTRAQ:19981228 Oracle8 TNSLSNR DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1998_4/0764.html
Reference: BUGTRAQ:19990104 Re: Fw:"NERP" DoS attack possible in Oracle
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999_1/0056.html
Reference: NTBUGTRAQ:19980827 NERP DoS attack possible in Oracle
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998/msg00536.html

Denial of service in Oracle TNSLSNR SQL*Net Listener via a malformed string to the listener port, aka NERP.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Cole

Voter Comments:
 Frech> XF:oracle-tnslsnr-dos(1551)

======================================================
Name: CVE-1999-0785
Status: Entry
Reference: BID:254
Reference: URL:http://www.securityfocus.com/bid/254
Reference: BUGTRAQ:19990511 INN 2.0 and higher. Root compromise potential
Reference: SUSE:19990518 Security hole in INN
Reference: XF:inn-pathrun

The INN inndstart program allows local users to gain root privileges via the "pathrun" parameter in the inn.conf file.

======================================================
Name: CVE-1999-0786
Status: Entry
Reference: BID:659
Reference: URL:http://www.securityfocus.com/bid/659
Reference: BUGTRAQ:19990922 LD_PROFILE local root exploit for solaris 2.6

The dynamic linker in Solaris allows a local user to create arbitrary files via the LD_PROFILE environmental variable and a symlink attack.

======================================================
Name: CVE-1999-0787
Status: Entry
Reference: BID:660
Reference: URL:http://www.securityfocus.com/bid/660
Reference: BUGTRAQ:19990917 A few bugs...
Reference: URL:http://marc.info/?l=bugtraq&m=93760201002154&w=2
Reference: BUGTRAQ:19990924 [Fwd: Truth about ssh 1.2.27 vulnerability]
Reference: URL:http://marc.info/?l=bugtraq&m=93832856804415&w=2
Reference: XF:ssh-socket-auth-symlink-dos

The SSH authentication agent follows symlinks via a UNIX domain socket.

======================================================
Name: CVE-1999-0788
Status: Entry
Reference: BID:662
Reference: URL:http://www.securityfocus.com/bid/662
Reference: BUGTRAQ:19990924 Multiple vendor Knox Arkiea local root/remote DoS
Reference: URL:http://marc.info/?l=bugtraq&m=93837184228248&w=2
Reference: XF:arkiea-backup-nlserverd-remote-dos

Arkiea nlservd allows remote attackers to conduct a denial of service.

======================================================
Name: CVE-1999-0789
Status: Entry
Reference: BID:679
Reference: URL:http://www.securityfocus.com/bid/679
Reference: BUGTRAQ:19990928 Remote bufferoverflow exploit for ftpd from AIX 4.3.2 running on an RS6000
Reference: CIAC:J-072
Reference: URL:http://www.ciac.org/ciac/bulletins/j-072.shtml
Reference: IBM:ERS-SVA-E01-1999:004.1
Reference: XF:aix-ftpd-bo

Buffer overflow in AIX ftpd in the libc library.

======================================================
Name: CVE-1999-0790
Status: Entry
Reference: MISC:http://home.netscape.com/security/notes/jscachebrowsing.html
Reference: XF:netscape-javascript

A remote attacker can read information from a Netscape user's cache via JavaScript.

======================================================
Name: CVE-1999-0791
Status: Entry
Reference: BID:695
Reference: URL:http://www.securityfocus.com/bid/695
Reference: BUGTRAQ:19991006 KSR[T] Advisories #012: Hybrid Network's Cable Modems
Reference: KSRT:012
Reference: XF:hybrid-anon-cable-modem-reconfig

Hybrid Network cable modems do not include an authentication mechanism for administration, allowing remote attackers to compromise the system through the HSMP protocol.
======================================================
Name: CVE-1999-0792
Status: Candidate
Phase: Modified(20000827)
Reference: MISC:http://www2.merton.ox.ac.uk/~security/rootshell/0022.html

ROUTERmate has a default SNMP community name which allows remote attackers to modify its configuration.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Stracener
   NOOP(1) Christey
   REVIEWING(1) Levy

Voter Comments:
 Stracener> Change the Ref to read: ROOTSHELL: Osicom Technologies ROUTERmate Security Advisory
 Frech> XF:routermate-snmp-community
 Christey> BUGTRAQ:19980914 [rootshell] Security Bulletin #23
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90581019105693&w=2

======================================================
Name: CVE-1999-0793
Status: Entry
Reference: MS:MS99-043
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-043
Reference: XF:ie-java-redirect

Internet Explorer allows remote attackers to read files by redirecting data to a Javascript applet.

======================================================
Name: CVE-1999-0794
Status: Entry
Reference: MS:MS99-044
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-044
Reference: MSKB:Q241900
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241900
Reference: MSKB:Q241901
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241901
Reference: MSKB:Q241902
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241902
Reference: XF:excel-sylk

Microsoft Excel does not warn a user when a macro is present in a Symbolic Link (SYLK) format file.
======================================================
Name: CVE-1999-0795
Status: Candidate
Phase: Proposed(19991222)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0795
Reference: NAI:NAI-27

The NIS+ rpc.nisd server allows remote attackers to execute certain RPC calls without authentication to obtain system information, disable logging, or modify caches.

Current Votes:
   ACCEPT(2) Baker, Stracener
   MODIFY(1) Frech
   NOOP(1) Ozancin

Voter Comments:
 Frech> XF:sun-nisplus

======================================================
Name: CVE-1999-0796
Status: Entry
Reference: FREEBSD:SA-98.03
Reference: OSVDB:6089
Reference: URL:http://www.osvdb.org/6089
Reference: XF:freebsd-ttcp-spoof

FreeBSD T/TCP Extensions for Transactions can be subjected to spoofing attacks.

======================================================
Name: CVE-1999-0797
Status: Entry
Reference: CIAC:I-070
Reference: URL:http://www.ciac.org/ciac/bulletins/i-070.shtml
Reference: ISS:19980629 Distributed DoS attack against NIS/NIS+ based networks.
Reference: XF:sun-nis-nisplus

NIS finger allows an attacker to conduct a denial of service via a large number of finger requests, resulting in a large number of NIS queries.

======================================================
Name: CVE-1999-0798
Status: Candidate
Phase: Proposed(19991222)
Reference: BUGTRAQ:19981204 bootpd remote vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=91278867118128&w=2

Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux systems via a malformed header type.

Current Votes:
   ACCEPT(3) Baker, Ozancin, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389 has January 1999 dates associated with it, while CVE-1999-0798 was reported in late December.
   http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2
   SCO appears to have acknowledged this as well:
   ftp://ftp.sco.com/SSE/security_bulletins/SB-99.01a
   The poster also claims that OpenBSD fixed this as well.
 Frech> XF:bootp-remote-bo
 Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
 CHANGE> [Christey changed vote from REJECT to NOOP]
 Christey> What was I thinking? Brian Caswell pointed out that this is *not* the same bug as CVE-1999-0799. As reported in the 1998 Bugtraq post, the bug is in bootpd.c, and is related to providing an htype value that is used as an index into an array, and exceeds the intended boundaries of that array.

======================================================
Name: CVE-1999-0799
Status: Entry
Reference: BUGTRAQ:19970725 Exploitable buffer overflow in bootpd (most unices)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0799
Reference: XF:bootpd-bo

Buffer overflow in bootpd 2.4.3 and earlier via a long boot file location.

======================================================
Name: CVE-1999-0800
Status: Entry
Reference: ALLAIRE:ASB99-05
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=9602&Method=Full
Reference: NTBUGTRAQ:19990211 ACFUG List: Alert: Allaire Forums GetFile bug
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00332.html
Reference: OSVDB:944
Reference: URL:http://www.osvdb.org/944
Reference: XF:allaire-forums-file-read(1748)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1748

The GetFile.cfm file in Allaire Forums allows remote attackers to read files through a parameter to GetFile.cfm.
======================================================
Name: CVE-1999-0801
Status: Entry
Reference: BUGTRAQ:19990409 Patrol security bugs
Reference: URL:http://www.securityfocus.com/archive/1/13204
Reference: XF:bmc-patrol-frames(2075)
Reference: URL:http://www.iss.net/security_center/static/2075.php

BMC Patrol allows remote attackers to gain access to an agent by spoofing frames.

======================================================
Name: CVE-1999-0802
Status: Entry
Reference: BUGTRAQ:19990503 MSIE 5 FAVICON BUG
Reference: MS:MS99-018
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-018
Reference: MSKB:Q231450
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231450
Reference: XF:ie-favicon

Buffer overflow in Internet Explorer 5 allows remote attackers to execute commands via a malformed Favorites icon.

======================================================
Name: CVE-1999-0803
Status: Entry
Reference: BUGTRAQ:19990525 IBM eNetwork Firewall for AIX
Reference: URL:http://marc.info/?l=bugtraq&m=92765973207648&w=2
Reference: OSVDB:962
Reference: URL:http://www.osvdb.org/962
Reference: XF:ibm-enfirewall-tmpfiles

The fwluser script in AIX eNetwork Firewall allows local users to write to arbitrary files via a symlink attack.

======================================================
Name: CVE-1999-0804
Status: Entry
Reference: BID:302
Reference: URL:http://www.securityfocus.com/bid/302
Reference: BUGTRAQ:19990601 Linux kernel 2.2.x vulnerability/exploit
Reference: CALDERA:CSSA-1999:013
Reference: DEBIAN:19990607
Reference: REDHAT:19990603 Kernel Update
Reference: SUSE:19990602 Denial of Service on the 2.2 kernel

Denial of service in Linux 2.2.x kernels via malformed ICMP packets containing unusual types, codes, and IP header lengths.
======================================================
Name: CVE-1999-0805
Status: Candidate
Phase: Proposed(20010214)
Reference: BUGTRAQ:19990512 DoS with Netware 4.x's TTS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999_2/0439.html
Reference: XF:novell-tts-dos(2184)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2184

Novell NetWare Transaction Tracking System (TTS) in Novell 4.11 and earlier allows remote attackers to cause a denial of service via a large number of requests.

Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(2) Christey, Cole

Voter Comments:
 Christey> BID:276
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=276
 Frech> XF:novell-tts-dos

======================================================
Name: CVE-1999-0806
Status: Entry
Reference: BUGTRAQ:19990510 Solaris2.6,2.7 dtprintinfo exploits
Reference: OSVDB:6552
Reference: URL:http://www.osvdb.org/6552
Reference: XF:cde-dtprintinfo

Buffer overflow in Solaris dtprintinfo program.

======================================================
Name: CVE-1999-0807
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0807
Reference: XF:netscape-dirsvc-password

The Netscape Directory Server installation procedure leaves sensitive information in a file that is accessible to local users.

======================================================
Name: CVE-1999-0808
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980518 DHCP 1.0 and 2.0 SECURITY ALERT! (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=90221101925960&w=2
Reference: CIAC:I-053
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-053.shtml
Reference: MISC:ftp://ftp.isc.org/isc/dhcp/dhcp-1.0-history/dhcp-1.0.0-1.0pl1.diff.gz

Multiple buffer overflows in ISC DHCP Distribution server (dhcpd) 1.0 and 2.0 allow a remote attacker to cause a denial of service (crash) and possibly execute arbitrary commands via long options.
Current Votes:
   ACCEPT(4) Armstrong, Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:dhcp-remote-dos(7248)

======================================================
Name: CVE-1999-0809
Status: Entry
Reference: BUGTRAQ:19990709 Communicator 4.[56]x, JavaScript used to bypass cookie settings
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0809

Netscape Communicator 4.x with Javascript enabled does not warn a user of cookie settings, even if they have selected the option to "Only accept cookies originating from the same server as the page being viewed".

======================================================
Name: CVE-1999-0810
Status: Entry
Reference: BUGTRAQ:19990721 Samba 2.0.5 security fixes
Reference: CALDERA:CSSA-1999:018.0
Reference: DEBIAN:19990731
Reference: DEBIAN:19990804
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0810
Reference: REDHAT:RHSA-1999:022-02
Reference: SUSE:19990816 Security hole in Samba

Denial of service in Samba NETBIOS name service daemon (nmbd).

======================================================
Name: CVE-1999-0811
Status: Entry
Reference: BID:536
Reference: URL:http://www.securityfocus.com/bid/536
Reference: BUGTRAQ:19990721 Samba 2.0.5 security fixes
Reference: CALDERA:CSSA-1999:018.0
Reference: DEBIAN:19990731 Samba
Reference: REDHAT:RHSA-1999:022-02
Reference: SUSE:19990816 Security hole in Samba
Reference: XF:samba-message-bo

Buffer overflow in Samba smbd program via a malformed message command.
======================================================
Name: CVE-1999-0812
Status: Entry
Reference: BUGTRAQ:19990721 Samba 2.0.5 security fixes
Reference: CALDERA:CSSA-1999:018.0
Reference: DEBIAN:19990731
Reference: DEBIAN:19990804
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0812
Reference: REDHAT:RHSA-1999:022-02
Reference: SUSE:19990816 Security hole in Samba

Race condition in Samba smbmnt allows local users to mount file systems in arbitrary locations.

======================================================
Name: CVE-1999-0813
Status: Entry
Reference: BUGTRAQ:19980724 CFINGERD root security hole
Reference: BUGTRAQ:19990810 Severe bug in cfingerd before 1.4.0
Reference: DEBIAN:19990814
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0813
Reference: XF:cfingerd-privileges

Cfingerd with ALLOW_EXECUTION enabled does not properly drop privileges when it executes a program on behalf of the user, allowing local users to gain root privileges.

======================================================
Name: CVE-1999-0814
Status: Entry
Reference: REDHAT:RHSA-1999:027
Reference: URL:http://www.redhat.com/support/errata/RHSA-1999-027.html

Red Hat pump DHCP client allows remote attackers to gain root access in some configurations.

======================================================
Name: CVE-1999-0815
Status: Entry
Reference: MSKB:Q196270
Reference: URL:http://support.microsoft.com/support/kb/articles/q196/2/70.asp
Reference: OVAL:oval:org.mitre.oval:def:952
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A952
Reference: XF:nt-snmpagent-leak(1974)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1974

Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries.
======================================================
Name: CVE-1999-0816
Status: Candidate
Phase: Modified(20000313)
Reference: BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters
Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9805B&L=bugtraq&P=R1621
Reference: XF:motorola-cable-default-pass

The Motorola CableRouter allows any remote user to connect to and configure the router on port 1024.

Current Votes:
   ACCEPT(3) Baker, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, LeBlanc

Voter Comments:
 Christey> This candidate is unconfirmed by the vendor.
 Frech> XF:motorola-cable-default-pass

======================================================
Name: CVE-1999-0817
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0817
Reference: SUSE:19990915 Security hole in lynx

Lynx WWW client allows a remote attacker to specify command-line parameters which Lynx uses when calling external programs to handle certain protocols, e.g. telnet.

======================================================
Name: CVE-1999-0818
Status: Candidate
Phase: Proposed(19991208)
Reference: BID:831
Reference: URL:http://www.securityfocus.com/bid/831
Reference: BUGTRAQ:19991130 another hole of Solaris7 kcms_configure
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38433B7F5A.53F4SHADOWPENGUIN@fox.nightland.net

Buffer overflow in Solaris kcms_configure via a long NETPATH environmental variable.

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(4) Cole, Dik, Frech, Prosser
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Cole> This can cause code to be executed.
 Frech> XF:sol-kcms-conf-netpath-bo
 Dik> the bug has nothing to do with kcms_configure; it's a bug in libnsl.so. All set-uid executables that trigger this code path are vulnerable. Sun bug 4295834; fixed in Solaris 8.
 Prosser> Okay, I am confused.
   Based on Casper's comments and checking on the Sun patch site, I found the 4295834 bug (4295834 NETPATH security problem in libnsl) fixed in SunOS 5.4, Patch 101974-37 (x86) 101973 (sparc). Multiple libnsl vulnerabilities were first reported in a 98 Sun Bulletin #00172 for 5.4 up through 2.6. Was this NETPATH a problem that resurfaced in 7 (looks like in 5.4 as well) and was fixed in 8?
 Christey> Need to dig up my offline email on this.
 Christey> May be a duplicate of CVE-1999-0321, whose sole reference (XF:sun-kcms-configure-bo) no longer exists. Also examine BID:452 and BUGTRAQ:19981223 Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Updated) which are the same as XF:sol-kcms-conf-p-bo(3652), which could be the new name for XF:sun-kcms-configure-bo.

======================================================
Name: CVE-1999-0819
Status: Entry
Reference: BUGTRAQ:19991130 NTmail and VRFY
Reference: URL:http://marc.info/?l=bugtraq&m=94398141118586&w=2
Reference: NTBUGTRAQ:19991130 NTmail and VRFY
Reference: XF:nt-mail-vrfy

NTMail does not disable the VRFY command, even if the administrator has explicitly disabled it.

======================================================
Name: CVE-1999-0820
Status: Entry
Reference: BID:838
Reference: URL:http://www.securityfocus.com/bid/838
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Reference: OSVDB:5996
Reference: URL:http://www.osvdb.org/5996
Reference: XF:freebsd-seyon-dir-add

FreeBSD seyon allows users to gain privileges via a modified PATH variable for finding the xterm and seyon-emu commands.

======================================================
Name: CVE-1999-0821
Status: Candidate
Phase: Proposed(19991208)
Reference: BID:838
Reference: URL:http://www.securityfocus.com/bid/838
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities

FreeBSD seyon allows local users to gain privileges by providing a malicious program in the -emulator argument.
Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(2) Baker, Christey
   REJECT(1) Cole
   REVIEWING(1) Prosser

Voter Comments:
 Cole> I would combine this with the previous. To me the general vulnerabilities are similar; it is just the end result that changes.
 Frech> XF:freebsd-seyon-setgid
 Christey> ADDREF? CALDERA:CSSA-1999-037.0

======================================================
Name: CVE-1999-0822
Status: Candidate
Phase: Proposed(19991208)
Reference: BID:830
Reference: URL:http://www.securityfocus.com/bid/830
Reference: BUGTRAQ:19991130 qpop3.0b20 and below - notes and exploit
Reference: BUGTRAQ:19991130 serious Qpopper 3.0 vulnerability

Buffer overflow in Qpopper (qpop) 3.0 allows remote root access via AUTH command.

Current Votes:
   ACCEPT(4) Armstrong, Baker, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Prosser

Voter Comments:
 Frech> XF:qpopper-auth-bo
 Christey> ADDREF? DEBIAN:19991215 buffer overflow in qpopper v3.0
   ADDREF XF:qpopper-auth-bo

======================================================
Name: CVE-1999-0823
Status: Entry
Reference: BID:839
Reference: URL:http://www.securityfocus.com/bid/839
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Reference: OSVDB:1150
Reference: URL:http://www.osvdb.org/1150
Reference: XF:freebsd-xmindpath

Buffer overflow in FreeBSD xmindpath allows local users to gain privileges via -f argument.

======================================================
Name: CVE-1999-0824
Status: Entry
Reference: BID:833
Reference: URL:http://www.securityfocus.com/bid/833
Reference: BUGTRAQ:19991130 Subst.exe carelessness (fwd)
Reference: NTBUGTRAQ:19991130 SUBST problem

A Windows NT user can use SUBST to map a drive letter to a folder, which is not unmapped after the user logs off, potentially allowing that user to modify the location of folders accessed by later users.
======================================================
Name: CVE-1999-0825
Status: Candidate
Phase: Modified(20000121)
Reference: BID:849
Reference: URL:http://www.securityfocus.com/bid/849
Reference: BUGTRAQ:19991203 UnixWare read/modify users' mail
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.

The default permissions for UnixWare /var/mail allow local users to read and modify other users' mail.

Current Votes:
   ACCEPT(4) Armstrong, Baker, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Prosser

Voter Comments:
 Frech> XF:sco-mail-permissions
 Christey> ADDREF ftp://ftp.sco.com/SSE/security_bulletins/SB-99.25a

======================================================
Name: CVE-1999-0826
Status: Entry
Reference: BID:840
Reference: URL:http://www.securityfocus.com/bid/840
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Reference: OSVDB:1151
Reference: URL:http://www.osvdb.org/1151
Reference: XF:angband-bo

Buffer overflow in FreeBSD angband allows local users to gain privileges.

======================================================
Name: CVE-1999-0827
Status: Candidate
Phase: Proposed(19991208)
Reference: BUGTRAQ:19991130 Default IE 5.0 security settings allow frame spoofing
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0827

By default, Internet Explorer 5.0 and other versions enable the "Navigate sub-frames across different domains" option, which allows frame spoofing.

Current Votes:
   ACCEPT(4) Armstrong, Baker, LeBlanc, Stracener
   MODIFY(2) Cole, Frech
   REVIEWING(1) Prosser

Voter Comments:
 Cole> The BID is 855. If I have the right vulnerability, this allows an attacker to access URLs of their choosing, which could lead to a compromise of private information.
 Frech> XF:http-frame-spoof
   Question: Similar vulnerability to MS98-020 / CVE-1999-0869?
 LeBlanc> MSRC tells me this is patched in MS00-009

======================================================
Name: CVE-1999-0828
Status: Candidate
Phase: Modified(20000121)
Reference: BID:853
Reference: URL:http://www.securityfocus.com/bid/853
Reference: BUGTRAQ:19991203 UnixWare and the dacread permission
Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.

UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow local users to read arbitrary files via the dacread permission.

Current Votes:
   ACCEPT(3) Armstrong, Baker, Stracener
   MODIFY(2) Cole, Frech
   REVIEWING(2) Christey, Prosser

Voter Comments:
 Cole> This is BID 850.
 Christey> See comments on CVE-1999-0988. Perhaps these two should be merged. ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a loosely alludes to this problem; the README for patch SSE053 effectively confirms it.
 Frech> XF:sco-pkg-dacread-fileread

======================================================
Name: CVE-1999-0829
Status: Candidate
Phase: Proposed(19991208)
Reference: BUGTRAQ:19991201 HP Secure Web Console
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0829

HP Secure Web Console uses weak encryption.

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(2) Baker, Cole
   REVIEWING(1) Prosser

Voter Comments:
 Cole> I could not find details on this using the above references.
 Frech> XF:hp-secure-console

======================================================
Name: CVE-1999-0830
Status: Candidate
Phase: Proposed(19991208)
Reference: BUGTRAQ:19991126 [w00giving '99 #6]: UnixWare 7's Xsco
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0830

Buffer overflow in SCO UnixWare Xsco command via a long argument.
Current Votes:
   ACCEPT(3) Armstrong, Baker, Stracener
   MODIFY(3) Cole, Frech, Prosser
   REVIEWING(1) Christey

Voter Comments:
 Cole> This is BID 824 and the BUGTRAQ reference is 19991125.
 Frech> XF:sco-unixware-xsco
 Christey> Confirmed by vendor, albeit vaguely: http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2
 Prosser> Agree with Steve on vendor confirmation; however, not sure the fix ref'd in BID 824 (SSE041) is right. It lists fixes for libnsl and tcpip.so, nothing about xsco. SSE050b (ftp://ftp.sco.com/SSE/security_bulletins/SB-99.26b) fixes a buffer overflow in xsco on OpenServer (the vendor message Steve refers to) but not the UnixWare vulnerability reported on Bugtraq and in BID 824. Anyone more familiar with SCO shed some light on this? Are they the same codebase, so the fix would be the same? From the SCO site it seems the UnixWare and OpenServer products are similar but have differences.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> BID:824
   http://www.securityfocus.com/bid/824

======================================================
Name: CVE-1999-0831
Status: Entry
Reference: BID:809
Reference: URL:http://www.securityfocus.com/bid/809
Reference: BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available]
Reference: CALDERA:CSSA-1999-035.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-035.0.txt
Reference: REDHAT:RHSA1999055-01
Reference: SUSE:19991118 syslogd-1.3.33 (a1)
Reference: XF:slackware-syslogd-dos

Denial of service in Linux syslogd via a large number of connections.
======================================================
Name: CVE-1999-0832
Status: Entry
Reference: BID:782
Reference: URL:http://www.securityfocus.com/bid/782
Reference: BUGTRAQ:19991109 undocumented bugs - nfsd
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.20.9911091058140.12964-100000@mail.zigzag.pl
Reference: BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available]
Reference: CALDERA:CSSA-1999-033.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-033.0.txt
Reference: DEBIAN:19991111 buffer overflow in nfs server
Reference: URL:http://www.debian.org/security/1999/19991111
Reference: REDHAT:RHSA-1999:053-01
Reference: URL:http://www.redhat.com/support/errata/rh42-errata-general.html#NFS
Reference: SUSE:19991110 Security hole in nfs-server < 2.2beta47 within nkita
Reference: URL:http://www.novell.com/linux/security/advisories/suse_security_announce_29.html
Reference: XF:linux-nfs-maxpath-bo

Buffer overflow in NFS server on Linux allows attackers to execute commands via a long pathname.

======================================================
Name: CVE-1999-0833
Status: Entry
Reference: BID:788
Reference: URL:http://www.securityfocus.com/bid/788
Reference: CALDERA:CSSA-1999-034.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt
Reference: CERT:CA-99-14
Reference: DEBIAN:19991116 Denial of service vulnerabilities in bind
Reference: REDHAT:RHSA-1999:054-01
Reference: SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL
Reference: XF:bind-nxt-bo

Buffer overflow in BIND 8.2 via NXT records.
======================================================
Name: CVE-1999-0834
Status: Entry
Reference: BID:843
Reference: URL:http://www.securityfocus.com/bid/843
Reference: BUGTRAQ:19991201 Security Advisory: Buffer overflow in RSAREF2
Reference: BUGTRAQ:19991202 OpenBSD sslUSA26 advisory (Re: CORE-SDI: Buffer overflow in RSAREF2)
Reference: CERT:CA-99-15
Reference: XF:rsaref-bo

Buffer overflow in RSAREF2 via the encryption and decryption functions in the RSAREF library.

======================================================
Name: CVE-1999-0835
Status: Entry
Reference: BID:788
Reference: URL:http://www.securityfocus.com/bid/788
Reference: CALDERA:CSSA-1999-034.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt
Reference: CERT:CA-99-14
Reference: DEBIAN:19991116 Denial of service vulnerabilities in bind
Reference: REDHAT:RHSA-1999:054-01
Reference: SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL
Reference: XF:bind-sigrecord-dos

Denial of service in BIND named via malformed SIG records.

======================================================
Name: CVE-1999-0836
Status: Entry
Reference: BID:842
Reference: URL:http://www.securityfocus.com/bid/842
Reference: BUGTRAQ:19991202 UnixWare 7 uidadmin exploit + discussion
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991202160111.20553.qmail@nwcst282.netaddress.usa.net
Reference: SCO:SB-99.22a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.22a
Reference: XF:unixware-uid-admin

UnixWare uidadmin allows local users to modify arbitrary files via a symlink attack.
======================================================
Name: CVE-1999-0837
Status: Entry
Reference: BID:788
Reference: URL:http://www.securityfocus.com/bid/788
Reference: CALDERA:CSSA-1999-034.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt
Reference: CERT:CA-99-14
Reference: DEBIAN:19991116 Denial of service vulnerabilities in bind
Reference: REDHAT:RHSA-1999:054-01
Reference: SUN:00194
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/194
Reference: SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL
Reference: XF:bind-solinger-dos

Denial of service in BIND by improperly closing TCP sessions via so_linger.

======================================================
Name: CVE-1999-0838
Status: Entry
Reference: BID:859
Reference: URL:http://www.securityfocus.com/bid/859
Reference: BUGTRAQ:19991202 Remote DoS Attack in Serv-U FTP-Server v2.5a Vulnerability
Reference: XF:servu-ftp-site-bo

Buffer overflow in Serv-U FTP 2.5 allows remote users to conduct a denial of service via the SITE command.

======================================================
Name: CVE-1999-0839
Status: Entry
Reference: BID:828
Reference: URL:http://www.securityfocus.com/bid/828
Reference: MS:MS99-051
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-051
Reference: MSKB:Q246972
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q246972
Reference: NTBUGTRAQ:19991130 Windows NT Task Scheduler vulnerability allows user to administrator elevation
Reference: XF:ie-task-scheduler-privs

Windows NT Task Scheduler installed with Internet Explorer 5 allows a user to gain privileges by modifying the job after it has been scheduled.
======================================================
Name: CVE-1999-0840
Status: Candidate
Phase: Modified(20071022)
Reference: BID:832
Reference: URL:http://www.securityfocus.com/bid/832
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow
Reference: URL:http://www.security-express.com/archives/bugtraq/1999-q4/0122.html
Reference: MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html
Reference: XF:solaris-dtmail-overflow(3579)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3579
Reference: XF:solaris-dtmailpr-overflow(3580)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3580

Buffer overflow in CDE dtmail and dtmailpr programs allows local users to gain privileges via a long -f option.

Current Votes:
   ACCEPT(4) Armstrong, Baker, Dik, Stracener
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Prosser

Voter Comments:
 Cole> I went to 1129 and it looks like a reference for a different vulnerability.
 Frech> In the description, should dtmailptr be dtmailpr?
   XF:solaris-dtmailpr-overflow
   XF:solaris-dtmail-overflow
 Dik> sun bug: 4166321

======================================================
Name: CVE-1999-0841
Status: Candidate
Phase: Modified(20071022)
Reference: BID:832
Reference: URL:http://www.securityfocus.com/bid/832
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow
Reference: URL:http://www.security-express.com/archives/bugtraq/1999-q4/0122.html
Reference: MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html
Reference: XF:cde-mailtool-bo(3732)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3732

Buffer overflow in CDE mailtool allows local users to gain root privileges via a long MIME Content-Type.
Current Votes:
   ACCEPT(5) Armstrong, Baker, Cole, Dik, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser

Voter Comments:
 Frech> XF:cde-mailtool-bo
 Dik> bug 4163471 (Root access is only possible when mail is sent to root and he uses dtmail to read it)

======================================================
Name: CVE-1999-0842
Status: Entry
Reference: BID:827
Reference: URL:http://www.securityfocus.com/bid/827
Reference: BUGTRAQ:19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=NCBBKFKDOLAGKIAPMILPCEAFCBAA.labs@ussrback.com
Reference: NTBUGTRAQ:19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability
Reference: OSVDB:1144
Reference: URL:http://www.osvdb.org/1144
Reference: XF:symantec-mail-dir-traversal

Symantec Mail-Gear 1.0 web interface server allows remote users to read arbitrary files via a .. (dot dot) attack.

======================================================
Name: CVE-1999-0843
Status: Candidate
Phase: Proposed(19991208)
Reference: BUGTRAQ:19991104 Cisco NAT DoS (VD#1)
Reference: BUGTRAQ:19991128 Re: Cisco NAT DoS (VD#1)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0843

Denial of service in Cisco routers running NAT via a PORT command from an FTP client to a Telnet port.

Current Votes:
   ACCEPT(3) Balinsky, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Armstrong, Baker
   REVIEWING(3) Christey, Prosser, Ziese

Voter Comments:
 Frech> XF:cisco-nat-dos
 Christey> Mike Prosser's REVIEWING vote expires July 17, 2000
 Ziese> After reviewing http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml I can not confirm this exists unless it's restructured to describe a problem against IOS per se, not NAT per se. I am reviewing this and it may take some time.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> Not sure if Kevin's suggested reference really describes this one.
   However, a followup email by Jim Duncan of Cisco does acknowledge the problem as discussed in the Bugtraq post: http://marc.theaimsgroup.com/?l=vuln-dev&m=94385601831585&w=2
   The original post is: http://marc.theaimsgroup.com/?l=bugtraq&m=94184947504814&w=2
   It could be that the researcher believed that the problem was NAT, but in fact it wasn't. I need to follow up with Ziese/Balinsky on this one.

======================================================
Name: CVE-1999-0844
Status: Candidate
Phase: Proposed(19991208)
Reference: BID:820
Reference: URL:http://www.securityfocus.com/bid/820
Reference: BID:823
Reference: URL:http://www.securityfocus.com/bid/823
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability
Reference: NTBUGTRAQ:19991124 Remote DoS Attack in WorldClient Server v2.0.0.0 Vulnerability

Denial of service in MDaemon WorldClient and WebConfig services via a long URL.

Current Votes:
   ACCEPT(2) Baker, Stracener
   MODIFY(2) Cole, Frech
   NOOP(1) Armstrong
   RECAST(1) Christey
   REVIEWING(1) Prosser

Voter Comments:
 Cole> 823 and 820 are two different vulnerabilities and should be separated out. They are both buffer overflows but accomplish it in a different fashion, and the end exploit is different.
 Frech> (RECAST?)
   XF:mdaemon-worldclient-dos
   XF:mdaemon-webconfig-dos
   Recast request: This is really two services exhibiting the same problem.
 Christey> as suggested by others. Also see confirmation at: http://mdaemon.deerfield.com/helpdesk/hotfix.cfm

======================================================
Name: CVE-1999-0845
Status: Candidate
Phase: Proposed(19991208)
Reference: BUGTRAQ:19991126 [w00giving '99 #5 and w00news]: UnixWare 7's su
Reference: BUGTRAQ:19991128 SCO su patches
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0845
Reference: SCO:99.19

Buffer overflow in SCO su program allows local users to gain root access via a long username.
Current Votes:
   ACCEPT(4) Armstrong, Cole, Prosser, Stracener
   MODIFY(1) Frech
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Christey> DUPE CVE-1999-0317?
 Frech> XF:sco-su-username-bo
 Christey> ADDREF BID:826
   CONFIRM:ftp://ftp.sco.com/SSE/sse039.tar.Z

======================================================
Name: CVE-1999-0846
Status: Candidate
Phase: Proposed(19991208)
Reference: BUGTRAQ:19991129 MDaemon 2.7 J DoS
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability
Reference: MISC:https://marc.info/?l=bugtraq&m=94398020817351&w=2

Denial of service in MDaemon 2.7 via a large number of connection attempts.

Current Votes:
   ACCEPT(5) Armstrong, Baker, Cole, Prosser, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:mdaemon-dos
 Christey> CVE-1999-0844 is confirmed by MDaemon at http://mdaemon.deerfield.com/helpdesk/hotfix.cfm but there is no apparent confirmation for this problem, even though it was posted the same day.
 Prosser> Looks like, from a follow-on message on Bugtraq from Nobuo <http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-28&msg=199912011604.HJI39569.BX-NOJ@lac.co.jp>, Deerfield sent a reply about the DoS problems in MDaemon 2.8.5 that also talks about fixing the 2.7 J DoS that Nobuo initially reported. Can't find the original message, so it may have been limited distro. Looks like an upgrade to the latest release might be the final solution here.

======================================================
Name: CVE-1999-0847
Status: Entry
Reference: BUGTRAQ:19991129 FICS buffer overflow
Reference: MISC:https://marc.info/?l=bugtraq&m=94407791819019&w=2
Reference: XF:fics-board-bo

Buffer overflow in free internet chess server (FICS) program, xboard.
======================================================
Name: CVE-1999-0848
Status: Entry
Reference: BID:788
Reference: URL:http://www.securityfocus.com/bid/788
Reference: CALDERA:CSSA-1999-034.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt
Reference: CERT:CA-99-14
Reference: DEBIAN:19991116 Denial of service vulnerabilities in bind
Reference: REDHAT:RHSA-1999:054-01
Reference: SUN:00194
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/194
Reference: SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL
Reference: XF:bind-fdmax-dos

Denial of service in BIND named via consuming more than "fdmax" file descriptors.

======================================================
Name: CVE-1999-0849
Status: Entry
Reference: BID:788
Reference: URL:http://www.securityfocus.com/bid/788
Reference: CALDERA:CSSA-1999-034.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt
Reference: CERT:CA-99-14
Reference: DEBIAN:19991116 Denial of service vulnerabilities in bind
Reference: REDHAT:RHSA-1999:054-01
Reference: SUN:00194
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/194
Reference: SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL
Reference: XF:bind-maxdname-bo

Denial of service in BIND named via maxdname.

======================================================
Name: CVE-1999-0850
Status: Candidate
Phase: Proposed(19991208)
Reference: BID:845
Reference: URL:http://www.securityfocus.com/bid/845
Reference: BUGTRAQ:19991202 Insecure default permissions for MailMan Professional Edition, version 3.0.18

The default permissions for Endymion MailMan allow local users to read email or modify files.
Current Votes:
   ACCEPT(2) Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Armstrong, Baker
   REVIEWING(1) Prosser

Voter Comments:
 Frech> XF:endymion-mailman-perms

======================================================
Name: CVE-1999-0851
Status: Entry
Reference: BID:788
Reference: URL:http://www.securityfocus.com/bid/788
Reference: CALDERA:CSSA-1999-034.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt
Reference: CERT:CA-99-14
Reference: DEBIAN:19991116 Denial of service vulnerabilities in bind
Reference: REDHAT:RHSA-1999:054-01
Reference: SUN:00194
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/194
Reference: SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL
Reference: XF:bind-naptr-dos

Denial of service in BIND named via naptr.

======================================================
Name: CVE-1999-0852
Status: Candidate
Phase: Proposed(19991208)
Reference: BID:844
Reference: URL:http://www.securityfocus.com/bid/844
Reference: BUGTRAQ:19991202 WebSphere protections from installation

IBM WebSphere sets permissions that allow a local user to modify a deinstallation script or its data files stored in /usr/bin.

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Baker
   REVIEWING(1) Prosser

Voter Comments:
 Frech> XF:websphere-protect

======================================================
Name: CVE-1999-0853
Status: Entry
Reference: BID:847
Reference: URL:http://www.securityfocus.com/bid/847
Reference: ISS:19991201 Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure
Reference: XF:netscape-fasttrack-auth-bo

Buffer overflow in Netscape Enterprise Server and Netscape FastTrack Server allows remote attackers to gain privileges via the HTTP Basic Authentication procedure.

======================================================
Name: CVE-1999-0854
Status: Entry
Reference: BUGTRAQ:19991130 Ultimate Bulletin Board v5.3x? Bug
Reference: BUGTRAQ:20000225 FW: Important UBB News For Licensed Users
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-22&msg=NDBBLKOPOLNKELHPDEFKIEPGCAAA.renzo.toma@veronica.nl
Reference: CONFIRM:http://www.ultimatebb.com/home/versions.shtml
Reference: XF:http-ultimate-bbs

Ultimate Bulletin Board stores data files in the cgi-bin directory, allowing remote attackers to view the data if an error occurs when the HTTP server attempts to execute the file.

======================================================
Name: CVE-1999-0855
Status: Candidate
Phase: Proposed(19991208)
Reference: BID:834
Reference: URL:http://www.securityfocus.com/bid/834
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit

Buffer overflow in FreeBSD gdc program.

Current Votes:
   ACCEPT(3) Armstrong, Prosser, Stracener
   MODIFY(2) Cole, Frech
   NOOP(2) Baker, Christey

Voter Comments:
 Cole> The BID is 834 and the reference is 19991201 not 1130.
 Frech> XF:freebsd-gdc-bo
 Christey> ADDREF BID:780 ?

======================================================
Name: CVE-1999-0856
Status: Entry
Reference: BUGTRAQ:19991202 Slackware 7.0 - login bug
Reference: MISC:https://marc.info/?l=bugtraq&m=94416739411280&w=2
Reference: XF:slackware-remote-login

login in Slackware 7.0 allows remote attackers to identify valid users on the system by reporting an encryption error when an account is locked or does not exist.

======================================================
Name: CVE-1999-0857
Status: Candidate
Phase: Proposed(19991208)
Reference: BID:835
Reference: URL:http://www.securityfocus.com/bid/835
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit

FreeBSD gdc program allows local users to modify files via a symlink attack.

Current Votes:
   ACCEPT(3) Armstrong, Prosser, Stracener
   MODIFY(2) Cole, Frech
   NOOP(1) Baker

Voter Comments:
 Cole> This is via debug output.
 Frech> XF:freebsd-gdc

======================================================
Name: CVE-1999-0858
Status: Entry
Reference: BID:846
Reference: URL:http://www.securityfocus.com/bid/846
Reference: MS:MS99-054
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-054
Reference: MSKB:Q247333
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q247333
Reference: XF:ie-wpad-proxy-settings

Internet Explorer 5 allows a remote attacker to modify the IE client's proxy configuration via a malicious Web Proxy Auto-Discovery (WPAD) server.

======================================================
Name: CVE-1999-0859
Status: Entry
Reference: BID:837
Reference: URL:http://www.securityfocus.com/bid/837
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities
Reference: OSVDB:6994
Reference: URL:http://www.osvdb.org/6994
Reference: SUNBUG:4296166
Reference: XF:sol-arp-parse

Solaris arp allows local users to read files via the -f parameter, which lists lines in the file that do not parse properly.

======================================================
Name: CVE-1999-0860
Status: Candidate
Phase: Proposed(19991208)
Reference: BID:837
Reference: URL:http://www.securityfocus.com/bid/837
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities

Solaris chkperm allows local users to read files owned by bin via the VMSYS environmental variable and a symlink attack.

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Dik, Frech
   NOOP(2) Baker, Christey
   REJECT(1) Cole
   REVIEWING(1) Prosser

Voter Comments:
 Cole> This is the same as the previous.
 Frech> XF:sol-chkperm-vmsys
 Dik> include reference to Sun bug 4296167
 Christey> Remove BID:837, which is for arp, not chkperm

======================================================
Name: CVE-1999-0861
Status: Entry
Reference: MS:MS99-053
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-053
Reference: MSKB:Q244613
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q244613
Reference: XF:iis-ssl-isapi-filter

Race condition in the SSL ISAPI filter in IIS and other servers may leak information in plaintext.

======================================================
Name: CVE-1999-0862
Status: Candidate
Phase: Proposed(19991208)
Reference: BUGTRAQ:19991202 PostgreSQL RPM's permission problems
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0862

Insecure directory permissions in RPM distribution for PostgreSQL allow local users to gain privileges by reading a plaintext password file.

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Baker
   REVIEWING(1) Prosser

Voter Comments:
 Frech> XF:postgresql-insecure-perms

======================================================
Name: CVE-1999-0863
Status: Candidate
Phase: Proposed(19991208)
Reference: BUGTRAQ:19970617 Seyon vulnerability - IRIX
Reference: BUGTRAQ:19991108 FreeBSD 3.3's seyon vulnerability
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0863

Buffer overflow in FreeBSD seyon via HOME environmental variable, -emulator argument, -modems argument, or the GUI.

Current Votes:
   ACCEPT(4) Armstrong, Cole, Prosser, Stracener
   MODIFY(1) Frech
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:freebsd-seyon-bo
 Christey> ADDREF? CALDERA:CSSA-1999-037.0
 Christey> May be multiple bugs here, or a single library problem. CD:SF-LOC needs to be resolved before determining if this candidate should be SPLIT.
   Also see CVE-1999-0821.

======================================================
Name: CVE-1999-0864
Status: Entry
Reference: BID:851
Reference: URL:http://www.securityfocus.com/bid/851
Reference: BUGTRAQ:19991202 UnixWare coredumps follow symlinks
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991203020720.13115.qmail@nwcst289.netaddress.usa.net
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: URL:http://marc.info/?l=bugtraq&m=94530783815434&w=2
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: URL:http://marc.info/?l=bugtraq&m=94581379905584&w=2
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: URL:http://marc.info/?l=bugtraq&m=94606167110764&w=2
Reference: XF:sco-coredump-symlink

UnixWare programs that dump core allow a local user to modify files via a symlink attack on the ./core.pid file.

======================================================
Name: CVE-1999-0865
Status: Entry
Reference: BID:860
Reference: URL:http://www.securityfocus.com/bid/860
Reference: BUGTRAQ:19991203 CommuniGatePro 3.1 for NT DoS
Reference: URL:http://marc.info/?l=bugtraq&m=94426440413027&w=2
Reference: NTBUGTRAQ:19991203 CommuniGatePro 3.1 for NT Buffer Overflow
Reference: URL:http://marc.info/?l=ntbugtraq&m=94454565726775&w=2
Reference: XF:communigate-pro-bo

Buffer overflow in CommuniGatePro via a long string to the HTTP configuration port.

======================================================
Name: CVE-1999-0866
Status: Entry
Reference: BID:848
Reference: URL:http://www.securityfocus.com/bid/848
Reference: BUGTRAQ:19991203 UnixWare gain root with non-su/gid binaries
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: URL:http://marc.info/?l=bugtraq&m=94530783815434&w=2
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: URL:http://marc.info/?l=bugtraq&m=94581379905584&w=2
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: URL:http://marc.info/?l=bugtraq&m=94606167110764&w=2
Reference: SCO:SB-99.24a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.24a
Reference: XF:sco-xauto-bo

Buffer overflow in UnixWare xauto program allows local users to gain root privilege.

======================================================
Name: CVE-1999-0867
Status: Entry
Reference: BID:579
Reference: URL:http://www.securityfocus.com/bid/579
Reference: CIAC:J-058
Reference: URL:http://www.ciac.org/ciac/bulletins/j-058.shtml
Reference: MS:MS99-029
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-029
Reference: MSKB:Q238349
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q238349
Reference: XF:http-iis-malformed-header

Denial of service in IIS 4.0 via a flood of HTTP requests with malformed headers.

======================================================
Name: CVE-1999-0868
Status: Entry
Reference: CERT:CA-97.08
Reference: MISC:https://www.cs.ait.ac.th/joomla3/index.php/security-advisories?CERT/CA97/msg00027.shtml
Reference: XF:inn-ucbmail-shell-meta

ucbmail allows remote attackers to execute commands via shell metacharacters that are passed to it from INN.

======================================================
Name: CVE-1999-0869
Status: Entry
Reference: MS:MS98-020
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-020
Reference: MSKB:167614
Reference: XF:http-frame-spoof

Internet Explorer 3.x to 4.01 allows a remote attacker to insert malicious content into a frame of another web site, aka frame spoofing.
======================================================
Name: CVE-1999-0870
Status: Entry
Reference: MS:MS98-015
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-015
Reference: MSKB:169245
Reference: XF:ie-usp-cuartango

Internet Explorer 4.01 allows remote attackers to read arbitrary files by pasting a file name into the file upload control, aka untrusted scripted paste.

======================================================
Name: CVE-1999-0871
Status: Entry
Reference: MS:MS98-013
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-013
Reference: OSVDB:7837
Reference: URL:http://www.osvdb.org/7837
Reference: XF:ie-crossframe-file-read(3668)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3668

Internet Explorer 4.0 and 4.01 allow a remote attacker to read files via IE's cross frame security, aka the "Cross Frame Navigate" vulnerability.

======================================================
Name: CVE-1999-0872
Status: Candidate
Phase: Proposed(19991214)
Reference: BID:611
Reference: URL:http://www.securityfocus.com/bid/611
Reference: BID:759
Reference: URL:http://www.securityfocus.com/bid/759
Reference: REDHAT:RHSA-1999:030-02

Buffer overflow in Vixie cron allows local users to gain root access via a long MAILTO environment variable in a crontab file.

Current Votes:
   MODIFY(2) Cole, Frech
   NOOP(1) Baker
   REJECT(3) Blake, Christey, Stracener

Voter Comments:
 Cole> 611 is the mail to listed above but 759 is for the mail from and should be listed as a separate vulnerability.
 Blake> This does not appear materially different from CVE-1999-0768
 Christey> This is an apparent duplicate of CVE-1999-0768. REDHAT:RHSA-1999:030-02 describes two issues, one of which is CVE-1999-0768, and the other is CVE-1999-0769.
 Stracener> This is a duplicate of candidate CVE-1999-0768.
Frech> XF:cron-sendmail-bo-root Christey> BID:759 is improperly assigned to this candidate and doesn't even describe it. It may have been inadvertently copied from CVE-1999-0873. ====================================================== Name: CVE-1999-0873 Status: Entry Reference: BID:759 Reference: URL:http://www.securityfocus.com/bid/759 Reference: XF:skyfull-mail-from-bo Buffer overflow in Skyfull mail server via MAIL FROM command. ====================================================== Name: CVE-1999-0874 Status: Entry Reference: CERT:CA-99-07 Reference: CIAC:J-048 Reference: URL:http://www.ciac.org/ciac/bulletins/j-048.shtml Reference: EEYE:AD06081999 Reference: URL:http://www.eeye.com/html/Research/Advisories/AD06081999.html Reference: MS:MS99-019 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-019 Reference: MSKB:Q234905 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q234905 Reference: OVAL:oval:org.mitre.oval:def:915 Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A915 Reference: XF:iis-htr-overflow Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions. ====================================================== Name: CVE-1999-0875 Status: Entry Reference: BID:578 Reference: URL:http://www.securityfocus.com/bid/578 Reference: L0PHT:19990811 Reference: MSKB:Q216141 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q216141 Reference: XF:irdp-gateway-spoof DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow remote attackers to modify their default routes. 
====================================================== Name: CVE-1999-0876 Status: Entry Reference: MSKB:Q176697 Reference: URL:http://support.microsoft.com/support/kb/articles/q176/6/97.asp Reference: MSKB:Q185959 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q185959 Buffer overflow in Internet Explorer 4.0 via EMBED tag. ====================================================== Name: CVE-1999-0877 Status: Entry Reference: MS:MS99-042 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-042 Reference: MSKB:Q243638 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q243638 Reference: XF:ie-iframe-exec Internet Explorer 5 allows remote attackers to read files via an ExecCommand method called on an IFRAME. ====================================================== Name: CVE-1999-0878 Status: Entry Reference: AUSCERT:AA-1999.01 Reference: BID:599 Reference: URL:http://www.securityfocus.com/bid/599 Reference: CERT:CA-99-13 Reference: COMPAQ:SSRT0622 Reference: REDHAT:RHSA1999031_01 Reference: XF:wu-ftpd-dir-name Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via MAPPING_CHDIR. ====================================================== Name: CVE-1999-0879 Status: Entry Reference: CERT:CA-99-13 Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0879 Reference: XF:wuftp-message-file-root Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via macro variables in a message file. ====================================================== Name: CVE-1999-0880 Status: Entry Reference: CERT:CA-99-13 Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0880 Reference: XF:wuftp-site-newer-dos Denial of service in WU-FTPD via the SITE NEWER command, which does not free memory properly. 
====================================================== Name: CVE-1999-0881 Status: Entry Reference: BID:743 Reference: URL:http://www.securityfocus.com/bid/743 Reference: BINDVIEW:Falcon Web Server Reference: BUGTRAQ:19991025 Falcon Web Server Reference: OSVDB:1127 Reference: URL:http://www.osvdb.org/1127 Reference: XF:falcon-path-parsing Falcon web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. ====================================================== Name: CVE-1999-0882 Status: Candidate Phase: Proposed(19991214) Reference: BINDVIEW:Falcon Web Server Reference: BUGTRAQ:19991025 Falcon Web Server Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0882 Falcon web server allows remote attackers to determine the absolute path of the web root via long file names. Current Votes: ACCEPT(3) Baker, Blake, Stracener MODIFY(1) Frech NOOP(2) Armstrong, Cole Voter Comments: Frech> XF:falcon-server-long-filename ====================================================== Name: CVE-1999-0883 Status: Entry Reference: BID:742 Reference: URL:http://www.securityfocus.com/bid/742 Reference: BUGTRAQ:19991024 RFP9905: Zeus webserver remote root compromise Reference: OSVDB:1126 Reference: URL:http://www.osvdb.org/1126 Reference: XF:zeus-remote-root(3380) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3380 Zeus web server allows remote attackers to read arbitrary files by specifying the file name in an option to the search engine. 
====================================================== Name: CVE-1999-0884 Status: Entry Reference: BID:742 Reference: URL:http://www.securityfocus.com/bid/742 Reference: BUGTRAQ:19991024 RFP9905: Zeus webserver remote root compromise Reference: OSVDB:8186 Reference: URL:http://www.osvdb.org/8186 Reference: XF:zeus-weak-password(3833) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3833 The Zeus web server administrative interface uses weak encryption for its passwords. ====================================================== Name: CVE-1999-0885 Status: Candidate Phase: Modified(20000313) Reference: BID:770 Reference: URL:http://www.securityfocus.com/bid/770 Reference: BUGTRAQ:19991103 More Alibaba Web Server problems... Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-01&msg=01BF261F.928821E0.kerb@fnusa.com Reference: XF:alibaba-url-file-manipulation Alibaba web server allows remote attackers to execute commands via a pipe character in a malformed URL. Current Votes: ACCEPT(2) Baker, Stracener MODIFY(1) Frech NOOP(5) Armstrong, Blake, Christey, Cole, LeBlanc Voter Comments: Christey> This candidate is unconfirmed by the vendor. Blake> Same as CVE-1999-0776. Frech> XF:alibaba-url-file-manipulation Christey> CD:SF-LOC and CD:SF-EXEC may say to merge this candidate with the problems described in: BUGTRAQ:20000718 Multiple bugs in Alibaba 2.0 URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0237.html If so, then ADDREF BID:1485 as well. Christey> Include the names of the affected CGI's, including tst.bat, get32.exe, alibaba.pl, etc. 
====================================================== Name: CVE-1999-0886 Status: Entry Reference: BID:645 Reference: URL:http://www.securityfocus.com/bid/645 Reference: MS:MS99-041 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-041 Reference: MSKB:Q242294 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q242294 Reference: XF:nt-rasman-pathname The security descriptor for RASMAN allows users to point to an alternate location via the Windows NT Service Control Manager. ====================================================== Name: CVE-1999-0887 Status: Entry Reference: BUGTRAQ:19991104 FTGate Version 2.1 Web interface Server Directory Traversal Vulnerability Reference: EEYE:AD05261999 Reference: URL:http://www.eeye.com/html/Research/Advisories/AD05261999.html Reference: OSVDB:1137 Reference: URL:http://www.osvdb.org/1137 FTGate web interface server allows remote attackers to read files via a .. (dot dot) attack. ====================================================== Name: CVE-1999-0888 Status: Entry Reference: BID:585 Reference: URL:http://www.securityfocus.com/bid/585 Reference: BUGTRAQ:19990817 Security Bug in Oracle Reference: XF:oracle-dbsnmp dbsnmp in Oracle Intelligent Agent allows local users to gain privileges by setting the ORACLE_HOME environmental variable, which dbsnmp uses to find the nmiconf.tcl script. ====================================================== Name: CVE-1999-0889 Status: Entry Reference: BUGTRAQ:19990810 Cisco 675 password nonsense Reference: OSVDB:39 Reference: URL:http://www.osvdb.org/39 Reference: XF:cisco-cbos-telnet Cisco 675 routers running CBOS allow remote attackers to establish telnet sessions if an exec or superuser password has not been set. 
====================================================== Name: CVE-1999-0890 Status: Entry Reference: BID:694 Reference: URL:http://www.securityfocus.com/bid/694 Reference: BUGTRAQ:19990928 Team Asylum: iHTML Merchant Vulnerabilities Reference: CONFIRM:http://www.ihtmlmerchant.com/support_patches_feedback.htm Reference: XF:ihtml-merchant-file-access iHTML Merchant allows remote attackers to obtain sensitive information or execute commands via a code parsing error. ====================================================== Name: CVE-1999-0891 Status: Entry Reference: BID:674 Reference: URL:http://www.securityfocus.com/bid/674 Reference: CERT-VN:VU#37828 Reference: URL:http://www.kb.cert.org/vuls/id/37828 Reference: CIAC:K-002 Reference: URL:http://www.ciac.org/ciac/bulletins/k-002.shtml Reference: MS:MS99-040 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-040 Reference: MSKB:Q242542 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q242542 Reference: OSVDB:11274 Reference: URL:http://www.osvdb.org/11274 Reference: XF:ie-download-behavior The "download behavior" in Internet Explorer 5 allows remote attackers to read arbitrary files via a server-side redirect. ====================================================== Name: CVE-1999-0892 Status: Entry Reference: BUGTRAQ:19991018 Netscape 4.x buffer overflow Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0892 Buffer overflow in Netscape Communicator before 4.7 via a dynamic font whose length field is less than the size of the font. ====================================================== Name: CVE-1999-0893 Status: Entry Reference: BUGTRAQ:19991011 SCO OpenServer 5.0.5 overwrite /etc/shadow Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0893 Reference: XF:sco-openserver-userosa-script userOsa in SCO OpenServer allows local users to corrupt files via a symlink attack. 
====================================================== Name: CVE-1999-0894 Status: Entry Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0894 Reference: REDHAT:RHSA1999042-01 Red Hat Linux screen program does not use Unix98 ptys, allowing local users to write to other terminals. ====================================================== Name: CVE-1999-0895 Status: Entry Reference: BID:725 Reference: URL:http://www.securityfocus.com/bid/725 Reference: BUGTRAQ:19991020 Checkpoint FireWall-1 V4.0: possible bug in LDAP authentication Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991020150002.21047.qmail@tarjan.mediaways.net Reference: OSVDB:1117 Reference: URL:http://www.osvdb.org/1117 Reference: XF:checkpoint-ldap-auth Firewall-1 does not properly restrict access to LDAP attributes. ====================================================== Name: CVE-1999-0896 Status: Entry Reference: BID:767 Reference: URL:http://www.securityfocus.com/bid/767 Reference: BUGTRAQ:19991109 RealNetworks RealServer G2 buffer overflow. Reference: MISC:http://service.real.com/help/faq/servg260.html Reference: XF:realserver-g2-pw-bo Buffer overflow in RealNetworks RealServer administration utility allows remote attackers to execute arbitrary commands via a long username and password. ====================================================== Name: CVE-1999-0897 Status: Entry Reference: BUGTRAQ:19980908 bug in iChat 3.0 (maybe others) Reference: URL:http://marc.info/?l=bugtraq&m=90538488231977&w=2 Reference: XF:ichat-file-read-vuln iChat ROOMS Webserver allows remote attackers to read arbitrary files via a .. (dot dot) attack. 
====================================================== Name: CVE-1999-0898 Status: Entry Reference: BID:768 Reference: URL:http://www.securityfocus.com/bid/768 Reference: MS:MS99-047 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-047 Reference: MSKB:Q243649 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q243649 Reference: XF:nt-printer-spooler-bo Buffer overflows in Windows NT 4.0 print spooler allow remote attackers to gain privileges or cause a denial of service via a malformed spooler request. ====================================================== Name: CVE-1999-0899 Status: Entry Reference: BID:769 Reference: URL:http://www.securityfocus.com/bid/769 Reference: MS:MS99-047 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-047 Reference: MSKB:Q243649 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q243649 Reference: XF:nt-printer-spooler-bo The Windows NT 4.0 print spooler allows a local user to execute arbitrary commands due to inappropriate permissions that allow the user to specify an alternate print provider. ====================================================== Name: CVE-1999-0900 Status: Entry Reference: DEBIAN:19991027 nis Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0900 Reference: REDHAT:RHSA1999046-01 Reference: SUSE:19991023 Security hole in ypserv < 1.3.9 Buffer overflow in rpc.yppasswdd allows a local user to gain privileges via MD5 hash generation. ====================================================== Name: CVE-1999-0901 Status: Entry Reference: DEBIAN:19991027 nis Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0901 Reference: REDHAT:RHSA1999046-01 Reference: SUSE:19991023 Security hole in ypserv < 1.3.9 ypserv allows a local user to modify the GECOS and login shells of other users. 
====================================================== Name: CVE-1999-0902 Status: Entry Reference: DEBIAN:19991027 nis Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0902 Reference: REDHAT:RHSA1999046-01 Reference: SUSE:19991023 Security hole in ypserv < 1.3.9 ypserv allows local administrators to modify password tables. ====================================================== Name: CVE-1999-0903 Status: Entry Reference: BUGTRAQ:19991025 IBM AIX Packet Filter module Reference: BUGTRAQ:19991027 Re: IBM AIX Packet Filter module (followup) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0903 Reference: XF:aix-genfilt-filtering genfilt in the AIX Packet Filtering Module does not properly filter traffic to destination ports greater than 32767. ====================================================== Name: CVE-1999-0904 Status: Entry Reference: BID:771 Reference: URL:http://www.securityfocus.com/bid/771 Reference: BUGTRAQ:19991103 Remote DoS Attack in BFTelnet Server v1.1 for Windows NT Reference: XF:bftelnet-username-dos Buffer overflow in BFTelnet allows remote attackers to cause a denial of service via a long username. ====================================================== Name: CVE-1999-0905 Status: Entry Reference: BID:736 Reference: URL:http://www.securityfocus.com/bid/736 Reference: BUGTRAQ:19991020 Remote DoS in Axent's Raptor 6.0 Reference: OSVDB:1121 Reference: URL:http://www.osvdb.org/1121 Reference: XF:raptor-ipoptions-dos Denial of service in Axent Raptor firewall via malformed zero-length IP options. ====================================================== Name: CVE-1999-0906 Status: Entry Reference: BID:656 Reference: URL:http://www.securityfocus.com/bid/656 Reference: BUGTRAQ:19990923 SuSE 6.2 sccw overflow exploit Reference: SUSE:19990926 Security hole in sccw (Part II) Reference: XF:linux-sccw-bo Buffer overflow in sccw allows local users to gain root access via the HOME environmental variable. 
====================================================== Name: CVE-1999-0907 Status: Entry Reference: BUGTRAQ:19990916 SuSE 6.2 /usr/bin/sccw read any file Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0907 Reference: SUSE:19990921 Security Hole in sccw-1.1 and earlier sccw allows local users to read arbitrary files. ====================================================== Name: CVE-1999-0908 Status: Entry Reference: BID:655 Reference: URL:http://www.securityfocus.com/bid/655 Reference: BUGTRAQ:19990921 solaris DoS Reference: XF:sun-tcp-mutex-enter-dos Denial of service in Solaris TCP streams driver via a malicious connection that causes the server to panic as a result of recursive calls to mutex_enter. ====================================================== Name: CVE-1999-0909 Status: Entry Reference: BID:646 Reference: URL:http://www.securityfocus.com/bid/646 Reference: MS:MS99-038 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-038 Reference: MSKB:Q238453 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q238453 Reference: NAI:Windows IP Source Routing Vulnerability Reference: XF:nt-ip-source-route Multihomed Windows systems allow a remote attacker to bypass IP source routing restrictions via a malformed packet with IP options, aka the "Spoofed Route Pointer" vulnerability. ====================================================== Name: CVE-1999-0910 Status: Candidate Phase: Proposed(19991208) Reference: BID:625 Reference: URL:http://www.securityfocus.com/bid/625 Reference: MS:MS99-035 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-035 Microsoft Site Server and Commercial Internet System (MCIS) do not set an expiration for a cookie, which could then be cached by a proxy and inadvertently used by a different user. 
Current Votes: ACCEPT(4) Baker, Ozancin, Prosser, Wall MODIFY(2) Frech, Stracener REJECT(1) Cole Voter Comments: Frech> XF:siteserver-cis-cookie-cache Cole> Whether cookies are a vulnerability is a debate for another time; the question here is whether the expiration feature is a vulnerability and I do not think it is because the underlying concerns for this are present even without this feature. The expiration feature does not add any new vulnerabilities that are not already present with cookies. Stracener> Add Ref: MSKB Q238647 ====================================================== Name: CVE-1999-0911 Status: Candidate Phase: Modified(20050309) Reference: BID:612 Reference: URL:http://www.securityfocus.com/bid/612 Reference: BUGTRAQ:19990827 ProFTPD Reference: BUGTRAQ:19990907 ProFTP-1.2.0pre4 buffer overflow -- once more Reference: DEBIAN:19990210 Reference: URL:http://www.debian.org/security/1999/19990210 Reference: FREEBSD:FreeBSD-SA-99:03 Buffer overflow in ProFTPD, wu-ftpd, and beroftpd allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories. Current Votes: ACCEPT(5) Baker, Blake, Cole, Prosser, Stracener MODIFY(1) Frech REVIEWING(1) Christey Voter Comments: Frech> XF:proftpd-long-dir-bo(3399) Christey> Not absolutely sure if this isn't the same as Palmetto (CVE-1999-0368), which describes a similar type of overflow. NETBSD:NetBSD-SA1999-003 may refer to CVE-1999-0368: ADDREF URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-003.txt.asc Christey> ADDREF CIAC:J-068 Include version numbers; too many wu-ftp/etc.
problems were published in summer/fall 1999 ====================================================== Name: CVE-1999-0912 Status: Entry Reference: BID:653 Reference: URL:http://www.securityfocus.com/bid/653 Reference: BUGTRAQ:19990921 FreeBSD-specific denial of service Reference: OSVDB:1079 Reference: URL:http://www.osvdb.org/1079 Reference: XF:freebsd-vfscache-dos FreeBSD VFS cache (vfs_cache) allows local users to cause a denial of service by opening a large number of files. ====================================================== Name: CVE-1999-0913 Status: Candidate Phase: Proposed(19991214) Reference: BID:564 Reference: URL:http://www.securityfocus.com/bid/564 Reference: BUGTRAQ:19990804 NSW Dragon Fire gets drowned Reference: URL:http://marc.info/?l=bugtraq&m=93383593909438&w=2 dfire.cgi script in Dragon-Fire IDS allows remote users to execute commands via shell metacharacters. Current Votes: ACCEPT(2) Blake, Stracener MODIFY(1) Frech NOOP(4) Armstrong, Baker, Cole, LeBlanc REVIEWING(1) Christey Voter Comments: Christey> Some voters should use ABSTAIN. Frech> XF:dragon-fire-ids-metachar(3834) CHANGE> [Armstrong changed vote from REVIEWING to NOOP] ====================================================== Name: CVE-1999-0914 Status: Entry Reference: BID:324 Reference: URL:http://www.securityfocus.com/bid/324 Reference: BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows Reference: DEBIAN:19990104 Buffer overflow in the FTP client in the Debian GNU/Linux netstd package. ====================================================== Name: CVE-1999-0915 Status: Entry Reference: BID:746 Reference: URL:http://www.securityfocus.com/bid/746 Reference: BUGTRAQ:19991028 URL Live! 1.0 WebServer Reference: OSVDB:1129 Reference: URL:http://www.osvdb.org/1129 URL Live! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 
====================================================== Name: CVE-1999-0916 Status: Entry Reference: ISS:19990629 Bad Permissions on Passwords Stored by WebTrends Software Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0916 WebTrends software stores account names and passwords in a file which does not have restricted access permissions. ====================================================== Name: CVE-1999-0917 Status: Entry Reference: MS:MS99-018 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-018 Reference: MSKB:Q231452 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231452 Reference: XF:legacy-activex-local-drive The Preloader ActiveX control used by Internet Explorer allows remote attackers to read arbitrary files. ====================================================== Name: CVE-1999-0918 Status: Entry Reference: BID:514 Reference: URL:http://www.securityfocus.com/bid/514 Reference: BUGTRAQ:19990703 IGMP fragmentation bug in Windows 98/2000 Reference: MS:MS99-034 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-034 Reference: MSKB:Q238329 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q238329 Reference: XF:igmp-dos Denial of service in various Windows systems via malformed, fragmented IGMP packets. ====================================================== Name: CVE-1999-0919 Status: Candidate Phase: Modified(20020226) Reference: BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9805B&L=bugtraq&P=R1621 Reference: XF:motorola-cable-crash(2004) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2004 A memory leak in a Motorola CableRouter allows remote attackers to conduct a denial of service via a large number of telnet connections. 
Current Votes: ACCEPT(2) Baker, Cole MODIFY(1) Frech NOOP(7) Armstrong, Christey, Landfield, LeBlanc, Ozancin, Stracener, Wall REVIEWING(1) Levy Voter Comments: Christey> This candidate is unconfirmed by the vendor. Frech> XF:motorola-cable-crash Christey> This has enough votes, but not the "confidence" yet (until we resolve the question of the amount of verification needed for CVE). ====================================================== Name: CVE-1999-0920 Status: Entry Reference: BID:283 Reference: URL:http://www.securityfocus.com/bid/283 Reference: BUGTRAQ:19990526 Remote vulnerability in pop2d Reference: DEBIAN:19990607a Reference: XF:pop2-fold-bo Buffer overflow in the pop-2d POP daemon in the IMAP package allows remote attackers to gain privileges via the FOLD command. ====================================================== Name: CVE-1999-0921 Status: Entry Reference: BID:1879 Reference: URL:http://www.securityfocus.com/bid/1879 Reference: BUGTRAQ:19990409 Patrol security bugs Reference: URL:http://www.securityfocus.com/archive/1/13204 Reference: XF:bmc-patrol-udp-dos(4291) Reference: URL:http://www.iss.net/security_center/static/4291.php BMC Patrol allows any remote attacker to flood its UDP port, causing a denial of service. ====================================================== Name: CVE-1999-0922 Status: Entry Reference: ALLAIRE:ASB99-02 Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full Reference: XF:coldfusion-sourcewindow An example application in ColdFusion Server 4.0 allows remote attackers to view source code via the sourcewindow.cfm file. 
====================================================== Name: CVE-1999-0923 Status: Candidate Phase: Proposed(20010214) Reference: ALLAIRE:ASB99-02 Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full Sample runnable code snippets in ColdFusion Server 4.0 allow remote attackers to read files, conduct a denial of service, or use the server as a proxy for other HTTP calls. Current Votes: ACCEPT(2) Baker, Cole MODIFY(1) Frech NOOP(1) Christey Voter Comments: Frech> XF:coldfusion-source-display(1741) XF:coldfusion-syntax-checker(1742) XF:coldfusion-file-existence(1743) XF:coldfusion-sourcewindow(1744) Christey> List all affected runnable code snippets to facilitate search, which may include: viewexample.cfm (though could that be part of CVE-1999-0922?) ====================================================== Name: CVE-1999-0924 Status: Entry Reference: ALLAIRE:ASB99-02 Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full Reference: OSVDB:3236 Reference: URL:http://www.osvdb.org/3236 Reference: XF:coldfusion-syntax-checker(1742) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1742 The Syntax Checker in ColdFusion Server 4.0 allows remote attackers to conduct a denial of service. ====================================================== Name: CVE-1999-0925 Status: Candidate Phase: Modified(20020829) Reference: BUGTRAQ:19980903 Web servers / possible DOS Attack / mime header flooding Reference: URL:http://marc.info/?l=bugtraq&m=90486243124867&w=2 UnityMail allows remote attackers to conduct a denial of service via a large number of MIME headers. Current Votes: ACCEPT(2) Baker, Stracener MODIFY(1) Frech NOOP(1) Christey REVIEWING(1) Levy Voter Comments: Frech> XF:unitymail-web-dos(1630) Christey> BID:1760 URL:http://www.securityfocus.com/bid/1760 Christey> Affected version is 2.0 Change date of Bugtraq post - it was 1998. 
====================================================== Name: CVE-1999-0926 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html Apache allows remote attackers to conduct a denial of service via a large number of MIME headers. Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(3) Christey, Foat, Wall Voter Comments: Christey> BID:1760 URL:http://www.securityfocus.com/bid/1760 Frech> XF:unitymail-web-dos(1630) ====================================================== Name: CVE-1999-0927 Status: Entry Reference: BID:279 Reference: URL:http://www.securityfocus.com/bid/279 Reference: EEYE:AD05261999 Reference: URL:http://www.eeye.com/html/Research/Advisories/AD05261999.html Reference: XF:ntmail-fileread NTMail allows remote attackers to read arbitrary files via a .. (dot dot) attack. ====================================================== Name: CVE-1999-0928 Status: Entry Reference: BID:278 Reference: URL:http://www.securityfocus.com/bid/278 Reference: BUGTRAQ:19990525 Buffer overflow in SmartDesk WebSuite v2.1 Reference: XF:websuite-dos Buffer overflow in SmartDesk WebSuite allows remote attackers to cause a denial of service via a long URL. ====================================================== Name: CVE-1999-0929 Status: Candidate Phase: Interim(19991229) Reference: BUGTRAQ:19990616 Novell NetWare webservers DoS Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0929 Novell NetWare with Novell-HTTP-Server or YAWN web servers allows remote attackers to conduct a denial of service via a large number of HTTP GET requests. 
Current Votes: ACCEPT(4) Armstrong, Blake, Cole, Stracener MODIFY(1) Frech NOOP(1) Baker Voter Comments: Frech> XF:novell-webserver-dos(2287) ====================================================== Name: CVE-1999-0930 Status: Entry Reference: BID:1795 Reference: URL:http://www.securityfocus.com/bid/1795 Reference: BUGTRAQ:19980903 wwwboard.pl vulnerability Reference: CONFIRM:http://www.worldwidemart.com/scripts/faq/wwwboard/q5.shtml Reference: XF:http-cgi-wwwboard(2344) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2344 wwwboard allows a remote attacker to delete message board articles via a malformed argument. ====================================================== Name: CVE-1999-0931 Status: Entry Reference: BID:734 Reference: URL:http://www.securityfocus.com/bid/734 Reference: BUGTRAQ:19990930 Security flaw in Mediahouse Statistics Server v4.28 & 5.01 Reference: XF:mediahouse-stats-login-bo Buffer overflow in Mediahouse Statistics Server allows remote attackers to execute commands. ====================================================== Name: CVE-1999-0932 Status: Entry Reference: BID:735 Reference: URL:http://www.securityfocus.com/bid/735 Reference: BUGTRAQ:19990930 Security flaw in Mediahouse Statistics Server v4.28 & 5.01 Reference: XF:mediahouse-stats-adminpw-cleartext Mediahouse Statistics Server allows remote attackers to read the administrator password, which is stored in cleartext in the ss.cfg file. ====================================================== Name: CVE-1999-0933 Status: Entry Reference: BID:689 Reference: URL:http://www.securityfocus.com/bid/689 Reference: BUGTRAQ:19991001 RFP9904: TeamTrack webserver vulnerability Reference: OSVDB:1096 Reference: URL:http://www.osvdb.org/1096 TeamTrack web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 
====================================================== Name: CVE-1999-0934 Status: Entry Reference: BID:2020 Reference: URL:http://www.securityfocus.com/bid/2020 Reference: EL8:19991215 Classifieds (classifieds.cgi) Reference: XF:http-cgi-classifieds-read(3102) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3102 classifieds.cgi allows remote attackers to read arbitrary files via shell metacharacters. ====================================================== Name: CVE-1999-0935 Status: Entry Reference: EL8:19991215 Classifieds (classifieds.cgi) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0935 classifieds.cgi allows remote attackers to execute arbitrary commands by specifying them in a hidden variable in a CGI form. ====================================================== Name: CVE-1999-0936 Status: Entry Reference: EL8:19981203 BNBSurvey (survey.cgi) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0936 BNBSurvey survey.cgi program allows remote attackers to execute commands via shell metacharacters. ====================================================== Name: CVE-1999-0937 Status: Entry Reference: EL8:19981203 BNBForm (bnbform.cgi) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0937 BNBForm allows remote attackers to read arbitrary files via the automessage hidden form variable. ====================================================== Name: CVE-1999-0938 Status: Entry Reference: CERT:VN-99-03 Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0938 Reference: XF:sdr-execute MBone SDR Package allows remote attackers to execute commands via shell metacharacters in Session Initiation Protocol (SIP) messages. 
======================================================
Name: CVE-1999-0939
Status: Entry
Reference: BID:605
Reference: URL:http://www.securityfocus.com/bid/605
Reference: BUGTRAQ:19990826 [SECURITY] New versions of epic4 fixes possible DoS vulnerability
Reference: DEBIAN:19990826

Denial of service in Debian IRC Epic/epic4 client via a long string.

======================================================
Name: CVE-1999-0940
Status: Entry
Reference: CALDERA:CSSA-1999-031
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0940
Reference: SUSE:19990927 Security hole in mutt

Buffer overflow in mutt mail client allows remote attackers to execute commands via malformed MIME messages.

======================================================
Name: CVE-1999-0941
Status: Candidate
Phase: Proposed(19991222)
Reference: BUGTRAQ:19980728 mutt x.x
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526154&w=2

Mutt mail client allows a remote attacker to execute commands via shell metacharacters.

Current Votes:
   ACCEPT(1) Stracener
   NOOP(2) Baker, Christey
   REJECT(1) Frech
   REVIEWING(1) Levy

Voter Comments:
 Frech> References are vague, but seem to be identical to CVE-1999-0940 (XF:mutt-text-enriched-mime-bo). According to the references, the malformed messages consist of metacharacters. In addition, -0941's reference and -0940's SuSE reference both refer to fixes in 1.0pre3 release. Will reconsider vote if other clearer references are forthcoming.
 Christey> Modify to mention that the metachars are in the Content-Type header.
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2

======================================================
Name: CVE-1999-0942
Status: Entry
Reference: BUGTRAQ:19991005 SCO UnixWare 7.1 local root exploit
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0942
Reference: XF:sco-unixware-dos7utils-root-privs

UnixWare dos7utils allows a local user to gain root privileges by using the STATICMERGE environment variable to find a script which it executes.

======================================================
Name: CVE-1999-0943
Status: Entry
Reference: BID:720
Reference: URL:http://www.securityfocus.com/bid/720
Reference: BUGTRAQ:19991015 OpenLink 3.2 Advisory

Buffer overflow in OpenLink 3.2 allows remote attackers to gain privileges via a long GET request to the web configurator.

======================================================
Name: CVE-1999-0944
Status: Candidate
Phase: Proposed(19991222)
Reference: BUGTRAQ:19991024 password leak in IBM WebSphere / HTTP Server / ikeyman
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0944

IBM WebSphere ikeyman tool uses weak encryption to store a password for a key database that is used for SSL connections.
Current Votes:
   ACCEPT(2) Baker, Stracener
   MODIFY(1) Frech
   NOOP(2) Bollinger, Christey
   REVIEWING(1) Levy

Voter Comments:
 Frech> XF:websphere-database-pwd-accessible
 Christey> ADDREF BID:1763 URL:http://www.securityfocus.com/bid/1763

======================================================
Name: CVE-1999-0945
Status: Entry
Reference: CIAC:I-080
Reference: URL:http://www.ciac.org/ciac/bulletins/i-080.shtml
Reference: ISS:19980724 Denial of Service attacks against Microsoft Exchange 5.0 to 5.5
Reference: URL:http://xforce.iss.net/alerts/advise4.php
Reference: MSKB:Q169174
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q169174
Reference: XF:exchange-dos(1223)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1223

Buffer overflow in Internet Mail Service (IMS) for Microsoft Exchange 5.5 and 5.0 allows remote attackers to conduct a denial of service via AUTH or AUTHINFO commands.

======================================================
Name: CVE-1999-0946
Status: Entry
Reference: BID:760
Reference: URL:http://www.securityfocus.com/bid/760
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares
Reference: URL:http://marc.info/?l=bugtraq&m=94157187815629&w=2
Reference: XF:yamaha-midiplug-embed

Buffer overflow in Yamaha MidiPlug via a Text variable in an EMBED tag.

======================================================
Name: CVE-1999-0947
Status: Entry
Reference: BID:762
Reference: URL:http://www.securityfocus.com/bid/762
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares
Reference: URL:http://marc.info/?l=bugtraq&m=94157187815629&w=2

AN-HTTPd provides example CGI scripts test.bat, input.bat, input2.bat, and envout.bat, which allow remote attackers to execute commands via shell metacharacters.
======================================================
Name: CVE-1999-0948
Status: Candidate
Phase: Proposed(19991222)
Reference: BID:757
Reference: URL:http://www.securityfocus.com/bid/757
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares

Buffer overflow in uum program for Canna input system allows local users to gain root privileges.

Current Votes:
   ACCEPT(2) Levy, Stracener
   MODIFY(1) Frech
   NOOP(2) Baker, Christey

Voter Comments:
 Christey> CVE-1999-0948 and CVE-1999-0949 are extremely similar. uum (0948) is exploitable through a different set of options than canuum (0949). If it's the same generic option parsing routine used by both programs, then CD:SF-CODEBASE says to merge them. But if it's not, then CD:SF-LOC and CD:SF-EXEC say to split them. However, this is a prime example of how SF-EXEC might be modified - uum and canuum are clearly part of the same package, so in the absence of clear information, maybe we should merge them.
 Frech> XF:canna-uum-bo

======================================================
Name: CVE-1999-0949
Status: Candidate
Phase: Proposed(19991222)
Reference: BID:757
Reference: URL:http://www.securityfocus.com/bid/757
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares

Buffer overflow in canuum program for Canna input system allows local users to gain root privileges.

Current Votes:
   ACCEPT(2) Levy, Stracener
   MODIFY(1) Frech
   NOOP(2) Baker, Christey

Voter Comments:
 Christey> CVE-1999-0948 and CVE-1999-0949 are extremely similar. uum (0948) is exploitable through a different set of options than canuum (0949). If it's the same generic option parsing routine used by both programs, then CD:SF-CODEBASE says to merge them. But if it's not, then CD:SF-LOC and CD:SF-EXEC say to split them. However, this is a prime example of how SF-EXEC might be modified - uum and canuum are clearly part of the same package, so in the absence of clear information, maybe we should merge them.
   Also review BID:758 and BID:757 - may need to change the BID here.
 Frech> XF:canna-uum-bo
 Christey> CHANGEREF BID:757 BID:758
 Christey> The following page says that canuum is a "Japanese input tty frontend for Canna using uum," which suggests that it is, at the least, a different package, so perhaps this should stay SPLIT.
   http://wuarchive.wustl.edu/mirrors/NetBSD/NetBSD-current/pkgsrc/inputmethod/canuum/README.html

======================================================
Name: CVE-1999-0950
Status: Entry
Reference: BID:747
Reference: URL:http://www.securityfocus.com/bid/747
Reference: BUGTRAQ:19991027 WFTPD v2.40 FTPServer remotely exploitable buffer overflow vulnerability
Reference: XF:wftpd-mkd-bo

Buffer overflow in WFTPD FTP server allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories.

======================================================
Name: CVE-1999-0951
Status: Entry
Reference: BID:739
Reference: URL:http://www.securityfocus.com/bid/739
Reference: BUGTRAQ:19991022 Imagemap CGI overflow exploit
Reference: OSVDB:3380
Reference: URL:http://www.osvdb.org/3380
Reference: XF:http-cgi-imagemap-bo

Buffer overflow in OmniHTTPd CGI program imagemap.exe allows remote attackers to execute commands.

======================================================
Name: CVE-1999-0952
Status: Candidate
Phase: Proposed(19991222)
Reference: BUGTRAQ:19990126 Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat
Reference: URL:http://marc.info/?l=bugtraq&m=91759216618637&w=2

Buffer overflow in Solaris lpstat via class argument allows local users to gain root access.

Current Votes:
   ACCEPT(3) Baker, Ozancin, Stracener
   MODIFY(2) Dik, Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:solaris-lpstat-bo
 Christey> It is unclear from Casper Dik's followup whether this is exploitable or not.
 Dik> Sunbug 4129917 (other reports in the same thread suggest that the then-current patch did fix the problem)
 Christey> Confirm with Casper Dik that the overflow is in the -c option, and if so, include it in the description to differentiate it from the lpstat -n buffer overflow.

======================================================
Name: CVE-1999-0953
Status: Entry
Reference: BUGTRAQ:19980903 wwwboard.pl vulnerability
Reference: BUGTRAQ:19990916 More fun with WWWBoard
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0953

WWWBoard stores encrypted passwords in a password file that is under the web root and thus accessible by remote attackers.

======================================================
Name: CVE-1999-0954
Status: Entry
Reference: BID:649
Reference: URL:http://www.securityfocus.com/bid/649
Reference: BUGTRAQ:19990916 More fun with WWWBoard

WWWBoard has a default username and default password.

======================================================
Name: CVE-1999-0955
Status: Entry
Reference: CERT:CA-94.08
Reference: CIAC:E-17
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0955
Reference: XF:ftp-exec

Race condition in wu-ftpd and BSDI ftpd allows remote attackers to gain root access via the SITE EXEC command.

======================================================
Name: CVE-1999-0956
Status: Entry
Reference: CERT:CA-93.02a
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0956
Reference: XF:next-netinfo

The NeXT NetInfo _writers property allows local users to gain root privileges or conduct a denial of service.

======================================================
Name: CVE-1999-0957
Status: Entry
Reference: BUGTRAQ:19970618 Security hole in MajorCool 1.0.3
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0957
Reference: XF:majorcool-file-overwrite-vuln

MajorCool mj_key_cache program allows local users to modify files via a symlink attack.
======================================================
Name: CVE-1999-0958
Status: Entry
Reference: BUGTRAQ:19980112 Re: hole in sudo for MP-RAS.
Reference: URL:http://marc.info/?l=bugtraq&m=88465708614896&w=2
Reference: XF:sudo-dot-dot-attack

sudo 1.5.x allows local users to execute arbitrary commands via a .. (dot dot) attack.

======================================================
Name: CVE-1999-0959
Status: Entry
Reference: AUSCERT:AA-97-05
Reference: BID:469
Reference: URL:http://www.securityfocus.com/bid/469
Reference: BUGTRAQ:19970209 IRIX: Bug in startmidi
Reference: OSVDB:8447
Reference: URL:http://www.osvdb.org/8447
Reference: SGI:19980301-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980301-01-PX
Reference: XF:irix-startmidi-file-creation(1634)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1634

IRIX startmidi program allows local users to modify arbitrary files via a symlink attack.

======================================================
Name: CVE-1999-0960
Status: Entry
Reference: AUSCERT:AA-96.11
Reference: SGI:19980301-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980301-01-PX
Reference: XF:irix-cdplayer-directory-create

IRIX cdplayer allows local users to create directories in arbitrary locations via a command line option.

======================================================
Name: CVE-1999-0961
Status: Entry
Reference: BUGTRAQ:19960921 Vunerability in HP sysdiag ?
Reference: URL:http://marc.info/?l=bugtraq&m=87602167419906&w=2
Reference: CIAC:H-03
Reference: XF:hp-sysdiag-symlink

HPUX sysdiag allows local users to gain root privileges via a symlink attack during log file creation.
======================================================
Name: CVE-1999-0962
Status: Entry
Reference: AUSCERT:AA-96.13
Reference: HP:HPSBUX9701-045
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9701-045
Reference: OSVDB:6415
Reference: URL:http://www.osvdb.org/6415
Reference: XF:hp-password-cmd-bo

Buffer overflow in HPUX passwd command allows local users to gain root privileges via a command line option.

======================================================
Name: CVE-1999-0963
Status: Entry
Reference: BUGTRAQ:19960517 BoS: SECURITY BUG in FreeBSD
Reference: CERT:VB-96.06
Reference: OSVDB:6088
Reference: URL:http://www.osvdb.org/6088
Reference: XF:freebsd-mount-union-root

FreeBSD mount_union command allows local users to gain root privileges via a symlink attack.

======================================================
Name: CVE-1999-0964
Status: Entry
Reference: FREEBSD:FreeBSD-SA-97:01
Reference: OSVDB:6086
Reference: URL:http://www.osvdb.org/6086
Reference: XF:freebsd-setlocale-bo

Buffer overflow in FreeBSD setlocale in the libc module allows attackers to execute arbitrary code via a long PATH_LOCALE environment variable.

======================================================
Name: CVE-1999-0965
Status: Entry
Reference: CERT:CA-93.17
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0965
Reference: XF:xterm

Race condition in xterm allows local users to modify arbitrary files via the logging option.

======================================================
Name: CVE-1999-0966
Status: Entry
Reference: L0PHT:19970127 Solaris libc - getopt(3)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0966

Buffer overflow in Solaris getopt in libc allows local users to gain root privileges via a long argv[0].
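The symlink entries in this stretch of the list (MajorCool mj_key_cache, IRIX startmidi, HP-UX sysdiag, FreeBSD mount_union, and the xterm logging race, CVE-1999-0957/0959/0961/0963/0965) all describe a privileged program creating a file at a predictable path by name, so that a link the attacker planted there first redirects the write. The following Python is an added example, not code from any of those programs, that reproduces the attack against a naive writer in a constructed temporary directory and shows the create that defeats it: os.open() with O_CREAT|O_EXCL|O_NOFOLLOW. It assumes a POSIX platform where O_NOFOLLOW exists; the file names are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Flags for creating a file that must not already exist and must not be a
# symlink: O_EXCL makes the create fail if anything occupies the path, and
# O_NOFOLLOW (POSIX; assumed available) refuses to traverse a final symlink.
SAFE_CREATE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW


def write_log_naive(path, line):
    """What the vulnerable programs did: open the log by name for writing.
    If the attacker has already planted a symlink at `path`, the truncate
    and write land on the link's target, with the caller's privileges."""
    with open(path, "w") as fh:
        fh.write(line)


def write_log_safe(path, line):
    """Create the log atomically with O_EXCL|O_NOFOLLOW and mode 0600.

    Returns True on success and False if anything already occupies the path
    (a pre-planted file or symlink). There is no separate existence check
    before the open, so there is no window for the attacker to win a race.
    """
    try:
        fd = os.open(path, SAFE_CREATE_FLAGS, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(line)
    return True


def simulate_symlink_attack():
    """Constructed scenario, run entirely inside a temporary directory: a
    victim file, and an attacker symlink planted at the predictable log
    path before the program creates it. Returns what each writer did."""
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.conf")
        with open(victim, "w") as fh:
            fh.write("original contents\n")
        log_path = os.path.join(scratch, "program.log")
        os.symlink(victim, log_path)          # the attacker's move

        write_log_naive(log_path, "log entry\n")
        with open(victim) as fh:
            after_naive = fh.read()

        safe_result = write_log_safe(log_path, "log entry\n")
        with open(victim) as fh:
            after_safe = fh.read()

        fresh = os.path.join(scratch, "fresh.log")
        created = write_log_safe(fresh, "log entry\n")
        mode = stat.S_IMODE(os.lstat(fresh).st_mode) if created else None

        return {
            "naive_clobbered_victim": after_naive != "original contents\n",
            "safe_refused_symlink": safe_result is False,
            "safe_left_victim_alone": after_safe == after_naive,
            "safe_created_fresh": created,
            "fresh_mode": mode,
        }


if __name__ == "__main__":
    for key, value in simulate_symlink_attack().items():
        print(f"{key:24} {value!r}")
```

The refusal is the correct outcome for a fixed, predictable path: a privileged program that finds something already sitting where its log or cache file should be must not write through it. When the program legitimately needs to reuse an existing file, the remaining options are to keep the file in a directory only it can write to, or to open with O_NOFOLLOW and then verify ownership and link count on the returned descriptor with fstat() rather than on the name.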
======================================================
Name: CVE-1999-0967
Status: Entry
Reference: L0PHT:19971101 Microsoft Internet Explorer 4.0 Suite
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0967

Buffer overflow in the HTML library used by Internet Explorer, Outlook Express, and Windows Explorer via the res: local resource protocol.

======================================================
Name: CVE-1999-0968
Status: Entry
Reference: BID:1927
Reference: URL:http://www.securityfocus.com/bid/1927
Reference: BUGTRAQ:19981226 bnc exploit
Reference: URL:http://www.securityfocus.com/archive/1/11711
Reference: XF:bnc-proxy-bo(1546)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1546

Buffer overflow in BNC IRC proxy allows remote attackers to gain privileges.

======================================================
Name: CVE-1999-0969
Status: Entry
Reference: ISS:19980929 "Snork" Denial of Service Attack Against Windows NT RPC Service
Reference: MS:MS98-014
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-014
Reference: MSKB:Q193233
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q193233
Reference: NTBUGTRAQ:19980929 ISS Security Advisory: Snork
Reference: XF:snork-dos

The Windows NT RPC service allows remote attackers to conduct a denial of service using spoofed malformed RPC packets which generate an error message that is sent to the spoofed host, potentially setting up a loop, aka Snork.
======================================================
Name: CVE-1999-0970
Status: Candidate
Phase: Modified(20020226)
Reference: BID:1808
Reference: URL:http://www.securityfocus.com/bid/1808
Reference: BUGTRAQ:19990605 Remote Exploit (Bug) in OmniHTTPd Web Server
Reference: URL:http://www.securityfocus.com/archive/1/14311
Reference: XF:omnihttpd-dos(2271)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2271

The OmniHTTPD visadmin.exe program allows a remote attacker to conduct a denial of service via a malformed URL which causes a large number of temporary files to be created.

Current Votes:
   ACCEPT(3) Baker, Blake, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Levy

Voter Comments:
 Frech> XF:omnihttpd-dos
 Christey> Some sort of confirmation might be findable at:
   http://www.omnicron.ab.ca/httpd/docs/release.html
 Christey> See http://www.omnicron.ab.ca/index.html
   The August 16, 2000 news item says "This release fixes some security problems." It's for version 2.07, but the discloser didn't say what version was available. Other security fixes are in the release notes at http://www.omnicron.ab.ca/httpd/docs/release.html
   Notes for Professional Version 1.01 say "Patched up two security weaknesses." Notes for version 2.07 say "Fixes dot-appending vulnerability." Professional Alpha 7 says "Revamped CGI launching and security," Professional Alpha 4 says "Fixed SSI path mapping and security problems," Alpha 5 says "Security fixup." In other words, you can't tell whether they've fixed this bug or not.
 Christey> BID:1808
   URL:http://www.securityfocus.com/bid/1808

======================================================
Name: CVE-1999-0971
Status: Entry
Reference: BUGTRAQ:19970722 Security hole in exim 1.62: local root exploit
Reference: URL:http://www.securityfocus.com/archive/1/7301
Reference: XF:exim-include-overflow

Buffer overflow in Exim allows local users to gain root privileges via a long :include: option in a .forward file.
======================================================
Name: CVE-1999-0972
Status: Entry
Reference: BID:863
Reference: URL:http://www.securityfocus.com/bid/863
Reference: BUGTRAQ:19991209 xsw 1.24 remote buffer overflow

Remote buffer overflow in the Xshipwars xsw program (xsw 1.24).

======================================================
Name: CVE-1999-0973
Status: Entry
Reference: BID:858
Reference: URL:http://www.securityfocus.com/bid/858
Reference: BUGTRAQ:19991206 [w00giving #8] Solaris 2.7's snoop
Reference: BUGTRAQ:19991209 Clarification needed on the snoop vuln(s) (fwd)

Buffer overflow in Solaris snoop program allows remote attackers to gain root privileges via a long domain name when snoop is running in verbose mode.

======================================================
Name: CVE-1999-0974
Status: Entry
Reference: BID:864
Reference: URL:http://www.securityfocus.com/bid/864
Reference: BUGTRAQ:19991209 Clarification needed on the snoop vuln(s) (fwd)
Reference: ISS:19991209 Buffer Overflow in Solaris Snoop
Reference: SUN:00190
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/190

Buffer overflow in Solaris snoop allows remote attackers to gain root privileges via GETQUOTA requests to the rpc.rquotad service.

======================================================
Name: CVE-1999-0975
Status: Entry
Reference: BID:868
Reference: URL:http://www.securityfocus.com/bid/868
Reference: BUGTRAQ:19991207 Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT

The Windows help system can allow a local user to execute commands as another user by editing a table of contents metafile with a .CNT extension and modifying the topic action to include the commands to be executed when the .hlp file is accessed.
======================================================
Name: CVE-1999-0976
Status: Entry
Reference: BID:857
Reference: URL:http://www.securityfocus.com/bid/857
Reference: BUGTRAQ:19991207 [Debian] New version of sendmail released
Reference: OPENBSD:19991204
Reference: XF:sendmail-bi-alias

Sendmail allows local users to reinitialize the aliases database via the newaliases command, then cause a denial of service by interrupting Sendmail.

======================================================
Name: CVE-1999-0977
Status: Entry
Reference: BID:2354
Reference: URL:http://www.securityfocus.com/bid/2354
Reference: BID:866
Reference: URL:http://www.securityfocus.com/bid/866
Reference: BUGTRAQ:19991210 Re: Solaris sadmind Buffer Overflow Vulnerability
Reference: BUGTRAQ:19991210 Solaris sadmind Buffer Overflow Vulnerability
Reference: CERT:CA-99-16
Reference: OSVDB:2558
Reference: URL:http://www.osvdb.org/2558
Reference: SF-INCIDENTS:19991209 sadmind
Reference: SUN:00191
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191
Reference: XF:sol-sadmind-amslverify-bo

Buffer overflow in Solaris sadmind allows remote attackers to gain root privileges using a NETMGT_PROC_SERVICE request.

======================================================
Name: CVE-1999-0978
Status: Entry
Reference: BID:867
Reference: URL:http://www.securityfocus.com/bid/867
Reference: DEBIAN:19991209

htdig allows remote attackers to execute commands via filenames with shell metacharacters.
======================================================
Name: CVE-1999-0979
Status: Entry
Reference: BID:869
Reference: URL:http://www.securityfocus.com/bid/869
Reference: BUGTRAQ:19991209 Fundamental flaw in UnixWare 7 security
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: URL:http://marc.info/?l=bugtraq&m=94530783815434&w=2

The SCO UnixWare privileged process system allows local users to gain root privileges by using a debugger such as gdb to insert traps into _init before the privileged process is executed.

======================================================
Name: CVE-1999-0980
Status: Entry
Reference: MS:MS99-055
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-055
Reference: MSKB:Q246045
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q246045

Windows NT Service Control Manager (SCM) allows remote attackers to cause a denial of service via a malformed argument in a resource enumeration request.

======================================================
Name: CVE-1999-0981
Status: Entry
Reference: MS:MS99-050
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-050
Reference: MSKB:Q246094
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q246094

Internet Explorer 5.01 and earlier allows a remote attacker to create a reference to a client window and use a server-side redirect to access local files via that window, aka "Server-side Page Reference Redirect."

======================================================
Name: CVE-1999-0982
Status: Entry
Reference: BUGTRAQ:19991206 Solaris WBEM 1.0: plaintext password stored in world readable file
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0982

The Sun Web-Based Enterprise Management (WBEM) installation script stores a password in plaintext in a world readable file.
======================================================
Name: CVE-1999-0983
Status: Candidate
Phase: Proposed(19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0983

Whois Internic Lookup program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.

Current Votes:
   ACCEPT(3) Blake, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Christey> More examination is required to determine if CVE-1999-0983, CVE-1999-0984, or CVE-1999-0985 are the same codebase.
 Frech> XF:whois-internic-shell-meta
 Christey> ADDREF BID:2000
 Christey> The XF appears to be gone. Perhaps it's this one: XF:http-cgi-whois-meta(3798)

======================================================
Name: CVE-1999-0984
Status: Candidate
Phase: Proposed(19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0984

Matt's Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.

Current Votes:
   ACCEPT(2) Blake, Stracener
   MODIFY(1) Frech
   NOOP(2) Baker, Cole
   REVIEWING(1) Christey

Voter Comments:
 Cole> How is this different than the previous?
 Christey> More examination is required to determine if CVE-1999-0983, CVE-1999-0984, or CVE-1999-0985 are the same codebase.
 Frech> XF:matts-whois-meta
 Christey> ADDREF BID:2000
 Christey> XF reference is gone. Replace with http-cgi-matts-whois-meta(3799) ?

======================================================
Name: CVE-1999-0985
Status: Candidate
Phase: Proposed(19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0985

CC Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.
Current Votes:
   ACCEPT(2) Blake, Stracener
   MODIFY(1) Frech
   NOOP(2) Baker, Cole
   REVIEWING(1) Christey

Voter Comments:
 Cole> I would combine all of these.
 Christey> More examination is required to determine if CVE-1999-0983, CVE-1999-0984, or CVE-1999-0985 are the same codebase.
 Frech> XF:cc-whois-meta
 Christey> ADDREF BID:2000
 Frech> Change cc-whois-meta(3800) to http-cgi-ccwhois(3747)
 Christey> Replace XF reference with XF:cc-whois-meta(3800) ?

======================================================
Name: CVE-1999-0986
Status: Entry
Reference: BID:870
Reference: URL:http://www.securityfocus.com/bid/870
Reference: BUGTRAQ:19991209 Big problem on 2.0.x?

The ping command in Linux 2.0.3x allows local users to cause a denial of service by sending large packets with the -R (record route) option.

======================================================
Name: CVE-1999-0987
Status: Entry
Reference: MSKB:Q237923
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q237923
Reference: NTBUGTRAQ:19991118 NT System Policy for Win95 Not downloaded when adding a space after domain name

Windows NT does not properly download a system policy if the domain user logs into the domain with a space at the end of the domain name.

======================================================
Name: CVE-1999-0988
Status: Candidate
Phase: Modified(20000121)
Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0988

UnixWare pkgtrans allows local users to read arbitrary files via a symlink attack.
Current Votes:
   ACCEPT(3) Baker, Blake, Cole
   MODIFY(1) Frech
   RECAST(1) Stracener
   REVIEWING(1) Christey

Voter Comments:
 Stracener> The pkg* programs pkgtrans, pkginfo, pkgcat, pkginstall, and pkgparam can be used to mount etc/shadow printing attacks as a result of the "dacread" permission (cf. /etc/security/tcb/privs). The procedural differences between the individual exploits for each of these utilities are therefore inconsequential. CVE-1999-0988 should be merged with CVE-1999-0828. From the standpoint of maintaining consistency of the level of abstraction used in CVE, the co-existence of CANs 1999-0988/1999-0828 presents two choices: either merge 0988 with 0828, or split 0828 into 4 distinct candidates, keeping 0988 intact. Due to the very small differences (in principle) between the exploits subsumed by 0828 and 0988 and the shared dacread permissions of the pkg* suite, I suggest a merge. Below is a summary of the data upon which my decision was based.

   utility       exploit
   ----------    ----------------------------------
   pkgtrans   -> symlink + dacread permission prob
   pkginfo    -> truss (debugging utility) in conjunction with pkginfo -d etc/shadow. In this case, it captures the interaction between pkginfo and the shadow file. Once again: dacread.
   pkgcat     -> buffer overflow + dacread permission prob
   pkginstall -> buffer overflow + dacread permission prob
   pkgparam   -> -f etc/shadow (works because of dacread).

 Christey> This is a tough one. While there are few procedural differences, one could view "assignment of an improper permission" as a "class" of problems along the lines of buffer overflows and the like. Just like some programs were fine until they got turned into CGI scripts, this could be an emerging pattern which should be given consideration. Consider the Eyedog and scriptlet.typelib ActiveX utilities being marked as safe for scripting (CVE-1999-0668 and 0669).
   ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a loosely alludes to this problem; the README for patch SSE053 effectively confirms it.
 Frech> XF:unixware-pkgtrans-symlink

======================================================
Name: CVE-1999-0989
Status: Entry
Reference: BID:861
Reference: URL:http://www.securityfocus.com/bid/861
Reference: BUGTRAQ:19991205 new IE5 remote exploit
Reference: NTBUGTRAQ:19991205 new IE5 remote exploit

Buffer overflow in Internet Explorer 5 directshow filter (MSDXM.OCX) allows remote attackers to execute commands via the vnd.ms.radio protocol.

======================================================
Name: CVE-1999-0990
Status: Candidate
Phase: Interim(19991229)
Reference: BUGTRAQ:19991205 gdm thing
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0990

Error messages generated by gdm with the VerboseAuth setting allow an attacker to identify valid users on a system.

Current Votes:
   ACCEPT(3) Blake, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Baker

Voter Comments:
 Frech> XF:verbose-auth-identify-user(3804)

======================================================
Name: CVE-1999-0991
Status: Entry
Reference: BID:862
Reference: URL:http://www.securityfocus.com/bid/862
Reference: BUGTRAQ:19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability
Reference: NTBUGTRAQ:19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability

Buffer overflow in GoodTech Telnet Server NT allows remote users to cause a denial of service via a long login name.

======================================================
Name: CVE-1999-0992
Status: Entry
Reference: HP:HPSBUX9912-107
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9912-107

HP VirtualVault with the PHSS_17692 patch allows unprivileged processes to bypass access restrictions via the Trusted Gateway Proxy (TGP).
======================================================
Name: CVE-1999-0993
Status: Candidate
Phase: Proposed(19991222)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0993
Reference: NTBUGTRAQ:19991213 Changing ACL's in Exchange Server

Modifications to ACLs (Access Control Lists) in Microsoft Exchange 5.5 do not take effect until the directory store cache is refreshed.

Current Votes:
   ACCEPT(2) Stracener, Wall
   MODIFY(1) Frech
   NOOP(2) Baker, Cole
   REJECT(1) LeBlanc

Voter Comments:
 Frech> XF:exchange-acl-changes(3916)
 LeBlanc> Not a vulnerability

======================================================
Name: CVE-1999-0994
Status: Entry
Reference: BID:873
Reference: URL:http://www.securityfocus.com/bid/873
Reference: BINDVIEW:19991216 Windows NT's SYSKEY feature
Reference: MS:MS99-056
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-056
Reference: MSKB:Q248183
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q248183

Windows NT with SYSKEY reuses the keystream that is used for encrypting SAM password hashes, allowing an attacker to crack passwords.

======================================================
Name: CVE-1999-0995
Status: Entry
Reference: BID:875
Reference: URL:http://www.securityfocus.com/bid/875
Reference: MS:MS99-057
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-057
Reference: MSKB:Q248185
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q248185
Reference: NAI:19991216 Windows NT LSA Remote Denial of Service

Windows NT Local Security Authority (LSA) allows remote attackers to cause a denial of service via malformed arguments to the LsaLookupSids function which looks up the SID, aka "Malformed Security Identifier Request."
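The SYSKEY entry above (CVE-1999-0994) is a keystream-reuse failure: when every stored hash is XORed with the same stream, the XOR of any two ciphertexts equals the XOR of the two plaintexts, and one known plaintext exposes all the others without the key. The following Python is an added example, not Microsoft's code or a description of SYSKEY's internals, that demonstrates the attack and the per-record fix. The keystream generator (SHA-256 in counter mode under a fixed key) is a stand-in assumed for the example, as are the two 16-byte sample records.

```python
import hashlib

# Stand-in keystream generator, an assumption of this example and not the
# cipher SYSKEY used: SHA-256 in counter mode under a fixed key. The flaw
# depends only on the same bytes being reused for every record.
SECRET_KEY = b"constructed-system-key"


def keystream(length, nonce=b""):
    """Deterministic keystream of `length` bytes for (SECRET_KEY, nonce)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = SECRET_KEY + nonce + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_reused(record):
    """The pattern behind the SYSKEY entry: every record, regardless of
    which account it belongs to, is XORed with the identical keystream."""
    return xor(record, keystream(len(record)))


def encrypt_per_record(record, record_id):
    """Hardened variant: mixing a per-record value (here the numeric record
    id) into the keystream derivation gives every record its own stream."""
    return xor(record, keystream(len(record), nonce=record_id.to_bytes(4, "big")))


def recover_with_known_plaintext(c_known, p_known, c_target):
    """Known-plaintext attack on a shared keystream: c_known XOR p_known is
    the keystream itself, and XORing it into any other ciphertext under the
    same stream yields that record's plaintext. Needs no key at all."""
    stream = xor(c_known, p_known)
    return xor(c_target, stream)


# Constructed 16-byte sample records standing in for two stored password
# hashes: one the attacker knows (their own account) and one they want.
KNOWN_RECORD = bytes.fromhex("00112233445566778899aabbccddeeff")
TARGET_RECORD = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")


if __name__ == "__main__":
    c_known = encrypt_reused(KNOWN_RECORD)
    c_target = encrypt_reused(TARGET_RECORD)
    print("ciphertext XOR equals plaintext XOR:",
          xor(c_known, c_target) == xor(KNOWN_RECORD, TARGET_RECORD))
    print("recovered target:",
          recover_with_known_plaintext(c_known, KNOWN_RECORD, c_target).hex())
    c_known2 = encrypt_per_record(KNOWN_RECORD, 1000)
    c_target2 = encrypt_per_record(TARGET_RECORD, 500)
    print("recovery with per-record streams:",
          recover_with_known_plaintext(c_known2, KNOWN_RECORD, c_target2).hex())
```

The attacker in this model only needs one account whose hash they already know, which on a multi-user system is their own. The hardened variant is the general rule for any stream cipher or counter-mode construction: a (key, nonce) pair must never be used for more than one message.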
======================================================
Name: CVE-1999-0996
Status: Entry
Reference: BUGTRAQ:19991216 Infoseek Ultraseek Remote Buffer Overflow
Reference: EEYE:AD19991215
Reference: URL:http://www.eeye.com/html/Research/Advisories/AD19991215.html
Reference: NTBUGTRAQ:19991216 Infoseek Ultraseek Remote Buffer Overflow
Reference: OSVDB:6490
Reference: URL:http://www.osvdb.org/6490
Reference: XF:infoseek-ultraseek-bo

Buffer overflow in Infoseek Ultraseek search engine allows remote attackers to execute commands via a long GET request.

======================================================
Name: CVE-1999-0997
Status: Entry
Reference: BUGTRAQ:19991220 Security vulnerability in certain wu-ftpd (and derivitives) configurations (fwd)
Reference: DEBIAN:DSA-377
Reference: URL:http://www.debian.org/security/2003/dsa-377
Reference: XF:wuftp-ftp-conversion

wu-ftpd with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress.

======================================================
Name: CVE-1999-0998
Status: Entry
Reference: BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities
Reference: CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0998
Reference: XF:cisco-cache-engine-replace

Cisco Cache Engine allows an attacker to replace content in the cache.
======================================================
Name: CVE-1999-0999
Status: Entry
Reference: BID:817
Reference: URL:http://www.securityfocus.com/bid/817
Reference: MS:MS99-059
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-059
Reference: MSKB:Q248749
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q248749

Microsoft SQL 7.0 server allows a remote attacker to cause a denial of service via a malformed TDS packet.

======================================================
Name: CVE-1999-1000
Status: Entry
Reference: BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities
Reference: CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-1000
Reference: XF:cisco-cache-engine-performance

The web administration interface for Cisco Cache Engine allows remote attackers to view performance statistics.

======================================================
Name: CVE-1999-1001
Status: Entry
Reference: BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities
Reference: CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-1001

Cisco Cache Engine allows a remote attacker to gain access via a null username and password.

======================================================
Name: CVE-1999-1002
Status: Candidate
Phase: Modified(20030619)
Reference: BUGTRAQ:19991216 Reinventing the wheel (aka "Decoding Netscape Mail passwords")
Reference: URL:http://marc.info/?l=bugtraq&m=94536309217214&w=2
Reference: BUGTRAQ:19991220 Netscape password scrambling
Reference: URL:http://marc.info/?l=bugtraq&m=94570673523998&w=2
Reference: MISC:http://www.rstcorp.com/news/bad-crypto.html

Netscape Navigator uses weak encryption for storing a user's Netscape mail password.
Current Votes:
   ACCEPT(4) Baker, Cole, Stracener, Wall
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:netscape-mail-encryption(3921)
 Christey> CHANGEREF make the RCA URL a "MISC" reference

======================================================
Name: CVE-1999-1003
Status: Candidate
Phase: Proposed(19991222)
Reference: BUGTRAQ:19991214 Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability
Reference: BUGTRAQ:19991216 Statement: Local / Remote D.o.S Attack in War FTP Daemon 1.70
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-1003

War FTP Daemon 1.70 allows remote attackers to cause a denial of service by flooding it with connections.

Current Votes:
   ACCEPT(3) Baker, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:warftp-connection-flood

======================================================
Name: CVE-1999-1004
Status: Entry
Reference: BUGTRAQ:19991217 NAV2000 Email Protection DoS
Reference: URL:http://www.securityfocus.com/archive/1/38970
Reference: BUGTRAQ:19991220 Norton Email Protection Remote Overflow (Addendum)
Reference: URL:http://www.securityfocus.com/archive/1/39194
Reference: CONFIRM:http://service1.symantec.com/SUPPORT/nav.nsf/df0a595864594c86852567ac0063608c/6206f660a1f2516a882568660082c930?OpenDocument&Highlight=0,poproxy
Reference: OSVDB:6267
Reference: URL:http://www.osvdb.org/6267

Buffer overflow in the POP server POProxy for the Norton Anti-Virus protection NAV2000 program via a large USER command.

======================================================
Name: CVE-1999-1005
Status: Entry
Reference: BID:879
Reference: URL:http://www.securityfocus.com/bid/879
Reference: BUGTRAQ:19991219 Groupewise Web Interface
Reference: URL:http://marc.info/?l=bugtraq&m=94571433731824&w=2
Reference: OSVDB:3413
Reference: URL:http://www.osvdb.org/3413
Reference: XF:groupwise-web-read-files

Groupwise web server GWWEB.EXE allows remote attackers to read arbitrary files with .htm extensions via a .. (dot dot) attack using the HELP parameter.

======================================================
Name: CVE-1999-1006
Status: Candidate
Phase: Proposed(19991222)
Reference: BUGTRAQ:19991219 Groupewise Web Interface
Reference: URL:http://marc.info/?l=bugtraq&m=94571433731824&w=2

Groupwise web server GWWEB.EXE allows remote attackers to determine the real path of the web server via the HELP parameter.

Current Votes:
   ACCEPT(4) Baker, Cole, Prosser, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Frech> XF:groupwise-web-path
 Prosser> Pretty well confirmed by testing with responses to BugTraq list.
   additional ref: BugTraq ID 879 http://www.securityfocus.com/bid/879
 Christey> A later discovery almost 2 years later is at:
   BUGTRAQ:20020227 SecurityOffice Security Advisory:// Novell GroupWise Web Access Path Disclosure Vulnerability
   http://marc.theaimsgroup.com/?l=bugtraq&m=101494830315071&w=2
   CD:SF-LOC might suggest merging these together.

======================================================
Name: CVE-1999-1007
Status: Entry
Reference: BID:872
Reference: URL:http://www.securityfocus.com/bid/872
Reference: BUGTRAQ:19991213 VDO Live Player 3.02 Buffer Overflow
Reference: URL:http://marc.info/?l=bugtraq&m=94512259331599&w=2
Reference: XF:vdolive-bo-execute

Buffer overflow in VDO Live Player allows remote attackers to execute commands on the VDO client via a malformed .vdo file.

======================================================
Name: CVE-1999-1008
Status: Entry
Reference: BID:871
Reference: URL:http://www.securityfocus.com/bid/871
Reference: BUGTRAQ:19991215 FreeBSD 3.3 xsoldier root exploit
Reference: MISC:http://marc.info/?l=freebsd-security&m=94531826621620&w=2
Reference: XF:unix-xsoldier-overflow

xsoldier program allows local users to gain root access via a long argument.
======================================================
Name: CVE-1999-1009
Status: Candidate
Phase: Proposed(19991222)
Reference: BUGTRAQ:19991213 Privacy hole in Go Express Search
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-1009

The Disney Go Express Search allows remote attackers to access and modify search information for users by connecting to an HTTP server on the user's system.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Balinsky, Cole, Stracener, Wall

Voter Comments:
 Frech> XF:disney-search-info(3955)
 Balinsky> The go.express.com web site does not mention the existence of the Express web server mentioned in the advisory. There appears to be no way of verifying this.

======================================================
Name: CVE-1999-1010
Status: Entry
Reference: BUGTRAQ:19991214 sshd1 allows unencrypted sessions regardless of server policy
Reference: URL:http://marc.info/?l=bugtraq&m=94519142415338&w=2
Reference: XF:ssh-policy-bypass

An SSH 1.2.27 server allows a client to use the "none" cipher, even if it is not allowed by the server policy.

======================================================
Name: CVE-1999-1011
Status: Entry
Reference: BID:529
Reference: URL:https://www.securityfocus.com/bid/529
Reference: CIAC:J-054
Reference: URL:http://www.ciac.org/ciac/bulletins/j-054.shtml
Reference: ISS:19990809 Vulnerabilities in Microsoft Remote Data Service
Reference: MS:MS98-004
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-004
Reference: MS:MS99-025
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-025
Reference: OSVDB:272
Reference: URL:http://www.osvdb.org/272
Reference: XF:nt-iis-rds

The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands.
======================================================
Name: CVE-1999-1012
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:173
Reference: URL:http://www.securityfocus.com/bid/173
Reference: BUGTRAQ:19990504 AS/400
Reference: URL:http://www.securityfocus.com/archive/1/13527

SMTP component of Lotus Domino 4.6.1 on AS/400, and possibly other operating systems, allows a remote attacker to crash the mail server via a long string.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> (Task 1770)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:lotus-domino-smtp-dos(8790)

======================================================
Name: CVE-1999-1013
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:673
Reference: URL:http://www.securityfocus.com/bid/673
Reference: BUGTRAQ:19990923 named-xfer hole on AIX (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=93837026726954&w=2

named-xfer in AIX 4.1.5 and 4.2.1 allows members of the system group to overwrite system files to gain root access via the -f parameter and a malformed zone file.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:aix-named-xfer-root-access(3308)

======================================================
Name: CVE-1999-1014
Status: Entry
Reference: BID:672
Reference: URL:http://www.securityfocus.com/bid/672
Reference: BUGTRAQ:19990913 Solaris 2.7 /usr/bin/mail
Reference: URL:http://marc.info/?l=bugtraq&m=93727925026476&w=2
Reference: BUGTRAQ:19990927 Working Solaris x86 /usr/bin/mail exploit
Reference: URL:http://marc.info/?l=bugtraq&m=93846422810162&w=2
Reference: SUNBUG:4276509
Reference: XF:sun-usrbinmail-local-bo(3297)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3297

Buffer overflow in mail command in Solaris 2.7 and 2.7 allows local users to gain privileges via a long -m argument.
======================================================
Name: CVE-1999-1015
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:61
Reference: URL:http://www.securityfocus.com/bid/61
Reference: BUGTRAQ:19980408 AppleShare IP Mail Server
Reference: URL:http://marc.info/?l=bugtraq&m=89200657216213&w=2

Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and earlier allows a remote attacker to cause a denial of service (crash) via a long HELO command.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:smtp-helo-bo(886)

======================================================
Name: CVE-1999-1016
Status: Candidate
Phase: Modified(20040811)
Reference: BID:606
Reference: URL:http://www.securityfocus.com/bid/606
Reference: NTBUGTRAQ:19990827 HTML code to crash IE5 and Outlook Express 5
Reference: URL:http://marc.info/?l=ntbugtraq&m=93578772920970&w=2

Microsoft HTML control as used in (1) Internet Explorer 5.0, (2) FrontPage Express, (3) Outlook Express 5, and (4) Eudora, and possibly others, allows remote malicious web site or HTML emails to cause a denial of service (100% CPU consumption) via large HTML form fields such as text inputs in a table cell.

Current Votes:
   ACCEPT(2) Cole, Wall
   MODIFY(1) Frech
   NOOP(2) Christey, Foat

Voter Comments:
 Frech> XF:ms-html-table-form-dos(3246)
 Frech> XF:ms-html-table-form-dos(3246)
 Christey> Add period to the end of the description.

======================================================
Name: CVE-1999-1017
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:544
Reference: URL:http://www.securityfocus.com/bid/544
Reference: NTBUGTRAQ:19990728 Seattle Labs EMURL Vulnerability
Reference: URL:http://marc.info/?l=ntbugtraq&m=93316253431588&w=2

Seattle Labs Emurl 2.0, and possibly earlier versions, stores e-mail attachments in a specific directory with scripting enabled, which allows a malicious ASP file attachment to execute when the recipient opens the message.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> (Task 2281)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:emurl-attachment-execution(8794)

======================================================
Name: CVE-1999-1018
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:543
Reference: URL:http://www.securityfocus.com/bid/543
Reference: BUGTRAQ:19990727 Linux 2.2.10 ipchains Advisory
Reference: URL:http://marc.info/?l=bugtraq&m=93312523904591&w=2

IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP fragments before checking the header information, which allows a remote attacker to bypass the filtering rules using several fragments with 0 offsets.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:linux-ipchains-bypass-filter(6516)
 Frech> XF:linux-ipchains-bypass-filter(6516)

======================================================
Name: CVE-1999-1019
Status: Entry
Reference: BID:495
Reference: URL:http://www.securityfocus.com/bid/495
Reference: BUGTRAQ:19990623 Cabletron Spectrum security vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=93024398713491&w=2
Reference: BUGTRAQ:19990624 Re: Cabletron Spectrum security vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=93024398513475&w=2

SpectroSERVER in Cabletron Spectrum Enterprise Manager 5.0 installs a directory tree with insecure permissions, which allows local users to replace a privileged executable (processd) with a Trojan horse, facilitating a root or Administrator compromise.
======================================================
Name: CVE-1999-1020
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:484
Reference: URL:http://www.securityfocus.com/bid/484
Reference: BUGTRAQ:19980918 NMRC Advisory - Default NDS Rights
Reference: URL:http://marc.info/?l=bugtraq&m=90613355902262&w=2
Reference: XF:novell-nds(1364)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1364

The installation of Novell Netware NDS 5.99 provides an unauthenticated client with Read access for the tree, which allows remote attackers to access sensitive information such as users, groups, and readable objects via CX.EXE and NLIST.EXE.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1021
Status: Entry
Reference: BID:47
Reference: URL:http://www.securityfocus.com/bid/47
Reference: CERT:CA-1992-15
Reference: URL:http://www.cert.org/advisories/CA-1992-15.html
Reference: SUN:00117
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/117&type=0&nav=sec.sba
Reference: XF:nfs-uid(82)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/82

NFS on SunOS 4.1 through 4.1.2 ignores the high order 16 bits in a 32 bit UID, which allows a local user to gain root access if the lower 16 bits are set to 0, as fixed by the NFS jumbo patch upgrade.

======================================================
Name: CVE-1999-1022
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:464
Reference: URL:http://www.securityfocus.com/bid/464
Reference: BUGTRAQ:19941002
Reference: URL:http://www.securityfocus.com/archive/1/930
Reference: XF:sgi-serialports(2111)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2111

serial_ports administrative program in IRIX 4.x and 5.x trusts the user's PATH environmental variable to find and execute the ls program, which allows local users to gain root privileges via a Trojan horse ls program.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> Note: CVE-1999-1310 is a duplicate of this candidate. CVE-1999-1310 will be REJECTed; this is the proper CAN to use.
   CIAC:F-01
   URL:http://ciac.llnl.gov/ciac/bulletins/f-01.shtml
   SGI:19941001-01-P
   URL:ftp://patches.sgi.com/support/free/security/advisories/19941001-01-P
   MISC:http://www.netsys.com/firewalls/firewalls-9410/0019.html

======================================================
Name: CVE-1999-1023
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:426
Reference: URL:http://www.securityfocus.com/bid/426
Reference: BUGTRAQ:19990610 Sun Useradd program expiration date bug
Reference: URL:http://marc.info/?l=bugtraq&m=92904175406756&w=2

useradd in Solaris 7.0 does not properly interpret certain date formats as specified in the "-e" (expiration date) argument, which could allow users to login after their accounts have expired.

Current Votes:
   ACCEPT(1) Dik
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Dik> sun bug: 4222400
 Frech> XF:solaris-useradd-expired-accounts(8375)
   CONFIRM:(2.6)110883-01, (2.6_x86) 110884-01, (7)110869-01, (7_x86) 110870-01

======================================================
Name: CVE-1999-1024
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:313
Reference: URL:http://www.securityfocus.com/bid/313
Reference: BUGTRAQ:19990616 tcpdump 3.4 bug?
Reference: URL:http://marc.info/?l=bugtraq&m=92955903802773&w=2
Reference: BUGTRAQ:19990617 Re: tcpdump 3.4 bug?
Reference: URL:http://marc.info/?l=bugtraq&m=92963447601748&w=2
Reference: BUGTRAQ:19990620 Re: tcpdump 3.4 bug? (final)
Reference: URL:http://marc.info/?l=bugtraq&m=92989907627051&w=2

ip_print procedure in Tcpdump 3.4a allows remote attackers to cause a denial of service via a packet with a zero length header, which causes an infinite loop and core dump when tcpdump prints the packet.
Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:tcpdump-ipprint-dos(8373)

======================================================
Name: CVE-1999-1025
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:294
Reference: URL:http://www.securityfocus.com/bid/294
Reference: BUGTRAQ:19981012 Annoying Solaris/CDE/NIS+ bug
Reference: URL:http://marc.info/?l=bugtraq&m=90831127921062&w=2
Reference: SUNBUG:4115685
Reference: URL:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F106027&zone_32=411568%2A%20

CDE screen lock program (screenlock) on Solaris 2.6 does not properly lock an unprivileged user's console session when the host is an NIS+ client, which allows others with physical access to login with any string.

Current Votes:
   ACCEPT(4) Cole, Dik, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:solaris-cde-nisplus-lock(7473)
 Dik> sun bug: 4115685

======================================================
Name: CVE-1999-1026
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:292
Reference: URL:http://www.securityfocus.com/bid/292
Reference: BUGTRAQ:19961220 Solaris 2.5 x86 aspppd (semi-exploitable-hole)
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420343&w=2

aspppd on Solaris 2.5 x86 allows local users to modify arbitrary files and gain root privileges via a symlink attack on the /tmp/.asppp.fifo file.
Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:sun-aspppd-tmp-symlink(7173)

======================================================
Name: CVE-1999-1027
Status: Entry
Reference: BID:290
Reference: URL:http://www.securityfocus.com/bid/290
Reference: BUGTRAQ:19980507 admintool mode 0777 in Solaris 2.6 HW3/98
Reference: URL:http://marc.info/?l=bugtraq&m=90221101925880&w=2
Reference: SUNBUG:4178998
Reference: XF:solaris-admintool-world-writable(7296)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7296

Solaris 2.6 HW3/98 installs admintool with world-writable permissions, which allows local users to gain privileges by replacing it with a Trojan horse program.

======================================================
Name: CVE-1999-1028
Status: Entry
Reference: BID:288
Reference: URL:http://www.securityfocus.com/bid/288
Reference: NTBUGTRAQ:19990528 DoS against PC Anywhere
Reference: URL:http://marc.info/?l=ntbugtraq&m=92807524225090&w=2
Reference: XF:pcanywhere-dos(2256)
Reference: URL:http://www.iss.net/security_center/static/2256.php

Symantec pcAnywhere 8.0 allows remote attackers to cause a denial of service (CPU utilization) via a large amount of data to port 5631.

======================================================
Name: CVE-1999-1029
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:277
Reference: URL:http://www.securityfocus.com/bid/277
Reference: BUGTRAQ:19990513 - J.J.F. / Hackers Team warns for SSHD 2.x brute force password hacking
Reference: URL:http://marc.info/?l=bugtraq&m=92663402004280&w=2
Reference: XF:ssh2-bruteforce(2193)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2193

SSH server (sshd2) before 2.0.12 does not properly record login attempts if the connection is closed before the maximum number of tries, allowing a remote attacker to guess the password without showing up in the audit logs.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1030
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:267
Reference: URL:http://www.securityfocus.com/bid/267
Reference: BUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.info/?l=bugtraq&m=92713790426690&w=2
Reference: NTBUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.info/?l=ntbugtraq&m=92707671717292&w=2

counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via an HTTP request that ends in %0A (newline), which causes a malformed entry in the counter log that produces an access violation.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:http-cgi-counter-long(2196)
 Frech> XF:http-cgi-counter-long(2196)

======================================================
Name: CVE-1999-1031
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:267
Reference: URL:http://www.securityfocus.com/bid/267
Reference: BUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.info/?l=bugtraq&m=92713790426690&w=2
Reference: NTBUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.info/?l=ntbugtraq&m=92707671717292&w=2

counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via a long argument.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:http-cgi-counter-long(2196)
 Frech> XF:http-cgi-counter-long(2196)

======================================================
Name: CVE-1999-1032
Status: Entry
Reference: BID:26
Reference: URL:http://www.securityfocus.com/bid/26
Reference: CERT:CA-1991-11
Reference: URL:http://www.cert.org/advisories/CA-1991-11.html
Reference: CIAC:B-36
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-36.shtml
Reference: XF:ultrix-telnet(584)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/584

Vulnerability in LAT/Telnet Gateway (lattelnet) on Ultrix 4.1 and 4.2 allows attackers to gain root privileges.

======================================================
Name: CVE-1999-1033
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:252
Reference: URL:http://www.securityfocus.com/bid/252
Reference: BUGTRAQ:19990511 Outlook Express Win98 bug
Reference: URL:http://marc.info/?l=bugtraq&m=92647407427342&w=2
Reference: BUGTRAQ:19990512 Outlook Express Win98 bug, addition.
Reference: URL:http://marc.info/?l=bugtraq&m=92663402004275&w=2

Microsoft Outlook Express before 4.72.3612.1700 allows a malicious user to send a message that contains a .., which can inadvertently cause Outlook to re-enter POP3 command mode and cause the POP3 session to hang.
Current Votes:
   ACCEPT(2) Cole, Wall
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> (Task 2241)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:outlook-pop3-dot-dos(8926)

======================================================
Name: CVE-1999-1034
Status: Entry
Reference: BID:23
Reference: URL:http://www.securityfocus.com/bid/23
Reference: CERT:CA-1991-08
Reference: URL:http://www.cert.org/advisories/CA-1991-08.html
Reference: CIAC:B-28
Reference: URL:http://www.ciac.org/ciac/bulletins/b-28.shtml
Reference: XF:sysv-login(583)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/583

Vulnerability in login in AT&T System V Release 4 allows local users to gain privileges.

======================================================
Name: CVE-1999-1035
Status: Entry
Reference: MS:MS98-019
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-019
Reference: MSKB:Q192296
Reference: URL:http://support.microsoft.com/support/kb/articles/q192/2/96.asp
Reference: XF:iis-get-dos(1823)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1823

IIS 3.0 and 4.0 on x86 and Alpha allows remote attackers to cause a denial of service (hang) via a malformed GET request, aka the IIS "GET" vulnerability.

======================================================
Name: CVE-1999-1036
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980626 vulnerability in satan, cops & tiger
Reference: URL:http://marc.info/?l=bugtraq&m=90221103125976&w=2

COPS 1.04 allows local users to overwrite or create arbitrary files via a symlink attack on temporary files in (1) res_diff, (2) ca.src, and (3) mail.chk.
Current Votes:
   ACCEPT(1) Foat
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:cops-temp-file-symlink(7325)

======================================================
Name: CVE-1999-1037
Status: Entry
Reference: BUGTRAQ:19980626 vulnerability in satan, cops & tiger
Reference: URL:http://marc.info/?l=bugtraq&m=90221103125976&w=2
Reference: BUGTRAQ:19980627 Re: vulnerability in satan, cops & tiger
Reference: URL:http://marc.info/?l=bugtraq&m=90221103125986&w=2
Reference: OSVDB:3147
Reference: URL:http://www.osvdb.org/3147
Reference: XF:satan-rexsatan-symlink(7167)
Reference: URL:http://www.iss.net/security_center/static/7167.php

rex.satan in SATAN 1.1.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/rex.$$ file.

======================================================
Name: CVE-1999-1038
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980626 vulnerability in satan, cops & tiger
Reference: URL:http://marc.info/?l=bugtraq&m=90221103125976&w=2

Tiger 2.2.3 allows local users to overwrite arbitrary files via a symlink attack on various temporary files in Tiger's default working directory, as defined by the WORKDIR variable.

Current Votes:
   ACCEPT(1) Foat
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:tiger-workdir-symlink(7326)

======================================================
Name: CVE-1999-1039
Status: Candidate
Phase: Proposed(20010912)
Reference: SGI:19980502-01-P3030
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980502-01-P3030

Vulnerability in (1) diskalign and (2) diskperf in IRIX 6.4 patches 2291 and 2848 allows a local user to create root-owned files leading to a root compromise.
Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   REJECT(1) Frech

======================================================
Name: CVE-1999-1040
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980408 SGI O2 ipx security issue
Reference: URL:http://marc.info/?l=bugtraq&m=89217373930054&w=2
Reference: CIAC:I-055
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-055.shtml
Reference: SGI:19980501-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980501-01-P2869

Vulnerabilities in (1) ipxchk and (2) ipxlink in NetWare Client 1.0 on IRIX 6.3 and 6.4 allow local users to gain root access via a modified IFS environmental variable.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   NOOP(1) Christey
   REJECT(1) Frech

Voter Comments:
 Christey> This candidate and CVE-1999-1501 are duplicates. However, CVE-1999-1501 will be REJECTed in favor of this candidate.
   Add the following references:
   BID:70
   URL:http://www.securityfocus.com/bid/70
   BID:71
   URL:http://www.securityfocus.com/bid/71
   XF:irix-ipxchk-ipxlink-ifs-commands(7365)
   URL:http://xforce.iss.net/static/7365.php

======================================================
Name: CVE-1999-1041
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980827 SCO mscreen vul.
Reference: URL:http://www.securityfocus.com/archive/1/10420
Reference: BUGTRAQ:19980926 Root exploit for SCO OpenServer.
Reference: URL:http://marc.info/?l=bugtraq&m=90686250717719&w=2
Reference: CERT:VB-98.10
Reference: URL:http://www.cert.org/vendor_bulletins/VB-98.10.sco.mscreen
Reference: SCO:SB-98.05a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-98.05a

Buffer overflow in mscreen on SCO OpenServer 5.0 and SCO UNIX 3.2v4 allows a local user to gain root access via (1) a long TERM environmental variable and (2) a long entry in the .mscreenrc file.
Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:sco-openserver-mscreen-bo(1379)
 Christey> Possible dupe with CVE-1999-1185.

======================================================
Name: CVE-1999-1042
Status: Candidate
Phase: Proposed(20010912)
Reference: CISCO:19980813 CRM Temporary File Vulnerability
Reference: URL:http://www.cisco.com/warp/public/770/crmtmp-pub.shtml

Cisco Resource Manager (CRM) 1.0 and 1.1 creates world-readable log files and temporary files, which may expose sensitive information such as user IDs, passwords and SNMP community strings to local users.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(3) Armstrong, Balinsky, Christey

Voter Comments:
 Frech> XF:cisco-crm-file-vuln(1575)
 Armstrong> I think that this is the same as Can-1999-1126
 Balinsky> This is the same as CVE-1999-1126. Merge them.
 Christey> DUPE CVE-1999-1126, as noted by others. This candidate will be rejected. CVE-1999-1126 will be promoted.

======================================================
Name: CVE-1999-1043
Status: Candidate
Phase: Proposed(20010912)
Reference: MS:MS98-007
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-007

Microsoft Exchange Server 5.5 and 5.0 does not properly handle (1) malformed NNTP data, or (2) malformed SMTP data, which allows remote attackers to cause a denial of service (application error).
Current Votes:
   ACCEPT(3) Cole, Foat, Wall
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:exchange-dos(1223)

======================================================
Name: CVE-1999-1044
Status: Entry
Reference: CIAC:I-050
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-050.shtml
Reference: COMPAQ:SSRT0495U
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-050.shtml
Reference: XF:dgux-advfs-softlinks(7431)
Reference: URL:http://www.iss.net/security_center/static/7431.php

Vulnerability in Advanced File System Utility (advfs) in Digital UNIX 4.0 through 4.0d allows local users to gain privileges.

======================================================
Name: CVE-1999-1045
Status: Entry
Reference: BUGTRAQ:19980115 [rootshell] Security Bulletin #7
Reference: URL:http://marc.info/?l=bugtraq&m=88490880523890&w=2
Reference: BUGTRAQ:19980115 pnserver exploit..
Reference: URL:http://marc.info/?l=bugtraq&m=88492978527261&w=2
Reference: BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?
Reference: URL:http://marc.info/?l=bugtraq&m=90338245305236&w=2
Reference: MISC:http://service.real.com/help/faq/serv501.html
Reference: OSVDB:6979
Reference: URL:http://www.osvdb.org/6979
Reference: XF:realserver-pnserver-remote-dos(7297)
Reference: URL:http://www.iss.net/security_center/static/7297.php

pnserver in RealServer 5.0 and earlier allows remote attackers to cause a denial of service by sending a short, malformed request.
======================================================
Name: CVE-1999-1046
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:504
Reference: URL:http://www.securityfocus.com/bid/504
Reference: BUGTRAQ:19990302 Multiple IMail Vulnerabilites
Reference: URL:http://marc.info/?l=bugtraq&m=92038879607336&w=2
Reference: XF:imail-imonitor-overflow(1897)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1897

Buffer overflow in IMonitor in IMail 5.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 8181.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1047
Status: Entry
Reference: BUGTRAQ:19991018 Gauntlet 5.0 BSDI warning
Reference: URL:http://marc.info/?l=bugtraq&m=94026690521279&w=2
Reference: BUGTRAQ:19991019 Re: Gauntlet 5.0 BSDI warning
Reference: URL:http://marc.info/?l=bugtraq&m=94036662326185&w=2
Reference: XF:gauntlet-bsdi-bypass(3397)
Reference: URL:http://www.iss.net/security_center/static/3397.php

When BSDI patches for Gauntlet 5.0 BSDI are installed in a particular order, Gauntlet allows remote attackers to bypass firewall access restrictions, and does not log the activities.
====================================================== Name: CVE-1999-1048 Status: Entry Reference: BUGTRAQ:19970821 Buffer overflow in /bin/bash Reference: URL:http://marc.info/?l=bugtraq&m=87602746719555&w=2 Reference: BUGTRAQ:19980905 BASH buffer overflow, LiNUX x86 exploit Reference: URL:http://www.securityfocus.com/archive/1/10542 Reference: DEBIAN:19980909 problem with very long pathnames Reference: URL:http://www.debian.org/security/1998/19980909 Reference: OSVDB:8345 Reference: URL:http://www.osvdb.org/8345 Reference: XF:linux-bash-bo(3414) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3414 Buffer overflow in bash 2.0.0, 1.4.17, and other versions allows local attackers to gain privileges by creating an extremely large directory name, which is inserted into the password prompt via the \w option in the PS1 environmental variable when another user changes into that directory. ====================================================== Name: CVE-1999-1049 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990222 Severe Security Hole in ARCserve NT agents (fwd) Reference: URL:http://marc.info/?l=bugtraq&m=91972006211238&w=2 ARCserve NT agents use weak encryption (XOR) for passwords, which allows remote attackers to sniff the authentication request to port 6050 and decrypt the password. 
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:arcserve-agent-passwords(1822) ====================================================== Name: CVE-1999-1050 Status: Candidate Phase: Proposed(20010912) Reference: BID:798 Reference: URL:http://www.securityfocus.com/bid/798 Reference: BID:799 Reference: URL:http://www.securityfocus.com/bid/799 Reference: BUGTRAQ:19991112 FormHandler.cgi Reference: URL:http://www.securityfocus.com/archive/1/34600 Reference: BUGTRAQ:19991116 Re: FormHandler.cgi Reference: URL:http://www.securityfocus.com/archive/1/34939 Reference: XF:formhandler-cgi-absolute-path(3550) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3550 Directory traversal vulnerability in Matt Wright FormHandler.cgi script allows remote attackers to read arbitrary files via (1) a .. (dot dot) in the reply_message_attach attachment parameter, or (2) by specifying the filename as a template. Current Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall REVIEWING(1) Christey Voter Comments: Christey> Abstraction and definition issue: CD:SF-LOC suggests combining issues of the same type. Some people refer to "directory traversal" and just mean .. problems; but there are other issues (specifying an absolute pathname, using C: drive letters, doing encodings) that, to my way of thinking, are "different." Perhaps this should be split. My brain hurts too much right now. There are a couple problems with the references and descriptions of CVE-1999-1050 and CVE-1999-1051. I'm interpreting the underlying nature of the problem(s) a little differently than others are. Some of it may be due to differing definitions or thoughts about what "directory traversal vulnerabilities" are. 
====================================================== Name: CVE-1999-1051 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19991116 Re: FormHandler.cgi Reference: URL:http://www.securityfocus.com/archive/1/34939 Default configuration in Matt Wright FormHandler.cgi script allows arbitrary directories to be used for attachments, and only restricts access to the /etc/ directory, which allows remote attackers to read arbitrary files via the reply_message_attach attachment parameter. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall REVIEWING(1) Christey Voter Comments: Frech> XF:formhandler-cgi-reply-message(7782) Christey> I view one of these as a configuration issue: FormHandler.cgi *could* be configured to limit hard-coded pathnames to a single directory which, while being an information leak, would still be "reasonably secure." But by default, it's just not configured that way. My brain hurts too much right now. There are a couple problems with the references and descriptions of CVE-1999-1050 and CVE-1999-1051. I'm interpreting the underlying nature of the problem(s) a little differently than others are. Some of it may be due to differing definitions or thoughts about what "directory traversal vulnerabilities" are. ====================================================== Name: CVE-1999-1052 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990824 Front Page form_results Reference: URL:http://marc.info/?l=bugtraq&m=93582550911564&w=2 Microsoft FrontPage stores form results in a default location in /_private/form_results.txt, which is world-readable and accessible in the document root, which allows remote attackers to read possibly sensitive information submitted by other users. 
Current Votes: ACCEPT(1) Wall MODIFY(1) Frech NOOP(2) Cole, Foat Voter Comments: Frech> XF:frontpage-formresults-world-readable(8362) ====================================================== Name: CVE-1999-1053 Status: Candidate Phase: Proposed(20010912) Reference: BID:776 Reference: URL:http://www.securityfocus.com/bid/776 Reference: BUGTRAQ:19991105 Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Reference: URL:http://www.securityfocus.com/archive/1/33674 Reference: VULN-DEV:19990913 Guestbook perl script (long) Reference: URL:http://www.securityfocus.com/archive/82/27296 Reference: VULN-DEV:19990916 Re: Guestbook perl script (error fix) Reference: URL:http://www.securityfocus.com/archive/82/27560 guestbook.pl cleanses user-inserted SSI commands by removing text between "<!--" and "-->" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "-->". Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:guestbook-cgi-command-execution(7783) ====================================================== Name: CVE-1999-1054 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19980925 Globetrotter FlexLM 'lmdown' bogosity Reference: URL:http://marc.info/?l=bugtraq&m=90675672323825&w=2 The default configuration of FLEXlm license manager 6.0d, and possibly other versions, allows remote attackers to shut down the server via the lmdown command. 
Current Votes: ACCEPT(1) Cole NOOP(2) Foat, Wall ====================================================== Name: CVE-1999-1055 Status: Entry Reference: BID:179 Reference: URL:http://www.securityfocus.com/bid/179 Reference: MS:MS98-018 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-018 Reference: XF:excel-call(1737) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1737 Microsoft Excel 97 does not warn the user before executing worksheet functions, which could allow attackers to execute arbitrary commands by using the CALL function to execute a malicious DLL, aka the Excel "CALL Vulnerability." ====================================================== Name: CVE-1999-1056 Status: Candidate Phase: Modified(20050204) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1395. Reason: This candidate is a duplicate of CVE-1999-1395. Notes: All CVE users should reference CVE-1999-1395 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) Wall REJECT(1) Christey Voter Comments: Frech> XF:vms-monitor-gain-privileges(7136) Christey> DUPE CVE-1999-1395 This CAN is being rejected in favor of CVE-1999-1395 because CVE-1999-1395 has more references. ====================================================== Name: CVE-1999-1057 Status: Entry Reference: BID:12 Reference: URL:http://www.securityfocus.com/bid/12 Reference: CERT:CA-1990-07 Reference: URL:http://www.cert.org/advisories/CA-1990-07.html Reference: CIAC:B-04 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-04.shtml Reference: XF:vms-analyze-processdump-privileges(7137) Reference: URL:http://www.iss.net/security_center/static/7137.php VMS 4.0 through 5.3 allows local users to gain privileges via the ANALYZE/PROCESS_DUMP dcl command. 
====================================================== Name: CVE-1999-1058 Status: Candidate Phase: Proposed(20010912) Reference: BID:818 Reference: URL:http://www.securityfocus.com/bid/818 Reference: BUGTRAQ:19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability Reference: URL:http://marc.info/?l=bugtraq&m=94329968617085&w=2 Reference: NTBUGTRAQ:19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability Reference: URL:http://marc.info/?l=ntbugtraq&m=94337185023159&w=2 Reference: XF:vermillion-ftp-cwd-overflow(3543) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3543 Buffer overflow in Vermillion FTP Daemon VFTPD 1.23 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via several long CWD commands. Current Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall ====================================================== Name: CVE-1999-1059 Status: Entry Reference: BID:36 Reference: URL:http://www.securityfocus.com/bid/36 Reference: CERT:CA-1992-04 Reference: URL:http://www.cert.org/advisories/CA-1992-04.html Reference: XF:att-rexecd(3159) Reference: URL:http://www.iss.net/security_center/static/3159.php Vulnerability in rexec daemon (rexecd) in AT&T TCP/IP 4.0 for various SVR4 systems allows remote attackers to execute arbitrary commands. ====================================================== Name: CVE-1999-1060 Status: Candidate Phase: Proposed(20010912) Reference: BID:340 Reference: URL:http://www.securityfocus.com/bid/340 Reference: BUGTRAQ:19990217 Tetrix 1.13.16 is Vulnerable Reference: URL:http://marc.info/?l=bugtraq&m=91937090211855&w=2 Buffer overflow in Tetrix TetriNet daemon 1.13.16 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by connecting to port 31457 from a host with a long DNS hostname. 
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:tetrinet-dns-hostname-bo(7500) ====================================================== Name: CVE-1999-1061 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19971004 HP Laserjet 4M Plus DirectJet Problem Reference: URL:http://marc.info/?l=bugtraq&m=87602248518480&w=2 Reference: XF:laserjet-unpassworded(1876) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1876 HP Laserjet printers with JetDirect cards, when configured with TCP/IP, can be configured without a password, which allows remote attackers to connect to the printer and change its IP address or disable logging. Current Votes: ACCEPT(2) Cole, Frech NOOP(1) Foat Voter Comments: Frech> CONFIRM:http://www.hp.com/cposupport/printers/support_doc/bpl 02914.html ====================================================== Name: CVE-1999-1062 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19971004 HP Laserjet 4M Plus DirectJet Problem Reference: URL:http://marc.info/?l=bugtraq&m=87602248518480&w=2 Reference: XF:laserjet-unpassworded(1876) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1876 HP Laserjet printers with JetDirect cards, when configured with TCP/IP, allow remote attackers to bypass print filters by directly sending PostScript documents to TCP ports 9099 and 9100. 
Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(1) Foat Voter Comments: Frech> DELREF:XF:laserjet-unpassworded(1876) ADDREF:XF:hp-printer-flood(1818) ====================================================== Name: CVE-1999-1063 Status: Candidate Phase: Proposed(20010912) Reference: BID:304 Reference: URL:http://www.securityfocus.com/bid/304 Reference: BUGTRAQ:19990601 whois_raw.cgi problem Reference: URL:http://www.securityfocus.com/archive/1/14019 Reference: XF:http-cgi-cdomain(2251) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2251 CDomain whois_raw.cgi whois CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the fqdn parameter. Current Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1064 Status: Candidate Phase: Proposed(20010912) Reference: BID:596 Reference: URL:http://www.securityfocus.com/bid/596 Reference: BUGTRAQ:19990822 Reference: URL:http://marc.info/?l=bugtraq&m=93555317429630&w=2 Reference: BUGTRAQ:19990824 Re: WindowMaker bugs (was sub:none ) Reference: URL:http://marc.info/?l=bugtraq&m=93582070508957&w=2 Multiple buffer overflows in WindowMaker 0.52 through 0.60.0 allow attackers to cause a denial of service and possibly execute arbitrary commands by executing WindowMaker with a long program name (argv[0]). Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:windowmaker-bo(3249) Frech> XF:windowmaker-bo(3249) ====================================================== Name: CVE-1999-1065 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19991104 Palm Hotsync vulnerable to DoS attack Reference: URL:http://marc.info/?l=bugtraq&m=94175465525422&w=2 Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 14238 while the manager is in network mode. 
Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Foat, Wall Voter Comments: Frech> XF:palm-hotsync-bo(7785) ====================================================== Name: CVE-1999-1066 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19991222 Quake "smurf" - Quake War Utils Reference: URL:http://marc.info/?l=bugtraq&m=94589559631535&w=2 Quake 1 server responds to an initial UDP game connection request with a large amount of traffic, which allows remote attackers to use the server as an amplifier in a "Smurf" style attack on another host, by spoofing the connection request. Current Votes: MODIFY(1) Frech NOOP(4) Christey, Cole, Foat, Wall Voter Comments: Christey> This is apparently a problem with the connection protocol. See BUGTRAQ:19980522 NetQuake Protocol problem resulting in smurf like effect. URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925989&w=2 Frech> XF:quake-udp-connection-dos(7862) ====================================================== Name: CVE-1999-1067 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in webdist.cgi Reference: URL:http://marc.info/?l=bugtraq&m=87602167420919&w=2 Reference: XF:sgi-machineinfo SGI MachineInfo CGI program, installed by default on some web servers, prints potentially sensitive system status information, which could be used by remote attackers for information gathering activities. Current Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Voter Comments: Frech> I'd be a lot more confident in this vote if there was a more concrete reference strongly associating webdist.cgi and machineinfo. 
====================================================== Name: CVE-1999-1068 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19970723 DoS against Oracle Webserver 2.1 with PL/SQL stored procedures Reference: URL:http://marc.info/?l=bugtraq&m=87602661419366&w=2 Oracle Webserver 2.1, when serving PL/SQL stored procedures, allows remote attackers to cause a denial of service via a long HTTP GET request. Current Votes: MODIFY(1) Frech NOOP(2) Cole, Foat Voter Comments: Frech> XF:oracle-webserver-dos(1812) ====================================================== Name: CVE-1999-1069 Status: Candidate Phase: Proposed(20010912) Reference: BID:2126 Reference: URL:http://www.securityfocus.com/bid/2126 Reference: BUGTRAQ:19971108 Security bug in iCat Suite version 3.0 Reference: URL:http://www.securityfocus.com/archive/1/7943 Reference: XF:icat-carbo-server-vuln(1620) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1620 Directory traversal vulnerability in carbo.dll in iCat Carbo Server 3.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the icatcommand parameter. Current Votes: ACCEPT(2) Cole, Frech NOOP(1) Foat Voter Comments: Frech> iCat's site at http://www.icat.com/ is shut down, and no further support seems to be available. ====================================================== Name: CVE-1999-1070 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19980725 Annex DoS Reference: URL:http://www.securityfocus.com/archive/1/10021 Buffer overflow in ping CGI program in Xylogics Annex terminal service allows remote attackers to cause a denial of service via a long query parameter. 
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:annex-ping-crash(2090) ====================================================== Name: CVE-1999-1071 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1 Reference: URL:http://marc.info/?l=bugtraq&m=91248445931140&w=2 Reference: XF:excite-world-write(1417) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1417 Excite for Web Servers (EWS) 1.1 installs the Architext.conf authentication file with world-writeable permissions, which allows local users to gain access to Excite accounts by modifying the file. Current Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1072 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1 Reference: URL:http://marc.info/?l=bugtraq&m=91248445931140&w=2 Excite for Web Servers (EWS) 1.1 allows local users to gain privileges by obtaining the encrypted password from the world-readable Architext.conf authentication file and replaying the encrypted password in an HTTP request to AT-generated.cgi or AT-admin.cgi. Current Votes: NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1073 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1 Reference: URL:http://marc.info/?l=bugtraq&m=91248445931140&w=2 Excite for Web Servers (EWS) 1.1 records the first two characters of a plaintext password in the beginning of the encrypted password, which makes it easier for an attacker to guess passwords via a brute force or dictionary attack. Current Votes: NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1074 Status: Entry Reference: BID:98 Reference: URL:http://www.securityfocus.com/bid/98 Reference: BUGTRAQ:19980501 Warning! 
Webmin Security Advisory Reference: URL:http://www.securityfocus.com/archive/1/9138 Reference: CONFIRM:http://www.webmin.com/webmin/changes.html Webmin before 0.5 does not restrict the number of invalid passwords that are entered for a valid username, which could allow remote attackers to gain privileges via brute force password cracking. ====================================================== Name: CVE-1999-1075 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19980318 AIX 4.1.5 DoS attack (aka "Port 1025 problem") Reference: URL:http://marc.info/?l=bugtraq&m=89025820612530&w=2 inetd in AIX 4.1.5 dynamically assigns a port N when starting ttdbserver (ToolTalk server), but also inadvertently listens on port N-1 without passing control to ttdbserver, which allows remote attackers to cause a denial of service via a large number of connections to port N-1, which are not properly closed by inetd. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:aix-ttdbserver(813) CONFIRM:APAR IX70400 ====================================================== Name: CVE-1999-1076 Status: Candidate Phase: Proposed(20010912) Reference: BID:745 Reference: URL:http://www.securityfocus.com/bid/745 Reference: BUGTRAQ:19991026 Mac OS 9 Idle Lock Bug Reference: URL:http://marc.info/?l=bugtraq&m=94096348604173&w=2 Idle locking function in MacOS 9 allows local users to bypass the password protection of idled sessions by selecting the "Log Out" option and selecting a "Cancel" option in the dialog box for an application that attempts to verify that the user wants to log out, which returns the attacker into the locked session. 
Current Votes: ACCEPT(2) Cole, Foat MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:macos-idle-screenlock-bypass(7794) ====================================================== Name: CVE-1999-1077 Status: Candidate Phase: Proposed(20010912) Reference: BID:756 Reference: URL:http://www.securityfocus.com/bid/756 Reference: BUGTRAQ:19991101 Re: Mac OS 9 Idle Lock Bug Reference: URL:http://marc.info/?l=bugtraq&m=94149318124548&w=2 Idle locking function in MacOS 9 allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock. Current Votes: ACCEPT(2) Cole, Foat MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:macos-debug-screenlock-access(3426) ====================================================== Name: CVE-1999-1078 Status: Candidate Phase: Proposed(20010912) Reference: BID:547 Reference: URL:http://www.securityfocus.com/bid/547 Reference: NTBUGTRAQ:19990729 WS_FTP Pro 6.0 Weak Password Encryption Vulnerability Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9907&L=ntbugtraq&D=0&P=10370&F=P WS_FTP Pro 6.0 uses weak encryption for passwords in its initialization files, which allows remote attackers to easily decrypt the passwords and gain privileges. 
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:wsftp-weak-password-encryption(8349) ====================================================== Name: CVE-1999-1079 Status: Candidate Phase: Proposed(20010912) Reference: AIXAPAR:IX80470 Reference: URL:http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&org=apars&doc=08E0B1A1B85472A1852567C90031BB36 Reference: BID:439 Reference: URL:http://www.securityfocus.com/bid/439 Reference: BUGTRAQ:19990506 AIX Security Fixes Update Reference: URL:http://marc.info/?l=bugtraq&m=92601792420088&w=2 Reference: BUGTRAQ:19990825 AIX security summary Reference: URL:http://marc.info/?l=bugtraq&m=93587956513233&w=2 Vulnerability in ptrace in AIX 4.3 allows local users to gain privileges by attaching to a setgid program. Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:aix-ptrace-setgid(7487) ====================================================== Name: CVE-1999-1080 Status: Entry Reference: BID:250 Reference: URL:http://www.securityfocus.com/bid/250 Reference: BUGTRAQ:19990510 SunOS 5.7 rmmount, no nosuid. Reference: URL:http://marc.info/?l=bugtraq&m=92633694100270&w=2 Reference: BUGTRAQ:19991011 Reference: URL:http://marc.info/?l=bugtraq&m=93971288323395&w=2 Reference: SUNBUG:4205437 Reference: XF:solaris-rmmount-gain-root(8350) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/8350 rmmount in SunOS 5.7 may mount file systems without the nosuid flag set, contrary to the documentation and its use in previous versions of SunOS, which could allow local users with physical access to gain root privileges by mounting a floppy or CD-ROM that contains a setuid program and running volcheck, when the file systems do not have the nosuid option specified in rmmount.conf. 
====================================================== Name: CVE-1999-1081 Status: Candidate Phase: Proposed(20010912) Reference: MISC:http://www.roxanne.org/faqs/www-secure/wwwsf4.html#Q35 Reference: MISC:http://www.w3.org/Security/Faq/wwwsf8.html#Q87 Reference: XF:http-nov-files(2054) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2054 Vulnerability in files.pl script in Novell WebServer Examples Toolkit 2 allows remote attackers to read arbitrary files. Current Votes: ACCEPT(2) Cole, Frech NOOP(1) Foat ====================================================== Name: CVE-1999-1082 Status: Candidate Phase: Proposed(20010912) Reference: BID:699 Reference: URL:http://www.securityfocus.com/bid/699 Reference: BUGTRAQ:19991008 Jana webserver exploit Reference: URL:http://marc.info/?l=bugtraq&m=93941794201059&w=2 Directory traversal vulnerability in Jana proxy web server 1.40 allows remote attackers to ready arbitrary files via a "......" (modified dot dot) attack. Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Foat, Wall Voter Comments: Frech> XF:jana-server-directory-traversal(6513) ====================================================== Name: CVE-1999-1083 Status: Candidate Phase: Proposed(20010912) Reference: BID:699 Reference: URL:http://www.securityfocus.com/bid/699 Reference: BUGTRAQ:20000502 Security Bug in Jana HTTP Server Reference: URL:http://marc.info/?l=bugtraq&m=95730430727064&w=2 Directory traversal vulnerability in Jana proxy web server 1.45 allows remote attackers to ready arbitrary files via a .. (dot dot) attack. 
Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(3) Christey, Foat, Wall Voter Comments: Frech> XF:jana-server-directory-traversal(6513) Christey> MODIFY description - the attack is of the form "/./../" (single dot followed by double-dot) ====================================================== Name: CVE-1999-1084 Status: Candidate Phase: Proposed(20010912) Reference: BID:1044 Reference: URL:http://www.securityfocus.com/bid/1044 Reference: CIAC:K-029 Reference: URL:http://www.ciac.org/ciac/bulletins/k-029.shtml Reference: MS:MS00-008 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-008 Reference: MSKB:Q103861 Reference: URL:http://support.microsoft.com/support/kb/articles/q103/8/61.asp Reference: NTBUGTRAQ:19980622 Yet another "get yourself admin rights exploit": Reference: URL:http://marc.info/?l=ntbugtraq&m=90222453431604&w=2 The "AEDebug" registry key is installed with insecure permissions, which allows local users to modify the key to specify a Trojan Horse debugger which is automatically executed on a system crash. 
Current Votes: ACCEPT(3) Cole, Foat, Wall MODIFY(1) Frech Voter Comments: Frech> XF:nt-registry-permissions(4111) ====================================================== Name: CVE-1999-1085 Status: Entry Reference: BUGTRAQ:19980612 CORE-SDI-04: SSH insertion attack Reference: URL:http://marc.info/?l=bugtraq&m=90221103125884&w=2 Reference: BUGTRAQ:19980703 UPDATE: SSH insertion attack Reference: URL:http://marc.info/?l=bugtraq&m=90221104525878&w=2 Reference: CERT-VN:VU#13877 Reference: URL:http://www.kb.cert.org/vuls/id/13877 Reference: CISCO:20010627 Multiple SSH Vulnerabilities Reference: XF:ssh-insert(1126) Reference: URL:http://www.iss.net/security_center/static/1126.php SSH 1.2.25, 1.2.23, and other versions, when used in in CBC (Cipher Block Chaining) or CFB (Cipher Feedback 64 bits) modes, allows remote attackers to insert arbitrary data into an existing stream between an SSH client and server by using a known plaintext attack and computing a valid CRC-32 checksum for the packet, aka the "SSH insertion attack." ====================================================== Name: CVE-1999-1086 Status: Candidate Phase: Proposed(20010912) Reference: BID:528 Reference: URL:http://www.securityfocus.com/bid/528 Reference: BUGTRAQ:19990715 NMRC Advisory: Netware 5 Client Hijacking Reference: URL:http://marc.info/?l=bugtraq&m=93214475111651&w=2 Novell 5 and earlier, when running over IPX with a packet signature level less than 3, allows remote attackers to gain administrator privileges by spoofing the MAC address in IPC fragmented packets that make NetWare Core Protocol (NCP) calls. 
Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Foat, Wall Voter Comments: Frech> XF:netware-ipx-session-spoof(2350) ====================================================== Name: CVE-1999-1087 Status: Entry Reference: CONFIRM:http://www.microsoft.com/Windows/Ie/security/dotless.asp Reference: MS:MS98-016 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-016 Reference: MSKB:Q168617 Reference: URL:http://support.microsoft.com/support/kb/articles/q168/6/17.asp Reference: OSVDB:7828 Reference: URL:http://www.osvdb.org/7828 Reference: XF:ie-dotless(2209) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2209 Internet Explorer 4 treats a 32-bit number ("dotless IP address") in the a URL as the hostname instead of an IP address, which causes IE to apply Local Intranet Zone settings to the resulting web page, allowing remote malicious web servers to conduct unauthorized activities by using URLs that contain the dotless IP address for their server. ====================================================== Name: CVE-1999-1088 Status: Candidate Phase: Proposed(20010912) Reference: CIAC:H-21 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml Reference: HP:HPSBUX9701-050 Reference: XF:hp-chsh(2012) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2012 Vulnerability in chsh command in HP-UX 9.X through 10.20 allows local users to gain privileges. Current Votes: ACCEPT(4) Cole, Foat, Frech, Stracener ====================================================== Name: CVE-1999-1089 Status: Candidate Phase: Proposed(20010912) Reference: AUSCERT:AA-96.18 Reference: BUGTRAQ:19961209 the HP Bug of the Week! 
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420285&w=2 Reference: CIAC:H-16 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-16.shtml Reference: CIAC:H-21 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml Reference: HP:HPSBUX9701-049 Reference: XF:hp-chfn(2008) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2008 Buffer overflow in chfn command in HP-UX 9.X through 10.20 allows local users to gain privileges via a long command line argument. Current Votes: ACCEPT(4) Cole, Foat, Frech, Stracener ====================================================== Name: CVE-1999-1090 Status: Entry Reference: CERT:CA-1991-15 Reference: URL:http://www.cert.org/advisories/CA-1991-15.html Reference: XF:ftp-ncsa(1844) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1844 The default configuration of NCSA Telnet package for Macintosh and PC enables FTP, even though it does not include an "ftp=yes" line, which allows remote attackers to read and modify arbitrary files. ====================================================== Name: CVE-1999-1091 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19960903 Re: BoS: [BUG] Vulnerability in TIN Reference: URL:http://marc.info/?l=bugtraq&m=87602167419839&w=2 Reference: BUGTRAQ:19960903 [BUG] Vulnerability in TIN Reference: URL:http://marc.info/?l=bugtraq&m=87602167419835&w=2 Reference: BUGTRAQ:19970329 symlink bug in tin/rtin Reference: URL:http://marc.info/?l=bugtraq&m=87602167420726&w=2 Reference: XF:tin-tmpfile(431) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/431 UNIX news readers tin and rtin create the /tmp/.tin_log file with insecure permissions and follow symlinks, which allows attackers to modify the permissions of files writable by the user via a symlink attack. 
Current Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat ====================================================== Name: CVE-1999-1092 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19991117 default permissions for tin Reference: URL:http://marc.info/?l=bugtraq&m=94286179032648&w=2 tin 1.40 creates the .tin directory with insecure permissions, which allows local users to read passwords from the .inputhistory file. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:tin-insecure-permissions(7796) Confirmed in changelog for 1.4.1 http://ftp.kreonet.re.kr/pub/tools/news/tin/v1.4/CHANGES ====================================================== Name: CVE-1999-1093 Status: Entry Reference: MS:MS98-011 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-011 Reference: MSKB:Q191200 Reference: URL:http://support.microsoft.com/support/kb/articles/q191/2/00.asp Reference: XF:java-script-patch(1276) Reference: URL:http://www.iss.net/security_center/static/1276.php Buffer overflow in the Window.External function in the JScript Scripting Engine in Internet Explorer 4.01 SP1 and earlier allows remote attackers to execute arbitrary commands via a malicious web page. ====================================================== Name: CVE-1999-1094 Status: Entry Reference: BUGTRAQ:19980114 L0pht Advisory MSIE4.0(1) Reference: URL:http://marc.info/?l=bugtraq&m=88480839506155&w=2 Reference: MSKB:Q176697 Reference: URL:http://support.microsoft.com/support/kb/articles/q176/6/97.asp Reference: XF:iemk-bug(917) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/917 Buffer overflow in Internet Explorer 4.01 and earlier allows remote attackers to execute arbitrary commands via a long URL with the "mk:" protocol, aka the "MK Overrun security issue." 
======================================================
Name: CVE-1999-1095
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19971006 KSR[T] Advisory #3: updatedb / crontabs
Reference: URL:http://marc.info/?l=bugtraq&m=87619953510834&w=2
Reference: BUGTRAQ:19980302 overwrite any file with updatedb
Reference: URL:http://marc.info/?l=bugtraq&m=88886870129518&w=2
Reference: BUGTRAQ:19980303 updatedb stuff
Reference: URL:http://marc.info/?l=bugtraq&m=88890116304676&w=2
Reference: BUGTRAQ:19980303 updatedb: sort patch

sort creates temporary files and follows symbolic links, which allows local users to modify arbitrary files that are writable by the user running sort, as observed in updatedb and other programs that use sort.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Christey, Cole, Foat

Voter Comments:
 Frech> XF:sort-tmp-file-symlink(7182)
 Christey> This issue clearly has a long history.
   CALDERA:CSSA-2002-SCO.21
   URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0018.html
   CALDERA:CSSA-2002-SCO.2
   URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0002.html
   (There are 2 Caldera advisories because one is for Open UNIX and UnixWare, and the other is for OpenServer)
   XF:openserver-sort-symlink(9218)
   URL:http://www.iss.net/security_center/static/9218.php

======================================================
Name: CVE-1999-1096
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980516 kde exploit
Reference: URL:http://marc.info/?l=bugtraq&m=90221101925954&w=2
Reference: BUGTRAQ:19980517 simple kde exploit fix
Reference: URL:http://marc.info/?l=bugtraq&m=90221101925959&w=2
Reference: XF:kde-klock-home-bo(1644)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1644

Buffer overflow in kscreensaver in KDE klock allows local users to gain root privileges via a long HOME environmental variable.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1097
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990504 Microsoft Netmeeting Hole
Reference: URL:http://marc.info/?l=bugtraq&m=92586457816446&w=2
Reference: XF:netmeeting-clipboard(2187)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2187

Microsoft NetMeeting 2.1 allows one client to read the contents of another client's clipboard via a CTRL-C in the chat box when the box is empty.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1098
Status: Entry
Reference: CERT:CA-1995-03
Reference: URL:http://www.cert.org/advisories/CA-1995-03.html
Reference: CIAC:F-12
Reference: URL:http://www.ciac.org/ciac/bulletins/f-12.shtml
Reference: OSVDB:4881
Reference: URL:http://www.osvdb.org/4881
Reference: XF:bsd-telnet(516)
Reference: URL:http://www.iss.net/security_center/static/516.php

Vulnerability in BSD Telnet client with encryption and Kerberos 4 authentication allows remote attackers to decrypt the session via sniffing.

======================================================
Name: CVE-1999-1099
Status: Entry
Reference: BUGTRAQ:19961122 L0pht Kerberos Advisory
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420184&w=2
Reference: XF:kerberos-user-grab(65)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/65

Kerberos 4 allows remote attackers to obtain sensitive information via a malformed UDP packet that generates an error string that inadvertently includes the realm name and the last user.
======================================================
Name: CVE-1999-1100
Status: Entry
Reference: CIAC:I-056
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-056.shtml
Reference: CISCO:19980616 PIX Private Link Key Processing and Cryptography Issues
Reference: URL:http://www.cisco.com/warp/public/770/pixkey-pub.shtml
Reference: XF:cisco-pix-parse-error(1579)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1579

Cisco PIX Private Link 4.1.6 and earlier does not properly process certain commands in the configuration file, which reduces the effective key length of the DES key to 48 bits instead of 56 bits, which makes it easier for an attacker to find the proper key via a brute force attack.

======================================================
Name: CVE-1999-1101
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990219 Yet Another password storing problem (was: Re: Possible Netscape Crypto Security Flaw)
Reference: URL:http://www.securityfocus.com/archive/1/12618

Kabsoftware Lydia utility uses weak encryption to store user passwords in the lydia.ini file, which allows local users to easily decrypt the passwords and gain privileges.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:lydia-ini-passwords(7501)
   ADDREF:http://www.kabsoftware.com/lydia_history.txt (Version History for Lydia, V3.3 - 11/24/00)

======================================================
Name: CVE-1999-1102
Status: Entry
Reference: BUGTRAQ:19940307 8lgm Advisory Releases
Reference: URL:http://www.aenigma.net/resources/maillist/bugtraq/1994/0091.htm
Reference: CIAC:E-25a
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/e-25.shtml
Reference: MISC:http://www.phreak.org/archives/security/8lgm/8lgm.lpr

lpr on SunOS 4.1.1, BSD 4.3, A/UX 2.0.1, and other BSD-based operating systems allows local users to create or overwrite arbitrary files via a symlink attack that is triggered after invoking lpr 1000 times.
======================================================
Name: CVE-1999-1103
Status: Entry
Reference: CERT:VB-96.05
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.05.dec
Reference: CIAC:G-18
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/g-18.shtml
Reference: MISC:http://www.tao.ca/fire/bos/0209.html
Reference: XF:osf-dxconsole-gain-privileges(7138)
Reference: URL:http://www.iss.net/security_center/static/7138.php

dxconsole in DEC OSF/1 3.2C and earlier allows local users to read arbitrary files by specifying the file with the -file parameter.

======================================================
Name: CVE-1999-1104
Status: Entry
Reference: BUGTRAQ:19951205 Cracked: WINDOWS.PWL
Reference: URL:http://marc.info/?l=bugtraq&m=87602167418931&w=2
Reference: BUGTRAQ:19980120 How to recover private keys for various Microsoft products
Reference: URL:http://marc.info/?l=bugtraq&m=88536273725787&w=2
Reference: MSKB:Q140557
Reference: URL:http://support.microsoft.com/support/kb/articles/q140/5/57.asp
Reference: NTBUGTRAQ:19980121 How to recover private keys for various Microsoft products
Reference: URL:http://marc.info/?l=ntbugtraq&m=88540877601866&w=2
Reference: XF:win95-nbsmbpwl(71)
Reference: URL:http://www.iss.net/security_center/static/71.php

Windows 95 uses weak encryption for the password list (.pwl) file used when password caching is enabled, which allows local users to gain privileges by decrypting the passwords.
======================================================
Name: CVE-1999-1105
Status: Entry
Reference: CONFIRM:http://www.zdnet.com/eweek/reviews/1016/tr42bug.html
Reference: MISC:http://www.net-security.sk/bugs/NT/netware1.html
Reference: XF:win95-netware-hidden-share(7231)
Reference: URL:http://www.iss.net/security_center/static/7231.php

Windows 95, when Remote Administration and File Sharing for NetWare Networks is enabled, creates a share (C$) when an administrator logs in remotely, which allows remote attackers to read arbitrary files by mapping the network drive.

======================================================
Name: CVE-1999-1106
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:92
Reference: URL:http://www.securityfocus.com/bid/92
Reference: BUGTRAQ:19980429 Security hole in kppp
Reference: URL:http://www.securityfocus.com/archive/1/9121
Reference: XF:kde-kppp-account-bo(1643)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1643

Buffer overflow in kppp in KDE allows local users to gain root access via a long -c (account_name) command line argument.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1107
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
Reference: URL:http://marc.info/?l=bugtraq&m=91141486301691&w=2
Reference: XF:kde-kppp-path-bo(1650)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1650

Buffer overflow in kppp in KDE allows local users to gain root access via a long PATH environmental variable.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1108
Status: Candidate
Phase: Modified(20050204)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1107. Reason: This candidate is a duplicate of CVE-1999-1107.
Notes: All CVE users should reference CVE-1999-1107 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Current Votes:
   ACCEPT(1) Cole
   NOOP(2) Foat, Wall
   REJECT(2) Christey, Frech

Voter Comments:
 Frech> Has exactly the same attributes as CVE-1999-1107.
 Christey> DUPE CVE-1999-1107.

======================================================
Name: CVE-1999-1109
Status: Entry
Reference: BID:904
Reference: URL:http://www.securityfocus.com/bid/904
Reference: BUGTRAQ:19991222 Re: procmail / Sendmail - five bugs
Reference: URL:http://marc.info/?l=bugtraq&m=94632241202626&w=2
Reference: BUGTRAQ:20000113 Re: procmail / Sendmail - five bugs
Reference: URL:http://marc.info/?l=bugtraq&m=94780566911948&w=2
Reference: XF:sendmail-etrn-dos(7760)
Reference: URL:http://www.iss.net/security_center/static/7760.php

Sendmail before 8.10.0 allows remote attackers to cause a denial of service by sending a series of ETRN commands then disconnecting from the server, while Sendmail continues to process the commands after the connection has been terminated.

======================================================
Name: CVE-1999-1110
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:793
Reference: URL:http://www.securityfocus.com/bid/793
Reference: BUGTRAQ:19991114 IE 5.0 and Windows Media Player ActiveX object allow checking the existence of local files and directories
Reference: URL:http://www.securityfocus.com/archive/1/34675

Windows Media Player ActiveX object as used in Internet Explorer 5.0 returns a specific error code when a file does not exist, which allows remote malicious web sites to determine the existence of files on the client.
Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:ie-mediaplayer-activex(7800)

======================================================
Name: CVE-1999-1111
Status: Entry
Reference: BID:786
Reference: URL:http://www.securityfocus.com/bid/786
Reference: BUGTRAQ:19911109 ImmuniX OS Security Alert: StackGuard 1.21 Released
Reference: URL:http://marc.info/?l=bugtraq&m=94218618329838&w=2
Reference: XF:immunix-stackguard-bo(3524)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3524

Vulnerability in StackGuard before 1.21 allows remote attackers to bypass the Random and Terminator Canary security mechanisms by using a non-linear attack which directly modifies a pointer to a return address instead of using a buffer overflow to reach the return address entry itself.

======================================================
Name: CVE-1999-1112
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:781
Reference: URL:http://www.securityfocus.com/bid/781
Reference: BUGTRAQ:19991109 Irfan view 3.07 buffer overflow
Reference: URL:http://www.securityfocus.com/archive/1/34066
Reference: MISC:http://stud4.tuwien.ac.at/~e9227474/main2.html
Reference: XF:irfan-view32-bo(3549)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3549

Buffer overflow in IrfanView32 3.07 and earlier allows attackers to execute arbitrary commands via a long string after the "8BPS" image type in a Photo Shop image header.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1113
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:75
Reference: URL:http://www.securityfocus.com/bid/75
Reference: BUGTRAQ:19980414 MacOS based buffer overflows...
Reference: URL:http://marc.info/?l=bugtraq&m=89258194718577&w=2

Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier on MacOS systems allows remote attackers to cause a denial of service via a long USER command to port 106.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:eudora-ims-user-dos(7300)

======================================================
Name: CVE-1999-1114
Status: Entry
Reference: AUSCERT:AA-96.17
Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.17.suid_exec.vul
Reference: BID:467
Reference: URL:http://www.securityfocus.com/bid/467
Reference: CIAC:H-15A
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-15a.shtml
Reference: SGI:19980405-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980405-01-I
Reference: XF:ksh-suid_exec(2100)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2100

Buffer overflow in Korn Shell (ksh) suid_exec program on IRIX 6.x and earlier, and possibly other operating systems, allows local users to gain root privileges.

======================================================
Name: CVE-1999-1115
Status: Entry
Reference: BID:7
Reference: URL:http://www.securityfocus.com/bid/7
Reference: CERT:CA-1990-04
Reference: URL:http://www.cert.org/advisories/CA-1990-04.html
Reference: CIAC:A-30
Reference: URL:http://www.ciac.org/ciac/bulletins/a-30.shtml
Reference: XF:apollo-suidexec-unauthorized-access(6721)
Reference: URL:http://www.iss.net/security_center/static/6721.php

Vulnerability in the /etc/suid_exec program in HP Apollo Domain/OS sr10.2 and sr10.3 beta, related to the Korn Shell (ksh).
======================================================
Name: CVE-1999-1116
Status: Entry
Reference: BID:462
Reference: URL:http://www.securityfocus.com/bid/462
Reference: OSVDB:1009
Reference: URL:http://www.osvdb.org/1009
Reference: SGI:19970503-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970503-01-PX
Reference: XF:sgi-runpriv(2108)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2108

Vulnerability in runpriv in Indigo Magic System Administration subsystem of SGI IRIX 6.3 and 6.4 allows local users to gain root privileges.

======================================================
Name: CVE-1999-1117
Status: Entry
Reference: BID:455
Reference: URL:http://www.securityfocus.com/bid/455
Reference: BUGTRAQ:19961124
Reference: URL:http://marc.info/?l=bugtraq&w=2&r=1&s=lquerypv&q=b
Reference: BUGTRAQ:19961125 AIX lquerypv
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420196&w=2
Reference: BUGTRAQ:19961125 lquerypv fix
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420195&w=2
Reference: CIAC:H-13
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-13.shtml
Reference: XF:ibm-lquerypv(1752)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1752

lquerypv in AIX 4.1 and 4.2 allows local users to read arbitrary files by specifying the file in the -h command line parameter.

======================================================
Name: CVE-1999-1118
Status: Entry
Reference: BID:433
Reference: URL:http://www.securityfocus.com/bid/433
Reference: SUN:00165
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/165&type=0&nav=sec.sba
Reference: XF:sun-ndd(817)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/817

ndd in Solaris 2.6 allows local users to cause a denial of service by modifying certain TCP/IP parameters.
======================================================
Name: CVE-1999-1119
Status: Entry
Reference: BID:41
Reference: URL:http://www.securityfocus.com/bid/41
Reference: CERT:CA-1992-09
Reference: URL:http://www.cert.org/advisories/CA-1992-09.html
Reference: XF:aix-anon-ftp(3154)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3154

FTP installation script anon.ftp in AIX insecurely configures anonymous FTP, which allows remote attackers to execute arbitrary commands.

======================================================
Name: CVE-1999-1120
Status: Entry
Reference: BID:395
Reference: URL:http://www.securityfocus.com/bid/395
Reference: BUGTRAQ:19970104 Irix: netprint story
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420403&w=2
Reference: OSVDB:993
Reference: URL:http://www.osvdb.org/993
Reference: SGI:19961203-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19961203-01-PX
Reference: SGI:19961203-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX
Reference: XF:sgi-netprint(2107)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2107

netprint in SGI IRIX 6.4 and earlier trusts the PATH environmental variable for finding and executing the disable program, which allows local users to gain privileges.

======================================================
Name: CVE-1999-1121
Status: Entry
Reference: BID:38
Reference: URL:http://www.securityfocus.com/bid/38
Reference: CERT:CA-1992-06
Reference: URL:http://www.cert.org/advisories/CA-1992-06.html
Reference: OSVDB:891
Reference: URL:http://www.osvdb.org/891
Reference: XF:ibm-uucp(554)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/554

The default configuration for UUCP in AIX before 3.2 allows local users to gain root privileges.
======================================================
Name: CVE-1999-1122
Status: Entry
Reference: BID:3
Reference: URL:http://www.securityfocus.com/bid/3
Reference: CERT:CA-1989-02
Reference: URL:http://www.cert.org/advisories/CA-1989-02.html
Reference: CIAC:CIAC-08
Reference: URL:http://www.ciac.org/ciac/bulletins/ciac-08.shtml
Reference: SUNBUG:1019265
Reference: XF:sun-restore-gain-privileges(6695)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/6695

Vulnerability in restore in SunOS 4.0.3 and earlier allows local users to gain privileges.

======================================================
Name: CVE-1999-1123
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:21
Reference: URL:http://www.securityfocus.com/bid/21
Reference: BID:22
Reference: URL:http://www.securityfocus.com/bid/22
Reference: CERT:CA-1991-07
Reference: URL:http://www.cert.org/advisories/CA-1991-07.html
Reference: SUN:00107
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/107&type=0&nav=sec.sba
Reference: XF:sun-sourcetapes(582)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/582

The installation of Sun Source (sunsrc) tapes allows local users to gain root privileges via setuid root programs (1) makeinstall or (2) winstall.

Current Votes:
   ACCEPT(5) Cole, Dik, Foat, Frech, Stracener
   NOOP(1) Wall

Voter Comments:
 Dik> sun bug: 1059621

======================================================
Name: CVE-1999-1124
Status: Candidate
Phase: Proposed(20010912)
Reference: MISC:http://packetstorm.securify.com/mag/phrack/phrack54/P54-08

HTTP Client application in ColdFusion allows remote attackers to bypass access restrictions for web pages on other ports by providing the target page to the mainframeset.cfm application, which requests the page from the server, making it look like the request is coming from the local host.
Current Votes:
   ACCEPT(2) Cole, Wall
   NOOP(1) Foat

======================================================
Name: CVE-1999-1125
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970919 Instresting practises of Oracle [Oracle Webserver]
Reference: URL:http://marc.info/?l=bugtraq&m=87602880019796&w=2

Oracle Webserver 2.1 and earlier runs setuid root, but the configuration file is owned by the oracle account, which allows any local or remote attacker who obtains access to the oracle account to gain privileges or modify arbitrary files by modifying the configuration file.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:oracle-webserver-gain-root(7174)

======================================================
Name: CVE-1999-1126
Status: Candidate
Phase: Proposed(20010912)
Reference: CIAC:I-086
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-086.shtml
Reference: CISCO:19980813 CRM Temporary File Vulnerability
Reference: URL:http://www.cisco.com/warp/public/770/crmtmp-pub.shtml
Reference: XF:cisco-crm-file-vuln(1575)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1575

Cisco Resource Manager (CRM) 1.1 and earlier creates certain files with insecure permissions that allow local users to obtain sensitive configuration information including usernames, passwords, and SNMP community strings, from (1) swim_swd.log, (2) swim_debug.log, (3) dbi_debug.log, and (4) temporary files whose names begin with "DPR_".
Current Votes:
   ACCEPT(5) Armstrong, Cole, Foat, Frech, Stracener
   NOOP(1) Wall
   REJECT(1) Balinsky

Voter Comments:
 Balinsky> Duplicate of CVE-1999-1042

======================================================
Name: CVE-1999-1127
Status: Entry
Reference: MS:MS98-017
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-017
Reference: MSKB:Q195733
Reference: URL:http://support.microsoft.com/support/kb/articles/Q195/7/33.asp
Reference: XF:nt-spoolss(523)
Reference: URL:http://www.iss.net/security_center/static/523.php

Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which allows remote attackers to cause a denial of service (resource exhaustion) via a series of connections containing malformed data, aka the "Named Pipes Over RPC" vulnerability.

======================================================
Name: CVE-1999-1128
Status: Candidate
Phase: Proposed(20010912)
Reference: MISC:http://members.tripod.com/~unibyte/iebug3.htm
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html

Internet Explorer 3.01 on Windows 95 allows remote malicious web sites to execute arbitrary commands via a .isp file, which is automatically downloaded and executed without prompting the user.
Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Christey, Foat

Voter Comments:
 Frech> XF:http-ie-exec(462)
 Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html
   ADDREF MISC:http://focus.silversand.net/vulner/allbug/ie3.html

======================================================
Name: CVE-1999-1129
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:615
Reference: URL:http://www.securityfocus.com/bid/615
Reference: BUGTRAQ:19990901 VLAN Security
Reference: URL:http://www.securityfocus.com/archive/1/26008
Reference: MISC:http://www.cisco.com/univercd/cc/td/doc/product/lan/28201900/1928v8x/eescg8x/aleakyv.htm
Reference: XF:cisco-catalyst-vlan-frames(3294)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3294

Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers to inject 802.1q frames into another VLAN by forging the VLAN identifier in the trunking tag.

Current Votes:
   ACCEPT(2) Foat, Frech
   NOOP(2) Cole, Wall

Voter Comments:
 CHANGE> [Foat changed vote from NOOP to ACCEPT]

======================================================
Name: CVE-1999-1130
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:559
Reference: URL:http://www.securityfocus.com/bid/559
Reference: BUGTRAQ:19990730 Netscape Enterprise Server yeilds source of JHTML
Reference: URL:http://marc.info/?l=bugtraq&m=93346448121208&w=2
Reference: NTBUGTRAQ:19990730 Netscape Enterprise Server yeilds source of JHTML
Reference: URL:http://marc.info/?l=ntbugtraq&m=93337389603117&w=2

Default configuration of the search engine in Netscape Enterprise Server 3.5.1, and possibly other versions, allows remote attackers to read the source of JHTML files by specifying a search command using the HTML-tocrec-demo1.pat pattern file.
Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:netscape-enterprise-view-jhtml(8352)

======================================================
Name: CVE-1999-1131
Status: Entry
Reference: CERT:VB-97.12
Reference: URL:http://www.cert.org/vendor_bulletins/VB-97.12.opengroup
Reference: CIAC:I-060
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-060.shtml
Reference: SGI:19980601-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980601-01-PX
Reference: XF:sgi-osf-dce-dos(1123)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1123

Buffer overflow in OSF Distributed Computing Environment (DCE) security demon (secd) in IRIX 6.4 and earlier allows attackers to cause a denial of service via a long principal, group, or organization.

======================================================
Name: CVE-1999-1132
Status: Entry
Reference: BUGTRAQ:19981005 NMRC Advisory - Lame NT Token Ring DoS
Reference: URL:http://marc.info/?l=bugtraq&m=90763508011966&w=2
Reference: MSKB:Q179157
Reference: URL:http://support.microsoft.com/support/kb/articles/Q179/1/57.asp
Reference: NTBUGTRAQ:19981002 NMRC Advisory - Lame NT Token Ring DoS
Reference: URL:http://marc.info/?l=ntbugtraq&m=90760603030452&w=2
Reference: XF:token-ring-dos(1399)
Reference: URL:http://www.iss.net/security_center/static/1399.php

Windows NT 4.0 allows remote attackers to cause a denial of service (crash) via extra source routing data such as (1) a Routing Information Field (RIF) field with a hop count greater than 7, or (2) a list containing duplicate Token Ring IDs.
======================================================
Name: CVE-1999-1133
Status: Candidate
Phase: Modified(20020217)
Reference: HP:HPSBUX9709-069
Reference: URL:http://marc.info/?l=bugtraq&m=87602880019776&w=2
Reference: XF:hp-vue-dt(499)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/499

HP-UX 9.x and 10.x running X windows may allow local attackers to gain privileges via (1) vuefile, (2) vuepad, (3) dtfile, or (4) dtpad, which do not authenticate users.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener
   NOOP(1) Christey

Voter Comments:
 Christey> CHANGEREF: change XF reference to XF:hp-vue-dt(499)

======================================================
Name: CVE-1999-1134
Status: Candidate
Phase: Modified(20020217)
Reference: CIAC:E-23
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/e-23.shtml
Reference: HP:HPSBUX9404-008
Reference: URL:http://packetstorm.securify.com/advisories/hpalert/008
Reference: XF:hp-vue(2284)
Reference: URL:http://www.iss.net/security_center/static/2284.php

Vulnerability in Vue 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4038, PHSS_4055, and PHSS_4066.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:hp-vue(2284)
   Packetstorm URL is dead. Try another archive.

======================================================
Name: CVE-1999-1135
Status: Candidate
Phase: Proposed(20010912)
Reference: HP:HPSBUX9504-027
Reference: URL:http://packetstorm.securify.com/advisories/hpalert/027
Reference: XF:hp-vue(2284)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2284

Vulnerability in VUE 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4994 and PHSS_5438.
Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener

======================================================
Name: CVE-1999-1136
Status: Entry
Reference: BUGTRAQ:19980729 HP-UX Predictive & Netscape SSL Vulnerabilities
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526177&w=2
Reference: CIAC:I-081
Reference: URL:http://www.ciac.org/ciac/bulletins/i-081.shtml
Reference: HP:HPSBMP9807-005
Reference: URL:http://cert.ip-plus.net/bulletin-archive/msg00040.html
Reference: HP:HPSBUX9807-081
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9807-081.html
Reference: XF:mpeix-predictive(1413)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1413

Vulnerability in Predictive on HP-UX 11.0 and earlier, and MPE/iX 5.5 and earlier, allows attackers to compromise data transfer for Predictive messages (using e-mail or modem) between customer and Response Center Predictive systems.

======================================================
Name: CVE-1999-1137
Status: Entry
Reference: CIAC:E-01
Reference: URL:http://www.ciac.org/ciac/bulletins/e-01.shtml
Reference: OSVDB:6436
Reference: URL:http://www.osvdb.org/6436
Reference: SUN:00122
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/122&type=0&nav=sec.sba
Reference: XF:sun-audio(549)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/549

The permissions for the /dev/audio device on Solaris 2.2 and earlier, and SunOS 4.1.x, allow any local user to read from the device, which could be used by an attacker to monitor conversations happening near a machine that has a microphone.
======================================================
Name: CVE-1999-1138
Status: Entry
Reference: CERT:CA-1993-13
Reference: URL:http://www.cert.org/advisories/CA-1993-13.html
Reference: XF:sco-homedir(546)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/546

SCO UNIX System V/386 Release 3.2, and other SCO products, installs the home directories (1) /tmp for the dos user, and (2) /usr/tmp for the asg user, which allows other users to gain access to those accounts since /tmp and /usr/tmp are world-writable.

======================================================
Name: CVE-1999-1139
Status: Entry
Reference: BUGTRAQ:19970901 HP UX Bug :)
Reference: URL:http://marc.info/?l=bugtraq&m=87602880019745&w=2
Reference: BUGTRAQ:19980121 HP-UX CUE, CUD and LAND vulnerabilities
Reference: URL:http://security-archive.merton.ox.ac.uk/bugtraq-199801/0122.html
Reference: CIAC:I-027B
Reference: URL:http://www.ciac.org/ciac/bulletins/i-027b.shtml
Reference: HP:HPSBUX9801-074
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9801-074.html
Reference: XF:hp-cue(2007)
Reference: URL:http://www.iss.net/security_center/static/2007.php

Character-Terminal User Environment (CUE) in HP-UX 11.0 and earlier allows local users to overwrite arbitrary files and gain root privileges via a symlink attack on the IOERROR.mytty file.

======================================================
Name: CVE-1999-1140
Status: Entry
Reference: BUGTRAQ:19971214 buffer overflows in cracklib?!
Reference: URL:http://marc.info/?l=bugtraq&m=88209041500913&w=2
Reference: CERT:VB-97.16
Reference: URL:http://www.cert.org/vendor_bulletins/VB-97.16.CrackLib
Reference: XF:cracklib-bo(1539)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1539

Buffer overflow in CrackLib 2.5 may allow local users to gain root privileges via a long GECOS field.
======================================================
Name: CVE-1999-1141
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970515 MicroSolved finds hole in Ascom Timeplex Router Security
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420981&w=2
Reference: XF:ascom-timeplex-debug(1824)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1824

Ascom Timeplex router allows remote attackers to obtain sensitive information or conduct unauthorized activities by entering debug mode through a sequence of CTRL-D characters.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1142
Status: Entry
Reference: CERT:CA-1992-11
Reference: URL:http://www.cert.org/advisories/CA-1992-11.html
Reference: SUN:00116
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/116
Reference: XF:sun-env(3152)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3152

SunOS 4.1.2 and earlier allows local users to gain privileges via "LD_*" environmental variables to certain dynamically linked setuid or setgid programs such as (1) login, (2) su, or (3) sendmail, that change the real and effective user ids to the same user.

======================================================
Name: CVE-1999-1143
Status: Entry
Reference: CIAC:H-065
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-65.shtml
Reference: SGI:19970504-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970504-01-PX
Reference: XF:sgi-rld(2109)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2109

Vulnerability in runtime linker program rld in SGI IRIX 6.x and earlier allows local users to gain privileges via setuid and setgid programs.
======================================================
Name: CVE-1999-1144
Status: Entry
Reference: HP:HPSBUX9701-051
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9701-051.html
Reference: XF:hp-mpower(2056)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2056

Certain files in MPower in HP-UX 10.x are installed with insecure permissions, which allows local users to gain privileges.

======================================================
Name: CVE-1999-1145
Status: Entry
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: HP:HPSBUX9701-044
Reference: URL:http://www.securityfocus.com/templates/advisory.html?id=1514
Reference: XF:hp-glanceplus(2059)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2059

Vulnerability in Glance programs in GlancePlus for HP-UX 10.20 and earlier allows local users to access arbitrary files and gain privileges.

======================================================
Name: CVE-1999-1146
Status: Entry
Reference: HP:HPSBUX9405-011
Reference: URL:http://www.securityfocus.com/advisories/1555
Reference: XF:hp-glanceplus-gpm(2060)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2060

Vulnerability in Glance and gpm programs in GlancePlus for HP-UX 9.x and earlier allows local users to access arbitrary files and gain privileges.

======================================================
Name: CVE-1999-1147
Status: Entry
Reference: BUGTRAQ:19981204 [SAFER-981204.DOS.1.3] Buffer Overflow in Platinum PCM 7.0
Reference: URL:http://marc.info/?l=bugtraq&m=91273739726314&w=2
Reference: BUGTRAQ:19981207 Re: [SAFER-981204.DOS.1.3] Buffer Overflow in Platinum PCM 7.0
Reference: OSVDB:3164
Reference: URL:http://www.osvdb.org/3164
Reference: XF:pcm-dos-execute(1430)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1430

Buffer overflow in Platinum Policy Compliance Manager (PCM) 7.0 allows remote attackers to execute arbitrary commands via a long string to the Agent port (1827), which is handled by smaxagent.exe.

======================================================
Name: CVE-1999-1148
Status: Entry
Reference: MS:MS98-006
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-006
Reference: MSKB:Q189262
Reference: URL:http://support.microsoft.com/support/kb/articles/Q189/2/62.ASP
Reference: XF:iis-passive-ftp(1215)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1215

FTP service in IIS 4.0 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via many passive (PASV) connections at the same time.

======================================================
Name: CVE-1999-1149
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980716 S.A.F.E.R. Security Bulletin 980708.DOS.1.1
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525993&w=2
Reference: XF:csm-proxy-dos(1422)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1422

Buffer overflow in CSM Proxy 4.1 allows remote attackers to cause a denial of service (crash) via a long string to the FTP port.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1150
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980630 Livingston Portmaster - ISN generation is loosy!
Reference: URL:http://www.securityfocus.com/archive/1/9723
Reference: XF:portmaster-fixed-isn(1882)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1882

Livingston Portmaster routers running ComOS use the same initial sequence number (ISN) for TCP connections, which allows remote attackers to conduct spoofing and hijack TCP sessions.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1151
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980603 Compaq/Microcom 6000 DoS + more
Reference: URL:http://marc.info/?l=bugtraq&m=90296493106214&w=2
Reference: XF:microcom-dos(2089)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2089

Compaq/Microcom 6000 Access Integrator does not cause a session timeout after prompting for a username or password, which allows remote attackers to cause a denial of service by connecting to the integrator without providing a username or password.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1152
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980603 Compaq/Microcom 6000 DoS + more
Reference: URL:http://marc.info/?l=bugtraq&m=90296493106214&w=2

Compaq/Microcom 6000 Access Integrator does not disconnect a client after a certain number of failed login attempts, which allows remote attackers to guess usernames or passwords via a brute force attack.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:microcom-brute-force(7301)

======================================================
Name: CVE-1999-1153
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19981109 Several new CGI vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/11175
Reference: XF:cgi-perl-mail-programs(1400)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1400

HAMcards Postcard CGI script 1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1154
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19981109 Several new CGI vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/11175
Reference: MISC:http://lakeweb.com/scripts/
Reference: XF:cgi-perl-mail-programs(1400)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1400

LakeWeb Filemail CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(3) Christey, Foat, Wall

Voter Comments:
 Christey> I confirmed this problem via visual inspection of the source code in http://www.lakeweb.com/scripts/filemail.zip
   Line 82 has an insufficient check for shell metacharacters that doesn't exclude semicolons. Line 129 is the call where the metacharacters are injected. Need to add "filemail.pl" to the description.

======================================================
Name: CVE-1999-1155
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19981109 Several new CGI vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/11175
Reference: MISC:http://lakeweb.com/scripts/
Reference: XF:cgi-perl-mail-programs(1400)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1400

LakeWeb Mail List CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1156
Status: Entry
Reference: NTBUGTRAQ:19990517 Vulnerabilities in BisonWare FTP Server 3.5
Reference: XF:bisonware-port-crash(2254)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2254

BisonWare FTP Server 4.1 and earlier allows remote attackers to cause a denial of service via a malformed PORT command that contains a non-numeric character and a large number of carriage returns.

======================================================
Name: CVE-1999-1157
Status: Entry
Reference: MSKB:Q192774
Reference: URL:http://support.microsoft.com/support/kb/articles/Q192/7/74.ASP
Reference: XF:tcpipsys-icmp-dos(3894)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3894

Tcpip.sys in Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service via an ICMP Subnet Mask Address Request packet, when certain multiple IP addresses are bound to the same network interface.

======================================================
Name: CVE-1999-1158
Status: Candidate
Phase: Proposed(20010912)
Reference: AUSCERT:AA-97.09
Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.09.Solaris.passwd.buffer.overrun.vul
Reference: SUN:00139
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/139&type=0&nav=sec.sba

Buffer overflow in (1) pluggable authentication module (PAM) on Solaris 2.5.1 and 2.5 and (2) unix_scheme in Solaris 2.4 and 2.3 allows local users to gain root privileges via programs that use these modules such as passwd, yppasswd, and nispasswd.

Current Votes:
   ACCEPT(4) Cole, Dik, Foat, Stracener
   MODIFY(1) Frech
   RECAST(1) Christey

Voter Comments:
 Frech> XF:solaris-pam-bo(7432)
 Dik> sun bug: 4018347
 Christey> These issues should be SPLIT per CD:SF-EXEC because the PAM problem appears in different Solaris versions than unix_scheme.

======================================================
Name: CVE-1999-1159
Status: Entry
Reference: BUGTRAQ:19981229 ssh2 security problem (and patch) (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=91495920911490&w=2
Reference: XF:ssh-privileged-port-forward(1471)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1471

SSH 2.0.11 and earlier allows local users to request remote forwarding from privileged ports without being root.

======================================================
Name: CVE-1999-1160
Status: Entry
Reference: CIAC:H-33
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-33.shtml
Reference: HP:HPSBUX9702-055
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420581&w=2
Reference: XF:hp-ftpd-kftpd(7437)
Reference: URL:http://www.iss.net/security_center/static/7437.php

Vulnerability in ftpd/kftpd in HP-UX 10.x and 9.x allows local and possibly remote users to gain root privileges.

======================================================
Name: CVE-1999-1161
Status: Entry
Reference: AUSCERT:AA-97.07
Reference: BUGTRAQ:19961103 Re: Untitled
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420102&w=2
Reference: BUGTRAQ:19961104 ppl bugs
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420103&w=2
Reference: CIAC:H-32
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-32.shtml
Reference: HP:HPSBUX9704-057
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9704-057.html
Reference: XF:hp-ppl(7438)
Reference: URL:http://www.iss.net/security_center/static/7438.php

Vulnerability in ppl in HP-UX 10.x and earlier allows local users to gain root privileges by forcing ppl to core dump.

======================================================
Name: CVE-1999-1162
Status: Entry
Reference: CERT:CA-1993-08
Reference: URL:http://www.cert.org/advisories/CA-1993-08.html
Reference: XF:sco-passwd-deny(542)
Reference: URL:http://www.iss.net/security_center/static/542.php

Vulnerability in passwd in SCO UNIX 4.0 and earlier allows attackers to cause a denial of service by preventing users from being able to log into the system.

======================================================
Name: CVE-1999-1163
Status: Entry
Reference: HP:HPSBUX9911-105
Reference: URL:http://marc.info/?l=bugtraq&m=94347039929958&w=2
Reference: XF:hp-ssp(7439)
Reference: URL:http://www.iss.net/security_center/static/7439.php

Vulnerability in HP Series 800 S/X/V Class servers allows remote attackers to gain access to the S/X/V Class console via the Service Support Processor (SSP) Teststation.

======================================================
Name: CVE-1999-1164
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990625 Outlook denial of service
Reference: URL:http://marc.info/?l=bugtraq&m=93041631215856&w=2

Microsoft Outlook client allows remote attackers to cause a denial of service by sending multiple email messages with the same X-UIDL headers, which causes Outlook to hang.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:outlook-xuidl-dos(8356)

======================================================
Name: CVE-1999-1165
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:535
Reference: URL:http://www.securityfocus.com/bid/535
Reference: BUGTRAQ:19950317 GNU finger 1.37 executes ~/.fingerrc with gid root
Reference: URL:http://www.securityfocus.com/archive/1/2478
Reference: BUGTRAQ:19990721 old gnu finger bugs
Reference: URL:http://marc.info/?l=bugtraq&m=93268249021561&w=2

GNU fingerd 1.37 does not properly drop privileges before accessing user information, which could allow local users to (1) gain root privileges via a malicious program in the .fingerrc file, or (2) read arbitrary files via symbolic links from .plan, .forward, or .project files.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:gnu-finger-privilege-dropping(7175)

======================================================
Name: CVE-1999-1166
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:523
Reference: URL:http://www.securityfocus.com/bid/523
Reference: BUGTRAQ:19990711 Linux 2.0.37 segment limit bug
Reference: URL:http://www.securityfocus.com/archive/1/18156

Linux 2.0.37 does not properly encode the Custom segment limit, which allows local users to gain root privileges by accessing and modifying kernel memory.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> (Task 2253)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:linux-segment-limit-privileges(11202)

======================================================
Name: CVE-1999-1167
Status: Entry
Reference: CONFIRM:http://www.wired.com/news/technology/0,1282,20677,00.html
Reference: MISC:http://www.wired.com/news/technology/0,1282,20636,00.html
Reference: XF:thirdvoice-cross-site-scripting(7252)
Reference: URL:http://www.iss.net/security_center/static/7252.php

Cross-site scripting vulnerability in Third Voice Web annotation utility allows remote users to read sensitive data and generate fake web pages for other Third Voice users by injecting malicious Javascript into an annotation.

======================================================
Name: CVE-1999-1168
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990220 ISS install.iss security hole
Reference: URL:http://www.securityfocus.com/archive/1/12640

install.iss installation script for Internet Security Scanner (ISS) for Linux, version 5.3, allows local users to change the permissions of arbitrary files via a symlink attack on a temporary file.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:iss-temp-files(1793)
   ADDREF:http://www.securityfocus.com/archive/1/12679

======================================================
Name: CVE-1999-1169
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990204 NOBO denial of service
Reference: URL:http://www.securityfocus.com/archive/1/12284

nobo 1.2 allows remote attackers to cause a denial of service (crash) via a series of large UDP packets.

Current Votes:
   ACCEPT(1) Foat
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:nobo-udp-packet-dos(7502)
   ADDREF:http://www.securityfocus.com/archive/1/12378
   ADDREF:http://web.cip.com.br/nobo/mudancas_en.html

======================================================
Name: CVE-1999-1170
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:218
Reference: URL:http://www.securityfocus.com/bid/218
Reference: NTBUGTRAQ:19990204 WS FTP Server Remote DoS Attack
Reference: URL:http://marc.info/?l=ntbugtraq&m=91816507920544&w=2

IPswitch IMail allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:imail-registry(1725)

======================================================
Name: CVE-1999-1171
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:218
Reference: URL:http://www.securityfocus.com/bid/218
Reference: NTBUGTRAQ:19990204 WS FTP Server Remote DoS Attack
Reference: URL:http://marc.info/?l=ntbugtraq&m=91816507920544&w=2

IPswitch WS_FTP allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:wsftp-registry(1726)

======================================================
Name: CVE-1999-1172
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990114 security hole in Maximizer
Reference: URL:http://www.securityfocus.com/archive/1/11947

By design, Maximizer Enterprise 4 calendar and address book program allows arbitrary users to modify the calendar of other users when the calendar is being shared.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> The discloser does not provide enough details to fully understand what the problem is. This makes it difficult because if Maximizer has a concept of "users" and it is designed to allow any user to modify any other user's data, then this would not be a vulnerability or exposure, unless that "cross-user" capability could be used to violate system integrity, data confidentiality, or the like. There are some features of Maximizer 6.0 that, if abused, could allow someone to do some bad things. For example, an attacker could modify the email addresses for contacts to redirect sales to locations besides the customer. There's also a capability of assigning priorities and alarms, which could be susceptible to an "inconvenience attack" at the very least, as well as tie-ins to e-commerce capabilities. The critical question becomes: "how is this data shared" in the first place? If it's through a network share or other distribution method besides transferring the complete database between sites, then this may be accessible to any attacker who can mimic a Maximizer client (if there is such a thing as a client), and this could be a vulnerability or exposure according to the CVE definition. However, since the Maximizer functionality is unknown to me and not readily apparent from product documentation, it's hard to know what to do about this one.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:maximizer-enterprise-calendar-modification(7590)

======================================================
Name: CVE-1999-1173
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19981218 wordperfect 8 for linux security
Reference: URL:http://marc.info/?l=bugtraq&m=91404045014047&w=2

Corel Word Perfect 8 for Linux creates a temporary working directory with world-writable permissions, which allows local users to (1) modify Word Perfect behavior by modifying files in the working directory, or (2) modify files of other users via a symlink attack.

Current Votes:
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1174
Status: Candidate
Phase: Proposed(20010912)
Reference: MISC:http://www.counterpane.com/crypto-gram-9812.html#doghouse

ZIP drive for Iomega ZIP-100 disks allows attackers with physical access to the drive to bypass password protection by inserting a known disk with a known password, waiting for the ZIP drive to power down, manually replacing the known disk with the target disk, and using the known password to access the target disk.

Current Votes:
   ACCEPT(1) Cole
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1175
Status: Entry
Reference: CIAC:I-054
Reference: URL:http://www.ciac.org/ciac/bulletins/i-054.shtml
Reference: CISCO:19980513 Cisco Web Cache Control Protocol Router Vulnerability
Reference: URL:http://www.cisco.com/warp/public/770/wccpauth-pub.shtml
Reference: XF:cisco-wccp-vuln(1577)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1577

Web Cache Control Protocol (WCCP) in Cisco Cache Engine for Cisco IOS 11.2 and earlier does not use authentication, which allows remote attackers to redirect HTTP traffic to arbitrary hosts via WCCP packets to UDP port 2048.

======================================================
Name: CVE-1999-1176
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980110 Cidentd
Reference: URL:http://marc.info/?l=bugtraq&m=88466930416716&w=2
Reference: BUGTRAQ:19980911 Re: security problems with jidentd
Reference: URL:http://marc.info/?l=bugtraq&m=90554230925545&w=2
Reference: MISC:http://spisa.act.uji.es/spi/progs/codigo/www.hack.co.za/exploits/daemon/ident/cidentd.c

Buffer overflow in cidentd ident daemon allows local users to gain root privileges via a long line in the .authlie script.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:cidentd-authlie-bo(7327)

======================================================
Name: CVE-1999-1177
Status: Entry
Reference: CONFIRM:http://www-genome.wi.mit.edu/WWW/tools/CGI_scripts/server_publish/nph-publish
Reference: MISC:http://www.w3.org/Security/Faq/wwwsf4.html
Reference: XF:http-cgi-nphpublish(2055)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2055

Directory traversal vulnerability in nph-publish before 1.2 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the pathname for an upload operation.

======================================================
Name: CVE-1999-1178
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980610 Sambar Server Beta BUG..
Reference: URL:http://www.securityfocus.com/archive/1/9505
Reference: XF:sambar-dump-env(3223)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3223

Sambar Server 4.1 beta allows remote attackers to obtain sensitive information about the server via an HTTP request for the dumpenv.pl script.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1179
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980515 May SysAdmin man.sh security hole
Reference: URL:http://www.securityfocus.com/archive/1/9330

Vulnerability in man.sh CGI script, included in May 1998 issue of SysAdmin Magazine, allows remote attackers to execute arbitrary commands.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:mansh-execute-commands(7328)

======================================================
Name: CVE-1999-1180
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990216 Website Pro v2.0 (NT) Configuration Issues
Reference: URL:http://www.tryc.on.ca/archives/bugtraq/1999_1/0612.html
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/NT/buffer.html

O'Reilly WebSite 1.1e and Website Pro 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in an argument to (1) args.cmd or (2) args.bat.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(3) Christey, Cole, Foat

Voter Comments:
 Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/buffer.html
   ADDREF MISC:http://focus.silversand.net/vulner/allbug/buffer.html
 Frech> XF:website-pro-args-commands(7529)

======================================================
Name: CVE-1999-1181
Status: Entry
Reference: CIAC:J-003
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-003.shtml
Reference: SGI:19980901-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980901-01-PX
Reference: XF:irix-register(7441)
Reference: URL:http://www.iss.net/security_center/static/7441.php

Vulnerability in On-Line Customer Registration software for IRIX 6.2 through 6.4 allows local users to gain root privileges.

======================================================
Name: CVE-1999-1182
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970717 KSR[T] Advisory #2: ld.so
Reference: URL:http://marc.info/?l=bugtraq&m=87602661419318&w=2
Reference: BUGTRAQ:19970722 ld.so vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=87602661419351&w=2
Reference: BUGTRAQ:19980204 An old ld-linux.so hole
Reference: URL:http://marc.info/?l=bugtraq&m=88661732807795&w=2

Buffer overflow in run-time linkers (1) ld.so or (2) ld-linux.so for Linux systems allows local users to gain privileges by calling a setuid program with a long program name (argv[0]) and forcing ld.so/ld-linux.so to report an error.

Current Votes:
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1183
Status: Candidate
Phase: Modified(20060705)
Reference: OSVDB:8556
Reference: URL:http://www.osvdb.org/8556
Reference: SGI:19980403-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980403-01-PX
Reference: SGI:19980403-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980403-02-PX
Reference: XF:sgi-mailcap(809)
Reference: URL:http://www.iss.net/security_center/static/809.php

System Manager sysmgr GUI in SGI IRIX 6.4 and 6.3 allows remote attackers to execute commands by providing a trojan horse (1) runtask or (2) runexec descriptor file, which is used to execute a System Manager Task when the user's Mailcap entry supports the x-sgi-task or x-sgi-exec type.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:sgi-mailcap(809)

======================================================
Name: CVE-1999-1184
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970513
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420967&w=2
Reference: BUGTRAQ:19970514 Re: ELM overflow
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420970&w=2

Buffer overflow in Elm 2.4 and earlier allows local users to gain privileges via a long TERM environmental variable.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:elm-term-bo(7183)

======================================================
Name: CVE-1999-1185
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980827 SCO mscreen vul.
Reference: BUGTRAQ:19980926 Root exploit for SCO OpenServer.
Reference: URL:http://marc.info/?l=bugtraq&m=90686250717719&w=2
Reference: CERT:VB-98.10
Reference: SCO:98.05
Reference: XF:sco-openserver-mscreen-bo(1379)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1379

Buffer overflow in SCO mscreen allows local users to gain root privileges via a long terminal entry (TERM) in the .mscreenrc file.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> Possible dupe on CVE-1999-1041.
 Christey> Possible dupe with CVE-1999-1041.

======================================================
Name: CVE-1999-1186
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19960102 rxvt security hole
Reference: URL:http://marc.info/?l=bugtraq&m=87602167418966&w=2

rxvt, when compiled with the PRINT_PIPE option in various Linux operating systems including Linux Slackware 3.0 and RedHat 2.1, allows local users to gain root privileges by specifying a malicious program using the -print-pipe command line parameter.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:rxvtpipe(425)

======================================================
Name: CVE-1999-1187
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19960826 [BUG] Vulnerability in PINE
Reference: URL:http://marc.info/?l=bugtraq&m=87602167419803&w=2
Reference: XF:pine-tmpfile(416)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/416

Pine before version 3.94 allows local users to gain privileges via a symlink attack on a lockfile that is created when a user receives new mail.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> CONFIRM:http://www.washington.edu/pine/changes.html

======================================================
Name: CVE-1999-1188
Status: Entry
Reference: BUGTRAQ:19981227 mysql: mysqld creates world readable logs..
Reference: URL:http://marc.info/?l=bugtraq&m=91479159617803&w=2
Reference: XF:mysql-readable-log-files(1568)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1568

mysqld in MySQL 3.21 creates log files with world-readable permissions, which allows local users to obtain passwords for users who are added to the user database.

======================================================
Name: CVE-1999-1189
Status: Entry
Reference: BID:822
Reference: URL:http://www.securityfocus.com/bid/822
Reference: BUGTRAQ:19991124 Netscape Communicator 4.7 - Navigator Overflows
Reference: URL:http://www.securityfocus.com/archive/1/36306
Reference: BUGTRAQ:19991127 Netscape Communicator 4.7 - Navigator Overflows
Reference: URL:http://www.securityfocus.com/archive/1/36608
Reference: XF:netscape-long-argument-bo(7884)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7884

Buffer overflow in Netscape Navigator/Communicator 4.7 for Windows 95 and Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long argument after the ? character in a URL that references an .asp, .cgi, .html, or .pl file.

======================================================
Name: CVE-1999-1190
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:801
Reference: URL:http://www.securityfocus.com/bid/801
Reference: MISC:http://www.securiteam.com/exploits/E-MailClub__FROM__remote_buffer_overflow.html

Buffer overflow in POP3 server of Admiral Systems EmailClub 1.05 allows remote attackers to execute arbitrary commands via a long "From" header in an e-mail message.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:emailclub-pop3-from-bo(7873)

======================================================
Name: CVE-1999-1191
Status: Entry
Reference: AUSCERT:AA-97.18
Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.18.solaris.chkey.buffer.overflow.vul
Reference: BID:207
Reference: URL:http://www.securityfocus.com/bid/207
Reference: BUGTRAQ:19970519 Re: Finally, most of an exploit for Solaris 2.5.1's ps.
Reference: URL:http://marc.info/?l=bugtraq&m=87602167418335&w=2
Reference: SUN:00144
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/144
Reference: XF:solaris-chkey-bo(7442)
Reference: URL:http://www.iss.net/security_center/static/7442.php

Buffer overflow in chkey in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.

======================================================
Name: CVE-1999-1192
Status: Entry
Reference: BID:206
Reference: URL:http://www.securityfocus.com/bid/206
Reference: SUN:00143
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/143
Reference: XF:solaris-eeprom-bo(7444)
Reference: URL:http://www.iss.net/security_center/static/7444.php

Buffer overflow in eeprom in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.

======================================================
Name: CVE-1999-1193
Status: Entry
Reference: BID:20
Reference: URL:http://www.securityfocus.com/bid/20
Reference: CERT:CA-1991-06
Reference: URL:http://www.cert.org/advisories/CA-1991-06.html
Reference: XF:next-me(581)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/581

The "me" user in NeXT NeXTstep 2.1 and earlier has wheel group privileges, which could allow the me user to use the su command to become root.

======================================================
Name: CVE-1999-1194
Status: Entry
Reference: BID:17
Reference: URL:http://www.securityfocus.com/bid/17
Reference: CERT:CA-1991-05
Reference: URL:http://www.cert.org/advisories/CA-1991-05.html
Reference: XF:dec-chroot(577)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/577

chroot in Digital Ultrix 4.1 and 4.0 is insecurely installed, which allows local users to gain privileges.

======================================================
Name: CVE-1999-1195
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:169
Reference: URL:http://www.securityfocus.com/bid/169
Reference: BUGTRAQ:19990505 NAI AntiVirus Update Problem
Reference: URL:http://marc.info/?l=bugtraq&m=92588169005196&w=2
Reference: NTBUGTRAQ:19990505 NAI AntiVirus Update Problem
Reference: URL:http://marc.info/?l=ntbugtraq&m=92587579032534&w=2

NAI VirusScan NT 4.0.2 does not properly modify the scan.dat virus definition file during an update via FTP, but it reports that the update was successful, which could cause a system administrator to believe that the definitions have been updated correctly.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:virusscan-ftp-update(8387)

======================================================
Name: CVE-1999-1196
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:158
Reference: URL:http://www.securityfocus.com/bid/158
Reference: BUGTRAQ:19990427 NT/Exceed D.O.S.
Reference: URL:http://www.securityfocus.com/archive/1/13451

Hummingbird Exceed X version 5 allows remote attackers to cause a denial of service via malformed data to port 6000.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:exceed-xserver-dos(7530)

======================================================
Name: CVE-1999-1197
Status: Entry
Reference: BID:14
Reference: URL:http://www.securityfocus.com/bid/14
Reference: CERT:CA-1990-12
Reference: URL:http://www.cert.org/advisories/CA-1990-12.html
Reference: XF:sunos-tioccons-console-redirection(7140)
Reference: URL:http://www.iss.net/security_center/static/7140.php

TIOCCONS in SunOS 4.1.1 does not properly check the permissions of a user who tries to redirect console output and input, which could allow a local user to gain privileges.

======================================================
Name: CVE-1999-1198
Status: Entry
Reference: BID:11
Reference: URL:http://www.securityfocus.com/bid/11
Reference: CERT:CA-1990-06
Reference: URL:http://www.cert.org/advisories/CA-1990-06.html
Reference: CIAC:B-01
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-01.shtml
Reference: XF:nextstep-builddisk-root-access(7141)
Reference: URL:http://www.iss.net/security_center/static/7141.php

BuildDisk program on NeXT systems before 2.0 does not prompt users for the root password, which allows local users to gain root privileges.
======================================================
Name: CVE-1999-1199
Status: Entry
Reference: BUGTRAQ:19980807 YA Apache DoS attack
Reference: URL:http://marc.info/?l=bugtraq&m=90252779826784&w=2
Reference: BUGTRAQ:19980808 Debian Apache Security Update
Reference: URL:http://marc.info/?l=bugtraq&m=90276683825862&w=2
Reference: BUGTRAQ:19980810 Apache DoS Attack
Reference: URL:http://marc.info/?l=bugtraq&m=90286768232093&w=2
Reference: BUGTRAQ:19980811 Apache 'sioux' DOS fix for TurboLinux
Reference: URL:http://marc.info/?l=bugtraq&m=90280517007869&w=2
Reference: CONFIRM:http://www.redhat.com/support/errata/rh51-errata-general.html#apache
Reference: MLIST:[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
Reference: URL:https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
Reference: MLIST:[httpd-cvs] 20210330 svn commit: r1073140 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
Reference: URL:https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5@%3Ccvs.httpd.apache.org%3E
Reference: MLIST:[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
Reference: URL:https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
Reference: MLIST:[httpd-cvs] 20210606 svn commit: r1075470 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
Reference: URL:https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e@%3Ccvs.httpd.apache.org%3E

Apache WWW server 1.3.1 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via a large number of MIME headers with the same name, aka the "sioux" vulnerability.

======================================================
Name: CVE-1999-1200
Status: Candidate
Phase: Proposed(20010912)
Reference: NTBUGTRAQ:19980720 DOS in Vintra systems Mailserver software.
Reference: URL:http://marc.info/?l=ntbugtraq&m=90222454131610&w=2
Reference: XF:vintra-mail-dos(1617)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1617

Vintra SMTP MailServer allows remote attackers to cause a denial of service via a malformed "EXPN *@" command.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1201
Status: Entry
Reference: BID:225
Reference: URL:http://www.securityfocus.com/bid/225
Reference: NTBUGTRAQ:19990206 New Windows 9x Bug: TCP Chorusing
Reference: URL:http://marc.info/?l=ntbugtraq&m=91849617221319&w=2
Reference: XF:win-multiple-ip-dos(7542)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7542

Windows 95 and Windows 98 systems, when configured with multiple TCP/IP stacks bound to the same MAC address, allow remote attackers to cause a denial of service (traffic amplification) via a certain ICMP echo (ping) packet, which causes all stacks to send a ping response, aka TCP Chorusing.
======================================================
Name: CVE-1999-1202
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980703 Windows95 Proxy DoS Vulnerabilites
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525873&w=2
Reference: XF:startech-pop3-overflow(2088)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2088

StarTech (1) POP3 proxy server and (2) telnet server allows remote attackers to cause a denial of service via a long USER command.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1203
Status: Entry
Reference: BUGTRAQ:19990210 Security problems in ISDN equipment authentication
Reference: URL:http://marc.info/?l=bugtraq&m=91868964203769&w=2
Reference: BUGTRAQ:19990212 PPP/ISDN multilink security issue - summary
Reference: URL:http://marc.info/?l=bugtraq&m=91888117502765&w=2
Reference: XF:ascend-ppp-isdn-dos(7498)
Reference: URL:http://www.iss.net/security_center/static/7498.php

Multilink PPP for ISDN dialup users in Ascend before 4.6 allows remote attackers to cause a denial of service via a spoofed endpoint identifier.

======================================================
Name: CVE-1999-1204
Status: Entry
Reference: BUGTRAQ:19980511 Firewall-1 Reserved Keywords Vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=90221101925912&w=2
Reference: CONFIRM:http://www.checkpoint.com/techsupport/config/keywords.html
Reference: OSVDB:4416
Reference: URL:http://www.osvdb.org/4416
Reference: XF:fw1-user-defined-keywords-access(7293)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7293

Check Point Firewall-1 does not properly handle certain restricted keywords (e.g., Mail, auth, time) in user-defined objects, which could produce a rule with a default "ANY" address and result in access to more systems than intended by the administrator.
======================================================
Name: CVE-1999-1205
Status: Entry
Reference: BUGTRAQ:19960607 HP-UX B.10.01 vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=87602167419195&w=2
Reference: CIAC:G-34
Reference: HP:HPSBUX9607-035
Reference: URL:http://packetstormsecurity.org/advisories/ibm-ers/96-08
Reference: XF:hp-nettune(414)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/414

nettune in HP-UX 10.01 and 10.00 is installed setuid root, which allows local users to cause a denial of service by modifying critical networking configuration information.

======================================================
Name: CVE-1999-1206
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:555
Reference: URL:http://www.securityfocus.com/bid/555
Reference: BUGTRAQ:19990729 New ActiveX security problems in Windows 98 PCs
Reference: URL:http://marc.info/?l=bugtraq&m=93336970231857&w=2
Reference: CONFIRM:http://www.systemsoft.com/l-2/l-3/support-systemwizard.htm

SystemSoft SystemWizard package in HP Pavilion PC with Windows 98, and possibly other platforms and operating systems, installs two ActiveX controls that are marked as safe for scripting, which allows remote attackers to execute arbitrary commands via a malicious web page that references (1) the Launch control, or (2) the RegObj control.
Current Votes:
   ACCEPT(4) Armstrong, Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Frech> XF:systemwizard-modify-registry(7080)
 Christey> CERT-VN:VU#22919
   URL:http://www.kb.cert.org/vuls/id/22919
   CERT-VN:VU#34453
   URL:http://www.kb.cert.org/vuls/id/34453

======================================================
Name: CVE-1999-1207
Status: Candidate
Phase: Proposed(20010912)
Reference: MISC:http://www.efri.hr/~crv/security/bugs/NT/netxtray.html
Reference: XF:netxray-bo(907)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/907

Buffer overflow in web-admin tool in NetXRay 2.6 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP request.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1208
Status: Entry
Reference: BUGTRAQ:19970721 AIX ping (Exploit)
Reference: URL:http://marc.info/?l=bugtraq&m=87602661419330&w=2
Reference: BUGTRAQ:19970721 AIX ping, lchangelv, xlock fixes
Reference: URL:http://marc.info/?l=bugtraq&m=87602661419337&w=2
Reference: XF:ping-bo(803)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/803

Buffer overflow in ping in AIX 4.2 and earlier allows local users to gain root privileges via a long command line argument.

======================================================
Name: CVE-1999-1209
Status: Entry
Reference: BUGTRAQ:19971204 scoterm exploit
Reference: URL:http://marc.info/?l=bugtraq&m=88131151000069&w=2
Reference: CERT:VB-97.14
Reference: URL:http://www.cert.org/vendor_bulletins/VB-97.14.scoterm
Reference: XF:sco-scoterm(690)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/690

Vulnerability in scoterm in SCO OpenServer 5.0 and SCO Open Desktop/Open Server 3.0 allows local users to gain root privileges.
======================================================
Name: CVE-1999-1210
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19971112 Digital Unix Security Problem
Reference: URL:http://marc.info/?l=bugtraq&m=87936891504885&w=2
Reference: XF:dec-xterm(613)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/613

xterm in Digital UNIX 4.0B *with* patch kit 5 allows local users to overwrite arbitrary files via a symlink attack on a core dump file, which is created when xterm is called with a DISPLAY environmental variable set to a display that xterm cannot access.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1211
Status: Candidate
Phase: Proposed(20010912)
Reference: CERT:CA-1991-02
Reference: URL:http://www.cert.org/advisories/CA-1991-02.html
Reference: XF:sun-intelnetd(574)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/574

Vulnerability in in.telnetd in SunOS 4.1.1 and earlier allows local users to gain root privileges.

Current Votes:
   ACCEPT(5) Cole, Dik, Foat, Frech, Stracener
   NOOP(1) Wall

Voter Comments:
 Frech> CONFIRM:Sun Microsystems, Inc. Security Bulletin #00106 at
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/106&type=0&nav=sec.sba
 Dik> sun bug: 1054669 1049886 1042370 1033809

======================================================
Name: CVE-1999-1212
Status: Candidate
Phase: Proposed(20010912)
Reference: CERT:CA-1991-02
Reference: URL:http://www.cert.org/advisories/CA-1991-02.html
Reference: XF:sun-intelnetd(574)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/574

Vulnerability in in.rlogind in SunOS 4.0.3 and 4.0.3c allows local users to gain root privileges.
Current Votes:
   ACCEPT(5) Cole, Dik, Foat, Frech, Stracener
   NOOP(1) Wall

Voter Comments:
 Dik> sun bug: 1054669 1049886 1042370 1033809

======================================================
Name: CVE-1999-1213
Status: Candidate
Phase: Proposed(20010912)
Reference: HP:HPSBUX9710-070
Reference: URL:http://www2.dataguard.no/bugtraq/1997_4/0001.html
Reference: XF:hp-telnetdos(571)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/571

Vulnerability in telnet service in HP-UX 10.30 allows attackers to cause a denial of service.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener

======================================================
Name: CVE-1999-1214
Status: Entry
Reference: MISC:http://www.openbsd.com/advisories/signals.txt
Reference: OPENBSD:19970915 Vulnerability in I/O Signal Handling
Reference: URL:http://www.openbsd.com/advisories/signals.txt
Reference: OSVDB:11062
Reference: URL:http://www.osvdb.org/11062
Reference: XF:openbsd-iosig(556)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/556

The asynchronous I/O facility in 4.4 BSD kernel does not check user credentials when setting the recipient of I/O notification, which allows local users to cause a denial of service by using certain ioctl and fcntl calls to cause the signal to be sent to an arbitrary process ID.

======================================================
Name: CVE-1999-1215
Status: Entry
Reference: CERT:CA-1993-12
Reference: URL:http://www.cert.org/advisories/CA-1993-12.html
Reference: CIAC:D-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/d-21.shtml
Reference: XF:novell-login(545)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/545

LOGIN.EXE program in Novell Netware 4.0 and 4.01 temporarily writes user name and password information to disk, which could allow local users to gain privileges.
======================================================
Name: CVE-1999-1216
Status: Candidate
Phase: Proposed(20010912)
Reference: CERT:CA-1993-07
Reference: URL:http://www.cert.org/advisories/CA-1993-07.html
Reference: CIAC:D-15
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/d-15.shtml
Reference: XF:cisco-sourceroute(541)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/541

Cisco routers 9.17 and earlier allow remote attackers to bypass security restrictions via certain IP source routed packets that should normally be denied using the "no ip source-route" command.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener
   NOOP(1) Wall

======================================================
Name: CVE-1999-1217
Status: Entry
Reference: NTBUGTRAQ:19970723 NT security - why bother?
Reference: URL:http://marc.info/?l=ntbugtraq&m=87602726319426&w=2
Reference: NTBUGTRAQ:19970725 Re: NT security - why bother?
Reference: URL:http://marc.info/?l=ntbugtraq&m=87602726319435&w=2
Reference: XF:nt-path(526)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/526

The PATH in Windows NT includes the current working directory (.), which could allow local users to gain privileges by placing Trojan horse programs with the same name as commonly used system programs into certain directories.

======================================================
Name: CVE-1999-1218
Status: Candidate
Phase: Proposed(20010912)
Reference: CERT:CA-1993-04
Reference: URL:http://www.cert.org/advisories/CA-1993-04.html
Reference: XF:amiga-finger(522)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/522

Vulnerability in finger in Commodore Amiga UNIX 2.1p2a and earlier allows local users to read arbitrary files.
Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener
   NOOP(1) Wall

======================================================
Name: CVE-1999-1219
Status: Candidate
Phase: Proposed(20010912)
Reference: AUSCERT:AA-94.04a
Reference: BID:468
Reference: URL:http://www.securityfocus.com/bid/468
Reference: CERT:CA-1994-13
Reference: URL:http://www.cert.org/advisories/CA-1994-13.html
Reference: CIAC:E-33
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/e-33.shtml
Reference: XF:sgi-prn-mgr(511)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/511

Vulnerability in sgihelp in the SGI help system and print manager in IRIX 5.2 and earlier allows local users to gain root privileges, possibly through the clogin command.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener
   NOOP(1) Wall

======================================================
Name: CVE-1999-1220
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970824 Vulnerability in Majordomo
Reference: URL:http://www.securityfocus.com/archive/1/7527
Reference: XF:majordomo-advertise(502)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/502

Majordomo 1.94.3 and earlier allows remote attackers to execute arbitrary commands when the advertise or noadvertise directive is used in a configuration file, via shell metacharacters in the Reply-To header.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1221
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19961117 Digital Unix v3.x (v4.x?) security vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420141&w=2
Reference: XF:dgux-chpwd(399)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/399

dxchpwd in Digital Unix (OSF/1) 3.x allows local users to modify arbitrary files via a symlink attack on the dxchpwd.log file.
Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1222
Status: Entry
Reference: MSKB:Q188571
Reference: URL:http://support.microsoft.com/support/kb/articles/Q188/5/71.ASP
Reference: XF:dns-netbtsys-dos(3893)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3893

Netbt.sys in Windows NT 4.0 allows remote malicious DNS servers to cause a denial of service (crash) by returning 0.0.0.0 as the IP address for a DNS host name lookup.

======================================================
Name: CVE-1999-1223
Status: Entry
Reference: MSKB:Q187503
Reference: URL:http://support.microsoft.com/support/kb/articles/q187/5/03.asp
Reference: XF:url-asp-av(3892)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3892

IIS 3.0 allows remote attackers to cause a denial of service via a request to an ASP page in which the URL contains a large number of / (forward slash) characters.

======================================================
Name: CVE-1999-1224
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19971008 L0pht Advisory: IMAP4rev1 imapd server
Reference: URL:http://marc.info/?l=bugtraq&m=87635124302928&w=2
Reference: XF:imapd-core(349)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/349

IMAP 4.1 BETA, and possibly other versions, does not properly handle the SIGABRT (abort) signal, which allows local users to crash the server (imapd) via certain sequences of commands, which causes a core dump that may contain sensitive password information.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1225
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970824 Serious security flaw in rpc.mountd on several operating systems.
Reference: URL:http://www.securityfocus.com/archive/1/7526
Reference: XF:mountd-file-exists(347)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/347

rpc.mountd on Linux, Ultrix, and possibly other operating systems, allows remote attackers to determine the existence of a file on the server by attempting to mount that file, which generates different error messages depending on whether the file exists or not.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1226
Status: Entry
Reference: MISC:http://www.securiteam.com/exploits/Netscape_4_7_and_earlier_vulnerable_to__Huge_Key__DoS.html
Reference: XF:netscape-huge-key-dos(3436)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3436

Netscape Communicator 4.7 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long certificate key.

======================================================
Name: CVE-1999-1227
Status: Candidate
Phase: Proposed(20010912)
Reference: MISC:http://www.ethereal.com/lists/ethereal-dev/199907/msg00126.html
Reference: MISC:http://www.ethereal.com/lists/ethereal-dev/199907/msg00130.html
Reference: XF:ethereal-dev-capturec-root(3334)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3334

Ethereal allows local users to overwrite arbitrary files via a symlink attack on the packet capture file.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1228
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980927 1+2=3, +++ATH0=Old school DoS
Reference: URL:http://marc.info/?l=bugtraq&m=90695973308453&w=2
Reference: MISC:http://www.macintouch.com/modemsecurity.html
Reference: XF:global-village-modem-dos(3320)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3320

Various modems that do not implement a guard time, or are configured with a guard time of 0, can allow remote attackers to execute arbitrary modem commands such as ATH, ATH0, etc., via a "+++" sequence that appears in ICMP packets, the subject of an e-mail message, IRC commands, and others.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1229
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980225 Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files
Reference: URL:http://www.securityfocus.com/archive/1/8590
Reference: XF:linux-quake2(733)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/733

Quake 2 server 3.13 on Linux does not properly check file permissions for the config.cfg configuration file, which allows local users to read arbitrary files via a symlink from config.cfg to the target file.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1230
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19971224 Quake II Remote Denial of Service
Reference: URL:http://www.securityfocus.com/archive/1/8282
Reference: XF:quake2-dos(698)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/698

Quake 2 server allows remote attackers to cause a denial of service via a spoofed UDP packet with a source address of 127.0.0.1, which causes the server to attempt to connect to itself.
Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1231
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990609 ssh advirsory
Reference: URL:http://www.securityfocus.com/archive/1/14758
Reference: XF:ssh-leak(2276)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2276

ssh 2.0.12, and possibly other versions, allows valid user names to attempt to enter the correct password multiple times, but only prompts an invalid user name for a password once, which allows remote attackers to determine user account names on the server.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1232
Status: Candidate
Phase: Modified(20060503)
Reference: BUGTRAQ:19970516 Irix and WWW
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420994&w=2
Reference: OSVDB:8559
Reference: URL:http://www.osvdb.org/8559
Reference: XF:sgi-day5datacopier(3316)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3316

Untrusted search path vulnerability in day5datacopier in SGI IRIX 6.2 allows local users to execute arbitrary commands via a modified PATH environment variable that points to a malicious cp program.
Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1233
Status: Entry
Reference: BID:657
Reference: URL:http://www.securityfocus.com/bid/657
Reference: MS:MS99-039
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-039
Reference: MSKB:241562
Reference: URL:http://support.microsoft.com/support/kb/articles/Q241/5/62.asp
Reference: XF:iis-unresolved-domain-access(3306)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3306

IIS 4.0 does not properly restrict access for the initial session request from a user's IP address if the address does not resolve to a DNS domain, aka the "Domain Resolution" vulnerability.

======================================================
Name: CVE-1999-1234
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19991026 Re: LSA vulnerability on NT40 SP5
Reference: URL:http://marc.info/?l=ntbugtraq&m=94096671308565&w=2
Reference: XF:msrpc-samr-open-dos(3293)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3293

LSA (LSASS.EXE) in Windows NT 4.0 allows remote attackers to cause a denial of service via a NULL policy handle in a call to (1) SamrOpenDomain, (2) SamrEnumDomainUsers, and (3) SamrQueryDomainInfo.
Current Votes:
   ACCEPT(3) Cole, Frech, Wall
   NOOP(1) Foat

======================================================
Name: CVE-1999-1235
Status: Candidate
Phase: Proposed(20010912)
Reference: NTBUGTRAQ:19990331 Minor Bug in IE5.0
Reference: URL:http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9904&L=NTBUGTRAQ&P=R179
Reference: NTBUGTRAQ:19990825 IE5 FTP password exposure & index.dat null ACL problem
Reference: URL:http://packetderm.cotse.com/mailing-lists/ntbugtraq/1999/0364.html
Reference: XF:nt-ie5-user-ftp-password(3289)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3289

Internet Explorer 5.0 records the username and password for FTP servers in the URL history, which could allow (1) local users to read the information from another user's index.dat, or (2) people who are physically observing ("shoulder surfing") another user to read the information from the status bar when the user moves the mouse over a link.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Wall

Voter Comments:
 CHANGE> [Foat changed vote from NOOP to ACCEPT]

======================================================
Name: CVE-1999-1236
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:731
Reference: URL:http://www.securityfocus.com/bid/731
Reference: NTBUGTRAQ:19991001 Vulnerabilities in the Internet Anywhere Mail Server
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9910&L=ntbugtraq&F=&S=&P=662
Reference: XF:iams-passwords-plaintext(3285)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3285

Internet Anywhere Mail Server 2.3.1 stores passwords in plaintext in the msgboxes.dbf file, which could allow local users to gain privileges by extracting the passwords from msgboxes.dbf.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1237
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990606 Buffer overflows in smbval library
Reference: URL:http://www.securityfocus.com/archive/1/14384
Reference: XF:smbvalid-bo(2272)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2272

Multiple buffer overflows in smbvalid/smbval SMB authentication library, as used in Apache::AuthenSmb and possibly other modules, allows remote attackers to execute arbitrary commands via (1) a long username, (2) a long password, and (3) other unspecified methods.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1238
Status: Candidate
Phase: Proposed(20010912)
Reference: HP:HPSBUX9409-017
Reference: URL:http://www.securityfocus.com/advisories/1531
Reference: XF:hp-core-diag-fileset(2262)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2262

Vulnerability in CORE-DIAG fileset in HP message catalog in HP-UX 9.05 and earlier allows local users to gain privileges.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener

======================================================
Name: CVE-1999-1239
Status: Candidate
Phase: Proposed(20010912)
Reference: HP:HPSBUX9407-015
Reference: URL:http://www.securityfocus.com/advisories/1559
Reference: XF:hp-xauthority(2261)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2261

HP-UX 9.x does not properly enable the Xauthority mechanism in certain conditions, which could allow local users to access the X display even when they have not explicitly been authorized to do so.
Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener

======================================================
Name: CVE-1999-1240
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19961126 Major Security Vulnerabilities in Remote CD Databases
Reference: URL:http://www.securityfocus.com/archive/1/5784
Reference: XF:cddbd-bo(2203)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2203

Buffer overflow in cddbd CD database server allows remote attackers to execute arbitrary commands via a long log message.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1241
Status: Candidate
Phase: Proposed(20010912)
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/NT/activex4.html
Reference: XF:ie-filesystemobject(2173)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2173

Internet Explorer, with a security setting below Medium, allows remote attackers to execute arbitrary commands via a malicious web page that uses the FileSystemObject ActiveX object.

Current Votes:
   ACCEPT(3) Cole, Frech, Wall
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/activex4.html
   ADDREF MISC:http://focus.silversand.net/vulner/allbug/activex4.html
 Frech> Change MISC to http://www.securitybugware.org/NT/1018.html

======================================================
Name: CVE-1999-1242
Status: Candidate
Phase: Proposed(20010912)
Reference: HP:HPSBUX9402-003
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/003
Reference: XF:hp-subnet-config(2162)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2162

Vulnerability in subnetconfig in HP-UX 9.01 and 9.0 allows local users to gain privileges.
Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener

======================================================
Name: CVE-1999-1243
Status: Entry
Reference: CIAC:F-16
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-16.shtml
Reference: SGI:19950301-01-P373
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19950301-01-P373
Reference: XF:sgi-permissions(2113)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2113

SGI Desktop Permissions Tool in IRIX 6.0.1 and earlier allows local users to modify permissions for arbitrary files and gain privileges.

======================================================
Name: CVE-1999-1244
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990415 FSA-99.04-IPFILTER-v3.2.10
Reference: URL:http://www.securityfocus.com/archive/1/13303
Reference: XF:ipfilter-temp-file(2087)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2087

IPFilter 3.2.3 through 3.2.10 allows local users to modify arbitrary files via a symlink attack on the saved output file.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1245
Status: Candidate
Phase: Proposed(20010912)
Reference: XF:ucd-snmpd-community(2086)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2086

vacm ucd-snmp SNMP server, version 3.52, does not properly disable access to the public community string, which could allow remote attackers to obtain sensitive information.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> http://www.securityfocus.com/archive/1/13130

======================================================
Name: CVE-1999-1246
Status: Entry
Reference: MSKB:Q229972
Reference: URL:http://support.microsoft.com/support/kb/articles/Q229/9/72.asp
Reference: XF:siteserver-directmail-passwords(2068)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2068

Direct Mailer feature in Microsoft Site Server 3.0 saves user domain names and passwords in plaintext in the TMLBQueue network share, which has insecure default permissions, allowing remote attackers to read the passwords and gain privileges.

======================================================
Name: CVE-1999-1247
Status: Candidate
Phase: Proposed(20010912)
Reference: HP:HPSBUX9402-006
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/006
Reference: XF:hp-dce9000(2061)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2061

Vulnerability in HP Camera component of HP DCE/9000 in HP-UX 9.x allows attackers to gain root privileges.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener

======================================================
Name: CVE-1999-1248
Status: Candidate
Phase: Proposed(20010912)
Reference: HP:HPSBUX9411-019
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/019
Reference: XF:hp-supportwatch(2058)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2058

Vulnerability in Support Watch (aka SupportWatch) in HP-UX 8.0 through 9.0 allows local users to gain privileges.
Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener

======================================================
Name: CVE-1999-1249
Status: Entry
Reference: HP:HPSBUX9701-047
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9701-047.html
Reference: OSVDB:8099
Reference: URL:http://www.osvdb.org/8099
Reference: XF:hp-movemail(2057)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2057

movemail in HP-UX 10.20 has insecure permissions, which allows local users to gain privileges.

======================================================
Name: CVE-1999-1250
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970819 Lasso CGI security hole (fwd)
Reference: URL:http://www.securityfocus.com/archive/1/7506
Reference: XF:http-cgi-lasso(2044)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2044

Vulnerability in CGI program in the Lasso application by Blue World, as used on WebSTAR and other servers, allows remote attackers to read arbitrary files.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1251
Status: Candidate
Phase: Proposed(20010912)
Reference: HP:HPSBUX9612-043
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/043
Reference: XF:hp-audio-panic(2010)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2010

Vulnerability in direct audio user space code on HP-UX 10.20 and 10.10 allows local users to cause a denial of service.
Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener

======================================================
Name: CVE-1999-1252
Status: Candidate
Phase: Proposed(20010912)
Reference: CERT:VB-96.15
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.15.sco
Reference: SCO:96:002
Reference: URL:ftp://ftp.sco.COM/SSE/security_bulletins/SB.96:02a
Reference: XF:sco-system-call(1966)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1966

Vulnerability in a certain system call in SCO UnixWare 2.0.x and 2.1.0 allows local users to access arbitrary files and gain root privileges.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener
   NOOP(1) Wall

======================================================
Name: CVE-1999-1253
Status: Candidate
Phase: Proposed(20010912)
Reference: CERT:VB-96.10
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.10.sco
Reference: SCO:96:001
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB.96:01a
Reference: XF:sco-kernel(1965)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1965

Vulnerability in a kernel error handling routine in SCO OpenServer 5.0.2 and earlier, and SCO Internet FastStart 1.0, allows local users to gain root privileges.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener
   NOOP(1) Wall

======================================================
Name: CVE-1999-1254
Status: Candidate
Phase: Proposed(20010912)
Reference: NTBUGTRAQ:19990308 Winfreeze EXPLOIT Win9x/NT
Reference: URL:http://marc.info/?l=ntbugtraq&m=92099515709467&w=2
Reference: XF:win-redirects-freeze(1947)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1947

Windows 95, 98, and NT 4.0 allow remote attackers to cause a denial of service by spoofing ICMP redirect messages from a router, which causes Windows to change its routing tables.

Current Votes:
   ACCEPT(3) Cole, Frech, Wall
   MODIFY(1) Meunier
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> Need to get feedback from MS on this.
 Christey> (prompted from Pascal Meunier) should this be treated as a general design issue with ICMP? Or is it a specific implementation flaw that only affects Reliant?
 Meunier> The description is too narrow and incorrect. Spoofed ICMP redirect messages can be used to set up man-in-the-middle attacks instead of a DoS. There's no reason that this behavior would be limited to Windows, as it is specified by the standard. As I said elsewhere, ICMP messages should not be acted upon without access controls.

======================================================
Name: CVE-1999-1255
Status: Candidate
Phase: Proposed(20010912)
Reference: MISC:http://www.rootshell.com/archive-j457nxiqi3gq59dv/199902/hyperseek.txt.html
Reference: XF:hyperseek-modify(1914)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1914

Hyperseek allows remote attackers to modify the hyperseek configuration by directly calling the admin.cgi program with an edit_file action parameter.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1256
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990304 Oracle Plaintext Password
Reference: URL:http://www.securityfocus.com/archive/1/12744
Reference: NTBUGTRAQ:19990304 Oracle Plaintext Password
Reference: URL:http://marc.info/?l=ntbugtraq&m=92056752115116&w=2
Reference: XF:oracle-passwords(1902)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1902

Oracle Database Assistant 1.0 in Oracle 8.0.3 Enterprise Edition stores the database master password in plaintext in the spoolmain.log file when a new database is created, which allows local users to obtain the password from that file.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1257
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19971126 Xyplex terminal server bug
Reference: URL:http://www.securityfocus.com/archive/1/8134
Reference: XF:xyplex-controlz-login(1825)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1825
Reference: XF:xyplex-question-login(1826)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1826

Xyplex terminal server 6.0.1S1, and possibly other versions, allows remote attackers to bypass the password prompt by entering (1) a CTRL-Z character, or (2) a ? (question mark).

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1258
Status: Entry
Reference: SUN:00102
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/102
Reference: XF:sun-pwdauthd(1782)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1782

rpc.pwdauthd in SunOS 4.1.1 and earlier does not properly prevent remote access to the daemon, which allows remote attackers to obtain sensitive system information.

======================================================
Name: CVE-1999-1259
Status: Entry
Reference: MSKB:Q189529
Reference: URL:http://support.microsoft.com/support/kb/articles/q189/5/29.asp
Reference: XF:office-extraneous-data(1780)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1780

Microsoft Office 98, Macintosh Edition, does not properly initialize the disk space used by Office 98 files and effectively inserts data from previously deleted files into the Office file, which could allow attackers to obtain sensitive information.
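Added example for CVE-1999-1254 above (and the Meunier comment that a forged redirect is a man-in-the-middle primitive, not just a DoS). This is not code from the NTBugtraq post or from any vendor: it builds the ICMP redirect an attacker would send, then applies the host-side checks RFC 1122 section 3.2.2.2 requires before a redirect may touch the routing table. The addresses, gateway and network are constructed for the demonstration.

```python
"""Spoofed ICMP redirect: wire format, and the RFC 1122 acceptance checks."""
import ipaddress
import struct

ICMP_REDIRECT = 5    # ICMP type 5 = Redirect (RFC 792)
REDIRECT_HOST = 1    # code 1 = redirect datagrams for the host


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_redirect(new_gateway: str, quoted_datagram: bytes) -> bytes:
    """ICMP redirect body: type, code, checksum, gateway address, then the first
    28 bytes (IP header + 8) of the datagram that supposedly triggered it.
    An attacker puts a host they control in the gateway field."""
    body = struct.pack("!BBH4s", ICMP_REDIRECT, REDIRECT_HOST, 0,
                       ipaddress.IPv4Address(new_gateway).packed) + quoted_datagram[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def redirect_is_acceptable(icmp: bytes, outer_src: str, my_addr: str,
                           current_gateway: str, on_link: str) -> bool:
    """RFC 1122 host checks before acting on a redirect:
       - checksum verifies and the type really is Redirect;
       - the outer IP source is the gateway currently in use;
       - the new gateway lies on a directly connected network;
       - the quoted datagram was really sent by this host."""
    if len(icmp) < 28 or icmp[0] != ICMP_REDIRECT or inet_checksum(icmp) != 0:
        return False
    new_gw = ipaddress.IPv4Address(icmp[4:8])
    quoted_src = ipaddress.IPv4Address(icmp[20:24])   # byte 12 of the quoted IP header
    if ipaddress.IPv4Address(outer_src) != ipaddress.IPv4Address(current_gateway):
        return False
    if new_gw not in ipaddress.IPv4Network(on_link):
        return False
    return quoted_src == ipaddress.IPv4Address(my_addr)


def demo() -> dict:
    """Constructed scenario: victim 10.0.0.5 talks to 198.51.100.7 via gateway
    10.0.0.1; attacker 10.0.0.66 on the same LAN wants to become the next hop."""
    victim, gw, attacker, far = "10.0.0.5", "10.0.0.1", "10.0.0.66", "198.51.100.7"
    quoted = ipv4_header(victim, far, 6, 8) + b"\x00" * 8   # IP header + 8 bytes of TCP
    spoofed = build_icmp_redirect(attacker, quoted)
    return {
        # sent from the attacker's own address: fails the "from current gateway" test
        "from_attacker": redirect_is_acceptable(spoofed, attacker, victim, gw, "10.0.0.0/24"),
        # same packet with the outer source forged as the real gateway: passes every check
        "forged_source": redirect_is_acceptable(spoofed, gw, victim, gw, "10.0.0.0/24"),
        # a redirect to an off-link gateway is rejected even from the real gateway
        "off_link": redirect_is_acceptable(build_icmp_redirect("203.0.113.9", quoted),
                                           gw, victim, gw, "10.0.0.0/24"),
    }


if __name__ == "__main__":
    print(demo())
```

The "forged_source" result is the point Meunier makes: every check the standard asks for is satisfiable by an on-link attacker who forges the gateway's address and has seen (or can guess) the victim's recent traffic, so the redirect is accepted and the attacker becomes the next hop. The robust control is not to honour redirects at all on hosts that do not need them; on Linux that is the `net.ipv4.conf.all.accept_redirects=0` sysctl.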
======================================================
Name: CVE-1999-1260
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990215 KSR[T] Advisory #10: mSQL ServerStats
Reference: URL:http://marc.info/?l=bugtraq&m=91910115718150&w=2
Reference: XF:msql-serverstats(1777)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1777

mSQL (Mini SQL) 2.0.6 allows remote attackers to obtain sensitive server information such as logged users, database names, and server version via the ServerStats query.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1261
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990211 Rainbow Six Buffer Overflow.....
Reference: URL:http://www.securityfocus.com/archive/1/12433
Reference: XF:rainbowsix-nick-bo(1772)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1772

Buffer overflow in Rainbow Six Multiplayer allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long nickname (nick) command.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1262
Status: Entry
Reference: BUGTRAQ:19990202 Unsecured server in applets under Netscape
Reference: URL:http://www.securityfocus.com/archive/1/12231
Reference: XF:java-socket-open(1727)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1727

Java in Netscape 4.5 does not properly restrict applets from connecting to other hosts besides the one from which the applet was loaded, which violates the Java security model and could allow remote attackers to conduct unauthorized activities.
======================================================
Name: CVE-1999-1263
Status: Entry
Reference: BUGTRAQ:19971024 Vulnerability in metamail
Reference: URL:http://marc.info/?l=bugtraq&m=87773365324657&w=2
Reference: XF:metamail-file-creation(1677)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1677

Metamail before 2.7-7.2 allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified, which is processed by uuencode in Metamail scripts such as sun-audio-file.

======================================================
Name: CVE-1999-1264
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990121 WebRamp M3 remote network access bug
Reference: URL:http://www.securityfocus.com/archive/1/12048
Reference: BUGTRAQ:19990203 WebRamp M3 Perceived Bug
Reference: URL:http://marc.info/?l=bugtraq&m=91815321510224&w=2
Reference: XF:webramp-remote-access(1670)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1670

WebRamp M3 router does not disable remote telnet or HTTP access to itself, even when access has been explicitly disabled.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1265
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980922 Re: WARNING! SMTP Denial of Service in SLmail ver 3.1
Reference: BUGTRAQ:19980922 WARNING! SMTP Denial of Service in SLmail ver 3.1
Reference: URL:http://marc.info/?l=bugtraq&m=90649892424117&w=2
Reference: NTBUGTRAQ:19980922 WARNING! SMTP Denial of Service in SLmail ver 3.1
Reference: URL:http://marc.info/?l=ntbugtraq&m=90650438826447&w=2
Reference: XF:slmail-parens-overload(1664)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1664

SMTP server in SLmail 3.1 and earlier allows remote attackers to cause a denial of service via malformed commands whose arguments begin with a "(" (parenthesis) character, such as (1) SEND, (2) VRFY, (3) EXPN, (4) MAIL FROM, (5) RCPT TO.

Current Votes:
   ACCEPT(3) Cole, Foat, Frech
   NOOP(1) Wall

======================================================
Name: CVE-1999-1266
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970613 rshd gives away usernames
Reference: URL:http://www.securityfocus.com/archive/1/6978
Reference: XF:rsh-username-leaks(1660)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1660

rsh daemon (rshd) generates different error messages when a valid username is provided versus an invalid name, which allows remote attackers to determine valid users on the system.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1267
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970505 Hole in the KDE desktop
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420906&w=2
Reference: XF:kde-flawed-ipc(1646)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1646

KDE file manager (kfm) uses a TCP server for certain file operations, which allows remote attackers to modify arbitrary files by sending a copy command to the server.
Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1268
Status: Candidate
Phase: Proposed(20010912)
Reference: MISC:http://lists.kde.org/?l=kde-devel&m=91560433413263&w=2
Reference: XF:kde-konsole-hijack(1645)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1645

Vulnerability in KDE konsole allows local users to hijack or observe sessions of other users by accessing certain devices.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1269
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980206 serious security hole in KDE Beta 3
Reference: URL:http://www.securityfocus.com/archive/1/8506
Reference: XF:kde-kss-file-clobber(1641)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1641

Screen savers in KDE beta 3 allows local users to overwrite arbitrary files via a symlink attack on the .kss.pid file.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1270
Status: Candidate
Phase: Proposed(20010912)
Reference: MISC:http://lists.kde.org/?l=kde-devel&m=90221974029738&w=2
Reference: XF:kde-kmail-passphrase-leak(1639)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1639

KMail in KDE 1.0 provides a PGP passphrase as a command line argument to other programs, which could allow local users to obtain the passphrase and compromise the PGP keys of other users by viewing the arguments via programs that list process information, such as ps.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1271
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980611 Unsecure passwords in Macromedia Dreamweaver
Reference: URL:http://www.securityfocus.com/archive/1/9511
Reference: XF:dreamweaver-weak-passwords(1636)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1636

Macromedia Dreamweaver uses weak encryption to store FTP passwords, which could allow local users to easily decrypt the passwords of other users.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1272
Status: Candidate
Phase: Proposed(20010912)
Reference: SGI:19980301-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980301-01-PX
Reference: XF:irix-cdrom-confidence(1635)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1635

Buffer overflows in CDROM Confidence Test program (cdrom) allow local users to gain root privileges.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener

======================================================
Name: CVE-1999-1273
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980220 Simple way to bypass squid ACLs
Reference: URL:http://www.securityfocus.com/archive/1/8551
Reference: XF:squid-regexp-acl(1627)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1627

Squid Internet Object Cache 1.1.20 allows users to bypass access control lists (ACLs) by encoding the URL with hexadecimal escape sequences.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1274
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19971229 iPass RoamServer 3.1
Reference: URL:http://www.securityfocus.com/archive/1/8307
Reference: XF:ipass-temporary-files(1625)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1625

iPass RoamServer 3.1 creates temporary files with world-writable permissions.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1275
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970908 Password unsecurity in cc:Mail release 8
Reference: URL:http://www.securityfocus.com/archive/1/9478
Reference: XF:lotus-ccmail-passwords(1619)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1619

Lotus cc:Mail release 8 stores the postoffice password in plaintext in a hidden file which has insecure permissions, which allows local users to gain privileges.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1276
Status: Entry
Reference: DEBIAN:19981207 fte-console: does not drop its root priviliges
Reference: URL:http://www.debian.org/security/1998/19981207
Reference: XF:fte-console-privileges(1609)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1609

fte-console in the fte package before 0.46b-4.1 does not drop root privileges, which allows local users to gain root access via the virtual console device.

======================================================
Name: CVE-1999-1277
Status: Candidate
Phase: Proposed(20010912)
Reference: NTBUGTRAQ:19981224 BackWeb - Password issue (used by NAI for Corporate customer notification).
Reference: URL:http://marc.info/?l=ntbugtraq&m=91487886514546&w=2
Reference: XF:backweb-cleartext-passwords(1565)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1565

BackWeb client stores the username and password in cleartext for proxy authentication in the Communication registry key, which could allow other local users to gain privileges by reading the password.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1278
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19981225 Re: Nlog v1.0 Released - Nmap 2.x log management / analyzing tool
Reference: URL:http://marc.info/?l=bugtraq&m=91470326629357&w=2
Reference: BUGTRAQ:19981226 Nlog 1.1b released - security holes fixed
Reference: URL:http://marc.info/?l=bugtraq&m=91471400632145&w=2
Reference: XF:http-cgi-nlog-metachars(1549)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1549
Reference: XF:http-cgi-nlog-netbios(1550)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1550

nlog CGI scripts do not properly filter shell metacharacters from the IP address argument, which could allow remote attackers to execute certain commands via (1) nlog-smb.pl or (2) rpc-nlog.pl.

Current Votes:
   ACCEPT(3) Cole, Foat, Frech
   NOOP(1) Wall

======================================================
Name: CVE-1999-1279
Status: Entry
Reference: MSKB:Q138001
Reference: URL:http://support.microsoft.com/support/kb/articles/q138/0/01.asp
Reference: XF:snaserver-shared-folders(1548)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1548

An interaction between the AS/400 shared folders feature and Microsoft SNA Server 3.0 and earlier allows users to view each other's folders when the users share the same Local APPC LU.
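Added example for CVE-1999-1273 above. Squid's regex ACLs were matched against the request URL as the client sent it, so "%61dmin" slipped past a rule written for "admin". This is not Squid's code: a toy URL deny-list that shows the bypass against raw matching, and the fix, which is to canonicalize the URL into the form the origin server will act on before the policy decision is made. The deny patterns, host names and sample URLs are constructed for the demonstration.

```python
"""Encoding bypass of a URL ACL, and canonicalize-before-decide as the fix."""
import posixpath
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed deny-list, in the spirit of a url_regex ACL.  The (/|$) tail
# avoids depending on a trailing slash that normalization may strip.
DENY_PATTERNS = [re.compile(p, re.IGNORECASE)
                 for p in (r"^http://intranet/admin(/|$)", r"/cgi-bin(/|$)")]

DEFAULT_PORTS = {"http": 80, "https": 443}


def denied_raw(url: str) -> bool:
    """The flawed approach: match whatever bytes the client put on the wire."""
    return any(p.search(url) for p in DENY_PATTERNS)


def canonicalize(url: str, max_rounds: int = 3) -> str:
    """Reduce a URL to the form the origin will actually resolve:
    lower-case scheme and host; drop a default port; percent-decode the path
    (bounded repeated decoding, so double encoding such as %2561 cannot hide
    a byte from a deny rule); collapse /./, /../ and duplicate slashes."""
    parts = urlsplit(url)
    path = parts.path or "/"
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = posixpath.normpath(path.replace("\\", "/"))
    if not path.startswith("/"):
        path = "/" + path
    host = parts.hostname or ""
    if parts.port and parts.port != DEFAULT_PORTS.get(parts.scheme):
        host = "%s:%d" % (host, parts.port)
    return urlunsplit((parts.scheme, host, path, parts.query, ""))


def denied_canonical(url: str) -> bool:
    """The fix: evaluate the ACL on the canonical form, never on raw input."""
    return denied_raw(canonicalize(url))


# Constructed requests: the first is the plain hex-escape bypass from the
# Bugtraq post's pattern, the rest are the same idea in other disguises.
SAMPLES = [
    "http://intranet/%61dmin/",          # %61 == 'a'
    "http://intranet/%2561dmin/",        # double-encoded: %25 -> '%', then %61 -> 'a'
    "http://intranet:80/./admin",        # default port and a dot segment
    "http://INTRANET/x/../cgi-bin//run", # case, parent traversal, doubled slash
    "http://intranet/public/index.html", # legitimate, must stay allowed
]


def report(urls=SAMPLES) -> dict:
    """Map each URL to (raw verdict, canonical verdict)."""
    return {u: (denied_raw(u), denied_canonical(u)) for u in urls}


if __name__ == "__main__":
    for url, (raw, canon) in report().items():
        print("%-40s raw=%-5s canonical=%s" % (url, raw, canon))
```

Bounded repeated decoding over-blocks rather than under-blocks, which is the safe direction for a deny rule; for an allow rule the proxy would instead have to decode exactly as many times as the origin does, which is why canonicalization rules belong with the component that owns the resource, not only in front of it.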
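Added example for CVE-1999-1278 above. The nlog CGIs handed a client-supplied IP address to a shell command line; this is that bug class reduced to a few lines next to its hardened form. It is not nlog's code, and the external probe tool is stood in for by `echo` so the block runs anywhere with /bin/sh (in nlog the IP fed NetBIOS and RPC lookups, which are not reproduced here). The command name "probe" and the payloads are constructed.

```python
"""Shell metacharacters in a CGI argument: vulnerable and hardened forms."""
import ipaddress
import subprocess


def lookup_vulnerable(ip: str) -> str:
    """Flawed pattern: interpolate the untrusted value into a shell string.
    Everything after ';', '|', '`', '$(' and friends becomes a second command.
    `echo` stands in for the real network tool so the effect is visible."""
    cmd = "echo probe -A " + ip
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def parse_target(value: str) -> str:
    """Allow-list validation: accept only an IPv4/IPv6 literal. ipaddress
    raises ValueError for anything else, so whitespace, metacharacters and
    host names never reach the command at all."""
    return str(ipaddress.ip_address(value.strip()))


def lookup_hardened(ip: str) -> str:
    """Validate first, then exec the tool with an argv list: the value is one
    argument and no shell ever parses it. check=True surfaces tool failures
    instead of silently returning partial output."""
    target = parse_target(ip)
    return subprocess.run(["echo", "probe", "-A", target],
                          capture_output=True, text=True, check=True).stdout


def rejects(value: str) -> bool:
    """True when the hardened path refuses the value outright."""
    try:
        parse_target(value)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed request parameter carrying an injected second command."""
    payload = "10.0.0.5; echo INJECTED"
    return {
        "vulnerable": lookup_vulnerable(payload),   # two lines: the injected one ran
        "hardened_rejects": rejects(payload),        # never reaches the shell
        "hardened_clean": lookup_hardened("10.0.0.5"),
    }


if __name__ == "__main__":
    print(demo())
```

The validation is deliberately stricter than "strip the characters I can think of": a deny-list of metacharacters misses the next quoting trick, whereas requiring an IP literal leaves nothing for a shell to interpret, and the argv list means there is no shell in the path anyway.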
======================================================
Name: CVE-1999-1280
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19981203 Remote Tools w/Exceed v.6.0.1.0 fer 95
Reference: URL:http://www.securityfocus.com/archive/1/11512
Reference: XF:exceed-cleartext-passwords(1547)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1547

Hummingbird Exceed 6.0.1.0 inadvertently includes a DLL that was meant for development and testing, which logs user names and passwords in cleartext in the test.log file.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1281
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19981226 Breeze Network Server remote reboot and other bogosity.
Reference: URL:http://www.securityfocus.com/archive/1/11720
Reference: XF:breeze-remote-reboot(1544)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1544

Development version of Breeze Network Server allows remote attackers to cause the system to reboot by accessing the configbreeze CGI program.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> There have been no followups to indicate that this issue has been resolved in the production version, and as a benefit to the doubt, this issue transcends EX-BETA until proven otherwise.

======================================================
Name: CVE-1999-1282
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19981210 RealSystem passwords
Reference: URL:http://www.securityfocus.com/archive/1/11543
Reference: XF:realsystem-readable-conf-file(1542)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1542

RealSystem G2 server stores the administrator password in cleartext in a world-readable configuration file, which allows local users to gain privileges.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1283
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980814 URL exploit to crash Opera Browser
Reference: URL:http://www.securityfocus.com/archive/1/10320
Reference: XF:opera-slash-crash(1541)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1541

Opera 3.2.1 allows remote attackers to cause a denial of service (application crash) via a URL that contains an extra / in the http:// tag.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> Will go along with a REJECT if MITRE decides on EX-CLIENT-DOS.

======================================================
Name: CVE-1999-1284
Status: Entry
Reference: BUGTRAQ:19981105 various *lame* DoS attacks
Reference: URL:http://www.securityfocus.com/archive/1/11131
Reference: BUGTRAQ:19981107 Re: various *lame* DoS attacks
Reference: URL:http://marc.info/?l=bugtraq&m=91063407332594&w=2
Reference: MISC:http://www.dynamsol.com/puppet/text/new.txt
Reference: XF:nukenabber-timeout-dos(1540)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1540

NukeNabber allows remote attackers to cause a denial of service by connecting to the NukeNabber port (1080) without sending any data, which causes the CPU usage to rise to 100% from the report.exe program that is executed upon the connection.

======================================================
Name: CVE-1999-1285
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19981227 [patch] fix for urandom read(2) not interruptible
Reference: URL:http://marc.info/?l=bugtraq&m=91495921611500&w=2
Reference: XF:linux-random-read-dos(1472)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1472

Linux 2.1.132 and earlier allows local users to cause a denial of service (resource exhaustion) by reading a large buffer from a random device (e.g. /dev/urandom), which cannot be interrupted until the read has completed.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1286
Status: Candidate
Phase: Modified(20060623)
Reference: BID:330
Reference: URL:http://www.securityfocus.com/bid/330
Reference: BUGTRAQ:19970509 Re: Irix: misc
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420927&w=2
Reference: MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX
Reference: OSVDB:8560
Reference: URL:http://www.osvdb.org/8560
Reference: XF:irix-addnetpr(1433)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1433

addnetpr in SGI IRIX 6.2 and earlier allows local users to modify arbitrary files and possibly gain root access via a symlink attack on a temporary file.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Christey, Cole, Foat

Voter Comments:
 Christey> CHANGE DESC: "via a symlink attack on the printers temporary file." Add 5.3 as another affected version. MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX SGI:19961203-02-PX may solve this problem, but the advisory is so vague that it is uncertain whether this was fixed or not. addnetpr is not specifically named in the advisory, which names netprint, which is not specified in the original Bugtraq post. In addition, the date on the advisory is one day earlier than that of the Bugtraq post, though that could be a difference in time zones. It seems plausible that the problem had already been patched (the researcher did say "There *was* [a] race condition") so maybe SGI released this advisory after the problem was publicized. ADDREF BID:330 URL:http://www.securityfocus.com/bid/330 Note: this is a dupe of CVE-1999-1410, but CVE-1999-1410 will be rejected in favor of CVE-1999-1286.
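Added example for the symlink attacks in CVE-1999-1244 (IPFilter's saved output file), CVE-1999-1269 (KDE's .kss.pid) and CVE-1999-1286 (addnetpr's temporary file) above. It is not code from any of those programs: a self-contained re-enactment in a scratch directory of how a predictable temporary path lets an unprivileged local user redirect a privileged program's write onto a file of their choosing, and the open() flags that close the hole. File names and contents are constructed; the "victim" file stands in for a root-owned target such as /etc/passwd.

```python
"""Symlink race on a predictable temp file: the clobber, and the safe open."""
import os
import tempfile


def attacker_plants_link(predictable_path: str, target: str) -> None:
    """The attacker wins the race by creating the temp name first, as a
    symlink to the file they want the privileged program to overwrite."""
    os.symlink(target, predictable_path)


def write_naive(path: str, data: bytes) -> None:
    """Vulnerable pattern: open a fixed, guessable name for writing.
    O_CREAT without O_EXCL follows an existing symlink and truncates its target."""
    with open(path, "wb") as f:
        f.write(data)


def write_safe(path: str, data: bytes) -> None:
    """O_CREAT|O_EXCL fails with EEXIST if anything already sits at the path,
    a symlink included (even a dangling one), and O_NOFOLLOW refuses to
    traverse a link in any case.  The file is also created mode 0600."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def run_demo() -> dict:
    """Stage the race twice in a throwaway directory and report what happened
    to the victim file under each writer."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")   # stands in for a root-owned file
        tmp = os.path.join(d, "prog.tmp")          # the predictable temp name

        with open(victim, "wb") as f:
            f.write(b"original\n")
        attacker_plants_link(tmp, victim)
        write_naive(tmp, b"attacker controlled\n")  # follows the link
        with open(victim, "rb") as f:
            after_naive = f.read()

        os.unlink(tmp)
        with open(victim, "wb") as f:
            f.write(b"original\n")
        attacker_plants_link(tmp, victim)
        try:
            write_safe(tmp, b"attacker controlled\n")
            safe_refused = False
        except OSError:                            # FileExistsError (EEXIST) here
            safe_refused = True
        with open(victim, "rb") as f:
            after_safe = f.read()

        # The complementary defence: an unguessable name chosen by the kernel
        # with O_EXCL, which is what tempfile.mkstemp does.
        fd, random_name = tempfile.mkstemp(dir=d)
        os.close(fd)

        return {
            "naive_clobbered": after_naive != b"original\n",
            "safe_refused": safe_refused,
            "safe_victim_intact": after_safe == b"original\n",
        }


if __name__ == "__main__":
    print(run_demo())
```

O_EXCL alone only helps when the program can tolerate "file already exists" as a hard error; a program that deletes and recreates the temp file on EEXIST reopens the race. The durable fix is a private directory plus mkstemp(), and for reads or chmod/chown on the result, operating on the descriptor rather than the path name.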
======================================================
Name: CVE-1999-1287
Status: Candidate
Phase: Proposed(20010912)
Reference: CONFIRM:http://www.statslab.cam.ac.uk/~sret1/analog/security.html
Reference: XF:analog-remote-file(1410)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1410

Vulnerability in Analog 3.0 and earlier allows remote attackers to read arbitrary files via the forms interface.

Current Votes:
   ACCEPT(4) Armstrong, Cole, Frech, Stracener
   NOOP(2) Foat, Wall

Voter Comments:
 CHANGE> [Foat changed vote from ACCEPT to NOOP]

======================================================
Name: CVE-1999-1288
Status: Entry
Reference: BUGTRAQ:19981119 Vulnerability in Samba on RedHat, Caldera and PHT TurboLinux
Reference: URL:http://www.securityfocus.com/archive/1/11397
Reference: CALDERA:SA-1998.35
Reference: URL:http://www.caldera.com/support/security/advisories/SA-1998.35.txt
Reference: XF:samba-wsmbconf(1406)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1406

Samba 1.9.18 inadvertently includes a prototype application, wsmbconf, which is installed with incorrect permissions including the setgid bit, which allows local users to read and write files and possibly gain privileges via bugs in the program.

======================================================
Name: CVE-1999-1289
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19981111 WARNING: Another ICQ IP address vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/11233
Reference: XF:icq-ip-info(1398)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1398

ICQ 98 beta on Windows NT leaks the internal IP address of a client in the TCP data segment of an ICQ packet instead of the public address (e.g. through NAT), which provides remote attackers with potentially sensitive information about the client or the internal network configuration.
Current Votes:
   ACCEPT(3) Cole, Frech, Wall
   NOOP(1) Foat

Voter Comments:
 Frech> Override EX-BETA in this case, since ICQ is always in beta and is widely run in production environments.

======================================================
Name: CVE-1999-1290
Status: Entry
Reference: BUGTRAQ:19981117 nftp vulnerability (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=91127951426494&w=2
Reference: CONFIRM:http://www.ayukov.com/nftp/history.html
Reference: XF:nftp-bo(1397)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1397

Buffer overflow in nftp FTP client version 1.40 allows remote malicious FTP servers to cause a denial of service, and possibly execute arbitrary commands, via a long response string.

======================================================
Name: CVE-1999-1291
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19981005 New Windows Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/10789
Reference: XF:nt-brkill(1383)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1383

TCP/IP implementation in Microsoft Windows 95, Windows NT 4.0, and possibly others, allows remote attackers to reset connections by forcing a reset (RST) via a PSH ACK or other means, obtaining the target's last sequence number from the resulting packet, then spoofing a reset to the target.

Current Votes:
   ACCEPT(3) Cole, Frech, Wall
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> Need to get feedback from MS on this.
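Added example for CVE-1999-1291 above. Once the attacker has learned the connection's sequence number (the description's "obtaining the target's last sequence number from the resulting packet"; that step is taken as given here), the remaining question is how strictly the receiver validates SEQ on an incoming RST. This is not Microsoft's or any other stack's code: a minimal RST segment builder with a verifiable checksum, the RFC 793 acceptance rule, and the RFC 5961 rule that later replaced it. Addresses, ports and sequence numbers are constructed.

```python
"""Forged TCP RST: building one, and how RFC 793 versus RFC 5961 receivers judge it."""
import ipaddress
import struct

TCP_RST = 0x04
MOD = 1 << 32            # sequence space wraps at 2**32


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header the TCP checksum covers: src, dst, zero, proto 6, length."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, 6, tcp_len))


def build_tcp_rst(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """20-byte TCP header, RST set, no options, checksum filled in.  This is the
    segment the attacker spoofs with the victim peer's address as source."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq % MOD, 0, 5 << 4, TCP_RST, 0, 0, 0)
    csum = inet_checksum(pseudo_header(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_seq_and_flags(segment: bytes):
    """Pull SEQ and the flag byte back out of a TCP header."""
    _, _, seq, _, _, flags = struct.unpack("!HHIIBB", segment[:14])
    return seq, flags


def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    return inet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Modular test for RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_disposition_rfc793(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 793: any RST whose SEQ falls in the receive window aborts the connection,
    so an attacker only has to land somewhere inside the window."""
    return "abort" if seq_in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_disposition_rfc5961(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 section 3.2: only SEQ == RCV.NXT aborts.  An in-window but
    inexact SEQ earns a challenge ACK carrying the real RCV.NXT, which the
    genuine peer answers with a valid RST and a blind attacker never sees."""
    if seq == rcv_nxt:
        return "abort"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def sweep_size(rcv_wnd: int, rfc5961: bool) -> int:
    """Segments needed to cover the whole 32-bit space without knowing SEQ:
    one per window under RFC 793, one per sequence number under RFC 5961."""
    return MOD if rfc5961 else -(-MOD // rcv_wnd)


if __name__ == "__main__":
    rst = build_tcp_rst("198.51.100.7", "10.0.0.5", 80, 1025, 0x12345678)
    print(parse_seq_and_flags(rst), checksum_ok("198.51.100.7", "10.0.0.5", rst))
    print(rst_disposition_rfc793(0x12345678 + 100, 0x12345678, 65535),
          rst_disposition_rfc5961(0x12345678 + 100, 0x12345678, 65535))
```

With the exact sequence number in hand, as in the Windows case, both rules abort the connection; the RFC 5961 distinction matters for the blind attacker, who under RFC 793 needs only about 2^32 / window guesses against a 64 KiB window and under RFC 5961 needs the exact value.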
======================================================
Name: CVE-1999-1292
Status: Candidate
Phase: Proposed(20010912)
Reference: ISS:19980901 Remote Buffer Overflow in the Kolban Webcam32 Program
Reference: URL:http://xforce.iss.net/alerts/advise7.php
Reference: XF:webcam32-buffer-overflow(1366)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1366

Buffer overflow in web administration feature of Kolban Webcam32 4.8.3 and earlier allows remote attackers to execute arbitrary commands via a long URL.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1293
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980106 Apache security advisory
Reference: URL:http://marc.info/?l=bugtraq&m=88413292830649&w=2
Reference: CONFIRM:http://www.apache.org/info/security_bulletin_1.2.5.html

mod_proxy in Apache 1.2.5 and earlier allows remote attackers to cause a denial of service via malformed FTP commands, which causes Apache to dump core.

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:apache-mod-proxy-dos(7249) CONFIRM reference no longer seems to exist. BugTraq message seems to be a confirmation/advisory, however.
 CHANGE> [Foat changed vote from ACCEPT to NOOP]

======================================================
Name: CVE-1999-1294
Status: Entry
Reference: MSKB:Q146604
Reference: URL:http://support.microsoft.com/support/kb/articles/q146/6/04.asp
Reference: XF:nt-filemgr(562)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/562

Office Shortcut Bar (OSB) in Windows 3.51 enables backup and restore permissions, which are inherited by programs such as File Manager that are started from the Shortcut Bar, which could allow local users to read folders for which they do not have permission.
======================================================
Name: CVE-1999-1295
Status: Candidate
Phase: Modified(20020218)
Reference: CERT:VB-96.16
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.16.transarc
Reference: XF:dfs-login-groups(7154)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7154

Transarc DCE Distributed File System (DFS) 1.1 for Solaris 2.4 and 2.5 does not properly initialize the grouplist for users who belong to a large number of groups, which could allow those users to gain access to resources that are protected by DFS.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:dfs-login-groups(7154)

======================================================
Name: CVE-1999-1296
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970429 vulnerabilities in kerberos
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420878&w=2

Buffer overflow in Kerberos IV compatibility libraries as used in Kerberos V allows local users to gain root privileges via a long line in a kerberos configuration file, which can be specified via the KRB_CONF environmental variable.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:kerberos-config-file-bo(7184)

======================================================
Name: CVE-1999-1297
Status: Entry
Reference: SUNBUG:1077164
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fpatches%2F100452&zone_32=10045%2A%20
Reference: XF:sun-cmdtool-echo(7482)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7482

cmdtool in OpenWindows 3.0 and XView 3.0 in SunOS 4.1.4 and earlier allows attackers with physical access to the system to display unechoed characters (such as those from password prompts) via the L2/AGAIN key.
======================================================
Name: CVE-1999-1298
Status: Entry
Reference: FREEBSD:FreeBSD-SA-97:03
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-97:03.sysinstall.asc
Reference: OSVDB:6087
Reference: URL:http://www.osvdb.org/6087
Reference: XF:freebsd-sysinstall-ftp-password(7537)
Reference: URL:http://www.iss.net/security_center/static/7537.php

Sysinstall in FreeBSD 2.2.1 and earlier, when configuring anonymous FTP, creates the ftp user without a password and with /bin/date as the shell, which could allow attackers to gain access to certain system resources.

======================================================
Name: CVE-1999-1299
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970203 Linux rcp bug
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420509&w=2

rcp on various Linux systems including Red Hat 4.0 allows a "nobody" user or other user with UID of 65535 to overwrite arbitrary files, since 65535 is interpreted as -1 by chown and other system calls, which causes the calls to fail to modify the ownership of the file.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:rcp-nobody-file-overwrite(7187)

======================================================
Name: CVE-1999-1300
Status: Candidate
Phase: Proposed(20010912)
Reference: CIAC:B-31
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-31.shtml

Vulnerability in accton in Cray UNICOS 6.1 and 6.0 allows local users to read arbitrary files and modify system accounting configuration.
Current Votes: ACCEPT(4) Armstrong, Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:unicos-accton-read-files(7210) ====================================================== Name: CVE-1999-1301 Status: Entry Reference: CIAC:G-31 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/g-31.shtml Reference: FREEBSD:FreeBSD-SA-96:17 Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:17.rzsz.asc Reference: XF:rzsz-command-execution(7540) Reference: URL:http://www.iss.net/security_center/static/7540.php A design flaw in the Z-Modem protocol allows the remote sender of a file to execute arbitrary programs on the client, as implemented in rz in the rzsz module of FreeBSD before 2.1.5, and possibly other programs. ====================================================== Name: CVE-1999-1302 Status: Candidate Phase: Modified(20070105) Reference: CERT:VB-94:01 Reference: URL:http://ftp.cerias.purdue.edu/pub/advisories/cert/cert_bulletins/VB-94:01.sco Reference: CIAC:F-05 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml Reference: OSVDB:8797 Reference: URL:http://www.osvdb.org/8797 Reference: SCO:94:001 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml Reference: XF:sco-pt_chmod(7586) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7586 Unspecified vulnerability in pt_chmod in SCO UNIX 4.2 and earlier allows local users to gain root access. Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:sco-pt_chmod(7586) ====================================================== Name: CVE-1999-1303 Status: Candidate Phase: Proposed(20010912) Reference: CIAC:F-05 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml Reference: SCO:94:001 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml Vulnerability in prwarn in SCO UNIX 4.2 and earlier allows local users to gain root access.
Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:sco-prwarn(7587) ====================================================== Name: CVE-1999-1304 Status: Candidate Phase: Proposed(20010912) Reference: CIAC:F-05 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml Reference: SCO:94:001 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml Vulnerability in login in SCO UNIX 4.2 and earlier allows local users to gain root access. Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:sco-login(7588) ====================================================== Name: CVE-1999-1305 Status: Candidate Phase: Proposed(20010912) Reference: CIAC:F-05 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml Reference: SCO:94:001 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml Vulnerability in "at" program in SCO UNIX 4.2 and earlier allows local users to gain root access. Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:sco-at(7589) ====================================================== Name: CVE-1999-1306 Status: Candidate Phase: Proposed(20010912) Reference: CERT:CA-1992-20 Reference: URL:http://www.cert.org/advisories/CA-1992-20.html Cisco IOS 9.1 and earlier does not properly handle extended IP access lists when the IP route cache is enabled and the "established" keyword is set, which could allow attackers to bypass filters. Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) Wall REVIEWING(1) Christey Voter Comments: Frech> XF:cisco-acl-established(1248) Possibly duplicate with CVE-1999-0162? Christey> Might be a duplicate of CVE-1999-0162, but CVE-1999-0162 was released in 1995, whereas this bug was released in 1992. 
====================================================== Name: CVE-1999-1307 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19941209 Novell security advisory on sadc, urestore and the suid_exec feature Reference: URL:http://www.dataguard.no/bugtraq/1994_4/0676.html Reference: CIAC:F-06 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-06.shtml Vulnerability in urestore in Novell UnixWare 1.1 allows local users to gain root privileges. Current Votes: ACCEPT(4) Armstrong, Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:novell-unixware-urestore-root(7211) ====================================================== Name: CVE-1999-1308 Status: Candidate Phase: Modified(20020218) Reference: CIAC:H-09 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-09.shtml Reference: CIAC:H-91 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-91.shtml Reference: HP:HPSBUX9611-041 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-91.shtml Reference: XF:hp-large-uid-gid(7594) Reference: URL:http://www.iss.net/security_center/static/7594.php Certain programs in HP-UX 10.20 do not properly handle large user IDs (UID) or group IDs (GID) over 60000, which could allow local users to gain privileges. Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:hp-large-uid-gid(7594) ====================================================== Name: CVE-1999-1309 Status: Entry Reference: BUGTRAQ:19940314 sendmail -d problem (OLD yet still here) Reference: URL:http://www.dataguard.no/bugtraq/1994_1/0040.html Reference: BUGTRAQ:19940315 Security problem in sendmail versions 8.x.x Reference: URL:http://www.dataguard.no/bugtraq/1994_1/0048.html Reference: BUGTRAQ:19940315 anyone know details? Reference: URL:http://www.dataguard.no/bugtraq/1994_1/0042.html Reference: BUGTRAQ:19940315 so...
Reference: URL:http://www.dataguard.no/bugtraq/1994_1/0043.html Reference: BUGTRAQ:19940327 sendmail exploit script - resend Reference: URL:http://www.dataguard.no/bugtraq/1994_1/0078.html Reference: CERT:CA-1994-12 Reference: URL:http://www.cert.org/advisories/CA-94.12.sendmail.vulnerabilities Reference: XF:sendmail-debug-gain-root(7155) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7155 Sendmail before 8.6.7 allows local users to gain root access via a large value in the debug (-d) command line option. ====================================================== Name: CVE-1999-1310 Status: Candidate Phase: Modified(20050204) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1022. Reason: This candidate is a duplicate of CVE-1999-1022. Notes: All CVE users should reference CVE-1999-1022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Current Votes: ACCEPT(3) Cole, Foat, Stracener REJECT(2) Christey, Frech Voter Comments: Frech> DUPE CVE-1999-1022 Christey> As noted by Andre Frech, this is a duplicate of CVE-1999-1022. The references from this candidate will be added to CVE-1999-1022. ====================================================== Name: CVE-1999-1311 Status: Candidate Phase: Proposed(20010912) Reference: CIAC:H-21 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml Reference: HP:HPSBUX9701-046 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml Vulnerability in dtlogin and dtsession in HP-UX 10.20 and 10.10 allows local users to bypass authentication and gain privileges. 
Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:hp-dt-bypass-auth(7668) ACKNOWLEDGED-BY-VENDOR ====================================================== Name: CVE-1999-1312 Status: Candidate Phase: Modified(20020218) Reference: CERT:CA-1993-05 Reference: URL:http://www.cert.org/advisories/CA-1993-05.html Reference: XF:openvms-local-privilege-elevation(7142) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7142 Vulnerability in DEC OpenVMS VAX 5.5-2 through 5.0, and OpenVMS AXP 1.0, allows local users to gain system privileges. Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:openvms-local-privilege-elevation(7142) ====================================================== Name: CVE-1999-1313 Status: Candidate Phase: Modified(20020218) Reference: CIAC:G-24 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/g-24.shtml Reference: FREEBSD:FreeBSD-SA-96:11 Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:11.man.asc Reference: XF:bsd-man-command-sequence(7348) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7348 Manual page reader (man) in FreeBSD 2.2 and earlier allows local users to gain privileges via a sequence of commands. 
Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:bsd-man-command-sequence(7348) ====================================================== Name: CVE-1999-1314 Status: Candidate Phase: Modified(20020218) Reference: CIAC:G-24 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/g-24.shtml Reference: FREEBSD:FreeBSD-SA-96:10 Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:10.mount_union.asc Reference: XF:unionfs-mount-ordering(7429) Reference: URL:http://www.iss.net/security_center/static/7429.php Vulnerability in union file system in FreeBSD 2.2 and earlier, and possibly other operating systems, allows local users to cause a denial of service (system reload) via a series of certain mount_union commands. Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:unionfs-mount-ordering(7429) ====================================================== Name: CVE-1999-1315 Status: Candidate Phase: Proposed(20010912) Reference: CIAC:F-04 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-04.shtml Vulnerabilities in DECnet/OSI for OpenVMS before 5.8 on DEC Alpha AXP and VAX/VMS systems allow local users to gain privileges or cause a denial of service. Current Votes: ACCEPT(4) Armstrong, Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:openvms-decnetosi-gain-privileges(7212) ====================================================== Name: CVE-1999-1316 Status: Entry Reference: MSKB:Q247975 Reference: URL:http://support.microsoft.com/support/kb/articles/Q247/9/75.asp Reference: XF:passfilt-fullname(7391) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7391 Passfilt.dll in Windows NT SP2 allows users to create a password that contains the user's name, which could make it easier for an attacker to guess. 
====================================================== Name: CVE-1999-1317 Status: Entry Reference: MSKB:Q222159 Reference: URL:http://support.microsoft.com/support/kb/articles/q222/1/59.asp Reference: NTBUGTRAQ:19990312 [ ALERT ] Case Sensitivity and Symbolic Links Reference: URL:http://marc.info/?l=ntbugtraq&m=92127046701349&w=2 Reference: NTBUGTRAQ:19990314 AW: [ ALERT ] Case Sensitivity and Symbolic Links Reference: URL:http://marc.info/?l=ntbugtraq&m=92162979530341&w=2 Reference: XF:nt-symlink-case(7398) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7398 Windows NT 4.0 SP4 and earlier allows local users to gain privileges by modifying the symbolic link table in the \?? object folder using a different case letter (upper or lower) to point to a different device. ====================================================== Name: CVE-1999-1318 Status: Entry Reference: SUNBUG:1121935 Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fpatches%2F100630&zone_32=112193%2A%20 Reference: XF:sun-su-path(7480) Reference: URL:http://www.iss.net/security_center/static/7480.php /usr/5bin/su in SunOS 4.1.3 and earlier uses a search path that includes the current working directory (.), which allows local users to gain privileges via Trojan horse programs. ====================================================== Name: CVE-1999-1319 Status: Candidate Phase: Modified(20020218) Reference: SGI:19960101-01-PX Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19960101-01-PX Reference: XF:irix-object-server(7430) Reference: URL:http://www.iss.net/security_center/static/7430.php Vulnerability in object server program in SGI IRIX 5.2 through 6.1 allows remote attackers to gain root privileges in certain configurations. 
Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:irix-object-server(7430) ====================================================== Name: CVE-1999-1320 Status: Entry Reference: CIAC:D-01 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/d-01.shtml Reference: XF:netware-packet-spoofing-privileges(7213) Reference: URL:http://www.iss.net/security_center/static/7213.php Vulnerability in Novell NetWare 3.x and earlier allows local users to gain privileges via packet spoofing. ====================================================== Name: CVE-1999-1321 Status: Entry Reference: BUGTRAQ:19981105 security patch for ssh-1.2.26 kerberos code Reference: URL:http://lists.netspace.org/cgi-bin/wa?A2=ind9811A&L=bugtraq&P=R4814 Reference: OSVDB:4883 Reference: URL:http://www.osvdb.org/4883 Buffer overflow in ssh 1.2.26 client with Kerberos V enabled could allow remote attackers to cause a denial of service or execute arbitrary commands via a long DNS hostname that is not properly handled during TGT ticket passing. ====================================================== Name: CVE-1999-1322 Status: Candidate Phase: Proposed(20010912) Reference: NTBUGTRAQ:19981112 exchverify.log Reference: URL:http://marc.info/?l=ntbugtraq&m=91096758513985&w=2 Reference: NTBUGTRAQ:19981117 Re: exchverify.log - update #1 Reference: URL:http://marc.info/?l=ntbugtraq&m=91133714919229&w=2 Reference: NTBUGTRAQ:19981125 Re: exchverify.log - update #2 Reference: NTBUGTRAQ:19981216 Arcserve Exchange Client security issue being fixed Reference: NTBUGTRAQ:19990305 Cheyenne InocuLAN for Exchange plain text password still there Reference: NTBUGTRAQ:19990426 ArcServe Exchange Client Security Issue still unresolved The installation of ArcServe Backup and Inoculan AV client modules for Exchange creates a log file, exchverify.log, which contains usernames and passwords in plaintext.
Current Votes: NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1323 Status: Candidate Phase: Proposed(20010912) Reference: NTBUGTRAQ:19990409 NAV for MS Exchange & Internet Email Gateways Reference: URL:http://marc.info/?l=ntbugtraq&m=92370067416739&w=2 Norton AntiVirus for Internet Email Gateways (NAVIEG) 1.0.1.7 and earlier, and Norton AntiVirus for MS Exchange (NAVMSE) 1.5 and earlier, store the administrator password in cleartext in (1) the navieg.ini file for NAVIEG, and (2) the ModifyPassword registry key in NAVMSE. Current Votes: ACCEPT(1) Prosser MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:nav-admin-password(7543) Prosser> This has been since corrected in later releases. ====================================================== Name: CVE-1999-1324 Status: Entry Reference: CIAC:D-06 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/d-06.shtml Reference: XF:openvms-sysgen-enabled(7225) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7225 VAXstations running Open VMS 5.3 through 5.5-2 with VMS DECwindows or MOTIF do not properly disable access to user accounts that exceed the break-in limit threshold for failed login attempts, which makes it easier for attackers to conduct brute force password guessing. ====================================================== Name: CVE-1999-1325 Status: Entry Reference: CIAC:C-19 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/c-19.shtml Reference: XF:vaxvms-sas-gain-privileges(7261) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7261 SAS System 5.18 on VAX/VMS is installed with insecure permissions for its directories and startup file, which allows local users to gain privileges. 
====================================================== Name: CVE-1999-1326 Status: Entry Reference: BUGTRAQ:19970104 serious security bug in wu-ftpd v2.4 Reference: URL:http://marc.info/?l=bugtraq&m=87602167420401&w=2 Reference: BUGTRAQ:19970105 BoS: serious security bug in wu-ftpd v2.4 -- PATCH Reference: URL:http://marc.info/?l=bugtraq&m=87602167420408&w=2 Reference: XF:wuftpd-abor-gain-privileges(7169) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7169 wu-ftpd 2.4 FTP server does not properly drop privileges when an ABOR (abort file transfer) command is executed during a file transfer, which causes a signal to be handled incorrectly and allows local and possibly remote attackers to read arbitrary files. ====================================================== Name: CVE-1999-1327 Status: Entry Reference: BUGTRAQ:19980601 Re: SECURITY: Red Hat Linux 5.1 linuxconf bug (fwd) Reference: URL:http://marc.info/?l=bugtraq&m=90221103125826&w=2 Reference: CONFIRM:http://www.redhat.com/support/errata/rh51-errata-general.html#linuxconf Reference: OSVDB:6065 Reference: URL:http://www.osvdb.org/6065 Reference: XF:linuxconf-lang-bo(7239) Reference: URL:http://www.iss.net/security_center/static/7239.php Buffer overflow in linuxconf 1.11r11-rh2 on Red Hat Linux 5.1 allows local users to gain root privileges via a long LANG environmental variable. ====================================================== Name: CVE-1999-1328 Status: Entry Reference: BUGTRAQ:19980823 Security concerns in linuxconf shipped w/RedHat 5.1 Reference: URL:http://marc.info/?l=bugtraq&m=90383955231511&w=2 Reference: BUGTRAQ:19980826 [djb@redhat.com: Unidentified subject!] 
Reference: CONFIRM:http://www.redhat.com/support/errata/rh51-errata-general.html#linuxconf Reference: OSVDB:6068 Reference: URL:http://www.osvdb.org/6068 Reference: XF:linuxconf-symlink-gain-privileges(7232) Reference: URL:http://www.iss.net/security_center/static/7232.php linuxconf before 1.11.r11-rh3 on Red Hat Linux 5.1 allows local users to overwrite arbitrary files and gain root access via a symlink attack. ====================================================== Name: CVE-1999-1329 Status: Entry Reference: CONFIRM:http://www.redhat.com/support/errata/rh50-errata-general.html#SysVinit Reference: XF:sysvinit-root-bo(7250) Reference: URL:http://www.iss.net/security_center/static/7250.php Buffer overflow in SysVInit in Red Hat Linux 5.1 and earlier allows local users to gain privileges. ====================================================== Name: CVE-1999-1330 Status: Entry Reference: BUGTRAQ:19970709 [linux-security] so-called snprintf() in db-1.85.4 (fwd) Reference: URL:http://marc.info/?l=bugtraq&m=87602661419259&w=2 Reference: CONFIRM:http://lists.openresources.com/Debian/debian-bugs-closed/msg00581.html Reference: CONFIRM:http://www.redhat.com/support/errata/rh42-errata-general.html#db Reference: XF:linux-libdb-snprintf-bo(7244) Reference: URL:http://www.iss.net/security_center/static/7244.php The snprintf function in the db library 1.85.4 ignores the size parameter, which could allow attackers to exploit buffer overflows that would be prevented by a properly implemented snprintf. 
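CVE-1999-1330 is worth a closer look because it inverts the usual buffer-overflow story: the calling code did the right thing, and the library underneath silently threw the bound away. The block below is an added illustration for this page, not the db 1.85.4 source; broken_snprintf is a reconstruction of the behaviour the description gives (a function with snprintf's signature that never consults size), and the probe and LONG_INPUT string are constructed here. It shows how to detect such a replacement at runtime and how a caller should treat snprintf's return value.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*fmt_fn)(char *, size_t, const char *, ...);

/* Reconstruction of the described defect (assumption: modelled on the CVE
 * text, not on the db 1.85.4 code): the size parameter is accepted and ignored. */
int broken_snprintf(char *buf, size_t size, const char *fmt, ...) {
    (void)size;                       /* the bug: bound dropped on the floor */
    va_list ap;
    va_start(ap, fmt);
    int n = vsprintf(buf, fmt, ap);   /* unbounded write into buf */
    va_end(ap);
    return n;
}

/* The C99 contract callers rely on: at most size-1 bytes plus a NUL are
 * written, and the return value is the length the full output would have had. */
int bounded_snprintf(char *buf, size_t size, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Probe parameters: an 8-byte window at the front of a 64-byte buffer, and a
 * constructed 30-byte input that cannot fit in the window. */
enum { PROBE_WINDOW = 8, PROBE_GUARD = 56 };
static const char LONG_INPUT[] = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

/* Format LONG_INPUT through fn into the window and count how many bytes
 * beyond the window lost their sentinel value. A conforming snprintf gives 0;
 * the broken one gives strlen(LONG_INPUT) + 1 - PROBE_WINDOW (the NUL counts). */
size_t bytes_written_past_bound(fmt_fn fn) {
    char backing[PROBE_WINDOW + PROBE_GUARD];
    memset(backing, 0x7f, sizeof backing);        /* sentinel fill */
    fn(backing, PROBE_WINDOW, "%s", LONG_INPUT);  /* backing is large enough that this is safe */
    size_t overrun = 0;
    for (size_t i = PROBE_WINDOW; i < sizeof backing; i++)
        if (backing[i] != 0x7f)
            overrun++;
    return overrun;
}

/* Defensive caller pattern: a return value >= cap means the output was
 * truncated, so the buffer must not be used as the intended string.
 * Returns 0 on success, -1 on truncation or error. */
int format_path(char *dst, size_t cap, const char *dir, const char *file) {
    int n = bounded_snprintf(dst, cap, "%s/%s", dir, file);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return 0;
}

int main(void) {
    char out[16];
    printf("broken  snprintf: %zu bytes past the bound\n", bytes_written_past_bound(broken_snprintf));
    printf("bounded snprintf: %zu bytes past the bound\n", bytes_written_past_bound(bounded_snprintf));
    printf("format_path(/etc/passwd):          %d\n", format_path(out, sizeof out, "/etc", "passwd"));
    printf("format_path(/usr/local/lib/libdb.a): %d\n", format_path(out, sizeof out, "/usr/local", "lib/libdb.a"));
    return 0;
}
```

A probe like bytes_written_past_bound belongs in a build's self-test when a project vendors or wraps its own snprintf, since the overflow it detects is otherwise invisible until an attacker supplies the long input.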
====================================================== Name: CVE-1999-1331 Status: Entry Reference: CONFIRM:http://www.redhat.com/support/errata/rh42-errata-general.html#netcfg Reference: XF:netcfg-ethernet-dos(7245) Reference: URL:http://www.iss.net/security_center/static/7245.php netcfg 2.16-1 in Red Hat Linux 4.2 allows the Ethernet interface to be controlled by users on reboot when an option is set, which allows local users to cause a denial of service by shutting down the interface. ====================================================== Name: CVE-1999-1332 Status: Entry Reference: BID:7845 Reference: URL:http://www.securityfocus.com/bid/7845 Reference: BUGTRAQ:19980128 GZEXE - the big problem Reference: URL:http://marc.info/?l=bugtraq&m=88603844115233&w=2 Reference: CONFIRM:http://www.redhat.com/support/errata/rh50-errata-general.html#gzip Reference: DEBIAN:DSA-308 Reference: URL:http://www.debian.org/security/2003/dsa-308 Reference: OSVDB:3812 Reference: URL:http://www.osvdb.org/3812 Reference: XF:gzip-gzexe-tmp-symlink(7241) Reference: URL:http://www.iss.net/security_center/static/7241.php gzexe in the gzip package on Red Hat Linux 5.0 and earlier allows local users to overwrite files of other users via a symlink attack on a temporary file. ====================================================== Name: CVE-1999-1333 Status: Entry Reference: BUGTRAQ:19980319 ncftp 2.4.2 MkDirs bug Reference: URL:http://marc.info/?l=bugtraq&m=89042322924057&w=2 Reference: CONFIRM:http://www.redhat.com/support/errata/rh50-errata-general.html#ncftp Reference: OSVDB:6111 Reference: URL:http://www.osvdb.org/6111 Reference: XF:ncftp-autodownload-command-execution(7240) Reference: URL:http://www.iss.net/security_center/static/7240.php automatic download option in ncftp 2.4.2 FTP client in Red Hat Linux 5.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the names of files that are to be downloaded. 
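The ncftp entry (CVE-1999-1333) is the canonical shape of command injection through a file name: the client builds a command line from a string the server chose and hands it to the shell. The block below is an added illustration for this page, not ncftp's code; run_helper_vulnerable reproduces the pattern the description implies, run_helper_safe shows the exec-with-argv fix, and the attacker-controlled file name, the "true" helper program and the scratch directory under /tmp are constructed here so the difference can be observed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (assumed from the description, not ncftp's source): the
 * file name is spliced into a command line that /bin/sh then parses. */
int run_helper_vulnerable(const char *helper, const char *filename) {
    char cmd[1024];
    int n = snprintf(cmd, sizeof cmd, "%s %s", helper, filename);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    return system(cmd);   /* "README.txt; touch /tmp/x" runs the second command too */
}

/* Fixed pattern: exec the helper directly. The file name travels as a single
 * argv element, so no shell ever interprets it; "--" stops option parsing
 * in case the name starts with '-'. */
int run_helper_safe(const char *helper, const char *filename) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(helper, helper, "--", filename, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Belt and braces: validate a server-supplied name before using it at all.
 * Rejects empty names, leading '-', ".", "..", path separators, control and
 * high-bit bytes, whitespace and the shell's metacharacters. */
int filename_is_safe(const char *name) {
    if (name[0] == '\0' || name[0] == '-' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p < 0x20 || *p == 0x7f || *p >= 0x80)
            return 0;
        if (strchr("/\\;|&$`<>(){}[]*?!'\"~ \t\n", *p))
            return 0;
    }
    return 1;
}

/* Demo: the server announces a file whose name carries an injected command.
 * Returns 1 if the injected command ran (a marker file appeared), 0 if not,
 * -1 if the scratch directory could not be created. */
int injection_succeeded(int use_safe) {
    char dir[] = "/tmp/ncftp-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char marker[256], filename[512];
    snprintf(marker, sizeof marker, "%s/pwned", dir);
    snprintf(filename, sizeof filename, "README.txt; touch %s", marker);  /* constructed attacker name */
    if (use_safe)
        run_helper_safe("true", filename);        /* "true" stands in for the viewer/decompressor */
    else
        run_helper_vulnerable("true", filename);
    int hit = access(marker, F_OK) == 0;
    unlink(marker);
    rmdir(dir);
    return hit;
}

int main(void) {
    printf("vulnerable helper: injected command ran = %d\n", injection_succeeded(0));
    printf("safe helper:       injected command ran = %d\n", injection_succeeded(1));
    printf("name check: %d %d\n", filename_is_safe("report.tar.gz"), filename_is_safe("README.txt; touch x"));
    return 0;
}
```

The same two-layer fix (never hand untrusted text to a shell, and validate the name independently) applies to every client-side "automatic" action driven by server data, not only to FTP downloads.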
====================================================== Name: CVE-1999-1334 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19980129 KSR[T] Advisory #7: filter Reference: URL:http://marc.info/?l=bugtraq&m=88609666024181&w=2 Reference: CONFIRM:http://www.redhat.com/support/errata/rh50-errata-general.html#elm Multiple buffer overflows in filter command in Elm 2.4 allows attackers to execute arbitrary commands via (1) long From: headers, (2) long Reply-To: headers, or (3) via a long -f (filterfile) command line argument. Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech NOOP(2) Armstrong, Wall Voter Comments: Frech> XF:elm-filter-getfilterrules-bo(7214) XF:elm-filter2(711) ====================================================== Name: CVE-1999-1335 Status: Entry Reference: CONFIRM:http://www.redhat.com/support/errata/rh40-errata-general.html#cmu-snmp Reference: XF:cmusnmp-read-write(7251) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7251 snmpd server in cmu-snmp SNMP package before 3.3-1 in Red Hat Linux 4.0 is configured to allow remote attackers to read and write sensitive information. ====================================================== Name: CVE-1999-1336 Status: Entry Reference: BUGTRAQ:19990812 3com hiperarch flaw [hiperbomb.c] Reference: URL:http://marc.info/?l=bugtraq&m=93458364903256&w=2 Reference: BUGTRAQ:19990816 Re: 3com hiperarch flaw [hiperbomb.c] Reference: URL:http://marc.info/?l=bugtraq&m=93492615408725&w=2 Reference: OSVDB:6057 Reference: URL:http://www.osvdb.org/6057 3Com HiPer Access Router Card (HiperARC) 4.0 through 4.2.29 allows remote attackers to cause a denial of service (reboot) via a flood of IAC packets to the telnet port. ====================================================== Name: CVE-1999-1337 Status: Entry Reference: BUGTRAQ:19990801 midnight commander vulnerability(?) 
(fwd) Reference: URL:http://marc.info/?l=bugtraq&m=93370073207984&w=2 Reference: OSVDB:5921 Reference: URL:http://www.osvdb.org/5921 Reference: XF:midnight-commander-data-disclosure(9873) Reference: URL:http://www.iss.net/security_center/static/9873.php FTP client in Midnight Commander (mc) before 4.5.11 stores usernames and passwords for visited sites in plaintext in the world-readable history file, which allows other local users to gain privileges. ====================================================== Name: CVE-1999-1338 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990721 Delegate creates directories writable for anyone Reference: URL:http://marc.info/?l=bugtraq&m=93259112204664&w=2 Delegate proxy 5.9.3 and earlier creates files and directories in the DGROOT with world-writable permissions. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:delegate-dgroot-permissions(8438) ====================================================== Name: CVE-1999-1339 Status: Entry Reference: BUGTRAQ:19990722 Linux +ipchains+ ping -R Reference: URL:http://marc.info/?l=bugtraq&m=93277426802802&w=2 Reference: BUGTRAQ:19990722 Re: ping -R causes kernel panic on a forwarding machine ( 2.2.5 a nd 2 .2.10) Reference: URL:http://marc.info/?l=bugtraq&m=93277766505061&w=2 Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.2/patch-2.2.11.gz Reference: OSVDB:6105 Reference: URL:http://www.osvdb.org/6105 Reference: XF:ipchains-ping-route-dos(7257) Reference: URL:http://www.iss.net/security_center/static/7257.php Vulnerability when Network Address Translation (NAT) is enabled in Linux 2.2.10 and earlier with ipchains, or FreeBSD 3.2 with ipfw, allows remote attackers to cause a denial of service (kernel panic) via a ping -R (record route) command. 
====================================================== Name: CVE-1999-1340 Status: Candidate Phase: Proposed(20010912) Reference: BID:765 Reference: URL:http://www.securityfocus.com/bid/765 Reference: BUGTRAQ:19991104 hylafax-4.0.2 local exploit Reference: URL:http://marc.info/?l=bugtraq&m=94173799532589&w=2 Buffer overflow in faxalter in hylafax 4.0.2 allows local users to gain privileges via a long -m command line argument. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:hylafax-faxalter-gain-privs(3453) Proper spelling of the product is HylaFAX (see http://www.hylafax.org/) ====================================================== Name: CVE-1999-1341 Status: Entry Reference: BUGTRAQ:19991022 Local user can send forged packets Reference: URL:http://marc.info/?l=bugtraq&m=94061108411308&w=2 Reference: XF:linux-tiocsetd-forge-packets(7858) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7858 Linux kernel before 2.3.18 or 2.2.13pre15, with SLIP and PPP options, allows local unprivileged users to forge IP packets via the TIOCSETD option on tty devices. ====================================================== Name: CVE-1999-1342 Status: Candidate Phase: Proposed(20010912) Reference: NTBUGTRAQ:19991017 ICQ ActiveList Server Exploit... Reference: URL:http://marc.info/?l=ntbugtraq&m=94042342010662&w=2 ICQ ActiveList Server allows remote attackers to cause a denial of service (crash) via malformed packets to the server's UDP port. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:icq-activelist-udp-dos(7877) ====================================================== Name: CVE-1999-1343 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19991013 Xerox DocuColor 4 LP D.O.S Reference: URL:http://marc.info/?l=bugtraq&m=93986405412867&w=2 HTTP server for Xerox DocuColor 4 LP allows remote attackers to cause a denial of service (hang) via a long URL that contains a large number of . 
characters. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:xerox-docucolor4lp-dos(8041) ====================================================== Name: CVE-1999-1344 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19991005 Auto_FTP v0.02 Advisory Reference: URL:http://marc.info/?l=bugtraq&m=93923873006014&w=2 Auto_FTP.pl script in Auto_FTP 0.2 stores usernames and passwords in plaintext in the auto_ftp.conf configuration file. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:autoftp-plaintext-password(8045) ====================================================== Name: CVE-1999-1345 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19991005 Auto_FTP v0.02 Advisory Reference: URL:http://marc.info/?l=bugtraq&m=93923873006014&w=2 Auto_FTP.pl script in Auto_FTP 0.2 uses the /tmp/ftp_tmp as a shared directory with insecure permissions, which allows local users to (1) send arbitrary files to the remote server by placing them in the directory, and (2) view files that are being transferred. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:autoftp-shared-directory(8047) ====================================================== Name: CVE-1999-1346 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19991007 Problems with redhat 6 Xsession and pam.d/rlogin. Reference: URL:http://marc.info/?l=bugtraq&m=93942774609925&w=2 PAM configuration file for rlogin in Red Hat Linux 6.1 and earlier includes a less restrictive rule before a more restrictive one, which allows users to access the host via rlogin even if rlogin has been explicitly disabled using the /etc/nologin file. 
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:pam-rlogin-bypass(8315) ====================================================== Name: CVE-1999-1347 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19991007 Problems with redhat 6 Xsession and pam.d/rlogin. Reference: URL:http://marc.info/?l=bugtraq&m=93942774609925&w=2 Xsession in Red Hat Linux 6.1 and earlier can allow local users with restricted accounts to bypass execution of the .xsession file by starting kde, gnome or anotherlevel from kdm. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:xsession-bypass(8316) ====================================================== Name: CVE-1999-1348 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990630 linuxconf doesn't seem to deal correctly with /etc/pam.d/reboot Reference: URL:http://marc.info/?l=bugtraq&m=93220073515880&w=2 Linuxconf on Red Hat Linux 6.0 and earlier does not properly disable PAM-based access to the shutdown command, which could allow local users to cause a denial of service. Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Foat, Wall Voter Comments: Frech> XF:linuxconf-pam-shutdown-dos(8437) ====================================================== Name: CVE-1999-1349 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19991006 Omni-NFS/X Enterprise (nfsd.exe) DOS Reference: URL:http://marc.info/?l=bugtraq&m=93923679004325&w=2 NFS daemon (nfsd.exe) for Omni-NFS/X 6.1 allows remote attackers to cause a denial of service (resource exhaustion) via certain packets, possibly with the Urgent (URG) flag set, to port 111. 
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:xlink-nfsd-dos(8317) ====================================================== Name: CVE-1999-1350 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990929 Multiple Vendor ARCAD permission problems Reference: URL:http://marc.info/?l=bugtraq&m=93871933521519&w=2 ARCAD Systemhaus 0.078-5 installs critical programs and files with world-writeable permissions, which could allow local users to gain privileges by replacing a program with a Trojan horse. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:arcad-insecure-permissions(8318) ====================================================== Name: CVE-1999-1351 Status: Entry Reference: BUGTRAQ:19990924 Kvirc bug Reference: URL:http://marc.info/?l=bugtraq&m=93845560631314&w=2 Reference: XF:kvirc-dot-directory-traversal(7761) Reference: URL:http://www.iss.net/security_center/static/7761.php Directory traversal vulnerability in KVIrc IRC client 0.9.0 with the "Listen to !nick <soundname> requests" option enabled allows remote attackers to read arbitrary files via a .. (dot dot) in a DCC GET request. ====================================================== Name: CVE-1999-1352 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990928 Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Reference: URL:http://marc.info/?l=bugtraq&m=93855134409747&w=2 mknod in Linux 2.2 follows symbolic links, which could allow local users to overwrite files or gain privileges. 
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:mknod-symlink(8319) ====================================================== Name: CVE-1999-1353 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990907 MsgCore mailserver stores passwords in clear text Reference: URL:http://marc.info/?l=ntbugtraq&m=93698162708211&w=2 Nosque MsgCore 2.14 stores passwords in cleartext: (1) the administrator password in the AdmPasswd registry key, and (2) user passwords in the Userbase.dbf data file, which could allow local users to gain privileges. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:msgcore-plaintext-passwords(8271) BUGTRAQ Reference is actually NTBUGTRAQ. ====================================================== Name: CVE-1999-1354 Status: Candidate Phase: Proposed(20010912) Reference: NTBUGTRAQ:19990830 SoftArc's FirstClass E-mail Client Reference: URL:http://marc.info/?l=ntbugtraq&m=93637687305327&w=2 Reference: NTBUGTRAQ:19990909 SoftArc's FirstClass E-mail Client Reference: URL:http://marc.info/?l=ntbugtraq&m=93698283309513&w=2 E-mail client in Softarc FirstClass Internet Server 5.506 and earlier stores usernames and passwords in cleartext in the files (1) home.fc for version 5.506, (2) network.fc for version 3.5, or (3) FCCLIENT.LOG when logging is enabled. 
Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(3) Christey, Foat, Wall

Voter Comments:
 Frech> (Task 1766)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:firstclass-plaintext-account(9874)
 Christey> The following reference is for the FCCLIENT.LOG piece:
   ADDREF NTBUGTRAQ:19990911 Re: SoftArc's FirstClass E-mail Client
   URL:http://archives.neohapsis.com/archives/ntbugtraq/1999-q3/0189.html

======================================================
Name: CVE-1999-1355
Status: Candidate
Phase: Proposed(20010912)
Reference: CONFIRM:http://www.compaq.com/products/servers/management/advisory.html
Reference: NTBUGTRAQ:19990817 Compaq PFCUser account
Reference: URL:http://marc.info/?l=ntbugtraq&m=93542118727732&w=2
Reference: NTBUGTRAQ:19990905 Case ID SSRT0620 - PFCUser account communication
Reference: URL:http://marc.info/?l=ntbugtraq&m=93654336516711&w=2
Reference: NTBUGTRAQ:19990915 (I) UPDATE - PFCUser Account,
Reference: URL:http://marc.info/?l=ntbugtraq&m=93759822430801&w=2
Reference: NTBUGTRAQ:19991105 UPDATE: SSRT0620 Compaq Foundation Agents v4.40B PFCUser issues
Reference: URL:http://marc.info/?l=ntbugtraq&m=94183795025294&w=2
Reference: XF:management-pfcuser(3231)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3231

BMC Patrol component, when installed with Compaq Insight Management Agent 4.23 and earlier, or Management Agents for Servers 4.40 and earlier, creates a PFCUser account with a default password and potentially dangerous privileges.
Current Votes:
   ACCEPT(5) Armstrong, Cole, Foat, Frech, Stracener
   NOOP(1) Wall

======================================================
Name: CVE-1999-1356
Status: Entry
Reference: BUGTRAQ:19990902 Compaq CIM UG Overwrites Legal Notice
Reference: URL:http://marc.info/?l=bugtraq&m=93646669500991&w=2
Reference: NTBUGTRAQ:19990902 Compaq CIM UG Overwrites Legal Notice
Reference: URL:http://marc.info/?l=ntbugtraq&m=93637792706047&w=2
Reference: NTBUGTRAQ:19990917 Re: Compaq CIM UG Overwrites Legal Notice
Reference: URL:http://marc.info/?l=ntbugtraq&m=93759822830815&w=2
Reference: XF:compaq-smartstart-legal-notice(7763)
Reference: URL:http://www.iss.net/security_center/static/7763.php

Compaq Integration Maintenance Utility as used in Compaq Insight Manager agent before SmartStart 4.50 modifies the legal notice caption (LegalNoticeCaption) and text (LegalNoticeText) in Windows NT, which could produce a legal notice that is in violation of the security policy.

======================================================
Name: CVE-1999-1357
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19991005 Time to update those CGIs again
Reference: URL:http://marc.info/?l=bugtraq&m=93915331626185&w=2

Netscape Communicator 4.04 through 4.7 (and possibly other versions) in various UNIX operating systems converts the 0x8b character to a "<" sign, and the 0x9b character to a ">" sign, which could allow remote attackers to attack other clients via cross-site scripting (CSS) in CGI programs that do not filter these characters.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:netscape-cgi-filtering-css(8274)

======================================================
Name: CVE-1999-1358
Status: Entry
Reference: MSKB:Q157673
Reference: URL:http://support.microsoft.com/support/kb/articles/q157/6/73.asp
Reference: XF:nt-user-policy-update(7400)
Reference: URL:http://www.iss.net/security_center/static/7400.php

When an administrator in Windows NT or Windows 2000 changes a user policy, the policy is not properly updated if the local ntconfig.pol is not writable by the user, which could allow local users to bypass restrictions that would otherwise be enforced by the policy, possibly by changing the policy file to be read-only.

======================================================
Name: CVE-1999-1359
Status: Entry
Reference: MSKB:Q163875
Reference: URL:http://support.microsoft.com/support/kb/articles/q163/8/75.asp
Reference: XF:nt-group-policy-longname(7401)
Reference: URL:http://www.iss.net/security_center/static/7401.php

When the Ntconfig.pol file is used on a server whose name is longer than 13 characters, Windows NT does not properly enforce policies for global groups, which could allow users to bypass restrictions that were intended by those policies.

======================================================
Name: CVE-1999-1360
Status: Entry
Reference: MSKB:Q160650
Reference: URL:http://support.microsoft.com/support/kb/articles/q160/6/50.asp
Reference: XF:nt-kernel-handle-dos(7402)
Reference: URL:http://www.iss.net/security_center/static/7402.php

Windows NT 4.0 allows local users to cause a denial of service via a user mode application that closes a handle that was opened in kernel mode, which causes a crash when the kernel attempts to close the handle.
======================================================
Name: CVE-1999-1361
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980509 coke.c
Reference: URL:http://marc.info/?l=bugtraq&m=90221101925891&w=2

Windows NT 3.51 and 4.0 running WINS (Windows Internet Name Service) allows remote attackers to cause a denial of service (resource exhaustion) via a flood of malformed packets, which causes the server to slow down and fill the event logs with error messages.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:winnt-wins-packet-flood-dos(7329)

======================================================
Name: CVE-1999-1362
Status: Entry
Reference: MSKB:Q160601
Reference: URL:http://support.microsoft.com/support/kb/articles/q160/6/01.asp
Reference: XF:nt-win32k-dos(7403)
Reference: URL:http://www.iss.net/security_center/static/7403.php

Win32k.sys in Windows NT 4.0 before SP2 allows local users to cause a denial of service (crash) by calling certain WIN32K functions with incorrect parameters.

======================================================
Name: CVE-1999-1363
Status: Entry
Reference: MSKB:Q163143
Reference: URL:http://support.microsoft.com/support/kb/articles/q163/1/43.asp
Reference: XF:nt-nonpagedpool-dos(7405)
Reference: URL:http://www.iss.net/security_center/static/7405.php

Windows NT 3.51 and 4.0 allow local users to cause a denial of service (crash) by running a program that creates a large number of locks on a file, which exhausts the NonPagedPool.
======================================================
Name: CVE-1999-1364
Status: Candidate
Phase: Modified(20020218)
Reference: MSKB:Q142653
Reference: URL:http://support.microsoft.com/support/kb/articles/q142/6/53.asp
Reference: XF:nt-threadcontext-dos(7421)
Reference: URL:http://www.iss.net/security_center/static/7421.php

Windows NT 4.0 allows local users to cause a denial of service (crash) via an illegal kernel mode address to the functions (1) GetThreadContext or (2) SetThreadContext.

Current Votes:
   ACCEPT(3) Cole, Foat, Wall
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:nt-threadcontext-dos(7421)

======================================================
Name: CVE-1999-1365
Status: Entry
Reference: BID:515
Reference: URL:http://www.securityfocus.com/bid/515
Reference: NTBUGTRAQ:19990628 NT runs Explorer.exe, Taskmgr.exe etc. from wrong location
Reference: URL:http://marc.info/?l=ntbugtraq&m=93069418400856&w=2
Reference: NTBUGTRAQ:19990630 Update: NT runs explorer.exe, etc...
Reference: URL:http://marc.info/?l=ntbugtraq&m=93127894731200&w=2
Reference: XF:nt-login-default-folder(2336)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2336

Windows NT searches a user's home directory (%systemroot% by default) before other directories to find critical programs such as NDDEAGNT.EXE, EXPLORER.EXE, USERINIT.EXE or TASKMGR.EXE, which could allow local users to bypass access restrictions or gain privileges by placing a Trojan horse program into the root directory, which is writable by default.

======================================================
Name: CVE-1999-1366
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990515 Pegasus Mail weak encryption
Reference: URL:http://marc.info/?l=bugtraq&m=92714118829880&w=2

Pegasus e-mail client 3.0 and earlier uses weak encryption to store POP3 passwords in the pmail.ini file, which allows local users to easily decrypt the passwords and read e-mail.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:pegasus-weak-password-encryption(8430)

======================================================
Name: CVE-1999-1367
Status: Candidate
Phase: Proposed(20010912)
Reference: MISC:http://www.pcworld.com/news/article/0,aid,10842,00.asp

Internet Explorer 5.0 does not properly reset the username/password cache for Web sites that do not use standard cache controls, which could allow users on the same system to access restricted web sites that were visited by other users.

Current Votes:
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Frech

Voter Comments:
 Frech> (Task 2283)

======================================================
Name: CVE-1999-1368
Status: Candidate
Phase: Proposed(20010912)
Reference: NTBUGTRAQ:19990512 InoculateIT 4.53 Real-Time Exchange Scanner Flawed
Reference: URL:http://marc.info/?l=ntbugtraq&m=92652152723629&w=2
Reference: NTBUGTRAQ:20001116 InoculateIT AV Option for MS Exchange Server
Reference: URL:http://marc.info/?l=ntbugtraq&m=97439568517355&w=2

AV Option for MS Exchange Server option for InoculateIT 4.53, and possibly other versions, only scans the Inbox folder tree of a Microsoft Exchange server, which could allow viruses to escape detection if a user's rules cause the message to be moved to a different mailbox.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:inoculate-message-redirect-bypass(5602)

======================================================
Name: CVE-1999-1369
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990414 Real Media Server stores passwords in plain text
Reference: URL:http://marc.info/?l=bugtraq&m=92411181619110&w=2

Real Media RealServer (rmserver) 6.0.3.353 stores a password in plaintext in the world-readable rmserver.cfg file, which allows local users to gain privileges.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:realserver-insecure-password(7544)

======================================================
Name: CVE-1999-1370
Status: Candidate
Phase: Proposed(20010912)
Reference: NTBUGTRAQ:19990323 MSIE 5 installer disables screen saver
Reference: URL:http://marc.info/?l=ntbugtraq&m=92220197414799&w=2

The setup wizard (ie5setup.exe) for Internet Explorer 5.0 disables (1) the screen saver, which could leave the system open to users with physical access if a failure occurs during an unattended installation, and (2) the Task Scheduler Service, which might prevent the scheduled execution of security-critical programs.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:ie-ie5setup-disable-password(7545)

======================================================
Name: CVE-1999-1371
Status: Candidate
Phase: Modified(20040723)
Reference: BUGTRAQ:19990308 Solaris "/usr/bin/write" bug
Reference: URL:http://marc.info/?l=bugtraq&m=92100752221493&w=2
Reference: MISC:http://www.securiteam.com/exploits/5ZP0O1P35O.html
Reference: XF:solaris-write-bo(7546)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7546

Buffer overflow in /usr/bin/write in Solaris 2.6 and 7 allows local users to gain privileges via a long string in the terminal name argument.
Current Votes:
   ACCEPT(2) Cole, Dik
   MODIFY(1) Frech
   NOOP(3) Christey, Foat, Wall

Voter Comments:
 Frech> XF:solaris-write-bo(7546)
 Christey> This appears to be a rediscovery of the problem for Solaris 2.8:
   BUGTRAQ:20011114 /usr/bin/write (solaris2.x) Segmentation Fault
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100588255815773&w=2
 Dik> sun bug: 4218941

======================================================
Name: CVE-1999-1372
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990219 Plaintext Password in Tractive's Remote Manager Software
Reference: URL:http://marc.info/?l=bugtraq&m=91966339502073&w=2

Triactive Remote Manager with Basic authentication enabled stores the username and password in cleartext in registry keys, which could allow local users to gain privileges.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:triactive-remote-basic-auth(7548)

======================================================
Name: CVE-1999-1373
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990105 Re: Network Scan Vulnerability [SUMMARY]
Reference: URL:http://marc.info/?l=bugtraq&m=91651770130771&w=2

FORE PowerHub before 5.0.1 allows remote attackers to cause a denial of service (hang) via a TCP SYN scan with TCP/IP OS fingerprinting, e.g. via nmap.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:powerhub-nmap-dos(7556)

======================================================
Name: CVE-1999-1374
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990427 Re: Shopping Carts exposing CC data
Reference: URL:http://marc.info/?l=bugtraq&m=92523159819402&w=2

perlshop.cgi shopping cart program stores sensitive customer information in directories and files that are under the web root, which allows remote attackers to obtain that information via an HTTP request.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:perlshop-cgi-obtain-information(7557)

======================================================
Name: CVE-1999-1375
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:230
Reference: URL:http://www.securityfocus.com/bid/230
Reference: NTBUGTRAQ:19990211 Using FSO in ASP to view just about anything
Reference: URL:http://marc.info/?l=ntbugtraq&m=91877455626320&w=2

FileSystemObject (FSO) in the showfile.asp Active Server Page (ASP) allows remote attackers to read arbitrary files by specifying the name in the file parameter.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(3) Christey, Foat, Wall

Voter Comments:
 Frech> XF:iis-fso-read-files(7558)
 Christey> Explicitly mention IIS

======================================================
Name: CVE-1999-1376
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990114 MS IIS 4.0 Security Advisory
Reference: URL:http://marc.info/?l=bugtraq&m=91638375309890&w=2
Reference: NTBUGTRAQ:19990114 MS IIS 4.0 Security Advisory
Reference: URL:http://marc.info/?l=ntbugtraq&m=91632724913080&w=2

Buffer overflow in fpcount.exe in IIS 4.0 with FrontPage Server Extensions allows remote attackers to execute arbitrary commands.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:frontpage-ext-fpcount-crash(5494)

======================================================
Name: CVE-1999-1377
Status: Candidate
Phase: Proposed(20010912)
Reference: MISC:http://pulhas.org/phrack/55/P55-07.html

Matt Wright's download.cgi 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the f parameter.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:download-cgi-directory-traversal(8279)

======================================================
Name: CVE-1999-1378
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990917 improper chroot in dbmlparser.exe
Reference: URL:http://marc.info/?l=bugtraq&m=93250710625956&w=2

dbmlparser.exe CGI guestbook program does not perform a chroot operation properly, which allows remote attackers to read arbitrary files.

Current Votes:
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Frech

Voter Comments:
 Frech> (Task 2284)

======================================================
Name: CVE-1999-1379
Status: Entry
Reference: AUSCERT:AL-1999.004
Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos
Reference: BUGTRAQ:19990730 Possible Denial Of Service using DNS
Reference: URL:http://marc.info/?l=bugtraq&m=93348057829957&w=2
Reference: BUGTRAQ:19990810 Possible Denial Of Service using DNS
Reference: URL:http://marc.info/?l=bugtraq&m=93433758607623&w=2
Reference: CIAC:J-063
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-063.shtml
Reference: XF:dns-udp-query-dos(7238)
Reference: URL:http://www.iss.net/security_center/static/7238.php

DNS allows remote attackers to use DNS name servers as traffic amplifiers via a UDP DNS query with a spoofed source address, which produces more traffic to the victim than was sent by the attacker.
======================================================
Name: CVE-1999-1380
Status: Entry
Reference: MISC:http://mlarchive.ima.com/win95/1997/May/0342.html
Reference: MISC:http://news.zdnet.co.uk/story/0,,s2065518,00.html
Reference: MISC:http://www.net-security.sk/bugs/NT/nu20.html
Reference: XF:nu-tuneocx-activex-control(7188)
Reference: URL:http://www.iss.net/security_center/static/7188.php

Symantec Norton Utilities 2.0 for Windows 95 marks the TUNEOCX.OCX ActiveX control as safe for scripting, which allows remote attackers to execute arbitrary commands via the run option through malicious web pages that are accessed by browsers such as Internet Explorer 3.0.

======================================================
Name: CVE-1999-1381
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19981008 buffer overflow in dbadmin
Reference: URL:http://marc.info/?l=bugtraq&m=90786656409618&w=2

Buffer overflow in dbadmin CGI program 1.0.1 on Linux allows remote attackers to execute arbitrary commands.

Current Votes:
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1382
Status: Entry
Reference: BUGTRAQ:19980108 NetWare NFS
Reference: URL:http://marc.info/?l=bugtraq&m=88427711321769&w=2
Reference: BUGTRAQ:19980812 Re: Netware NFS (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=90295697702474&w=2
Reference: CONFIRM:http://support.novell.com/cgi-bin/search/tidfinder.cgi?2940551
Reference: XF:netware-nfs-file-ownership(7246)
Reference: URL:http://www.iss.net/security_center/static/7246.php

NetWare NFS mode 1 and 2 implements the "Read Only" flag in Unix by changing the ownership of a file to root, which allows local users to gain root privileges by creating a setuid program and setting it to "Read Only," which NetWare-NFS changes to a setuid root program.
======================================================
Name: CVE-1999-1383
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19960913 tee see shell problems
Reference: URL:http://marc.info/?l=bugtraq&m=87602167419868&w=2
Reference: BUGTRAQ:19960919 Vulnerability in expansion of PS1 in bash & tcsh
Reference: URL:http://www.dataguard.no/bugtraq/1996_3/0503.html

(1) bash before 1.14.7, and (2) tcsh 6.05 allow local users to gain privileges via directory names that contain shell metacharacters (` back-tick), which can cause the commands enclosed in the directory name to be executed when the shell expands filenames using the \w option in the PS1 variable.

Current Votes:
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1384
Status: Entry
Reference: AUSCERT:AA-96.08
Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.08.SGI.systour.vul
Reference: BID:470
Reference: URL:http://www.securityfocus.com/bid/470
Reference: BUGTRAQ:19961030 (Another) vulnerability in new SGIs
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420095&w=2
Reference: SGI:19961101-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19961101-01-I
Reference: XF:irix-systour(7456)
Reference: URL:http://www.iss.net/security_center/static/7456.php

Indigo Magic System Tour in the SGI system tour package (systour) for IRIX 5.x through 6.3 allows local users to gain root privileges via a Trojan horse .exitops program, which is called by the inst command that is executed by the RemoveSystemTour program.

======================================================
Name: CVE-1999-1385
Status: Entry
Reference: BUGTRAQ:19961219 Exploit for ppp bug (FreeBSD 2.1.0).
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420332&w=2
Reference: FREEBSD:FreeBSD-SA-96:20
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:20.stack-overflow.asc
Reference: OSVDB:6085
Reference: URL:http://www.osvdb.org/6085
Reference: XF:ppp-bo(7465)
Reference: URL:http://www.iss.net/security_center/static/7465.php

Buffer overflow in ppp program in FreeBSD 2.1 and earlier allows local users to gain privileges via a long HOME environment variable.

======================================================
Name: CVE-1999-1386
Status: Entry
Reference: BUGTRAQ:19980308 another /tmp race: `perl -e' opens temp file not safely
Reference: URL:http://marc.info/?l=bugtraq&m=88932165406213&w=2
Reference: CONFIRM:http://www.redhat.com/support/errata/rh50-errata-general.html#perl
Reference: XF:perl-e-tmp-symlink(7243)
Reference: URL:http://www.iss.net/security_center/static/7243.php

Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file.

======================================================
Name: CVE-1999-1387
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970402 Fatal bug in NT 4.0 server
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420731&w=2
Reference: BUGTRAQ:19970403 Fatal bug in NT 4.0 server (more comments)
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420732&w=2
Reference: BUGTRAQ:19970407 DUMP of NT system crash
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420741&w=2

Windows NT 4.0 SP2 allows remote attackers to cause a denial of service (crash), possibly via malformed inputs or packets, such as those generated by a Linux smbmount command that was compiled on the Linux 2.0.29 kernel but executed on Linux 2.0.25.
Current Votes:
   ACCEPT(1) Cole
   NOOP(1) Foat

======================================================
Name: CVE-1999-1388
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19940513 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994
Reference: URL:http://www2.dataguard.no/bugtraq/1994_2/0197.html
Reference: BUGTRAQ:19940514 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994.NEWFIX
Reference: URL:http://www2.dataguard.no/bugtraq/1994_2/0207.html
Reference: BUGTRAQ:19941218 Sun Patch Id #102060-01
Reference: URL:http://www.dataguard.no/bugtraq/1994_4/0755.html

passwd in SunOS 4.1.x allows local users to overwrite arbitrary files via a symlink attack and the -F command line argument.

Current Votes:
   ACCEPT(1) Dik
   NOOP(2) Cole, Foat

Voter Comments:
 Dik> sun bug: 1171499

======================================================
Name: CVE-1999-1389
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:99
Reference: URL:http://www.securityfocus.com/bid/99
Reference: BUGTRAQ:19980511 3Com/USR Total Control Chassis dialup port access filters
Reference: URL:http://marc.info/?l=bugtraq&m=90221101925916&w=2

US Robotics/3Com Total Control Chassis with Frame Relay between 3.6.22 and 3.7.24 does not properly enforce access filters when the "set host prompt" setting is made for a port, which allows attackers to bypass restrictions by providing the hostname twice at the "host: " prompt.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:3com-netserver-filter-bypass(7330)

======================================================
Name: CVE-1999-1390
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:94
Reference: URL:http://www.securityfocus.com/bid/94
Reference: BUGTRAQ:19980428 [Debian 2.0] /usr/bin/suidexec gives root access
Reference: URL:http://darwin.bio.uci.edu/~mcoogan/bugtraq/msg00890.html

suidexec in suidmanager 0.18 on Debian 2.0 allows local users to gain root privileges by specifying a malicious program on the command line.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:suidmanager-suidexec-root-privileges(7304)

======================================================
Name: CVE-1999-1391
Status: Candidate
Phase: Modified(20020218)
Reference: BID:10
Reference: URL:http://www.securityfocus.com/bid/10
Reference: CERT:CA-1990-06
Reference: URL:http://www.cert.org/advisories/CA-1990-06.html
Reference: CIAC:B-01
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-01.shtml
Reference: XF:nextstep-npd-root-access(7143)
Reference: URL:http://www.iss.net/security_center/static/7143.php

Vulnerability in NeXT 1.0a and 1.0 with publicly accessible printers allows local users to gain privileges via a combination of the npd program and weak directory permissions.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:nextstep-npd-root-access(7143)

======================================================
Name: CVE-1999-1392
Status: Candidate
Phase: Modified(20020218)
Reference: BID:9
Reference: URL:http://www.securityfocus.com/bid/9
Reference: CERT:CA-1990-06
Reference: URL:http://www.cert.org/advisories/CA-1990-06.html
Reference: CIAC:B-01
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-01.shtml
Reference: XF:nextstep-restore09-root-access(7144)
Reference: URL:http://www.iss.net/security_center/static/7144.php

Vulnerability in restore0.9 installation script in NeXT 1.0a and 1.0 allows local users to gain root privileges.
Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:nextstep-restore09-root-access(7144)

======================================================
Name: CVE-1999-1393
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:532
Reference: URL:http://www.securityfocus.com/bid/532
Reference: MISC:http://freaky.staticusers.net/macsec/data/powerbooksecurity-data.html

Control Panel "Password Security" option for Apple Powerbooks allows attackers with physical access to the machine to bypass the security by booting it with an emergency startup disk and using a disk editor to modify the on/off toggle or password in the aaaaaaaAPWD file, which is normally inaccessible.

Current Votes:
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Frech

Voter Comments:
 Frech> (Task 2285)

======================================================
Name: CVE-1999-1394
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:510
Reference: URL:http://www.securityfocus.com/bid/510
Reference: BUGTRAQ:19990702 BSD-fileflags
Reference: URL:http://marc.info/?l=bugtraq&m=93094058620450&w=2

BSD 4.4 based operating systems, when running at security level 1, allow the root user to clear the immutable and append-only flags for files by unmounting the file system and using a file system editor such as fsdb to directly modify the file through a device.
Current Votes:
   ACCEPT(1) Cole
   NOOP(2) Foat, Wall
   REVIEWING(1) Frech

Voter Comments:
 Frech> (Task 2286)

======================================================
Name: CVE-1999-1395
Status: Candidate
Phase: Modified(20091029)
Reference: BID:51
Reference: URL:http://www.securityfocus.com/bid/51
Reference: CERT:CA-1992-18
Reference: URL:http://www.cert.org/advisories/CA-1992-18.html
Reference: CERT:CA-92.16
Reference: URL:http://www.cert.org/advisories/CA-92.16.VMS.Monitor.vulnerability
Reference: OSVDB:59332
Reference: URL:http://osvdb.org/59332
Reference: XF:vms-monitor-gain-privileges(7136)
Reference: URL:http://www.iss.net/security_center/static/7136.php

Vulnerability in Monitor utility (SYS$SHARE:SPISHR.EXE) in VMS 5.0 through 5.4-2 allows local users to gain privileges.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Frech> XF:vms-monitor-gain-privileges(7136)
   Duplicate of CVE-1999-1056? If not, indicate why in Analysis comments.
 Christey> Note that CVE-1999-1056
 Christey> CVE-1999-1056 is in fact a duplicate. This candidate will be kept, and CVE-1999-1056 will be REJECTed, because this candidate has more references.

======================================================
Name: CVE-1999-1396
Status: Candidate
Phase: Modified(20020218)
Reference: BID:49
Reference: URL:http://www.securityfocus.com/bid/49
Reference: CERT:CA-1992-15
Reference: URL:http://www.cert.org/advisories/CA-1992-15.html
Reference: XF:sun-integer-multiplication-access(7150)
Reference: URL:http://www.iss.net/security_center/static/7150.php

Vulnerability in integer multiplication emulation code on SPARC architectures for SunOS 4.1 through 4.1.2 allows local users to gain root access or cause a denial of service (crash).
Current Votes:
   ACCEPT(4) Cole, Dik, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:sun-integer-multiplication-access(7150)
 Dik> sun bug: 1069072 1071053

======================================================
Name: CVE-1999-1397
Status: Entry
Reference: BID:476
Reference: URL:http://www.securityfocus.com/bid/476
Reference: BUGTRAQ:19990323 Index Server 2.0 and the Registry
Reference: URL:http://marc.info/?l=bugtraq&m=92242671024118&w=2
Reference: NTBUGTRAQ:19990323 Index Server 2.0 and the Registry
Reference: URL:http://marc.info/?l=ntbugtraq&m=92223293409756&w=2
Reference: XF:iis-indexserver-reveal-path(7559)
Reference: URL:http://www.iss.net/security_center/static/7559.php

Index Server 2.0 on IIS 4.0 stores physical path information in the ContentIndex\Catalogs subkey of the AllowedPaths registry key, whose permissions allow local and remote users to obtain the physical paths of directories that are being indexed.

======================================================
Name: CVE-1999-1398
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:472
Reference: URL:http://www.securityfocus.com/bid/472
Reference: BUGTRAQ:19970507 Irix: misc
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420921&w=2
Reference: MISC:http://www.insecure.org/sploits/irix.xfsdump.html

Vulnerability in xfsdump in SGI IRIX may allow local users to obtain root privileges via the bck.log log file, possibly via a symlink attack.
Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:irix-xfsdump-symlink(7193)

======================================================
Name: CVE-1999-1399
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:471
Reference: URL:http://www.securityfocus.com/bid/471
Reference: BUGTRAQ:19970820 SpaceWare 7.3 v1.0
Reference: URL:http://marc.info/?l=bugtraq&m=87602746719552&w=2

spaceball program in SpaceWare 7.3 v1.0 in IRIX 6.2 allows local users to gain root privileges by setting the HOSTNAME environment variable to contain the commands to be executed.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:spaceware-hostname-command-execution(7194)

======================================================
Name: CVE-1999-1400
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:466
Reference: URL:http://www.securityfocus.com/bid/466
Reference: NTBUGTRAQ:19990603 Huge Exploit in NT 4.0 SP5 Screensaver with Password Protection Enabled
Reference: URL:http://archives.indenial.com/hypermail/ntbugtraq/1999/June1999/0007.html
Reference: NTBUGTRAQ:19990603 Re: Huge Exploit in NT 4.0 SP5 Screensaver with Password Protection Enabled.
Reference: URL:http://archives.indenial.com/hypermail/ntbugtraq/1999/June1999/0009.html
Reference: NTBUGTRAQ:19990604 Official response from The Economist re: 1999 Screen Saver
Reference: URL:http://marc.info/?l=ntbugtraq&m=92851653600852&w=2

The Economist screen saver 1999 with the "Password Protected" option enabled allows users with physical access to the machine to bypass the screen saver and read files by running Internet Explorer while the screen is still locked.
Current Votes:
   ACCEPT(1) Wall
   NOOP(2) Cole, Foat
   REVIEWING(1) Frech

Voter Comments:
 Frech> (Task 2287)
   CONFIRM NTBUGTRAQ:19990604 Official response from The Economist re: 1999 Screen Saver

======================================================
Name: CVE-1999-1401
Status: Candidate
Phase: Modified(20060309)
Reference: BID:463
Reference: URL:http://www.securityfocus.com/bid/463
Reference: OSVDB:8563
Reference: URL:http://www.osvdb.org/8563
Reference: SGI:19961201-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19961201-01-PX
Reference: XF:irix-searchbook-permissions(7575)
Reference: URL:http://www.iss.net/security_center/static/7575.php

Vulnerability in Desktop searchbook program in IRIX 5.0.x through 6.2 sets insecure permissions for certain user files (iconbook and searchbook).

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:irix-searchbook-permissions(7575)

======================================================
Name: CVE-1999-1402
Status: Entry
Reference: BID:456
Reference: URL:http://www.securityfocus.com/bid/456
Reference: BUGTRAQ:19970517 UNIX domain socket (Solarisx86 2.5)
Reference: URL:http://marc.info/?l=bugtraq&m=87602167418317&w=2
Reference: BUGTRAQ:19971003 Solaris 2.6 and sockets
Reference: URL:http://marc.info/?l=bugtraq&m=87602248718482&w=2
Reference: XF:sun-domain-socket-permissions(7172)
Reference: URL:http://www.iss.net/security_center/static/7172.php

The access permissions for a UNIX domain socket are ignored in Solaris 2.x and SunOS 4.x, and other BSD-based operating systems before 4.4, which could allow local users to connect to the socket and possibly disrupt or control the operations of the program using that socket.
======================================================
Name: CVE-1999-1403
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:382
Reference: URL:http://www.securityfocus.com/bid/382
Reference: BUGTRAQ:19981002 Several potential security problems in IBM/Tivoli OPC Tracker Agent
Reference: URL:http://www.securityfocus.com/archive/1/10771

IBM/Tivoli OPC Tracker Agent version 2 release 1 creates files, directories, and IPC message queues with insecure permissions (world-readable and world-writable), which could allow local users to disrupt operations and possibly gain privileges by modifying or deleting files.

Current Votes:
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1404
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:382
Reference: URL:http://www.securityfocus.com/bid/382
Reference: BUGTRAQ:19981002 Several potential security problems in IBM/Tivoli OPC Tracker Agent
Reference: URL:http://www.securityfocus.com/archive/1/10771

IBM/Tivoli OPC Tracker Agent version 2 release 1 allows remote attackers to cause a denial of service (resource exhaustion) via malformed data to the localtracker client port (5011), which prevents the connection from being closed properly.

Current Votes:
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1405
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:375
Reference: URL:http://www.securityfocus.com/bid/375
Reference: BUGTRAQ:19990217 snap utility for AIX.
Reference: URL:http://marc.info/?l=bugtraq&m=91936783009385&w=2
Reference: BUGTRAQ:19990220 Re: snap utility for AIX.
Reference: URL:http://marc.info/?l=bugtraq&m=91954824614013&w=2

snap command in AIX before 4.3.2 creates the /tmp/ibmsupt directory with world-readable permissions and does not remove or clear the directory when snap -a is executed, which could allow local users to access the shadowed password file by creating /tmp/ibmsupt/general/passwd before root runs snap -a.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:aix-snap-insecure-tmp(7560)

======================================================
Name: CVE-1999-1406
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:372
Reference: URL:http://www.securityfocus.com/bid/372
Reference: BUGTRAQ:19980729 Crash a redhat 5.1 linux box
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526185&w=2
Reference: BUGTRAQ:19980730 FD's 0..2 and suid/sgid procs (Was: Crash a redhat 5.1 linux box)
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526192&w=2

dumpreg in Red Hat Linux 5.1 opens /dev/mem with O_RDWR access, which allows local users to cause a denial of service (crash) by redirecting fd 1 (stdout) to the kernel.

Current Votes:
   ACCEPT(1) Cole
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1407
Status: Entry
Reference: BID:368
Reference: URL:http://www.securityfocus.com/bid/368
Reference: BUGTRAQ:19980309 *sigh* another RH5 /tmp problem
Reference: URL:http://marc.info/?l=bugtraq&m=88950856416985&w=2
Reference: CONFIRM:http://www.redhat.com/support/errata/rh50-errata-general.html#initscripts
Reference: XF:initscripts-ifdhcpdone-dhcplog-symlink(7294)
Reference: URL:http://www.iss.net/security_center/static/7294.php

ifdhcpc-done script for configuring DHCP on Red Hat Linux 5 allows local users to append text to arbitrary files via a symlink attack on the dhcplog file.
======================================================
Name: CVE-1999-1408
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:352
Reference: URL:http://www.securityfocus.com/bid/352
Reference: BUGTRAQ:19970305 Bug in connect() for aix 4.1.4 ?
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420641&w=2

Vulnerability in AIX 4.1.4 and HP-UX 10.01 and 9.05 allows local users to cause a denial of service (crash) by using a socket to connect to a port on the localhost, calling shutdown to clear the socket, then using the same socket to connect to a different port on localhost.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Christey, Cole, Foat

Voter Comments:
 Frech> XF:aix-hpux-connect-dos(7195)
 Christey> BUGTRAQ:19970307 Re: Bug in connect() ?
   URL:http://www.securityfocus.com/archive/1/Pine.HPP.3.92.970307195408.12139B-100000@wpax13.physik.uni-wuerzburg.de
   BUGTRAQ:19970311 Re: Bug in connect() for aix 4.1.4 ?
   URL:http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=6419

======================================================
Name: CVE-1999-1409
Status: Entry
Reference: BID:331
Reference: URL:http://www.securityfocus.com/bid/331
Reference: BUGTRAQ:19980703 more about 'at'
Reference: URL:http://www.shmoo.com/mail/bugtraq/jul98/msg00064.html
Reference: BUGTRAQ:19980805 irix-6.2 "at -f" vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=90233906612929&w=2
Reference: NETBSD:NetBSD-SA1998-004
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA1998-004.txt.asc
Reference: XF:at-f-read-files(7577)
Reference: URL:http://www.iss.net/security_center/static/7577.php

The at program in IRIX 6.2 and NetBSD 1.3.2 and earlier allows local users to read portions of arbitrary files by submitting the file to at with the -f argument, which generates error messages that at sends to the user via e-mail.
======================================================
Name: CVE-1999-1410
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:330
Reference: URL:http://www.securityfocus.com/bid/330
Reference: BUGTRAQ:19970509 Re: Irix: misc
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420927&w=2
Reference: MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX

addnetpr in IRIX 5.3 and 6.2 allows local users to overwrite arbitrary files and possibly gain root privileges via a symlink attack on the printers temporary file.

Current Votes:
   NOOP(2) Cole, Foat
   REJECT(2) Christey, Frech

Voter Comments:
 Christey> DUPE CVE-1999-1286
   Need to add these references to CVE-1999-1286

======================================================
Name: CVE-1999-1411
Status: Entry
Reference: BID:316
Reference: URL:http://www.securityfocus.com/bid/316
Reference: BUGTRAQ:19981128 Debian: Security flaw in FSP
Reference: URL:http://marc.info/?l=bugtraq&m=91228908407679&w=2
Reference: BUGTRAQ:19981130 Debian: Security flaw in FSP
Reference: URL:http://marc.info/?l=bugtraq&m=91244712808780&w=2
Reference: BUGTRAQ:19990217 Debian GNU/Linux 2.0r5 released (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=91936850009861&w=2
Reference: DEBIAN:19981126 new version of fsp fixes security flaw
Reference: URL:http://lists.debian.org/debian-security-announce/debian-security-announce-1998/msg00033.html
Reference: XF:fsp-anon-ftp-access(7574)
Reference: URL:http://www.iss.net/security_center/static/7574.php

The installation of the fsp package 2.71-10 in Debian GNU/Linux 2.0 adds the anonymous FTP user without notifying the administrator, which could automatically enable anonymous FTP on some servers such as wu-ftp.
======================================================
Name: CVE-1999-1412
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:306
Reference: URL:http://www.securityfocus.com/bid/306
Reference: BUGTRAQ:19990603 MacOS X system panic with CGI
Reference: URL:http://www.securityfocus.com/archive/1/14215

A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service (crash) via a flood of HTTP GET requests to CGI programs, which generates a large number of processes.

Current Votes:
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Frech

Voter Comments:
 Frech> (Task 2288)

======================================================
Name: CVE-1999-1413
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:296
Reference: URL:http://www.securityfocus.com/bid/296
Reference: BUGTRAQ:19960803 Exploiting Zolaris 2.4 ?? :)
Reference: URL:http://marc.info/?l=bugtraq&m=87602167419549&w=2

Solaris 2.4 before kernel jumbo patch -35 allows set-gid programs to dump core even if the real user id is not in the set-gid group, which allows local users to overwrite or create files at higher privileges by causing a core dump, e.g. through dmesg.
Current Votes:
   MODIFY(2) Dik, Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:solaris-coredump-symlink(7196)
 Dik> sun bug: 1208241
   Also applies to set-uid executables that have made real and effective uid identical

======================================================
Name: CVE-1999-1414
Status: Entry
Reference: BID:284
Reference: URL:http://www.securityfocus.com/bid/284
Reference: NTBUGTRAQ:19990525 Security Leak with IBM Netfinity Remote Control Software
Reference: URL:http://marc.info/?l=ntbugtraq&m=92765856706547&w=2
Reference: NTBUGTRAQ:19990609 IBM's response to "Security Leak with IBM Netfinity Remote Control Software
Reference: URL:http://marc.info/?l=ntbugtraq&m=92902484317769&w=2

IBM Netfinity Remote Control allows local users to gain administrator privileges by starting programs from the process manager, which runs with system level privileges.

======================================================
Name: CVE-1999-1415
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:27
Reference: URL:http://www.securityfocus.com/bid/27
Reference: CERT:CA-91.13
Reference: URL:http://www.cert.org/advisories/CA-91.13.Ultrix.mail.vulnerability

Vulnerability in /usr/bin/mail in DEC ULTRIX before 4.2 allows local users to gain privileges.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Frech> XF:bsd-binmail(515)
   CA-1991-13 was superseded by CA-1995-02.
 Christey> Is there overlap between CVE-1999-1415 and CVE-1999-1438?
   Both CERT advisories are vague.
======================================================
Name: CVE-1999-1416
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:253
Reference: URL:http://www.securityfocus.com/bid/253
Reference: BUGTRAQ:19980823 Solaris ab2 web server is junk
Reference: URL:http://www.securityfocus.com/archive/1/10383

AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large content-length.

Current Votes:
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1417
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:253
Reference: URL:http://www.securityfocus.com/bid/253
Reference: BUGTRAQ:19980823 Solaris ab2 web server is junk
Reference: URL:http://www.securityfocus.com/archive/1/10383

Format string vulnerability in AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via encoded % characters in an HTTP request, which is improperly logged.

Current Votes:
   ACCEPT(1) Dik
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Dik> sun bug: 4218283

======================================================
Name: CVE-1999-1418
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:246
Reference: URL:http://www.securityfocus.com/bid/246
Reference: BUGTRAQ:19990501 Update: security hole in the ICQ-Webserver
Reference: URL:http://www.securityfocus.com/archive/1/13508

ICQ99 ICQ web server build 1701 with "Active Homepage" enabled allows remote attackers to determine the existence of files on the server by comparing server responses when a file exists ("404 Forbidden") versus when a file does not exist ("404 not found").
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:icq-webserver-gain-information(8229)
   CONFIRM:http://online.securityfocus.com/archive/1/13655

======================================================
Name: CVE-1999-1419
Status: Entry
Reference: BID:219
Reference: URL:http://www.securityfocus.com/bid/219
Reference: SUN:00148
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/148
Reference: XF:sun-nisplus-bo(7535)
Reference: URL:http://www.iss.net/security_center/static/7535.php

Buffer overflow in nss_nisplus.so.1 library in NIS+ in Solaris 2.3 and 2.4 allows local users to gain root privileges.

======================================================
Name: CVE-1999-1420
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:212
Reference: URL:http://www.securityfocus.com/bid/212
Reference: BUGTRAQ:19980720 N-Base Vulnerability Advisory
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526016&w=2
Reference: BUGTRAQ:19980722 N-Base Vulnerability Advisory Followup
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526065&w=2

NBase switches NH2012, NH2012R, NH2015, and NH2048 have a back door password that cannot be disabled, which allows remote attackers to modify the switch's configuration.

Current Votes:
   ACCEPT(1) Cole
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1421
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:212
Reference: URL:http://www.securityfocus.com/bid/212
Reference: BUGTRAQ:19980720 N-Base Vulnerability Advisory
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526016&w=2
Reference: BUGTRAQ:19980722 N-Base Vulnerability Advisory Followup
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526065&w=2

NBase switches NH208 and NH215 run a TFTP server which allows remote attackers to send software updates to modify the switch or cause a denial of service (crash) by guessing the target filenames, which have default names.
Current Votes:
   ACCEPT(2) Cole, Foat
   NOOP(1) Wall

======================================================
Name: CVE-1999-1422
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:211
Reference: URL:http://www.securityfocus.com/bid/211
Reference: BUGTRAQ:19990102 PATH variable in zip-slackware 2.0.35
Reference: URL:http://marc.info/?l=bugtraq&m=91540043023167&w=2

The default configuration of Slackware 3.4, and possibly other versions, includes . (dot, the current directory) in the PATH environmental variable, which could allow local users to create Trojan horse programs that are inadvertently executed by other users.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:linux-path-execute-commands(7561)

======================================================
Name: CVE-1999-1423
Status: Entry
Reference: BID:209
Reference: URL:http://www.securityfocus.com/bid/209
Reference: BUGTRAQ:19970626 Solaris Ping bug (DoS)
Reference: URL:http://marc.info/?l=bugtraq&m=87602558319160&w=2
Reference: BUGTRAQ:19970627 SUMMARY: Solaris Ping bug (DoS)
Reference: URL:http://marc.info/?l=bugtraq&m=87602558319171&w=2
Reference: BUGTRAQ:19970627 Solaris Ping bug(inetsvc)
Reference: URL:http://marc.info/?l=bugtraq&m=87602558319181&w=2
Reference: BUGTRAQ:19971005 Solaris Ping Bug and other [bc] oddities
Reference: URL:http://marc.info/?l=bugtraq&m=87602558319180&w=2
Reference: SUN:00146
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/146
Reference: XF:ping-multicast-loopback-dos(7492)
Reference: URL:http://www.iss.net/security_center/static/7492.php

ping in Solaris 2.3 through 2.6 allows local users to cause a denial of service (crash) via a ping request to a multicast address through the loopback interface, e.g. via ping -i.
======================================================
Name: CVE-1999-1424
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145

Solaris Solstice AdminSuite (AdminSuite) 2.1 uses unsafe permissions when adding new users to the NIS+ password table, which allows local users to gain root access by modifying their password table entries.

Current Votes:
   ACCEPT(4) Cole, Dik, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:solaris-adminsuite-nisplus-password(7467)
 Dik> sun bug:1237225

======================================================
Name: CVE-1999-1425
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145

Solaris Solstice AdminSuite (AdminSuite) 2.1 incorrectly sets write permissions on source files for NIS maps, which could allow local users to gain privileges by modifying /etc/passwd.

Current Votes:
   ACCEPT(4) Cole, Dik, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:solaris-adminsuite-password-map-permissions(7468)
 Dik> 1236787

======================================================
Name: CVE-1999-1426
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145

Solaris Solstice AdminSuite (AdminSuite) 2.1 follows symbolic links when updating an NIS database, which allows local users to overwrite arbitrary files.
Current Votes:
   ACCEPT(4) Cole, Dik, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:solaris-adminsuite-symlink(7469)
 Dik> sun bug: 1262888

======================================================
Name: CVE-1999-1427
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145

Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 create lock files insecurely, which allows local users to gain root privileges.

Current Votes:
   ACCEPT(4) Cole, Dik, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:solaris-adminsuite-lock-file(7470)
 Dik> sun bug: 1262888

======================================================
Name: CVE-1999-1428
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145

Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 allows local users to gain privileges via the save option in the Database Manager, which is running with setgid bin privileges.

Current Votes:
   ACCEPT(4) Cole, Dik, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:solaris-adminsuite-database-manager(7471)
 Dik> sun bug: 4005611

======================================================
Name: CVE-1999-1429
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:204
Reference: URL:http://www.securityfocus.com/bid/204
Reference: BUGTRAQ:19980105 Security flaw in either DIT TransferPro or Solaris
Reference: URL:http://marc.info/?l=bugtraq&m=88419633507543&w=2

DIT TransferPro installs devices with world-readable and world-writable permissions, which could allow local users to damage disks through the ff device driver.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:transferpro-devices-insecure-permissions(7305)

======================================================
Name: CVE-1999-1430
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:185
Reference: URL:http://www.securityfocus.com/bid/185
Reference: BUGTRAQ:19990102 security problem with Royal daVinci
Reference: URL:http://marc.info/?l=bugtraq&m=91540043723185&w=2

PIM software for Royal daVinci does not properly password-protect access to data stored in the .mdb (Microsoft Access) file, which allows local users to read the data without a password by directly accessing the files with a different application, such as Access.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:davinci-pim-access-information(7562)

======================================================
Name: CVE-1999-1431
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:181
Reference: URL:http://www.securityfocus.com/bid/181
Reference: NTBUGTRAQ:19990107 WinNT, ZAK and Office 97
Reference: URL:http://marc.info/?l=ntbugtraq&m=91576100022688&w=2
Reference: NTBUGTRAQ:19990109 WinNT, ZAK and Office 97
Reference: URL:http://marc.info/?l=ntbugtraq&m=91606260910008&w=2

ZAK in Appstation mode allows users to bypass the "Run only allowed apps" policy by starting Explorer from Office 97 applications (such as Word), installing software into the TEMP directory, and changing the name to that for an allowed application, such as Winword.exe.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:zak-bypass-restrictions(7563)

======================================================
Name: CVE-1999-1432
Status: Entry
Reference: BID:160
Reference: URL:http://www.securityfocus.com/bid/160
Reference: BUGTRAQ:19980716 Security risk with powermanagemnet on Solaris 2.6
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525997&w=2
Reference: SUNBUG:4024179

Power management (Powermanagement) on Solaris 2.4 through 2.6 does not start the xlock process until after the sys-suspend has completed, which allows an attacker with physical access to input characters to the last active application from the keyboard for a short period after the system is restoring, which could lead to increased privileges.

======================================================
Name: CVE-1999-1433
Status: Entry
Reference: BID:157
Reference: URL:http://www.securityfocus.com/bid/157
Reference: BUGTRAQ:19980715 JetAdmin software
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525988&w=2
Reference: BUGTRAQ:19980722 Re: JetAdmin software
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526067&w=2

HP JetAdmin D.01.09 on Solaris allows local users to change the permissions of arbitrary files via a symlink attack on the /tmp/jetadmin.log file.

======================================================
Name: CVE-1999-1434
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:155
Reference: URL:http://www.securityfocus.com/bid/155
Reference: BUGTRAQ:19980713 Slackware Shadow Insecurity
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525951&w=2

login in Slackware Linux 3.2 through 3.5 does not properly check for an error when the /etc/group file is missing, which prevents it from dropping privileges, causing it to assign root privileges to any local user who logs on to the server.
Current Votes:
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1435
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:154
Reference: URL:http://www.securityfocus.com/bid/154
Reference: BUGTRAQ:19980710 socks5 1.0r5 buffer overflow..
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525933&w=2

Buffer overflow in libsocks5 library of Socks 5 (socks5) 1.0r5 allows local users to gain privileges via long environmental variables.

Current Votes:
   ACCEPT(1) Cole
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1436
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:152
Reference: URL:http://www.securityfocus.com/bid/152
Reference: BUGTRAQ:19980708 WWW Authorization Gateway
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525905&w=2

Ray Chan WWW Authorization Gateway 0.1 CGI program allows remote attackers to execute arbitrary commands via shell metacharacters in the "user" parameter.

Current Votes:
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1437
Status: Entry
Reference: BID:151
Reference: URL:http://www.securityfocus.com/bid/151
Reference: BUGTRAQ:19980707 ePerl: bad handling of ISINDEX queries
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525890&w=2
Reference: BUGTRAQ:19980710 ePerl Security Update Available
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525927&w=2

ePerl 2.2.12 allows remote attackers to read arbitrary files and possibly execute certain commands by specifying a full pathname of the target file as an argument to bar.phtml.
======================================================
Name: CVE-1999-1438
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:15
Reference: URL:http://www.securityfocus.com/bid/15
Reference: CERT:CA-1991-01
Reference: URL:http://www.cert.org/advisories/CA-91.01a.SunOS.mail.vulnerability
Reference: SUN:00105
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/105

Vulnerability in /bin/mail in SunOS 4.1.1 and earlier allows local users to gain root privileges via certain command line arguments.

Current Votes:
   ACCEPT(4) Cole, Dik, Foat, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Frech> XF:bsd-binmail(515)
 Dik> sun bug: 1047340
 Christey> Is there overlap between CVE-1999-1415 and CVE-1999-1438?
   Both CERT advisories are vague.

======================================================
Name: CVE-1999-1439
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:146
Reference: URL:http://www.securityfocus.com/bid/146
Reference: BUGTRAQ:19980102 Symlink bug with GCC 2.7.2
Reference: URL:http://marc.info/?l=bugtraq&m=88419592307388&w=2
Reference: BUGTRAQ:19980108 GCC Exploit
Reference: URL:http://marc.info/?l=bugtraq&m=88524071002939&w=2
Reference: BUGTRAQ:19980115 GCC 2.7.? /tmp files
Reference: URL:http://marc.info/?l=bugtraq&m=88492937727193&w=2

gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.
Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:gnu-gcc-tmp-symlink(7338)

======================================================
Name: CVE-1999-1440
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:132
Reference: URL:http://www.securityfocus.com/bid/132
Reference: BUGTRAQ:19990101 Win32 ICQ 98a flaw
Reference: URL:http://marc.info/?l=bugtraq&m=91522424302962&w=2

Win32 ICQ 98a 1.30, and possibly other versions, does not display the entire portion of long filenames, which could allow attackers to send an executable file with a long name that contains so many spaces that the .exe extension is not displayed, which could make the user believe that the file is safe to open from the client.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:icq-long-filename(7564)

======================================================
Name: CVE-1999-1441
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:111
Reference: URL:http://www.securityfocus.com/bid/111
Reference: BUGTRAQ:19980630 Serious Linux 2.0.34 security problem
Reference: URL:http://marc.info/?l=bugtraq&m=90221103126047&w=2

Linux 2.0.34 does not properly prevent users from sending SIGIO signals to arbitrary processes, which allows local users to cause a denial of service by sending SIGIO to processes that do not catch it.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:linux-sigio-dos(7339)

======================================================
Name: CVE-1999-1442
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:105
Reference: URL:http://www.securityfocus.com/bid/105
Reference: MISC:http://uwsg.iu.edu/hypermail/linux/kernel/9805.3/0855.html
Reference: MISC:http://www.cs.helsinki.fi/linux/linux-kernel/Year-1998/1998-25/0816.html

Bug in AMD K6 processor on Linux 2.0.x and 2.1.x kernels allows local users to cause a denial of service (crash) via a particular sequence of instructions, possibly related to accessing addresses outside of segments.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:linux-k6-dos(7340)

======================================================
Name: CVE-1999-1443
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:103
Reference: URL:http://www.securityfocus.com/bid/103
Reference: BUGTRAQ:19980602 Full Armor.... Fool Proof etc... bugs
Reference: URL:http://marc.info/?l=bugtraq&m=90221103125889&w=2
Reference: BUGTRAQ:19980609 Full Armor
Reference: URL:http://marc.info/?l=bugtraq&m=90221103125869&w=2

Micah Software Full Armor Network Configurator and Zero Administration allow local users with physical access to bypass the desktop protection by (1) using <CTRL><ALT><DEL> and killing the process using the task manager, (2) booting the system from a separate disk, or (3) interrupting certain processes that execute while the system is booting.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:full-armor-protection-bypass(7341)

======================================================
Name: CVE-1999-1444
Status: Candidate
Phase: Proposed(20010912)
Reference: MISC:http://catless.ncl.ac.uk/Risks/20.41.html#subj4

genkey utility in Alibaba 2.0 generates RSA key pairs with an exponent of 1, which results in transactions that are sent in cleartext.
Current Votes:
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Frech

Voter Comments:
 Frech> (Task 2290)

======================================================
Name: CVE-1999-1445
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980202 imapd/ipop3d coredump in slackware 3.4
Reference: URL:http://marc.info/?l=bugtraq&m=88637951600184&w=2

Vulnerability in imapd and ipop3d in Slackware 3.4 and 3.3 with shadowing enabled, and possibly other operating systems, allows remote attackers to cause a core dump via a short sequence of USER and PASS commands that do not provide valid usernames or passwords.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:linux-imapd-ipop3d-dos(7345)

======================================================
Name: CVE-1999-1446
Status: Candidate
Phase: Proposed(20010912)
Reference: NTBUGTRAQ:19970805 Re: Strange behavior regarding directory
Reference: URL:http://marc.info/?l=ntbugtraq&m=87602837719654&w=2
Reference: NTBUGTRAQ:19970806 Re: Strange behavior regarding directory
Reference: URL:http://marc.info/?l=ntbugtraq&m=87602837719655&w=2

Internet Explorer 3 records a history of all URL's that are visited by a user in DAT files located in the Temporary Internet Files and History folders, which are not cleared when the user selects the "Clear History" option, and are not visible when the user browses the folders because of tailored displays.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:http-ie-record(524)
   In description, URL's should be URLs.
======================================================
Name: CVE-1999-1447
Status: Candidate
Phase: Modified(20020218)
Reference: BUGTRAQ:19980728 Object tag crashes Internet Explorer 4.0
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526169&w=2
Reference: BUGTRAQ:19980730 Re: Object tag crashes Internet Explorer 4.0
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526188&w=2

Internet Explorer 4.0 allows remote attackers to cause a denial of service (crash) via HTML code that contains a long CLASSID parameter in an OBJECT tag.

Current Votes:
   ACCEPT(2) Cole, Wall
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> BUGTRAQ:19980730 Re: Object tag crashes Internet Explorer 4.0
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526188&w=2

======================================================
Name: CVE-1999-1448
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19980729 Eudora exploit (was Microsoft Security Bulletin (MS98-008))
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526168&w=2

Eudora and Eudora Light before 3.05 allows remote attackers to cause a crash and corrupt the user's mailbox via an e-mail message with certain dates, such as (1) dates before 1970, which cause a Divide By Zero error, or (2) dates that are 100 years after the current date, which causes a segmentation fault.

Current Votes:
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1449
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970519 /dev/tcx0 crashes SunOS 4.1.4 on Sparc 20's
Reference: URL:http://oamk.fi/~jukkao/bugtraq/before-971202/0498.html
Reference: MISC:http://www.insecure.org/sploits/sunos.dev.tcx0.write.wierd.shit.to.device.bug.html

SunOS 4.1.4 on a Sparc 20 machine allows local users to cause a denial of service (kernel panic) by reading from the /dev/tcx0 TCX device.
Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:sun-tcx-dos(7197)

======================================================
Name: CVE-1999-1450
Status: Candidate
Phase: Proposed(20010912)
Reference: SCO:SB-99.03b
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.03b
Reference: SCO:SB-99.06b
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.06b
Reference: SCO:SSE020
Reference: URL:ftp://ftp.sco.COM/SSE/sse020.ltr
Reference: SCO:SSE023

Vulnerability in (1) rlogin daemon rshd and (2) scheme on SCO UNIX OpenServer 5.0.5 and earlier, and SCO UnixWare 7.0.1 and earlier, allows remote attackers to gain privileges.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:sco-rshd(7466)
   Correct URLs are listed below:
   Reference: SCO:SSE020
   Reference: URL:ftp://stage.caldera.com/pub/security/sse/sse020/sse020.ltr
   Reference: SCO:SSE023
   Reference: URL:ftp://stage.caldera.com/pub/security/sse/sse023/sse023.ltr

======================================================
Name: CVE-1999-1451
Status: Candidate
Phase: Proposed(20010912)
Reference: MS:MS99-013
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-013
Reference: MSKB:Q231368
Reference: URL:http://support.microsoft.com/support/kb/articles/q231/3/68.asp
Reference: XF:iis-samples-winmsdp(3271)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3271

The Winmsdp.exe sample file in IIS 4.0 and Site Server 3.0 allows remote attackers to read arbitrary files.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Wall

======================================================
Name: CVE-1999-1452
Status: Entry
Reference: BID:198
Reference: URL:http://www.securityfocus.com/bid/198
Reference: BUGTRAQ:19990129 ole objects in a "secured" environment?
Reference: URL:http://marc.info/?l=bugtraq&m=91788829326419&w=2
Reference: MSKB:Q214802
Reference: URL:http://support.microsoft.com/support/kb/articles/q214/8/02.asp
Reference: NTBUGTRAQ:19990129 ole objects in a "secured" environment?
Reference: URL:http://marc.info/?l=ntbugtraq&m=91764169410814&w=2
Reference: NTBUGTRAQ:19990205 Alert: MS releases GINA-fix for SP3, SP4, and TS
Reference: URL:http://marc.info/?l=ntbugtraq&m=91822011021558&w=2
Reference: XF:nt-gina-clipboard(1975)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1975

GINA in Windows NT 4.0 allows attackers with physical access to display a portion of the clipboard of the user who has locked the workstation by pasting (CTRL-V) the contents into the username prompt.

======================================================
Name: CVE-1999-1453
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:215
Reference: URL:http://www.securityfocus.com/bid/215
Reference: NTBUGTRAQ:19990222 New IE4 vulnerability : the clipboard again.
Reference: URL:http://marc.info/?l=ntbugtraq&m=91979439932341&w=2

Internet Explorer 4 allows remote attackers (malicious web site operators) to read the contents of the clipboard via the Internet WebBrowser ActiveX object.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:webbrowser-activex-view-clipboard(7565)
   REMOVE:http://www.securityfocus.com/bid/215
   This reference deals with the Forms vulnerability only.

======================================================
Name: CVE-1999-1454
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19991004 Weakness In "The Matrix" Screensaver For Windows
Reference: URL:http://marc.info/?l=bugtraq&m=93915027622690&w=2

Macromedia "The Matrix" screen saver on Windows 95 with the "Password protected" option enabled allows attackers with physical access to the machine to bypass the password prompt by pressing the ESC (Escape) key.
Current Votes:
   MODIFY(1) Frech
   NOOP(4) Christey, Cole, Foat, Wall

Voter Comments:
 Christey> Looks like there might have been a re-discovery, though the exploit is slightly different, and there is insufficient detail to be certain that this isn't for a different Matrix screen saver:
   BUGTRAQ:20010801 matrix screensvr(16 Bit CineMac Screen Saver Engine) - [input validation error?]
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99669949717618&w=2
   BID:3130
   URL:http://www.securityfocus.com/bid/3130
 Frech> XF:matrix-win95-password-bypass(8280)

======================================================
Name: CVE-1999-1455
Status: Entry
Reference: MSKB:Q158320
Reference: URL:http://support.microsoft.com/support/kb/articles/q158/3/20.asp
Reference: XF:nt-rshsvc-ale-bypass(7422)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7422

RSH service utility RSHSVC in Windows NT 3.5 through 4.0 does not properly restrict access as specified in the .Rhosts file when a user comes from an authorized host, which could allow unauthorized users to access the service by logging in from an authorized host.

======================================================
Name: CVE-1999-1456
Status: Entry
Reference: BUGTRAQ:19980819 thttpd 2.04 released (fwd)
Reference: URL:http://www.securityfocus.com/archive/1/10368
Reference: CONFIRM:http://www.acme.com/software/thttpd/thttpd.html#releasenotes
Reference: XF:thttpd-file-read(1809)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1809

thttpd HTTP server 2.03 and earlier allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename.
======================================================
Name: CVE-1999-1457
Status: Candidate
Phase: Proposed(20010912)
Reference: SUSE:19991116 thttpd
Reference: URL:http://www.novell.com/linux/security/advisories/suse_security_announce_30.html

Buffer overflow in thttpd HTTP server before 2.04-31 allows remote attackers to execute arbitrary commands via a long date string, which is not properly handled by the tdate_parse function.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   REJECT(1) Frech

======================================================
Name: CVE-1999-1458
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990125 Digital Unix 4.0 exploitable buffer overflows
Reference: URL:http://www.securityfocus.com/archive/1/12121
Reference: SCO:SSRT0583U
Reference: URL:http://ftp1.support.compaq.com/public/dunix/v4.0d/ssrt0583u.README
Reference: XF:du-at(3138)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3138

Buffer overflow in at program in Digital UNIX 4.0 allows local users to gain root privileges via a long command line argument.

Current Votes:
   ACCEPT(3) Cole, Foat, Frech
   NOOP(1) Stracener

======================================================
Name: CVE-1999-1459
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:534
Reference: URL:http://www.securityfocus.com/bid/534
Reference: ISS:19981102 BMC PATROL File Creation Vulnerability
Reference: URL:http://xforce.iss.net/alerts/advise10.php
Reference: XF:bmc-patrol-file-create(1388)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1388

BMC PATROL Agent before 3.2.07 allows local users to gain root privileges via a symlink attack on a temporary file.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(3) Christey, Foat, Wall

Voter Comments:
 Christey> The vendor has acknowledged this vulnerability via e-mail. It has been fixed.
   NOTE: despite the fact that this candidate has been acknowledged and fixed by the vendor, it is affected by the CVE content decision CD:SF-LOC. It cannot be accepted until the CD:SF-LOC guidelines have been finalized.

======================================================
Name: CVE-1999-1460
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:525
Reference: URL:http://www.securityfocus.com/bid/525
Reference: BUGTRAQ:19990713 Root Perms Gained with Patrol SNMP Agent 3.2 (all others?)
Reference: URL:http://marc.info/?l=bugtraq&m=93198293132463&w=2
Reference: BUGTRAQ:19990801 Re: Root Perms Gained with Patrol SNMP Agent 3.2 (all others?)
Reference: URL:http://marc.info/?l=bugtraq&m=93372579004129&w=2

BMC PATROL SNMP Agent before 3.2.07 allows local users to create arbitrary world-writeable files as root by specifying the target file as the second argument to the snmpmagt program.

Current Votes:
   MODIFY(1) Frech
   NOOP(4) Christey, Cole, Foat, Wall

Voter Comments:
 Frech> XF:patrol-snmp-file-creation(2347)
 Christey> The vendor has acknowledged this vulnerability via e-mail. It has been fixed.
   NOTE: despite the fact that this candidate has been acknowledged and fixed by the vendor, it is affected by the CVE content decision CD:SF-LOC. It cannot be accepted until the CD:SF-LOC guidelines have been finalized.

======================================================
Name: CVE-1999-1461
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:381
Reference: URL:http://www.securityfocus.com/bid/381
Reference: BUGTRAQ:19970507 Irix: misc
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420921&w=2
Reference: SGI:20001101-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20001101-01-I

inpview in InPerson on IRIX 5.3 through IRIX 6.5.10 trusts the PATH environmental variable to find and execute the ttsession program, which allows local users to obtain root access by modifying the PATH to point to a Trojan horse ttsession program.
Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   REJECT(1) Frech

Voter Comments:
 Frech> Possible conflict with CVE-2000-0799.

======================================================
Name: CVE-1999-1462
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:142
Reference: URL:http://www.securityfocus.com/bid/142
Reference: BUGTRAQ:19990426 FW: Security Notice: Big Brother 1.09b/c
Reference: URL:http://www.securityfocus.com/archive/1/13440
Reference: CONFIRM:http://bb4.com/README.CHANGES
Reference: XF:http-cgi-bigbrother-bbhist(3755)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3755

Vulnerability in bb-hist.sh CGI History module in Big Brother 1.09b and 1.09c allows remote attackers to read portions of arbitrary files.

Current Votes:
   ACCEPT(5) Armstrong, Cole, Foat, Frech, Stracener
   NOOP(1) Wall

======================================================
Name: CVE-1999-1463
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970710 A New Fragmentation Attack
Reference: URL:http://www.securityfocus.com/archive/1/7219
Reference: XF:nt-frag(528)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/528

Windows NT 4.0 before SP3 allows remote attackers to bypass firewall restrictions or cause a denial of service (crash) by sending improperly fragmented IP packets without the first fragment, which the TCP/IP stack incorrectly reassembles into a valid session.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(1) Foat

Voter Comments:
 Frech> This issue is also listed under CVE-1999-0226.
======================================================
Name: CVE-1999-1464
Status: Candidate
Phase: Proposed(20010912)
Reference: CIAC:J-016
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-016.shtml
Reference: CISCO:19981105 Cisco IOS DFS Access List Leakage
Reference: URL:http://www.cisco.com/warp/public/770/iosdfsacl-pub.shtml
Reference: XF:cisco-acl-leakage(1401)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1401

Vulnerability in Cisco IOS 11.1CC and 11.1CT with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled interface to an interface that does not have DFS enabled, as described by Cisco bug CSCdk35564.

Current Votes:
   ACCEPT(6) Armstrong, Balinsky, Cole, Foat, Frech, Stracener
   NOOP(1) Wall

======================================================
Name: CVE-1999-1465
Status: Candidate
Phase: Modified(20020228)
Reference: CIAC:J-016
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-016.shtml
Reference: CISCO:19981105 Cisco IOS DFS Access List Leakage
Reference: URL:http://www.cisco.com/warp/public/770/iosdfsacl-pub.shtml
Reference: XF:cisco-acl-leakage(1401)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1401

Vulnerability in Cisco IOS 11.1 through 11.3 with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled input interface to an output interface with a logical subinterface, as described by Cisco bug CSCdk43862.
Current Votes:
   ACCEPT(6) Armstrong, Balinsky, Cole, Foat, Frech, Stracener
   NOOP(1) Wall

======================================================
Name: CVE-1999-1466
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:53
Reference: URL:http://www.securityfocus.com/bid/53
Reference: CERT:CA-1992-20
Reference: URL:http://www.cert.org/advisories/CA-1992-20.html

Vulnerability in Cisco routers versions 8.2 through 9.1 allows remote attackers to bypass access control lists when extended IP access lists are used on certain interfaces, the IP route cache is enabled, and the access list uses the "established" keyword.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Frech> XF:cisco-acl-established(1248)
   Possible dupe with CVE-1999-0162.
 Christey> This is not a dupe with CVE-1999-0162. The Cisco advisory referenced in CVE-1999-0162 says that affected Cisco versions are 10.0 through 10.3. This CAN deals with versions 8.2 through 9.1. In addition, the date of release of CVE-1999-0162 is June 1995; this CAN was released December 1992. Both items include clear Cisco acknowledgement with details, so we should conclude that they are separate problems, despite the vagueness of the reports.

======================================================
Name: CVE-1999-1467
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:5
Reference: URL:http://www.securityfocus.com/bid/5
Reference: CERT:CA-1989-07
Reference: URL:http://www.cert.org/advisories/CA-1989-07.html
Reference: XF:sun-rcp(3165)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3165

Vulnerability in rcp on SunOS 4.0.x allows remote attackers from trusted hosts to execute arbitrary commands as root, possibly related to the configuration of the nobody user.
Current Votes:
   ACCEPT(5) Cole, Dik, Foat, Frech, Stracener
   NOOP(1) Wall

Voter Comments:
 Dik> sun bug: 1028958

======================================================
Name: CVE-1999-1468
Status: Entry
Reference: BID:31
Reference: URL:http://www.securityfocus.com/bid/31
Reference: CERT:CA-91.20
Reference: URL:http://www.cert.org/advisories/CA-91.20.rdist.vulnerability
Reference: MISC:http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-01.html
Reference: OSVDB:8106
Reference: URL:http://www.osvdb.org/8106
Reference: XF:rdist-popen-gain-privileges(7160)
Reference: URL:http://www.iss.net/security_center/static/7160.php

rdist in various UNIX systems uses popen to execute sendmail, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable.

======================================================
Name: CVE-1999-1469
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990930 mini-sql Buffer Overflow
Reference: URL:http://marc.info/?l=bugtraq&m=93871926821410&w=2

Buffer overflow in w3-auth CGI program in miniSQL package allows remote attackers to execute arbitrary commands via an HTTP request with (1) a long URL, or (2) a long User-Agent MIME header.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:msql-w3auth-bo(8301)

======================================================
Name: CVE-1999-1470
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:485
Reference: URL:http://www.securityfocus.com/bid/485
Reference: NTBUGTRAQ:19990624 Eastman Software Work Management 3.21
Reference: URL:http://marc.info/?l=ntbugtraq&m=93034788412494&w=2
Reference: XF:eastman-cleartext-passwords(2303)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2303

Eastman Work Management 3.21 stores passwords in cleartext in the COMMON and LOCATOR registry keys, which could allow local users to gain privileges.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1471
Status: Candidate
Phase: Modified(20020218)
Reference: BID:4
Reference: URL:http://www.securityfocus.com/bid/4
Reference: CERT:CA-1989-01
Reference: URL:http://www.cert.org/advisories/CA-1989-01.html
Reference: XF:bsd-passwd-bo(7152)
Reference: URL:http://www.iss.net/security_center/static/7152.php

Buffer overflow in passwd in BSD based operating systems 4.3 and earlier allows local users to gain root privileges by specifying a long shell or GECOS field.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:bsd-passwd-bo(7152)

======================================================
Name: CVE-1999-1472
Status: Entry
Reference: BUGTRAQ:19971017 Security Hole in Explorer 4.0
Reference: URL:http://marc.info/?l=bugtraq&m=87710897923098&w=2
Reference: CONFIRM:http://www.microsoft.com/Windows/ie/security/freiburg.asp
Reference: MISC:http://www.insecure.org/sploits/Internet_explorer_4.0.hack.html
Reference: MSKB:Q176697
Reference: URL:http://support.microsoft.com/support/kb/articles/q176/6/97.asp
Reference: MSKB:Q176794
Reference: URL:http://support.microsoft.com/support/kb/articles/q176/7/94.asp
Reference: OSVDB:7819
Reference: URL:http://www.osvdb.org/7819
Reference: XF:http-ie-spy(587)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/587

Internet Explorer 4.0 allows remote attackers to read arbitrary text and HTML files on the user's machine via a small IFRAME that uses Dynamic HTML (DHTML) to send the data to the attacker, aka the Freiburg text-viewing issue.
======================================================
Name: CVE-1999-1473
Status: Entry
Reference: MSKB:Q176697
Reference: URL:http://support.microsoft.com/support/kb/articles/q176/6/97.asp
Reference: OSVDB:7818
Reference: URL:http://www.osvdb.org/7818
Reference: XF:ie-page-redirect(7426)
Reference: URL:http://www.iss.net/security_center/static/7426.php

When a Web site redirects the browser to another site, Internet Explorer 3.02 and 4.0 automatically resends authentication information to the second site, aka the "Page Redirect Issue."

======================================================
Name: CVE-1999-1474
Status: Candidate
Phase: Proposed(20010912)
Reference: CONFIRM:http://www.microsoft.com/windows/ie/security/powerpoint.asp
Reference: XF:nt-ppt-patch(179)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/179

PowerPoint 95 and 97 allows remote attackers to cause an application to be run automatically without prompting the user, possibly through the slide show, when the document is opened in browsers such as Internet Explorer.

Current Votes:
   ACCEPT(6) Armstrong, Cole, Foat, Frech, Stracener, Wall

Voter Comments:
 Frech> Looks like CONFIRM URL is too old for Microsoft to keep (currently cached at http://www.google.com/search?q=cache:86loHcRhaL4:www.microsoft.com/ie/security/powerpoint.htm+%22PowerPoint+Browsing+Security+Issue%22&hl=en ). Same information is available at BugTraq at http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=6724

======================================================
Name: CVE-1999-1475
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:812
Reference: URL:http://www.securityfocus.com/bid/812
Reference: BUGTRAQ:19991119 ProFTPd - mod_sqlpw.c
Reference: URL:http://www.securityfocus.com/archive/1/35483

ProFTPd 1.2 compiled with the mod_sqlpw module records user passwords in the wtmp log file, which allows local users to obtain the passwords and gain privileges by reading wtmp, e.g. via the last command.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:proftpd-modsqlpw-insecure-passwords(8332)

======================================================
Name: CVE-1999-1476
Status: Entry
Reference: MSKB:Q163852
Reference: URL:http://support.microsoft.com/support/kb/articles/q163/8/52.asp
Reference: XF:pentium-crash(704)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/704

A bug in Intel Pentium processor (MMX and Overdrive) allows local users to cause a denial of service (hang) in Intel-based operating systems such as Windows NT and Windows 95, via an invalid instruction, aka the "Invalid Operand with Locked CMPXCHG8B Instruction" problem.

======================================================
Name: CVE-1999-1477
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:663
Reference: URL:http://www.securityfocus.com/bid/663
Reference: BUGTRAQ:19990923 Linux GNOME exploit
Reference: URL:http://www.securityfocus.com/archive/1/28717
Reference: XF:gnome-espeaker-local-bo(3349)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3349

Buffer overflow in GNOME libraries 1.0.8 allows a local user to gain root access via a long --espeaker argument in programs such as nethack.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1478
Status: Entry
Reference: BID:522
Reference: URL:http://www.securityfocus.com/bid/522
Reference: NTBUGTRAQ:19990706 Bug in SUN's Hotspot VM
Reference: URL:http://marc.info/?l=ntbugtraq&m=93138827429589&w=2
Reference: NTBUGTRAQ:19990716 FW: (Review ID: 85125) Hotspot crashes bringing down webserver
Reference: URL:http://marc.info/?l=ntbugtraq&m=93240220324183&w=2
Reference: XF:sun-hotspot-vm(2348)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2348

The Sun HotSpot Performance Engine VM allows a remote attacker to cause a denial of service on any server running HotSpot via a URL that includes the [ character.

======================================================
Name: CVE-1999-1479
Status: Candidate
Phase: Modified(20080304)
Reference: BID:2265
Reference: URL:http://www.securityfocus.com/bid/2265
Reference: BUGTRAQ:19980624 textcounter.pl SECURITY HOLE
Reference: URL:http://www.securityfocus.com/archive/1/9609
Reference: XF:http-cgi-textcounter(2052)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2052

The textcounter.pl by Matt Wright allows remote attackers to execute arbitrary commands via shell metacharacters.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1480
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:429
Reference: URL:http://www.securityfocus.com/bid/429

(1) acledit and (2) aclput in AIX 4.3 allow local users to create or modify files via a symlink attack.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:aix-acledit-aclput-symlink(7346)
   CONFIRM:APAR IX79139

======================================================
Name: CVE-1999-1481
Status: Entry
Reference: BID:741
Reference: URL:http://www.securityfocus.com/bid/741
Reference: BUGTRAQ:19991025 [squid] exploit for external authentication problem
Reference: URL:http://www.securityfocus.com/archive/1/33295
Reference: BUGTRAQ:19991103 [squid]exploit for external authentication problem
Reference: URL:http://www.securityfocus.com/archive/1/33295
Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.2/bugs/
Reference: XF:squid-proxy-auth-access(3433)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3433

Squid 2.2.STABLE5 and below, when using external authentication, allows attackers to bypass access controls via a newline in the user/password pair.

======================================================
Name: CVE-1999-1482
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990219 Security hole: "zgv"
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-02-15&msg=Pine.LNX.3.96.990219175605.9622A-100000@ferret.lmh.ox.ac.uk

SVGAlib zgv 3.0-7 and earlier allows local users to gain root access via a privilege leak of the iopl(3) privileges to child processes.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:zgv-privilege-leak(1798)

======================================================
Name: CVE-1999-1483
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970619 svgalib/zgv
Reference: URL:http://www.securityfocus.com/archive/1/7041

Buffer overflow in zgv in svgalib 1.2.10 and earlier allows local users to execute arbitrary code via a long HOME environment variable.
Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:linux-svgalib-dos(3412)

======================================================
Name: CVE-1999-1484
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:668
Reference: URL:http://www.securityfocus.com/bid/668
Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns
Reference: URL:http://www.securityfocus.com/archive/1/28719
Reference: XF:msn-setup-bbs-activex-bo(3310)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3310

Buffer overflow in MSN Setup BBS 4.71.0.10 ActiveX control (setupbbs.ocx) allows a remote attacker to execute arbitrary commands via the methods (1) vAddNewsServer or (2) bIsNewsServerConfigured.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1485
Status: Candidate
Phase: Modified(20060705)
Reference: BID:412
Reference: URL:http://www.securityfocus.com/bid/412
Reference: BUGTRAQ:19990531 IRIX 6.5 nsd virtual filesystem vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=92818552106912&w=2
Reference: OSVDB:8564
Reference: URL:http://www.osvdb.org/8564
Reference: XF:sgi-nsd-create(2247)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2247
Reference: XF:sgi-nsd-view(2246)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2246

nsd in IRIX 6.5 through 6.5.2 exports a virtual filesystem on a UDP port, which allows remote attackers to view files and cause a possible denial of service by mounting the nsd virtual file system.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1486
Status: Entry
Reference: AIXAPAR:IX75554
Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IX75554&apar=only
Reference: AIXAPAR:IX76330
Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IX76330&apar=only
Reference: AIXAPAR:IX76853
Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IX76853&apar=only
Reference: BID:408
Reference: URL:http://www.securityfocus.com/bid/408
Reference: CONFIRM:http://techsupport.services.ibm.com/aix/fixes/v4/os/bos.acct.4.3.1.0.info
Reference: XF:aix-sadc-timex(7675)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7675

sadc in IBM AIX 4.1 through 4.3, when called from programs such as timex that are setgid adm, allows local users to overwrite arbitrary files via a symlink attack.

======================================================
Name: CVE-1999-1487
Status: Candidate
Phase: Modified(20020218)
Reference: AIXAPAR:IX74599
Reference: URL:http://www-1.ibm.com/servlet/support/manager?rt=0&rs=0&org=apars&doc=41D8B61D1E1C4FAB852567C9002C546C
Reference: BID:405
Reference: URL:http://www.securityfocus.com/bid/405
Reference: XF:aix-digest(7477)
Reference: URL:http://www.iss.net/security_center/static/7477.php

Vulnerability in digest in AIX 4.3 allows printq users to gain root privileges by creating and/or modifying any file on the system.
Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:aix-digest(7477)

======================================================
Name: CVE-1999-1488
Status: Entry
Reference: BID:371
Reference: URL:http://www.securityfocus.com/bid/371
Reference: CIAC:I-079A
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-079a.shtml
Reference: XF:ibm-sdr-read-files(7217)
Reference: URL:http://www.iss.net/security_center/static/7217.php

sdrd daemon in IBM SP2 System Data Repository (SDR) allows remote attackers to read files without authentication.

======================================================
Name: CVE-1999-1489
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:364
Reference: URL:http://www.securityfocus.com/bid/364
Reference: BUGTRAQ:19970304 Linux SuperProbe exploit
Reference: URL:http://www.securityfocus.com/archive/1/6384

Buffer overflow in TestChip function in XFree86 SuperProbe in Slackware Linux 3.1 allows local users to gain root privileges via a long -nopr argument.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:xfree86-superprobe-testchip-bo(7198)

======================================================
Name: CVE-1999-1490
Status: Entry
Reference: BID:362
Reference: URL:http://www.securityfocus.com/bid/362
Reference: BUGTRAQ:19980528 ALERT: Tiresome security hole in "xosview", RedHat5.1?
Reference: URL:http://marc.info/?l=bugtraq&m=90221101926021&w=2
Reference: BUGTRAQ:19980529 Re: Tiresome security hole in "xosview" (xosexp.c)
Reference: URL:http://marc.info/?l=bugtraq&m=90221101926034&w=2
Reference: XF:linux-xosview-bo(8787)
Reference: URL:http://www.iss.net/security_center/static/8787.php

xosview 1.5.1 in Red Hat 5.1 allows local users to gain root access via a long HOME environmental variable.
======================================================
Name: CVE-1999-1491
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:354
Reference: URL:http://www.securityfocus.com/bid/354
Reference: BUGTRAQ:19960202 abuse Red Hat 2.1 security hole
Reference: URL:http://marc.info/?l=bugtraq&m=87602167418994&w=2

abuse.console in Red Hat 2.1 uses relative pathnames to find and execute the undrv program, which allows local users to execute arbitrary commands via a path that points to a Trojan horse program.

Current Votes:
   ACCEPT(1) Cole
   NOOP(1) Foat

======================================================
Name: CVE-1999-1492
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:348
Reference: URL:http://www.securityfocus.com/bid/348
Reference: SGI:19980502-01-P3030
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980502-01-P3030
Reference: XF:sgi-diskalign(2104)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2104
Reference: XF:sgi-diskperf(2103)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2103

Vulnerability in (1) diskperf and (2) diskalign in IRIX 6.4 allows a local attacker to create arbitrary root-owned files, leading to root privileges.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener

======================================================
Name: CVE-1999-1493
Status: Candidate
Phase: Modified(20020308)
Reference: BID:34
Reference: URL:http://www.securityfocus.com/bid/34
Reference: CERT:CA-1991-23
Reference: URL:http://www.cert.org/advisories/CA-1991-23.html
Reference: XF:apollo-crp-root-access(7158)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7158

Vulnerability in crp in Hewlett Packard Apollo Domain OS SR10 through SR10.3 allows remote attackers to gain root privileges via insecure system calls, (1) pad_$dm_cmd and (2) pad_$def_pfk().
Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:apollo-crp-root-access(7158)

======================================================
Name: CVE-1999-1494
Status: Entry
Reference: BID:336
Reference: URL:http://www.securityfocus.com/bid/336
Reference: BUGTRAQ:19940809 Re: IRIX 5.2 Security Advisory
Reference: URL:http://www.securityfocus.com/archive/1/675
Reference: BUGTRAQ:19950307 sigh. another Irix 5.2 hole.
Reference: URL:http://www.tryc.on.ca/archives/bugtraq/1995_1/0614.html
Reference: SGI:19950209-00-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19950209-01-P
Reference: XF:sgi-colorview(2112)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2112

colorview in Silicon Graphics IRIX 5.1, 5.2, and 6.0 allows local attackers to read arbitrary files via the -text argument.

======================================================
Name: CVE-1999-1495
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:325
Reference: URL:http://www.securityfocus.com/bid/325
Reference: BUGTRAQ:19990218 xtvscreen and suse 6
Reference: URL:http://www.securityfocus.com/archive/1/12580
Reference: XF:xtvscreen-overwrite(1792)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1792

xtvscreen in SuSE Linux 6.0 allows local users to overwrite arbitrary files via a symlink attack on the pic000.pnm file.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1496
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:321
Reference: URL:http://www.securityfocus.com/bid/321
Reference: BUGTRAQ:19990608 unneeded information in sudo
Reference: URL:http://www.securityfocus.com/archive/1/14665
Reference: XF:sudo-file-exists(2277)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2277

Sudo 1.5 in Debian Linux 2.1 and Red Hat 6.0 allows local users to determine the existence of arbitrary files by attempting to execute the target filename as a program, which generates a different error message when the file does not exist.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1497
Status: Candidate
Phase: Modified(20070122)
Reference: BID:880
Reference: URL:http://www.securityfocus.com/bid/880
Reference: BUGTRAQ:19991221 [w00giving '99 #11] IMail's password encryption scheme
Reference: URL:http://www.securityfocus.com/archive/1/39329

Ipswitch IMail 5.0 and 6.0 uses weak encryption to store passwords in registry keys, which allows local attackers to read passwords for e-mail accounts.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:imail-passwords(1901)
   May be the same as CVE-2000-0019 on a different level of abstraction.

======================================================
Name: CVE-1999-1498
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:82
Reference: URL:http://www.securityfocus.com/bid/82
Reference: BUGTRAQ:19980406 insecure tmp file creation

Slackware Linux 3.4 pkgtool allows local attacker to read and write to arbitrary files via a symlink attack on the reply file.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:linux-pkgtool-reply-symlink(7347)

======================================================
Name: CVE-1999-1499
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:80
Reference: URL:http://www.securityfocus.com/bid/80
Reference: BUGTRAQ:19980410 BIND 4.9.7 named follows symlinks, clobbers anything
Reference: URL:http://www.securityfocus.com/archive/1/8966

named in ISC BIND 4.9 and 8.1 allows local users to destroy files via a symlink attack on (1) named_dump.db when root kills the process with a SIGINT, or (2) named.stats when SIGIOT is used.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Wall
   REJECT(1) Foat

Voter Comments:
 Foat> The files get written to /var/named, to which the user does not have write access.
 Frech> XF:bind-sigint-sigiot-symlink(7366)

======================================================
Name: CVE-1999-1500
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:733
Reference: URL:http://www.securityfocus.com/bid/733
Reference: NTBUGTRAQ:19991001 Vulnerabilities in the Internet Anywhere Mail Server
Reference: URL:http://marc.info/?l=ntbugtraq&m=93880357530599&w=2

Internet Anywhere POP3 Mail Server 2.3.1 allows remote attackers to cause a denial of service (crash) via (1) LIST, (2) TOP, or (3) UIDL commands using letters as arguments.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:iams-pop3-command-dos(3283)

======================================================
Name: CVE-1999-1501
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:70
Reference: URL:http://www.securityfocus.com/bid/70
Reference: BID:71
Reference: URL:http://www.securityfocus.com/bid/71
Reference: BUGTRAQ:19980408 SGI O2 ipx security issue
Reference: URL:http://marc.info/?l=bugtraq&m=89217373930054&w=2

(1) ipxchk and (2) ipxlink in SGI OS2 IRIX 6.3 does not properly clear the IFS environmental variable before executing system calls, which allows local users to execute arbitrary commands.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall
   REJECT(1) Christey

Voter Comments:
 Frech> XF:irix-ipxchk-ipxlink-ifs-commands(7365)
 Christey> DUPE CVE-1999-1040

======================================================
Name: CVE-1999-1502
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:68
Reference: URL:http://www.securityfocus.com/bid/68
Reference: BID:69
Reference: URL:http://www.securityfocus.com/bid/69
Reference: BUGTRAQ:19980408 QuakeI client: serious holes.
Reference: URL:http://marc.info/?l=bugtraq&m=89205623028934&w=2

Buffer overflows in Quake 1.9 client allows remote malicious servers to execute arbitrary commands via long (1) precache paths, (2) server name, (3) server address, or (4) argument to the map console command.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:quake-precache-bo(7358)
   XF:quake-server-address-bo(7359)
   XF:quake-map-argument-bo(7360)

======================================================
Name: CVE-1999-1503
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:63
Reference: URL:http://www.securityfocus.com/bid/63

Network Flight Recorder (NFR) 1.5 and 1.6 allows remote attackers to cause a denial of service in nfrd (crash) via a TCP packet with a null header and data field.
Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:nfr-tcp-packet-dos(7357)

======================================================
Name: CVE-1999-1504
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:62
Reference: URL:http://www.securityfocus.com/bid/62
Reference: BUGTRAQ:19980408 Re: AppleShare IP Mail Server
Reference: URL:http://www.securityfocus.com/archive/1/8951

Stalker Internet Mail Server 1.6 allows a remote attacker to cause a denial of service (crash) via a long HELO command.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:smtp-helo-bo(886)

======================================================
Name: CVE-1999-1505
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:60
Reference: URL:http://www.securityfocus.com/bid/60
Reference: BUGTRAQ:19980407 QW vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=89200537415923&w=2

Buffer overflow in QuakeWorld 2.10 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary commands via a long initial connect packet.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:quakeworld-connect-bo(7356)

======================================================
Name: CVE-1999-1506
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:6
Reference: URL:http://www.securityfocus.com/bid/6
Reference: CERT:CA-1990-01
Reference: URL:http://www.cert.org/advisories/CA-90.01.sun.sendmail.vulnerability

Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3, allows remote attackers to access user bin.
Current Votes:
   ACCEPT(3) Cole, Dik, Stracener
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:sunos-sendmail-bin-access(7161)
 Dik> sun bug 1028173
 CHANGE> [Foat changed vote from ACCEPT to NOOP]

======================================================
Name: CVE-1999-1507
Status: Entry
Reference: BID:59
Reference: URL:http://www.securityfocus.com/bid/59
Reference: CERT:CA-1993-03
Reference: URL:http://www.cert.org/advisories/CA-1993-03.html
Reference: XF:sun-dir(521)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/521

Sun SunOS 4.1 through 4.1.3 allows local attackers to gain root access via insecure permissions on files and directories such as crash.

======================================================
Name: CVE-1999-1508
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:806
Reference: URL:http://www.securityfocus.com/bid/806
Reference: BUGTRAQ:19991116 [Fwd: Printer Vulnerability: Tektronix PhaserLink Webserver gives Administrator Password]
Reference: URL:http://marc.info/?l=bugtraq&m=94286041430870&w=2

Web server in Tektronix PhaserLink Printer 840.0 and earlier allows a remote attacker to gain administrator access by directly calling undocumented URLs such as ncl_items.html and ncl_subjects.html.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:tektronix-phaserlink-webserver-backdoor(6482)
   Possible dupe with CVE-2001-0484 and BID-2659.
 Christey> CVE-2001-0484 may be a duplicate.
======================================================
Name: CVE-1999-1509
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:773
Reference: URL:http://www.securityfocus.com/bid/773
Reference: BUGTRAQ:19991104 Eserv 2.50 Web interface Server Directory Traversal Vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=94183041514522&w=2
Reference: NTBUGTRAQ:19991104 Eserv 2.50 Web interface Server Directory Traversal Vulnerability
Reference: URL:http://marc.info/?l=ntbugtraq&m=94177470915423&w=2
Reference: XF:eserv-fileread

Directory traversal vulnerability in Etype Eserv 2.50 web server allows a remote attacker to read any file in the file system via a .. (dot dot) in a URL.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> Normalize XF:eserv-fileread(3449)
   Normalize URL:http://xforce.iss.net/static/3449.php

======================================================
Name: CVE-1999-1510
Status: Candidate
Phase: Proposed(20010912)
Reference: NTBUGTRAQ:19990517 Vulnerabilities in BisonWare FTP Server 3.5
Reference: URL:http://marc.info/?l=ntbugtraq&m=92697301706956&w=2
Reference: XF:bisonware-command-bo(3234)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3234

Buffer overflows in Bisonware FTP server prior to 4.1 allow remote attackers to cause a denial of service, and possibly execute arbitrary commands, via long (1) USER, (2) LIST, or (3) CWD commands.
Current Votes:
   ACCEPT(3) Cole, Foat, Frech
   NOOP(1) Wall

======================================================
Name: CVE-1999-1511
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:791
Reference: URL:http://www.securityfocus.com/bid/791
Reference: BUGTRAQ:19991110 Multiples Remotes DoS Attacks in Artisoft XtraMail v1.11 Vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=94226003804744&w=2
Reference: XF:xtramail-pass-dos(3488)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3488

Buffer overflows in Xtramail 1.11 allow attackers to cause a denial of service (crash) and possibly execute arbitrary commands via (1) a long PASS command in the POP3 service, (2) a long HELO command in the SMTP service, or (3) a long user name in the Control Service.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1512
Status: Entry
Reference: BID:527
Reference: URL:http://www.securityfocus.com/bid/527
Reference: BUGTRAQ:19990716 AMaViS virus scanner for Linux - root exploit
Reference: URL:http://marc.info/?l=bugtraq&m=93219846414732&w=2
Reference: CONFIRM:http://www.amavis.org/ChangeLog.txt
Reference: XF:amavis-command-execute(2349)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2349

The AMaViS virus scanner 0.2.0-pre4 and earlier allows remote attackers to execute arbitrary commands as root via an infected mail message with shell metacharacters in the reply-to field.
======================================================
Name: CVE-1999-1513
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990830 One more 3Com SNMP vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=93616983223090&w=2

Management information base (MIB) for a 3Com SuperStack II hub running software version 2.10 contains an object identifier (.1.3.6.1.4.1.43.10.4.2) that is accessible by a read-only community string, but lists the entire table of community strings, which could allow attackers to conduct unauthorized activities.

Current Votes:
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Frech

Voter Comments:
 Frech> (ACCEPT; Task 2355)

======================================================
Name: CVE-1999-1514
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:749
Reference: URL:http://www.securityfocus.com/bid/749
Reference: BUGTRAQ:19990729 ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=94121377716133&w=2
Reference: NTBUGTRAQ:19990729 ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability
Reference: URL:http://marc.info/?l=ntbugtraq&m=94130292519646&w=2
Reference: XF:expressfs-command-bo(3401)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3401

Buffer overflow in Celtech ExpressFS FTP server 2.x allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long USER command.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> BugTraq reference date seems to be 19991029; see http://online.securityfocus.com/archive/1/33123

======================================================
Name: CVE-1999-1515
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:613
Reference: URL:http://www.securityfocus.com/bid/613
Reference: XF:tfs-gateway-dos(3290)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3290

A non-default configuration in TenFour TFS Gateway 4.0 allows an attacker to cause a denial of service via messages with incorrect sender and recipient addresses, which causes the gateway to continuously try to return the message every 10 seconds.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1516
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990902 [SECURITY] TenFour TFS SMTP 3.2 Buffer Overflow
Reference: URL:http://marc.info/?l=bugtraq&m=93677241318492&w=2

A buffer overflow in TenFour TFS Gateway SMTP mail server 3.2 allows an attacker to crash the mail server and possibly execute arbitrary code by offering more than 128 bytes in a MAIL FROM string.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:tfs-gateway-dos(3290)

======================================================
Name: CVE-1999-1517
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:750
Reference: URL:http://www.securityfocus.com/bid/750
Reference: BUGTRAQ:19991101 Amanda multiple vendor local root compromises
Reference: URL:http://marc.info/?l=bugtraq&m=94148942818975&w=2

runtar in the Amanda backup system used in various UNIX operating systems executes tar with root privileges, which allows a user to overwrite or read arbitrary files by providing the target files to runtar.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:amanda-runtar(3402)

======================================================
Name: CVE-1999-1518
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:526
Reference: URL:http://www.securityfocus.com/bid/526
Reference: BUGTRAQ:19990715 Shared memory DoS's
Reference: URL:http://marc.info/?l=bugtraq&m=93207728118694&w=2
Reference: XF:bsd-shared-memory-dos(2351)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2351

Operating systems with shared memory implementations based on BSD 4.4 code allow a user to conduct a denial of service and bypass memory limits (e.g., as specified with rlimits) using mmap or shmget to allocate memory and cause page faults.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1519
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:805
Reference: URL:http://www.securityfocus.com/bid/805
Reference: BUGTRAQ:19991117 Remote D.o.S Attack in G6 FTP Server v2.0 (beta 4/5) Vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=94286244700573&w=2
Reference: XF:g6ftp-username-dos(3513)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3513

Gene6 G6 FTP Server 2.0 allows a remote attacker to cause a denial of service (resource exhaustion) via a long (1) user name or (2) password.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1520
Status: Entry
Reference: BID:256
Reference: URL:http://www.securityfocus.com/bid/256
Reference: BUGTRAQ:19990511 [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs
Reference: URL:http://marc.info/?l=bugtraq&m=92647407227303&w=2
Reference: XF:siteserver-site-csc(2270)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2270

A configuration problem in the Ad Server Sample directory (AdSamples) in Microsoft Site Server 3.0 allows an attacker to obtain the SITE.CSC file, which exposes sensitive SQL database information.

======================================================
Name: CVE-1999-1521
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:633
Reference: URL:http://www.securityfocus.com/bid/633
Reference: BUGTRAQ:19990729 Vulnerability in CMail SMTP Server Version 2.4: Remotely exploitable buffer
Reference: URL:http://marc.info/?l=bugtraq&m=94121824921783&w=2
Reference: BUGTRAQ:19990912 Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug
Reference: URL:http://marc.info/?l=bugtraq&m=93720402717560&w=2
Reference: XF:cmail-command-bo(2240)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2240

Computalynx CMail 2.4 and CMail 2.3 SP2 SMTP servers are vulnerable to a buffer overflow attack in the MAIL FROM command that may allow a remote attacker to execute arbitrary code on the server.

Current Votes:
   ACCEPT(1) Frech
   NOOP(4) Christey, Cole, Foat, Wall

Voter Comments:
 Christey> Remove "attack" from description and slightly rewrite.
 Christey> ADDREF BUGTRAQ:19991029 Vulnerability in CMail SMTP Server Version 2.4: Remotely exploitable buffer
   URL:http://www.securityfocus.com/archive/1/32573
   ADDREF BUGTRAQ:19990616 C-Mail SMTP Server Remote Buffer Overflow Exploit
   URL:http://online.securityfocus.com/archive/1/15524
   Note: this last post exploits an overflow through VRFY instead of MAIL FROM. However, CD:SF-LOC suggests merging two issues of the same type that are in the same versions.
   ADDREF BUGTRAQ:19990526 Multiple Web Interface Security Holes
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92774425211457&w=2

======================================================
Name: CVE-1999-1522
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19991007 Roxen security alert
Reference: URL:http://marc.info/?l=bugtraq&m=93942579008408&w=2

Vulnerability in htmlparse.pike in Roxen Web Server 1.3.11 and earlier, possibly related to recursive parsing and referer tags in RXML.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:roxen-rxml-recursive-parsing(3372)

======================================================
Name: CVE-1999-1523
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19991004
Reference: URL:http://marc.info/?l=bugtraq&m=93901161727373&w=2
Reference: BUGTRAQ:19991006 Re: Sample DOS against the Sambar HTTP-Server
Reference: URL:http://marc.info/?l=bugtraq&m=93941351229256&w=2
Reference: XF:sambar-logging-bo(1672)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1672

Buffer overflow in Sambar Web Server 4.2.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP GET request.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1524
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990807 Re: FlowPoint DSL router vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=93424680430460&w=2

FlowPoint DSL router firmware versions prior to 3.0.8 allows a remote attacker to exploit a password recovery feature from the network and conduct brute force password guessing, instead of limiting the feature to the serial console port.

Current Votes:
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1525
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19970314 Shockwave Security Alert
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420670&w=2
Reference: XF:http-ns-shockwave(460)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/460
Reference: XF:shockwave-file-read-vuln(1586)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1586
Reference: XF:shockwave-internal-access(1585)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1585

Macromedia Shockwave before 6.0 allows a malicious webmaster to read a user's mail box and possibly access internal web servers via the GetNextText command on a Shockwave movie.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1526
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19990311 [Fwd: Shockwave 7 Security Hole]
Reference: URL:http://www.securityfocus.com/archive/1/12842
Reference: XF:shockwave-updater(1931)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1931

Auto-update feature of Macromedia Shockwave 7 transmits a user's password and hard disk information back to Macromedia.
Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1527
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:816
Reference: URL:http://www.securityfocus.com/bid/816
Reference: BUGTRAQ:19991123 NetBeans/ Forte' Java IDE HTTP vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=94338883114254&w=2

Internal HTTP server in Sun Netbeans Java IDE in Netbeans Developer 3.0 Beta and Forte Community Edition 1.0 Beta does not properly restrict access to IP addresses as specified in its configuration, which allows arbitrary remote attackers to access the server.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:sun-java-ide-http-access(8333)

======================================================
Name: CVE-1999-1528
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:794
Reference: URL:http://www.securityfocus.com/bid/794
Reference: BUGTRAQ:19991114 MacOS 9 and the MacOS Netware Client
Reference: URL:http://marc.info/?l=bugtraq&m=94261444428430&w=2

ProSoft Netware Client 5.12 on Macintosh MacOS 9 does not automatically log a user out of the NDS tree when the user logs off the system, which allows other users of the same system access to the unprotected NDS session.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:macos-netware-nds-access(8339)

======================================================
Name: CVE-1999-1529
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:787
Reference: URL:http://www.securityfocus.com/bid/787
Reference: BUGTRAQ:19991107 Interscan VirusWall NT 3.23/3.3 buffer overflow
Reference: URL:http://marc.info/?l=bugtraq&m=94201512111092&w=2
Reference: BUGTRAQ:19991108 Patch for VirusWall 3.23.
Reference: URL:http://marc.info/?l=bugtraq&m=94204166130782&w=2
Reference: BUGTRAQ:19991108 Re: Interscan VirusWall NT 3.23/3.3 buffer overflow.
Reference: URL:http://marc.info/?l=bugtraq&m=94210427406568&w=2
Reference: BUGTRAQ:20000417 New DOS on Interscan NT/3.32
Reference: URL:http://www.securityfocus.com/archive/1/55551
Reference: NTBUGTRAQ:19991107 Interscan VirusWall NT 3.23/3.3 buffer overflow.
Reference: URL:http://marc.info/?l=ntbugtraq&m=94199707625818&w=2
Reference: NTBUGTRAQ:19991108 Patch for VirusWall 3.23.
Reference: URL:http://marc.info/?l=ntbugtraq&m=94208143007829&w=2
Reference: XF:viruswall-helo-bo(3465)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3465

A buffer overflow exists in the HELO command in Trend Micro Interscan VirusWall SMTP gateway 3.23/3.3 for NT, which may allow an attacker to execute arbitrary code.

Current Votes:
   ACCEPT(2) Cole, Foat
   NOOP(1) Wall
   REJECT(1) Frech

======================================================
Name: CVE-1999-1530
Status: Entry
Reference: BID:777
Reference: URL:http://www.securityfocus.com/bid/777
Reference: BUGTRAQ:19991108 Security flaw in Cobalt RaQ2 cgiwrap
Reference: URL:http://marc.info/?l=bugtraq&m=94209954200450&w=2
Reference: BUGTRAQ:19991109 [Cobalt] Security Advisory - cgiwrap
Reference: URL:http://marc.info/?l=bugtraq&m=94225629200045&w=2
Reference: OSVDB:35
Reference: URL:http://www.osvdb.org/35
Reference: XF:cobalt-cgiwrap-incorrect-permissions(7764)
Reference: URL:http://www.iss.net/security_center/static/7764.php

cgiwrap as used on Cobalt RaQ 2.0 and RaQ 3i does not properly identify the user for running certain scripts, which allows a malicious site administrator to view or modify data located at another virtual site on the same system.
======================================================
Name: CVE-1999-1531
Status: Entry
Reference: BID:763
Reference: URL:http://www.securityfocus.com/bid/763
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares
Reference: URL:http://marc.info/?l=bugtraq&m=94157187815629&w=2
Reference: XF:ibm-homepageprint-bo(7767)
Reference: URL:http://www.iss.net/security_center/static/7767.php

Buffer overflow in IBM HomePagePrint 1.0.7 for Windows98J allows a malicious Web site to execute arbitrary code on a viewer's system via a long IMG_SRC HTML tag.

======================================================
Name: CVE-1999-1532
Status: Candidate
Phase: Modified(20011126)
Reference: BID:748
Reference: URL:http://www.securityfocus.com/bid/748
Reference: BUGTRAQ:19991029 message:Netscape Messaging Server RCPT TO vul.
Reference: URL:http://marc.info/?l=bugtraq&m=94117465014255&w=2

Netscape Messaging Server 3.54, 3.55, and 3.6 allows a remote attacker to cause a denial of service (memory exhaustion) via a series of long RCPT TO commands.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:netscape-messaging-rcptto-dos(8340)
   Description ends with a comma and not a period, possibly indicating that the sentence is not complete,

======================================================
Name: CVE-1999-1533
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:665
Reference: URL:http://www.securityfocus.com/bid/665
Reference: BUGTRAQ:19990926 DoS Exploit in Eicon Diehl LAN ISDN Modem
Reference: URL:http://marc.info/?l=bugtraq&m=93846522511387&w=2
Reference: XF:diva-lan-isdn-dos(3317)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3317

Eicon Technology Diva LAN ISDN modem allows a remote attacker to cause a denial of service (hang) via a long password argument to the login.htm file in its HTTP service.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1534
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:661
Reference: URL:http://www.securityfocus.com/bid/661
Reference: BUGTRAQ:19990923 Multiple vendor Knox Arkiea local root/remote DoS
Reference: URL:http://marc.info/?l=bugtraq&m=93837184228248&w=2

Buffer overflow in (1) nlservd and (2) rnavc in Knox Software Arkeia backup product allows local users to obtain root access via a long HOME environmental variable.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:arkiea-backup-home-bo(3322)

======================================================
Name: CVE-1999-1535
Status: Entry
Reference: BID:592
Reference: URL:http://www.securityfocus.com/bid/592
Reference: NTBUGTRAQ:19990720 Buffer overflow in AspUpload 1.4
Reference: URL:http://marc.info/?l=ntbugtraq&m=93256878011447&w=2
Reference: NTBUGTRAQ:19990818 AspUpload Buffer Overflow Fixed
Reference: URL:http://marc.info/?l=ntbugtraq&m=93501427820328&w=2
Reference: XF:http-aspupload-bo(3291)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3291

Buffer overflow in AspUpload.dll in Persits Software AspUpload before 1.4.0.2 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long argument in the HTTP request.

======================================================
Name: CVE-1999-1536
Status: Candidate
Phase: Modified(20070207)
Reference: BID:560
Reference: URL:http://www.securityfocus.com/bid/560
Reference: BUGTRAQ:19990730 World writable root owned script in SalesBuilder (RedHat 6.0)
Reference: URL:http://marc.info/?l=bugtraq&m=93347785827287&w=2
Reference: OSVDB:13557
Reference: URL:http://www.osvdb.org/13557

.sbstart startup script in AcuShop Salesbuilder is world writable, which allows local users to gain privileges by appending commands to the file.
Current Votes:
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Frech

Voter Comments:
 Frech> (ACCEPT; Task 2356)

======================================================
Name: CVE-1999-1537
Status: Entry
Reference: BID:521
Reference: URL:http://www.securityfocus.com/bid/521
Reference: NTBUGTRAQ:19990707 SSL and IIS.
Reference: URL:http://marc.info/?l=ntbugtraq&m=93138827329577&w=2
Reference: XF:ssl-iis-dos(2352)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2352

IIS 3.x and 4.x does not distinguish between pages requiring encryption and those that do not, which allows remote attackers to cause a denial of service (resource exhaustion) via SSL requests to the HTTPS port for normally unencrypted files, which will cause IIS to perform extra work to send the files over SSL.

======================================================
Name: CVE-1999-1538
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:189
Reference: URL:http://www.securityfocus.com/bid/189
Reference: BUGTRAQ:19990114 MS IIS 4.0 Security Advisory
Reference: URL:http://marc.info/?l=bugtraq&m=91638375309890&w=2
Reference: NTBUGTRAQ:19990114 MS IIS 4.0 Security Advisory
Reference: URL:http://marc.info/?l=ntbugtraq&m=91632724913080&w=2

When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allows an unauthorized user to gain access to sensitive server information, including the Administrator's password.
Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:iis-ismdll-info(7566)

======================================================
Name: CVE-1999-1539
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:796
Reference: URL:http://www.securityfocus.com/bid/796
Reference: BUGTRAQ:19991110 Remote DoS Attack in QVT/Term 'Plus' 4.2d FTP Server Vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=94225924803704&w=2
Reference: NTBUGTRAQ:19991110 Remote DoS Attack in QVT/Term 'Plus' 4.2d FTP Server Vulnerability
Reference: URL:http://marc.info/?l=ntbugtraq&m=94223972910670&w=2
Reference: XF:qvtterm-login-dos(3491)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3491

Buffer overflow in FTP server in QPC Software's QVT/Term Plus versions 4.2d and 4.3 and QVT/Net 4.3 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long (1) user name or (2) password.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1540
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19991005 Cactus Software's shell-lock
Reference: URL:http://marc.info/?l=bugtraq&m=93916168802365&w=2
Reference: L0PHT:19991004
Reference: URL:http://www.atstake.com/research/advisories/1999/shell-lock.txt
Reference: XF:cactus-shell-lock-retrieve-shell-code(3356)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3356

shell-lock in Cactus Software Shell Lock uses weak encryption (trivial encoding) which allows attackers to easily decrypt and obtain the source code.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1541
Status: Candidate
Phase: Proposed(20010912)
Reference: BUGTRAQ:19991005 Cactus Software's shell-lock
Reference: URL:http://marc.info/?l=bugtraq&m=93916168802365&w=2
Reference: L0PHT:19991004
Reference: URL:http://www.atstake.com/research/advisories/1999/shell-lock.txt
Reference: XF:cactus-shell-lock-root-privs(3358)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3358

shell-lock in Cactus Software Shell Lock allows local users to read or modify decoded shell files before they are executed, via a symlink attack on a temporary file.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1542
Status: Entry
Reference: BUGTRAQ:19991004 RH6.0 local/remote command execution
Reference: URL:http://marc.info/?l=bugtraq&m=93915641729415&w=2
Reference: BUGTRAQ:19991006 Fwd: [Re: RH6.0 local/remote command execution]
Reference: URL:http://marc.info/?l=bugtraq&m=93923853105687&w=2
Reference: XF:linux-rh-rpmmail(3353)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3353

RPMMail before 1.4 allows remote attackers to execute commands via an e-mail message with shell metacharacters in the "MAIL FROM" command.

======================================================
Name: CVE-1999-1543
Status: Candidate
Phase: Proposed(20010912)
Reference: BID:519
Reference: URL:http://www.securityfocus.com/bid/519
Reference: BUGTRAQ:19990710 MacOS system encryption algorithm
Reference: URL:http://marc.info/?l=bugtraq&m=93188174906513&w=2
Reference: BUGTRAQ:19990914 MacOS system encryption algorithm 3
Reference: URL:http://marc.info/?l=bugtraq&m=93736667813924&w=2

MacOS uses weak encryption for passwords that are stored in the Users & Groups Data File.
Current Votes: NOOP(3) Cole, Foat, Wall REVIEWING(1) Frech Voter Comments: Frech> (ACCEPT; Task 2357) ====================================================== Name: CVE-1999-1544 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990124 Advisory: IIS FTP Exploit/DoS Attack Reference: URL:http://marc.info/?l=bugtraq&m=91722115016183&w=2 Buffer overflow in FTP server in Microsoft IIS 3.0 and 4.0 allows local and sometimes remote attackers to cause a denial of service via a long NLST (ls) command. Current Votes: ACCEPT(1) Wall NOOP(2) Cole, Foat REJECT(1) Frech Voter Comments: Frech> Dupe CVE-1999-0349 ====================================================== Name: CVE-1999-1545 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990714 Reference: URL:http://marc.info/?l=bugtraq&m=93216103027827&w=2 Reference: BUGTRAQ:19990717 joe 2.8 makes world-readable DEADJOE Reference: URL:http://marc.info/?l=bugtraq&m=93226771401036&w=2 Joe's Own Editor (joe) 2.8 sets the world-readable permission on its crash-save file, DEADJOE, which could allow local users to read files that were being edited by other users. Current Votes: NOOP(3) Cole, Foat, Wall REVIEWING(1) Frech Voter Comments: Frech> (ACCEPT; Task 2358) ====================================================== Name: CVE-1999-1546 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990129 TROJAN: netstation.navio-comm.rte 1.1.0.1 Reference: URL:http://www.securityfocus.com/archive/1/12217 Reference: XF:navionc-config-script(1724) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1724 netstation.navio-com.rte 1.1.0.1 configuration script for Navio NC on IBM AIX exports /tmp over NFS as world-readable and world-writable. 
Current Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1547 Status: Candidate Phase: Proposed(20010912) Reference: BID:841 Reference: URL:http://www.securityfocus.com/bid/841 Reference: BUGTRAQ:19991125 Oracle Web Listener Reference: URL:http://marc.info/?l=bugtraq&m=94359982417686&w=2 Reference: NTBUGTRAQ:19991125 Oracle Web Listener Reference: URL:http://marc.info/?l=ntbugtraq&m=94390053530890&w=2 Oracle Web Listener 2.1 allows remote attackers to bypass access restrictions by replacing a character in the URL with its HTTP-encoded (hex) equivalent. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:oracle-weblistener-bypass-restrictions(8355) ====================================================== Name: CVE-1999-1548 Status: Candidate Phase: Proposed(20010912) Reference: BID:821 Reference: URL:http://www.securityfocus.com/bid/821 Reference: BINDVIEW:19991124 Cabletron SmartSwitch Router 8000 Firmware v2.x Reference: URL:http://razor.bindview.com/publish/advisories/adv_Cabletron.html Cabletron SmartSwitch Router (SSR) 8000 firmware 2.x can only handle 200 ARP requests per second allowing a denial of service attack to succeed with a flood of ARP requests exceeding that limit. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:smartswitch-arp-flood-dos(7770) BID URL should be 821, not 841. 
====================================================== Name: CVE-1999-1549 Status: Candidate Phase: Proposed(20010912) Reference: BID:804 Reference: URL:http://www.securityfocus.com/bid/804 Reference: BUGTRAQ:19991116 lynx 2.8.x - 'special URLs' anti-spoofing protection is weak Reference: URL:http://marc.info/?l=bugtraq&m=94286509804526&w=2 Lynx 2.x does not properly distinguish between internal and external HTML, which may allow a local attacker to read a "secure" hidden form value from a temporary file and craft a LYNXOPTIONS: URL that causes Lynx to modify the user's configuration file and execute commands. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:lynx-lynxurl-spoof(8342) ====================================================== Name: CVE-1999-1550 Status: Entry Reference: BID:778 Reference: URL:http://www.securityfocus.com/bid/778 Reference: BUGTRAQ:19991108 BigIP - bigconf.cgi holes Reference: URL:http://marc.info/?l=bugtraq&m=94217006208374&w=2 Reference: BUGTRAQ:19991109 Reference: URL:http://marc.info/?l=bugtraq&m=94225879703021&w=2 Reference: BUGTRAQ:19991109 Re: BigIP - bigconf.cgi holes Reference: URL:http://marc.info/?l=bugtraq&m=94217879020184&w=2 Reference: XF:bigip-bigconf-view-files(7771) Reference: URL:http://www.iss.net/security_center/static/7771.php bigconf.conf in F5 BIG/ip 2.1.2 and earlier allows remote attackers to read arbitrary files by specifying the target file in the "file" parameter. 
====================================================== Name: CVE-1999-1551 Status: Candidate Phase: Proposed(20010912) Reference: BID:505 Reference: URL:http://www.securityfocus.com/bid/505 Reference: BUGTRAQ:19990302 Multiple IMail Vulnerabilites Reference: URL:http://marc.info/?l=bugtraq&m=92038879607336&w=2 Reference: XF:imail-websvc-overflow(1898) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1898 Buffer overflow in Ipswitch IMail Service 5.0 allows an attacker to cause a denial of service (crash) and possibly execute arbitrary commands via a long URL. Current Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall ====================================================== Name: CVE-1999-1552 Status: Candidate Phase: Proposed(20010912) Reference: BID:358 Reference: URL:http://www.securityfocus.com/bid/358 Reference: BUGTRAQ:19940720 xnews and XDM Reference: URL:http://lists.insecure.org/lists/bugtraq/1994/Jul/0038.html dpsexec (DPS Server) when running under XDM in IBM AIX 3.2.5 and earlier does not properly check privileges, which allows local users to overwrite arbitrary files and gain privileges. Current Votes: NOOP(2) Cole, Foat ====================================================== Name: CVE-1999-1553 Status: Candidate Phase: Proposed(20010912) Reference: BID:311 Reference: URL:http://www.securityfocus.com/bid/311 Reference: BUGTRAQ:19990301 [0z0n3] XCmail remotely exploitable vulnerability Reference: URL:http://www.securityfocus.com/archive/1/12730 Reference: XF:xcmail-reply-overflow(1859) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1859 Buffer overflow in XCmail 0.99.6 with autoquote enabled allows remote attackers to execute arbitrary commands via a long subject line. 
Current Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1554 Status: Candidate Phase: Modified(20020218) Reference: BID:13 Reference: URL:http://www.securityfocus.com/bid/13 Reference: CERT:CA-1990-08 Reference: URL:http://www.cert.org/advisories/CA-1990-08.html Reference: XF:sgi-irix-reset(3164) Reference: URL:http://www.iss.net/security_center/static/3164.php /usr/sbin/Mail on SGI IRIX 3.3 and 3.3.1 does not properly set the group ID to the group ID of the user who started Mail, which allows local users to read the mail of other users. Current Votes: ACCEPT(2) Cole, Stracener MODIFY(1) Frech NOOP(2) Foat, Wall Voter Comments: Frech> XF:sgi-irix-reset(3164) CHANGE> [Foat changed vote from ACCEPT to NOOP] ====================================================== Name: CVE-1999-1555 Status: Candidate Phase: Proposed(20010912) Reference: BID:106 Reference: URL:http://www.securityfocus.com/bid/106 Reference: BUGTRAQ:19980611 Cheyenne Inoculan vulnerability on NT Reference: URL:http://www.securityfocus.com/archive/1/9515 Reference: XF:inoculan-bad-permissions(1536) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1536 Cheyenne InocuLAN Anti-Virus Server in Inoculan 4.0 before Service Pack 2 creates an update directory with "EVERYONE FULL CONTROL" permissions, which allows local users to cause Inoculan's antivirus update feature to install a Trojan horse dll. 
Current Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> http://support.cai.com/Download/patches/inocnt.html ====================================================== Name: CVE-1999-1556 Status: Entry Reference: BID:109 Reference: URL:http://www.securityfocus.com/bid/109 Reference: NTBUGTRAQ:19980629 MS SQL Server 6.5 stores password in unprotected registry keys Reference: URL:http://marc.info/?l=ntbugtraq&m=90222453431645&w=2 Reference: XF:mssql-sqlexecutivecmdexec-password(7354) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7354 Microsoft SQL Server 6.5 uses weak encryption for the password for the SQLExecutiveCmdExec account and stores it in an accessible portion of the registry, which could allow local users to gain privileges by reading and decrypting the CmdExecAccount value. ====================================================== Name: CVE-1999-1557 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990301 Multiple IMail Vulnerabilites Reference: URL:http://marc.info/?l=bugtraq&m=92038879607336&w=2 Reference: XF:imail-imap-overflow(1895) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1895 Buffer overflow in the login functions in IMAP server (imapd) in Ipswitch IMail 5.0 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a long user name or (2) a long password. 
Current Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall ====================================================== Name: CVE-1999-1558 Status: Candidate Phase: Modified(20020218) Reference: BID:161 Reference: URL:http://www.securityfocus.com/bid/161 Reference: CERT:VB-98.07 Reference: CIAC:I-071A Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-071a.shtml Reference: XF:openvms-loginout-unauth-access(7151) Reference: URL:http://www.iss.net/security_center/static/7151.php Vulnerability in loginout in Digital OpenVMS 7.1 and earlier allows unauthorized access when external authentication is enabled. Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:openvms-loginout-unauth-access(7151) ====================================================== Name: CVE-1999-1559 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990331 Xylan OmniSwitch "features" Reference: URL:http://marc.info/?l=bugtraq&m=92299263017061&w=2 Reference: XF:xylan-omniswitch-login(2064) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2064 Xylan OmniSwitch before 3.2.6 allows remote attackers to bypass the login prompt via a CTRL-D (control d) character, which locks other users out of the switch because it only supports one session at a time. Current Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1560 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990720 tiger vulnerability Reference: URL:http://marc.info/?l=bugtraq&m=93252050203589&w=2 Reference: XF:tiger-script-execute(2369) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2369 Vulnerability in a script in Texas A&M University (TAMU) Tiger allows local users to execute arbitrary commands as the Tiger user, usually root. 
Current Votes: ACCEPT(3) Cole, Foat, Frech NOOP(1) Wall ====================================================== Name: CVE-1999-1561 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990820 Winamp SHOUTcast server: Gain Administrator Password Reference: URL:http://www.securityfocus.com/archive/1/24852 Nullsoft SHOUTcast server stores the administrative password in plaintext in a configuration file (sc_serv.conf), which could allow a local user to gain administrative privileges on the server. Current Votes: NOOP(3) Cole, Foat, Wall REVIEWING(1) Frech Voter Comments: Frech> (ACCEPT; Task 2359) ====================================================== Name: CVE-1999-1562 Status: Candidate Phase: Modified(20050309) Reference: BID:3446 Reference: URL:http://www.securityfocus.com/bid/3446 Reference: BUGTRAQ:19990905 gftp Reference: URL:http://www.securityfocus.com/archive/1/26915 Reference: DEBIAN:DSA-084 Reference: URL:http://www.debian.org/security/2001/dsa-084 gFTP FTP client 1.13, and other versions before 2.0.0, records a password in plaintext in (1) the log window, or (2) in a log file. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:gftp-plaintext-password(7319) ====================================================== Name: CVE-1999-1563 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19991014 NEUROCOM: Nashuatec printer, 3 vulnerabilities found Reference: URL:http://www.securityfocus.com/archive/1/30849 Reference: BUGTRAQ:19991116 NEUROCOM: Nashuatec D445/435 vulnerabilities updated Reference: URL:http://www.securityfocus.com/archive/1/35075 Nachuatec D435 and D445 printer allows remote attackers to cause a denial of service via ICMP redirect storm. 
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:icmp-redirect(285) ====================================================== Name: CVE-1999-1564 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990902 [ Kernel panic with FreeBSD-3.2-19990830-STABLE ] Reference: URL:http://www.securityfocus.com/archive/1/26166 FreeBSD 3.2 and possibly other versions allows a local user to cause a denial of service (panic) with a large number accesses of an NFS v3 mounted directory from a large number of processes. Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Foat, Wall Voter Comments: Frech> XF:freebsd-nfs-access-dos(8325) ====================================================== Name: CVE-1999-1565 Status: Entry Reference: BUGTRAQ:19990820 [SECURITY] New versions of man2html fixes postinst glitch Reference: URL:http://www.securityfocus.com/archive/1/24784 Reference: OSVDB:6291 Reference: URL:http://www.osvdb.org/6291 Man2html 2.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file. ====================================================== Name: CVE-1999-1566 Status: Candidate Phase: Proposed(20010912) Reference: BUGTRAQ:19990508 iParty Daemon Vulnerability w/ Exploit Code (worse than thought?) Reference: URL:http://www.securityfocus.com/archive/1/13600 Buffer overflow in iParty server 1.2 and earlier allows remote attackers to cause a denial of service (crash) by connecting to default port 6004 and sending repeated extended characters. 
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:iparty-dos(1416) ====================================================== Name: CVE-1999-1567 Status: Candidate Phase: Modified(20020218) Reference: NTBUGTRAQ:19990308 Password and DOS Vulnerability with Testrack (bug tracking software) Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9903&L=NTBUGTRAQ&P=R1215 Reference: NTBUGTRAQ:19990616 Password and DOS Vulnerability with Testrack (bug tracking software) Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9906&L=NTBUGTRAQ&P=R1680 Reference: XF:testtrack-dos(1948) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1948 Seapine Software TestTrack server allows a remote attacker to cause a denial of service (high CPU) via (1) TestTrackWeb.exe and (2) ttcgi.exe by connecting to port 99 and disconnecting without sending any data. Current Votes: ACCEPT(2) Cole, Foat MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:testtrack-dos(1948) ====================================================== Name: CVE-1999-1568 Status: Entry Reference: BUGTRAQ:19990223 Comments on NcFTPd "theoretical root compromise" Reference: URL:http://www.securityfocus.com/archive/1/12699 Reference: BUGTRAQ:19990223 NcFTPd remote buffer overflow Reference: URL:http://marc.info/?l=bugtraq&m=91981352617720&w=2 Reference: XF:ncftpd-port-bo(1833) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1833 Off-by-one error in NcFTPd FTP server before 2.4.1 allows a remote attacker to cause a denial of service (crash) via a long PORT command. ====================================================== Name: CVE-1999-1569 Status: Candidate Phase: Proposed(20020830) Reference: BID:3051 Reference: URL:http://www.securityfocus.com/bid/3051 Reference: BUGTRAQ:19980502 NetQuake Protocol problem resulting in smurf like effect. 
Reference: URL:http://marc.info/?l=bugtraq&m=90221101925989&w=2 Reference: BUGTRAQ:19981101 Quake problem? Reference: URL:http://marc.info/?l=bugtraq&m=91012172524181&w=2 Reference: BUGTRAQ:20010716 Quake client and server denial-of-service Reference: URL:http://www.securityfocus.com/archive/1/197268 Reference: XF:quake-spoofed-client-dos(6871) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/6871 Quake 1 and NetQuake servers allow remote attackers to cause a denial of service (resource exhaustion or forced disconnection) via a flood of spoofed UDP connection packets, which exceeds the server's player limit. Current Votes: ACCEPT(1) Frech NOOP(5) Armstrong, Cole, Cox, Foat, Wall REVIEWING(1) Green ====================================================== Name: CVE-1999-1570 Status: Candidate Phase: Proposed(20020830) Reference: BID:4089 Reference: URL:http://www.securityfocus.com/bid/4089 Reference: BUGTRAQ:19990909 19 SCO 5.0.5+Skunware98 buffer overflows Reference: URL:http://online.securityfocus.com/archive/1/27074 Reference: CALDERA:CSSA-2002-SCO.17 Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.17/CSSA-2002-SCO.17.txt Reference: VULN-DEV:20020509 Sar -o exploitation process info. Reference: URL:http://marc.info/?l=vuln-dev&m=102098949103708&w=2 Reference: XF:openserver-sar-bo(8989) Reference: URL:http://www.iss.net/security_center/static/8989.php Buffer overflow in sar for OpenServer 5.0.5 allows local users to gain root privileges via a long -o parameter. Current Votes: ACCEPT(4) Armstrong, Cole, Frech, Green NOOP(3) Cox, Foat, Wall REVIEWING(1) Christey Voter Comments: Frech> It seems as if the BID-4089 assignment on this CAN name may be in error. BID-4089 (Multiple Vendor SNMP Request Handling Vulnerabilities) is already assigned to CVE-2002-0013. Also, this CVE issue seems to have nothing to do with SNMP. Christey> Agreed, this is the wrong BID. 
SecurityFocus has assigned BID:643 to CVE-1999-1570, but there's a bit of an inconsistency. BID:643 alludes to Bugtraq posts in 1999 from Brock Tellier, mentioning overflows in sar via BOTH the -o and -f parameters. However, they also link this issue to SCO advisory 99.17, although the advisory itself is too vague to *really* know what vulns they fixed. And now the link to a potentially more detailed document (sse037.ltr) is broken. So we don't have any independent reason for knowing whether SCO 99.17 (a) addresses any "sar" vulnerabilities, and (b) even if it does, whether it addresses *both* the -o and -f arguments originally claimed by Tellier. Finally, it seems rather curious that CSSA-2002-SCO.17 talks about a -o overflow but does not mention -f. Sounds like an email to the security people at SCO is in order... OK. Having consulted with SCO (who responded quickly), I looked even further into this issue. There is now sufficient evidence that the -f overflow was fixed in 1999. This means that a separate candidate should be created (by CD:SF-LOC), so the -f overflow is now covered by CVE-1999-1571. 
Need to DELREF BID:4089 CHANGE> [Frech changed vote from NOOP to ACCEPT] CHANGE> [Christey changed vote from NOOP to REVIEWING] ====================================================== Name: CVE-1999-1571 Status: Candidate Phase: Assigned(20021008) Reference: BID:643 Reference: URL:http://www.securityfocus.com/bid/643 Reference: BUGTRAQ:19990909 19 SCO 5.0.5+Skunware98 buffer overflows Reference: URL:http://online.securityfocus.com/archive/1/27074 Reference: BUGTRAQ:19990917 Re: recent SCO 5.0.x vulnerabilities Reference: URL:http://marc.info/?l=bugtraq&m=93762097815861&w=2 Reference: BUGTRAQ:19991020 Re: recent SCO 5.0.x vulnerabilities Reference: URL:http://marc.info/?l=bugtraq&m=94053017801639&w=2 Reference: BUGTRAQ:19991105 SCO Security Bulletin 99.17 Reference: URL:http://marc.info/?l=bugtraq&m=94183363719024&w=2 Reference: CONFIRM:ftp://stage.caldera.com/pub/security/sse/sse037c/sse037c.ltr Reference: MISC:http://online.securityfocus.com/advisories/1843 Reference: SCO:SB-99.17c Reference: URL:ftp://stage.caldera.com/pub/security/sse/security_bulletins/SB-99.17c Reference: VULN-DEV:20020509 Sar -o exploitation process info. Reference: URL:http://marc.info/?l=vuln-dev&m=102098949103708&w=2 Reference: XF:openserver-sar-bo(8989) Reference: URL:http://www.iss.net/security_center/static/8989.php Buffer overflow in sar for SCO OpenServer 5.0.0 through 5.0.5 may allow local users to gain root privileges via a long -f parameter, a different vulnerability than CVE-1999-1570. 
Current Votes: None (candidate not yet proposed) ====================================================== Name: CVE-1999-1572 Status: Candidate Phase: Assigned(20050127) Reference: BUGTRAQ:20050204 [USN-75-1] cpio vulnerability Reference: URL:http://marc.info/?l=bugtraq&m=110763404701519&w=2 Reference: CONFIRM:http://support.avaya.com/elmodocs2/security/ASA-2005-212.pdf Reference: DEBIAN:DSA-664 Reference: URL:http://www.debian.org/security/2005/dsa-664 Reference: MANDRAKE:MDKSA-2005:032 Reference: URL:http://www.mandriva.com/security/advisories?name=MDKSA-2005:032 Reference: MISC:http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/1391 Reference: OVAL:oval:org.mitre.oval:def:10888 Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10888 Reference: REDHAT:RHSA-2005:073 Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-073.html Reference: REDHAT:RHSA-2005:080 Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-080.html Reference: REDHAT:RHSA-2005:806 Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-806.html Reference: SECUNIA:14357 Reference: URL:http://secunia.com/advisories/14357 Reference: SECUNIA:17063 Reference: URL:http://secunia.com/advisories/17063 Reference: SECUNIA:17532 Reference: URL:http://secunia.com/advisories/17532 Reference: TRUSTIX:2005-0003 Reference: URL:http://www.trustix.org/errata/2005/0003/ Reference: XF:cpio-o-archive-insecure-permissions(19167) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/19167 cpio on FreeBSD 2.1.0, Debian GNU/Linux 3.0, and possibly other operating systems, uses a 0 umask when creating files using the -O (archive) or -F options, which creates the files with mode 0666 and allows local users to read or overwrite those files. 
Current Votes: None (candidate not yet proposed) ====================================================== Name: CVE-1999-1573 Status: Candidate Phase: Assigned(20050421) Reference: AUSCERT:ESB-98.186 Reference: URL:http://www.auscert.org.au/render.html?it=490 Reference: CERT-VN:VU#13217 Reference: URL:http://www.kb.cert.org/vuls/id/13217 Reference: CIAC:J-022 Reference: URL:http://www.ciac.org/ciac/bulletins/j-022.shtml Reference: HP:HPSBUX9812-090 Reference: URL:http://www.securityfocus.com/advisories/1471 Reference: OVAL:oval:org.mitre.oval:def:5550 Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5550 Reference: XF:hp-rcmnds-gain-privileges(7860) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7860 Multiple unknown vulnerabilities in the "r-cmnds" (1) remshd, (2) rexecd, (3) rlogind, (4) rlogin, (5) remsh, (6) rcp, (7) rexec, and (8) rdist for HP-UX 10.00 through 11.00 allow attackers to gain privileges or access files. Current Votes: None (candidate not yet proposed) ====================================================== Name: CVE-1999-1574 Status: Candidate Phase: Assigned(20050421) Reference: AIXAPAR:IX79909 Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IX79909&apar=only Reference: CERT-VN:VU#182777 Reference: URL:http://www.kb.cert.org/vuls/id/182777 Reference: XF:aix-nslookup-lex-bo(7867) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7867 Buffer overflow in the lex routines of nslookup for AIX 4.3 may allow attackers to cause a core dump and possibly execute arbitrary code via "long input strings." 
Current Votes: None (candidate not yet proposed) ====================================================== Name: CVE-1999-1575 Status: Candidate Phase: Assigned(20050421) Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns Reference: URL:http://www.securityfocus.com/archive/1/28719 Reference: CERT-VN:VU#23412 Reference: URL:http://www.kb.cert.org/vuls/id/23412 Reference: CERT-VN:VU#24839 Reference: URL:http://www.kb.cert.org/vuls/id/24839 Reference: CERT-VN:VU#26924 Reference: URL:http://www.kb.cert.org/vuls/id/26924 Reference: CERT-VN:VU#41408 Reference: URL:http://www.kb.cert.org/vuls/id/41408 Reference: CERT-VN:VU#9162 Reference: URL:http://www.kb.cert.org/vuls/id/9162 Reference: MS:MS99-037 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-037 Reference: XF:wang-kodak-activex-control(7097) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7097 The Kodak/Wang (1) Image Edit (imgedit.ocx), (2) Image Annotation (imgedit.ocx), (3) Image Scan (imgscan.ocx), (4) Thumbnail Image (imgthumb.ocx), (5) Image Admin (imgadmin.ocx), (6) HHOpen (hhopen.ocx), (7) Registration Wizard (regwizc.dll), and (8) IE Active Setup (setupctl.dll) ActiveX controls for Internet Explorer (IE) 4.01 and 5.0 are marked as "Safe for Scripting," which allows remote attackers to create and modify files and execute arbitrary commands. 
Current Votes: None (candidate not yet proposed) ====================================================== Name: CVE-1999-1576 Status: Candidate Phase: Assigned(20050421) Reference: BID:666 Reference: URL:http://www.securityfocus.com/bid/666 Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns Reference: URL:http://www.securityfocus.com/archive/1/28719 Reference: CERT-VN:VU#25919 Reference: URL:http://www.kb.cert.org/vuls/id/25919 Reference: XF:adobe-acrobat-pdf-bo(3318) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3318 Buffer overflow in Adobe Acrobat ActiveX control (pdf.ocx, PDF.PdfCtrl.1) 1.3.188 for Acrobat Reader 4.0 allows remote attackers to execute arbitrary code via the pdf.setview method. Current Votes: None (candidate not yet proposed) ====================================================== Name: CVE-1999-1577 Status: Candidate Phase: Assigned(20050421) Reference: BID:669 Reference: URL:http://www.securityfocus.com/bid/669 Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns Reference: URL:http://www.securityfocus.com/archive/1/28719 Reference: CERT-VN:VU#29795 Reference: URL:http://www.kb.cert.org/vuls/id/29795 Reference: XF:ie-hhopen-bo(3314) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3314 Buffer overflow in HHOpen ActiveX control (hhopen.ocx) 1.0.0.1 for Internet Explorer 4.01 and 5 allows remote attackers to execute arbitrary commands via long arguments to the OpenHelp method. 
Current Votes: None (candidate not yet proposed) ====================================================== Name: CVE-1999-1578 Status: Candidate Phase: Assigned(20050421) Reference: BID:671 Reference: URL:http://www.securityfocus.com/bid/671 Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns Reference: URL:http://www.securityfocus.com/archive/1/28719 Reference: CERT-VN:VU#37556 Reference: URL:http://www.kb.cert.org/vuls/id/37556 Reference: XF:ie-registration-wiz-bo(3311) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3311 Buffer overflow in Registration Wizard ActiveX control (regwizc.dll, InvokeRegWizard) 3.0.0.0 for Internet Explorer 4.01 and 5 allows remote attackers to execute arbitrary commands. Current Votes: None (candidate not yet proposed) ====================================================== Name: CVE-1999-1579 Status: Candidate Phase: Assigned(20050421) Reference: BID:6827 Reference: URL:http://www.securityfocus.com/bid/6827 Reference: CERT-VN:VU#3062 Reference: URL:http://www.kb.cert.org/vuls/id/3062 Reference: MSKB:Q242366 Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];242366 Reference: XF:winnt-xenroll-dos(7107) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7107 The Cenroll ActiveX control (xenroll.dll) for Terminal Server Editions of Windows NT 4.0 and Windows NT Server 4.0 before SP6 allows remote attackers to cause a denial of service (resource consumption) by creating a large number of arbitrary files on the target machine. 
Current Votes: None (candidate not yet proposed) ====================================================== Name: CVE-1999-1580 Status: Candidate Phase: Assigned(20050421) Reference: AUSCERT:AA-95.09 Reference: URL:http://www.auscert.org.au/render.html?it=1853&cid=1978 Reference: BID:7829 Reference: URL:http://www.securityfocus.com/bid/7829 Reference: CERT:CA-1995-11 Reference: URL:http://www.cert.org/advisories/CA-95.11.sun.sendmail-oR.vul Reference: CERT-VN:VU#3278 Reference: URL:http://www.kb.cert.org/vuls/id/3278 Reference: MISC:http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-21.html Reference: URL:http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-21.html SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding host argument, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable and passing crafted values to the -oR option. Current Votes: None (candidate not yet proposed) ====================================================== Name: CVE-1999-1581 Status: Candidate Phase: Assigned(20050421) Reference: CERT-VN:VU#4923 Reference: URL:http://www.kb.cert.org/vuls/id/4923 Reference: MSKB:Q178381 Reference: URL:http://support.microsoft.com/kb/q178381/ Reference: XF:winnt-snmp-oid-memory-leak(8231) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/8231 Memory leak in Simple Network Management Protocol (SNMP) agent (snmp.exe) for Windows NT 4.0 before Service Pack 4 allows remote attackers to cause a denial of service (memory consumption) via a large number of SNMP packets with Object Identifiers (OIDs) that cannot be decoded. 
Current Votes: None (candidate not yet proposed) ====================================================== Name: CVE-1999-1582 Status: Candidate Phase: Assigned(20050421) Reference: CERT-VN:VU#6733 Reference: URL:http://www.kb.cert.org/vuls/id/6733 Reference: CISCO:19980715 PIX Firewall "established" Command Reference: URL:http://www.cisco.com/warp/public/707/pixest-pub.shtml Reference: XF:cisco-pix-established-bypass(8052) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/8052 By design, the "established" command on the Cisco PIX firewall allows connections from one host to arbitrary ports of a target host if an alternative conduit has already been allowed, which can cause administrators to configure less restrictive access controls than intended if they do not understand this functionality. Current Votes: None (candidate not yet proposed) ====================================================== Name: CVE-1999-1583 Status: Candidate Phase: Assigned(20050421) Reference: AIXAPAR:IY02120 Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IY02120&apar=only Reference: CERT-VN:VU#872443 Reference: URL:http://www.kb.cert.org/vuls/id/872443 Reference: XF:aix-nslookup-hostname-bo(8031) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/8031 Buffer overflow in nslookup for AIX 4.3 allows local users to execute arbitrary code via a long hostname command line argument. 
Current Votes: None (candidate not yet proposed) ====================================================== Name: CVE-1999-1584 Status: Candidate Phase: Assigned(20050830) Reference: CERT:CA-93.18 Reference: URL:http://www.cert.org/advisories/CA-1993-18.html Reference: SUN:00124 Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-22-00124-1 Unknown vulnerability in (1) loadmodule, and (2) modload if modload is installed with setuid/setgid privileges, in SunOS 4.1.1 through 4.1.3c, and Open Windows 3.0, allows local users to gain root privileges via environment variables, a different vulnerability than CVE-1999-1586. Current Votes: None (candidate not yet proposed) ====================================================== Name: CVE-1999-1585 Status: Candidate Phase: Assigned(20050830) Reference: SUN:00124 Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-22-00124-1 The (1) rcS and (2) mountall programs in Sun Solaris 2.x, possibly before 2.4, start a privileged shell on the system console if fsck fails while the system is booting, which allows attackers with physical access to gain root privileges. Current Votes: None (candidate not yet proposed) ====================================================== Name: CVE-1999-1586 Status: Candidate Phase: Assigned(20050830) Reference: CERT:CA-95.12 Reference: URL:http://www.cert.org/advisories/CA-1995-12.html Reference: CIAC:G-02 Reference: URL:http://www.ciac.org/ciac/bulletins/g-02.shtml Reference: XF:sun-loadmodule(498) Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/498 loadmodule in SunOS 4.1.x, as used by xnews, does not properly sanitize its environment, which allows local users to gain privileges, a different vulnerability than CVE-1999-1584. 
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1587
Status: Candidate
Phase: Assigned(20060328)
Reference: BID:19662
Reference: URL:http://www.securityfocus.com/bid/19662
Reference: MISC:http://www.sunmanagers.org/archives/1996/1383.html
Reference: OSVDB:24200
Reference: URL:http://www.osvdb.org/24200
Reference: OVAL:oval:org.mitre.oval:def:1470
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1470
Reference: SECTRACK:1015833
Reference: URL:http://securitytracker.com/id?1015833
Reference: SECUNIA:19426
Reference: URL:http://secunia.com/advisories/19426
Reference: SUNALERT:102215
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-26-102215-1
Reference: VUPEN:ADV-2006-1123
Reference: URL:http://www.vupen.com/english/advisories/2006/1123
Reference: XF:solaris-ps-information-disclosure(25460)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/25460

/usr/ucb/ps in Sun Microsystems Solaris 8 and 9, and certain earlier releases, allows local users to view the environment variables and values of arbitrary processes via the -e option.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1588
Status: Candidate
Phase: Assigned(20060421)
Reference: BID:2319
Reference: URL:http://www.securityfocus.com/bid/2319
Reference: MISC:http://lsd-pl.net/files/get?SOLARIS/solx86_nlps_server
Reference: MISC:http://security-protocols.com/sploits/unsorted_exploits/nlps_server.c
Reference: MISC:http://www.securityfocus.com/data/vulnerabilities/exploits/nlps_server.c

Buffer overflow in nlps_server in Sun Solaris x86 2.4, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code as root via a long string beginning with "NLPS:002:002:" to the listen (aka System V listener) port, TCP port 2766.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1589
Status: Candidate
Phase: Assigned(20060615)
Reference: AIXAPAR:IX26997
Reference: BID:357
Reference: URL:http://www.securityfocus.com/bid/357
Reference: CERT:CA-1992-10
Reference: URL:http://www.cert.org/advisories/CA-1992-10.html

Unspecified vulnerability in crontab in IBM AIX 3.2 allows local users to gain root privileges via unknown attack vectors.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1590
Status: Candidate
Phase: Assigned(20061203)
Reference: BUGTRAQ:19971010 Security flaw in Count.cgi (wwwcount)
Reference: URL:http://seclists.org/bugtraq/1997/Oct/0058.html

Directory traversal vulnerability in Muhammad A. Muquit wwwcount (Count.cgi) 2.3 allows remote attackers to read arbitrary GIF files via ".." sequences in the image parameter, a different vulnerability than CVE-1999-0021.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1591
Status: Candidate
Phase: Assigned(20070705)
Reference: BID:190
Reference: URL:http://www.securityfocus.com/bid/190
Reference: NTBUGTRAQ:19990118 IIS4.0 and Visual Interdev
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00276.html
Reference: NTBUGTRAQ:19990119 Re: IIS4.0 and Visual Interdev
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00277.html

Microsoft Internet Information Services (IIS) server 4.0 SP4, without certain hotfixes released for SP4, does not require authentication credentials under certain conditions, which allows remote attackers to bypass authentication requirements, as demonstrated by connecting via Microsoft Visual InterDev 6.0.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1592
Status: Candidate
Phase: Assigned(20070712)
Reference: BID:243
Reference: URL:http://www.securityfocus.com/bid/243
Reference: SUN:00159
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-22-00159-1

Multiple unspecified vulnerabilities in sendmail 5, as installed on Sun SunOS 4.1.3_U1 and 4.1.4, have unspecified attack vectors and impact. NOTE: this might overlap CVE-1999-0129.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1593
Status: Candidate
Phase: Assigned(20090114)
Reference: BID:2221
Reference: URL:http://www.securityfocus.com/bid/2221
Reference: BUGTRAQ:20010117 Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0264.html
Reference: BUGTRAQ:20010117 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0269.html
Reference: BUGTRAQ:20010117 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0274.html
Reference: BUGTRAQ:20010117 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0276.html
Reference: BUGTRAQ:20010118 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0271.html
Reference: BUGTRAQ:20010118 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0289.html
Reference: BUGTRAQ:20010119 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0298.html
Reference: MISC:https://www2.sans.org/reading_room/whitepapers/win2k/185.php
Reference: NTBUGTRAQ:19990302 NT Domain DoS and Security Exploit with SAMBA Server
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00371.html

Windows Internet Naming Service (WINS) allows remote attackers to cause a denial of service (connectivity loss) or steal credentials via a 1Ch registration that causes WINS to change the domain controller to point to a malicious server. NOTE: this problem may be limited when Windows 95/98 clients are used, or if the primary domain controller becomes unavailable.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1594
Status: Candidate
Phase: Assigned(20120104)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1595
Status: Candidate
Phase: Assigned(20120104)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1596
Status: Candidate
Phase: Assigned(20120104)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1597
Status: Candidate
Phase: Assigned(20120104)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1598
Status: Candidate
Phase: Assigned(20120104)

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-2000-0001
Status: Entry
Reference: BID:888
Reference: URL:http://www.securityfocus.com/bid/888
Reference: BUGTRAQ:19991222 RealMedia Server 5.0 Crasher (rmscrash.c)
Reference: XF:realserver-ramgen-dos

RealMedia server allows remote attackers to cause a denial of service via a long ramgen request.

======================================================
Name: CVE-2000-0002
Status: Entry
Reference: BID:889
Reference: URL:http://www.securityfocus.com/bid/889
Reference: BUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Reference: URL:http://marc.info/?l=bugtraq&m=94598388530358&w=2
Reference: BUGTRAQ:20000128 ZBServer 1.50-r1x exploit (WinNT)
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=36B0596E.8D111D66@teleline.es
Reference: NTBUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9912&L=NTBUGTRAQ&P=R3556
Reference: VULNWATCH:20020114 ZBServer Pro DoS Vulnerability
Reference: XF:zbserver-get-bo

Buffer overflow in ZBServer Pro 1.50 allows remote attackers to execute commands via a long GET request.

======================================================
Name: CVE-2000-0003
Status: Entry
Reference: BUGTRAQ:19991230 UnixWare rtpm exploit + discussion
Reference: BUGTRAQ:20000127 New SCO patches...
Reference: URL:http://marc.info/?l=bugtraq&m=94908470928258&w=2

Buffer overflow in UnixWare rtpm program allows local users to gain privileges via a long environmental variable.

======================================================
Name: CVE-2000-0004
Status: Entry
Reference: BUGTRAQ:19991223 Re: Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Reference: URL:http://marc.info/?l=bugtraq&m=94606572912422&w=2
Reference: NTBUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9912&L=NTBUGTRAQ&P=R3556
Reference: XF:zbserver-url-dot

ZBServer Pro allows remote attackers to read source code for executable files by inserting a . (dot) into the URL.

======================================================
Name: CVE-2000-0005
Status: Candidate
Phase: Modified(20090302)
Reference: BUGTRAQ:19991230 aserver.sh
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108
Reference: OVAL:oval:org.mitre.oval:def:5635
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5635
Reference: XF:hp-aserver

HP-UX aserver program allows local users to gain privileges via a symlink attack.

Current Votes:
   ACCEPT(3) Armstrong, Baker, Stracener
   MODIFY(1) Frech
   RECAST(1) Christey
   REVIEWING(1) Levy

Voter Comments:
 Christey> BUGTRAQ:20000102 "HPUX Aserver revisited." indicates that two different versions of aserver have symlink problems, but with different files. So CD:SF-LOC says we should split this.
 Frech> XF:hp-aserver
 Christey> BID:1928 and BID:1930? Which one is being described in this candidate?
 Christey> BID:1930

======================================================
Name: CVE-2000-0006
Status: Entry
Reference: BUGTRAQ:19991225 strace can lie
Reference: URL:http://online.securityfocus.com/archive/1/39831
Reference: XF:linux-strace(4554)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/4554

strace allows local users to read arbitrary files via memory mapped file names.

======================================================
Name: CVE-2000-0007
Status: Entry
Reference: BID:1740
Reference: URL:http://www.securityfocus.com/bid/1740
Reference: BUGTRAQ:19991230 PC-Cillin 6.x DoS Attack
Reference: XF:pccillin-proxy-remote-dos(4491)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/4491

Trend Micro PC-Cillin does not restrict access to its internal proxy port, allowing remote attackers to conduct a denial of service.

======================================================
Name: CVE-2000-0008
Status: Candidate
Phase: Proposed(20000111)
Reference: BUGTRAQ:19991227 FTPPro insecuities
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0008

FTPPro allows local users to read sensitive information, which is stored in plain text.

Current Votes:
   ACCEPT(3) Armstrong, Baker, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Levy

Voter Comments:
 Frech> XF:ftppro-plaintext-information
 Christey> ADDREF BID:1790
   ADDREF URL:http://www.securityfocus.com/bid/1790

======================================================
Name: CVE-2000-0009
Status: Entry
Reference: BID:907
Reference: URL:http://www.securityfocus.com/bid/907
Reference: BUGTRAQ:19991230 bna,sh
Reference: XF:netarchitect-path-vulnerability

The bna_pass program in Optivity NETarchitect uses the PATH environmental variable for finding the "rm" program, which allows local users to execute arbitrary commands.

======================================================
Name: CVE-2000-0010
Status: Entry
Reference: BUGTRAQ:19991226 WebWho+ ADVISORY
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0010
Reference: XF:http-cgi-webwhoplus

WebWho+ whois.cgi program allows remote attackers to execute commands via shell metacharacters in the TLD parameter.

======================================================
Name: CVE-2000-0011
Status: Entry
Reference: BID:906
Reference: URL:http://www.securityfocus.com/bid/906
Reference: BUGTRAQ:19991231 Local / Remote GET Buffer Overflow Vulnerability in AnalogX SimpleServer:WWW HTTP Server v1.1
Reference: MISC:http://www.analogx.com/contents/download/network/sswww.htm
Reference: OSVDB:1184
Reference: URL:http://www.osvdb.org/1184
Reference: XF:simpleserver-get-bo

Buffer overflow in AnalogX SimpleServer:WWW HTTP server allows remote attackers to execute commands via a long GET request.

======================================================
Name: CVE-2000-0012
Status: Entry
Reference: BID:898
Reference: URL:http://www.securityfocus.com/bid/898
Reference: BUGTRAQ:19991227 remote buffer overflow in miniSQL
Reference: XF:w3-msql-scanf-bo

Buffer overflow in w3-msql CGI program in miniSQL package allows remote attackers to execute commands.

======================================================
Name: CVE-2000-0013
Status: Entry
Reference: BID:909
Reference: URL:http://www.securityfocus.com/bid/909
Reference: BUGTRAQ:19991231 irix-soundplayer.sh
Reference: XF:irix-soundplayer-symlink

IRIX soundplayer program allows local users to gain privileges by including shell metacharacters in a .wav file, which is executed via the midikeys program.

======================================================
Name: CVE-2000-0014
Status: Entry
Reference: BID:897
Reference: URL:http://www.securityfocus.com/bid/897
Reference: BUGTRAQ:19991228 Local / Remote D.o.S Attack in Savant Web Server V2.0 WIN9X / NT / 2K
Reference: XF:savant-server-null-dos

Denial of service in Savant web server via a null character in the requested URL.

======================================================
Name: CVE-2000-0015
Status: Entry
Reference: BID:910
Reference: URL:http://www.securityfocus.com/bid/910
Reference: BUGTRAQ:19991231 tftpserv.sh
Reference: XF:cascadeview-tftp-symlink

CascadeView TFTP server allows local users to gain privileges via a symlink attack.

======================================================
Name: CVE-2000-0016
Status: Candidate
Phase: Proposed(20000111)
Reference: BID:730
Reference: URL:http://www.securityfocus.com/bid/730
Reference: BUGTRAQ:19991227 Remote DoS/Access Attack in Internet Anywhere Mail Server(POP 3) v2.3.1
Reference: NTBUGTRAQ:19991001 Vulnerabilities in the Internet Anywhere Mail Server

Buffer overflow in Internet Anywhere POP3 Mail Server allows remote attackers to cause a denial of service or execute commands via a long username.

Current Votes:
   ACCEPT(4) Armstrong, Baker, Levy, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:iams-pop3-command-dos

======================================================
Name: CVE-2000-0017
Status: Candidate
Phase: Proposed(20000111)
Reference: BUGTRAQ:19991221 (Possible) Linuxconf Remote Buffer Overflow Vulnerability
Reference: MISC:https://marc.info/?l=bugtraq&m=94580196627059&w=2

Buffer overflow in Linux linuxconf package allows remote attackers to gain root privileges via a long parameter.

Current Votes:
   NOOP(4) Armstrong, Baker, Christey, Stracener
   REJECT(2) Frech, Levy

Voter Comments:
 Christey> It's not certain whether this is exploitable or not. An expert (the linuxconf author?) wasn't able to duplicate the bug - see http://lwn.net/1999/1223/a/linuxconfresponse.html
   The original posting with example exploit was http://marc.theaimsgroup.com/?l=bugtraq&m=94580196627059&w=2
   However - GIAC and the Security Focus incidents list have consistently reported that scans are taking place for linuxconf, so do the hackers know more than we do?
 Frech> Unless vendor or other confirmation occurs, there has been no corroboration of this issue in public forums.
 CHANGE> [Armstrong changed vote from ACCEPT to NOOP]

======================================================
Name: CVE-2000-0018
Status: Entry
Reference: BID:885
Reference: URL:http://www.securityfocus.com/bid/885
Reference: BUGTRAQ:19991221 Wmmon under FreeBSD
Reference: OSVDB:1169
Reference: URL:http://www.osvdb.org/1169
Reference: XF:freebsd-wmmon-root-exploit

wmmon in FreeBSD allows local users to gain privileges via the .wmmonrc configuration file.

======================================================
Name: CVE-2000-0019
Status: Candidate
Phase: Proposed(20000111)
Reference: BUGTRAQ:19991221 [w00giving '99 #11] IMail's password encryption scheme
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0019

IMail POP3 daemon uses weak encryption, which allows local users to read files.

Current Votes:
   ACCEPT(3) Armstrong, Baker, Stracener
   MODIFY(2) Frech, Levy
   NOOP(1) Christey

Voter Comments:
 Frech> XF:imail-passwords
 Levy> BID 880
 Christey> BUGTRAQ:19990304 IMAIL password recovery is trivial.
   http://www.securityfocus.com/archive/1/12750
 Christey> Add version numbers (5.0 through 5.08)

======================================================
Name: CVE-2000-0020
Status: Entry
Reference: BUGTRAQ:19991221 Remote D.o.S Attack in DNS PRO v5.7 WinNT From FBLI Software Vulnerability
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0020
Reference: NTBUGTRAQ:19991221 Remote D.o.S Attack in DNS PRO v5.7 WinNT From FBLI Software Vulnerability
Reference: XF:dnspro-flood-dos

DNS PRO allows remote attackers to conduct a denial of service via a large number of connections.

======================================================
Name: CVE-2000-0021
Status: Candidate
Phase: Modified(20060616)
Reference: BID:881
Reference: URL:http://www.securityfocus.com/bid/881
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack

Lotus Domino HTTP server allows remote attackers to determine the real path of the server via a request to a non-existent script in /cgi-bin.

Current Votes:
   ACCEPT(3) Armstrong, Baker, Stracener
   MODIFY(2) Frech, Levy
   NOOP(1) Christey

Voter Comments:
 Frech> XF:http-cgi-lotus-domino
 Levy> BID 881
 Christey> BID:881

======================================================
Name: CVE-2000-0022
Status: Entry
Reference: BID:881
Reference: URL:http://www.securityfocus.com/bid/881
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack

Lotus Domino HTTP server does not properly disable anonymous access for the cgi-bin directory.

======================================================
Name: CVE-2000-0023
Status: Entry
Reference: BID:881
Reference: URL:http://www.securityfocus.com/bid/881
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991222 Lotus Notes HTTP cgi-bin vulnerability: possible workaround
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack
Reference: OSVDB:51
Reference: URL:http://www.osvdb.org/51

Buffer overflow in Lotus Domino HTTP server allows remote attackers to cause a denial of service via a long URL.

======================================================
Name: CVE-2000-0024
Status: Entry
Reference: BUGTRAQ:19991228 Third Party Software Affected by IIS "Escape Character Parsing" Vulnerability
Reference: BUGTRAQ:19991229 More info on MS99-061 (IIS escape character vulnerability)
Reference: MISC:http://www.acrossecurity.com/aspr/ASPR-1999-11-10-1-PUB.txt
Reference: MS:MS99-061
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-061
Reference: MSKB:Q246401
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q246401
Reference: XF:iis-badescapes

IIS does not properly canonicalize URLs, potentially allowing remote attackers to bypass access restrictions in third-party software via escape characters, aka the "Escape Character Parsing" vulnerability.

======================================================
Name: CVE-2000-0025
Status: Entry
Reference: MS:MS99-058
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-058
Reference: MSKB:Q238606
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q238606
Reference: OSVDB:8098
Reference: URL:http://www.osvdb.org/8098

IIS 4.0 and Site Server 3.0 allow remote attackers to read source code for ASP files if the file is in a virtual directory whose name includes extensions such as .com, .exe, .sh, .cgi, or .dll, aka the "Virtual Directory Naming" vulnerability.

======================================================
Name: CVE-2000-0026
Status: Entry
Reference: BID:876
Reference: URL:http://www.securityfocus.com/bid/876
Reference: BUGTRAQ:19991222 UnixWare i2odialogd remote root exploit
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: URL:http://marc.info/?l=bugtraq&m=94606167110764&w=2
Reference: OSVDB:6310
Reference: URL:http://www.osvdb.org/6310

Buffer overflow in UnixWare i2odialogd daemon allows remote attackers to gain root access via a long username/password authorization string.

======================================================
Name: CVE-2000-0027
Status: Entry
Reference: BID:900
Reference: URL:http://www.securityfocus.com/bid/900
Reference: BUGTRAQ:19991227 IBM NetStation/UnixWare local root exploit
Reference: URL:http://www.securityfocus.com/archive/1/39962
Reference: XF:ibm-netstat-race-condition(5381)
Reference: URL:http://www.iss.net/security_center/static/5381.php

IBM Network Station Manager NetStation allows local users to gain privileges via a symlink attack.

======================================================
Name: CVE-2000-0028
Status: Candidate
Phase: Modified(20000626)
Reference: BUGTRAQ:19991222 IE 5.01 vulnerabilities in external.NavigateAndFind()
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0028
Reference: XF:ie-navigateandfind

Internet Explorer 5.0 and 5.01 allows remote attackers to bypass the cross frame security policy and read files via the external.NavigateAndFind function.

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Frech, Levy
   NOOP(1) Baker
   RECAST(1) LeBlanc
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:ie-navigateandfind
 Christey> May be a duplicate of CVE-2000-0465 according to my communications with Microsoft people. CVE-2000-0266 may also be a variant.
 Levy> BID 887
 LeBlanc> duplicate

======================================================
Name: CVE-2000-0029
Status: Entry
Reference: BID:901
Reference: URL:http://www.securityfocus.com/bid/901
Reference: BUGTRAQ:19991227 UnixWare local pis exploit
Reference: BUGTRAQ:20000113 Info on some security holes reported against SCO Unixware.
Reference: URL:http://marc.info/?l=bugtraq&m=94780294009285&w=2

UnixWare pis and mkpis commands allow local users to gain privileges via a symlink attack.

======================================================
Name: CVE-2000-0030
Status: Entry
Reference: BID:878
Reference: URL:http://www.securityfocus.com/bid/878
Reference: BUGTRAQ:19991222 Solaris 2.7 dmispd local/remote problems
Reference: XF:sol-dmispd-fill-disk

Solaris dmispd dmi_cmd allows local users to fill up restricted disk space by adding files to the /var/dmi/db database.

======================================================
Name: CVE-2000-0031
Status: Entry
Reference: L0PHT:19991227 initscripts-4.48-1 RedHat Linux 6.1
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0031
Reference: REDHAT:RHSA-1999:052-04

The initscripts package in Red Hat Linux allows local users to gain privileges via a symlink attack.

======================================================
Name: CVE-2000-0032
Status: Entry
Reference: BID:878
Reference: URL:http://www.securityfocus.com/bid/878
Reference: BUGTRAQ:19991222 Solaris 2.7 dmispd local/remote problems
Reference: OSVDB:7582
Reference: URL:http://www.osvdb.org/7582
Reference: XF:sol-dmispd-dos

Solaris dmi_cmd allows local users to crash the dmispd daemon by adding a malformed file to the /var/dmi/db database.

======================================================
Name: CVE-2000-0033
Status: Entry
Reference: BID:899
Reference: URL:http://www.securityfocus.com/bid/899
Reference: BUGTRAQ:19991227 Trend Micro InterScan VirusWall SMTP bug
Reference: XF:interscan-viruswall-bypass

InterScan VirusWall SMTP scanner does not properly scan messages with malformed attachments.

======================================================
Name: CVE-2000-0034
Status: Entry
Reference: BUGTRAQ:19991222 More Netscape Passwords Available.
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0034
Reference: XF:netscape-password-preferences

Netscape 4.7 records user passwords in the preferences.js file during an IMAP or POP session, even if the user has not enabled "remember passwords."

======================================================
Name: CVE-2000-0035
Status: Candidate
Phase: Proposed(20000111)
Reference: BID:902
Reference: URL:http://www.securityfocus.com/bid/902
Reference: BUGTRAQ:19991228 majordomo local exploit
Reference: BUGTRAQ:20000113 Info on some security holes reported against SCO Unixware.
Reference: URL:http://marc.info/?l=bugtraq&m=94780294009285&w=2

resend command in Majordomo allows local users to gain privileges via shell metacharacters.

Current Votes:
   ACCEPT(3) Baker, Levy, Stracener
   MODIFY(2) Cox, Frech
   NOOP(1) Armstrong
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:majordomo-local-resend
 Christey> The Bugtraq thread indicates that this problem may be due to misconfiguration, and may extend beyond just the resend command.
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
 Christey> Include "wrapper" to facilitate search and matching? (but double-check CVE-2000-0037). Add "1.94.4 and earlier" as the affected version number.
   ADDREF AUSCERT:AA-2000.01
   ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.01
 Cox> ADDREF REDHAT:RHSA-2000:005

======================================================
Name: CVE-2000-0036
Status: Entry
Reference: MS:MS99-060
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-060
Reference: MSKB:Q249082
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q249082

Outlook Express 5 for Macintosh downloads attachments to HTML mail without prompting the user, aka the "HTML Mail Attachment" vulnerability.

======================================================
Name: CVE-2000-0037
Status: Entry
Reference: BID:903
Reference: URL:http://www.securityfocus.com/bid/903
Reference: BUGTRAQ:19991228 majordomo local exploit
Reference: BUGTRAQ:20000113 Info on some security holes reported against SCO Unixware.
Reference: URL:http://marc.info/?l=bugtraq&m=94780294009285&w=2
Reference: BUGTRAQ:20000124 majordomo 1.94.5 does not fix all vulnerabilities
Reference: REDHAT:RHSA-2000:005
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-005.html

Majordomo wrapper allows local users to gain privileges by specifying an alternate configuration file.

======================================================
Name: CVE-2000-0038
Status: Candidate
Phase: Proposed(20000111)
Reference: BUGTRAQ:19991223 Multiple vulnerabilites in glFtpD (current versions)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0038

glFtpD includes a default glftpd user account with a default password and a UID of 0.

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Frech, Levy
   NOOP(1) Baker

Voter Comments:
 Frech> XF:glftpd-default-account
 Levy> BID 881

======================================================
Name: CVE-2000-0039
Status: Entry
Reference: BID:896
Reference: URL:http://www.securityfocus.com/bid/896
Reference: BUGTRAQ:19991229 AltaVista
Reference: BUGTRAQ:19991229 AltaVista followup and monitor script
Reference: BUGTRAQ:19991230 Follow UP AltaVista
Reference: BUGTRAQ:20000103 FW: Patch issued for AltaVista Search Engine Directory TraversalVulnerability
Reference: BUGTRAQ:20000109 Altavista followup
Reference: OSVDB:15
Reference: URL:http://www.osvdb.org/15

AltaVista search engine allows remote attackers to read files above the document root via a .. (dot dot) in the query.cgi CGI program.

======================================================
Name: CVE-2000-0040
Status: Entry
Reference: BUGTRAQ:19991223 Multiple vulnerabilites in glFtpD (current versions)
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0040

glFtpD allows local users to gain privileges via metacharacters in the SITE ZIPCHK command.

======================================================
Name: CVE-2000-0041
Status: Entry
Reference: BID:890
Reference: URL:http://www.securityfocus.com/bid/890
Reference: BUGTRAQ:19991229 The "Mac DoS Attack," a Scheme for Blocking Internet Connections

Macintosh systems generate large ICMP datagrams in response to malformed datagrams, allowing them to be used as amplifiers in a flood attack.

======================================================
Name: CVE-2000-0042
Status: Entry
Reference: BID:895
Reference: URL:http://www.securityfocus.com/bid/895
Reference: BUGTRAQ:19991229 Local / Remote D.o.S Attack in CSM Mail Server for Windows 95/NT v.2000.08.A
Reference: XF:csm-server-bo

Buffer overflow in CSM mail server allows remote attackers to cause a denial of service or execute commands via a long HELO command.

======================================================
Name: CVE-2000-0043
Status: Entry
Reference: BID:905
Reference: URL:http://www.securityfocus.com/bid/905
Reference: BUGTRAQ:19991230 Local / Remote GET Buffer Overflow Vulnerability in CamShot WebCam HTTP Server v2.5 for Win9x/NT
Reference: XF:camshot-http-get-overflow

Buffer overflow in CamShot WebCam HTTP server allows remote attackers to execute commands via a long GET request.

======================================================
Name: CVE-2000-0044
Status: Entry
Reference: BID:919
Reference: URL:http://www.securityfocus.com/bid/919
Reference: BUGTRAQ:20000105 SECURITY ALERT - WAR FTP DAEMON ALL VERSIONS
Reference: XF:warftp-macro-access-files

Macros in War FTP 1.70 and 1.67b2 allow local or remote attackers to read arbitrary files or execute commands.

======================================================
Name: CVE-2000-0045
Status: Entry
Reference: BID:926
Reference: URL:http://www.securityfocus.com/bid/926
Reference: BUGTRAQ:20000111 Serious bug in MySQL password handling.
Reference: BUGTRAQ:20000113 New MySQL Available
Reference: XF:mysql-pwd-grant

MySQL allows local users to modify passwords for arbitrary MySQL users via the GRANT privilege.

======================================================
Name: CVE-2000-0046
Status: Candidate
Phase: Modified(20000204)
Reference: BID:929
Reference: URL:http://www.securityfocus.com/bid/929
Reference: BUGTRAQ:20000111 ICQ Buffer Overflow Exploit
Reference: XF:icq-url-bo

Buffer overflow in ICQ 99b 1.1.1.1 client allows remote attackers to execute commands via a malformed URL within an ICQ message.

Current Votes:
   ACCEPT(2) Baker, Williams
   MODIFY(1) Frech

Voter Comments:
 Frech> ADDREF XF:icq-url-bo

======================================================
Name: CVE-2000-0047
Status: Candidate
Phase: Modified(20000202)
Reference: BUGTRAQ:20000117 Yahoo Pager/Messanger Buffer Overflow
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0047
Reference: XF:yahoo-messenger-pager-dos

Buffer overflow in Yahoo Pager/Messenger client allows remote attackers to cause a denial of service via a long URL within a message.

Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(1) Williams

======================================================
Name: CVE-2000-0048
Status: Entry
Reference: BID:928
Reference: URL:http://www.securityfocus.com/bid/928
Reference: BUGTRAQ:20000112 Serious Bug in Corel Linux.(Local root exploit)
Reference: CONFIRM:http://linux.corel.com/support/clos_patch1.htm
Reference: XF:linux-corel-update

get_it program in Corel Linux Update allows local users to gain root access by specifying an alternate PATH for the cp program.

======================================================
Name: CVE-2000-0049
Status: Candidate
Phase: Modified(20071115)
Reference: BID:925
Reference: URL:http://www.securityfocus.com/bid/925
Reference: BUGTRAQ:20000109 Buffer overflow with WinAmp 2.10
Reference: NTBUGTRAQ:20000107 Winamp buffer overflow advisory
Reference: OSVDB:12022
Reference: URL:http://www.osvdb.org/12022
Reference: XF:winamp-playlist-bo

Buffer overflow in Winamp client allows remote attackers to execute commands via a long entry in a .pls file.

Current Votes:
   ACCEPT(2) Cole, Wall
   MODIFY(2) Baker, Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:winamp-playlist-bo
 Christey> This may have been discovered earlier in:
   BUGTRAQ:19990512 Buffer overflow in WinAMP 2.x
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92662988700367&w=2
   See the following for possible confirmation:
   URL:http://www.winamp.com/getwinamp/newfeatures.jhtml
 Wall> This vulnerability has been seen in several versions of Winamp and is part of ISS X-Force and SecuriTeam vulnerability checks.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Baker> The old confirm url doesn't work any more... I am not sure where we can get the old changelog/error list.

======================================================
Name: CVE-2000-0050
Status: Entry
Reference: ALLAIRE:ASB00-01
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=13976&Method=Full
Reference: BID:915
Reference: URL:http://www.securityfocus.com/bid/915
Reference: XF:allaire-webtop-access

The Allaire Spectra Webtop allows authenticated users to access other Webtop sections by specifying explicit URLs.
======================================================
Name: CVE-2000-0051
Status: Entry
Reference: ALLAIRE:ASB00-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=13977&Method=Full
Reference: BID:916
Reference: URL:http://www.securityfocus.com/bid/916
Reference: XF:allaire-spectra-config-dos

The Allaire Spectra Configuration Wizard allows remote attackers to cause a denial of service by repeatedly resubmitting data collections for indexing via a URL.

======================================================
Name: CVE-2000-0052
Status: Entry
Reference: BID:913
Reference: URL:http://www.securityfocus.com/bid/913
Reference: L0PHT:20000104 PamSlam
Reference: URL:http://www.l0pht.com/advisories/pam_advisory
Reference: REDHAT:RHSA-2000:001
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-001.html
Reference: XF:linux-pam-userhelper
Reference: URL:http://xforce.iss.net/search.php3?type=2&pattern=linux-pam-userhelper

Red Hat userhelper program in the usermode package allows local users to gain root access via PAM and a .. (dot dot) attack.

======================================================
Name: CVE-2000-0053
Status: Entry
Reference: BID:912
Reference: URL:http://www.securityfocus.com/bid/912
Reference: MS:MS00-001
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-001
Reference: MSKB:Q246731
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q246731
Reference: XF:mcis-malformed-imap

Microsoft Commercial Internet System (MCIS) IMAP server allows remote attackers to cause a denial of service via a malformed IMAP request.

======================================================
Name: CVE-2000-0054
Status: Candidate
Phase: Proposed(20000125)
Reference: BID:921
Reference: URL:http://www.securityfocus.com/bid/921
Reference: BUGTRAQ:20000104 Another search.cgi vulnerability

search.cgi in the SolutionScripts Home Free package allows remote attackers to view directories via a .. (dot dot) attack.
Current Votes:
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:http-cgi-homefree-search

======================================================
Name: CVE-2000-0055
Status: Candidate
Phase: Proposed(20000125)
Reference: BID:918
Reference: URL:http://www.securityfocus.com/bid/918
Reference: BUGTRAQ:20000106 [Hackerslab bug_paper] Solaris chkperm buffer overflow

Buffer overflow in Solaris chkperm command allows local users to gain root access via a long -n option.

Current Votes:
   MODIFY(2) Baker, Frech
   NOOP(1) Dik

Voter Comments:
 Frech> XF:sol-chkperm-bo(3870)
 Dik> chkperm runs set-uid bin, so initially the access granted will be user bin, not root. (Though bin access can easily be leveraged to root access, less so in Solaris 8+) Also, there is reason to believe this bug is not exploitable; the buffer overflown is declared in the stack in main(); yet, the program never returns from main() but calls exit instead so any damage to return addresses is never noticed.
 Baker> Maybe the details from Caspar could be included, or modify the description somewhat

======================================================
Name: CVE-2000-0056
Status: Entry
Reference: BID:914
Reference: URL:http://www.securityfocus.com/bid/914
Reference: BUGTRAQ:20000105 Local / Remote D.o.S Attack in IMail IMONITOR Server for WinNT Version 5.08
Reference: XF:imail-imonitor-status-dos

IMail IMONITOR status.cgi CGI script allows remote attackers to cause a denial of service with many calls to status.cgi.

======================================================
Name: CVE-2000-0057
Status: Entry
Reference: ALLAIRE:ASB00-03
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=13978&Method=Full
Reference: BID:917
Reference: URL:http://www.securityfocus.com/bid/917
Reference: XF:coldfusion-cfcache

Cold Fusion CFCACHE tag places temporary cache files within the web document root, allowing remote attackers to obtain sensitive system information.
======================================================
Name: CVE-2000-0058
Status: Candidate
Phase: Proposed(20000125)
Reference: BID:920
Reference: URL:http://www.securityfocus.com/bid/920
Reference: BUGTRAQ:20000105 Handspring Visor Network HotSync Security Hole
Reference: URL:http://www.security-express.com/archives/bugtraq/2000-01/0085.html

Network HotSync program in Handspring Visor does not have authentication, which allows remote attackers to retrieve email and files.

Current Votes:
   MODIFY(2) Baker, Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:handspring-visor-auth(3873)
   Consider removing the security-express.com reference, since it is identical to the BugTraq reference. The BugTraq reference is (hopefully) not going to disappear soon, and the security-express.com reference provides no new or additional information.
 Christey> URLs will begin to be included with candidates to support Board members' voting activities. They will be converted to the generalized reference format if and when the candidate is ACCEPTed and becomes an official entry.
 Christey> The problem may not be a lack of authentication (as mentioned by the poster), but rather weak authentication (the apparent need to provide the same username).
 Baker> Modify description to indicate the weak authentication

======================================================
Name: CVE-2000-0059
Status: Candidate
Phase: Proposed(20000125)
Reference: BID:911
Reference: URL:http://www.securityfocus.com/bid/911
Reference: BUGTRAQ:20000103 PHP3 safe_mode and popen()

PHP3 with safe_mode enabled does not properly filter shell metacharacters from commands that are executed by popen, which could allow remote attackers to execute commands.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:php3-popen-execute(3900)
 Christey> CONFIRM:http://www.php.net/ChangeLog.php3
   Section dated January 11, 2000 says: "Fix safe-mode problem in popen() (Kristian)"

======================================================
Name: CVE-2000-0060
Status: Entry
Reference: BID:894
Reference: URL:http://www.securityfocus.com/bid/894
Reference: BUGTRAQ:19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt
Reference: URL:http://marc.info/?l=bugtraq&m=94633851427858&w=2
Reference: NTBUGTRAQ:19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt
Reference: URL:http://marc.info/?l=ntbugtraq&m=94647711311057&w=2
Reference: XF:avirt-rover-pop3-dos(3765)
Reference: URL:http://www.iss.net/security_center/static/3765.php

Buffer overflow in aVirt Rover POP3 server 1.1 allows remote attackers to cause a denial of service via a long user name.

======================================================
Name: CVE-2000-0061
Status: Candidate
Phase: Proposed(20000125)
Reference: BID:923
Reference: URL:http://www.securityfocus.com/bid/923
Reference: BUGTRAQ:20000107 IE 5 security vulnerablity - circumventing Cross-frame security policy and accessing the DOM of "old" documents.

Internet Explorer 5 does not modify the security zone for a document that is being loaded into a window until after the document has been loaded, which could allow remote attackers to execute Javascript in a different security context while the document is loading.

Current Votes:
   MODIFY(2) Frech, LeBlanc
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Frech> XF:ie-cross-frame-docs(3901)
 LeBlanc> - I'd like to see a KB or bulletin referenced
 Christey> This is a duplicate of CVE-2000-0156.
   The FAQ at http://www.microsoft.com/technet/security/bulletin/fq00-009.asp says "the vulnerability requires Active Scripting" and "it is possible, under very specific conditions, to violate IE's cross-domain security model." Also says "the redirect is made, via the <IMG SRC> HTML tag"
   Need to copy these references over to CVE-2000-0156.

======================================================
Name: CVE-2000-0062
Status: Entry
Reference: BID:922
Reference: URL:http://www.securityfocus.com/bid/922
Reference: BUGTRAQ:20000104 [petrilli@digicool.com: [Zope] SECURITY ALERT]
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000104222219.B41650@schvin.net
Reference: XF:zope-dtml

The DTML implementation in the Z Object Publishing Environment (Zope) allows remote attackers to conduct unauthorized activities.

======================================================
Name: CVE-2000-0063
Status: Entry
Reference: BID:938
Reference: URL:http://www.securityfocus.com/bid/938
Reference: BUGTRAQ:20000118 Nortel Contivity Vulnerability
Reference: XF:http-cgi-cgiproc-file-read

cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to read arbitrary files by specifying the filename in a parameter to the script.

======================================================
Name: CVE-2000-0064
Status: Entry
Reference: BID:938
Reference: URL:http://www.securityfocus.com/bid/938
Reference: BUGTRAQ:20000118 Nortel Contivity Vulnerability
Reference: OSVDB:7583
Reference: URL:http://www.osvdb.org/7583
Reference: XF:http-cgi-cgiproc-dos

cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to cause a denial of service via a malformed URL that includes shell metacharacters.
======================================================
Name: CVE-2000-0065
Status: Entry
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0065
Reference: NTBUGTRAQ:20000117 Remote Buffer Exploit - InetServ 3.0
Reference: XF:inetserv-get-bo

Buffer overflow in InetServ 3.0 allows remote attackers to execute commands via a long GET request.

======================================================
Name: CVE-2000-0066
Status: Candidate
Phase: Proposed(20000125)
Reference: BUGTRAQ:20000112 WebSitePro/2.3.18 is revealing Webdirectories
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0066

WebSite Pro allows remote attackers to determine the real pathname of webdirectories via a malformed URL request.

Current Votes:
   ACCEPT(2) Baker, Williams
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:website-pro-dir-path
 Christey> ADDREF BUGTRAQ:20000113 Re: WebSitePro/2.3.18 + 2.4.9 is revealing Webdirectories
   URL:http://www.securityfocus.com/archive/1/41798
   Also BID:932

======================================================
Name: CVE-2000-0067
Status: Candidate
Phase: Proposed(20000125)
Reference: BUGTRAQ:20000112 CyberCash MCK 3.2.0.4: Large /tmp hole
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0067

CyberCash Merchant Connection Kit (MCK) allows local users to modify files via a symlink attack.

Current Votes:
   ACCEPT(2) Baker, Williams
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:cybercash-mck-tmp(3823)

======================================================
Name: CVE-2000-0068
Status: Candidate
Phase: Proposed(20000125)
Reference: BUGTRAQ:20000104 [rootshell] Security Bulletin #27
Reference: URL:http://marc.info/?l=bugtraq&m=94704437920965&w=2

daynad program in Intel InBusiness E-mail Station does not require authentication, which allows remote attackers to modify its configuration, delete files, or read mail.
Current Votes:
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:intel-email-unauthenticate-users

======================================================
Name: CVE-2000-0069
Status: Candidate
Phase: Proposed(20000125)
Reference: BUGTRAQ:20000104 Security problem with Solstice Backup/Legato Networker recover command
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0069

The recover program in Solstice Backup allows local users to restore sensitive files.

Current Votes:
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:solstice-backup-restore-files(3904)

======================================================
Name: CVE-2000-0070
Status: Entry
Reference: BID:934
Reference: URL:http://www.securityfocus.com/bid/934
Reference: BINDVIEW:20000113 Local Promotion Vulnerability in Windows NT 4
Reference: URL:http://www.bindview.com/security/advisory/adv_NtImpersonate.html
Reference: MS:MS00-003
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-003
Reference: MSKB:Q247869
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q247869
Reference: XF:nt-spoofed-lpc-port
Reference: URL:http://xforce.iss.net/search.php3?type=2&pattern=nt-spoofed-lpc-port

NtImpersonateClientOfPort local procedure call in Windows NT 4.0 allows local users to gain privileges, aka "Spoofed LPC Port Request."

======================================================
Name: CVE-2000-0071
Status: Candidate
Phase: Proposed(20000125)
Reference: BUGTRAQ:20000111 IIS still revealing paths for web directories
Reference: URL:http://marc.info/?l=bugtraq&m=94770020309953&w=2
Reference: BUGTRAQ:20000113 SV: IIS still revealing paths for web directories
Reference: URL:http://marc.info/?l=bugtraq&m=94780058006791&w=2

IIS 4.0 allows a remote attacker to obtain the real pathname of the document root by requesting non-existent files with .ida or .idq extensions.
Current Votes:
   ACCEPT(2) LeBlanc, Levy
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Frech> XF:iis-ida-idq-paths
 Christey> Consider adding:
   ADDREF BID:1065
   BUGTRAQ:20000309 Enumerate Root Web Server Directory Vulnerability for IIS 4.0
   Are there really 2 different threads on the same problem?
   Also consider XF:iis-root-enum
   May also be a dupe of CVE-1999-0450 (BID:194)
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> Appears to be a duplicate of CVE-2000-0098. Confirm with Microsoft, and if it is a duplicate, then REJECT this candidate.
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> Confirmed duplicate by Microsoft.
 Christey> iis-ida-idq-paths(4346) is obsolete; ensure http-indexserver-path(3890) is added to CVE-2000-0098.

======================================================
Name: CVE-2000-0072
Status: Entry
Reference: BID:937
Reference: URL:http://www.securityfocus.com/bid/937
Reference: BUGTRAQ:20000118 Warning: VCasel security hole.
Reference: URL:http://marc.info/?l=bugtraq&m=94823061421676&w=2
Reference: XF:vcasel-filename-trusting(3867)
Reference: URL:http://www.iss.net/security_center/static/3867.php

Visual Casel (Vcasel) does not properly prevent users from executing files, which allows local users to use a relative pathname to specify an alternate file which has an approved name and possibly gain privileges.

======================================================
Name: CVE-2000-0073
Status: Entry
Reference: MS:MS00-005
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-005
Reference: MSKB:Q249973
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q249973
Reference: XF:win-malformed-rtf-control-word
Reference: URL:http://xforce.iss.net/search.php3?type=2&pattern=win-malformed-rtf-control-word

Buffer overflow in Microsoft Rich Text Format (RTF) reader allows attackers to cause a denial of service via a malformed control word.
======================================================
Name: CVE-2000-0074
Status: Candidate
Phase: Proposed(20000125)
Reference: BUGTRAQ:20000111 PowerScripts PlusMail Vulnerablity
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0074

PowerScripts PlusMail CGI program allows remote attackers to execute commands via a password file with improper permissions.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Christey, Williams

Voter Comments:
 Frech> XF:plusmail-password-permissions
 Christey> Re-read the Bugtraq post to make sure the problem is described properly. The advisory itself is vague as to the nature of the problem, and the exploit doesn't help clarify too much.
 Christey> Consider adding BID:2653

======================================================
Name: CVE-2000-0075
Status: Entry
Reference: BID:930
Reference: URL:http://www.securityfocus.com/bid/930
Reference: BUGTRAQ:20000113 Local / Remote D.o.S Attack in Super Mail Transfer Package (SMTP) Server for WinNT Version 1.9x
Reference: NTBUGTRAQ:20000113 Local / Remote D.o.S Attack in Super Mail Transfer Package (SMTP) Server for WinNT Version 1.9x
Reference: XF:supermail-memleak-dos

Super Mail Transfer Package (SMTP), later called MsgCore, has a memory leak which allows remote attackers to cause a denial of service by repeating multiple HELO, MAIL FROM, RCPT TO, and DATA commands in the same session.

======================================================
Name: CVE-2000-0076
Status: Entry
Reference: BID:1439
Reference: URL:http://www.securityfocus.com/bid/1439
Reference: BUGTRAQ:19991230 vibackup.sh
Reference: URL:http://marc.info/?l=bugtraq&m=94709988232618&w=2
Reference: DEBIAN:20000108
Reference: XF:nvi-delete-files

nviboot boot script in the Debian nvi package allows local users to delete files via malformed entries in vi.recover.
======================================================
Name: CVE-2000-0077
Status: Candidate
Phase: Modified(20090302)
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108
Reference: OVAL:oval:org.mitre.oval:def:5549
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5549

The October 1998 version of the HP-UX aserver program allows local users to gain privileges by specifying an alternate PATH which aserver uses to find the ps and grep commands.

Current Votes:
   MODIFY(2) Baker, Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> ADDREF XF:hp-aserver
 Christey> The Bugtraq posting does not mention specific versions. Is October 1998 equivalent to HP-UX 10.x?
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> BID:1929
   Make sure not dupes with CVE-2000-0005 and CVE-20000-0078.
 Baker> Was the BID reference ever added to this one?

======================================================
Name: CVE-2000-0078
Status: Candidate
Phase: Modified(20090302)
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108
Reference: OVAL:oval:org.mitre.oval:def:5728
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5728

The June 1999 version of the HP-UX aserver program allows local users to gain privileges by specifying an alternate PATH which aserver uses to find the awk command.

Current Votes:
   ACCEPT(2) Baker, Prosser
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> ADDREF XF:hp-aserver
 Christey> The Bugtraq posting does not mention specific versions. Is June 1999 equivalent to HP-UX 10.x?
 Prosser> The HP Bulletin (already ref'd) just specifies 10.x and 11.x OS versions running on HP9000 700/800 series. According to Tripp (bugtraq), the audio server doesn't run on a machine without Audio Hardware (logical).
   So one has to assume from the bulletin that any 9000 with audio hardware that is running a 10.x or 11.x version of OS with either the 98 or 99 version of Aserver loaded will be vulnerable to either the exploit in CVE-1999-0005 (the 98 version of Aserver) or CVE-2000-0078 (the 99 version) and should take appropriate action. No patches out from HP as of 10/2/2000 so either remove the program or tighten the permissions considerably.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> BID:1929
   Make sure not dupes with CVE-2000-0005 and CVE-20000-0077.

======================================================
Name: CVE-2000-0079
Status: Candidate
Phase: Proposed(20000125)
Reference: BID:936
Reference: URL:http://www.securityfocus.com/bid/936
Reference: BUGTRAQ:20000118 Re: IIS still revealing paths for web directories

The W3C CERN httpd HTTP server allows remote attackers to determine the real pathnames of some commands via a request for a nonexistent URL.

Current Votes:
   MODIFY(2) Baker, Frech
   NOOP(2) Christey, Williams
   RECAST(1) LeBlanc

Voter Comments:
 Frech> XF:w3c-httpd-reveal-paths
 LeBlanc> Title references IIS, vuln references W3C CERN httpd. Which one is broken?
 Christey> The mention of CERN httpd was buried in a followup on a description of an IIS problem, so this is the correct reference.
 Baker> Will the XF reference be added?

======================================================
Name: CVE-2000-0080
Status: Entry
Reference: BID:931
Reference: URL:http://www.securityfocus.com/bid/931
Reference: BUGTRAQ:20000110 2nd attempt: AIX techlibss follows links
Reference: URL:http://marc.info/?l=bugtraq&m=94757136413681&w=2
Reference: XF:aix-techlibss-symbolic-link

AIX techlibss allows local users to overwrite files via a symlink attack.
======================================================
Name: CVE-2000-0081
Status: Candidate
Phase: Proposed(20000125)
Reference: BUGTRAQ:20000110 Yet another Hotmail security hole - injecting JavaScript using "jAvascript:"
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0081

Hotmail does not properly filter JavaScript code from a user's mailbox, which allows a remote attacker to execute the code by using hexadecimal codes to specify the javascript: protocol, e.g. jAvascript.

Current Votes:
   MODIFY(1) Frech
   REJECT(1) Baker

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:hotmail-vascript-java-injection

======================================================
Name: CVE-2000-0082
Status: Candidate
Phase: Modified(20040901)
Reference: BUGTRAQ:20000104 The WebTV Email Exploit
Reference: MISC:http://net4tv.com/voice/story.cfm?StoryID=1823
Reference: MISC:http://www.wired.com/news/technology/0,1282,33420,00.html

WebTV email client allows remote attackers to force the client to send email without the user's knowledge via HTML.

Current Votes:
   MODIFY(1) Frech
   REJECT(1) Baker

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> ADDREF XF:webtv-hijack-mail-forward

======================================================
Name: CVE-2000-0083
Status: Entry
Reference: HP:HPSBUX0001-109
Reference: URL:http://www.securityfocus.com/templates/advisory.html?id=2031
Reference: XF:hp-audio-security-perms

HP asecure creates the Audio Security File audio.sec with insecure permissions, which allows local users to cause a denial of service or gain additional privileges.
======================================================
Name: CVE-2000-0084
Status: Candidate
Phase: Proposed(20000125)
Reference: BUGTRAQ:20000105 CuteFTP saved password 'encryption' weakness
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0084

CuteFTP uses weak encryption to store password information in its tree.dat file.

Current Votes:
   MODIFY(2) Baker, Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:cuteftp-weak-encrypt(3910)
 Christey> BUGTRAQ:20010823 Re: Respondus v1.1.2 stores passwords using weak encryption
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99861651923668&w=2
   This followup to a different thread mentions the sm.dat file for the site manager.
 Baker> The reference from the Bugtraq mentions the sm.dat uses better encryption, but doesn't really address the tree.dat file.

======================================================
Name: CVE-2000-0085
Status: Candidate
Phase: Proposed(20000125)
Reference: BUGTRAQ:20000103 Hotmail security hole - injecting JavaScript using <IMG LOWSRC="javascript:....">
Reference: BUGTRAQ:20000104 Yet another Hotmail security hole - injecting JavaScript in IE using <IMG DYNRC="javascript:....">
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0085

Hotmail does not properly filter JavaScript code from a user's mailbox, which allows a remote attacker to execute code via the LOWSRC or DYNRC parameters in the IMG tag.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:hotmail-java-execute

======================================================
Name: CVE-2000-0086
Status: Candidate
Phase: Proposed(20000125)
Reference: BID:935
Reference: URL:http://www.securityfocus.com/bid/935
Reference: BUGTRAQ:20000116 TB2 Pro sending NT passwords cleartext

Netopia Timbuktu Pro sends user IDs and passwords in cleartext, which allows remote attackers to obtain them via sniffing.
Current Votes:
   ACCEPT(2) Baker, Williams
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:timbuktu-password-cleartext

======================================================
Name: CVE-2000-0087
Status: Entry
Reference: BUGTRAQ:20000113 Misleading sense of security in Netscape
Reference: URL:http://marc.info/?l=bugtraq&m=94790377622943&w=2
Reference: XF:netscape-mail-notify-plaintext(4385)
Reference: URL:http://www.iss.net/security_center/static/4385.php

Netscape Mail Notification (nsnotify) utility in Netscape Communicator uses IMAP without SSL, even if the user has set a preference for Communicator to use an SSL connection, allowing a remote attacker to sniff usernames and passwords in plaintext.

======================================================
Name: CVE-2000-0088
Status: Entry
Reference: BID:946
Reference: URL:http://www.securityfocus.com/bid/946
Reference: MS:MS00-002
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-002
Reference: XF:office-malformed-convert

Buffer overflow in the conversion utilities for Japanese, Korean and Chinese Word 5 documents allows an attacker to execute commands, aka the "Malformed Conversion Data" vulnerability.
======================================================
Name: CVE-2000-0089
Status: Entry
Reference: BID:947
Reference: URL:http://www.securityfocus.com/bid/947
Reference: BUGTRAQ:20000122 RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition
Reference: MS:MS00-004
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-004
Reference: MSKB:Q249108
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q249108
Reference: NTBUGTRAQ:20000121 RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition
Reference: XF:nt-rdisk-enum-file

The rdisk utility in Microsoft Terminal Server Edition and Windows NT 4.0 stores registry hive information in a temporary file with permissions that allow local users to read it, aka the "RDISK Registry Enumeration File" vulnerability.

======================================================
Name: CVE-2000-0090
Status: Entry
Reference: BID:943
Reference: URL:http://www.securityfocus.com/bid/943
Reference: BUGTRAQ:20000124 VMware 1.1.2 Symlink Vulnerability
Reference: OSVDB:1205
Reference: URL:http://www.osvdb.org/1205
Reference: XF:linux-vmware-symlink

VMware 1.1.2 allows local users to cause a denial of service via a symlink attack.

======================================================
Name: CVE-2000-0091
Status: Entry
Reference: BID:942
Reference: URL:http://www.securityfocus.com/bid/942
Reference: BUGTRAQ:20000122 remote root qmail-pop with vpopmail advisory and exploit with patch
Reference: BUGTRAQ:20000123 Re: vpopmail/vchkpw remote root exploit
Reference: MISC:http://www.inter7.com/vpopmail/
Reference: MISC:http://www.inter7.com/vpopmail/ChangeLog

Buffer overflow in vchkpw/vpopmail POP authentication package allows remote attackers to gain root privileges via a long username or password.
======================================================
Name: CVE-2000-0092
Status: Entry
Reference: BID:939
Reference: URL:http://www.securityfocus.com/bid/939
Reference: FREEBSD:FreeBSD-SA-00:01
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:01.make.asc
Reference: XF:gnu-makefile-tmp-root

The BSD make program allows local users to modify files via a symlink attack when the -j option is being used.

======================================================
Name: CVE-2000-0093
Status: Candidate
Phase: Proposed(20000208)
Reference: BUGTRAQ:20000121 Rh 6.1 initial root password encryption
Reference: BUGTRAQ:20000122 NIS security advisory : password method downgrade
Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0093

An installation of Red Hat uses DES password encryption with crypt() for the initial password, instead of md5.

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:linux-initial-password-encryption

======================================================
Name: CVE-2000-0094
Status: Entry
Reference: BID:940
Reference: URL:http://www.securityfocus.com/bid/940
Reference: BUGTRAQ:20000121 *BSD procfs vulnerability
Reference: FREEBSD:FreeBSD-SA-00:02
Reference: NETBSD:NetBSD-SA2000-001
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2000-001.txt.asc
Reference: OPENBSD:20000120 [2.6] 018: SECURITY FIX: Jan 20, 2000
Reference: OSVDB:20760
Reference: URL:http://www.osvdb.org/20760
Reference: XF:netbsd-procfs(3995)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3995

procfs in BSD systems allows local users to gain root privileges by modifying the /proc/pid/mem interface via a modified file descriptor for stderr.
======================================================
Name: CVE-2000-0095
Status: Entry
Reference: BID:944
Reference: URL:http://www.securityfocus.com/bid/944
Reference: HP:HPSBUX0001-110
Reference: URL:http://www.securityfocus.com/templates/advisory.html?id=2041

The PMTU discovery procedure used by HP-UX 10.30 and 11.00 for determining the optimum MTU generates large amounts of traffic in response to small packets, allowing remote attackers to cause the system to be used as a packet amplifier.

======================================================
Name: CVE-2000-0096
Status: Candidate
Phase: Proposed(20000208)
Reference: BID:948
Reference: URL:http://www.securityfocus.com/bid/948
Reference: BUGTRAQ:20000126 Qpopper security bug

Buffer overflow in qpopper 3.0 beta versions allows local users to gain privileges via a long LIST command.

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:qpopper-list-bo

======================================================
Name: CVE-2000-0097
Status: Entry
Reference: BID:950
Reference: URL:http://www.securityfocus.com/bid/950
Reference: MS:MS00-006
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-006
Reference: NTBUGTRAQ:20000127 Alert: MS IIS 4 / IS 2 (Cerberus Security Advisory CISADV000126)
Reference: OSVDB:1210
Reference: URL:http://www.osvdb.org/1210
Reference: XF:http-indexserver-dirtrans

The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to read arbitrary files, aka the "Malformed Hit-Highlighting Argument" vulnerability.

======================================================
Name: CVE-2000-0098
Status: Entry
Reference: MS:MS00-006
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-006

Microsoft Index Server allows remote attackers to determine the real path for a web directory via a request to an Internet Data Query file that does not exist.
====================================================== Name: CVE-2000-0099 Status: Entry Reference: BUGTRAQ:20000119 Unixware ppptalk Reference: URL:http://marc.info/?l=bugtraq&m=94848865112897&w=2 Buffer overflow in UnixWare ppptalk command allows local users to gain privileges via a long prompt argument. ====================================================== Name: CVE-2000-0100 Status: Entry Reference: MS:MS00-012 Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-012 Reference: NTBUGTRAQ:20000115 Security Vulnerability with SMS 2.0 Remote Control Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/current/0045.html The SMS Remote Control program is installed with insecure permissions, which allows local users to gain privileges by modifying or replacing the program. ====================================================== Name: CVE-2000-0101 Status: Candidate Phase: Proposed(20000208) Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0101 The Make-a-Store OrderPage shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) Christey RECAST(1) Cole REVIEWING(1) Wall Voter Comments: Cole> I would combine all of these shopping cart applications into one listing, since they all have the same vulnerability being able to modify sensitive purchase information via hidden form fields. My concern is in cases like this we used over 10 entries for basically the same vulnerability. I could think of cases were there could be 20+ applications with the same vulnerability and in my opinion it could start to weaken the value of CVE where there are 30 entries all referring to the same thing. It is almost like we are playing the vendor game where more is better. 
I think we should go after the quality over quantity aspect. Christey> I disagree with Eric here. This vulnerability is a "type" of problem in the same way that a buffer overflow is a "type" of problem. While the shopping cart application bugs were proposed mostly at the same time, they are all by different vendors. The raw numbers of applications with this problem can make it appear that CVE is artificially inflating the number of entries. However, content decisions such as CD:SF-LOC (different lines of code) dictate that these should be separated. It's not a "numbers game" but rather a principled and consistent approach to resolving problems with selecting a level of abstraction. Frech> XF:shopping-cart-form-tampering ====================================================== Name: CVE-2000-0102 Status: Candidate Phase: Proposed(20000208) Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0102 The SalesCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech RECAST(1) Cole REVIEWING(1) Wall Voter Comments: Cole> See comments for CVE-2000-0101 Frech> XF:shopping-cart-form-tampering ====================================================== Name: CVE-2000-0103 Status: Candidate Phase: Proposed(20000208) Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0103 The SmartCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. 
Current Votes: ACCEPT(1) Baker MODIFY(1) Frech RECAST(1) Cole REVIEWING(1) Wall Voter Comments: Cole> See comments for CVE-2000-0101 Frech> XF:shopping-cart-form-tampering ====================================================== Name: CVE-2000-0104 Status: Candidate Phase: Proposed(20000208) Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0104 The Shoptron shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech RECAST(1) Cole REVIEWING(1) Wall Voter Comments: Cole> See comments for CVE-2000-0101 Frech> XF:shopping-cart-form-tampering ====================================================== Name: CVE-2000-0105 Status: Candidate Phase: Proposed(20000208) Reference: BID:962 Reference: URL:http://www.securityfocus.com/bid/962 Reference: BUGTRAQ:20000201 Outlook Express 5 vulnerability - Active Scripting may read email messages Outlook Express 5.01 and Internet Explorer 5.01 allow remote attackers to view a user's email messages via a script that accesses a variable that references subsequent email messages that are read by the client. 
Current Votes: ACCEPT(2) Cole, Wall MODIFY(1) Frech NOOP(1) Baker REVIEWING(1) Christey Voter Comments: Frech> email-active-script-html Christey> Acknowledged via personal communication with Microsoft personnel, but I need to look through my email logs to recall whether they said that it is a duplicate of CVE-2000-0653 CHANGE> [Christey changed vote from NOOP to REVIEWING] ====================================================== Name: CVE-2000-0106 Status: Candidate Phase: Proposed(20000208) Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0106 The EasyCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech RECAST(1) Cole REVIEWING(1) Wall Voter Comments: Cole> See comments for CVE-2000-0101 Frech> XF:shopping-cart-form-tampering ====================================================== Name: CVE-2000-0107 Status: Entry Reference: BID:958 Reference: URL:http://www.securityfocus.com/bid/958 Reference: DEBIAN:20000201 Reference: URL:http://www.debian.org/security/2000/20000201 Linux apcd program allows local attackers to modify arbitrary files via a symlink attack. ====================================================== Name: CVE-2000-0108 Status: Candidate Phase: Proposed(20000208) Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0108 The Intellivend shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. 
Current Votes: ACCEPT(1) Baker MODIFY(1) Frech RECAST(1) Cole REVIEWING(1) Wall Voter Comments: Cole> See comments for CVE-2000-0101 Frech> XF:shopping-cart-form-tampering ====================================================== Name: CVE-2000-0109 Status: Candidate Phase: Proposed(20000208) Reference: BUGTRAQ:20000201 Security issues with S&P ComStock multiCSP (Linux) Reference: MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0109 The mcsp Client Site Processor system (MultiCSP) in Standard and Poor's ComStock is installed with several accounts that have no passwords or easily guessable default passwords. Current Votes: ACCEPT(2) Cole, Levy MODIFY(1) Frech NOOP(3) Baker, Christey, Wall Voter Comments: Christey> ADDREF BUGTRAQ:20000324 Security issues with S&P ComStock multiCSP (Linux) http://marc.theaimsgroup.com/?l=bugtraq&m=95422382625409&w=2 Note: this posting was a repeat of the February 1 post, saying that the problem still hadn't been fixed. Frech> XF:comstock-multicsp-passwords Christey> ADDREF BID:1080 URL:http://www.securityfocus.com/vdb/bottom.html?vid=1080 ====================================================== Name: CVE-2000-0110 Status: Candidate Phase: Proposed(20000208) Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications Reference: MISC:https://exchange.xforce