Common Vulnerabilities and Exposures
Get CVEAbout CVENews and EventsEditorial BoardCompatible ProductsRegister

CVE Candidates as of 20030718

Candidates must be reviewed and accepted by the CVE Editorial Board before they can be added to the official CVE list. Therefore, these candidates may be modified or even rejected in the future. They are provided for use by individuals who have a need for an early numbering scheme for items that have not been fully reviewed by the Editorial Board.
CAN-1999-0001

Phase: Modified (20000106-01)
Reference: CERT:CA-98-13-tcp-denial-of-service
Reference: BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service

Description:
Denial of service in BSD-derived TCP/IP implementations, as described in CERT CA-98-13.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Northcutt
   REVIEWING(1) Christey
Voter Comments:
 Christey> A Bugtraq posting indicates that the bug has to do with
   "short packets with certain options set," so the description
   should be modified accordingly.
   
   But is this the same as CVE-1999-0052?  That one is related
   to nestea (CAN-1999-0257) and probably the one described in
   BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
   The patch for nestea is in ip_input.c around line 750.
   The patches for CAN-1999-0001 are in lines 388&446.  So, 
   CAN-1999-0001 is different from CAN-1999-0257 and CVE-1999-0052.
   The FreeBSD patch for CVE-1999-0052 is in line 750.
   So, CAN-1999-0257 and CVE-1999-0052 may be the same, though
   CVE-1999-0052 should be RECAST since this bug affects Linux
   and other OSes besides FreeBSD.
 Frech> XF:teardrop(338)
   This assignment was based solely on references to the CERT advisory.


CAN-1999-0004

Phase: Modified (19990621-01)
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175
Reference: MS:MS98-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-008.asp

Description:
MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.

Votes:

   ACCEPT(8) Baker, Magdych, Wall, Landfield, Cole, Dik, Collins, Northcutt
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Shostack
Voter Comments:
 Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject
   this suggestion, I will not be devastated.) :-)
 Christey> This issue seems to have been rediscovered in
   BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
   http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
   
   Also see
   BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
   http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
 Christey> 
   CAN-2000-0415 may be a later rediscovery of this problem
   for Outlook.
 Dik> Sun bug 4163471,
 Christey> ADDREF BID:125
 Christey> BUGTRAQ:19980730 Long Filenames & Lotus Products
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2


CAN-1999-0015

Phase: Proposed (19990726)
Reference: CERT:CA-97.28.Teardrop_Land
Reference: XF:teardrop

Description:
Teardrop IP denial of service.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF: teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are.
   See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> MSKB:Q154174
   MSKB:Q154174 (CAN-1999-0015) and MSKB:Q179129 (CAN-1999-0104)
   indicate that CAN-1999-0015 was fixed in NT SP3, but
   CAN-1999-0104 was not.  Thus CD:SF-LOC suggests that the
   problems keep separate candidates because one problem appears
   in a different version than the other.
 Christey> BID:124
   http://www.securityfocus.com/bid/124
   Consider MSKB:Q154174
   http://support.microsoft.com/support/kb/articles/q154/1/74.asp
   Consider BUGTRAQ:19971113 Linux IP fragment overlap bug
   http://www.securityfocus.com/archive/1/8014


CAN-1999-0020

Phase: Modified (20000106-01)

Description:
** REJECT ** Duplicate of CVE-1999-0032 ** REJECT ** Buffer overflow in Linux lpr command gives root access.

Votes:

   MODIFY(1) Frech
   NOOP(4) Shostack, Levy, Wall, Northcutt
   REJECT(2) Baker, Christey
Voter Comments:
 Frech> XF:lpr-bo
 Christey> DUPE CVE-1999-0032, which includes XF:lpr-bo


CAN-1999-0030

Phase: Proposed (19990623)
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul
Reference: XF:sgi-xlockbo
Reference: SGI:19970508-02-PX

Description:
root privileges via buffer overflow in xlock command on SGI IRIX systems.

Votes:

   ACCEPT(3) Ozancin, Levy, Prosser
   RECAST(1) Frech
   REJECT(1) Christey
Voter Comments:
 Frech> XF:xlock-bo (also add)
   As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and
   several Linii.
   Also, don't you mean to cite SGI:19970502-02-PX? The one you list is
   login/scheme.
 Levy> Notice that this xlock overflow is the same as in
   CA-97.13. CA-97.21 simply is a reminder.
 Christey> As pointed out by Elias, CA-97.21 states: "For more
   information about vulnerabilities in xlock... see CA-97.13"
   CA-97.13 = CVE-1999-0038.
   This may also be a duplicate with CAN-1999-0306.
   
   See exploits at:
   
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2
   
   Sun also has this problem, at
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba


CAN-1999-0033

Phase: Proposed (19990607)
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo

Description:
Command execution in Sun systems via buffer overflow in the at program

Votes:

   ACCEPT(8) Baker, Shostack, Wall, Cole, Dik, Collins, Hill, Northcutt
   NOOP(1) Christey
   RECAST(1) Frech
Voter Comments:
 Frech> This vulnerability also manifests itself for the following 
   platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light,
   please add the following:
   Reference: XF:at-bo
 Dik> Sun bug 1265200, 4063161
 Christey> ADDREF SGI:19971102-01-PX
   ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX
   SCO:SB.97:01
   ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a
 Christey> CIAC:F-15
   http://ciac.llnl.gov/ciac/bulletins/f-15.shtml
   HP:HPSBUX9502-023
 Christey> Add period to the end of the description.


CAN-1999-0061

Phase: Proposed (19990630)
Reference: NAI:NAI-20
Reference: XF:bsd-lpd

Description:
File creation and deletion, and remote execution, in the BSD line printer daemon (lpd).

Votes:

   ACCEPT(3) Frech, Hill, Northcutt
   RECAST(1) Baker
   REVIEWING(1) Christey
Voter Comments:
 Christey> This should be split into three separate problems based on
   the SNI advisory.  But there's newer information to further
   complicate things.
   
   What do we do about this one?  in 1997 or so, SNI did an
   advisory on this problem.  In early 2000, it was still
   discovered to be present in some Linux systems.  So an 
   SF-DISCOVERY content decision might say that this is a
   long enough time between the two, so this should be recorded
   separately.  But they're the same codebase... so if we keep
   them in the same entry, how do we make sure that this entry
   reflects that some new information has been discovered?
   
   The use of dot notation may help in this regard, to use one
   dot for the original problem as discovered in 1997, and
   another dot for the resurgence of the problem in 2000.
 Baker> We should merge these.


CAN-1999-0076

Phase: Modified (19990925-01)
Reference: XF:ftp-args

Description:
Buffer overflow in wu-ftp from PASV command causes a core dump.

Votes:

   ACCEPT(3) Baker, Frech, Ozancin
   NOOP(1) Balinsky
   REVIEWING(1) Christey
Voter Comments:
 Balinsky> Don't know what this is.  Is this the LIST Core dump vulnerability?
 Christey> Need to add more references and details.


CAN-1999-0078

Phase: Modified (19990621-01)
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd

Description:
pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.

Votes:

   ACCEPT(5) Frech, Shostack, Landfield, Collins, Northcutt
   RECAST(1) Christey
Voter Comments:
 Christey> This candidate should be SPLIT, since there are two separate
   software flaws.  One is a symlink race and the other is a
   shell metacharacter problem.
 Christey> The permissions part of this vulnerability appears to
   overlap with CVE-1999-0353
 Christey> SGI:20020802-01-I


CAN-1999-0086

Phase: Interim (19990630)
Reference: ERS:ERS-SVA-E01-1998:001.1
Reference: XF:ibm-routed

Description:
AIX routed allows remote users to modify sensitive files.

Votes:

   ACCEPT(2) Shostack, Northcutt
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REJECT(1) Christey
Voter Comments:
 Frech> Reference: XF:ibm-routed
 Prosser> This vulnerability allows debug mode to be turned on which is
   the problem.  Should this be more specific in the description? This
   one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which
   is in the SGI cluster, shouldn't these be cross-referenced as the same
   vuln affects multiple OSes.
 Christey> This appears to be subsumed by CVE-1999-0215


CAN-1999-0088

Phase: Proposed (19990617)
Reference: ERS:ERS-SVA-E01-1998:004.1
Reference: URL:http://www-1.ibm.com/services/brs/brspwhub.nsf/advisories/852567CC004F9038852566BF007B6393/$file/ERS-SVA-E01-1998_004_1.txt

Description:
IRIX and AIX automountd services (autofsd) allow remote users to execute root commands.

Votes:

   ACCEPT(2) Shostack, Northcutt
   MODIFY(2) Frech, Prosser
   RECAST(1) Baker
   REVIEWING(1) Christey
Voter Comments:
 Frech> ERS (and other references, BTW) explicitly stipulate 'local and
   remote'.
   Reference: XF:irix-autofsd
 Prosser> Include the SGI Alert as well since it is mentioned in the
   description.
   SGI Security Advisory 19981005-01-PX
 Christey> DUPE CAN-1999-0210?
 Christey> ADDREF CIAC:J-014
 Baker> It does look very similar to 1999-0210.  Perhaps they should be a single entry


CAN-1999-0089

Phase: Interim (19990630)
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-libDtSvc

Description:
Buffer overflow in AIX libDtSvc library can allow local users to gain root access.

Votes:

   ACCEPT(2) Shostack, Northcutt
   MODIFY(2) Frech, Prosser
   RECAST(1) Baker
   REVIEWING(1) Christey
Voter Comments:
 Frech> Reference: XF:ibm-libDtSvc
 Prosser> The overflow is in the dtaction utility.  Also affects
   dtaction in the CDE on versions of SunOS (SUN 164). Probably should be
   specific.
 Christey> Same Codebase as CAN-1999-0121, so the two entries should be
   merged.


CAN-1999-0092

Phase: Proposed (19990623)
Reference: ERS:ERS-SVA-E01-1997:006.1

Description:
Various vulnerabilities in the AIX portmir command allows local users to obtain root access.

Votes:

   ACCEPT(1) Bollinger
   MODIFY(1) Frech
   NOOP(1) Ozancin
Voter Comments:
 Frech> XF:ibm-portmir


CAN-1999-0098

Phase: Proposed (19990726)
Reference: XF:smtp-helo-bo

Description:
Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities.

Votes:

   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey
Voter Comments:
 Frech> (Accept XF reference.)
   Our references do not mention hiding activities. This issue can crash the
   SMTP server or execute arbitrary byte-code. Is there another reference
   available?
 Christey> Should this be merged with CAN-1999-0284, which is Sendmail
   with SMTP HELO?
 Christey> BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2
   BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2


CAN-1999-0104

Phase: Proposed (19990726)
Reference: CERT:CA-97.28.Teardrop_Land
Reference: XF:teardrop-mod

Description:
A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2

Votes:

   ACCEPT(2) Frech, Wall
   REVIEWING(1) Christey
Voter Comments:
 Wall> Another reference is Microsoft Knowledge Base Q179129.
 Christey> Not sure how many separate "instances" of Teardrop there are.
   See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> MSKB:Q179129
   http://support.microsoft.com/support/kb/articles/q179/1/29.asp
 Christey> MSKB:Q179129
   http://support.microsoft.com/support/kb/articles/q179/1/29.asp
   Note that the hotfix name is teardrop2, but the keywords
   included in the KB article specifically name bonk
   (CAN-1999-0258) and boink.
   Since teardrop2 was fixed in a slightly different version
   (at least in a separate patch) than Teardrop, CD:SF-LOC
   suggests keeping them separate.
 Christey> Add period to the end of the description.


CAN-1999-0105

Phase: Proposed (19990726)

Description:
finger allows recursive searches by using a long string of @ symbols.

Votes:

   MODIFY(2) Frech, Shostack
   NOOP(1) Christey
   REJECT(1) Northcutt
Voter Comments:
 Shostack> fingerD
 Frech> XF:finger-bomb
 Christey> aka redirection or forwarding requests? (but then might
   overlap CAN-1999-0106)


CAN-1999-0106

Phase: Proposed (19990726)

Description:
Finger redirection allows finger bombs.

Votes:

   ACCEPT(1) Northcutt
   MODIFY(2) Frech, Shostack
   REVIEWING(1) Christey
Voter Comments:
 Shostack> fingerd allows redirection
   This is a larger modification, since there are two applications of the 
   vulnerability, one that I can finger anonymously, and the other that I 
   can finger bomb anonymously.
 Frech> XF:finger-bomb
 Christey> need more refs


CAN-1999-0107

Phase: Modified (19991223-01)
Reference: XF:apache-dos
Reference: BUGTRAQ:19971230 Apache DoS attack?

Description:
Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Shostack, Wall, Northcutt
   REVIEWING(1) Levy
   REVOTE(1) Christey
Voter Comments:
 Wall> - Although this is probably the phf hack.
 Frech> XF:apache-dos
 Christey> This sounds like the incident reported in:
   NTBUGTRAQ:20000810 Apache Distributed Denial of Service
 Levy> I belive this is the problem where sending lot of HTTP headers to apache resulted on a denial of service.
   BUGTRAQ: http://www.securityfocus.com/archive/1/10228
   BUGTRAQ: http://www.securityfocus.com/archive/1/10516


CAN-1999-0110

Phase: Interim (19990810)

Description:
** REJECT ** Duplicate of CVE-1999-0315 (this has a typo) ** REJECT ** Buffer overflow in fbformat command in Solaris.

Votes:

   MODIFY(1) Frech
   NOOP(4) Shostack, Levy, Wall, Northcutt
   REJECT(3) Baker, Dik, Christey
Voter Comments:
 Frech> XF:fdformat-bo
 Christey> Duplicate of CAN-1999-0315
 Dik> dup


CAN-1999-0114

Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990912 elm filter program
Reference: BUGTRAQ:19951226 filter (elm package) security hole
Reference: XF:elm-filter2

Description:
Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack.

Votes:

   ACCEPT(7) Shostack, Bishop, Wall, Landfield, Cole, Armstrong, Blake
   MODIFY(2) Baker, Frech
   NOOP(3) Ozancin, Christey, Northcutt
   REVIEWING(1) Levy
Voter Comments:
 Frech> XF:elm-filter2
 CHANGE> [Wall changed vote from NOOP to ACCEPT]
 Landfield> with Frech modifications
 Baker> ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm	Official Advisory
 Christey> The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm
   Need to make sure that this CERT advisory describes the right
   problem, especially since the CERT advisory is dated December
   18, 1995 and the original Bugtraq post was December 26, 1995.
 Christey> BID:1802
   URL:http://www.securityfocus.com/bid/1802
   BID:1802 doesn't include the 1999 posting - does Security
   Focus think that the 1999 post describes a different
   vulnerability?
 Christey> XF:elm-filter2 isn't on the X-Force web site.  How about XF:elm-filter(402) ?
   Its references point to the December 26, 1995 BUgtraq post.
   
   Also consider CIAC:G-36 and CERT:VB-95:10
 Frech> DELREF:XF:elm-filter2(711)
   ADDREF:XF:elm-filter(402)


CAN-1999-0119

Phase: Proposed (19990728)

Description:
Windows NT 4.0 beta allows users to read and delete shares.

Votes:

   MODIFY(1) Frech
   NOOP(1) Northcutt
   REJECT(1) Wall
Voter Comments:
 Wall> Reject based on beta copy.
 Frech> XF:nt-beta(11)
   Reconsider reject, because this beta was in widespread use.


CAN-1999-0121

Phase: Proposed (19990617)
Reference: SUN:00164
Reference: ERS:ERS-SVA-E01-1997:005.1

Description:
Buffer overflow in dtaction command gives root access.

Votes:

   ACCEPT(2) Dik, Northcutt
   MODIFY(3) Baker, Frech, Prosser
   REVIEWING(1) Christey
Voter Comments:
 Frech> Reference: XF:dtaction-bo
   Reference: XF:sun-dtaction
 Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a
   library in AIX 4.x, but reference for this Sun vulnerability should
   only reflect the Sun Bulletin or the CIAC I-032 version of the Sun
   Bulletin
 Christey> This is the Same Codebase as CAN-1999-0089, so the two entries
   should be merged.
 Frech> Replace sun-dtaction(732) with dtaction-bo(879)
 Baker> Merge with 1999-0089


CAN-1999-0123

Phase: Modified (20000105-01)
Reference: XF:linux-mailx
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole

Description:
Race condition in Linux mailx command allows local users to read user files.

Votes:

   ACCEPT(3) Baker, Frech, Ozancin
   NOOP(1) Wall

CAN-1999-0127

Phase: Proposed (19990623)
Reference: CERT:CA-96.27.hp_sw_install
Reference: AUSCERT:AA-96.04
Reference: XF:hpux-swinstall

Description:
swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access.

Votes:

   ACCEPT(1) Prosser
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> (keep current XF: reference, and add)
   XF:hpux-sqwmodify
 Christey> Perhaps this should be split, per SF-LOC.
 Christey> CIAC:H-81
   http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
   HP:HPSBUX9707-064  references CERT:CA-96.27
   http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
   
   The original AUSCERT advisory says that the programs "create
   files in an insecure manner" and "Exploit details involving
   this vulnerability have been made publicly available." which
   leads one to assume that the following original Bugtraq post
   provides the details for a standard symlink problem:
   
   BUGTRAQ:19961005 swinst,bug
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2


CAN-1999-0140

Phase: Proposed (19990630)

Description:
Denial of service in RAS/PPTP on NT systems.

Votes:

   ACCEPT(1) Hill
   MODIFY(2) Frech, Meunier
   NOOP(1) Baker
   REJECT(1) Christey
Voter Comments:
 Meunier> Add "pptp invalid packet length in header" to distinguish from other
   vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be
   discovered in the future.
 Frech> XF:nt-ras-bo
   ONLY IF reference is to MS:MS99-016
 Christey> According to my mappings, this is not the MS:MS99-016 problem
   referred to by Andre.  However, I have yet to dig up a
   source.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> This is too general to know which problem is being discussed.
   More precise candidates should be created.
 Christey> Consider adding BID:2111


CAN-1999-0144

Phase: Modified (20010301-02)
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2
Reference: BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319029&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: BID:2237
Reference: URL:http://www.securityfocus.com/bid/2237
Reference: XF:qmail-rcpt
Reference: URL:http://xforce.iss.net/static/208.php

Description:
Denial of service in Qmail by specifying a large number of recipients with the RCPT command.

Votes:

   ACCEPT(4) Baker, Frech, Meunier, Hill
   REVIEWING(1) Christey
Voter Comments:
 Christey> DUPE CAN-1999-0418 and CAN-1999-0250?
 Christey> Dan Bernstein, author of Qmail, says that this is not a
   vulnerability in qmail because Unix has built-in resource
   limits that can restrict the size of a qmail process; other
   limits can be specified by the administrator.  See
   http://cr.yp.to/qmail/venema.html
   
   Significant discussion of this issue took place on the qmail
   list.  The fundamental question appears to be whether 
   application software should set its own limits, or rely
   on limits set by the parent operating system (in this case,
   UNIX).  Also, some people said that the only problem was that
   the suggested configuration was not well documented, but this
   was refuted by others.
   
   See the following threads at
   http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
   "Denial of service (qmail-smtpd)"
   "qmail-dos-2.c, another denial of service"
   "[PATCH] denial of service"
   "just another qmail denial-of-service"
   "the UNIX way"
   "Time for a reality check"
   
   Also see Bugtraq threads on a different vulnerability that
   is related to this topic:
   BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
   http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
 Baker> http://cr.yp.to/qmail/venema.html
   Berstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema.
   His page states this is not a qmail problem, rather it is a UNIX problem
   that many apps can consume all available memory, and that the administrator
   is responsible to set limits in the OS, rather than expect applications to
   individually prevent memory exhaustion.  CAN 1999-0250 does appear to
   be a duplicate of this entry, based on the research I have done so far.
   There were two different bugtraq postings, but the second one references
   the first, stating that the new exploit uses perl instead of shell scripting
   to accomplish the same attack/exploit.
 Baker> http://www.securityfocus.com/archive/1/6970
   http://www.securityfocus.com/archive/1/6969
   http://cr.yp.to/qmail/venema.html
   
   Should probably reject CAN-1999-0250, and add these references to this
   Candidate.
 Baker> http://www.securityfocus.com/bid/2237
 CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
 Christey> qmail-dos-1.c, as published by Wietse Venema (CAN-1999-0250)
   in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not
   use any RCPT commands.  Instead, it sends long strings
   of "X" characters.  A followup by "super@UFO.ORG" includes
   an exploit that claims to do the same thing; however, that
   exploit does not send long strings of X characters - it sends
   a large number of RCPT commands.  It appears that super@ufo.org
   followed up to the wrong message.
   
   qmail-dos-2.c, as published by Wietse Venema (CAN-1999-0144)
   in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"
   sends a large number of RCPT commands.
   
   ADDREF BID:2237
   ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
   ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
   
   Also see a related thread:
   BUGTRAQ:19990308 SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
   
   This also describes a problem with mail servers not being able
   to handle too many "RCPT TO" requests.  A followup message
   notes that application-level protection is used in Sendmail
   to prevent this:
   BUGTRAQ:19990309 Re: SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
   The person further says, "This attack can easily be
   prevented with configuration methods."


CAN-1999-0154

Phase: Proposed (20010912)
Reference: MSKB:Q163485
Reference: MSKB:Q164059
Reference: BUGTRAQ:19970220 ! [ADVISORY] Major Security Hole in MS ASP
Reference: XF:http-iis-aspdot
Reference: XF:http-iis-aspsource

Description:
IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.

Votes:

   ACCEPT(4) Frech, Wall, Foat, Stracener
   NOOP(2) Cole, Christey
Voter Comments:
 Christey> This is the precursor to the problem that is identified in
   CAN-1999-0253.  
 Christey> CIAC:H-48
   URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml
 CHANGE> [Foat changed vote from NOOP to ACCEPT]


CAN-1999-0156

Phase: Proposed (19990714)
Reference: XF:ftp-pwless

Description:
wu-ftpd FTP daemon allows any user and password combination.

Votes:

   ACCEPT(2) Shostack, Northcutt
   NOOP(1) Baker
   RECAST(1) Frech
   REVIEWING(2) Christey, Prosser
Voter Comments:
 Prosser> but so far can find no reference to this one
 Frech> Our records indicate that this does not necessarly affect just wu-ftp (ie,
   also affects IIS FTP server).
 Christey> The references for XF:ftp-pwless are not specific enough,
   e.g. in terms of version numbers.  Perhaps this candidate
   should be rejected due to insufficient information.


CAN-1999-0163

Phase: Proposed (19990714)
Reference: XF:smtp-pipe

Description:
In older versions of Sendmail, an attacker could use a pipe character to execute root commands.

Votes:

   ACCEPT(2) Frech, Northcutt
   MODIFY(1) Prosser
   NOOP(2) Baker, Christey
   RECAST(1) Shostack
Voter Comments:
 Shostack> there was a 'To: |' and a 'From: |' attack, which I
   think are seperate.
 Prosser> older vulnerability, but one additional reference is-
   The Ultimate Sendmail Hole List by Markus Hübner @
   bau2.uibk.ac.at/matic/buglist.htm
   '|PROGRAM '
 Christey> Description needs to be more specific to distinguish between
   this and CAN-1999-0203, as alluded to by Adam Shostack


CAN-1999-0165

Phase: Proposed (19990714)
Reference: XF:nfs-cache

Description:
NFS cache poisoning

Votes:

   ACCEPT(3) Baker, Frech, Northcutt
   MODIFY(1) Shostack
   NOOP(1) Prosser
   REVIEWING(1) Christey
Voter Comments:
 Shostack> need more data
 Christey> need more refs
 Christey> Add period to the end of the description.


CAN-1999-0169

Phase: Proposed (19990714)
Reference: XF:nfs-uid

Description:
NFS allows attackers to read and write any file on the system by specifying a false UID.

Votes:

   ACCEPT(2) Frech, Northcutt
   REJECT(1) Shostack
Voter Comments:
 Shostack> this is not a vulnerability but a design feature.


CAN-1999-0171

Phase: Proposed (19990714)
Reference: XF:syslog-flood

Description:
Denial of service in syslog by sending it a large number of superfluous messages.

Votes:

   ACCEPT(2) Frech, Northcutt
   NOOP(1) Baker
   REJECT(2) Shostack, Christey
Voter Comments:
 Shostack> design issue, not a vulnerability.  Alternately, add:
   DOS on server by opening a large number of telnet sessions..
 Christey> Duplicate of CVE-1999-0566


CAN-1999-0186

Phase: Proposed (19990726)
Reference: SUN:00178
Reference: XF:snmp-backdoor-access

Description:
In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters.

Votes:

   ACCEPT(2) Baker, Dik
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey
Voter Comments:
 Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr
   Add ISS:Hidden Community String in SNMP Implementation
 Christey> What is the proper level of abstraction to use here?  Should
   we have a separate entry for each different default community
   string?  See:
   http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and
   http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
   http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
   
   Until the associated content decisions have been approved
   by the Editorial Board, this candidate cannot be accepted
   for inclusion in CVE.
 Christey> ADDREF BID:177
 Christey> ISS:19981102 Hidden community string in SNMP implementation
   http://xforce.iss.net/alerts/advise11.php
   
   Change description to include "hidden"
 Christey> XF:snmp-backdoor-access is missing.


CAN-1999-0187

Phase: Modified (19990805)
Reference: SUN:00179

Description:
** REJECT ** Duplicate of CAN-1999-0022 (SUN:00179 is referenced in CERT:CA-97.23.rdist) The rdist program in Solaris has some buffer overflows that allow attackers to gain root access.

Votes:

   ACCEPT(2) Hill, Northcutt
   RECAST(3) Baker, Frech, Prosser
   REJECT(1) Dik
   REVIEWING(1) Christey
Voter Comments:
 Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in
   rdist lookup( )(ref CERT 96.14)as well as the BO in rdist function expstr()
   (ref CERT 97-23) and various vendor bulletins.  However both of these rdist
   BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX,
   FreeBSD, SCO, SGI, etc.  Believe this falls into the SF-codebase content
   decision
 Frech> XF:rdist-bo (error msg formation)
   XF:rdist-bo2 (execute code)
   XF:rdist-bo3 (execute user-created code)
   XF:rdist-sept97 (root from local)
 Christey> Duplicate of CAN-1999-0022 (SUN:00179 is referenced in
   CERT:CA-97.23.rdist), but as Mike and Andre noted, there
   are multiple flaws here, so a RECAST may be necessary.
 Dik> As currently phrasedm thissa duplicate of CVE-1999-0022
 Baker> Based on our new philosophy, this should be recast/merged or re-described.


CAN-1999-0193

Phase: Proposed (19990714)

Description:
Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option.

Votes:

   ACCEPT(5) Shostack, Bishop, Ozancin, Cole, Northcutt
   MODIFY(2) Baker, Blake
   NOOP(4) Frech, Wall, Landfield, Armstrong
   REVIEWING(2) Levy, Christey
Voter Comments:
 Frech> possibly XF:ascend-kill
   I can't find a reference that lists both routers in the same reference.
 Wall> Comment:  There is a reference about the zero length TCP option in BugTraq on
   Feb 5, 1999
   and it mentions Cisco, but not directly Ascend or 3Com.  CIAC Advisory I-038
   mentions
   vulnerabilities in Ascend, but does not mention TCP.  CIAC Advisory I-052
   mentions
   3Com vulnerabilities, but not TCP.  Too confusing withour better references.
 Landfield> What are the references for this ? I cannot find a means to check it out.
 CHANGE> [Frech changed vote from REVIEWING to NOOP]
 Frech> Cannot reconcile to our database without further references.
 Blake> I'm with Andre.  I only remember and can find reference to the Ascend
   issue.  Do we have a refernce to the 3Coms?  If not, that should be
   removed from the description.
 Baker> http://xforce.iss.net/static/614.php	Misc Defensive Info
   http://www.securityfocus.com/archive/1/5682	Misc Offensive Info
   http://www.securityfocus.com/archive/1/5647	Misc Defensive Info
   http://www.securityfocus.com/archive/1/5640	Misc Defensive Info
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]


CAN-1999-0195

Phase: Modified (19991130-01)
Reference: BUGTRAQ:19990128 rpcbind: deceive, enveigle and obfuscate

Description:
Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.

Votes:

   ACCEPT(2) Shostack, Balinsky
   MODIFY(1) Frech
   NOOP(3) Baker, Wall, Northcutt
   REVIEWING(2) Levy, Christey
Voter Comments:
 Frech> XF:rpcbind-spoof
 Christey> CAN-1999-0195 = CAN-1999-0461 ?
   If this is approved over CAN-1999-0461, make sure it gets
   XF:pmap-sset


CAN-1999-0197

Phase: Proposed (19990726)

Description:
finger 0@host on some systems may print information on some user accounts.

Votes:

   MODIFY(2) Frech, Shostack
   REJECT(1) Northcutt
Voter Comments:
 Shostack> fingerd may respond to 'finger 0@host' with account info
 Frech> Need more reference to establish this 'exposure'.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:finger-unused-accounts(8378)
   We're entering it into our database solely to track
   competition. The only references seem to be product listings:
   http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002
   Finger 0@host check)
   http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check)
   http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host
   feature)


CAN-1999-0198

Phase: Proposed (19990726)

Description:
finger .@host on some systems may print information on some user accounts.

Votes:

   MODIFY(2) Frech, Shostack
   REJECT(1) Northcutt
Voter Comments:
 Shostack> as above
 Frech> Need more reference to establish this 'exposure'.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:finger-unused-accounts(8378)
   We're entering it into our database solely to track
   competition. The only references seem to be product listings:
   http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004
   Finger .@target-host check)
   http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host
   check )
   http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host
   feature)


CAN-1999-0200

Phase: Modified (19991130-01)
Reference: MSKB:Q137853

Description:
Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password.

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, Shostack
   NOOP(2) Wall, Northcutt
   REJECT(1) Christey
   REVIEWING(1) Levy
Voter Comments:
 Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another?
 Frech> Other have mentioned this before, but it may be WU-FTP.
   POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root
   access without anon FTP or a regular account?
   POSSIBLY XF:wu-ftpd-exec;same as above conditions, but instead from a
   non-anon FTP account and gain root privs.
 Christey> added MSKB reference
 CHANGE> [Christey changed vote from REVOTE to REJECT]
 Christey> The MSKB article may have confused things even more.  There
   were reports of problems in a Windows-based FTP server called
   WFTP (http://www.wftpd.com/) that is not a Microsft FTP
   server.  It's best to just kill this candidate where it
   stands and start fresh.


CAN-1999-0205

Phase: Modified (19990925-01)
Reference: BUGTRAQ:19990708 SM 8.6.12

Description:
Denial of service in Sendmail 8.6.11 and 8.6.12.

Votes:

   ACCEPT(2) Hill, Northcutt
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REVIEWING(2) Ozancin, Christey
Voter Comments:
 Frech> XF:sendmail-alias-dos
 Prosser> additional source
   Bugtraq
   "Re:  SM 8.6.12"
   http://www.securityfocus.com
 Christey> The Bugtraq thread does not provide any proof, including a
   comment by Eric Allman that he hadn't been provided any
   details either.
   
   See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu
   for the thread.
 Christey> Change Bugtraq reference date to 19950708.


CAN-1999-0213

Phase: Modified (20001009-01)
Reference: XF:sun-libnsl
Reference: SUNBUG:4305859

Description:
libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind.

Votes:

   ACCEPT(6) Ozancin, Landfield, Cole, Dik, Hill, Blake
   MODIFY(3) Baker, Frech, Levy
   NOOP(4) Bishop, Wall, Armstrong, Meunier
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:sun-libnsl
 Dik> Sun bug #4305859
 Baker> http://xforce.iss.net/static/1204.php	Misc Defensive Info
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba	Vendor Info
   http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt	Vendor Info
   http://www.securityfocus.com/archive/1/9749	Misc Defensive Info
 Christey> I don't think this is the bug that everyone thinks it is.
   This candidate came from CyberCop Scanner 2.4/2.5, which
   only reports this as a DoS problem.  If SUN:00172 is an
   advisory for this, then it may be a duplicate of
   CVE-1999-0055.  There appears to be overlap with other
   references as well.  HOWEVER, this particular one deals with a
   DoS in rpcbind - which isn't mentioned in the sources for
   CVE-1999-0055.
 Levy> BID 148


CAN-1999-0216

Phase: Modified (19991203-01)
Reference: BUGTRAQ:19971130 Linux inetd..
Reference: XF:linux-inetd-dos
Reference: HP:HPSBUX9803-077
Reference: XF:hp-inetd

Description:
Denial of service of inetd on Linux through SYN and RST packets.

Votes:

   ACCEPT(1) Hill
   MODIFY(2) Baker, Frech
   RECAST(1) Meunier
Voter Comments:
 Meunier> The location of the vulnerability, whether in the Linux kernel or the
   application, is debatable.  Any program making the same (reasonnable)
   assumption is vulnerable, i.e., implements the same vulnerability:
   "Assumption that TCP-three-way handshake is complete after calling Linux
   kernel function accept(), which returns socket after getting SYN.   Result
   is process death by SIGPIPE"
   Moreover, whether it results in DOS (to third parties) depends on the
   process that made the assumption.
   I think that the present entry should be split, one entry for every
   application that implements the vulnerability (really describing threat
   instances, which is what other people think about when we talk about
   vulnerabilities), and one entry for the Linux kernel that allows the
   vulnerability to happen.
 Frech> XF:hp-inetd
   XF:linux-inetd-dos
 Baker> Since we have an hpux bulletin, the description should not specifically say Linux, should it?  It applies to mulitple OS and should be likely either modified, or in extreme case, recast


CAN-1999-0220

Phase: Proposed (19990728)

Description:
Attackers can do a denial of service of IRC by crashing the server.

Votes:

   NOOP(1) Northcutt
   REJECT(2) Frech, Christey
Voter Comments:
 Frech> Would reconsider if any references were available.
 Christey> No references available, combined with extremely vague
   description, equals REJECT.


CAN-1999-0222

Phase: Proposed (19990714)

Description:
Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL.

Votes:

   ACCEPT(1) Baker
   MODIFY(3) Frech, Shostack, Levy
   NOOP(3) Balinsky, Wall, Northcutt
   RECAST(1) Ziese
   REJECT(1) Christey
Voter Comments:
 Shostack> I follow cisco announcements and problems pretty closely, and haven't
   seen this.  Source?
 Frech> XF:cisco-web-crash
 Christey> XF:cisco-web-crash has no additional references.  I can't find
   any references in Bugtraq or Cisco either.  This bug is
   supposedly tested by at least one security product, but that
   product's database doesn't have any references either.  So
   a question becomes, how did it make it into at least two
   security companies' databases?
 Levy> BUGTGRAQ: http://www.securityfocus.com/archive/1/60159
   BID 1154
 Ziese> The vulnerability is addressed by a vendor acknowledgement.  This one, if
   recast to reflect that "...after using a long url..." should be replaced
   with
   "...A defect in multiple releases of Cisco IOS software will cause a Cisco
   router or switch to halt and reload if the IOS HTTP service is enabled,
   browsing to "http://router-ip/anytext?/" is attempted, and the enable
   password is supplied when requested. This defect can be exploited to produce
   a denial of service (DoS) attack."
   Then I can accept this and mark it as "Verfied by my Company".  If it can't
   be recast because this (long uri) is diffferent then our release (special
   url construction).
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> Elias Levy's suggested reference is CVE-2000-0380.
   I don't think that Kevin's description is really addressing
   this either.  The lack of references and a specific
   description make this candidate unusable, so it should be
   rejected.


CAN-1999-0226

Phase: Proposed (19990728)

Description:
Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service.

Votes:

   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   REJECT(1) Christey
Voter Comments:
 Christey> Too general, and no references.
 Frech> XF:nt-frag(528)
   See reference from BugTraq Mailing List, "A New Fragmentation Attack" at
   http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&ms
   g=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net


CAN-1999-0229

Phase: Modified (19991228-02)
Reference: MSKB:Q115052

Description:
Denial of service in Windows NT IIS server using ..\..

Votes:

   ACCEPT(2) Baker, Shostack
   MODIFY(2) Frech, Wall
   NOOP(1) Northcutt
   REJECT(1) Christey
   REVIEWING(1) Levy
Voter Comments:
 Wall> Denial of service in Windows NT IIS Server 1.0 using ..\...
   Source: Microsoft Knowledge Base Article Q115052 - IIS Server.
 Frech> XF:http-dotdot (not necessarily IIS?)
 Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot
   problem.
 Christey> This actually looks like XF:iis-dot-dot-crash(1638)
   http://xforce.iss.net/static/1638.php
   If so, include the version number (2.0)
   
 CHANGE> [Christey changed vote from REVOTE to REJECT]
 Christey> Bill Wall intended to suggest Q155052, but the affected
   IIS version there is 1.0; the effect is to read files,
   so this sounds like a directory traversal problem,
   instead of an inability to process certain strings.
   
   As a result, this candidate is too general, since it could
   apply to 2 different problems, so it should be REJECTed.
 Christey> Consider adding BID:2218


CAN-1999-0231

Phase: Modified (19991207-01)
Reference: BUGTRAQ:19990317 Re: SLMail 2.6 DoS - Imail also

Description:
Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access.

Votes:

   ACCEPT(1) Levy
   NOOP(3) Landfield, Christey, Northcutt
   RECAST(1) Frech
   REVIEWING(1) Ozancin
Voter Comments:
 Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below)
   XF:smtp-vrfy-bo (many mail packages)
 Northcutt> (There is no way I will have access to these systems)
 Christey> Some sources report that VRFY and EXPN are both affected.


CAN-1999-0232

Phase: Modified (19991220-01)

Description:
Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.

Votes:

   ACCEPT(2) Hill, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser
   REJECT(1) Baker
   REVIEWING(1) Christey
Voter Comments:
 Frech> Unable to provide a match due to vague/insufficient description/references.
   Possible matches are:
   XF:ftp-ncsa (probably not, considering you've mentioned the webserver.)
   XF:http-ncsa-longurl (highest probability)
 Christey> CAN-1999-0235 is the one associated with XF:http-ncsa-longurl
   More research is necessary for this one.
 Baker> Since this has no references at all, and is vague and we have a
   CAN for the most likely issue, we should kill this one


CAN-1999-0235

Phase: Modified (19991220-01)
Reference: CERT:CA-95:04
Reference: CIAC:F-11

Description:
Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.

Votes:

   ACCEPT(3) Hill, Prosser, Northcutt
   MODIFY(1) Frech
   REJECT(2) Baker, Christey
Voter Comments:
 Frech> XF:http-ncsa-longurl
 Christey> CAN-1999-0235 has the same ref's as CVE-1999-0267
 Baker> Not to mention, the X-force listings of http-ncsa-longurl and http-port both
   refer to the same problem.  This should be rejected as 1999-0267 is the same problem.


CAN-1999-0238

Phase: Proposed (19990623)
Reference: XF:http-cgi-phpfileread

Description:
php.cgi allows attackers to read any file on the system.

Votes:

   ACCEPT(5) Baker, Frech, Collins, Prosser, Northcutt
   NOOP(1) Christey
Voter Comments:
 Prosser> additional source
   AUSCERT External Security Bulletin ESB-97.047
   http://www.auscert.org.au
 Christey> ADDREF BUGTRAQ:19970416 Update on PHP/FI hole
   URL:http://www.dataguard.no/bugtraq/1997_2/0069.html
   The attacker specifies the filename as an argument to the
   program.
   Add "PHP/FI" to description to facilitate search.
   AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047
 Christey> Consider adding BID:2250


CAN-1999-0240

Phase: Proposed (19990728)

Description:
Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy.

Votes:

   ACCEPT(1) Northcutt
   REJECT(1) Frech
Voter Comments:
 Frech> Would reconsider if any references were available.


CAN-1999-0241

Phase: Modified (19990925-01)
Reference: XF:http-xguess-cookie

Description:
Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.

Votes:

   ACCEPT(3) Proctor, Hill, Northcutt
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REVIEWING(1) Christey
Voter Comments:
 Frech> Also add to references:
   XF:sol-mkcookie
 Prosser> additional source
   Bugtraq
   "X11 cookie hijacker"
   http://www.securityfocus.com
 Christey> The cookie hijacker thread has to do with stealing cookies
   through a file with bad permissions.  I'm not sure the
   X-Force reference identifies this problem either.
 Christey> CIAC:G-04
   URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml
   SGI:19960601-01-I
   URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I
   CERT:VB-95:08


CAN-1999-0242

Phase: Modified (20000106-01)
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole
Reference: XF:linux-pop3d

Description:
Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Shostack, Wall, Christey, Northcutt
   REVIEWING(1) Levy
Voter Comments:
 Frech> Ambiguous description: need more detail. Possibly:
   XF:linux-pop3d (mktemp() leads to reading e-mail)
 Christey> At first glance this might look like CAN-1999-0123 or
   CVE-1999-0125, however this particular candidate arises out
   of a brief mention of the problem in a larger posting which
   discusses CAN-1999-0123 (which may be the same bug as
   CVE-1999-0125).  See the following phrase in the Bugtraq
   post: "one such example of this is in.pop3d"
   
   However, the original source of this candidate's description
   explicitly mentions shadowed passwords, though it has no
   references to help out here.


CAN-1999-0243

Phase: Proposed (19990714)

Description:
Linux cfingerd could be exploited to gain root access.

Votes:

   ACCEPT(1) Shostack
   NOOP(4) Baker, Levy, Wall, Northcutt
   REJECT(2) Frech, Christey
Voter Comments:
 Christey> This has no sources; neither does the original database that
   this entry came from.  It's a likely duplicate of 
   CAN-1999-0813.
 Frech> I disagree on the dupe; see Linux-Security Mailing List,
   "[linux-security] Cfinger (Yet more :)" at
   http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as
   if v1.2.3 is vulnerable, perhaps 1.3.0 also. CAN-1999-0813 pertains
   to 1.4.x and below and shows up two years later.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> If the reference I previously supplied is correct, then
   it appears as if the poster modified the source using authorized 
   access to make it vulnerable. Modifying the source in this manner 
   does not qualify as being listed a vulnerability.
   I disagree on the dupe; see Linux-Security Mailing List,
   "[linux-security] Cfinger (Yet more :)" at
   http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as
   if v1.2.3 is vulnerable, perhaps 1.3.0 also. CAN-1999-0813 pertains
   to 1.4.x and below and shows up two years later.


CAN-1999-0246

Phase: Proposed (19990630)
Reference: XF:hp-remote

Description:
HP Remote Watch allows a remote user to gain root access.

Votes:

   ACCEPT(4) Frech, Hill, Prosser, Northcutt
   NOOP(1) Baker
   RECAST(1) Christey
Voter Comments:
 Frech> Comment: Determine if it's RemoteWatch or Remote Watch.
 Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in
   Remote Watch (the advisory uses two words, not one, for the
   "Remote Watch" name)
   
   ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit)
   URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com
 Prosser> agree that the advisory mentions two vulnerabilities in Remote
   Watch, one being a socket connection and other with the showdisk utility
   which seems to be a suid vulnerability.  Never get much details on this
   anywhere since the recommendation is to remove the program since it is
   obsolete and superceded by later tools. Believe the biggest concern here is
   to just not run the tool at all.
 Christey> CIAC:H-16
   Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp
   And possibly AUSCERT:AA-96.07 at
   ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul
 Christey> Also BUGTRAQ:19961013 BoS: SOD remote exploit
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2
   Include "remwatch" in the description to facilitate search.


CAN-1999-0249

Phase: Proposed (19990714)

Description:
Windows NT RSHSVC program allows remote users to execute arbitrary commands.

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, Wall
   NOOP(2) Shostack, Northcutt
   RECAST(1) Christey
   REVIEWING(1) Levy
Voter Comments:
 Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows
   remote
   users to execute arbitrary commands.
   Source: rshsvc.txt from the Windows NT Resource Kit.
 Frech> XF:rsh-svc
 Christey> MSKB:Q158320, last reviewed in January 1999, refers to a case
   where remote users coming from authorized machines are
   allowed access regardless of what .rhosts says.  XF:rsh-svc
   refers to a bug circa 1997 where any remote entity could
   execute commands as system.


CAN-1999-0250

Phase: Modified (20010301-01)
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: XF:qmail-leng

Description:
Denial of service in Qmail through long SMTP commands.

Votes:

   ACCEPT(2) Meunier, Hill
   MODIFY(1) Frech
   REJECT(1) Baker
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:qmail-rcpt
 Christey> DUPE CAN-1999-0418 and CAN-1999-0144?
 Christey> Dan Bernstein, author of Qmail, says that this is not a
   vulnerability in qmail because Unix has built-in resource
   limits that can restrict the size of a qmail process; other
   limits can be specified by the administrator.  See
   http://cr.yp.to/qmail/venema.html
   
   Significant discussion of this issue took place on the qmail
   list.  The fundamental question appears to be whether 
   application software should set its own limits, or rely
   on limits set by the parent operating system (in this case,
   UNIX).  Also, some people said that the only problem was that
   the suggested configuration was not well documented, but this
   was refuted by others.
   
   See the following threads at
   http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
   "Denial of service (qmail-smtpd)"
   "qmail-dos-2.c, another denial of service"
   "[PATCH] denial of service"
   "just another qmail denial-of-service"
   "the UNIX way"
   "Time for a reality check"
   
   Also see Bugtraq threads on a different vulnerability that
   is related to this topic:
   BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
   http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
 Baker> This appears to be the same vulnerability listed in CAN 1999-0144.  In reading
   through both bugtraq postings, the one that is referenced by 0144 is
   based on a shell code exploit to cause memory exhaustion. The bugtraq
   posting referenced by this entry refers explicitly to the prior
   posting for 0144, and states that the same effect could be
   accomplished by a perl exploit, which was then attached.
 Baker> http://www.securityfocus.com/archive/1/6969    CAN-1999-0144
   http://www.securityfocus.com/archive/1/6970    CAN-1999-0250
   
   Both references should be added to CAN-1999-0144, and CAN-1999-0250
   should likely be rejected.
 CHANGE> [Baker changed vote from REVIEWING to REJECT]
 Christey> XF:qmail-leng no longer exists; check with Andre to see if they
   regarded it as a duplicate as well.
   
   qmail-dos-1.c, as published by Wietse Venema (CAN-1999-0250)
   in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not
   use any RCPT commands.  Instead, it sends long strings
   of "X" characters.  A followup by "super@UFO.ORG" includes
   an exploit that claims to do the same thing; however, that
   exploit does not send long strings of X characters - it sends
   a large number of RCPT commands.  It appears that super@ufo.org
   followed up to the wrong message.
   
   qmail-dos-2.c, as published by Wietse Venema (CAN-1999-0144)
   in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"
   sends a large number of RCPT commands.
   
   ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd)
   ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
   
   Also see a related thread:
   BUGTRAQ:19990308 SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
   
   This also describes a problem with mail servers not being able
   to handle too many "RCPT TO" requests.  A followup message
   notes that application-level protection is used in Sendmail
   to prevent this:
   BUGTRAQ:19990309 Re: SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
   The person further says, "This attack can easily be
   prevented with configuration methods."


CAN-1999-0253

Phase: Modified (2000106-01)
Reference: XF:http-iis-2e
Reference: L0PHT:19970319

Description:
IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL.

Votes:

   ACCEPT(9) Baker, Frech, Bishop, Landfield, Cole, Armstrong, Collins, Blake, Northcutt
   MODIFY(1) LeBlanc
   NOOP(3) Ozancin, Wall, Prosser
   REVIEWING(1) Christey
Voter Comments:
 Christey> This is a problem that was introduced after patching a
   previous dot bug with the iis-fix hotfix (see CAN-1999-0154).
   Since the hotfix introduced the problem, this should be
   treated as a seaprate issue.
 Wall> Agree with the comment.
 LeBlanc> - this one is so old, I don't remember it at all and can't verify or
   deny the issue. If you can find some documentation that says we fixed it (KB
   article, hotfix, something), then I would change this to ACCEPT
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> BID:1814
   URL:http://www.securityfocus.com/bid/1814


CAN-1999-0254

Phase: Proposed (19990726)
Reference: ISS:Hidden SNMP community in HP OpenView
Reference: XF:hpov-hidden-snmp-comm

Description:
A hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(1) Wall
   REVIEWING(1) Christey
Voter Comments:
 Christey> What is the proper level of abstraction to use here?  Should
   we have a separate entry for each different default community
   string?  See:
   http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and
   http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
   http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
   
   Until the associated content decisions have been approved
   by the Editorial Board, this candidate cannot be accepted
   for inclusion in CVE.


CAN-1999-0255

Phase: Proposed (19990623)

Description:
Buffer overflow in ircd allows arbitrary command execution.

Votes:

   ACCEPT(3) Baker, Hill, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser
   REJECT(1) Christey
Voter Comments:
 Frech> XF:irc-bo
 Christey> This is too general and doesn't have any references.  The
   XF reference doesn't appear toe xist any more.
   
   Perhaps this reference would help:
   BUGTRAQ:19970701 ircd buffer overflow
 Baker> It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post.


CAN-1999-0257

Phase: Proposed (19990726)

Description:
Nestea variation of teardrop IP fragmentation denial of service.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:nestea-linux-dos
 Christey> Not sure how many separate "instances" of Teardrop
   and its ilk.  Also see comments on CAN-1999-0001.
   
   See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258
   
   Is CAN-1999-0001 the same as CVE-1999-0052?  That one is related
   to nestea (CAN-1999-0257) and probably the one described in
   BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
   The patch for nestea is in ip_input.c around line 750.
   The patches for CAN-1999-0001 are in lines 388&446.  So, 
   CAN-1999-0001 is different from CAN-1999-0257 and CVE-1999-0052.
   The FreeBSD patch for CVE-1999-0052 is in line 750.
   So, CAN-1999-0257 and CVE-1999-0052 may be the same, though
   CVE-1999-0052 should be RECAST since this bug affects Linux
   and other OSes besides FreeBSD.
   
   Also see BUGTRAQ:19990909 CISCO and nestea.
   
   Finally, note that there is no fundamental difference between
   nestea and nestea2/nestea-v2; they are different ports that
   exploit the same problem.
   
   The original nestea advisory is at
   http://www.technotronic.com/rhino9/advisories/06.htm
   but notice that the suggested fix is in line 375 of
   ip_fragment.c, not ip_input.c.
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> BUGTRAQ:19980501 nestea does other things
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2
   BUGTRAQ:19980508 nestea2 and HP Jet Direct cards.
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2
   BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2
   
   Nestea source code is in
   MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html


CAN-1999-0258

Phase: Proposed (19990726)

Description:
Bonk variation of teardrop IP fragmentation denial of service.

Votes:

   MODIFY(2) Frech, Wall
   REVIEWING(1) Christey
Voter Comments:
 Wall> Reference Q179129
 Frech> XF:teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are.
   See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> BUGTRAQ:19980108 bonk.c
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88429524325956&w=2
   NTBUGTRAQ:19980108 bonk.c
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88433857200304&w=2
   NTBUGTRAQ:19980109 Re: Bonk.c
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88441302913269&w=2
   NTBUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88901842000424&w=2
   BUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88903296104349&w=2
   CIAC:I-031a
   http://ciac.llnl.gov/ciac/bulletins/i-031a.shtml
   
   CERT summary CS-98.02 implies that bonk, boink, and newtear
   all exploit the same vulnerability.


CAN-1999-0261

Phase: Modified (20000827-01)
Reference: BUGTRAQ:19980504 Netmanage Holes
Reference: MISC:http://www.insecure.org/sploits/netmanage.chameleon.overflows.html

Description:
Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, Landfield
   NOOP(3) Ozancin, Christey, Northcutt
Voter Comments:
 Frech> XF:chamelion-smtp-dos
 Landfield> - Specify what "a crash" means.
 Christey> ADDREF XF:chameleon-smtp-dos ?  (but it's not on the web site)
 Christey> Consider adding BID:2387


CAN-1999-0271

Phase: Modified (19990925-01)
Reference: BUGTRAQ:19980115 pnserver exploit..
Reference: BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?

Description:
Progressive Networks Real Video server (pnserver) can be crashed remotely.

Votes:

   ACCEPT(3) Baker, Blake, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser
   REVIEWING(1) Christey
Voter Comments:
 Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq
   posting), but may be multiple codebases since several
   Real Audio servers are affected.
   
   Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow.
   See CVE-1999-0896
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> ADDREF XF:realvideo-telnet-dos


CAN-1999-0282

Phase: Proposed (19990623)
Reference: CERT:CA-95.12.sun.loadmodule.vul

Description:
Vulnerabilities in loadmodule and modload programs in SunOS and OpenWindows

Votes:

   ACCEPT(1) Dik
   MODIFY(1) Frech
   NOOP(2) Ozancin, Christey
   RECAST(1) Prosser
Voter Comments:
 Frech> XF:sun-loadmodule
   XF:sun-modload (CERT CA-93.18 very old!)
 Prosser> Believe the reference given, 95-12,  is referencing a later
   loadmodule(8) setuid problem in the X11/NeWS windowing system.  There is an
   earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories
   for the SunOS 4.1.x/Solbourne and OpenWindow 3.0.  In fact, there may be the
   same as the HP patches are 100448-02 for the 93 loadmodule/modload
   vulnerability and 100448-03 for the 95 loadmodule vulnerability which
   normally indicated a patch update.  Looks like the original patch either
   didn't completely fix the problem or it resurfaced in X11 NeWS.  Can't tell
   much beyond that and this is my opinion only as have no way to check it.  
   Which one is this CVE referencing?  I accept both.
 Dik> There are three similar Sun bug ids associated with the patches.
   1076118 loadmodule has a security vulnerability
   1148753 loadmodule has a security vulnerability
   1222192 loadmodule has a security vulnerability
   as well as:
   1137491
   Ancient stuff.
 Christey> Add period to the end of the description.


CAN-1999-0283

Phase: Modified (19991203-01)
Reference: BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88256790401004&w=2

Description:
The Java Web Server would allow remote users to obtain the source code for CGI programs.

Votes:

   ACCEPT(7) Northcutt, Baker, Wall, Cole, Dik, Collins, Blake
   MODIFY(1) Frech
   NOOP(5) Bishop, Landfield, Armstrong, Christey, Prosser
   REVIEWING(1) Ozancin
Voter Comments:
 Wall> Acknowledged by vendor at
   http://www.sun.com/software/jwebserver/techinfo/jws112info.html.
 Baker> Vulnerability Reference (HTML)	Reference Type
   http://www.securityfocus.com/archive/1/7260	Misc Defensive Info
   http://www.sun.com/software/jwebserver/techinfo/jws112info.html Vendor Info
 Christey> BID:1891
   URL:http://www.securityfocus.com/bid/1891
 Christey> Add version number (1.1 beta) and details of attack (appending
   a . or a \)
   
   The Sun URL referenced by Dave Baker no longer exists, so I
   wasn't able to verify that it addressed the problem described
   in the Bugtraq post.  This might not even be Sun's
   "Java Web Server," as CAN-2001-0186 describes some product
   called "Free Java Web Server"
 Dik> There appears to be some confusion.
   
   The particular bug seems to be on in JWS 1.1beta or 1.1 which was fixed
   in 1.1.2 (get foo.jthml source by appending "." of "\" to URL)
   
   There are other bugs that give access and that require a configuration
   change.
   
   http://www.sun.com/software/jwebserver/techinfo/security_advisory.html
 Christey> Need to make sure to create CAN's for the other bugs,
   as documented in:
   NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS
   http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2
   BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2
   The reported bugs are:
   1) file read by appending %20
   2) Directly call /servlet/file
   URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html
   #2 is explicitly mentioned in the Sun advisory for
   CAN-1999-0283.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:javawebserver-cgi-source(5383)


CAN-1999-0284

Phase: Proposed (19990623)
Reference: XF:smtp-helo-bo

Description:
Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command.

Votes:

   ACCEPT(2) Northcutt, Blake
   MODIFY(3) Frech, Ozancin, Levy
   REVIEWING(1) Christey
Voter Comments:
 Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification)
   XF:mdaemon-helo-bo
   XF:lotus-notes-helo-crash
   XF:slmail-helo-overflow
   XF:smtp-helo-bo (mentions several products)
   XF:smtp-exchangedos
 Levy> - Need one per software. Each one should be its own
   vulnerability.
 Ozancin> => Windows NT is correct
 Christey> These are probably multiple codebases, so we'll need to use
   dot notation.  Also need to see if this should be merged
   with CAN-1999-0098 (Sendmail SMTP HELO).


CAN-1999-0285

Phase: Proposed (19990630)

Description:
Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection.

Votes:

   ACCEPT(1) Hill
   NOOP(1) Wall
   REJECT(2) Frech, Christey
Voter Comments:
 Christey> No references, no information.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> No references; closest documented match is with
   CVE-2001-0346, but that's for Windows 2000.


CAN-1999-0286

Phase: Proposed (19990714)

Description:
In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages.

Votes:

   ACCEPT(3) Shostack, Cole, Armstrong
   MODIFY(3) Levy, Wall, Blake
   NOOP(5) Northcutt, Baker, Bishop, Ozancin, Landfield
   REJECT(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Wall> In some NT web servers, appending a dot at the end of a URL may
   allows attackers to read source code for active pages.
   Source:  MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears
   in Browser"
 Frech> In the meantime, reword description as 'Windows NT' (trademark issue)
 Christey> Q163485 does not refer to a space, it refers to a dot.
   However, I don't have other references.
   
   Reading source code with a dot appended is in CAN-1999-0154,
   which will be proposed.  A subsequent bug similar to the
   dot bug is CAN-1999-0253.
 Levy> NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014
   NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019
   BID 273
 Blake> Reference:  http://www.allaire.com/handlers/index.cfm?ID=10967
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> BID articles)


CAN-1999-0287

Phase: Proposed (19990714)

Description:
Vulnerability in the Wguest CGI program.

Votes:

   MODIFY(2) Frech, Shostack
   NOOP(4) Northcutt, Levy, Wall, Blake
   REJECT(2) Baker, Christey
Voter Comments:
 Shostack> allows file reading
 Frech> XF:http-cgi-webcom-guestbook
 Christey> CAN-1999-0287 is probably a duplicate of CAN-1999-0467.  In
   NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
   Mnemonix says that he had previously reported on a similar
   problem.  Let's refer to the NTBugtraq posting as
   CAN-1999-0467.  We will refer to the "previous report" as
   CAN-1999-0287, which could be found at:
   http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
   
   0287 describes an exploit via the "template" hidden variable.
   The exploit describes manually editing the HTML form to
   change the filename to read from the template variable.
   
   The exploit as described in 0467 encodes the template variable
   directly into the URL.  However, hidden variables are also
   encoded into the URL, which would have looked the same to
   the web server regardless of the exploit.  Therefore 0287
   and 0467 are the same.
 Christey> BID:2024


CAN-1999-0298

Phase: Modified (20000524-01)
Reference: NAI:19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/06_ypbindsetme_adv.asp

Description:
ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack.

Votes:

   ACCEPT(4) Northcutt, Levy, Cole, Dik
   MODIFY(1) Frech
   NOOP(3) Baker, Shostack, Christey
Voter Comments:
 Christey> ADDREF BID:1441
   URL:http://www.securityfocus.com/bid/1441
 Dik> If you run with "-ypset", then you're always insecure.
   With ypsetme, only root on the local host
   can run ypset in Solaris 2.x+.
   Probably true for SunOS 4, hence my vote.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> ADDREF XF:ypbind-ypset-root
 CHANGE> [Dik changed vote from REVIEWING to ACCEPT]
 Dik> This vulnerability does exist in SunOS 4.x in non default configurations.
   In Solaris 2.x, the vulnerability only applies to files named "cache_binding"
   and not all files ending in .2
   Both releases are not vulnerable in the default configuration (both
   disabllow ypset by default which prevents this problem from occurring)


CAN-1999-0306

Phase: Proposed (19990714)
Reference: XF:hp-xlock

Description:
buffer overflow in HP xlock program.

Votes:

   ACCEPT(3) Northcutt, Baker, Frech
   MODIFY(1) Prosser
   NOOP(1) Shostack
   REJECT(1) Christey
Voter Comments:
 Prosser> This is another of those with multiple affected OSs.
   Refs:  CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt,
   HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150
 Christey> XF:hp-xlock points to SGI:19970502-02-PX which says this is
   the same problem as in CERT:CA-97.13, which is CVE-1999-0038.


CAN-1999-0307

Phase: Modified (19991207-01)
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: XF:hpux-cstm-bo

Description:
Buffer overflow in HP-UX cstm program allows local users to gain root privileges.

Votes:

   ACCEPT(2) Northcutt, Frech
   NOOP(3) Prosser, Baker, Shostack
   RECAST(1) Christey
Voter Comments:
 Prosser> only ref I can find is an old SOD exploit on
   www.outpost9.com
 Christey> MERGE CAN-1999-0336 (the exact exploit works with both
   cstm and mstm, which are clearly part of the same package,
   so CD:SF-EXEC says to merge them.)
   
   Also, there does not seem to be any recognition of this problem
   by HP.  The only other information besides the Bugtraq post
   is the SOD exploit.
   
   See the original post:
   http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-11-15&msg=Pine.LNX.3.91.961116112242.15276J-100000@underground.org


CAN-1999-0317

Phase: Modified (19991216-01)
Reference: BUGTRAQ:19990818 slackware-3.5 /bin/su buffer overflow
Reference: XF:su-bo

Description:
Buffer overflow in Linux su command gives root access to local users.

Votes:

   ACCEPT(3) Northcutt, Frech, Hill
   NOOP(1) Prosser
   RECAST(1) Baker
   REVIEWING(1) Christey
Voter Comments:
 Christey> DUPE CAN-1999-0845?
   Also, ADDREF XF:unixware-su-username-bo
   A report summary by Aleph One states that nobody was able to
   confirm this problem on any Linux distribution.
 Baker> If this is the same as the unixware, the n it is a dupe of 1999-0845.  There is about a two and half month difference in the bugtraq reporting of these.
   Sounds like the same bug however...
 Christey> XF:su-bo no longer seems to exist.
   How about XF:linux-subo(734) ?
   http://xforce.iss.net/static/734.php
   
   BID:475 also seems to describe the same problem
   (http://www.securityfocus.com/bid/475) in which case,
   vsyslog is blamed in:
   BUGTRAQ:19971220 Linux vsyslog() overflow
   http://www.securityfocus.com/archive/1/8274


CAN-1999-0319

Phase: Proposed (19990623)
Reference: XF:xmcd-tiflestr

Description:
Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting.

Votes:

   ACCEPT(3) Northcutt, Frech, Hill
   NOOP(2) Prosser, Baker
   REVIEWING(1) Christey
Voter Comments:
 Christey> BUGTRAQ:19961126 Security Problems in XMCD 2.1
   A followup to this post says that xmcd is not suid here.


CAN-1999-0330

Phase: Modified (20000105-01)
Reference: BUGTRAQ:19940101 (No Subject)
Reference: XF:bdash-bo

Description:
Linux bdash game has a buffer overflow that allows local users to gain root access.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Northcutt, Shostack, Wall
   REVIEWING(1) Levy
Voter Comments:
 Frech> XF:bdash-bo


CAN-1999-0331

Phase: Proposed (19990714)
Reference: XF:msie-bo

Description:
Buffer overflow in Internet Explorer 4.0(1)

Votes:

   ACCEPT(2) Northcutt, Baker
   MODIFY(2) Frech, Shostack
   RECAST(1) Prosser
   REJECT(2) LeBlanc, Christey
Voter Comments:
 Shostack> this is a high cardinality item
 Prosser> needs to be more specific.
 Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague
   duplicate)
   Description (from xfdb): Some versions of Internet Explorer for Windows
   contain a vulnerability that may crash the broswer when a malicious web site
   contains a certain kind of URL (that begins with "mk://") with more
   characters than the browser supports. 
 Christey> The description is too vague.
 LeBlanc> too vague
 Christey> Add period to the end of the description.


CAN-1999-0333

Phase: Modified (19990925-01)
Reference: RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK
Reference: HP:HPSBUX9810-085
Reference: XF:omniback-remote

Description:
HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack.

Votes:

   ACCEPT(1) Frech
   MODIFY(1) Prosser
   RECAST(1) Christey
Voter Comments:
 Prosser> additional source
   HP Security Bulletin 85
   http://us-support.external.hp.com
   http://europe-support.external.hp.com
 Christey> Two separate bugs, so SF-LOC says this candidate should be
   split
 Christey> ADDREF CIAC:J-007
   URL:http://ciac.llnl.gov/ciac/bulletins/j-007.shtml


CAN-1999-0336

Phase: Modified (19991207-01)
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: XF:hpux-mstm-bo

Description:
Buffer overflow in mstm in HP-UX allows local users to gain root access.

Votes:

   ACCEPT(2) Northcutt, Frech
   NOOP(3) Prosser, Baker, Shostack
   RECAST(1) Christey
Voter Comments:
 Prosser> same as CAN-1999-0307, only ref I can find is an old SOD
   exploit on www.outpost9.com
 Christey> MERGE CAN-1999-0307 (the exact exploit works with both
   cstm and mstm, which are clearly part of the same package,
   so CD:SF-EXEC says to merge them.)
   
   Also, there does not seem to be any recognition of this problem
   by HP.  The only other information besides the Bugtraq post
   is the SOD exploit.


CAN-1999-0345

Phase: Proposed (19990728)

Description:
Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems.

Votes:

   ACCEPT(2) Cole, Blake
   MODIFY(2) Frech, Wall
   NOOP(4) Northcutt, Bishop, Ozancin, Landfield
   RECAST(1) Meunier
   REJECT(4) Baker, Levy, LeBlanc, Armstrong
   REVIEWING(1) Christey
Voter Comments:
 Wall> Invalid ICMP datagram fragments causes a denial of service in Windows 95 and
   Windows NT systems.
   Reference: Q154174.
   Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death.
   It is a modified teardrop 2 attack.  
 Frech> XF:nt-ssping
   ADDREF XF:ping-death
   ADDREF XF:teardrop-mod
   ADDREF XF:mpeix-echo-request-dos
 Christey> I can't tell whether the Jolt exploit at:
   
   http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net
   
   is exploiting any different flaw than teardrop does.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Baker> Jolt (original) is basically just a fragmented oversized ICMP that
   kills Win boxes ala Ping of Death.
   Teardrop is altering the offset in fragmented tcp packets so that the
   end of subsequent fragments is inside first packet...
   Teardrop 2 is UDP packets, if I remember right.
   Seems like Jolt (original, not jolt 2) is just exploit code that
   creates a ping of death (CVE 1999-0128)
 Levy> I tend to agree with Baker.
 CHANGE> [Armstrong changed vote from REVIEWING to REJECT]
 Armstrong> This code does not use fragment overlap.  It is simply a large ICMP echo request.
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 LeBlanc> This is a hodge-podge of DoS attacks. Jolt isn't the same
   thing as ping of death - POD was an oversized ICMP packet, Jolt froze
   Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes.
   Teardrop and teardrop2 were related attacks (usually ICMP frag attacks),
   but each of these is a distinct vulnerability, affected a discrete group
   of systems, and should have distinct CVE numbers. CVE entries should be
   precise as to what the problem is.
 Meunier> I agree with Leblanc in that Jolt is multi-faceted.  Jolt has
   characteristics of Ping of Death AND teardrop, but it doesn't do
   either exactly.  Moreover, it sends a truncated IP fragment.  I
   disagree with Armstrong; jolt uses overlapping fragments.  It's not a
   simple ping of death either.  It may be that the author's intent was
   to construct a "super attack" somehow combining elements of other
   vulnerabilities to try to make it more potent.  In any case it
   succeeded in confusing the CVE board :-).
   
   I notice that Jolt uses echo replies (type 0) instead of echo
   requests (to get past firewalls?).  Jolt is peculiar in that it also
   sends numerous overlapping fragments.  The "Pascal Simulator" :-) says
   it sends:
   
   - 172 fragments of length 400 with offset starting at 5120 and
   increasing by about 47 (odd arithmetic of 5120 OR ((n* 380) >> 3)),
   which eventually results in sending fragments inside an already
   covered area once ((n* 380) >> 3) is greater than 5120, which occurs
   when n is reaches 108.  This would look a bit like TearDrop if
   fragments were reassembled on-the-fly.
   
   - 1 fragment such that the total length of all the fragments
   is greater than 65535 (my calculation is 172*380 + 418 = 65778; the
   comment about 65538 must be wrong).  The last packet is size 418
   according to the IP header but the buffer is of size 400.  The sendto
   takes as argument the size of the buffer so a truncated packet is
   sent.
   
   So, I am not sure if the problem is because the last packet
   doesn't extend to the payload it says it has or because the total size
   of all fragments is greater than 65535.  The author says it may take
   more than one sending, so perhaps this has to do with an incorrect
   error handling and recovery.  One would need to experiment and isolate
   each of those characteristics and test them independently.  Inasmuch
   as each of those things is likely a different vulnerability, then I
   agree with Leblanc that this entry should be split.  I'll try that if
   I ever get bored.  Jolt 2 should also have a different entry (see
   below).
   
   Jolt 2 runs in an infinite loop, sending the same fragmented
   IP packet, which can pretend to be "ICMP" or "UDP" data; however this
   is meaningless, as it's just a late fragment of an IP packet.  The
   attack works only as long as packets are sent.  According to
   http://www.securityfocus.com/archive/1/62170 the packets are
   truncated, and would overflow over the 65535 byte limit, which is
   similar to Jolt.  Note that Jolt does send that much data whereas
   jolt2 doesn't.  Since jolt2 is simpler and narrower than jolt, and it
   has weaker consequences, I believe that it's a different
   vulnerability.
   
   "Jolt 2 vulnerability causes a temporary denial-of-service in
   Windows-type OSes" would be a title for it.


CAN-1999-0347

Phase: Proposed (19990623)
Reference: BUGTRAQ:Jan26,1999
Reference: NTBUGTRAQ:Jan28,1999

Description:
Javascript bug in Internet Explorer 4.01 by adding %01URL allows reading local files and spoofing of web pages from other sites.

Votes:

   ACCEPT(4) Northcutt, Baker, Levy, LeBlanc
   MODIFY(2) Prosser, Frech
   REVIEWING(1) Christey
Voter Comments:
 Prosser> this is a modified Cross-Frame vulnerability that circumvents
   the original Cross-Frame Patch.  Addressed in MS Bulletin MS99.012
   http://www.microsoft.com/security/bulletins/ms99-012.asp
 Christey> Duplicate of CAN-1999-0490?
 LeBlanc> If Prosser is correct that this is MS99-012, accept
 Christey> BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2
   NTBUGTRAQ:19990128 Javascript %01 bug in Internet Explorer
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2
   BID:197
   URL:http://www.securityfocus.com/bid/197
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:ie-window-spoof(2069)


CAN-1999-0352

Phase: Proposed (19990721)
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-passwd-encrypt

Description:
ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(2) Northcutt, Wall
   RECAST(1) Ozancin
Voter Comments:
 Ozancin> Can we combine this with CAN-1999-0356 - ControlIT(tm) 4.5 and earlier uses
   weak encryption.


CAN-1999-0354

Phase: Proposed (19990623)
Reference: NTBUGTRAQ:Jan27,1999
Reference: MS:MS99-002
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-002.asp

Description:
Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. Also applies to Outlook when the client views a malicious email message.

Votes:

   ACCEPT(2) Ozancin, Wall
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:word97-template-macro
 Christey> CHANGEREF NTBUGTRAQ:19990127 IE 4/5/Outlook + Word 97 security hole
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91747570922757&w=2
   BID:196
   http://www.securityfocus.com/bid/196
 Christey> MSKB:Q214652
   http://support.microsoft.com/support/kb/articles/q214/6/52.asp


CAN-1999-0356

Phase: Proposed (19990721)
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-bookfile-access

Description:
ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(2) Northcutt, Wall
   RECAST(1) Ozancin

CAN-1999-0359

Phase: Proposed (20010214)
Reference: BUGTRAQ:19990127 UNIX shell modem access vulnerabilities
Reference: XF:ptylogin-dos

Description:
ptylogin in Unix systems allows users to perform a denial of service by locking out modems, dial out with that modem, or obtain passwords.

Votes:

   ACCEPT(2) Frech, Cole
Voter Comments:
 Frech> XF:ptylogin-dos 


CAN-1999-0360

Phase: Modified (20000530-01)
Reference: BUGTRAQ:19990130 Security Advisory for Internet Information Server 4 with Site
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91763097004101&w=2
Reference: NTBUGTRAQ:Jan29,1999

Description:
MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely.

Votes:

   ACCEPT(6) Northcutt, Wall, Landfield, Cole, Collins, Blake
   MODIFY(3) Baker, Frech, LeBlanc
   NOOP(4) Prosser, Ozancin, Armstrong, Christey
Voter Comments:
 Christey> I can't find the original Bugtraq posting (it appears that
   mnemonix discovered the problem).
 LeBlanc> - if there was a fix or a KB article, I'd ACCEPT. A vuln based on a
   BUGTRAQ posting we can't find could be anything. 
 Baker> Vulnerability Reference (HTML)	Reference Type
   http://www.securityfocus.com/archive/1/12218	Misc Defensive InfoVulnerability Reference (HTML)	Reference Type
   THis is the URL for the Bugtraq posting.  It was cross posted to
   NT Bugtraq as well, but identical text.  It was Mnemonix...
 Christey> BID:1811
   URL:http://www.securityfocus.com/bid/1811
 Christey> CHANGEREF BUGTRAQ add "Server 2." to the subject.
   Also standardize NTBUGTRAQ reference title.
 Christey> Add "uploadn.asp" to the description.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:siteserver-user-dir-permissions(5384)


CAN-1999-0361

Phase: Proposed (19990728)
Reference: BUGTRAQ:Jan29,1999

Description:
NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall
Voter Comments:
 Frech> XF:compulink-pw-laserfiche(1679)
   Normalize BUGTRAQ reference to:
   BUGTRAQ:19990129 Compulink LaserFiche Client/Server - unencrypted passwords


CAN-1999-0364

Phase: Modified (20000426-01)
Reference: BUGTRAQ:19990204 Microsoft Access 97 Stores Database Password as Plaintext
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91816470220259&w=2

Description:
Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data.

Votes:

   ACCEPT(2) Baker, LeBlanc
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall
Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:access-weak-passwords(1774)
   An older published reference (from our own Adam) would be
   better:
   ailab.coderpunks Newsgroup, 1998/06/23 "Re: MS Access 2.0"
   http://x15.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=365308578&CONTEXT=9192
   07028.1462108427&hitnum=1


CAN-1999-0370

Phase: Modified (19991210-01)
Reference: SUN:00184
Reference: BID:165
Reference: URL:http://www.securityfocus.com/bid/165

Description:
In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files.

Votes:

   ACCEPT(4) Prosser, Northcutt, Baker, Dik
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> Reference: XF:sun-man
 Christey> ADDREF CIAC:J-028
   
   Is the Linux man symlink problem the same as the one for Sun?
   See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1
   Also see BID:305
 Dik> sun bug 4154565


CAN-1999-0381

Phase: Proposed (19990726)
Reference: BUGTRAQ:19990225 SUPER buffer overflow
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.990225011801.12757A-100000@eleet
Reference: XF:linux-super-logging-bo
Reference: BID:342
Reference: URL:http://www.securityfocus.com/bid/342

Description:
super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access.

Votes:

   ACCEPT(7) Baker, Frech, Ozancin, Levy, Landfield, Cole, Blake
   MODIFY(1) Bishop
   NOOP(2) Wall, Armstrong
   REVIEWING(1) Christey
Voter Comments:
 Christey> Is this the same as CVE-1999-0373?  They both have the same
   X-Force reference.
   
   BID:342 suggests that there are two.
   
   http://www.debian.org/security/1999/19990215a suggests
   that there are two.  However, CVE-1999-0373 is written up in
   a fashion that is too general; and both XF:linux-super-bo and
   XF:linux-super-logging-bo refer to CVE-1999-0373.
   CVE-1999-0373 may need to be split.
   
 Frech> From what I can surmise, ISS released the original advisory (attached to
   linux-super-bo), and Sekure SDI expanded on it by releasing another related
   overflow in syslog (which is linux-super-logging-bo).
   
   When I was originally assigning these issues, I placed both XF references
   and the ISS advisory on the -0373 candidate, since there was nothing else
   available. Based on the information above, I'd request that
   XF:linux-super-logging-bo be removed from CVE-1999-0373.
 Christey> Given Andre's feedback, these are different issues.
   CVE-1999-0373 does not need to be split because the ISS
   reference is sufficient to distinguish that CVE from this
   candidate; however, the CVE-1999-0373 description should
   probably be modified slightly.
 Bishop> (as indicated by Christey)
 CHANGE> [Cole changed vote from NOOP to ACCEPT]
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> There are 2 bugs, as confirmed by the super author at:
   BUGTRAQ:19990226 Buffer Overflow in Super (new)
   http://www.securityfocus.com/archive/1/12713
   BID:397 also seems to cover this one, and it may cover
   CVE-1999-0373 as well.


CAN-1999-0389

Phase: Modified (19991207-01)
Reference: DEBIAN:19990104
Reference: BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows
Reference: BID:324
Reference: URL:http://www.securityfocus.com/bid/324

Description:
Buffer overflow in the bootp server in the Debian Linux netstd package.

Votes:

   ACCEPT(2) Ozancin, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Christey> Is CAN-1999-0389 a duplicate of CAN-1999-0798?  CAN-1999-0389
   has January 1999 dates associated with it, while CAN-1999-0798
   was reported in late December.
   
   Also, is this the same line of code as CVE-1999-0914?  Both are in
   the netstd package, it could look like a library problem.
   
   However, deep in the changelog in the
   netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes
   the following entry:
   
   +netstd (3.07-7slink.1) frozen; urgency=high
   +
   +  * bootpd:     Applied patch from Redhat as well as a fix for the overflow in
   +                report() (fixes #30675).
   +  * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow
   +                bugs.
   +
   + -- Herbert Xu <herbert@debian.org>  Sat, 19 Dec 1998 14:36:48 +1100
   
   This tells me that two separate bugs are involved.
   
   Note that Red Hat posted *some* fix for *some* bootp problem
   in June 1998.  See:
   http://www.redhat.com/support/errata/rh42-errata-general.html#bootp
 Frech> XF:debian-netstd-bo
 Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
 CHANGE> [Christey changed vote from REJECT to REVIEWING]
 Christey> The fix information for BID:324 suggests that there are two
   overflows, one of which is in handle_request (bootpd.c) and is
   likely related to a file name; but there is another issue in
   report (report.c) which also looks like a straightforward
   overflow, which would suggest that this is not a duplicate of
   CAN-1999-0798 or CVE-1999-0799.
   
   Note: see comments for CAN-1999-0798 which explain how that
   candidate is not related to CAN-1999-0799.


CAN-1999-0394

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990115 DPEC Online Courseware

Description:
DPEC Online Courseware allows an attacker to change another user's password without knowing the original password.

Votes:

   NOOP(1) Christey
   REJECT(1) Frech
Voter Comments:
 Frech> If I understand the issue, this HIGHCARD involves insecure web programming. 
   If I don't understand, mark this as my first NOOP.
 Christey> CONFIRM:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D19990803132618.16407.qmail%40securityfocus.com
   ADDREF BID:565
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=565


CAN-1999-0397

Phase: Proposed (19990728)
Reference: L0PHT:Jan21,1999
Reference: BUGTRAQ:Jan21,1999

Description:
The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.

Votes:

   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   REJECT(1) Wall
Voter Comments:
 Wall> Reject based on beta copy.
 Frech> XF:quakenbush-pw-appraiser(1652)


CAN-1999-0398

Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990123 SSH 1.x and 2.x Daemon
Reference: BUGTRAQ:19990124 SSH Daemon
Reference: XF:ssh-exp-account-access

Description:
In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
Voter Comments:
 Frech> Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet
   released. v1.2.26 should be substituted in the description for '27.
   XF:ssh-exp-account-access


CAN-1999-0399

Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990124 Mirc 5.5 'DCC Server' hole
Reference: XF:mirc-dcc-metachar-filename

Description:
The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:mirc-dcc-metachar-filename


CAN-1999-0400

Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990127 2.2.0 SECURITY (fwd)
Reference: XF:linux-kernel-ldd-dos
Reference: BID:344
Reference: URL:http://www.securityfocus.com/bid/344

Description:
Denial of service in Linux 2.2.0 running the ldd command on a core file.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
Voter Comments:
 Frech> BUGTRAQ:Jan27,1999
   (http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22&
   msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com)
   XF:linux-kernel-ldd-dos


CAN-1999-0401

Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990202 [patch] /proc race fixes for 2.2.1 (fwd)
Reference: XF:linux-race-condition-proc

Description:
A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:linux-race-condition-proc


CAN-1999-0406

Phase: Proposed (19990728)
Reference: BUGTRAQ:Feb19,1999
Reference: XF:digital-networker-bo

Description:
Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
Voter Comments:
 Frech> In description, change 'which' to 'that'.


CAN-1999-0411

Phase: Proposed (19990726)
Reference: BUGTRAQ:Feb19,1999
Reference: XF:sco-startup-scripts

Description:
Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access.

Votes:

   MODIFY(2) Baker, Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Frech> Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not
   19 February) does not mention gaining root access... it says a local user
   could
   "delete or overwrite arbitrary files on the system."
 Baker> By overwriting arbitrary files, one could then gain root access.  I agree with a minor description change to reflect this.
 Christey> Normalize Bugtraq reference to:
   BUGTRAQ:19990307 Little exploit for startup scripts (SCO 5.0.4p).
   http://marc.theaimsgroup.com/?l=bugtraq&m=92087765014242&w=2
   Also, SCO:SB-99.17
   ftp://ftp.sco.com/SSE/security_bulletins/SB-99.17c


CAN-1999-0418

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990308 SMTP server account probing
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2

Description:
Denial of service in SMTP applications such as Sendmail, when a remote attacker (e.g. spammer) uses many "RCPT TO" commands in the same connection.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
   REVIEWING(1) Christey
Voter Comments:
 Christey> DUPE CAN-1999-0144 and CAN-1999-0250?
 Frech> XF:smtp-rctpto-dos(7499)


CAN-1999-0419

Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990319 Microsoft's SMTP service broken/stupid
Reference: XF:smtp-4xx-error-dos

Description:
When the Microsoft SMTP service attempts to send a message to a server and receives a 4xx error code, it quickly and repeatedly attempts to redeliver the message, causing a denial of service.

Votes:

   MODIFY(2) Frech, LeBlanc
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:smtp-4xx-error-dos
 LeBlanc> - if we can find a KB or something that shows that this wasn't just
   user error, I'd vote ACCEPT.
 Christey> David Lemson, Microsoft SMTP Service Program Manager,
   posted a followup that said "We have confirmed this as a
   problem..."
   http://marc.theaimsgroup.com/?l=bugtraq&m=92171608127206&w=2


CAN-1999-0426

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990319 The default permissions on /dev/kmem is insecure.

Description:
The default permissions of /dev/kmem in Linux versions before 2.0.36 allows IP spoofing.

Votes:

   MODIFY(1) Frech
   REJECT(1) Christey
Voter Comments:
 Frech> XF:linux-dev-kmem-spoof
 Christey> DUPE CVE-1999-0414
   XF:linux-dev-kmem-spoof does not exist.
 Christey> *Now* XF:linux-dev-kmem-spoof(3500) exists...


CAN-1999-0427

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
Reference: XF:eudora-long-attachments

Description:
Eudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> Change version number to 4.2beta. Second to last paragraph in bugtraq
   reference states: "Both the Win 95 and Win NT versions, along with the 4.2
   beta of Eudora are affected."
 Christey> This issue seems to have been rediscovered in
   BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
   http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
   
   Also see
   BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
   http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
   
   Is this a duplicate/subsumed by CAN-1999-0004?


CAN-1999-0431

Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990324 DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug
Reference: XF:linux-zerolength-fragment

Description:
Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:linux-zerolength-fragment  
 Christey> Consider adding BID:2247


CAN-1999-0434

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990331 Bug in xfs
Reference: BID:359
Reference: URL:http://www.securityfocus.com/bid/359

Description:
XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.

Votes:

   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:xfree86-xfs-symlink-dos
 Christey> Is this the same problem as CVE-1999-0433?  CVE-1999-0433
   deals with a symlink attack on one file (/tmp/.X11-unix),
   while xfs (this candidate) deals with /tmp/.font-unix
   XF:xfree86-xfs-symlink-dos doesn't exist.
 Christey> ADDREF DEBIAN:19990331 symbolic link can be used to make any file world readable
   Note: Debian's advisory says that this is not a problem for Debian.


CAN-1999-0435

Phase: Proposed (19990623)
Reference: HP:HPSBUX9903-096

Description:
MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain privileges through SAM.

Votes:

   ACCEPT(1) Ozancin
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:hp-servicegaurd
 Christey> ADDREF CIAC:J-039


CAN-1999-0443

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990409 Patrol security bugs
Reference: URL:http://www.securityfocus.com/archive/1/13204
Reference: XF:bmc-patrol-replay

Description:
Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
Voter Comments:
 Frech> Change "Patrol management software" to "The PATROL management product from
   BMC Software".


CAN-1999-0444

Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990412 ARP problem in Windows9X/NT
Reference: XF:windows-arp-dos

Description:
Remote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
Voter Comments:
 Frech> ADDREF: XF:windows-arp-dos  


CAN-1999-0450

Phase: Proposed (19990726)
Reference: BUGTRAQ:19990122 Perl.exe and IIS security advisory
Reference: BID:194
Reference: URL:http://www.securityfocus.com/bid/194

Description:
In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe) .

Votes:

   ACCEPT(2) Ozancin, Wall
   NOOP(1) Christey
   REJECT(2) Frech, LeBlanc
Voter Comments:
 Frech> Can't find in database.
 Christey> This looks like another discovery of CAN-2000-0071 
 LeBlanc> - I just tried to repro this based on the BUGTRAQ vuln information,
   and it does not repro - 
   GET /bogus.pl HTTP/1.0
   HTTP/1.1 404 Object Not Found
   Server: Microsoft-IIS/5.0
   Date: Thu, 05 Oct 2000 21:04:20 GMT
   Content-Length: 3243
   Content-Type: text/html
   No path is returned whatsoever. This may have been a problem on some version
   of IIS in the past, but the BUGTRAQ ID says all versions are vulnerable.
   Let's try and figure out what version had the problem, whether it is
   intrinsic to IIS or the result of adding a 3rd party implementation of perl,
   and when it got fixed, then we can try again.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Christey> Add "no-such-file.pl" as an example to the desc, to facilitate
   search (it's used by CGI scanners and in the original example)


CAN-1999-0451

Phase: Proposed (19990726)
Reference: BUGTRAQ:Jan19,1999
Reference: BID:343
Reference: URL:http://www.securityfocus.com/bid/343

Description:
Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port.

Votes:

   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:linux-ports-dos(8364)


CAN-1999-0452

Phase: Proposed (19990726)

Description:
A service or application has a backdoor password that was placed there by the developer.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Frech
Voter Comments:
 Frech> Much too broad. Also may be HIGHCARD (or will be in the future).
 Baker> I think we want to address this using the dot notation idea.  We do need to address this, just not a separate entry for every single occurance.


CAN-1999-0453

Phase: Modified (20010425-01)
Reference: BUGTRAQ:19990118 Remote Cisco Identification

Description:
An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Dicsovery Protocol (CDP).

Votes:

   ACCEPT(2) Baker, Balinsky
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:cisco-ident(2289)
   ADDREF BUGTRAQ:19990118 Remote Cisco Identification
   In description, probably better to use "Cisco" as product/company name.
 Balinsky> CiscoSecure IDS has a signature for this...ID 3602 Cisco IOS Identity.
 Christey> There may be a slight abstraction problem here, e.g. look
   at the candidate for queso/nmap; also see followup Bugtraq post
   from "Basement Research" on 19990120 which says that there are
   many other features in Cisco products that allow remote
   identification.


CAN-1999-0454

Phase: Proposed (19990728)

Description:
A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Christey
   REJECT(1) Northcutt
Voter Comments:
 Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced
   ways to accomplish this.  To pursue making the world signature free
   is as much a vulnerability as having signatures, nay more.
 Frech> XF:decod-nmap(2053)
   XF:decod-queso(2048)
 Christey> Add "fingerprinting" to facilitate search.
   Some references:
   MISC:http://www.insecure.org/nmap/nmap-fingerprinting-article.html
   BUGTRAQ:19981228 A few more fingerprinting techniques - time and netmask
   http://marc.theaimsgroup.com/?l=bugtraq&m=91489155019895&w=2
   BUGTRAQ:19990222 Preventing remote OS detection
   http://marc.theaimsgroup.com/?l=bugtraq&m=91971553006937&w=2
   BUGTRAQ:20000901 ICMP Usage In Scanning v2.0 - Research Paper
   http://marc.theaimsgroup.com/?l=bugtraq&m=96791499611849&w=2
   BUGTRAQ:20000912 Using the Unused (Identifying OpenBSD,
   http://marc.theaimsgroup.com/?l=bugtraq&m=96879267724690&w=2
   BUGTRAQ:20000912 The DF Bit Playground (Identifying Sun Solaris & OpenBSD OSs)
   http://marc.theaimsgroup.com/?l=bugtraq&m=96879481129637&w=2
   BUGTRAQ:20000816 TOSing OSs out of the window / Fingerprinting Windows 2000 with
   http://marc.theaimsgroup.com/?l=bugtraq&m=96644121403569&w=2
   BUGTRAQ:20000609 p0f - passive os fingerprinting tool
   http://marc.theaimsgroup.com/?l=bugtraq&m=96062535628242&w=2


CAN-1999-0455

Phase: Modified (19991210-01)
Reference: ALLAIRE:ASB-001
Reference: XF:coldfusion-expression-evaluator
Reference: BID:115
Reference: URL:http://www.securityfocus.com/bid/115

Description:
The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly.

Votes:

   ACCEPT(3) Frech, Ozancin, Balinsky
   MODIFY(1) Wall
   REVIEWING(1) Christey
Voter Comments:
 Wall> The reference should be ASB99-01 (Expression Evaluator Security Issues)
   make application plural since there are three sample applications
   (openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm).
 Christey> The CD:SF-EXEC and CD:SF-LOC content decisions apply here.
   Since there are 3 separate "executables" with the same
   (or similar) problem, we need to make sure that CD:SF-EXEC
   determines what to do here.  There is evidence that some
   of these .cfm scripts have an "include" file, and if so, 
   then CD:SF-LOC says that we shouldn't make separate entries
   for each of these scripts.  On the other hand, the initial
   L0pht discovery didn't include all 3 of these scripts, and
   as far as I can tell, Allaire had patched the first problem
   before the others were discovered.  So, CD:DISCOVERY-DATE
   may argue that we should split these because the problems
   were discovered and patched at different times.
   
   In any case, this candidate can not be accepted until the
   Editorial Board has accepted the CD:SF-EXEC, CD:SF-LOC,
   and CD:DISCOVERY-DATE content decisions.


CAN-1999-0459

Phase: Proposed (19990728)
Reference: XF:linux-milo-halt

Description:
Local users can perform a denial of service in Alpha Linux, using MILO to force a reboot.

Votes:

   ACCEPT(1) Frech
   NOOP(1) Northcutt
   REJECT(1) Wall
Voter Comments:
 Wall> Reject based on beta copy.


CAN-1999-0460

Phase: Proposed (19990726)
Reference: BUGTRAQ:19990218 Linux autofs overflow in 2.0.36+
Reference: BID:312
Reference: URL:http://www.securityfocus.com/bid/312

Description:
Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service.

Votes:

   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:linux-autofs-bo(8365)


CAN-1999-0461

Phase: Proposed (19990728)

Description:
Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source address.

Votes:

   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> ADDREF XF:pmap-sset
 Christey> CAN-1999-0195 = CAN-1999-0461 ?
   If this is approved over CAN-1999-0195, make sure it gets
   XF:pmap-sset


CAN-1999-0462

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990114 Secuity hole with perl (suidperl) and nosuid mounts on Linux
Reference: BID:339
Reference: URL:http://www.securityfocus.com/bid/339

Description:
suidperl in Linux Perl does not check the nosuid mount option on file systems, allowing local users to gain root access by placing a setuid script in a mountable file system, e.g. a CD-ROM or floppy disk.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:perl-suidperl-bo
 Christey> XF:perl-suidperl-bo doesn't exist.


CAN-1999-0465

Phase: Proposed (19990728)
Reference: XF:http-img-overflow

Description:
Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter.

Votes:

   ACCEPT(2) Northcutt, Frech
   REJECT(2) LeBlanc, Wall
Voter Comments:
 Wall> Reject based on client-side DoS
 LeBlanc> Client side DOS


CAN-1999-0467

Phase: Modified (20000106-01)
Reference: NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
Reference: XF:http-cgi-webcom-guestbook

Description:
The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter.

Votes:

   ACCEPT(4) Blake, Frech, Ozancin, Landfield
   NOOP(2) Northcutt, Christey
Voter Comments:
 Christey> CAN-1999-0287 is probably a duplicate of CAN-1999-0467.  In
   NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
   Mnemonix says that he had previously reported on a similar
   problem.  Let's refer to the NTBugtraq posting as
   CAN-1999-0467.  We will refer to the "previous report" as
   CAN-1999-0287, which can be found at:
   http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
   
   0287 describes an exploit via the "template" hidden variable.
   The exploit describes manually editing the HTML form to
   change the filename to read from the template variable.
   
   The exploit as described in 0467 encodes the template variable
   directly into the URL.  However, hidden variables are also
   encoded into the URL, which would have looked the same to
   the web server regardless of the exploit.  Therefore 0287
   and 0467 are the same.
 Christey> 
   The CD:SF-EXEC content decision also applies here.  We have 2
   programs, wguest.exe and rguest.exe, which appear to have the
   same problem.  CD:SF-EXEC needs to be accepted by the Editorial
   Board before this candidate can be converted into a CVE
   entry.  When finalized, CD:SF-EXEC will decide whether
   this candidate should be split or not.
 Christey> BID:2024


CAN-1999-0469

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990409 IE 5.0 security vulnerabilities - %01 bug again
Reference: XF:ie-window-spoof

Description:
Internet Explorer 5.0 allows window spoofing, allowing a remote attacker to spoof a legitimate web site and capture information from the client.

Votes:

   ACCEPT(1) Wall
   NOOP(1) Northcutt
   REJECT(3) Frech, LeBlanc, Christey
Voter Comments:
 Wall> Reference: Microsoft Security Bulletin MS99-012
 Christey> DUPE CAN-1999-0488
 Frech> Defer to Christey's vote.
   However, XF:ie-mshtml-crossframe(2216) assigned to CAN-1999-0488.
 LeBlanc> Duplicate


CAN-1999-0476

Phase: Proposed (19990721)
Reference: BUGTRAQ:19990331 Potential vulnerability in SCO TermVision Windows 95 client
Reference: XF:sco-termvision-password

Description:
A weak encryption algorithm is used for passwords in SCO TermVision, allowing them to be easily decrypted by a local user.

Votes:

   ACCEPT(3) Baker, Frech, Ozancin
   NOOP(3) Northcutt, LeBlanc, Wall

CAN-1999-0477

Phase: Modified (19991210-01)
Reference: L0PHT:Cold Fusion App Server
Reference: XF:coldfusion-expression-evaluator
Reference: BID:115
Reference: URL:http://www.securityfocus.com/bid/115

Description:
The Expression Evaluator in the ColdFusion Application Server allows a remote attacker to upload files to the server via openfile.cfm, which does not restrict access to the server properly.

Votes:

   ACCEPT(3) Frech, Ozancin, Christey
   REJECT(1) Wall
Voter Comments:
 Wall> Duplicate of 0455
 Christey> CAN-1999-0477 and CAN-1999-0455 were discovered at different
   times.  Also, the attack was different.  So "Same Attack" and
   "Same Time of Discovery" dictate that these should remain
   separate.


CAN-1999-0480

Phase: Modified (20000106-01)
Reference: BUGTRAQ:19980315 Midnight Commander /tmp race

Description:
Local attackers can conduct a denial of service in Midnight Commander 4.x with a symlink attack.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:midnight-commander-symlink-dos
 Christey> XF:midnight-commander-symlink-dos(3505)


CAN-1999-0486

Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990420 AOL Instant Messenger URL Crash

Description:
Denial of service in AOL Instant Messenger when a remote attacker sends a malicious hyperlink to the receiving client, potentially causing a system crash.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:aol-im.
 Christey> XF:aol-im appears to be related to the problem discussed in
   BUGTRAQ:19980224 AOL Instant Messanger Bug
   
   This one is related to BUGTRAQ:19990420 AOL Instant Messenger URL Crash


CAN-1999-0488

Phase: Modified (19991205-01)
Reference: MS:MS99-012
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-012.asp

Description:
Internet Explorer 4.0 and 5.0 allows a remote attacker to execute security scripts in a different security context using malicious URLs, a variant of the "cross frame" vulnerability.

Votes:

   ACCEPT(1) Landfield
   MODIFY(2) Frech, Wall
   NOOP(2) Ozancin, Christey
Voter Comments:
 Frech> XF:ie-mshtml-crossframe
 Wall> (source: MSKB:Q168485)
 Christey> CAN-1999-0469 appears to be a duplicate; prefer this one over
   that one, since this one has an MS advisory.  Confirm with
   Microsoft that these are really duplicates.
   
   Also review CVE-1999-0487, which appears to be a similar
   bug.


CAN-1999-0489

Phase: Modified (19991205-01)
Reference: MS:MS99-015
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-015.asp

Description:
MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste a file name into the file upload intrinsic control, a variant of "untrusted scripted paste" as described in MS:MS98-013.

Votes:

   ACCEPT(1) Levy
   MODIFY(1) Wall
   NOOP(1) Ozancin
   RECAST(1) Prosser
   REJECT(1) Christey
   REVIEWING(1) Frech
Voter Comments:
 Frech> Wasn't Untrusted scripted paste MS98-015? I can find no mention of a
   clipboard in either.
   I cannot proceed on this one without further clarification.
 Wall> (source: MS:MS99-012)
 Prosser> agree with Andre here.  The Untrusted Scripted paste
   vulnerability was originally addressed in MS98-015 and it is in the file
   upload intrinsic control in which an attacker can paste the name of a file
   on the target's drive in the control and a form submission would then send
   that file from the attacked machine to the remote web site.  This one has
   nothing to do with the clipboard.  What the advisory mentioned here,
   MS99-012, does is replace the MSHTML parsing engine which is supposed to fix
   the original Untrusted Scripted Paste issue and a variant, as well as the
   two Cross-Frame variants and a privacy issue in IMG SRC.  
   The vulnerability that allowed reading of a user's clipboard is the Forms
   2.0 Active X control vulnerability discussed in MS99-01
 Christey> The advisory should have been listed as MS99-012.  
   CVE-1999-0468 describes the untrusted scripted paste problem
   in MS99-012.
 Frech> Pending response to guidance request. 12/6/01.


CAN-1999-0490

Phase: Modified (19991205-01)
Reference: MS:MS99-012
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-012.asp

Description:
MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn information about a local user's files via an IMG SRC tag.

Votes:

   ACCEPT(2) Wall, Landfield
   MODIFY(1) Frech
   NOOP(1) Ozancin
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:ie-scriplet-fileread
 Christey> Duplicate of CAN-1999-0347?


CAN-1999-0492

Phase: Proposed (19990726)
Reference: BUGTRAQ:Apr23,1999

Description:
The ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses.

Votes:

   ACCEPT(3) Northcutt, Armstrong, Collins
   MODIFY(4) Blake, Baker, Frech, Shostack
   NOOP(4) Wall, Landfield, Cole, Christey
   REVIEWING(1) Ozancin
Voter Comments:
 Shostack> isn't that what finger is supposed to do?
 Landfield> Maybe we need a new category of "unsafe system utilities and protocols"
 Blake> Ffingerd 1.19 allows remote attackers to differentiate valid and invalid
   usernames on the target system based on its responses to finger queries.
 Christey> CHANGEREF BUGTRAQ [canonicalize]
   BUGTRAQ:19990423 Ffingerd privacy issues
   http://marc.theaimsgroup.com/?l=bugtraq&m=92488772121313&w=2
   
   Here's the nature of the problem.
   (1) FFingerd allows users to decide not to be fingered,
   printing a message "That user does not want to be fingered"
   (2) If the fingered user does not exist, then FFingerd's
   intended default is to print that the user does not
   want to be fingered; however, the error message has a
   period at the end.
   Thus, ffingerd can allow someone to determine who valid users
   on the server are, *in spite of* the intended functionality of
   ffingerd itself.  Thus this exposure should be viewed in light
   of the intended functionality of the application, as opposed
   to the common usage of the finger protocol in general.
   
   Also, the vendor posted a followup and said that a patch was
   available.  See:
   http://marc.theaimsgroup.com/?l=bugtraq&m=92489375428016&w=2
 Baker> Vulnerability Reference (HTML)	Reference Type
   http://www.securityfocus.com/archive/1/13422	Misc Defensive Info
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:ffinger-user-info(5393)


CAN-1999-0495

Phase: Proposed (19990728)

Description:
A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares.

Votes:

   ACCEPT(6) Blake, Northcutt, Baker, Ozancin, Cole, Collins
   MODIFY(1) Frech
   NOOP(4) Bishop, Wall, Landfield, Armstrong
   REVIEWING(2) Levy, Christey
Voter Comments:
 Frech> XF:nb-dotdotknown(837)
   References would be appreciated. We've got no reference for this issue;
   confidence rating is consequently low. 
 Levy> Some refernces:
   http://www.securityfocus.com/archive/1/3894
   http://www.securityfocus.com/archive/1/3533
   http://www.securityfocus.com/archive/1/3535


CAN-1999-0497

Phase: Proposed (19990728)

Description:
Anonymous FTP is enabled

Votes:

   ACCEPT(1) Shostack
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Northcutt
Voter Comments:
 Frech> ftp-anon(52) at http://xforce.iss.net/static/52.php
   ftp-anon2(543) at http://xforce.iss.net/static/543.php
 Christey> Add period to the end of the description.


CAN-1999-0498

Phase: Modified (19990925-01)
Reference: CERT:CA-91.18.Active.Internet.tftp.Attacks

Description:
TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files.

Votes:

   ACCEPT(3) Blake, Northcutt, Hill
   MODIFY(1) Frech
   NOOP(1) Baker
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:linux-tftp
 Christey> XF:linux-tftp refers to CAN-1999-0183


CAN-1999-0499

Phase: Proposed (19990721)

Description:
NETBIOS share information may be published through SNMP registry keys in NT.

Votes:

   ACCEPT(5) Northcutt, Baker, Shostack, Ozancin, Wall
   MODIFY(1) Frech
   REJECT(1) LeBlanc
Voter Comments:
 Frech> Change wording to 'Windows NT.'
   XF:snmp-netbios
 LeBlanc> Share info can be obtained via SNMP queries, but I question
   whether this is a vulnerability. The system can be configured not to do
   this, and one may argue that SNMP itself is an insecure configuration.
   Furthermore, the share information isn't published via registry keys -
   the description could refer to more than one actual issue. SNMP is meant
   to allow people to obtain information about systems. I'm willing to
   discuss this with the rest of the board.


CAN-1999-0501

Phase: Proposed (19990714)

Description:
A Unix account has a guessable password.

Votes:

   ACCEPT(3) Northcutt, Baker, Shostack
   RECAST(2) Frech, Meunier
   REVIEWING(1) Christey
Voter Comments:
 Frech> Guessable falls into the class of CAN-1999-0502, since I can guess a
   default, null, etc. password.
   Suggest changing to something like "has an existing non-default password
   that can be guessed."
   I'm also including default passwords in this entry. 
   In that vein, we show the following references:
   XF:user-password
   XF:passwd-username
   XF:default-unix-sync
   XF:default-unix-4dgifts
   XF:default-unix-bin
   XF:default-unix-daemon
   XF:default-unix-lp
   XF:default-unix-me
   XF:default-unix-nuucp
   XF:default-unix-root
   XF:default-unix-toor
   XF:default-unix-tour
   XF:default-unix-tty
   XF:default-unix-uucp
 Christey> This candidate is affected by the CD:CF-PASS content decision,
   which determines the appropriate level of abstraction to
   use for password problems.  CD:CF-PASS needs to be accepted
   by the Editorial Board before this candidate can be
   converted into a CVE entry; the final version of CD:CF-PASS
   may require using a different LOA than this candidate is
   currently using.
 CHANGE> [Meunier changed vote from ACCEPT to RECAST]
 Meunier> This relates only to account password technology, so this candidate is
   independent of the operating system, application, web site or other
   application of this technology.  The appropriate (natural) level of
   abstraction is therefore without specifying that it is for UNIX.
   Change the description to "An account has a guessable password other
   than default, null, blank."  This should satisfy Andre's objection.
   
   This Candidate should be merged with any candidate relating to
   account password technology where "Unix" in the original description
   can be replaced by something else.


CAN-1999-0502

Phase: Proposed (19990714)

Description:
A Unix account has a default, null, blank, or missing password.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:passwd-blank
   XF:no-pass
   XF:dict
   XF:sgi-accounts
   XF:linux-caldera-lisa
 Christey> This candidate is affected by the CD:CF-PASS content decision,
   which determines the appropriate level of abstraction to
   use for password problems.  CD:CF-PASS needs to be accepted
   by the Editorial Board before this candidate can be
   converted into a CVE entry; the final version of CD:CF-PASS
   may require using a different LOA than this candidate is
   currently using.


CAN-1999-0503

Phase: Proposed (19990714)

Description:
A Windows NT local user or administrator account has a guessable password.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> Note: I am assuming that this entry includes Windows 2000 accounts and
   machine/service accounts listed in User Manager.
   XF:nt-guess-admin
   XF:nt-guess-user
   XF:nt-guess-guest
   XF:nt-guessed-operpwd
   XF:nt-guessed-powerwd
   XF:nt-guessed-disabled
   XF:nt-guessed-backup
   XF:nt-guessed-acctoper-pwd
   XF:nt-adminuserpw
   XF:nt-guestuserpw
   XF:nt-accountuserpw
   XF:nt-operator-userpw
   XF:nt-service-user-pwd
   XF:nt-server-oper-user-pwd
   XF:nt-power-user-pwd
   XF:nt-backup-operator-userpwd
   XF:nt-disabled-account-userpwd
 Christey> This candidate is affected by the CD:CF-PASS content decision,
   which determines the appropriate level of abstraction to
   use for password problems.  CD:CF-PASS needs to be accepted
   by the Editorial Board before this candidate can be
   converted into a CVE entry; the final version of CD:CF-PASS
   may require using a different LOA than this candidate is
   currently using.


CAN-1999-0504

Phase: Proposed (19990714)

Description:
A Windows NT local user or administrator account has a default, null, blank, or missing password.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:nt-guestblankpw
   XF:nt-adminblankpw
   XF:nt-adminnopw
   XF:nt-usernopw
   XF:nt-guestnopw
   XF:nt-accountblankpw
   XF:nt-nopw
   XF:nt-operator-blankpwd
   XF:nt-server-oper-blank-pwd
   XF:nt-power-user-blankpwd
   XF:nt-backup-operator-blankpwd
   XF:nt-disabled-account-blankpwd
 Christey> This candidate is affected by the CD:CF-PASS content decision,
   which determines the appropriate level of abstraction to
   use for password problems.  CD:CF-PASS needs to be accepted
   by the Editorial Board before this candidate can be
   converted into a CVE entry; the final version of CD:CF-PASS
   may require using a different LOA than this candidate is
   currently using.


CAN-1999-0505

Phase: Proposed (19990714)

Description:
A Windows NT domain user or administrator account has a guessable password.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:nt-guessed-domain-userpwd
   XF:nt-guessed-domain-guestpwd
   XF:nt-guessed-domain-adminpwd
   XF:nt-domain-userpwd
   XF:nt-domain-admin-userpwd
   XF:nt-domain-guest-userpwd
   XF:win2k-certpub-usrpwd
   XF:win2k-dhcpadm-usrpwd
   XF:win2k-dnsadm-usrpwd
   XF:win2k-entadm-usrpwd
   XF:win2k-schema-usrpwd
   XF:win2k-guessed-certpub
   XF:win2k-guessed-dhcpadm
   XF:win2k-guessed-dnsadm
   XF:win2k-guessed-entadm
   XF:win2k-guessed-schema


CAN-1999-0506

Phase: Proposed (19990714)

Description:
A Windows NT domain user or administrator account has a default, null, blank, or missing password.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:nt-domain-admin-blankpwd
   XF:nt-domain-admin-nopwd
   XF:nt-domain-guest-blankpwd
   XF:nt-domain-guest-nopwd
   XF:nt-domain-user-blankpwd
   XF:nt-domain-user-nopwd
   XF:win2k-certpub-blnkpwd
   XF:win2k-dhcpadm-blnkpwd
   XF:win2k-dnsadm-blnkpwd
   XF:win2k-entadm-blnkpwd
   XF:win2k-schema-blnkpwd


CAN-1999-0507

Phase: Proposed (19990714)

Description:
An account on a router, firewall, or other network device has a guessable password.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:firewall-tisopen
   XF:firewall-raptoropen
   XF:firewall-msopen
   XF:firewall-checkpointopen
   XF:firewall-ciscoopen


CAN-1999-0508

Phase: Proposed (19990714)

Description:
An account on a router, firewall, or other network device has a default, null, blank, or missing password.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> Note: Because the distinction between network hardware and software is not
   distinct, 
   the term 'network device' was liberally interpreted. Feel free to reject any
   of the
   below terms.
   XF:default-netranger
   XF:cayman-gatorbox
   XF:breezecom-default-passwords
   XF:default-portmaster
   XF:wingate-unpassworded
   XF:netopia-unpassworded
   XF:default-bay-switches
   XF:motorola-cable-default-pass
   XF:default-flowpoint
   XF:qms-2060-no-root-password
   XF:avirt-ras-password
   XF:webtrends-rtp-serv-install-password
   XF:cisco-bruteforce
   XF:cisco-bruteadmin
   XF:sambar-server-defaults
   XF:management-pfcuser
   XF:http-cgi-wwwboard-default
 Christey> DELREF XF:avirt-ras-password - does not fit CAN-1999-0508.


CAN-1999-0509

Phase: Modified (20000114-01)
Reference: CERT:CA-96.11

Description:
Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands.

Votes:

   ACCEPT(2) Northcutt, Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Christey> What is the right level of abstraction to use here?  Should
   we combine all possible interpreters into a single entry,
   or have a different entry for each one?  I've often seen
   Perl separated from other interpreters - is it included
   by default in some Windows web server configurations?
 Christey> Add tcsh, zsh, bash, rksh, ksh, ash, to support search.
 Frech> XF:http-cgi-vuln(146)


CAN-1999-0510

Phase: Proposed (19990726)

Description:
A router or firewall allows source routed packets from arbitrary hosts.

Votes:

   ACCEPT(2) Northcutt, Baker
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:source-routing


CAN-1999-0511

Phase: Proposed (19990726)

Description:
IP forwarding is enabled on a machine which is not a router or firewall.

Votes:

   ACCEPT(2) Northcutt, Baker
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:ip-forwarding


CAN-1999-0512

Phase: Modified (20020427-01)

Description:
A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers.

Votes:

   ACCEPT(3) Northcutt, Baker, Shostack
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:smtp-sendmail-relay(210)
   XF:ntmail-relay(2257)
   XF:exchange-relay(3107) (also assigned to CVE-1999-0682)
   XF:smtp-relay-uucp(3470)
   XF:sco-sendmail-spam(4342)
   XF:sco-openserver-mmdf-spam(4343)
   XF:lotus-domino-smtp-mail-relay(6591)
   XF:win2k-smtp-mail-relay(6803)
   XF:cobalt-poprelayd-mail-relay(6806)
   
   Candidate implicitly may refer to relaying settings enabled by default, or
   the bypass/circumvention of relaying. Both interpretations were used in
   assigning this candidate.
 Christey> The intention of this candidate is to cover configurations in
   which the admin has explicitly enabled relaying.  Other cases
   in which the application *intends* to prvent relaying, but
   there is some specific input that bypasses/tricks it, count
   as vulnerabilities (or exposures?) and as such would be
   assigned different numbers.
   
   http://www.sendmail.org/~ca/email/spam.html seems like a good
   general resource, as does ftp://ftp.isi.edu/in-notes/rfc2505.txt
 Christey> I changed the description to make it more clear that the issue
   is that of explicit configuration, as opposed to being the
   result of a vulnerability.


CAN-1999-0515

Phase: Proposed (19990728)

Description:
An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv.

Votes:

   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   REJECT(1) Shostack
Voter Comments:
 Shostack> Overly broad
 Frech> XF:rsh-equiv(111)


CAN-1999-0516

Phase: Proposed (19990714)

Description:
An SNMP community name is guessable.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:snmp-get-guess
   XF:snmp-set-guess
   XF:sol-hidden-commstr
   XF:hpov-hidden-snmp-comm
 Christey> This candidate is affected by the CD:CF-PASS content decision,
   which determines the appropriate level of abstraction to
   use for password problems.  CD:CF-PASS needs to be accepted
   by the Editorial Board before this candidate can be
   converted into a CVE entry; the final version of CD:CF-PASS
   may require using a different LOA than this candidate is
   currently using.


CAN-1999-0517

Phase: Proposed (19990714)

Description:
An SNMP community name is the default (e.g. public), null, or missing.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:nt-snmp
   XF:snmp-comm
   XF:snmp-set-any
   XF:snmp-get-public
   XF:snmp-set-public
   XF:snmp-get-any
 Christey> This candidate is affected by the CD:CF-PASS content decision,
   which determines the appropriate level of abstraction to
   use for password problems.  CD:CF-PASS needs to be accepted
   by the Editorial Board before this candidate can be
   converted into a CVE entry; the final version of CD:CF-PASS
   may require using a different LOA than this candidate is
   currently using.
 Christey> Consider adding BID:2112


CAN-1999-0518

Phase: Proposed (19990714)

Description:
A NETBIOS/SMB share password is guessable.

Votes:

   ACCEPT(5) Northcutt, Baker, Shostack, LeBlanc, Meunier
   MODIFY(1) Frech
Voter Comments:
 Frech> Change description term to NetBIOS.
   XF:nt-netbios-perm
   XF:sharepass
   XF:win95-smb-password
   XF:nt-netbios-dict


CAN-1999-0519

Phase: Proposed (19990714)

Description:
A NETBIOS/SMB share password is the default, null, or missing.

Votes:

   ACCEPT(5) Northcutt, Baker, Shostack, LeBlanc, Meunier
   MODIFY(1) Frech
Voter Comments:
 Frech> Change description term to NetBIOS.
   XF:decod-smb-password-empty
   XF:nt-netbios-everyoneaccess
   XF:nt-netbios-guestaccess
   XF:nt-netbios-allaccess
   XF:nt-netbios-open
   XF:nt-netbios-write
   XF:nt-netbios-shareguest
   XF:nt-writable-netbios
   XF:nt-netbios-everyoneaccess-printer
   XF:nt-netbios-share-print-guest


CAN-1999-0520

Phase: Proposed (19990803)

Description:
A system-critical NETBIOS/SMB share has inappropriate access control.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   RECAST(1) Northcutt
   REJECT(1) LeBlanc
   REVIEWING(1) Christey
Voter Comments:
 Northcutt> I think we need to enumerate the shares and or the access control
 Christey> One question is, what is "inappropriate"?  It's probably
   very dependent on the policy of the enterprise on which
   this is found.  And should writable shares be different
   from readable shares?  (Or file systems, mail spools, etc.)
   Yes, the impact may be different, but we could have a
   large number of entries for each possible type of access.
   A content decision (CD:CF-DATA) needs to be reviewed
   and accepted by the Editorial Board in order to resolve
   this question.
 LeBlanc> Unacceptably vague - agree with Christey's comments.
 Frech> associated to:
   XF:nt-netbios-everyoneaccess(1)
   XF:nt-netbios-guestaccess(2)
   XF:nt-netbios-allaccess(3)
   XF:nt-netbios-open(15)
   XF:nt-netbios-write(19)
   XF:nt-netbios-shareguest(20)
   XF:nt-writable-netbios(26)
   XF:nb-rootshare(393)
   XF:decod-smb-password-empty(2358)


CAN-1999-0521

Phase: Proposed (19990714)

Description:
An NIS domain name is easily guessable.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:nis-dom
 Christey> Consider http://www.cert.org/advisories/CA-1992-13.html
   as well as ftp://ciac.llnl.gov/pub/ciac/bulletin/c-fy92/c-25.ciac-sunos-nis-patch


CAN-1999-0522

Phase: Proposed (19990803)
Reference: CERT:CA-96.10

Description:
The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate.

Votes:

   ACCEPT(1) Wall
   NOOP(1) Christey
   RECAST(1) Northcutt
Voter Comments:
 Northcutt> Why not say world readable, this is what you do further down in the
   file (world exportable in CAN-1999-0554)
 Christey> ADDREF AUSCERT:AA-96.02


CAN-1999-0523

Phase: Proposed (19990726)

Description:
ICMP echo (ping) is allowed from arbitrary hosts.

Votes:

   MODIFY(1) Meunier
   REJECT(2) Northcutt, Frech
Voter Comments:
 Northcutt> (Though I sympathize with this one :)
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> Ping is a utility that can be run on demand; ICMP echo is a
   message 
   type. As currently worded, this candidate seems as if an arbitrary
   host 
   is vulnerable because it is capable of running an arbitrary program
   or
   function (in this case, ping/ICMP echo). There are many
   programs/functions that 
   'shouldn't' be on a computer, from a security admin's perspective.
   Even if this
   were a vulnerability, it would be impacted by CD-HIGHCARD.
 Meunier> Every ICMP message type presents a vulnerability or an
   exposure, if access is not controlled.  By that I mean not only those
   in RFC 792, but also those in RFC 1256, 950, and more.  I think that
   the description should be changed to "ICMP messages are acted upon
   without any access control".  ICMP is an error and debugging protocol.
   We complain about vendors leaving testing backdoors in their programs.
   ICMP is the equivalent for TCP/IP.  ICMP should be in the dog house,
   unless you are trying to troubleshoot something.  MTU discovery is
   just a performance tweak -- it's not necessary.  I don't know of any
   ICMP message type that is necessary if the network is functional.
   Limited logging of ICMP messages could be useful, but acting upon them
   and allowing the modification of routing tables, the behavior of the
   TCP/IP stack, etc... without any form of authentication is just crazy.


CAN-1999-0524

Phase: Proposed (19990726)

Description:
ICMP information such as netmask and timestamp is allowed from arbitrary hosts.

Votes:

   MODIFY(2) Frech, Meunier
   REJECT(1) Northcutt
Voter Comments:
 Frech> XF:icmp-timestamp
   XF:icmp-netmask
 Meunier> If this is not merged with 1999-0523 as I commented for that
   CVE, then the description should be changed to "ICMP messages of types
   13 and 14 (timestamp request and reply) and 17 and 18 (netmask request
   and reply) are acted upon without any access control".  It's a more
   precise and correct language.  I believe that this is a valid CVE
   entry (it's a common source of vulnerabilities or exposures) even
   though I see that the inferred action was "reject".  Knowing the time
   of a host also allows attacks against random number generators that
   are seeded with the current time.  I want to push to have it accepted.


CAN-1999-0525

Phase: Proposed (19990726)

Description:
IP traceroute is allowed from arbitrary hosts.

Votes:

   MODIFY(1) Frech
   REJECT(1) Northcutt
Voter Comments:
 Frech> XF:traceroute


CAN-1999-0527

Phase: Proposed (19990803)

Description:
The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as "ls" can be overwritten.

Votes:

   ACCEPT(3) Northcutt, Baker, Wall
   MODIFY(1) Frech
Voter Comments:
 Northcutt> That that starts to get specific :)
 Frech> ftp-writable-directory(6253)
   ftp-write(53)
   "writeable" in the description should be "writable." 


CAN-1999-0528

Phase: Proposed (19990726)

Description:
A router or firewall forwards external packets that claim to come from inside the network that the router/firewall is in front of.

Votes:

   ACCEPT(3) Northcutt, Baker, Meunier
   MODIFY(1) Frech
Voter Comments:
 Frech> possibly XF:nisd-dns-fwd-check
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:firewall-external-packet-forwarding(8372)


CAN-1999-0529

Phase: Proposed (19990726)

Description:
A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc.

Votes:

   ACCEPT(1) Frech
   MODIFY(1) Meunier
   REJECT(1) Northcutt
Voter Comments:
 Northcutt> I have seen ISPs "assign" private addresses within their domain
 Meunier> A border router or firewall forwards packets that claim to come from IANA
   reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x,
   etc, outside of their area of validity.
 CHANGE> [Frech changed vote from REVIEWING to ACCEPT]


CAN-1999-0530

Phase: Proposed (19990728)

Description:
A system is operating in "promiscuous" mode which allows it to perform packet sniffing.

Votes:

   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   REJECT(1) Shostack
Voter Comments:
 Frech> XF:etherstatd(264)
   XF:sniffer-attack(778) 
   XF:decod-packet-capture-remote(1072)
   XF:netmon-running(1448)
   XF:netxray3-probe(1450)
   XF:sol-snoop-getquota-bo(3670) (also assigned to CVE-1999-0974)


CAN-1999-0531

Phase: Proposed (19990728)

Description:
An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO.

Votes:

   MODIFY(1) Frech
   NOOP(1) Christey
   RECAST(1) Shostack
   REJECT(1) Northcutt
Voter Comments:
 Shostack> I think expn != vrfy, help, esmtp.
 Frech> XF:lotus-domino-esmtp-bo(4499) (also assigned to CVE-2000-0452 and
   CAN-2000-1046)
   XF:smtp-expn(128)
   XF:smtp-vrfy(130)
   XF:smtp-helo-bo(886)
   XF:smtp-vrfy-bo(887)
   XF:smtp-expn-bo(888)
   XF:slmail-vrfyexpn-overflow(1721)
   XF:smtp-ehlo(323)
   
   Perhaps add RCPT? If so, add XF:smtp-rcpt(1928)
 Christey> XF:smtp-vrfy(130) ?


CAN-1999-0532

Phase: Proposed (19990726)

Description:
A DNS server allows zone transfers.

Votes:

   MODIFY(1) Frech
   REJECT(1) Northcutt
Voter Comments:
 Northcutt> (With split DNS implementations this is quite appropriate)
 Frech> XF:dns-zonexfer


CAN-1999-0533

Phase: Proposed (19990726)

Description:
A DNS server allows inverse queries.

Votes:

   MODIFY(1) Frech
   REJECT(1) Northcutt
Voter Comments:
 Northcutt> (rule of thumb)
 Frech> XF:dns-iquery


CAN-1999-0534

Phase: Proposed (19990721)

Description:
A Windows NT user has inappropriate rights or privileges, e.g. Act as System, Add Workstation, Backup, Change System Time, Create Pagefile, Create Permanent Object, Create Token Name, Debug, Generate Security Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory, Profile Single Process, Remote Shutdown, Replace Process Token, Restore, System Environment, Take Ownership, or Unsolicited Input.

Votes:

   ACCEPT(5) Christey, Baker, Shostack, Ozancin, Wall
   MODIFY(2) Northcutt, Frech
Voter Comments:
 Northcutt> If we are going to write a laundry list put access to the scheduler in it.
 Christey> The list of privileges is very useful for lookup.
 Frech> XF:nt-create-token
   XF:nt-replace-token
   XF:nt-lock-memory
   XF:nt-increase-quota
   XF:nt-unsol-input
   XF:nt-act-system
   XF:nt-create-object
   XF:nt-sec-audit
   XF:nt-add-workstation
   XF:nt-manage-log
   XF:nt-take-owner
   XF:nt-load-driver
   XF:nt-profile-system
   XF:nt-system-time
   XF:nt-single-process
   XF:nt-increase-priority
   XF:nt-create-pagefile
   XF:nt-backup
   XF:nt-restore
   XF:nt-debug
   XF:nt-system-env
   XF:nt-remote-shutdown


CAN-1999-0535

Phase: Proposed (19990721)

Description:
A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. for password length, password age, or uniqueness.

Votes:

   ACCEPT(2) Shostack, Wall
   MODIFY(2) Baker, Frech
   RECAST(2) Northcutt, Ozancin
Voter Comments:
 Northcutt> inappropriate implies there is appropriate.  As a guy who has been
   monitoring
   networks for years I have deep reservations about justiying the existance
   of any fixed cleartext password. For appropriate to exist, some "we" would 
   have to establish some criteria for appropriate passwords.
 Baker> Perhaps this could be re-worded a bit.  The CVE CAN-1999-00582
   specifies "...settings for lockouts".  To remain consistent with the
   other, maybe it should specify "...settings for passwords" I think
   most people would agree that passwords should be at least 8
   characters; contain letters (upper and lowercase), numbers and at
   least one non-alphanumeric; should only be good a limited time 30-90
   days; and should not contain character combinations from user's prior
   2 or 3 passwords.
   Suggested rewrite - 
   A Windows NT account policy does not enforce reasonable minimum
   security-critical settings for passwords, e.g. passwords of sufficient
   length, periodic required password changes, or new password uniqueness
 Ozancin> What is appropriate?
 Frech> XF:nt-autologonpwd
   XF:nt-pwlen
   XF:nt-maxage
   XF:nt-minage
   XF:nt-pw-history
   XF:nt-user-pwnoexpire
   XF:nt-unknown-pwdfilter
   XF:nt-pwd-never-expire
   XF:nt-pwd-nochange
   XF:nt-pwdcache-enable
   XF:nt-guest-change-passwords


CAN-1999-0537

Phase: Proposed (19990726)

Description:
A configuration in a web browser such as Internet Explorer or Netscape Navigator allows execution of active content such as ActiveX, Java, Javascript, etc.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Frech
   REJECT(1) LeBlanc
Voter Comments:
 Frech> Good candidate for dot notation.
   XF:nav-java-enabled
   XF:nav-javascript-enabled
   XF:ie-active-content
   XF:ie-active-download
   XF:ie-active-scripting
   XF:ie-activex-execution
   XF:ie-java-enabled
   XF:netscape-javascript
   XF:netscape-java
   XF:zone-active-scripting
   XF:zone-activex-execution
   XF:zone-desktop-install
   XF:zone-low-channel
   XF:zone-file-download
   XF:zone-file-launch
   XF:zone-java-scripting
   XF:zone-low-java
   XF:zone-safe-scripting
   XF:zone-unsafe-scripting
 LeBlanc> Not a vulnerability. These are just checks for configuration
   settings that a user might have changed. I understand need to increase
   number of checks in a scanning product, but don't feel like these belong
   in CVE. Scanner vendors could argue that these entries are needed to
   keep a common language.


CAN-1999-0539

Phase: Proposed (19990728)

Description:
A trust relationship exists between two Unix hosts.

Votes:

   MODIFY(1) Frech
   REJECT(2) Northcutt, Shostack
Voter Comments:
 Northcutt> Too non specific
 Frech> XF:trusted-host(341)
   XF:trust-remote-same(717)
   XF:trust-remote-root(718)
   XF:trust-remote-nonroot(719)
   XF:trust-remote-any(720)
   XF:trust-other-host(723)
   XF:trust-all-nonroot(726)
   XF:trust-any-remote(727)
   XF:trust-local-acct(728)
   XF:trust-local-any(729)
   XF:trust-local-nonroot(730)
   XF:trust-all-hosts(731)
   XF:nt-trusted-domain(1284)
   XF:rsagent-trusted-domainadded(1588)
   XF:trust-remote-user(2955)
   XF:user-trust-hosts(3074)
   XF:user-trust-other-host(3077)
   XF:user-trust-remote-account(3079)


CAN-1999-0541

Phase: Proposed (19990714)

Description:
A password for accessing a WWW URL is guessable.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:http-password


CAN-1999-0546

Phase: Proposed (19990721)

Description:
The Windows NT guest account is enabled.

Votes:

   ACCEPT(5) Northcutt, Baker, Shostack, Ozancin, Wall
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:nt-guest-account


CAN-1999-0547

Phase: Proposed (19990728)

Description:
An SSH server allows authentication through the .rhosts file.

Votes:

   ACCEPT(2) Baker, Shostack
   MODIFY(1) Frech
   NOOP(1) Northcutt
Voter Comments:
 Frech> XF:sshd-rhosts(315)


CAN-1999-0548

Phase: Proposed (19990728)

Description:
A superfluous NFS server is running, but it is not importing or exporting any file systems.

Votes:

   ACCEPT(1) Shostack
   REJECT(1) Northcutt

CAN-1999-0549

Phase: Proposed (19990630)

Description:
Windows NT automatically logs in an administrator upon rebooting.

Votes:

   ACCEPT(1) Hill
   MODIFY(3) Blake, Frech, Ozancin
   NOOP(1) Wall
   REJECT(1) Baker
Voter Comments:
 Wall> Don't know what this is.  Don't think it is a vulnerability and would
   initially reject.  This is different than just renaming the
   administrator account.
 Frech> Would appreciate more information on this one, as in a reference.
 Blake> Reference: XF:nt-autologin
 Ozancin> Needs more detail
 Baker> I tried to find the XF:nt-autologin reference, and got no matching records from their search engine.
   No refs, no details, should reject
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:nt-autologon(5)


CAN-1999-0550

Phase: Proposed (19990726)

Description:
A router's routing tables can be obtained from arbitrary hosts.

Votes:

   MODIFY(1) Frech
   RECAST(1) Northcutt
Voter Comments:
 Northcutt> Don't you mean obtained by arbitrary hosts
 Frech> XF:routed
   XF:decod-rip-entry
   XF:rip


CAN-1999-0554

Phase: Proposed (19990803)

Description:
NFS exports system-critical data to the world, e.g. / or a password file.

Votes:

   ACCEPT(2) Northcutt, Wall
   REVIEWING(1) Christey
Voter Comments:
 Christey> A content decision (CD:CF-DATA) needs to be reviewed
   and accepted by the Editorial Board in order to resolve
   this question.


CAN-1999-0555

Phase: Proposed (19990728)

Description:
A Unix account with a name other than "root" has UID 0, i.e. root privileges.

Votes:

   REJECT(2) Northcutt, Shostack
Voter Comments:
 Northcutt> This is very bogus


CAN-1999-0556

Phase: Proposed (19990728)

Description:
Two or more Unix accounts have the same UID.

Votes:

   NOOP(1) Christey
   REJECT(2) Northcutt, Shostack
Voter Comments:
 Christey> XF:duplicate-uid(876)
 Christey> Add terms "duplicate" and "user ID" to facilitate search.
   ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist


CAN-1999-0559

Phase: Proposed (19990803)

Description:
A system-critical Unix file or directory has inappropriate permissions.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Northcutt
Voter Comments:
 Northcutt> Writable other than by root/bin/wheelgroup?


CAN-1999-0560

Phase: Proposed (19990803)

Description:
A system-critical Windows NT file or directory has inappropriate permissions.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Northcutt
Voter Comments:
 Northcutt> I think we should specify these


CAN-1999-0561

Phase: Proposed (19990728)

Description:
IIS has the #exec function enabled for Server Side Include (SSI) files.

Votes:

   NOOP(1) Northcutt
   RECAST(1) Shostack
   REJECT(1) LeBlanc
Voter Comments:
 LeBlanc> Does not meet definition of a vulnerability. This function is
   just enabled. You can turn it off if you want. if you trust the people
   putting up your web pages, this isn't a problem. If you don't, this is
   just one of many things you need to change.


CAN-1999-0562

Phase: Proposed (19990721)

Description:
The registry in Windows NT can be accessed remotely by users who are not administrators.

Votes:

   ACCEPT(4) Baker, Shostack, Ozancin, Wall
   MODIFY(1) Frech
   RECAST(1) Northcutt
Voter Comments:
 Northcutt> This isn't all or nothing, users may be allowed to access part of the
   registry.
 Frech> XF:nt-winreg-all
   XF:nt-winreg-net


CAN-1999-0564

Phase: Proposed (19990728)

Description:
An attacker can force a printer to print arbitrary documents (e.g. if the printer doesn't require a password) or to become disabled.

Votes:

   ACCEPT(2) Baker, Shostack
   NOOP(1) Northcutt

CAN-1999-0565

Phase: Proposed (19990728)

Description:
A Sendmail alias allows input to be piped to a program.

Votes:

   ACCEPT(1) Northcutt
   RECAST(1) Shostack
Voter Comments:
 Shostack> Is this a default alias?  Is my .procmailrc an instance of this?


CAN-1999-0568

Phase: Proposed (19990728)

Description:
rpc.admind in Solaris is not running in a secure mode.

Votes:

   ACCEPT(1) Northcutt
   NOOP(1) Christey
   RECAST(2) Shostack, Dik
Voter Comments:
 Shostack> are there secure modes?
 Dik> Several:
   1) there is no "rpc.admind" daemon.
   there used to be a "admind" RPC daemon (100087/10)
   and there's now an "sadmind" daemon (100232/10)
   The switch over was somewhere around Solaris 2.4.
   2) Neither defaults to "secure mode"
   3) secure mode is "using secure RPC" which does
   proper over the wire authentication by specifying
   the "-S 2" option in inetd.conf
   (security level 2)
 Christey> XF:rpc-admind(626)
   http://xforce.iss.net/static/626.php
   MISC:http://pulhas.org/xploitsdb/mUNIXes/admind.html


CAN-1999-0569

Phase: Modified (19991130-01)

Description:
A URL for a WWW directory allows auto-indexing, which provides a list of all files in that directory if it does not contain an index.html file.

Votes:

   ACCEPT(1) Wall
   NOOP(1) Christey
   REJECT(1) Northcutt
Voter Comments:
 Northcutt> I do this intentionally somethings in high content directories
 Christey> XF:http-noindex(90) ?


CAN-1999-0570

Phase: Proposed (19990728)

Description:
Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.

Votes:

   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Wall
Voter Comments:
 Northcutt> Here we are crossing into the best practices arena again.  However since
   passfilt does establish a measurable standard and since we aren't the
   ones defining the stanard, simply saying it should be employed I will
   vote for this.  
 Frech> XF:nt-passfilt-not-inst(1308)
   XF:nt-passfilt-not-found(1309)
 Christey> Consider MSKB:Q161990 and MSKB:Q151082


CAN-1999-0571

Phase: Modified (20020312-01)
Reference: BUGTRAQ:Feb5,1999

Description:
A router's configuration service or management interface (such as a web server or telnet) is configured to allow connections from arbitrary hosts.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Christey, Northcutt
Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:ascend-config-kill(889)
   XF:cisco-ios-crash(1238)
   XF:webramp-remote-access(1670)
   XF:ascom-timeplex-debug(1824)
   XF:netopia-unpassworded(1850)
   XF:cisco-web-crash(1886)
   XF:cisco-router-commands(1951)
   XF:motorola-cable-default-pass(2002)
   XF:default-flowpoint(2091)
   XF:netgear-router-idle-dos(4003)
   XF:cisco-cbos-telnet(4251)
   XF:routermate-snmp-community(4290)
   XF:cayman-router-dos(4479)
   XF:wavelink-authentication(5185)
   XF:ciscosecure-ldap-bypass-authentication(5274)
   XF:foundry-firmware-telnet-dos(5514)
   XF:netopia-view-system-log(5536)
   XF:cisco-webadmin-remote-dos(5595)
   XF:cisco-cbos-web-access(5626)
   XF:netopia-telnet-dos(6001)
   XF:cisco-sn-gain-access(6827)
   XF:cayman-dsl-insecure-permissions(6841)
   XF:linksys-etherfast-reveal-passwords(6949)
   XF:zyxel-router-default-password(6968)
   XF:cisco-cbos-web-config(7027)
   XF:prestige-wan-bypass-filter(7146)
 Christey> I changed the description to make it more explicit that this
   candidate is about router configuration, as opposed to
   vulnerabilities that accidentally make a configuration
   service accessible to anyone.


CAN-1999-0572

Phase: Proposed (19990721)

Description:
.reg files are associated with the Windows NT registry editor, making the registry susceptible to Trojan Horse attacks.

Votes:

   ACCEPT(4) Baker, Shostack, Ozancin, Wall
   MODIFY(1) Frech
   NOOP(2) Christey, Northcutt
Voter Comments:
 Northcutt> I don't quite get what this means, sorry
 Frech> XF:nt-regfile(178)
 Christey> MISC:http://security-archive.merton.ox.ac.uk/nt-security-199902/0087.html


CAN-1999-0575

Phase: Proposed (19990721)

Description:
A Windows NT system's user audit policy does not log an event success or failure, e.g. for Logon and Logoff, File and Object Access, Use of User Rights, User and Group Management, Security Policy Changes, Restart, Shutdown, and System, and Process Tracking.

Votes:

   ACCEPT(4) Christey, Shostack, Ozancin, Wall
   MODIFY(1) Frech
   RECAST(2) Northcutt, Baker
Voter Comments:
 Northcutt> It isn't a great truth that you should enable all or the above, if you
   do you potentially introduce a vulnerbility of filling up the file
   system with stuff you will never look at.
 Ozancin> It is far less interesting what a user does successfully that what they
   attempt and fail at.
 Christey> The list of event types is very useful for lookup.
 Frech> XF:nt-system-audit
   XF:nt-logon-audit
   XF:nt-object-audit
   XF:nt-privil-audit
   XF:nt-process-audit
   XF:nt-policy-audit
   XF:nt-account-audit
 CHANGE> [Baker changed vote from REVIEWING to RECAST]


CAN-1999-0576

Phase: Proposed (19990721)

Description:
A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories.

Votes:

   ACCEPT(3) Baker, Shostack, Wall
   MODIFY(2) Frech, Ozancin
   REJECT(1) Northcutt
Voter Comments:
 Northcutt> 1.) Too general are we ready to state what the security-critical files
   and directories are
   2.) Does Ataris, Windows CE, PalmOS, Linux have such a capability
 Ozancin> Some files and directories are clearly understood to be critical. Others are
   unclear. We need to clarify that critical is.
 Frech> XF:nt-object-audit


CAN-1999-0577

Phase: Proposed (19990721)

Description:
A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories.

Votes:

   ACCEPT(2) Shostack, Wall
   MODIFY(3) Baker, Frech, Ozancin
   REJECT(1) Northcutt
Voter Comments:
 Ozancin> It is far less interesting what a user does successfully that what they
   attempt and fail at.
   Perhaps only failure should be logged.
 Frech> XF:nt-object-audit
 CHANGE> [Baker changed vote from REVIEWING to MODIFY]
 Baker> Failure on non-critical files is what should be monitored.


CAN-1999-0578

Phase: Proposed (19990721)

Description:
A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys.

Votes:

   ACCEPT(4) Baker, Shostack, Ozancin, Wall
   MODIFY(1) Frech
   REJECT(1) Northcutt
Voter Comments:
 Ozancin> with reservation
   Again what is defined as critical
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:nt-object-audit(228)


CAN-1999-0579

Phase: Proposed (19990721)

Description:
A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys.

Votes:

   ACCEPT(3) Baker, Shostack, Wall
   MODIFY(2) Frech, Ozancin
   REJECT(1) Northcutt
Voter Comments:
 Ozancin> Again only failure may be of interest. It would be impractical to wad
   through the incredibly large amount of logging that this would generate. It
   could overwhelm log entries that you might find interesting.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:nt-object-audit(228)


CAN-1999-0580

Phase: Proposed (19990803)

Description:
The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate, system-critical permissions.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Northcutt
Voter Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   and see if you can't see a way to phrase specific keys in a way that
   defines inappropriate.


CAN-1999-0581

Phase: Proposed (19990803)

Description:
The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate, system-critical permissions.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Northcutt
Voter Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   and see if you can't see a way to phrase specific keys in a way that
   defines inappropriate.


CAN-1999-0582

Phase: Proposed (19990721)

Description:
A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g. lockout duration, lockout after bad logon attempts, etc.

Votes:

   ACCEPT(3) Shostack, Ozancin, Wall
   MODIFY(2) Baker, Frech
   REJECT(1) Northcutt
Voter Comments:
 Northcutt> The definition is?
 Baker> Maybe a rewording of this one too.  I think most people would agree on
   some "minimum" policies like 3-5 bad attempts lockout for an hour or
   until the administrator unlocks the account.
   Suggested rewrite -
   A Windows NT account policy does not enforce reasonable minimum
   security-critical settings for lockouts, e.g. lockout duration,
   lockout after bad logon attempts, etc.
 Ozancin> with reservations
   What is appropriate?
 Frech> XF:nt-thres-lockout
   XF:nt-lock-duration
   XF:nt-lock-window
   XF:nt-perm-lockout
   XF:lockout-disabled


CAN-1999-0583

Phase: Proposed (19990728)

Description:
There is a one-way or two-way trust relationship between Windows NT domains.

Votes:

   NOOP(1) Christey
   REJECT(2) Northcutt, Shostack
Voter Comments:
 Christey> XF:nt-trusted-domain(1284)


CAN-1999-0584

Phase: Proposed (19990728)

Description:
A Windows NT file system is not NTFS.

Votes:

   ACCEPT(2) Northcutt, Wall
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Wall> NTFS partition provides the security.  This could be re-worded
   to "A Windows NT file system is FAT" since it is either NTFS or FAT
   and FAT is less secure.
 Frech> XF:nt-filesys(195)
 Christey> MSKB:Q214579
   MSKB:Q214579
   http://support.microsoft.com/support/kb/articles/Q100/1/08.ASP


CAN-1999-0585

Phase: Proposed (19990721)

Description:
A Windows NT administrator account has the default name of Administrator.

Votes:

   ACCEPT(1) Ozancin
   MODIFY(1) Frech
   REJECT(3) Northcutt, Baker, Shostack
   REVIEWING(1) Wall
Voter Comments:
 Wall> Some sources say this is not a vulnerability, but a warning.  It just
   slows down the search for the admin account (SID = 500) which can
   always be found.
 Northcutt> I change this on all NT systems I am responsible for, but is
   root a vulnerability?
 Baker> There are ways to identify the administrator account anyway, so this
   is only a minor delay to someone that is knowledgeable.  This, in and
   of itself, doesn't really strike me as a vulnerability, anymore than
   the root account on a Unix box.
 Shostack> (there is no way to hide the account name today)
 Frech> XF:nt-adminexists


CAN-1999-0586

Phase: Proposed (19990728)

Description:
A network service is running on a nonstandard port.

Votes:

   RECAST(1) Shostack
   REJECT(1) Northcutt
Voter Comments:
 Shostack> Might be acceptable if clearer; is that a standard service on a
   non-standard port, or any service on an unassigned port?


CAN-1999-0587

Phase: Proposed (19990803)

Description:
A WWW server is not running in a restricted file system, e.g. through a chroot, thus allowing access to system-critical data.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Northcutt
Voter Comments:
 Northcutt> While I would accept this for Unix, I am not sure this applies to NT,
   VMS, palm pilots, or commodore 64


CAN-1999-0588

Phase: Proposed (19990726)

Description:
A filter in a router or firewall allows unusual fragmented packets.

Votes:

   MODIFY(1) Frech
   REJECT(1) Northcutt
Voter Comments:
 Northcutt> I want to vote to accept this one, but unusual is a shade broad.
 Frech> XF:nt-rras
   XF:cisco-fragmented-attacks
   XF:ip-frag


CAN-1999-0589

Phase: Proposed (19990803)

Description:
A system-critical Windows NT registry key has inappropriate permissions.

Votes:

   ACCEPT(1) Wall
   RECAST(2) Christey, Northcutt
Voter Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   and see if you can't see a way to phrase specific keys in a way that
   defines inappropriate.
 Christey> Upon further reflection, this is too high-level for CVE.
   Specific registry keys with bad permissions is roughly
   equivalent to Unix configuration files that have bad
   permissions; those permission problems can be created by
   any vendor, not just a specific one.  Therefore this
   candidate should be RECAST into each separate registry
   key that has this problem.


CAN-1999-0590

Phase: Proposed (19990728)

Description:
A system does not present an appropriate legal message or warning to a user who is accessing it.

Votes:

   ACCEPT(1) Northcutt
   MODIFY(1) Christey
   RECAST(1) Shostack
Voter Comments:
 Christey> ADDREF CIAC:J-043
   URL:http://ciac.llnl.gov/ciac/bulletins/j-043.shtml
   Also add "banner" to the description to facilitate search.


CAN-1999-0591

Phase: Proposed (19990803)

Description:
An event log in Windows NT has inappropriate access permissions.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Northcutt
Voter Comments:
 Northcutt> splain Lucy, splain


CAN-1999-0592

Phase: Proposed (19990728)

Description:
The Logon box of a Windows NT system displays the name of the last user who logged in.

Votes:

   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(2) Northcutt, Wall
Voter Comments:
 Wall> Information gathering, not vulnerability
 Northcutt> Ah a C2 weenie must have snuck this in, this can be a good thing 
   not just vulnerability
 Frech> XF:nt-display-last-username(1353)
   Use it if you will. :-) If not, let us know so I can remove the CAN
   reference from our database.
 Christey> MSKB:Q114463
   http://support.microsoft.com/support/kb/articles/q114/4/63.asp


CAN-1999-0593

Phase: Proposed (19990728)

Description:
A user is allowed to shut down a Windows NT system without logging in.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   REJECT(1) Northcutt
Voter Comments:
 Wall> Still a denial of service.
 Northcutt> May well be appropriate
 Frech> XF:nt-shutdown-without-logon(1291)


CAN-1999-0594

Phase: Proposed (19990728)

Description:
A Windows NT system does not restrict access to removable media drives such as a floppy disk drive or CDROM drive.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Northcutt
Voter Comments:
 Wall> Perhaps it can be re-worded to "removable media drives
   such as a floppy disk drive or CDROM drive can be accessed (shared) in a
   Windows NT system."
 Northcutt> - what good is my NT w/o its floppy
 Frech> XF:nt-allocate-cdroms(1294)
   XF:nt-allocate-floppy(1318)
 Christey> MSKB:Q172520
   URL:http://support.microsoft.com/support/kb/articles/q172/5/20.asp


CAN-1999-0595

Phase: Proposed (19990728)
Reference: MSKB:Q182086

Description:
A Windows NT system does not clear the system page file during shutdown, which might allow sensitive information to be recorded.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(1) Northcutt
Voter Comments:
 Frech> XF:nt-clearpage(216)
   XF:reg-pagefile-clearing(2551)


CAN-1999-0596

Phase: Proposed (19990728)

Description:
A Windows NT log file has an inappropriate maximum size or retention period.

Votes:

   MODIFY(1) Frech
   REJECT(2) Northcutt, Wall
Voter Comments:
 Northcutt> define appropriate
 Frech> XF:reg-app-log-small(2521)
   XF:reg-sec-log-maxsize(2577)
   XF:reg-sys-log-small(2586)


CAN-1999-0597

Phase: Proposed (19990728)

Description:
A Windows NT account policy does not forcibly disconnect remote users from the server when their logon hours expire.

Votes:

   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   REJECT(1) Wall
Voter Comments:
 Frech> XF:nt-forced-logoff(1343)


CAN-1999-0598

Phase: Proposed (19990726)

Description:
A network intrusion detection system (IDS) does not properly handle packets that are sent out of order, allowing an attacker to escape detection.

Votes:

   ACCEPT(3) Northcutt, Baker, Armstrong
   NOOP(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> Waiting for CIEL.
 Christey> This is a design flaw, along with the other reported IDS
   problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html


CAN-1999-0599

Phase: Proposed (19990726)

Description:
A network intrusion detection system (IDS) does not properly handle packets with improper sequence numbers.

Votes:

   ACCEPT(2) Northcutt, Baker
   NOOP(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> Waiting for CIEL.
 Christey> This is a design flaw, along with the other reported IDS
   problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html


CAN-1999-0600

Phase: Proposed (19990726)

Description:
A network intrusion detection system (IDS) does not verify the checksum on a packet.

Votes:

   ACCEPT(2) Northcutt, Baker
   NOOP(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> Waiting for CIEL.
 Christey> This is a design flaw, along with the other reported IDS
   problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html


CAN-1999-0601

Phase: Proposed (19990726)

Description:
A network intrusion detection system (IDS) does not properly handle data within TCP handshake packets.

Votes:

   ACCEPT(2) Northcutt, Baker
   NOOP(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> Waiting for Godot, er, CIEL.
 Christey> This is a design flaw, along with the other reported IDS
   problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html


CAN-1999-0602

Phase: Proposed (19990726)

Description:
A network intrusion detection system (IDS) does not properly reassemble fragmented packets.

Votes:

   ACCEPT(2) Northcutt, Baker
   NOOP(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> Waiting for CIEL.
 Christey> This is a design flaw, along with the other reported IDS
   problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html


CAN-1999-0603

Phase: Proposed (19990728)

Description:
In Windows NT, an inappropriate user is a member of a group, e.g. Administrator, Backup Operators, Domain Admins, Domain Guests, Power Users, Print Operators, Replicators, System Operators, etc.

Votes:

   MODIFY(1) Frech
   REJECT(2) Northcutt, Wall
Voter Comments:
 Frech> XF:nt-system-operator
   XF:nt-admin-group
   XF:nt-replicator
   XF:nt-print-operator
   XF:nt-power-user
   XF:nt-guest-in-group
   XF:nt-backup-operator
   XF:nt-domain-admin
   XF:nt-domain-guest
   XF:win2k-acct-oper-grp
   XF:win2k-admin-grp
   XF:win2k-backup-oper-grp
   XF:win2k-certpublishers-grp
   XF:win2k-dhcp-admin-grp
   XF:win2k-dnsadm-grp
   XF:win2k-domainadm-grp
   XF:win2k-entadm-grp
   XF:win2k-printoper-grp
   XF:win2k-replicator-grp
   XF:win2k-schemaadm-grp
   XF:win2k-serveroper-grp
   You asked for it... :-) Use or reject at your discretion. If rejected,
   please let us know so we can remove CAN references from database.


CAN-1999-0604

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

Description:
An incorrect configuration of the WebStore 1.0 shopping cart CGI program "web_store.cgi" could disclose private information.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall
Voter Comments:
 Frech> XF:webstore-misconfig(3861)


CAN-1999-0605

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

Description:
An incorrect configuration of the Order Form 1.0 shopping cart CGI program could disclose private information.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Northcutt, Wall
Voter Comments:
 Frech> XF:orderform-misconfig(3860)
 Christey> BID:2021
 Christey> Mention affected files: order_log_v12.dat and order_log.dat
   fix version number (1.2)


CAN-1999-0606

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

Description:
An incorrect configuration of the EZMall 2000 shopping cart CGI program "mall2000.cgi" could disclose private information.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Northcutt, Wall
Voter Comments:
 Frech> XF:ezmall2000-misconfig(3859)
 Christey> Add mall_log_files/order.log to desc


CAN-1999-0607

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

Description:
An incorrect configuration of the QuikStore shopping cart CGI program "quikstore.cgi" could disclose private information.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Northcutt, Wall
Voter Comments:
 Frech> XF:quikstore-misconfig(3858)
 Christey> http://www.quikstore.com/help/pages/Security/security.htm says:
   
   "It is IMPORTANT that during the setup of the QuikStore program, you
   check to make sure that the cgi-bin or executable program directory
   of your web site not be viewable from the outside world. You don't
   want the users to have access to your programs or log files that could
   be stored there!
   
   ...
   
   If you can view or download these files from the browser, someone
   else can too"
   
   So is this a configuration problem?  See the configuration file at
   http://www.quikstore.com/help/pages/Configuration/configparametersfull.htm
   The [DIRECTORY_PATHS] section identifies pathnames and describes how
   pathnames are constructed.  It clearly uses relative pathnames,
   so all data is underneath the base directory!!
   
   If we call this a configuration problem, then maybe this (and
   all other "CGI-data-in-web-tree" configuration problems) should
   be combined.
 Christey> Consider adding BID:1983


CAN-1999-0609

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

Description:
An incorrect configuration of the SoftCart CGI program "SoftCart.exe" could disclose private information.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Northcutt, Wall
Voter Comments:
 Frech> XF:softcart-misconfig(3856)
 Christey> Consider adding BID:2055


CAN-1999-0610

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

Description:
An incorrect configuration of the Webcart CGI program could disclose private information.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall
Voter Comments:
 Frech> Cite reference as:
   BUGTRAQ:19990424  Re: Shopping Carts exposing CC data 
   URL:
   http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%
   3D1%26date%3D2000-08-22%26msg%3D3720E2B6.6031A2E7@datashopper.dk
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:webcart-data-exposure(8374)


CAN-1999-0611

Phase: Proposed (19990803)

Description:
A system-critical Windows NT registry key has an inappropriate value.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Northcutt
Voter Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   and see if you can't see a way to phrase specific keys in a way that
   defines inappropriate.


CAN-1999-0613

Phase: Proposed (19990721)

Description:
The rpc.sprayd service is running.

Votes:

   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt
Voter Comments:
 Frech> XF:sprayd


CAN-1999-0614

Phase: Proposed (19990804)

Description:
The FTP service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0615

Phase: Proposed (19990804)

Description:
The SNMP service is running.

Votes:

   ACCEPT(3) Prosser, Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt
Voter Comments:
 Baker> Although newer versions on snmp are not as vulnerable as prior versions,
   this can still be a significant risk of exploitation, as seen in recent
   attacks on snmp services via automated worms
 Christey> XF:snmp(132) ?
 Prosser> This fits the "exposure" description although we also know there are many vulnerabilities in SNMP.  This is more of a policy/best practice issue for administrators.  If you need SNMP lock it down as tight as you can, if you don't need it, don't run it.


CAN-1999-0616

Phase: Proposed (19990804)

Description:
The TFTP service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0617

Phase: Proposed (19990804)

Description:
The SMTP service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0618

Phase: Modified (19990921-01)
Reference: XF:rexec

Description:
The rexec service is running.

Votes:

   ACCEPT(4) Northcutt, Baker, Ozancin, Wall
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:decod-rexec
   XF:rexec


CAN-1999-0619

Phase: Proposed (19990804)

Description:
The Telnet service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0620

Phase: Proposed (19990804)

Description:
A component service related to NIS is running.

Votes:

   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt
Voter Comments:
 Christey> XF:ypserv(261)


CAN-1999-0621

Phase: Proposed (19990804)

Description:
A component service related to NETBIOS is running.

Votes:

   ACCEPT(2) Baker, Wall
   MODIFY(1) Frech
   REJECT(2) Northcutt, LeBlanc
Voter Comments:
 LeBlanc> There is insufficient description to even know what this is.
   Lots of component services related to NetBIOS run, and usually do not
   constitute a problem.
 Frech> associated to:
   XF:nt-alerter(29)
   XF:nt-messenger(69)
   XF:reg-ras-gateway-enabled(2567)


CAN-1999-0622

Phase: Proposed (19990804)

Description:
A component service related to DNS service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0623

Phase: Proposed (19990804)

Description:
The X Windows service is running.

Votes:

   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt
Voter Comments:
 Christey> Add "X11" to facilitate search.


CAN-1999-0624

Phase: Interim (19990925)
Reference: XF:rstat-out
Reference: XF:rstatd

Description:
The rstat/rstatd service is running.

Votes:

   ACCEPT(3) Northcutt, Baker, Ozancin
   MODIFY(1) Frech
   NOOP(2) Wall, Meunier
Voter Comments:
 Frech> XF:rstat-out
   XF:rstatd


CAN-1999-0625

Phase: Proposed (19990721)

Description:
The rpc.rquotad service is running.

Votes:

   ACCEPT(3) Northcutt, Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:rquotad


CAN-1999-0629

Phase: Proposed (19990721)

Description:
The ident/identd service is running.

Votes:

   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(2) Christey, Wall
   REJECT(1) Northcutt
Voter Comments:
 Frech> possibly XF:identd?
 Christey> XF:ident-users(318) ?
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:identd-vuln(61)
   XF:ident-users(318)


CAN-1999-0630

Phase: Proposed (19990804)

Description:
The NT Alerter and Messenger services are running.

Votes:

   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt
Voter Comments:
 Christey> http://support.microsoft.com/support/kb/articles/q189/2/71.asp


CAN-1999-0631

Phase: Proposed (19990804)

Description:
The NFS service is running.

Votes:

   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt
Voter Comments:
 Christey> XF:nfs-nfsd(76) ?
 Christey> Add rpc.mountd/mountd to facilitate search.


CAN-1999-0632

Phase: Proposed (19990804)

Description:
The RPC portmapper service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0633

Phase: Proposed (19990804)

Description:
The HTTP/WWW service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0634

Phase: Proposed (19990804)

Description:
The SSH service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0635

Phase: Proposed (19990804)

Description:
The echo service is running.

Votes:

   ACCEPT(3) Northcutt, Baker, Wall
   REVIEWING(1) Christey
Voter Comments:
 Northcutt> The method to my madness is echo is the common denom in the dos attack
 Christey> How much of this is an overlap with the echo/chargen flood
   problem (CVE-1999-0103)?  If this is only an exposure because
   of CVE-1999-0103, then maybe this should be REJECTed.


CAN-1999-0636

Phase: Proposed (19990804)

Description:
The discard service is running.

Votes:

   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

CAN-1999-0637

Phase: Proposed (19990804)

Description:
The systat service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0638

Phase: Proposed (19990804)

Description:
The daytime service is running.

Votes:

   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

CAN-1999-0639

Phase: Proposed (19990804)

Description:
The chargen service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt
   REVIEWING(1) Christey
Voter Comments:
 Christey> How much of this is an overlap with the echo/chargen flood
   problem (CVE-1999-0103)?  If this is only an exposure because
   of CVE-1999-0103, then maybe this should be REJECTed.


CAN-1999-0640

Phase: Proposed (19990804)

Description:
The Gopher service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0641

Phase: Proposed (19990804)

Description:
The UUCP service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0642

Phase: Proposed (19990804)

Description:
A POP service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0643

Phase: Proposed (19990804)

Description:
The IMAP service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0644

Phase: Proposed (19990804)

Description:
The NNTP news service is running.

Votes:

   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt
Voter Comments:
 Christey> XF:nntp-post(88) ?


CAN-1999-0645

Phase: Proposed (19990804)

Description:
The IRC service is running.

Votes:

   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt
Voter Comments:
 Christey> XF:irc-server(767) ?


CAN-1999-0646

Phase: Proposed (19990804)

Description:
The LDAP service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0647

Phase: Proposed (19990721)

Description:
The bootparam (bootparamd) service is running.

Votes:

   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt
Voter Comments:
 Frech> XF:bootp


CAN-1999-0648

Phase: Proposed (19990804)

Description:
The X25 service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0649

Phase: Proposed (19990804)

Description:
The FSP service is running.

Votes:

   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

CAN-1999-0650

Phase: Proposed (19990804)

Description:
The netstat service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0651

Phase: Proposed (19990804)

Description:
The rsh/rlogin service is running.

Votes:

   ACCEPT(2) Baker, Wall
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Northcutt
Voter Comments:
 Christey> aka "shell" on UNIX systems (at least Solaris) in the
   /etc/inetd.conf file.
 Frech> associated to:
   XF:nt-rlogin(92) 
   XF:rsh-svc(114)
   XF:rshd(2995)


CAN-1999-0652

Phase: Proposed (19990804)

Description:
A database service is running, e.g. a SQL server, Oracle, or mySQL.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt
Voter Comments:
 Frech> XF:nt-sql-server(1289)
   XF:msql-detect(2211)
   XF:oracle-detect(2388)
   XF:sybase-detect-namedpipes(1461)


CAN-1999-0653

Phase: Proposed (19990804)

Description:
A component service related to NIS+ is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0654

Phase: Proposed (19990728)

Description:
The OS/2 or POSIX subsystem in NT is enabled.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Northcutt
Voter Comments:
 Wall> These subsystems could still allow a process to persist across logins.
 Frech> XF:nt-posix(217)
   XF:nt-posix-sub-c2(2397)
   XF:nt-posix-sub-onceonly(2478)
   XF:nt-os2-sub(218)
   XF:nt-os2-sub-c2(2396)
   XF:nt-os2-sub-onceonly(2477)
   XF:nt-os2-registry(2550)
 Christey> s2-file-os2(1865)


CAN-1999-0655

Phase: Proposed (19990721)

Description:
A service may include useful information in its banner or help function (such as the name and version), making it useful for information gathering activities.

Votes:

   ACCEPT(5) Northcutt, Baker, Frech, Ozancin, Wall
Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to ACCEPT]


CAN-1999-0656

Phase: Proposed (19990804)

Description:
The ugidd service is running.

Votes:

   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

CAN-1999-0657

Phase: Proposed (19990804)

Description:
WinGate is being used.

Votes:

   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

CAN-1999-0658

Phase: Proposed (19990804)

Description:
DCOM is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

CAN-1999-0659

Phase: Proposed (19990804)

Description:
A Windows NT Primary Domain Controller (PDC) or Backup Domain Controller (BDC) is present.

Votes:

   REJECT(3) Northcutt, Baker, Wall
Voter Comments:
 Wall> Don't consider this a service or a problem.
 Baker> concur with wall on this


CAN-1999-0660

Phase: Proposed (19990804)

Description:
A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc.

Votes:

   ACCEPT(4) Northcutt, Baker, Wall, Hill
   NOOP(1) Christey
Voter Comments:
 Christey> Add "back door" to description.


CAN-1999-0661

Phase: Modified (20020801-01)
Reference: CERT:CA-1994-07
Reference: URL:http://www.cert.org/advisories/CA-1994-07.html
Reference: CERT:CA-1994-14
Reference: URL:http://www.cert.org/advisories/CA-1994-14.html
Reference: CERT:CA-1999-01
Reference: URL:http://www.cert.org/advisories/CA-1999-01.html
Reference: CERT:CA-1999-02
Reference: URL:http://www.cert.org/advisories/CA-1999-02.html
Reference: BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102820843403741&w=2
Reference: BUGTRAQ:20020801 OpenSSH Security Advisory: Trojaned Distribution Files
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102821663814127&w=2

Description:
A system is running a version of software that was replaced with a Trojan Horse at one of its distribution points, such as (1) TCP Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and 2.1f, (4) IRC client (ircII) ircII 2.2.9, or (5) OpenSSH 3.4p1.

Votes:

   ACCEPT(4) Northcutt, Baker, Wall, Hill
   NOOP(1) Christey
Voter Comments:
 Christey> Should add the specific CERT advisory references for
   well-known Trojaned software.
   TCP Wrappers -> CERT:CA-1999-01
   CERT:CA-1999-02 includes util-linux
   wuarchive - CERT:CA-94.07
   IRC client - CERT:CA-1994-14
 Christey> BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1)
   Modify description to use dot notation.
 Christey> CERT:CA-2002-24
   URL:http://www.cert.org/advisories/CA-2002-24.html
   XF:openssh-backdoor(9763)
   URL:http://www.iss.net/security_center/static/9763.php
   BID:5374
   URL:http://www.securityfocus.com/bid/5374


CAN-1999-0662

Phase: Proposed (19990804)

Description:
A system-critical program or library does not have the appropriate patch, hotfix, or service pack installed, or is outdated or obsolete.

Votes:

   ACCEPT(4) Northcutt, Baker, Wall, Hill

CAN-1999-0663

Phase: Proposed (19990804)

Description:
A system-critical program, library, or file has a checksum or other integrity measurement that indicates that it has been modified.

Votes:

   ACCEPT(3) Baker, Wall, Hill
   RECAST(1) Northcutt
Voter Comments:
 Northcutt> This needs to be worded carefully.  
   1. Rootkits evade checksum detection.
   2. The modification could be positive (a patch)


CAN-1999-0664

Phase: Proposed (19990803)

Description:
An application-critical Windows NT registry key has inappropriate permissions.

Votes:

   ACCEPT(1) Wall
   RECAST(2) Christey, Northcutt
Voter Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   and see if you can't see a way to phrase specific keys in a way that
   defines inappropriate.
 Christey> Upon further reflection, this is too high-level for CVE.
   Specific registry keys with bad permissions is roughly
   equivalent to Unix configuration files that have bad
   permissions; those permission problems can be created by
   any vendor, not just a specific one.  Therefore this
   candidate should be RECAST into each separate registry
   key that has this problem.


CAN-1999-0665

Phase: Proposed (19990803)

Description:
An application-critical Windows NT registry key has an inappropriate value.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Northcutt
Voter Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   and see if you can't see a way to phrase specific keys in a way that
   defines inappropriate.


CAN-1999-0667

Phase: Proposed (19991222)

Description:
The ARP protocol allows any host to spoof ARP replies and poison the ARP cache to conduct IP address spoofing or a denial of service.

Votes:

   ACCEPT(2) Blake, Cole
   MODIFY(1) Stracener
   NOOP(1) Christey
   REJECT(1) Frech
Voter Comments:
 Stracener> Add Ref: BUGTRAQ:19970919 Playing redir games with ARP and ICMP
 Frech> Cannot proceed without a reference. Too vague, and resembles XF:netbsd-arp:
   CAN-1999-0763: NetBSD on a multi-homed host allows ARP packets on one
   network to modify ARP entries on another connected network.
   CAN-1999-0764: NetBSD allows ARP packets to overwrite static ARP entries.
   Will reconsider if reference provides enough information to render a
   distinction.
 Christey> This particular vulnerability was exploited by an attacker
   during the ID'Net IDS test network exercise at the SANS
   Network Security '99 conference.  The attacker adapted a
   publicly available program that was able to spoof another
   machine on the same physical network.
   
   See http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019797&w=2
   for the Bugtraq reference that Tom Stracener suggested.
   This generated a long thread on Bugtraq in 1997.
 Blake> I'll second Tom's request to add the reference, it's a very
   posting good and the vulnerability is clearly derivative of
   the work.
   
   (I do recall talking to the guy and drafting a description.)


CAN-1999-0669

Phase: Interim (19991229)
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308

Description:
The Eyedog ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.

Votes:

   ACCEPT(5) Prosser, Baker, Ozancin, Wall, Cole
   MODIFY(2) Frech, Stracener
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:ms-scriptlet-eyedog-unsafe
 Stracener> Add Ref: MSKB Q240308
 Christey> Should CAN-1999-0669 and 668 be merged?  If not, then this is
   a reason for not merging CAN-1999-0988 and CAN-1999-0828.


CAN-1999-0670

Phase: Proposed (19991208)
Reference: MS:MS99-032
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml

Description:
Buffer overflow in the Eyedog ActiveX control allows a remote attacker to execute arbitrary commands.

Votes:

   ACCEPT(3) Prosser, Ozancin, Wall
   MODIFY(2) Frech, Stracener
   REJECT(2) Baker, Cole
Voter Comments:
 Frech> XF:ie-eyedog-bo
 Cole> Based on the references and information listed this is the same as
   CAN-1999-0669
 Stracener> Add Ref: MSKB Q240308
 Baker> Duplicate


CAN-1999-0673

Phase: Proposed (19991222)
Reference: BID:574
Reference: URL:http://www.securityfocus.com/bid/574

Description:
Buffer overflow in ALMail32 POP3 client via From: or To: headers.

Votes:

   ACCEPT(6) Blake, Baker, Levy, Wall, Cole, Collins
   MODIFY(2) Frech, Stracener
   NOOP(3) Oliver, Landfield, Armstrong
   REVIEWING(1) Ozancin
Voter Comments:
 Stracener> AddRef: ShadowPenguinSecurity:PenguinToolbox,No.037
 Frech> XF:almail-bo
 CHANGE> [Cole changed vote from NOOP to ACCEPT]


CAN-1999-0677

Phase: Modified (19991228-01)
Reference: BUGTRAQ:19990802 [LoWNOISE] Password hunting with webramp
Reference: BID:577
Reference: URL:http://www.securityfocus.com/bid/577

Description:
The WebRamp web administration utility has a default password.

Votes:

   ACCEPT(3) Blake, Baker, Stracener
   MODIFY(2) Frech, Cole
   NOOP(2) Christey, Armstrong
Voter Comments:
 Cole> I would add that is is not forced to be changed.
 Frech> XF:webramp-default-password
 Christey> This problem may have been detected in January 1999:
   BUGTRAQ:19990121 Re: WebRamp M3 remote network access bug
   http://marc.theaimsgroup.com/?l=bugtraq&m=91702375402055&w=2


CAN-1999-0684

Phase: Proposed (19991214)
Reference: HP:HPSBUX9904-097

Description:
Denial of service in Sendmail 8.8.6 in HPUX.

Votes:

   ACCEPT(2) Blake, Cole
   MODIFY(3) Prosser, Frech, Stracener
   REJECT(1) Christey
Voter Comments:
 Stracener> Add Ref: CIAC: J-040
 Prosser> Might change description to indicate DoS caused by multiple connections
 Christey> Andre's right.  This is a duplicate of CAN-1999-0684.
 Frech> Without further information and/or references, this issue looks like an
   ambiguous version of CVE-1999-0478: Denial of service in HP-UX sendmail
   8.8.6 related to accepting connections.
   
   (was REJECT)
   XF:hp-sendmail-connect-dos


CAN-1999-0698

Phase: Proposed (19991222)

Description:
Denial of service in IP protocol logger (ippl) on Red Hat and Debian Linux.

Votes:

   ACCEPT(6) Blake, Baker, Ozancin, Cole, Armstrong, Collins
   MODIFY(1) Frech
   NOOP(4) Levy, Wall, Landfield, Stracener
   REJECT(1) Christey
Voter Comments:
 Stracener> Is the candidate referring to the denial of service problem mentioned in
   the
   changelogs for versions previous to 1.4.3-1 or does it pertain to some
   problem with or
   1.4.8-1?
 Frech> Depending on the version, this could be any number of DoSes 
   related to ippl.
   From http://www.larve.net/ippl/:
   9 April 1999: version 1.4.3 released, correctly fixing a 
   potential denial of service attack.
   7 April 1999: version 1.4.2 released, fixing a potential 
   denial of service attack. 
   XF:linux-ippl-dos
 Christey> Changelog: http://pltplp.net/ippl/docs/HISTORY
   
   See comments for version 1.4.2 and 1.4.3
   Another source: http://freshmeat.net/news/1999/04/08/923586598.html
 CHANGE> [Stracener changed vote from REVIEWING to NOOP]
 CHANGE> [Christey changed vote from NOOP to REJECT]
 Christey> As mentioned by others, this could apply to several different
   versions.  Since the description is too vague, this CAN should
   be REJECTED and recast into other candidates.


CAN-1999-0712

Phase: Proposed (19991214)
Reference: CALDERA:CSSA-1999:009
Reference: XF:linux-coas

Description:
A vulnerability in Caldera Open Administration System (COAS) allows the /etc/shadow password file to be made world-readable.

Votes:

   ACCEPT(4) Baker, Frech, Cole, Stracener
   MODIFY(1) Blake
   NOOP(1) Armstrong
   REVIEWING(1) Christey
Voter Comments:
 Blake> This obscurely-written advisory seems to state that COAS will make the
   file world-readable, not that it allows the user to make it so.  I hardly
   think that allowing the user to turn off security is a vulnerability.
 Christey> It's difficult to write the description based on what's in
   the advisory.  If COAS inadvertently changes permissions
   without user confirmation, then it should be ACCEPTed with
   appropriate modification to the description.
 Christey> ADDREF BID:137
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]


CAN-1999-0718

Phase: Proposed (20010214)
Reference: NTBUGTRAQ:19990823 IBM Gina security warning
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9908&L=ntbugtraq&F=&S=&P=5534
Reference: BID:608
Reference: URL:http://www.securityfocus.com/bid/608
Reference: XF:ibm-gina-group-add
Reference: URL:http://xforce.iss.net/static/3166.php

Description:
IBM GINA, when used for OS/2 domain authentication of Windows NT users, allows local users to gain administrator privileges by changing the GroupMapping registry key.

Votes:

   ACCEPT(3) Baker, Frech, Cole
Voter Comments:
 Frech> XF:ibm-gina-group-add 


CAN-1999-0736

Phase: Proposed (19991208)
Reference: L0PHT:May7,1999
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q232449
Reference: MSKB:Q231368

Description:
The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

Votes:

   ACCEPT(4) Prosser, Ozancin, Wall, Stracener
   MODIFY(2) Frech, Cole
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:iis-samples-showcode
 Cole> There are several sample files that allow this.  I would quote
   showcode.asp but make it more generic.
 Prosser> (Modify)
   Have a question on this and on the following three candidates as well.  All
   of these are part of the file viewers utilities that allow unauthorized
   files reading, but MSKB Q231368 also mentioned the diagnostics
   program,Winmsdp.exe, as another vulnerable viewer in this same set of
   viewers.  If we are going to split out the seperate viewer tools then
   shouldn't there should be a seperate CAN for Winmsdp.exe also.
 Christey> Mike's question basically touches on the CD:SF-EXEC
   content decision - what do you do when you have the same bug
   in multiple executables?  CD:SF-EXEC needs to be reviewed
   and approved by the Editorial Board before we can decide
   what to do with this candidate.
 Christey> Mark Burnett says that Microsoft's mention of winmsdp.exe in
   MSKB:Q231368 may be an error, and that winmsdp.exe is a
   Microsoft Diagnostics Report Generator which may not even
   be installed as part of IIS.
   
   Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html
 Christey> ADDREF BID:167
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=167


CAN-1999-0737

Phase: Proposed (19991208)
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q231656

Description:
The viewcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

Votes:

   ACCEPT(4) Prosser, Ozancin, Wall, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Cole
Voter Comments:
 Frech> XF:iis-samples-viewcode
 Cole> I would combine this with the previous.
 Prosser> (modify)
   See comments in 0736 above
 Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html
   for additional details.


CAN-1999-0738

Phase: Proposed (19991208)
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q232449
Reference: MSKB:Q231368

Description:
The code.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

Votes:

   ACCEPT(4) Prosser, Ozancin, Wall, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Cole
Voter Comments:
 Frech> XF:iis-samples-code
 Cole> Same as above
 Prosser> (modify)
   See comments in 0736 above
 Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html
   for additional details.


CAN-1999-0739

Phase: Proposed (19991208)
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q232449
Reference: MSKB:Q231368

Description:
The codebrws.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

Votes:

   ACCEPT(4) Prosser, Ozancin, Wall, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Cole
Voter Comments:
 Frech> XF:iis-samples-codebrws
 Cole> Same as above.
 Prosser> (modify)
   See comments in 0736 above
 Christey> codebrw2.asp and Codebrw1.asp also need to be included
   somewhere.
   
   Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html


CAN-1999-0741

Phase: Proposed (19991222)
Reference: BUGTRAQ:19990818 QMS 2060 printer security hole
Reference: BID:593
Reference: URL:http://www.securityfocus.com/bid/593
Reference: XF:qms-2060-no-root-password

Description:
QMS CrownNet Unix Utilities for 2060 allows root to log on without a password.

Votes:

   ACCEPT(4) Baker, Frech, Levy, Stracener
   NOOP(2) Christey, Oliver
Voter Comments:
 Christey> change description - anyone can log on *as* root
 Frech> (Note: this XF also cataloged under CAN-1999-0508.)


CAN-1999-0748

Phase: Proposed (19991214)
Reference: REDHAT:RHSA-1999:017-01

Description:
Buffer overflows in Red Hat net-tools package.

Votes:

   ACCEPT(3) Cole, Armstrong, Stracener
   MODIFY(1) Frech
   REJECT(1) Blake
Voter Comments:
 Blake> RHSA-1999:017-01 describes "potential security problem fixed" in the
   absence of knowing whether or not the problems actually existed, I don't
   think we have an entry here.
 Frech> XF:redhat-net-tool-bo


CAN-1999-0750

Phase: Proposed (19991222)
Reference: BUGTRAQ:19990913 Hotmail security vulnerability - injecting JavaScript using 'STYLE' tag
Reference: BID:630
Reference: URL:http://www.securityfocus.com/bid/630

Description:
Hotmail allows Javascript to be executed via the HTML STYLE tag, allowing remote attackers to execute commands on the user's Hotmail account.

Votes:

   ACCEPT(1) Levy
   MODIFY(2) Frech, Stracener
Voter Comments:
 Stracener> Many sites are vulnerable to this problem. I recommend removing the
   explicit references to Hotmail and making the description more generic.
   Suggest: Javascript can be injected using the STYLE tag in an HTML
   formatted e-mail, allowing remote attackers to execute commands on user
   accounts.
 Frech> XF:hotmail-html-style-embed


CAN-1999-0757

Phase: Proposed (20010214)
Reference: ALLAIRE:ASB99-08
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=10969&Method=Full
Reference: XF:coldfusion-encryption
Reference: URL:http://xforce.iss.net/static/2208.php

Description:
The ColdFusion CFCRYPT program for encrypting CFML templates has weak encryption, allowing attackers to decrypt the templates.

Votes:

   ACCEPT(3) Baker, Frech, Cole
   NOOP(1) Christey
Voter Comments:
 Frech> XF:coldfusion-encryption 
 Christey> BUGTRAQ:19990724 Re: New Allaire Security Zone Bulletins and KB Articles
   URL:http://www.securityfocus.com/archive/1/19471
 Christey> ADDREF BID:275
   URL:http://www.securityfocus.com/bid/275


CAN-1999-0767

Phase: Proposed (19991214)
Reference: SUN:00189

Description:
Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES environmental variable.

Votes:

   ACCEPT(4) Blake, Baker, Cole, Dik
   MODIFY(2) Frech, Stracener
   REVIEWING(2) Christey, Prosser
Voter Comments:
 Stracener> Add Ref: CIAC: J-069
 Frech> XF:sun-libc-lcmessages
 Prosser> BID 268 is an additional reference for this one as it has info on the Sun
   vulnerability.  However, BID 268 also includes AIX in this vulnerability and
   refs APARS issued to fix a vulnerability in various 'nixs with the Natural
   Language Service environmental variables NSLPATH and PATH_LOCALE depending
   on the 'nix, ref CERT CA-97.10, CVE-1999-0041.  However, Georgi Guninski
   reported a BO in AIX with LC_MESSAGES + mount, also refed in BID 268, so it
   is possible the AIX APARs fix an earlier, similar vulnerability to the Sun
   BO in LC_MESSAGES.   This should probably be considered under a different
   CAN.  Any ideas? 
 Christey> Given that the buffer overflows in CVE-1999-0041 are NLSPATH
   and PATH_LOCALE, I'd say that's good evidence that this is not
   the same problem.  But a buffer overflow in libc in
   LC_MESSAGES... We must ask if these are basically the same
   codebase.
   
   ADDREF CIAC:J-069
 Christey> While the description indicates multiple programs, CD:SF-EXEC
   does not apply because the vulnerability was in libc, and
   rcp and ufsrestore were both statically linked against libc.
   Thus CD:SF-LOC applies, and a single candidate is maintained
   because the problem occurred in a library.
 Dik> Sun bug 4240566
 Christey> I'm consulting with Casper Dik and Troy Bollinger to see if
   this should be combined with the AIX buffer overflows for
   LC_MESSAGES; current indications are that they should be
   split.
 Christey> For further consultation, consider this post, though it's
   associated with CVE-1999-0041:
   BUGTRAQ:19970213 Linux NLSPATH buffer overflow
   http://www.securityfocus.com/archive/1/6296
   Also add "NLSPATH" and "PATH_LOCALE" to the description to
   facilitate search.


CAN-1999-0776

Phase: Proposed (19991214)
Reference: NTBUGTRAQ:19990506 ".."-hole in Alibaba 2.0
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9905&L=NTBUGTRAQ&P=R1533
Reference: XF:http-alibaba-dotdot

Description:
Alibaba HTTP server allows remote attackers to read files via a .. (dot dot) attack.

Votes:

   ACCEPT(4) Frech, Ozancin, Levy, Stracener
   MODIFY(1) Baker
   NOOP(6) Blake, LeBlanc, Wall, Landfield, Cole, Armstrong
   REVIEWING(1) Christey
Voter Comments:
 Christey> This candidate is unconfirmed by the vendor.
   
   Posted by Arne Vidstrom.
 Blake> I'd like to change my vote on this from ACCEPT to NOOP.  I did some
   digging and the vendor seems to have discontinued the product, so no
   information is available beyond Arne's post.  Unless Andre has a copy
   in his archive and can test it, I think we have to leave it out.
 Wall> I agree with Blake.  We have not seen the product and it has been discontinued.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> If this is (or was) tested by some tool, we should ACCEPT it.
 Baker> http://www.securityfocus.com/bid/270
 Christey> BID:270
   URL:http://www.securityfocus.com/bid/270


CAN-1999-0784

Phase: Proposed (20010214)
Reference: NTBUGTRAQ:19980827 NERP DoS attack possible in Oracle
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998/msg00536.html
Reference: BUGTRAQ:19990104 Re: Fw:"NERP" DoS attack possible in Oracle
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999_1/0056.html
Reference: BUGTRAQ:19981228 Oracle8 TNSLSNR DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1998_4/0764.html

Description:
Denial of service in Oracle TNSLSNR SQL*Net Listener via a malformed string to the listener port, aka NERP.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Cole
Voter Comments:
 Frech> XF:oracle-tnslsnr-dos(1551)


CAN-1999-0792

Phase: Modified (20000827)
Reference: MISC:http://www2.merton.ox.ac.uk/~security/rootshell/0022.html

Description:
ROUTERmate has a default SNMP community name which allows remote attackers to modify its configuration.

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, Stracener
   NOOP(1) Christey
   REVIEWING(1) Levy
Voter Comments:
 Stracener> Change the Ref to read: ROOTSHELL: Osicom Technologies ROUTERmate
   Security
   Advisory
 Frech> XF:routermate-snmp-community
 Christey> BUGTRAQ:19980914 [rootshell] Security Bulletin #23
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90581019105693&w=2


CAN-1999-0795

Phase: Proposed (19991222)
Reference: NAI:NAI-27

Description:
The NIS+ rpc.nisd server allows remote attackers to execute certain RPC calls without authentication to obtain system information, disable logging, or modify caches.

Votes:

   ACCEPT(2) Baker, Stracener
   MODIFY(1) Frech
   NOOP(1) Ozancin
Voter Comments:
 Frech> XF:sun-nisplus


CAN-1999-0798

Phase: Proposed (19991222)
Reference: BUGTRAQ:19981204 bootpd remote vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2

Description:
Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux systems via a malformed header type.

Votes:

   ACCEPT(2) Ozancin, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Christey> Is CAN-1999-0389 a duplicate of CAN-1999-0798?  CAN-1999-0389
   has January 1999 dates associated with it, while CAN-1999-0798
   was reported in late December.
   
   http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2
   
   SCO appears to have acknowledged this as well:
   ftp://ftp.sco.com/SSE/security_bulletins/SB-99.01a
   
   The poster also claims that OpenBSD fixed this as well.
 Frech> XF:bootp-remote-bo
 Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
 CHANGE> [Christey changed vote from REJECT to NOOP]
 Christey> What was I thinking?  Brian Caswell pointed out that this is
   *not* the same bug as CVE-1999-0799.  As reported in the
   1998 Bugtraq post, the bug is in bootpd.c, and is related
   to providing an htype value that is used as an index
   into an array, and exceeds the intended boundaries of that
   array.


CAN-1999-0805

Phase: Proposed (20010214)
Reference: BUGTRAQ:19990512 DoS with Netware 4.x's TTS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999_2/0439.html
Reference: XF:novell-tts-dos
Reference: URL:http://xforce.iss.net/static/2184.php

Description:
Novell NetWare Transaction Tracking System (TTS) in Novell 4.11 and earlier allows remote attackers to cause a denial of service via a large number of requests.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(2) Christey, Cole
Voter Comments:
 Christey> BID:276
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=276
 Frech> XF:novell-tts-dos


CAN-1999-0808

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980518 DHCP 1.0 and 2.0 SECURITY ALERT! (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925960&w=2
Reference: CIAC:I-053
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-053.shtml
Reference: MISC:ftp://ftp.isc.org/isc/dhcp/dhcp-1.0-history/dhcp-1.0.0-1.0pl1.diff.gz

Description:
Multiple buffer overflows in ISC DHCP Distribution server (dhcpd) 1.0 and 2.0 allow a remote attacker to cause a denial of service (crash) and possibly execute arbitrary commands via long options.

Votes:

   ACCEPT(4) Foat, Cole, Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:dhcp-remote-dos(7248)


CAN-1999-0816

Phase: Modified (20000313-01)
Reference: BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters
Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9805B&L=bugtraq&P=R1621
Reference: XF:motorola-cable-default-pass

Description:
The Motorola CableRouter allows any remote user to connect to and configure the router on port 1024.

Votes:

   ACCEPT(3) Baker, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, LeBlanc
Voter Comments:
 Christey> This candidate is unconfirmed by the vendor.
 Frech> XF:motorola-cable-default-pass


CAN-1999-0818

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 another hole of Solaris7 kcms_configure
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38433B7F5A.53F4SHADOWPENGUIN@fox.nightland.net
Reference: BID:831
Reference: URL:http://www.securityfocus.com/bid/831

Description:
Buffer overflow in Solaris kcms_configure via a long NETPATH environmental variable.

Votes:

   ACCEPT(2) Armstrong, Stracener
   MODIFY(4) Prosser, Frech, Cole, Dik
   REVIEWING(1) Christey
Voter Comments:
 Cole> This can cause code to be executed.
 Frech> XF:sol-kcms-conf-netpath-bo
 Dik> the bug has nothing to do with kcms_configure; it's a bug
   in libnsl.so.  All set-uid executables that trigger this code path are
   vulnerable.  Sun bug 4295834; fixed in Solaris 8.
 Prosser> Okay, I am confused.  Based on Casper's comments and checking
   on the Sun patch site, I found the 4295834 bug(4295834 NETPATH security
   problem in libnsl) fixed in  SunOS 5.4, Patch 101974-37(x86) 101973 (sparc).
   Multiple libnsl vulnerabilities was first reported in an 98 Sun Bulletin
   #00172 for 5.4 up through 2.6.   Was this NETPATH a problem that resurfaced
   in 7 (looks like in 5.4 as well) and was fixed in 8?
 Christey> Need to dig up my offline email on this.
 Christey> May be a duplicate of CVE-1999-0321, whose sole reference
   (XF:sun-kcms-configure-bo) no longer exists.  Also examine
   BID:452 and
   BUGTRAQ:19981223 Merry Christmas to Sun! (Was: L0pht NFR N-Code
   Modules Updated)
   
   which are the same as XF:sol-kcms-conf-p-bo(3652), which could
   be the new name for XF:sun-kcms-configure-bo.


CAN-1999-0821

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Reference: BID:838
Reference: URL:http://www.securityfocus.com/bid/838

Description:
FreeBSD seyon allows local users to gain privileges by providing a malicious program in the -emulator argument.

Votes:

   ACCEPT(2) Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Cole
   REVIEWING(1) Prosser
Voter Comments:
 Cole> I would combine this with the previous.  To me the general
   vulnerabilities are similar it is just the end result that changes.
 Frech> XF:freebsd-seyon-setgid
 Christey> ADDREF? CALDERA:CSSA-1999-037.0


CAN-1999-0822

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 serious Qpopper 3.0 vulnerability
Reference: BUGTRAQ:19991130 qpop3.0b20 and below - notes and exploit
Reference: BID:830
Reference: URL:http://www.securityfocus.com/bid/830

Description:
Buffer overflow in Qpopper (qpop) 3.0 allows remote root access via AUTH command.

Votes:

   ACCEPT(3) Cole, Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Prosser
Voter Comments:
 Frech> XF:qpopper-auth-bo
 Christey> ADDREF? DEBIAN:19991215 buffer overflow in qpopper v3.0
   ADDREF XF:qpopper-auth-bo


CAN-1999-0825

Phase: Modified (20000121-01)
Reference: BUGTRAQ:19991203 UnixWare read/modify users' mail
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: BID:849
Reference: URL:http://www.securityfocus.com/bid/849

Description:
The default permissions for UnixWare /var/mail allow local users to read and modify other users' mail.

Votes:

   ACCEPT(3) Cole, Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Prosser
Voter Comments:
 Frech> XF:sco-mail-permissions
 Christey> ADDREF ftp://ftp.sco.com/SSE/security_bulletins/SB-99.25a


CAN-1999-0827

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 Default IE 5.0 security settings allow frame spoofing

Description:
By default, Internet Explorer 5.0 and other versions enables the "Navigate sub-frames across different domains" option, which allows frame spoofing.

Votes:

   ACCEPT(3) LeBlanc, Armstrong, Stracener
   MODIFY(2) Frech, Cole
   REVIEWING(1) Prosser
Voter Comments:
 Cole> The BID is 855.  If I have the right vulnerability, this allows an
   attacker to access URL's of there choosing which could lead to a compromise
   of private information.
 Frech> XF:http-frame-spoof
   Question: Similar vulnerability to MS98-020 / CAN-1999-0869?
 LeBlanc> MSRC tells me this is patched in MS00-009


CAN-1999-0828

Phase: Modified (20000121-01)
Reference: BUGTRAQ:19991203 UnixWare and the dacread permission
Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: BID:853
Reference: URL:http://www.securityfocus.com/bid/853

Description:
UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow local users to read arbitrary files via the dacread permission.

Votes:

   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Frech, Cole
   REVIEWING(2) Christey, Prosser
Voter Comments:
 Cole> This is BID 850.
 Christey> See comments on CAN-1999-0988.  Perhaps these two should be
   merged. ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a
   loosely alludes to this problem; the README for patch SSE053
   effectively confirms it.
 Frech> XF:sco-pkg-dacread-fileread


CAN-1999-0829

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991201 HP Secure Web Console

Description:
HP Secure Web Console uses weak encryption.

Votes:

   ACCEPT(2) Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Prosser
Voter Comments:
 Cole> I could not find details on this using the above references.
 Frech> XF:hp-secure-console


CAN-1999-0830

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991126 [w00giving '99 #6]: UnixWare 7's Xsco

Description:
Buffer overflow in SCO UnixWare Xsco command via a long argument.

Votes:

   ACCEPT(2) Armstrong, Stracener
   MODIFY(3) Prosser, Frech, Cole
   REVIEWING(1) Christey
Voter Comments:
 Cole> This is BID 824 and the BUGTRAQ reference is 19991125.
 Frech> XF:sco-unixware-xsco
 Christey> Confirmed by vendor, albeit vaguely:
   http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2
   
 Prosser> agree with Steve on vendor confirmation, however not sure the
   fix ref'd in BID 824 (SSE041) is right.  It lists fixes for libnsl and
   tcpip.so, nothing about xsco.  SSE050b
   (ftp://ftp.sco.com/SSE/security_bulletins/SB-99.26b) fixes a buffer overflow
   in xsco on OpenServer (the vendor message Steve refers to) but not the
   UnixWare vulnerability reported on Bugtraq and in BID824. Anyone more
   familar with SCO shed some light on this? Are they the same codebase so fix
   would be same?  From the SCO site it seems the UnixWare and OpenSever
   products are similar but have differences.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> BID:824
   http://www.securityfocus.com/bid/824


CAN-1999-0840

Phase: Proposed (19991208)
Reference: BID:832
Reference: URL:http://www.securityfocus.com/bid/832
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow

Description:
Buffer overflow in CDE dtmail and dtmailpr programs via the -f option.

Votes:

   ACCEPT(3) Armstrong, Dik, Stracener
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Prosser
Voter Comments:
 Cole> I went to 1129 and it looks like a reference for a different
   vulnerability.
 Frech> In the description, should dtmailptr be dtmailpr?
   XF:solaris-dtmailpr-overflow
   XF:solaris-dtmail-overflow
 Dik> sun bug: 4166321


CAN-1999-0841

Phase: Proposed (19991208)
Reference: BID:832
Reference: URL:http://www.securityfocus.com/bid/832
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow

Description:
Buffer overflow in CDE mailtool allows local users to gain root privilege via a long MIME Content-Type.

Votes:

   ACCEPT(4) Cole, Armstrong, Dik, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser
Voter Comments:
 Frech> XF:cde-mailtool-bo
 Dik> bug 4163471
   (Root access is only possible when mail is send to root and he
   uses dtmail to read it)


CAN-1999-0843

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991104 Cisco NAT DoS (VD#1)
Reference: BUGTRAQ:19991128 Re: Cisco NAT DoS (VD#1)

Description:
Denial of service in Cisco routers running NAT via a PORT command from an FTP client to a Telnet port.

Votes:

   ACCEPT(3) Balinsky, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Armstrong
   REVIEWING(3) Christey, Prosser, Ziese
Voter Comments:
 Frech> XF:cisco-nat-dos
 Christey> Mike Prosser's REVIEWING vote expires July 17, 2000
 Ziese> After reviewing
   http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml 
   I can not confirm this exists unless it's restructred to
   describe a problem against IOS per se; not NAT per se.  I am
   reviewing this and it may take some time.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> Not sure if Kevin's suggested reference really describes this
   one.  However, a followup email by Jim Duncan of Cisco does
   acknowledge the problem as discussed in the Bugtraq post:
   http://marc.theaimsgroup.com/?l=vuln-dev&m=94385601831585&w=2
   The original post is:
   http://marc.theaimsgroup.com/?l=bugtraq&m=94184947504814&w=2
   
   It could be that the researcher believed that the problem was
   NAT, but in fact it wasn't.
   
   I need to follow up with Ziese/Balinsky on this one.


CAN-1999-0844

Phase: Proposed (19991208)
Reference: NTBUGTRAQ:19991124 Remote DoS Attack in WorldClient Server v2.0.0.0 Vulnerability
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability
Reference: BID:823
Reference: URL:http://www.securityfocus.com/bid/823
Reference: BID:820
Reference: URL:http://www.securityfocus.com/bid/820

Description:
Denial of service in MDaemon WorldClient and WebConfig services via a long URL.

Votes:

   ACCEPT(1) Stracener
   MODIFY(2) Frech, Cole
   NOOP(1) Armstrong
   RECAST(1) Christey
   REVIEWING(1) Prosser
Voter Comments:
 Cole> 823 and 820 are two different vulnerabilities and should be
   separated out.  They are both buffer overflows but accomplish it in a
   different fashion and the end exploit is different.
 Frech> (RECAST?)
   XF:mdaemon-worldclient-dos
   XF:mdaemon-webconfig-dos
   Recast request: This is really two services exhibiting the same problem.
 Christey> as suggested by others.
   
   Also see confirmation at:
   http://mdaemon.deerfield.com/helpdesk/hotfix.cfm


CAN-1999-0845

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991126 [w00giving '99 #5 and w00news]: UnixWare 7's su
Reference: SCO:99.19
Reference: BUGTRAQ:19991128 SCO su patches

Description:
Buffer overflow in SCO su program allows local users to gain root access via a long username.

Votes:

   ACCEPT(4) Prosser, Cole, Armstrong, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Christey> DUPE CAN-1999-0317?
 Frech> XF:sco-su-username-bo
 Christey> ADDREF BID:826
   CONFIRM:ftp://ftp.sco.com/SSE/sse039.tar.Z


CAN-1999-0846

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991129 MDaemon 2.7 J DoS
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability

Description:
Denial of service in MDaemon 2.7 via a large number of connection attempts.

Votes:

   ACCEPT(4) Prosser, Cole, Armstrong, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:mdaemon-dos
 Christey> CAN-1999-0844 is confirmed by MDaemon at
   http://mdaemon.deerfield.com/helpdesk/hotfix.cfm but there
   is no apparent confirmation for this problem, even
   though it was posted the same day.
 Prosser> Looks like from a follow-on message on Bugtraq from Nobuo
   <http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-28&msg=199912011604.HJI39569.BX-NOJ@lac.co.jp> Deerfield sent a reply about the
   DoS problems in MDaemon 2.8.5, that also talks about fixing the 2.7 J DoS
   that Nobuo initially reported. Can't find the original message, so may have
   been limited distro. Looks like an upgrade to the latest release might be
   the final solution here.


CAN-1999-0850

Phase: Proposed (19991208)
Reference: BID:845
Reference: URL:http://www.securityfocus.com/bid/845
Reference: BUGTRAQ:19991202 Insecure default permissions for MailMan Professional Edition, version 3.0.18

Description:
The default permissions for Endymion MailMan allow local users to read email or modify files.

Votes:

   ACCEPT(2) Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Armstrong
   REVIEWING(1) Prosser
Voter Comments:
 Frech> XF:endymion-mailman-perms


CAN-1999-0852

Phase: Proposed (19991208)
Reference: BID:844
Reference: URL:http://www.securityfocus.com/bid/844
Reference: BUGTRAQ:19991202 WebSphere protections from installation

Description:
IBM WebSphere sets permissions that allow a local user to modify a deinstallation script or its data files stored in /usr/bin.

Votes:

   ACCEPT(3) Cole, Armstrong, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser
Voter Comments:
 Frech> XF:websphere-protect


CAN-1999-0855

Phase: Proposed (19991208)
Reference: BID:834
Reference: URL:http://www.securityfocus.com/bid/834
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit

Description:
Buffer overflow in FreeBSD gdc program.

Votes:

   ACCEPT(3) Prosser, Armstrong, Stracener
   MODIFY(2) Frech, Cole
   NOOP(1) Christey
Voter Comments:
 Cole> The BID is 834 and the reference is 19991201 not 1130.
 Frech> XF:freebsd-gdc-bo
 Christey> ADDREF BID:780 ?


CAN-1999-0857

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit
Reference: BID:835
Reference: URL:http://www.securityfocus.com/bid/835

Description:
FreeBSD gdc program allows local users to modify files via a symlink attack.

Votes:

   ACCEPT(3) Prosser, Armstrong, Stracener
   MODIFY(2) Frech, Cole
Voter Comments:
 Cole> This is via debug output.
 Frech> XF:freebsd-gdc


CAN-1999-0860

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities
Reference: BID:837
Reference: URL:http://www.securityfocus.com/bid/837

Description:
Solaris chkperm allows local users to read files owned by bin via the VMSYS environmental variable and a symlink attack.

Votes:

   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Frech, Dik
   NOOP(1) Christey
   REJECT(1) Cole
   REVIEWING(1) Prosser
Voter Comments:
 Cole> This is the same as the pervious.
 Frech> XF:sol-chkperm-vmsys
 Dik> include reference to Sun bug 4296167
 Christey> Remove BID:837, which is for arp, not chkperm


CAN-1999-0862

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991202 PostgreSQL RPM's permission problems

Description:
Insecure directory permissions in RPM distribution for PostgreSQL allows local users to gain privileges by reading a plaintext password file.

Votes:

   ACCEPT(3) Cole, Armstrong, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser
Voter Comments:
 Frech> XF:postgresql-insecure-perms


CAN-1999-0863

Phase: Proposed (19991208)
Reference: BUGTRAQ:19970617 Seyon vulnerability - IRIX
Reference: BUGTRAQ:19991108 FreeBSD 3.3's seyon vulnerability
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities

Description:
Buffer overflow in FreeBSD seyon via HOME environmental variable, -emulator argument, -modems argument, or the GUI.

Votes:

   ACCEPT(4) Prosser, Cole, Armstrong, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:freebsd-seyon-bo
 Christey> ADDREF? CALDERA:CSSA-1999-037.0
 Christey> May be multiple bugs here, or a single library problem.
   CD:SF-LOC needs to be resolved before determining if this
   candidate should be SPLIT.  Also see CAN-1999-0821.


CAN-1999-0872

Phase: Proposed (19991214)
Reference: BID:759
Reference: URL:http://www.securityfocus.com/bid/759
Reference: BID:611
Reference: URL:http://www.securityfocus.com/bid/611
Reference: REDHAT:RHSA-1999:030-02

Description:
Buffer overflow in Vixie cron allows local users to gain root access via a long MAILTO environment variable in a crontab file.

Votes:

   MODIFY(2) Frech, Cole
   REJECT(3) Christey, Blake, Stracener
Voter Comments:
 Cole> 611 is the mail to listed above but 759 is for the mail from and
   should be listed as a separate vulenrability.
 Blake> This does not appear materially different from CAN-1999-0768
 Christey> This is an apparent duplicate of CAN-1999-0768.
   REDHAT:RHSA-1999:030-02 describes two issues, one of which is
   CAN-1999-0768, and the other is CVE-1999-0769.
 Stracener> This is a duplicate of candidate CAN-1999-0768.
 Frech> XF:cron-sendmail-bo-root
 Christey> BID:759 is improperly assigned to this candidate and doesn't
   even describe it.  It may have been inadvertently copied
   from CAN-1999-0873.


CAN-1999-0882

Phase: Proposed (19991214)
Reference: BUGTRAQ:19991025 Falcon Web Server
Reference: BINDVIEW:Falcon Web Server

Description:
Falcon web server allows remote attackers to determine the absolute path of the web root via long file names.

Votes:

   ACCEPT(3) Blake, Baker, Stracener
   MODIFY(1) Frech
   NOOP(2) Cole, Armstrong
Voter Comments:
 Frech> XF:falcon-server-long-filename


CAN-1999-0885

Phase: Modified (20000313-01)
Reference: BUGTRAQ:19991103 More Alibaba Web Server problems...
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-01&msg=01BF261F.928821E0.kerb@fnusa.com
Reference: BID:770
Reference: URL:http://www.securityfocus.com/bid/770
Reference: XF:alibaba-url-file-manipulation

Description:
Alibaba web server allows remote attackers to execute commands via a pipe character in a malformed URL.

Votes:

   ACCEPT(2) Baker, Stracener
   MODIFY(1) Frech
   NOOP(5) Christey, Blake, LeBlanc, Cole, Armstrong
Voter Comments:
 Christey> This candidate is unconfirmed by the vendor.
 Blake> Same as CAN-1999-0776.
 Frech> XF:alibaba-url-file-manipulation
 Christey> CD:SF-LOC and CD:SF-EXEC may say to merge this candidate with
   the problems described in:
   BUGTRAQ:20000718 Multiple bugs in Alibaba 2.0
   URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0237.html
   
   If so, then ADDREF BID:1485 as well.
 Christey> Include the names of the affected CGI's, including tst.bat,
   get32.exe, alibaba.pl, etc.


CAN-1999-0910

Phase: Proposed (19991208)
Reference: MS:MS99-035
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-035.asp
Reference: BID:625
Reference: URL:http://www.securityfocus.com/bid/625

Description:
Microsoft Site Server and Commercial Internet System (MCIS) do not set an expiration for a cookie, which could then be cached by a proxy and inadvertently used by a different user.

Votes:

   ACCEPT(3) Prosser, Ozancin, Wall
   MODIFY(2) Frech, Stracener
   REJECT(1) Cole
Voter Comments:
 Frech> XF:siteserver-cis-cookie-cache
 Cole> Whether cookies are a vulnerbality is a debate for another time, the
   question here is whether the
   expiration feature is a vulnerability and I do not think it is
   because the underlying concerns for this
   are present even without this feature.  The expiration feature does
   not add any new vulenrabilities
   that are not already present with cookies.
 Stracener> Add Ref: MSKB Q238647


CAN-1999-0911

Phase: Proposed (19991214)
Reference: BUGTRAQ:19990827 ProFTPD
Reference: BUGTRAQ:19990907 ProFTP-1.2.0pre4 buffer overflow -- once more
Reference: FREEBSD:FreeBSD-SA-99:03
Reference: BID:612
Reference: URL:http://www.securityfocus.com/bid/612

Description:
Buffer overflow in ProFTPD, wu-ftpd, and beroftpd allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories.

Votes:

   ACCEPT(5) Blake, Prosser, Baker, Cole, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:proftpd-long-dir-bo(3399)
 Christey> Not absolutely sure if this isn't the same as Palmetto
   (CVE-1999-0368), which describes a similar type of overflow.
   
   NETBSD:NetBSD-SA1999-003 may refer to CVE-1999-0368:
   ADDREF URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-003.txt.asc
 Christey> ADDREF CIAC:J-068
   Include version numbers; too many wu-ftp/etc. problems
   were published in summer/fall 1999


CAN-1999-0913

Phase: Proposed (19991214)
Reference: BUGTRAQ:19990804 NSW Dragon Fire gets drowned
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93383593909438&w=2
Reference: BID:564
Reference: URL:http://www.securityfocus.com/bid/564

Description:
dfire.cgi script in Dragon-Fire IDS allows remote users to execute commands via shell metacharacters.

Votes:

   ACCEPT(2) Blake, Stracener
   MODIFY(1) Frech
   NOOP(3) LeBlanc, Cole, Armstrong
   REVIEWING(1) Christey
Voter Comments:
 Christey> Some voters should use ABSTAIN.  
 Frech> XF:dragon-fire-ids-metachar(3834)
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]


CAN-1999-0919

Phase: Modified (20020226-02)
Reference: BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters
Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9805B&L=bugtraq&P=R1621
Reference: XF:motorola-cable-crash(2004)
Reference: URL:http://xforce.iss.net/static/2004.php

Description:
A memory leak in a Motorola CableRouter allows remote attackers to conduct a denial of service via a large number of telnet connections.

Votes:

   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(7) Christey, Ozancin, LeBlanc, Wall, Landfield, Armstrong, Stracener
   REVIEWING(1) Levy
Voter Comments:
 Christey> This candidate is unconfirmed by the vendor.
 Frech> XF:motorola-cable-crash
 Christey> This has enough votes, but not the "confidence" yet (until we
   resolve the question of the amount of verification needed
   for CVE).


CAN-1999-0923

Phase: Proposed (20010214)
Reference: ALLAIRE:ASB99-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full

Description:
Sample runnable code snippets in ColdFusion Server 4.0 allow remote attackers to read files, conduct a denial of service, or use the server as a proxy for other HTTP calls.

Votes:

   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:coldfusion-source-display(1741)
   XF:coldfusion-syntax-checker(1742)
   XF:coldfusion-file-existence(1743)
   XF:coldfusion-sourcewindow(1744)
 Christey> List all affected runnable code snippets to facilitate
   search, which may include:
   viewexample.cfm (though could that be part of CVE-1999-0922?)


CAN-1999-0925

Phase: Modified (20020829-01)
Reference: BUGTRAQ:19980903 Web servers / possible DOS Attack / mime header flooding
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90486243124867&w=2

Description:
UnityMail allows remote attackers to conduct a denial of service via a large number of MIME headers.

Votes:

   ACCEPT(2) Baker, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Levy
Voter Comments:
 Frech> XF:unitymail-web-dos(1630)
 Christey> BID:1760
   URL:http://www.securityfocus.com/bid/1760
 Christey> Affected version is 2.0
   Change date of Bugtraq post - it was 1998.


CAN-1999-0926

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html

Description:
Apache allows remote attackers to conduct a denial of service via a large number of MIME headers.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(3) Christey, Wall, Foat
Voter Comments:
 Christey> BID:1760
   URL:http://www.securityfocus.com/bid/1760
 Frech> XF:unitymail-web-dos(1630)


CAN-1999-0929

Phase: Interim (19991229)
Reference: BUGTRAQ:19990616 Novell NetWare webservers DoS

Description:
Novell NetWare with Novell-HTTP-Server or YAWN web servers allows remote attackers to conduct a denial of service via a large number of HTTP GET requests.

Votes:

   ACCEPT(4) Blake, Cole, Armstrong, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:novell-webserver-dos(2287)


CAN-1999-0941

Phase: Proposed (19991222)
Reference: BUGTRAQ:19980728 mutt x.x
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2

Description:
Mutt mail client allows a remote attacker to execute commands via shell metacharacters.

Votes:

   ACCEPT(1) Stracener
   NOOP(1) Christey
   REJECT(1) Frech
   REVIEWING(1) Levy
Voter Comments:
 Frech> References are vague, but seem to be identical to CAN-1999-0940
   (XF:mutt-text-enriched-mime-bo). According to the references, the malformed
   messages consist of metacharacters. In addition, -0941's reference and
   -0940's SuSE reference both refer to fixes in 1.0pre3 release. Will
   reconsider vote if other clearer references are forthcoming.
 Christey> Modify to mention that the metachar's are in the Content-Type header.
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2


CAN-1999-0944

Phase: Proposed (19991222)
Reference: BUGTRAQ:19991024 password leak in IBM WebSphere / HTTP Server / ikeyman

Description:
IBM WebSphere ikeyman tool uses weak encryption to store a password for a key database that is used for SSL connections.

Votes:

   ACCEPT(2) Stracener, Baker
   MODIFY(1) Frech
   NOOP(2) Christey, Bollinger
   REVIEWING(1) Levy
Voter Comments:
 Frech> XF:websphere-database-pwd-accessible
 Christey> ADDREF BID:1763
   URL:http://www.securityfocus.com/bid/1763


CAN-1999-0948

Phase: Proposed (19991222)
Reference: BID:757
Reference: URL:http://www.securityfocus.com/bid/757
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares

Description:
Buffer overflow in uum program for Canna input system allows local users to gain root privileges.

Votes:

   ACCEPT(2) Stracener, Levy
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Christey> CAN-1999-0948 and CAN-1999-0949 are extremely similar.
   uum (0948) is exploitable through a different set of options
   than canuum (0949).  If it's the same generic option parsing
   routine used by both programs, then CD:SF-CODEBASE says to
   merge them.  But if it's not, then CD:SF-LOC and CD:SF-EXEC
   says to split them.  However, this is a prime example of
   how SF-EXEC might be modified - uum and canuum are clearly
   part of the same package, so in the absence of clear
   information, maybe we should merge them.
 Frech> XF:canna-uum-bo


CAN-1999-0949

Phase: Proposed (19991222)
Reference: BID:757
Reference: URL:http://www.securityfocus.com/bid/757
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares

Description:
Buffer overflow in canuum program for Canna input system allows local users to gain root privileges.

Votes:

   ACCEPT(2) Stracener, Levy
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Christey> CAN-1999-0948 and CAN-1999-0949 are extremely similar.
   uum (0948) is exploitable through a different set of options
   than canuum (0949).  If it's the same generic option parsing
   routine used by both programs, then CD:SF-CODEBASE says to
   merge them.  But if it's not, then CD:SF-LOC and CD:SF-EXEC
   says to split them.  However, this is a prime example of
   how SF-EXEC might be modified - uum and canuum are clearly
   part of the same package, so in the absence of clear
   information, maybe we should merge them.
   
   Also review BID:758 and BID:757 - may need to change the BID
   here.
 Frech> XF:canna-uum-bo
 Christey> CHANGEREF BID:757 BID:758


CAN-1999-0952

Phase: Proposed (19991222)
Reference: BUGTRAQ:19990126 Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91759216618637&w=2

Description:
Buffer overflow in Solaris lpstat via class argument allows local users to gain root access.

Votes:

   ACCEPT(3) Stracener, Baker, Ozancin
   MODIFY(2) Frech, Dik
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:solaris-lpstat-bo
 Christey> It is unclear from Casper Dik's followup whether this is
   exploitable or not.
 Dik> Sunbug 4129917
   (other reports in the same thread suggest that the then current patchd id
   fix the problem)
 Christey> Confirm with Casper Dik that the overflow is in the -c option,
   and if so, include it in the description to differentiate
   it from the lpstat -n buffer overflow.


CAN-1999-0970

Phase: Modified (20020226-01)
Reference: BUGTRAQ:19990605 Remote Exploit (Bug) in OmniHTTPd Web Server
Reference: URL:http://www.securityfocus.com/archive/1/14311
Reference: XF:omnihttpd-dos(2271)
Reference: URL:http://xforce.iss.net/static/2271.php
Reference: BID:1808
Reference: URL:http://www.securityfocus.com/bid/1808

Description:
The OmniHTTPD visadmin.exe program allows a remote attacker to conduct a denial of service via a malformed URL which causes a large number of temporary files to be created.

Votes:

   ACCEPT(3) Stracener, Blake, Baker
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Levy
Voter Comments:
 Frech> XF:omnihttpd-dos
 Christey> Some sort of confirmation might be findable at:
   http://www.omnicron.ab.ca/httpd/docs/release.html
 Christey> See http://www.omnicron.ab.ca/index.html
   The August 16, 2000 news item says "This release fixes some
   security problems."  It's for version 2.07, but the discloser
   didn't say what version was available.
   
   Other security fixes are in the release notes at
   http://www.omnicron.ab.ca/httpd/docs/release.html Notes for
   Professional Version 1.01 say "Patched up two security weaknesses."
   Notes for version 2.07 say "Fixes dot-appending vulnerability."
   Professional Alpha 7 says "Revamped CGI launching and security,"
   Professional Alpha 4 says "Fixed SSI path mapping and security
   problems," Alpha 5 says "Security fixup."
   
   In other words, you can't tell whether they've fixed this bug
   or not.
 Christey> BID:1808
   URL:http://www.securityfocus.com/bid/1808


CAN-1999-0983

Phase: Proposed (19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.

Description:
Whois Internic Lookup program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.

Votes:

   ACCEPT(3) Stracener, Blake, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Christey> More examination is required to determine if CAN-1999-0983,
   CAN-1999-0984, or CAN-1999-0985 are the same codebase.
 Frech> XF:whois-internic-shell-meta
 Christey> ADDREF BID:2000
 Christey> The XF appears to be gone.  Perhaps it's this one:
   XF:http-cgi-whois-meta(3798)


CAN-1999-0984

Phase: Proposed (19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.

Description:
Matt's Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.

Votes:

   ACCEPT(2) Stracener, Blake
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Christey
Voter Comments:
 Cole> How is this different than the previous?
 Christey> More examination is required to determine if CAN-1999-0983,
   CAN-1999-0984, or CAN-1999-0985 are the same codebase.
 Frech> XF:matts-whois-meta
 Christey> ADDREF BID:2000
 Christey> XF reference is gone.  Replace with http-cgi-matts-whois-meta(3799) ?


CAN-1999-0985

Phase: Proposed (19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.

Description:
CC Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.

Votes:

   ACCEPT(2) Stracener, Blake
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Christey
Voter Comments:
 Cole> I would combine all of these.
 Christey> More examination is required to determine if CAN-1999-0983,
   CAN-1999-0984, or CAN-1999-0985 are the same codebase.
 Frech> XF:cc-whois-meta
 Christey> ADDREF BID:2000
 Frech> Change cc-whois-meta(3800) to http-cgi-ccwhois(3747)
 Christey> Replace XF reference with XF:cc-whois-meta(3800) ?


CAN-1999-0988

Phase: Modified (20000121-01)
Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status

Description:
UnixWare pkgtrans allows local users to read arbitrary files via a symlink attack.

Votes:

   ACCEPT(2) Blake, Cole
   MODIFY(1) Frech
   RECAST(1) Stracener
   REVIEWING(1) Christey
Voter Comments:
 Stracener> The pkg* programs pkgtrans, pkginfo, pkgcat, pkginstall, and pkgparam
   can be used to mount etc/shadow printing attacks as a result of the
   "dacread" permission (cf. /etc/security/tcb/privs). The procedural
   differences between the individual exploits for each of these utilities
   are therefore inconsequential. CAN-1999-0988 should be merged with
   CAN-1999-0828. From the standpoint of maintaining consistency of the
   level of abstraction used in CVE, the co-existence of CANS
   1999-0988/1999-0828 present two choices: either merge 0988 with 0828, or
   split 0828 into 4 distinct candidates, keeping 0988 intact. Due to the
   very small differences (in principle) between the exploits subsumed by
   0828 and 0988 and the shared dacread permissions of the pkg* suite, I
   suggest a merge. Below is a summary of the data upon which my decision
   was based.
   utility         exploit
   --------      ---------------------------------- 
   pkgtrans  --> symlink + dacread permission prob
   pkginfo   --> truss (debugging utility) in conjunction with pkginfio -d
   etc/shadow. In this case, it captures the interaction between
   pkginfo                the shadow file. Once again: dacread.
   pkgcat    --> buffer overflow  + dacread permission prob
   pkginstall -> buffer overflow + dacread permission prob
   pkgparam --> -f etc/shadow (works because of dacread).
 Christey> This is a tough one.  While there are few procedural
   differences, one could view "assignment of an improper
   permission" as a "class" of problems along the lines of
   buffer overflows and the like.  Just like some programs
   were fine until they got turned into CGI scripts, this
   could be an emerging pattern which should be given
   consideration.  Consider the Eyedog and scriptlet.typelib
   ActiveX utilities being marked as safe for scripting
   (CAN-1999-0668 and 0669).
   
   ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a loosely
   alludes to this problem; the README for patch SSE053
   effectively confirms it.
 Frech> XF:unixware-pkgtrans-symlink


CAN-1999-0990

Phase: Interim (19991229)
Reference: BUGTRAQ:19991205 gdm thing

Description:
Error messages generated by gdm with the VerboseAuth setting allows an attacker to identify valid users on a system.

Votes:

   ACCEPT(3) Stracener, Blake, Cole
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:verbose-auth-identify-user(3804)


CAN-1999-0993

Phase: Proposed (19991222)
Reference: NTBUGTRAQ:19991213 Changing ACL's in Exchange Server

Description:
Modifications to ACLs (Access Control Lists) in Microsoft Exchange 5.5 do not take effect until the directory store cache is refreshed.

Votes:

   ACCEPT(2) Stracener, Wall
   MODIFY(1) Frech
   NOOP(1) Cole
   REJECT(1) LeBlanc
Voter Comments:
 Frech> XF:exchange-acl-changes(3916)
 LeBlanc> Not a vulnerability


CAN-1999-1002

Phase: Modified (20030619-01)
Reference: MISC:http://www.rstcorp.com/news/bad-crypto.html
Reference: BUGTRAQ:19991216 Reinventing the wheel (aka "Decoding Netscape Mail passwords")
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94536309217214&w=2
Reference: BUGTRAQ:19991220 Netscape password scrambling
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94570673523998&w=2

Description:
Netscape Navigator uses weak encryption for storing a user's Netscape mail password.

Votes:

   ACCEPT(4) Baker, Wall, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:netscape-mail-encryption(3921)
 Christey> CHANGEREF make the RCA URL a "MISC" reference


CAN-1999-1003

Phase: Proposed (19991222)
Reference: BUGTRAQ:19991214 Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability
Reference: BUGTRAQ:19991216 Statement: Local / Remote D.o.S Attack in War FTP Daemon 1.70

Description:
War FTP Daemon 1.70 allows remote attackers to cause a denial of service by flooding it with connections.

Votes:

   ACCEPT(3) Baker, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:warftp-connection-flood


CAN-1999-1006

Phase: Proposed (19991222)
Reference: BUGTRAQ:19991219 Groupewise Web Interface
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94571433731824&w=2

Description:
Groupwise web server GWWEB.EXE allows remote attackers to determine the real path of the web server via the HELP parameter.

Votes:

   ACCEPT(4) Prosser, Baker, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Frech> XF:groupwise-web-path
 Prosser> Pretty well confirmed by testing with responses to BugTraq list.
   
   additional ref:  BugTraq ID 879  http://www.securityfocus.com/bid/879
 Christey> A later discovery almost 2 years later is at:
   BUGTRAQ:20020227 SecurityOffice Security Advisory:// Novell
   GroupWise Web Access Path Disclosure Vulnerability
   http://marc.theaimsgroup.com/?l=bugtraq&m=101494830315071&w=2
   CD:SF-LOC might suggest merging these together.


CAN-1999-1009

Phase: Proposed (19991222)
Reference: BUGTRAQ:19991213 Privacy hole in Go Express Search

Description:
The Disney Go Express Search allows remote attackers to access and modify search information for users by connecting to an HTTP server on the user's system.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Balinsky, Wall, Cole, Stracener
Voter Comments:
 Frech> XF:disney-search-info(3955)
 Balinsky> The go.express.com web site does not mention the existence of the Express web server mentioned in the advisory. There appears to be no way of verifying this.


CAN-1999-1012

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990504 AS/400
Reference: URL:http://www.securityfocus.com/archive/1/13527
Reference: BID:173
Reference: URL:http://www.securityfocus.com/bid/173

Description:
SMTP component of Lotus Domino 4.6.1 on AS/400, and possibly other operating systems, allows a remote attacker to crash the mail server via a long string.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> (Task 1770)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:lotus-domino-smtp-dos(8790)


CAN-1999-1013

Phase: Proposed (20010912)
Reference: BID:673
Reference: URL:http://www.securityfocus.com/bid/673
Reference: BUGTRAQ:19990923 named-xfer hole on AIX (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93837026726954&w=2

Description:
named-xfer in AIX 4.1.5 and 4.2.1 allows members of the system group to overwrite system files to gain root access via the -f parameter and a malformed zone file.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:aix-named-xfer-root-access(3308)


CAN-1999-1015

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980408 AppleShare IP Mail Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89200657216213&w=2
Reference: BID:61
Reference: URL:http://www.securityfocus.com/bid/61

Description:
Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and earlier allows a remote attacker to cause a denial of service (crash) via a long HELO command.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:smtp-helo-bo(886)


CAN-1999-1016

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990827 HTML code to crash IE5 and Outlook Express 5
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93578772920970&w=2
Reference: BID:606
Reference: URL:http://www.securityfocus.com/bid/606

Description:
Microsoft HTML control as used in (1) Internet Explorer 5.0, (2) FrontPage Express, (3) Outlook Express 5, and (4) Eudora, and possibly others, allows remote malicious web site or HTML emails to cause a denial of service (100% CPU consumption) via large HTML form fields such as text inputs in a table cell

Votes:

   ACCEPT(2) Wall, Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Christey
Voter Comments:
 Frech> XF:ms-html-table-form-dos(3246)
 Frech> XF:ms-html-table-form-dos(3246)
 Christey> Add period to the end of the description.


CAN-1999-1017

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990728 Seattle Labs EMURL Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93316253431588&w=2
Reference: BID:544
Reference: URL:http://www.securityfocus.com/bid/544

Description:
Seattle Labs Emurl 2.0, and possibly earlier versions, stores e-mail attachments in a specific directory with scripting enabled, which allows a malicious ASP file attachment to execute when the recipient opens the message.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> (Task 2281)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:emurl-attachment-execution(8794)


CAN-1999-1018

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990727 Linux 2.2.10 ipchains Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93312523904591&w=2
Reference: BID:543
Reference: URL:http://www.securityfocus.com/bid/543

Description:
IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP fragments before checking the header information, which allows a remote attacker to bypass the filtering rules using several fragments with 0 offsets.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:linux-ipchains-bypass-filter(6516)
 Frech> XF:linux-ipchains-bypass-filter(6516)


CAN-1999-1020

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980918 NMRC Advisory - Default NDS Rights
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90613355902262&w=2
Reference: BID:484
Reference: URL:http://www.securityfocus.com/bid/484
Reference: XF:novell-nds(1364)
Reference: URL:http://xforce.iss.net/static/1364.php

Description:
The installation of Novell Netware NDS 5.99 provides an unauthenticated client with Read access for the tree, which allows remote attackers to access sensitive information such as users, groups, and readable objects via CX.EXE and NLIST.EXE.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1022

Phase: Proposed (20010912)
Reference: BUGTRAQ:19941002
Reference: URL:http://www.securityfocus.com/archive/1/930
Reference: XF:sgi-serialports(2111)
Reference: URL:http://xforce.iss.net/static/2111.php
Reference: BID:464
Reference: URL:http://www.securityfocus.com/bid/464

Description:
serial_ports administrative program in IRIX 4.x and 5.x trusts the user's PATH environmental variable to find and execute the ls program, which allows local users to gain root privileges via a Trojan horse ls program.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Foat, Christey
Voter Comments:
 Christey> Note: CAN-1999-1310 is a duplicate of this candidate.
   CAN-1999-1310 will be REJECTed; this is the proper CAN to use.
   
   CIAC:F-01
   URL:http://ciac.llnl.gov/ciac/bulletins/f-01.shtml
   SGI:19941001-01-P
   URL:ftp://patches.sgi.com/support/free/security/advisories/19941001-01-P
   MISC:http://www.netsys.com/firewalls/firewalls-9410/0019.html


CAN-1999-1023

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990610 Sun Useradd program expiration date bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92904175406756&w=2
Reference: BID:426
Reference: URL:http://www.securityfocus.com/bid/426

Description:
useradd in Solaris 7.0 does not properly interpret certain date formats as specified in the "-e" (expiration date) argument, which could allow users to login after their accounts have expired.

Votes:

   ACCEPT(1) Dik
   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Dik> sun bug: 4222400
 Frech> XF:solaris-useradd-expired-accounts(8375)
   CONFIRM:(2.6)110883-01, (2.6_x86) 110884-01, (7)110869-01,
   (7_x86) 110870-01


CAN-1999-1024

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990616 tcpdump 3.4 bug?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92955903802773&w=2
Reference: BUGTRAQ:19990617 Re: tcpdump 3.4 bug?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92963447601748&w=2
Reference: BUGTRAQ:19990620 Re: tcpdump 3.4 bug? (final)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92989907627051&w=2
Reference: BID:313
Reference: URL:http://www.securityfocus.com/bid/313

Description:
ip_print procedure in Tcpdump 3.4a allows remote attackers to cause a denial of service via a packet with a zero length header, which causes an infinite loop and core dump when tcpdump prints the packet.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:tcpdump-ipprint-dos(8373)


CAN-1999-1025

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981012 Annoying Solaris/CDE/NIS+ bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90831127921062&w=2
Reference: SUNBUG:4115685
Reference: URL:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F106027&zone_32=411568%2A%20
Reference: BID:294
Reference: URL:http://www.securityfocus.com/bid/294

Description:
CDE screen lock program (screenlock) on Solaris 2.6 does not properly lock an unprivileged user's console session when the host is an NIS+ client, which allows others with physical access to login with any string.

Votes:

   ACCEPT(4) Foat, Cole, Dik, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:solaris-cde-nisplus-lock(7473)
 Dik> sun bug: 4115685


CAN-1999-1026

Phase: Proposed (20010912)
Reference: BUGTRAQ:19961220 Solaris 2.5 x86 aspppd (semi-exploitable-hole)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420343&w=2
Reference: BID:292
Reference: URL:http://www.securityfocus.com/bid/292

Description:
aspppd on Solaris 2.5 x86 allows local users to modify arbitrary files and gain root privileges via a symlink attack on the /tmp/.asppp.fifo file.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(1) Foat
Voter Comments:
 Frech> XF:sun-aspppd-tmp-symlink(7173)


CAN-1999-1029

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990513 - J.J.F. / Hackers Team warns for SSHD 2.x brute force password hacking
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92663402004280&w=2
Reference: BID:277
Reference: URL:http://www.securityfocus.com/bid/277
Reference: XF:ssh2-bruteforce(2193)
Reference: URL:http://xforce.iss.net/static/2193.php

Description:
SSH server (sshd2) before 2.0.12 does not properly record login attempts if the connection is closed before the maximum number of tries, allowing a remote attacker to guess the password without showing up in the audit logs.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1030

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92713790426690&w=2
Reference: NTBUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92707671717292&w=2
Reference: BID:267
Reference: URL:http://www.securityfocus.com/bid/267

Description:
counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via an HTTP request that ends in %0A (newline), which causes a malformed entry in the counter log that produces an access violation.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:http-cgi-counter-long(2196)
 Frech> XF:http-cgi-counter-long(2196)


CAN-1999-1031

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92713790426690&w=2
Reference: NTBUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92707671717292&w=2
Reference: BID:267
Reference: URL:http://www.securityfocus.com/bid/267

Description:
counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via a long argument.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:http-cgi-counter-long(2196)
 Frech> XF:http-cgi-counter-long(2196)


CAN-1999-1033

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990511 Outlook Express Win98 bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92647407427342&w=2
Reference: BUGTRAQ:19990512 Outlook Express Win98 bug, addition.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92663402004275&w=2
Reference: BID:252
Reference: URL:http://www.securityfocus.com/bid/252

Description:
Microsoft Outlook Express before 4.72.3612.1700 allows a malicious user to send a message that contains a .., which can inadvertently cause Outlook to re-enter POP3 command mode and cause the POP3 session to hang.

Votes:

   ACCEPT(2) Wall, Cole
   MODIFY(1) Frech
   NOOP(1) Foat
Voter Comments:
 Frech> (Task 2241)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:outlook-pop3-dot-dos(8926)


CAN-1999-1036

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980626 vulnerability in satan, cops & tiger
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125976&w=2

Description:
COPS 1.04 allows local users to overwrite or create arbitrary files via a symlink attack on temporary files in (1) res_diff, (2) ca.src, and (3) mail.chk.

Votes:

   ACCEPT(1) Foat
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:cops-temp-file-symlink(7325)


CAN-1999-1038

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980626 vulnerability in satan, cops & tiger
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125976&w=2

Description:
Tiger 2.2.3 allows local users to overwrite arbitrary files via a symlink attack on various temporary files in Tiger's default working directory, as defined by the WORKDIR variable.

Votes:

   ACCEPT(1) Foat
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:tiger-workdir-symlink(7326)


CAN-1999-1039

Phase: Proposed (20010912)
Reference: SGI:19980502-01-P3030
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980502-01-P3030

Description:
Vulnerability in (1) diskalign and (2) diskperf in IRIX 6.4 patches 2291 and 2848 allow a local user to create root-owned files leading to a root compromise.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   REJECT(1) Frech

CAN-1999-1040

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980408 SGI O2 ipx security issue
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89217373930054&w=2
Reference: SGI:19980501-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980501-01-P2869
Reference: CIAC:I-055
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-055.shtml

Description:
Vulnerabilities in (1) ipxchk and (2) ipxlink in NetWare Client 1.0 on IRIX 6.3 and 6.4 allows local users to gain root access via a modified IFS environmental variable.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   NOOP(1) Christey
   REJECT(1) Frech
Voter Comments:
 Christey> This candidate and CAN-1999-1501 are duplicates.  However,
   CAN-1999-1501 will be REJECTed in favor of this candidate.
   Add the following references:
   BID:70
   URL:http://www.securityfocus.com/bid/70
   BID:71
   URL:http://www.securityfocus.com/bid/71
   XF:irix-ipxchk-ipxlink-ifs-commands(7365)
   URL:http://xforce.iss.net/static/7365.php


CAN-1999-1041

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980827 SCO mscreen vul.
Reference: URL:http://www.securityfocus.com/archive/1/10420
Reference: BUGTRAQ:19980926 Root exploit for SCO OpenServer.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90686250717719&w=2
Reference: SCO:SB-98.05a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-98.05a
Reference: CERT:VB-98.10
Reference: URL:http://www.cert.org/vendor_bulletins/VB-98.10.sco.mscreen

Description:
Buffer overflow in mscreen on SCO OpenServer 5.0 and SCO UNIX 3.2v4 allows a local user to gain root access via (1) a long TERM environmental variable and (2) a long entry in the .mscreenrc file.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:sco-openserver-mscreen-bo(1379)
 Christey> Possible dupe with CAN-1999-1185.


CAN-1999-1042

Phase: Proposed (20010912)
Reference: CISCO:19980813 CRM Temporary File Vulnerability
Reference: URL:http://www.cisco.com/warp/public/770/crmtmp-pub.shtml

Description:
Cisco Resource Manager (CRM) 1.0 and 1.1 creates world-readable log files and temporary files, which may expose sensitive information, to local users such as user IDs, passwords and SNMP community strings.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(3) Balinsky, Armstrong, Christey
Voter Comments:
 Frech> XF:cisco-crm-file-vuln(1575)
 Armstrong> I think that this is the same as Can-1999-1126
 Balinsky> This is the same as CAN-1999-1126. Merge them.
 Christey> DUPE CAN-1999-1126, as noted by others.
   This candidate will be rejected.  CAN-1999-1126 will be
   promoted.


CAN-1999-1043

Phase: Proposed (20010912)
Reference: MS:MS98-007
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-007.asp

Description:
Microsoft Exchange Server 5.5 and 5.0 does not properly handle (1) malformed NNTP data, or (2) malformed SMTP data, which allows remote attackers to cause a denial of service (application error).

Votes:

   ACCEPT(3) Wall, Foat, Cole
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:exchange-dos(1223)


CAN-1999-1046

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990302 Multiple IMail Vulnerabilites
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92038879607336&w=2
Reference: BID:504
Reference: URL:http://www.securityfocus.com/bid/504
Reference: XF:imail-imonitor-overflow(1897)
Reference: URL:http://xforce.iss.net/static/1897.php

Description:
Buffer overflow in IMonitor in IMail 5.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 8181.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1049

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990222 Severe Security Hole in ARCserve NT agents (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91972006211238&w=2

Description:
ARCserve NT agents use weak encryption (XOR) for passwords, which allows remote attackers to sniff the authentication request to port 6050 and decrypt the password.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:arcserve-agent-passwords(1822)


CAN-1999-1050

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991112 FormHandler.cgi
Reference: URL:http://www.securityfocus.com/archive/1/34600
Reference: BUGTRAQ:19991116 Re: FormHandler.cgi
Reference: URL:http://www.securityfocus.com/archive/1/34939
Reference: BID:798
Reference: URL:http://www.securityfocus.com/bid/798
Reference: BID:799
Reference: URL:http://www.securityfocus.com/bid/799
Reference: XF:formhandler-cgi-absolute-path(3550)
Reference: URL:http://xforce.iss.net/static/3550.php

Description:
Directory traversal vulnerability in Matt Wright FormHandler.cgi script allows remote attackers to read arbitrary files via (1) a .. (dot dot) in the reply_message_attach attachment parameter, or (2) by specifying the filename as a template.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole
   REVIEWING(1) Christey
Voter Comments:
 Christey> Abstraction and definition issue: CD:SF-LOC suggests combining
   issues of the same type.  Some people refer to "directory
   traversal" and just mean .. problems; but there are other
   issues (specifying an absolute pathname, using C: drive
   letters, doing encodings) that, to my way of thinking, are
   "different."  Perhaps this should be split.
   
   My brain hurts too much right now.  There are a couple
   problems with the references and descriptions of CAN-1999-1050
   and CAN-1999-1051.  I'm interpreting the underlying nature
   of the problem(s) a little differently than others are.
   Some of it may be due to differing definitions or thoughts
   about what "directory traversal vulnerabilities" are.


CAN-1999-1051

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991116 Re: FormHandler.cgi
Reference: URL:http://www.securityfocus.com/archive/1/34939

Description:
Default configuration in Matt Wright FormHandler.cgi script allows arbitrary directories to be used for attachments, and only restricts access to the /etc/ directory, which allows remote attackers to read arbitrary files via the reply_message_attach attachment parameter.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:formhandler-cgi-reply-message(7782)
 Christey> I view one of these as a configuration issue: FormHandler.cgi
   *could* be configured to limit hard-coded pathnames to a single
   directory which, while being an information leak, would still be
   "reasonably secure."  But by default, it's just not configured that
   way.
   
   My brain hurts too much right now.  There are a couple
   problems with the references and descriptions of CAN-1999-1050
   and CAN-1999-1051.  I'm interpreting the underlying nature
   of the problem(s) a little differently than others are.
   Some of it may be due to differing definitions or thoughts
   about what "directory traversal vulnerabilities" are.


CAN-1999-1052

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990824 Front Page form_results
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93582550911564&w=2

Description:
Microsoft FrontPage stores form results in a default location in /_private/form_results.txt, which is world-readable and accessible in the document root, which allows remote attackers to read possibly sensitive information submitted by other users.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:frontpage-formresults-world-readable(8362)


CAN-1999-1053

Phase: Proposed (20010912)
Reference: VULN-DEV:19990913 Guestbook perl script (long)
Reference: URL:http://www.securityfocus.com/archive/82/27296
Reference: VULN-DEV:19990916 Re: Guestbook perl script (error fix)
Reference: URL:http://www.securityfocus.com/archive/82/27560
Reference: BUGTRAQ:19991105 Guestbook.pl, sloppy SSI handling in Apache? (VD#2)
Reference: URL:http://www.securityfocus.com/archive/1/33674
Reference: BID:776
Reference: URL:http://www.securityfocus.com/bid/776

Description:
guestbook.pl cleanses user-inserted SSI commands by removing text between "<!--" and "-->" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "-->".

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:guestbook-cgi-command-execution(7783)


CAN-1999-1054

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980925 Globetrotter FlexLM 'lmdown' bogosity
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90675672323825&w=2

Description:
The default configuration of FLEXlm license manager 6.0d, and possibly other versions, allows remote attackers to shut down the server via the lmdown command.

Votes:

   ACCEPT(1) Cole
   NOOP(2) Wall, Foat

CAN-1999-1056

Phase: Proposed (20010912)
Reference: CERT:CA-1992-18
Reference: URL:http://www.cert.org/advisories/CA-1992-18.html

Description:
Vulnerability in VMS 5.0 through 5.4-2 allows local users to gain privileges via the Monitor utility.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Christey
Voter Comments:
 Frech> XF:vms-monitor-gain-privileges(7136)
 Christey> DUPE CAN-1999-1395
   This CAN is being rejected in favor of CAN-1999-1395 because
   CAN-1999-1395 has more references.


CAN-1999-1058

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94337185023159&w=2
Reference: BUGTRAQ:19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94329968617085&w=2
Reference: XF:vermillion-ftp-cwd-overflow(3543)
Reference: URL:http://xforce.iss.net/static/3543.php
Reference: BID:818
Reference: URL:http://www.securityfocus.com/bid/818

Description:
Buffer overflow in Vermillion FTP Daemon VFTPD 1.23 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via several long CWD commands.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1060

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990217 Tetrix 1.13.16 is Vulnerable
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91937090211855&w=2
Reference: BID:340
Reference: URL:http://www.securityfocus.com/bid/340

Description:
Buffer overflow in Tetrix TetriNet daemon 1.13.16 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by connecting to port 31457 from a host with a long DNS hostname.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:tetrinet-dns-hostname-bo(7500)


CAN-1999-1061

Phase: Proposed (20010912)
Reference: BUGTRAQ:19971004 HP Laserjet 4M Plus DirectJet Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602248518480&w=2
Reference: XF:laserjet-unpassworded(1876)
Reference: URL:http://xforce.iss.net/static/1876.php

Description:
HP Laserjet printers with JetDirect cards, when configured with TCP/IP, can be configured without a password, which allows remote attackers to connect to the printer and change its IP address or disable logging.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(1) Foat
Voter Comments:
 Frech> CONFIRM:http://www.hp.com/cposupport/printers/support_doc/bpl
   02914.html


CAN-1999-1062

Phase: Proposed (20010912)
Reference: BUGTRAQ:19971004 HP Laserjet 4M Plus DirectJet Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602248518480&w=2
Reference: XF:laserjet-unpassworded(1876)
Reference: URL:http://xforce.iss.net/static/1876.php

Description:
HP Laserjet printers with JetDirect cards, when configured with TCP/IP, allow remote attackers to bypass print filters by directly sending PostScript documents to TCP ports 9099 and 9100.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(1) Foat
Voter Comments:
 Frech> DELREF:XF:laserjet-unpassworded(1876)
   ADDREF:XF:hp-printer-flood(1818)


CAN-1999-1063

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990601 whois_raw.cgi problem
Reference: URL:http://www.securityfocus.com/archive/1/14019
Reference: BID:304
Reference: URL:http://www.securityfocus.com/bid/304
Reference: XF:http-cgi-cdomain(2251)
Reference: URL:http://xforce.iss.net/static/2251.php

Description:
CDomain whois_raw.cgi whois CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the fqdn parameter.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1064

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990822
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93555317429630&w=2
Reference: BUGTRAQ:19990824 Re: WindowMaker bugs (was sub:none )
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93582070508957&w=2
Reference: BID:596
Reference: URL:http://www.securityfocus.com/bid/596

Description:
Multiple buffer overflows in WindowMaker 0.52 through 0.60.0 allow attackers to cause a denial of service and possibly execute arbitrary commands by executing WindowMaker with a long program name (argv[0]).

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:windowmaker-bo(3249)
 Frech> XF:windowmaker-bo(3249)


CAN-1999-1065

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991104 Palm Hotsync vulnerable to DoS attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94175465525422&w=2

Description:
Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 14238 while the manager is in network mode.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:palm-hotsync-bo(7785)


CAN-1999-1066

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991222 Quake "smurf" - Quake War Utils
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94589559631535&w=2

Description:
Quake 1 server responds to an initial UDP game connection request with a large amount of traffic, which allows remote attackers to use the server as an amplifier in a "Smurf" style attack on another host, by spoofing the connection request.

Votes:

   MODIFY(1) Frech
   NOOP(4) Wall, Foat, Cole, Christey
Voter Comments:
 Christey> This is apparently a problem with the connection protocol.
   See BUGTRAQ:19980522 NetQuake Protocol problem resulting in smurf like effect.
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925989&w=2
 Frech> XF:quake-udp-connection-dos(7862)


CAN-1999-1067

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in webdist.cgi
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420919&w=2
Reference: XF:sgi-machineinfo

Description:
SGI MachineInfo CGI program, installed by default on some web servers, prints potentially sensitive system status information, which could be used by remote attackers for information gathering activities.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> I'd be a lot more confident in this vote if there was a more
   concrete reference strongly associating webdist.cgi and machineinfo.


CAN-1999-1068

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970723 DoS against Oracle Webserver 2.1 with PL/SQL stored procedures
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602661419366&w=2

Description:
Oracle Webserver 2.1, when serving PL/SQL stored procedures, allows remote attackers to cause a denial of service via a long HTTP GET request.

Votes:

   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:oracle-webserver-dos(1812)


CAN-1999-1069

Phase: Proposed (20010912)
Reference: BUGTRAQ:19971108 Security bug in iCat Suite version 3.0
Reference: URL:http://www.securityfocus.com/archive/1/7943
Reference: BID:2126
Reference: URL:http://www.securityfocus.com/bid/2126
Reference: XF:icat-carbo-server-vuln(1620)
Reference: URL:http://xforce.iss.net/static/1620.php

Description:
Directory traversal vulnerability in carbo.dll in iCat Carbo Server 3.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the icatcommand parameter.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(1) Foat
Voter Comments:
 Frech> iCat's site at http://www.icat.com/ is shut down, and no
   further support seems to be available.


CAN-1999-1070

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980725 Annex DoS
Reference: URL:http://www.securityfocus.com/archive/1/10021

Description:
Buffer overflow in ping CGI program in Xylogics Annex terminal service allows remote attackers to cause a denial of service via a long query parameter.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:annex-ping-crash(2090)


CAN-1999-1071

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2
Reference: XF:excite-world-write(1417)
Reference: URL:http://xforce.iss.net/static/1417.php

Description:
Excite for Web Servers (EWS) 1.1 installs the Architext.conf authentication file with world-writeable permissions, which allows local users to gain access to Excite accounts by modifying the file.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1072

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2

Description:
Excite for Web Servers (EWS) 1.1 allows local users to gain privileges by obtaining the encrypted password from the world-readable Architext.conf authentication file and replaying the encrypted password in an HTTP request to AT-generated.cgi or AT-admin.cgi.

Votes:

   NOOP(3) Wall, Foat, Cole

CAN-1999-1073

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2

Description:
Excite for Web Servers (EWS) 1.1 records the first two characters of a plaintext password in the beginning of the encrypted password, which makes it easier for an attacker to guess passwords via a brute force or dictionary attack.

Votes:

   NOOP(3) Wall, Foat, Cole

CAN-1999-1075

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980318 AIX 4.1.5 DoS attack (aka "Port 1025 problem")
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89025820612530&w=2

Description:
inetd in AIX 4.1.5 dynamically assigns a port N when starting ttdbserver (ToolTalk server), but also inadvertently listens on port N-1 without passing control to ttdbserver, which allows remote attackers to cause a denial of service via a large number of connections to port N-1, which are not properly closed by inetd.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:aix-ttdbserver(813)
   CONFIRM:APAR IX70400


CAN-1999-1076

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991026 Mac OS 9 Idle Lock Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94096348604173&w=2
Reference: BID:745
Reference: URL:http://www.securityfocus.com/bid/745

Description:
Idle locking function in MacOS 9 allows local users to bypass the password protection of idled sessions by selecting the "Log Out" option and selecting a "Cancel" option in the dialog box for an application that attempts to verify that the user wants to log out, which returns the attacker into the locked session.

Votes:

   ACCEPT(2) Foat, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:macos-idle-screenlock-bypass(7794)


CAN-1999-1077

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991101 Re: Mac OS 9 Idle Lock Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94149318124548&w=2
Reference: BID:756
Reference: URL:http://www.securityfocus.com/bid/756

Description:
Idle locking function in MacOS 9 allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock.

Votes:

   ACCEPT(2) Foat, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:macos-debug-screenlock-access(3426)


CAN-1999-1078

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990729 WS_FTP Pro 6.0 Weak Password Encryption Vulnerability
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9907&L=ntbugtraq&D=0&P=10370&F=P
Reference: BID:547
Reference: URL:http://www.securityfocus.com/bid/547

Description:
WS_FTP Pro 6.0 uses weak encryption for passwords in its initialization files, which allows remote attackers to easily decrypt the passwords and gain privileges.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:wsftp-weak-password-encryption(8349)


CAN-1999-1079

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990506 AIX Security Fixes Update
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92601792420088&w=2
Reference: BUGTRAQ:19990825 AIX security summary
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93587956513233&w=2
Reference: AIXAPAR:IX80470
Reference: URL:http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&org=apars&doc=08E0B1A1B85472A1852567C90031BB36
Reference: BID:439
Reference: URL:http://www.securityfocus.com/bid/439

Description:
Vulnerability in ptrace in AIX 4.3 allows local users to gain privileges by attaching to a setgid program.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:aix-ptrace-setgid(7487)


CAN-1999-1081

Phase: Proposed (20010912)
Reference: MISC:http://www.w3.org/Security/Faq/wwwsf8.html#Q87
Reference: MISC:http://www.roxanne.org/faqs/www-secure/wwwsf4.html#Q35
Reference: XF:http-nov-files(2054)
Reference: URL:http://xforce.iss.net/static/2054.php

Description:
Vulnerability in files.pl script in Novell WebServer Examples Toolkit 2 allows remote attackers to read arbitrary files.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(1) Foat

CAN-1999-1082

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991008 Jana webserver exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93941794201059&w=2
Reference: BID:699
Reference: URL:http://www.securityfocus.com/bid/699

Description:
Directory traversal vulnerability in Jana proxy web server 1.40 allows remote attackers to ready arbitrary files via a "......" (modified dot dot) attack.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:jana-server-directory-traversal(6513)


CAN-1999-1083

Phase: Proposed (20010912)
Reference: BUGTRAQ:20000502 Security Bug in Jana HTTP Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95730430727064&w=2
Reference: BID:699
Reference: URL:http://www.securityfocus.com/bid/699

Description:
Directory traversal vulnerability in Jana proxy web server 1.45 allows remote attackers to ready arbitrary files via a .. (dot dot) attack.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:jana-server-directory-traversal(6513)


CAN-1999-1084

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19980622 Yet another "get yourself admin rights exploit":
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222453431604&w=2
Reference: MSKB:Q103861
Reference: URL:http://support.microsoft.com/support/kb/articles/q103/8/61.asp
Reference: MS:MS00-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Reference: CIAC:K-029
Reference: URL:http://www.ciac.org/ciac/bulletins/k-029.shtml
Reference: BID:1044
Reference: URL:http://www.securityfocus.com/bid/1044

Description:
The "AEDebug" registry key is installed with insecure permissions, which allows local users to modify the key to specify a Trojan Horse debugger which is automatically executed on a system crash.

Votes:

   ACCEPT(3) Wall, Foat, Cole
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:nt-registry-permissions(4111)


CAN-1999-1086

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990715 NMRC Advisory: Netware 5 Client Hijacking
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93214475111651&w=2
Reference: BID:528
Reference: URL:http://www.securityfocus.com/bid/528

Description:
Novell 5 and earlier, when running over IPX with a packet signature level less than 3, allows remote attackers to gain administrator privileges by spoofing the MAC address in IPC fragmented packets that make NetWare Core Protocol (NCP) calls.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:netware-ipx-session-spoof(2350)


CAN-1999-1088

Phase: Proposed (20010912)
Reference: HP:HPSBUX9701-050
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: XF:hp-chsh(2012)
Reference: URL:http://xforce.iss.net/static/2012.php

Description:
Vulnerability in chsh command in HP-UX 9.X through 10.20 allows local users to gain privileges.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener

CAN-1999-1089

Phase: Proposed (20010912)
Reference: BUGTRAQ:19961209 the HP Bug of the Week!
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420285&w=2
Reference: HP:HPSBUX9701-049
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: CIAC:H-16
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-16.shtml
Reference: AUSCERT:AA-96.18
Reference: XF:hp-chfn(2008)

Description:
Buffer overflow in chfn command in HP-UX 9.X through 10.20 allows local users to gain privileges via a long command line argument.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener

CAN-1999-1091

Phase: Proposed (20010912)
Reference: BUGTRAQ:19960903 [BUG] Vulnerability in TIN
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419835&w=2
Reference: BUGTRAQ:19960903 Re: BoS: [BUG] Vulnerability in TIN
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419839&w=2
Reference: BUGTRAQ:19970329 symlink bug in tin/rtin
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420726&w=2
Reference: XF:tin-tmpfile(431)
Reference: URL:http://xforce.iss.net/static/431.php

Description:
UNIX news readers tin and rtin create the /tmp/.tin_log file with insecure permissions and follow symlinks, which allows attackers to modify the permissions of files writable by the user via a symlink attack.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1092

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991117 default permissions for tin
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94286179032648&w=2

Description:
tin 1.40 creates the .tin directory with insecure permissions, which allows local users to read passwords from the .inputhistory file.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:tin-insecure-permissions(7796)
   Confirmed in changelog for 1.4.1
   http://ftp.kreonet.re.kr/pub/tools/news/tin/v1.4/CHANGES


CAN-1999-1095

Phase: Proposed (20010912)
Reference: BUGTRAQ:19971006 KSR[T] Advisory #3: updatedb / crontabs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87619953510834&w=2
Reference: BUGTRAQ:19980303 updatedb stuff
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88890116304676&w=2
Reference: BUGTRAQ:19980303 updatedb: sort patch
Reference: BUGTRAQ:19980302 overwrite any file with updatedb
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88886870129518&w=2

Description:
sort creates temporary files and follows symbolic links, which allows local users to modify arbitrary files that are writable by the user running sort, as observed in updatedb and other programs that use sort.

Votes:

   MODIFY(1) Frech
   NOOP(3) Foat, Cole, Christey
Voter Comments:
 Frech> XF:sort-tmp-file-symlink(7182)
 Christey> This issue clearly has a long history.
   CALDERA:CSSA-2002-SCO.21
   URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0018.html
   CALDERA:CSSA-2002-SCO.2
   URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0002.html
   (There are 2 Caldera advisories because one is for Open UNIX
   and UnixWare, and the other is for OpenServer)
   
   XF:openserver-sort-symlink(9218)
   URL:http://www.iss.net/security_center/static/9218.php


CAN-1999-1096

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980516 kde exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925954&w=2
Reference: BUGTRAQ:19980517 simple kde exploit fix
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925959&w=2
Reference: XF:kde-klock-home-bo(1644)
Reference: URL:http://xforce.iss.net/static/1644.php

Description:
Buffer overflow in kscreensaver in KDE klock allows local users to gain root privileges via a long HOME environmental variable.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1097

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990504 Microsoft Netmeeting Hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92586457816446&w=2
Reference: XF:netmeeting-clipboard(2187)
Reference: URL:http://xforce.iss.net/static/2187.php

Description:
Microsoft NetMeeting 2.1 allows one client to read the contents of another client's clipboard via a CTRL-C in the chat box when the box is empty.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1101

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990219 Yet Another password storing problem (was: Re: Possible Netscape Crypto Security Flaw)
Reference: URL:http://www.securityfocus.com/archive/1/12618

Description:
Kabsoftware Lydia utility uses weak encryption to store user passwords in the lydia.ini file, which allows local users to easily decrypt the passwords and gain privileges.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:lydia-ini-passwords(7501)
   ADDREF:http://www.kabsoftware.com/lydia_history.txt (Version
   History for Lydia, V3.3 - 11/24/00)


CAN-1999-1106

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980429 Security hole in kppp
Reference: URL:http://www.securityfocus.com/archive/1/9121
Reference: XF:kde-kppp-account-bo(1643)
Reference: URL:http://xforce.iss.net/static/1643.php
Reference: BID:92
Reference: URL:http://www.securityfocus.com/bid/92

Description:
Buffer overflow in kppp in KDE allows local users to gain root access via a long -c (account_name) command line argument.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1107

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91141486301691&w=2
Reference: XF:kde-kppp-path-bo(1650)
Reference: URL:http://xforce.iss.net/static/1650.php

Description:
Buffer overflow in kppp in KDE allows local users to gain root access via a long PATH environmental variable.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1108

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91141486301691&w=2
Reference: XF:kde-kppp-path-bo(1650)
Reference: URL:http://xforce.iss.net/static/1650.php

Description:
Buffer overflow in kppp in KDE allows local users to gain root access via a long PATH environmental variable.

Votes:

   ACCEPT(1) Cole
   NOOP(2) Wall, Foat
   REJECT(1) Frech
Voter Comments:
 Frech> Has exactly the same attributes as CAN-1999-1107.


CAN-1999-1110

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991114 IE 5.0 and Windows Media Player ActiveX object allow checking the existence of local files and directories
Reference: URL:http://www.securityfocus.com/archive/1/34675
Reference: BID:793
Reference: URL:http://www.securityfocus.com/bid/793

Description:
Windows Media Player ActiveX object as used in Internet Explorer 5.0 returns a specific error code when a file does not exist, which allows remote malicious web sites to determine the existence of files on the client.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:ie-mediaplayer-activex(7800)


CAN-1999-1112

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991109 Irfan view 3.07 buffer overflow
Reference: URL:http://www.securityfocus.com/archive/1/34066
Reference: MISC:http://stud4.tuwien.ac.at/~e9227474/main2.html
Reference: XF:irfan-view32-bo(3549)
Reference: URL:http://xforce.iss.net/static/3549.php
Reference: BID:781
Reference: URL:http://www.securityfocus.com/bid/781

Description:
Buffer overflow in IrfanView32 3.07 and earlier allows attackers to execute arbitrary commands via a long string after the "8BPS" image type in a Photo Shop image header.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1113

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980414 MacOS based buffer overflows...
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89258194718577&w=2
Reference: BID:75
Reference: URL:http://www.securityfocus.com/bid/75

Description:
Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier on MacOS systems allows remote attackers to cause a denial of service via a long USER command to port 106.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:eudora-ims-user-dos(7300) 


CAN-1999-1123

Phase: Proposed (20010912)
Reference: CERT:CA-1991-07
Reference: URL:http://www.cert.org/advisories/CA-1991-07.html
Reference: SUN:00107
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/107&type=0&nav=sec.sba
Reference: BID:21
Reference: URL:http://www.securityfocus.com/bid/21
Reference: BID:22
Reference: URL:http://www.securityfocus.com/bid/22
Reference: XF:sun-sourcetapes(582)
Reference: URL:http://xforce.iss.net/static/582.php

Description:
The installation of Sun Source (sunsrc) tapes allows local users to gain root privileges via setuid root programs (1) makeinstall or (2) winstall.

Votes:

   ACCEPT(5) Frech, Foat, Cole, Dik, Stracener
   NOOP(1) Wall
Voter Comments:
 Dik> sun bug: 1059621


CAN-1999-1124

Phase: Proposed (20010912)
Reference: MISC:http://packetstorm.securify.com/mag/phrack/phrack54/P54-08

Description:
HTTP Client application in ColdFusion allows remote attackers to bypass access restrictions for web pages on other ports by providing the target page to the mainframeset.cfm application, which requests the page from the server, making it look like the request is coming from the local host.

Votes:

   ACCEPT(2) Wall, Cole
   NOOP(1) Foat

CAN-1999-1125

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970919 Instresting practises of Oracle [Oracle Webserver]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019796&w=2

Description:
Oracle Webserver 2.1 and earlier runs setuid root, but the configuration file is owned by the oracle account, which allows any local or remote attacker who obtains access to the oracle account to gain privileges or modify arbitrary files by modifying the configuration file.

Votes:

   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:oracle-webserver-gain-root(7174)


CAN-1999-1126

Phase: Proposed (20010912)
Reference: CISCO:19980813 CRM Temporary File Vulnerability
Reference: URL:http://www.cisco.com/warp/public/770/crmtmp-pub.shtml
Reference: CIAC:I-086
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-086.shtml
Reference: XF:cisco-crm-file-vuln(1575)
Reference: URL:http://xforce.iss.net/static/1575.php

Description:
Cisco Resource Manager (CRM) 1.1 and earlier creates certain files with insecure permissions that allow local users to obtain sensitive configuration information including usernames, passwords, and SNMP community strings, from (1) swim_swd.log, (2) swim_debug.log, (3) dbi_debug.log, and (4) temporary files whose names begin with "DPR_".

Votes:

   ACCEPT(5) Frech, Foat, Cole, Armstrong, Stracener
   NOOP(1) Wall
   REJECT(1) Balinsky
Voter Comments:
 Balinsky> Duplicate of CAN-1999-1042


CAN-1999-1128

Phase: Proposed (20010912)
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html
Reference: MISC:http://members.tripod.com/~unibyte/iebug3.htm

Description:
Internet Explorer 3.01 on Windows 95 allows remote malicious web sites to execute arbitrary commands via a .isp file, which is automatically downloaded and executed without prompting the user.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Christey, Foat
Voter Comments:
 Frech> XF:http-ie-exec(462)
 Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html
   ADDREF MISC:http://focus.silversand.net/vulner/allbug/ie3.html


CAN-1999-1129

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990901 VLAN Security
Reference: URL:http://www.securityfocus.com/archive/1/26008
Reference: MISC:http://www.cisco.com/univercd/cc/td/doc/product/lan/28201900/1928v8x/eescg8x/aleakyv.htm
Reference: XF:cisco-catalyst-vlan-frames(3294)
Reference: URL:http://xforce.iss.net/static/3294.php
Reference: BID:615
Reference: URL:http://www.securityfocus.com/bid/615

Description:
Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers to inject 802.1q frames into another VLAN by forging the VLAN identifier in the trunking tag.

Votes:

   ACCEPT(2) Frech, Foat
   NOOP(2) Wall, Cole
Voter Comments:
 CHANGE> [Foat changed vote from NOOP to ACCEPT]


CAN-1999-1130

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990730 Netscape Enterprise Server yeilds source of JHTML
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93346448121208&w=2
Reference: NTBUGTRAQ:19990730 Netscape Enterprise Server yeilds source of JHTML
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93337389603117&w=2
Reference: BID:559
Reference: URL:http://www.securityfocus.com/bid/559

Description:
Default configuration of the search engine in Netscape Enterprise Server 3.5.1, and possibly other versions, allows remote attackers to read the source of JHTML files by specifying a search command using the HTML-tocrec-demo1.pat pattern file.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:netscape-enterprise-view-jhtml(8352)


CAN-1999-1133

Phase: Modified (20020217-01)
Reference: HP:HPSBUX9709-069
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019776&w=2
Reference: XF:hp-vue-dt(499)
Reference: URL:http://xforce.iss.net/static/499.php

Description:
HP-UX 9.x and 10.x running X windows may allow local attackers to gain privileges via (1) vuefile, (2) vuepad, (3) dtfile, or (4) dtpad, which do not authenticate users.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener
   NOOP(1) Christey
Voter Comments:
 Christey> CHANGEREF:  chaneg XF reference to XF:hp-vue-dt(499)


CAN-1999-1134

Phase: Modified (20020217-01)
Reference: HP:HPSBUX9404-008
Reference: URL:http://packetstorm.securify.com/advisories/hpalert/008
Reference: CIAC:E-23
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/e-23.shtml
Reference: XF:hp-vue(2284)
Reference: URL:http://www.iss.net/security_center/static/2284.php

Description:
Vulnerability in Vue 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4038, PHSS_4055, and PHSS_4066.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:hp-vue(2284)
   Packetstorm URL is dead. Try another archive.


CAN-1999-1135

Phase: Proposed (20010912)
Reference: HP:HPSBUX9504-027
Reference: URL:http://packetstorm.securify.com/advisories/hpalert/027
Reference: XF:hp-vue(2284)
Reference: URL:http://xforce.iss.net/static/2284.php

Description:
Vulnerability in VUE 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4994 and PHSS_5438.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener

CAN-1999-1141

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970515 MicroSolved finds hole in Ascom Timeplex Router Security
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420981&w=2
Reference: XF:ascom-timeplex-debug(1824)
Reference: URL:http://xforce.iss.net/static/1824.php

Description:
Ascom Timeplex router allows remote attackers to obtain sensitive information or conduct unauthorized activities by entering debug mode through a sequence of CTRL-D characters.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1149

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980716 S.A.F.E.R. Security Bulletin 980708.DOS.1.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525993&w=2
Reference: XF:csm-proxy-dos(1422)
Reference: URL:http://xforce.iss.net/static/1422.php

Description:
Buffer overflow in CSM Proxy 4.1 allows remote attackers to cause a denial of service (crash) via a long string to the FTP port.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1150

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980630 Livingston Portmaster - ISN generation is loosy!
Reference: URL:http://www.securityfocus.com/archive/1/9723
Reference: XF:portmaster-fixed-isn(1882)
Reference: URL:http://xforce.iss.net/static/1882.php

Description:
Livingston Portmaster routers running ComOS use the same initial sequence number (ISN) for TCP connections, which allows remote attackers to conduct spoofing and hijack TCP sessions.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1151

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980603 Compaq/Microcom 6000 DoS + more
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90296493106214&w=2
Reference: XF:microcom-dos(2089)
Reference: URL:http://xforce.iss.net/static/2089.php

Description:
Compaq/Microcom 6000 Access Integrator does not cause a session timeout after prompting for a username or password, which allows remote attackers to cause a denial of service by connecting to the integrator without providing a username or password.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1152

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980603 Compaq/Microcom 6000 DoS + more
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90296493106214&w=2

Description:
Compaq/Microcom 6000 Access Integrator does not disconnect a client after a certain number of failed login attempts, which allows remote attackers to guess usernames or passwords via a brute force attack.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:microcom-brute-force(7301)


CAN-1999-1153

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981109 Several new CGI vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/11175
Reference: XF:cgi-perl-mail-programs(1400)
Reference: URL:http://xforce.iss.net/static/1400.php

Description:
HAMcards Postcard CGI script 1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1154

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981109 Several new CGI vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/11175
Reference: MISC:http://lakeweb.com/scripts/
Reference: XF:cgi-perl-mail-programs(1400)
Reference: URL:http://xforce.iss.net/static/1400.php

Description:
LakeWeb Filemail CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(3) Christey, Wall, Foat
Voter Comments:
 Christey> I confirmed this problem via visual inspection of the
   source code in http://www.lakeweb.com/scripts/filemail.zip
   Line 82 has an insufficient check for shell metacharacters
   that doesn't exclude semicolons.  Line 129 is the 
   call where the metacharacters are injected.
   
   Need to add "filemail.pl" to the description.


CAN-1999-1155

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981109 Several new CGI vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/11175
Reference: MISC:http://lakeweb.com/scripts/
Reference: XF:cgi-perl-mail-programs(1400)
Reference: URL:http://xforce.iss.net/static/1400.php

Description:
LakeWeb Mail List CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1158

Phase: Proposed (20010912)
Reference: AUSCERT:AA-97.09
Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.09.Solaris.passwd.buffer.overrun.vul
Reference: SUN:00139
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/139&type=0&nav=sec.sba

Description:
Buffer overflow in (1) pluggable authentication module (PAM) on Solaris 2.5.1 and 2.5 and (2) unix_scheme in Solaris 2.4 and 2.3 allows local users to gain root privileges via programs that use these modules such as passwd, yppasswd, and nispasswd.

Votes:

   ACCEPT(4) Foat, Cole, Dik, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:solaris-pam-bo(7432)
 Dik> sun bug: 4018347


CAN-1999-1164

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990625 Outlook denial of service
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93041631215856&w=2

Description:
Microsoft Outlook client allows remote attackers to cause a denial of service by sending multiple email messages with the same X-UIDL headers, which causes Outlook to hang.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:outlook-xuidl-dos(8356)


CAN-1999-1165

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990721 old gnu finger bugs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93268249021561&w=2
Reference: BUGTRAQ:19950317 GNU finger 1.37 executes ~/.fingerrc with gid root
Reference: URL:http://www.securityfocus.com/archive/1/2478
Reference: BID:535
Reference: URL:http://www.securityfocus.com/bid/535

Description:
GNU fingerd 1.37 does not properly drop privileges before accessing user information, which could allow local users to (1) gain root privileges via a malicious program in the .fingerrc file, or (2) read arbitrary files via symbolic links from .plan, .forward, or .project files.

Votes:

   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:gnu-finger-privilege-dropping(7175)


CAN-1999-1166

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990711 Linux 2.0.37 segment limit bug
Reference: URL:http://www.securityfocus.com/archive/1/18156
Reference: BID:523
Reference: URL:http://www.securityfocus.com/bid/523

Description:
Linux 2.0.37 does not properly encode the Custom segment limit, which allows local users to gain root privileges by accessing and modifying kernel memory.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> (Task 2253)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:linux-segment-limit-privileges(11202)


CAN-1999-1168

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990220 ISS install.iss security hole
Reference: URL:http://www.securityfocus.com/archive/1/12640

Description:
install.iss installation script for Internet Security Scanner (ISS) for Linux, version 5.3, allows local users to change the permissions of arbitrary files via a symlink attack on a temporary file.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:iss-temp-files(1793)
   ADDREF:http://www.securityfocus.com/archive/1/12679


CAN-1999-1169

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990204 NOBO denial of service
Reference: URL:http://www.securityfocus.com/archive/1/12284

Description:
nobo 1.2 allows remote attackers to cause a denial of service (crash) via a series of large UDP packets.

Votes:

   ACCEPT(1) Foat
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:nobo-udp-packet-dos(7502)
   ADDREF:http://www.securityfocus.com/archive/1/12378
   ADDREF:http://web.cip.com.br/nobo/mudancas_en.html


CAN-1999-1170

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990204 WS FTP Server Remote DoS Attack
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91816507920544&w=2
Reference: BID:218
Reference: URL:http://www.securityfocus.com/bid/218

Description:
IPswitch IMail allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:imail-registry(1725)


CAN-1999-1171

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990204 WS FTP Server Remote DoS Attack
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91816507920544&w=2
Reference: BID:218
Reference: URL:http://www.securityfocus.com/bid/218

Description:
IPswitch WS_FTP allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:wsftp-registry(1726)


CAN-1999-1172

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990114 security hole in Maximizer
Reference: URL:http://www.securityfocus.com/archive/1/11947

Description:
By design, Maximizer Enterprise 4 calendar and address book program allows arbitrary users to modify the calendar of other users when the calendar is being shared.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
   REVIEWING(1) Christey
Voter Comments:
 Christey> The discloser does not provide enough details to fully
   understand what the problem is.  This makes it difficult
   because if Maximizer has a concept of "users" and it is
   designed to allow any user to modify any other user's data,
   then this would not be a vulnerability or exposure, unless
   that "cross-user" capability could be used to violate system
   integrity, data confidentiality, or the like.  There are some
   features of Maximizer 6.0 that, if abused, could allow someone
   to do some bad things.  For example, an attacker could modify
   the email addresses for contacts to redirect sales to
   locations besides the customer.  There's also a capability of
   assigning priorities and alarms, which could be susceptible to
   an "inconvenience attack" at the very least, as well as
   tie-ins to e-commerce capabilities.
   
   The critical question becomes: "how is this data shared" in
   the first place?  If it's through a network share or other
   distribution method besides transferring the complete database
   between sites, then this may be accessible to any attacker who
   can mimic a Maximizer client (if there is such a thing as a
   client), and this could be a vulnerability or exposure
   according to the CVE definition.
   
   However, since the Maximizer functionality is unknown to me
   and not readily apparent from product documentation, it's hard
   to know what to do about this one.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:maximizer-enterprise-calendar-modification(7590)


CAN-1999-1173

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981218 wordperfect 8 for linux security
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91404045014047&w=2

Description:
Corel Word Perfect 8 for Linux creates a temporary working directory with world-writable permissions, which allows local users to (1) modify Word Perfect behavior by modifying files in the working directory, or (2) modify files of other users via a symlink attack.

Votes:

   NOOP(3) Wall, Foat, Cole

CAN-1999-1174

Phase: Proposed (20010912)
Reference: MISC:http://www.counterpane.com/crypto-gram-9812.html#doghouse

Description:
ZIP drive for Iomega ZIP-100 disks allows attackers with physical access to the drive to bypass password protection by inserting a known disk with a known password, waiting for the ZIP drive to power down, manually replacing the known disk with the target disk, and using the known password to access the target disk.

Votes:

   ACCEPT(1) Cole
   NOOP(2) Wall, Foat

CAN-1999-1176

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980110 Cidentd
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88466930416716&w=2
Reference: BUGTRAQ:19980911 Re: security problems with jidentd
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90554230925545&w=2
Reference: MISC:http://spisa.act.uji.es/spi/progs/codigo/www.hack.co.za/exploits/daemon/ident/cidentd.c

Description:
Buffer overflow in cidentd ident daemon allows local users to gain root privileges via a long line in the .authlie script.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:cidentd-authlie-bo(7327)


CAN-1999-1178

Phase: Proposed (20010912)
Reference: XF:sambar-dump-env(3223)
Reference: URL:http://xforce.iss.net/static/3223.php
Reference: BUGTRAQ:19980610 Sambar Server Beta BUG..
Reference: URL:http://www.securityfocus.com/archive/1/9505

Description:
Sambar Server 4.1 beta allows remote attackers to obtain sensitive information about the server via an HTTP request for the dumpenv.pl script.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1179

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980515 May SysAdmin man.sh security hole
Reference: URL:http://www.securityfocus.com/archive/1/9330

Description:
Vulnerability in man.sh CGI script, included in May 1998 issue of SysAdmin Magazine, allows remote attackers to execute arbitrary commands.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:mansh-execute-commands(7328)


CAN-1999-1180

Phase: Proposed (20010912)
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/NT/buffer.html
Reference: BUGTRAQ:19990216 Website Pro v2.0 (NT) Configuration Issues
Reference: URL:http://www.tryc.on.ca/archives/bugtraq/1999_1/0612.html

Description:
O'Reilly WebSite 1.1e and Website Pro 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in an argument to (1) args.cmd or (2) args.bat.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(3) Christey, Foat, Cole
Voter Comments:
 Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/buffer.html
   ADDREF MISC:http://focus.silversand.net/vulner/allbug/buffer.html
 Frech> XF:website-pro-args-commands(7529)


CAN-1999-1182

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970717 KSR[T] Advisory #2: ld.so
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602661419318&w=2
Reference: BUGTRAQ:19970722 ld.so vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602661419351&w=2
Reference: BUGTRAQ:19980204 An old ld-linux.so hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88661732807795&w=2

Description:
Buffer overflow in run-time linkers (1) ld.so or (2) ld-linux.so for Linux systems allows local users to gain privileges by calling a setuid program with a long program name (argv[0]) and forcing ld.so/ld-linux.so to report an error.

Votes:

   NOOP(2) Foat, Cole

CAN-1999-1183

Phase: Modified (20020217-01)
Reference: SGI:19980403-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980403-02-PX
Reference: SGI:19980403-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980403-01-PX
Reference: XF:sgi-mailcap(809)
Reference: URL:http://www.iss.net/security_center/static/809.php

Description:
System Manager sysmgr GUI in SGI IRIX 6.4 and 6.3 allows remote attackers to execute commands by providing a trojan horse (1) runtask or (2) runexec descriptor file, which is used to execute a System Manager Task when the user's Mailcap entry supports the x-sgi-task or x-sgi-exec type.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:sgi-mailcap(809)


CAN-1999-1184

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970513
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420967&w=2
Reference: BUGTRAQ:19970514 Re: ELM overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420970&w=2

Description:
Buffer overflow in Elm 2.4 and earlier allows local users to gain privileges via a long TERM environmental variable.

Votes:

   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:elm-term-bo(7183)


CAN-1999-1185

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980827 SCO mscreen vul.
Reference: BUGTRAQ:19980926 Root exploit for SCO OpenServer.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90686250717719&w=2
Reference: CERT:VB-98.10
Reference: SCO:98.05
Reference: XF:sco-openserver-mscreen-bo(1379)

Description:
Buffer overflow in SCO mscreen allows local users to gain root privileges via a long terminal entry (TERM) in the .mscreenrc file.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener
   NOOP(1) Wall
   REVIEWING(1) Christey
Voter Comments:
 Frech> Possible dupe on CAN-1999-1041.
 Christey> Possible dupe with CAN-1999-1041.


CAN-1999-1186

Phase: Proposed (20010912)
Reference: BUGTRAQ:19960102 rxvt security hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418966&w=2

Description:
rxvt, when compiled with the PRINT_PIPE option in various Linux operating systems including Linux Slackware 3.0 and RedHat 2.1, allows local users to gain root privileges by specifying a malicious program using the -print-pipe command line parameter.

Votes:

   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:rxvtpipe(425)


CAN-1999-1187

Phase: Proposed (20010912)
Reference: BUGTRAQ:19960826 [BUG] Vulnerability in PINE
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419803&w=2
Reference: XF:pine-tmpfile(416)
Reference: URL:http://xforce.iss.net/static/416.php

Description:
Pine before version 3.94 allows local users to gain privileges via a symlink attack on a lockfile that is created when a user receives new mail.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> CONFIRM:http://www.washington.edu/pine/changes.html


CAN-1999-1189

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991124 Netscape Communicator 4.7 - Navigator Overflows
Reference: URL:http://www.securityfocus.com/archive/1/36306
Reference: BUGTRAQ:19991127 Netscape Communicator 4.7 - Navigator Overflows
Reference: URL:http://www.securityfocus.com/archive/1/36608
Reference: BID:822
Reference: URL:http://www.securityfocus.com/bid/822

Description:
Buffer overflow in Netscape Navigator/Communicator 4.7 for Windows 95 and Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long argument after the ? character in a URL that references an .asp, .cgi, .html, or .pl file.

Votes:

   ACCEPT(2) Wall, Cole
   MODIFY(1) Frech
   NOOP(1) Foat
Voter Comments:
 Frech> XF:netscape-long-argument-bo(7884)


CAN-1999-1190

Phase: Proposed (20010912)
Reference: MISC:http://www.securiteam.com/exploits/E-MailClub__FROM__remote_buffer_overflow.html
Reference: BID:801
Reference: URL:http://www.securityfocus.com/bid/801

Description:
Buffer overflow in POP3 server of Admiral Systems EmailClub 1.05 allows remote attackers to execute arbitrary commands via a long "From" header in an e-mail message.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:emailclub-pop3-from-bo(7873)


CAN-1999-1195

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990505 NAI AntiVirus Update Problem
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92587579032534&w=2
Reference: BUGTRAQ:19990505 NAI AntiVirus Update Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92588169005196&w=2
Reference: BID:169
Reference: URL:http://www.securityfocus.com/bid/169

Description:
NAI VirusScan NT 4.0.2 does not properly modify the scan.dat virus definition file during an update via FTP, but it reports that the update was successful, which could cause a system administrator to believe that the definitions have been updated correctly.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:virusscan-ftp-update(8387)


CAN-1999-1196

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990427 NT/Exceed D.O.S.
Reference: URL:http://www.securityfocus.com/archive/1/13451
Reference: BID:158
Reference: URL:http://www.securityfocus.com/bid/158

Description:
Hummingbird Exceed X version 5 allows remote attackers to cause a denial of service via malformed data to port 6000.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:exceed-xserver-dos(7530)


CAN-1999-1199

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980807 YA Apache DoS attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90252779826784&w=2
Reference: BUGTRAQ:19980808 Debian Apache Security Update
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90276683825862&w=2
Reference: BUGTRAQ:19980810 Apache DoS Attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90286768232093&w=2
Reference: BUGTRAQ:19980811 Apache 'sioux' DOS fix for TurboLinux
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90280517007869&w=2

Description:
Apache WWW server 1.3.1 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via a large number of MIME headers with the same name, aka the "sioux" vulnerability.

Votes:

   ACCEPT(2) Cox, Cole
   NOOP(3) Christey, Wall, Foat
Voter Comments:
 Christey> CONFIRM:http://www.redhat.com/support/errata/rh51-errata-general.html#apache


CAN-1999-1200

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19980720 DOS in Vintra systems Mailserver software.
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131610&w=2
Reference: XF:vintra-mail-dos(1617)
Reference: URL:http://xforce.iss.net/static/1617.php

Description:
Vintra SMTP MailServer allows remote attackers to cause a denial of service via a malformed "EXPN *@" command.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1201

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990206 New Windows 9x Bug: TCP Chorusing
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91849617221319&w=2
Reference: BID:225
Reference: URL:http://www.securityfocus.com/bid/225

Description:
Windows 95 and Windows 98 systems, when configured with multiple TCP/IP stacks bound to the same MAC address, allow remote attackers to cause a denial of service (traffic amplification) via a certain ICMP echo (ping) packet, which causes all stacks to send a ping response, aka TCP Chorusing.

Votes:

   ACCEPT(2) Wall, Cole
   MODIFY(1) Frech
   NOOP(1) Foat
Voter Comments:
 Frech> XF:win-multiple-ip-dos(7542)


CAN-1999-1202

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980703 Windows95 Proxy DoS Vulnerabilites
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525873&w=2
Reference: XF:startech-pop3-overflow(2088)
Reference: URL:http://xforce.iss.net/static/2088.php

Description:
StarTech (1) POP3 proxy server and (2) telnet server allows remote attackers to cause a denial of service via a long USER command.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1206

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990729 New ActiveX security problems in Windows 98 PCs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93336970231857&w=2
Reference: CONFIRM:http://www.systemsoft.com/l-2/l-3/support-systemwizard.htm
Reference: BID:555
Reference: URL:http://www.securityfocus.com/bid/555

Description:
SystemSoft SystemWizard package in HP Pavilion PC with Windows 98, and possibly other platforms and operating systems, installs two ActiveX controls that are marked as safe for scripting, which allows remote attackers to execute arbitrary commands via a malicious web page that references (1) the Launch control, or (2) the RegObj control.

Votes:

   ACCEPT(4) Foat, Cole, Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, Wall
Voter Comments:
 Frech> XF:systemwizard-modify-registry(7080)
 Christey> CERT-VN:VU#22919
   URL:http://www.kb.cert.org/vuls/id/22919
   CERT-VN:VU#34453
   URL:http://www.kb.cert.org/vuls/id/34453


CAN-1999-1207

Phase: Proposed (20010912)
Reference: MISC:http://www.efri.hr/~crv/security/bugs/NT/netxtray.html
Reference: XF:netxray-bo(907)
Reference: URL:http://xforce.iss.net/static/907.php

Description:
Buffer overflow in web-admin tool in NetXRay 2.6 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP request.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1210

Phase: Proposed (20010912)
Reference: BUGTRAQ:19971112 Digital Unix Security Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87936891504885&w=2
Reference: XF:dec-xterm(613)
Reference: URL:http://xforce.iss.net/static/613.php

Description:
xterm in Digital UNIX 4.0B *with* patch kit 5 allows local users to overwrite arbitrary files via a symlink attack on a core dump file, which is created when xterm is called with a DISPLAY environmental variable set to a display that xterm cannot access.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1211

Phase: Proposed (20010912)
Reference: CERT:CA-1991-02
Reference: URL:http://www.cert.org/advisories/CA-1991-02.html
Reference: XF:sun-intelnetd(574)
Reference: URL:http://xforce.iss.net/static/574.php

Description:
Vulnerability in in.telnetd in SunOS 4.1.1 and earlier allows local users to gain root privileges.

Votes:

   ACCEPT(5) Frech, Foat, Cole, Dik, Stracener
   NOOP(1) Wall
Voter Comments:
 Frech> CONFIRM:Sun Microsystems, Inc. Security Bulletin #00106 at
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/1
   06&type=0&nav=sec.sba
 Dik> sun bug:  1054669 1049886 1042370 1033809


CAN-1999-1212

Phase: Proposed (20010912)
Reference: CERT:CA-1991-02
Reference: URL:http://www.cert.org/advisories/CA-1991-02.html
Reference: XF:sun-intelnetd(574)
Reference: URL:http://xforce.iss.net/static/574.php

Description:
Vulnerability in in.rlogind in SunOS 4.0.3 and 4.0.3c allows local users to gain root privileges.

Votes:

   ACCEPT(5) Frech, Foat, Cole, Dik, Stracener
   NOOP(1) Wall
Voter Comments:
 Dik> sun bug:  1054669 1049886 1042370 1033809


CAN-1999-1213

Phase: Proposed (20010912)
Reference: HP:HPSBUX9710-070
Reference: URL:http://www2.dataguard.no/bugtraq/1997_4/0001.html
Reference: XF:hp-telnetdos(571)
Reference: URL:http://xforce.iss.net/static/571.php

Description:
Vulnerability in telnet service in HP-UX 10.30 allows attackers to cause a denial of service.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener

CAN-1999-1216

Phase: Proposed (20010912)
Reference: CERT:CA-1993-07
Reference: URL:http://www.cert.org/advisories/CA-1993-07.html
Reference: CIAC:D-15
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/d-15.shtml
Reference: XF:cisco-sourceroute(541)
Reference: URL:http://xforce.iss.net/static/541.php

Description:
Cisco routers 9.17 and earlier allow remote attackers to bypass security restrictions via certain IP source routed packets that should normally be denied using the "no ip source-route" command.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener
   NOOP(1) Wall

CAN-1999-1217

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19970725 Re: NT security - why bother?
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=87602726319435&w=2
Reference: NTBUGTRAQ:19970723 NT security - why bother?
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=87602726319426&w=2
Reference: XF:nt-path(526)
Reference: URL:http://xforce.iss.net/static/526.php

Description:
The PATH in Windows NT includes the current working directory (.), which could allow local users to gain privileges by placing Trojan horse programs with the same name as commonly used system programs into certain directories.

Votes:

   ACCEPT(3) Frech, Foat, Cole
Voter Comments:
 CHANGE> [Foat changed vote from NOOP to ACCEPT]


CAN-1999-1218

Phase: Proposed (20010912)
Reference: CERT:CA-1993-04
Reference: URL:http://www.cert.org/advisories/CA-1993-04.html
Reference: XF:amiga-finger(522)
Reference: URL:http://xforce.iss.net/static/522.php

Description:
Vulnerability in finger in Commodore Amiga UNIX 2.1p2a and earlier allows local users to read arbitrary files.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener
   NOOP(1) Wall

CAN-1999-1219

Phase: Proposed (20010912)
Reference: CERT:CA-1994-13
Reference: URL:http://www.cert.org/advisories/CA-1994-13.html
Reference: AUSCERT:AA-94.04a
Reference: CIAC:E-33
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/e-33.shtml
Reference: XF:sgi-prn-mgr(511)
Reference: URL:http://xforce.iss.net/static/511.php
Reference: BID:468
Reference: URL:http://www.securityfocus.com/bid/468

Description:
Vulnerability in sgihelp in the SGI help system and print manager in IRIX 5.2 and earlier allows local users to gain root privileges, possibly through the clogin command.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener
   NOOP(1) Wall

CAN-1999-1220

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970824 Vulnerability in Majordomo
Reference: URL:http://www.securityfocus.com/archive/1/7527
Reference: XF:majordomo-advertise(502)
Reference: URL:http://xforce.iss.net/static/502.php

Description:
Majordomo 1.94.3 and earlier allows remote attackers to execute arbitrary commands when the advertise or noadvertise directive is used in a configuration file, via shell metacharacters in the Reply-To header.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1221

Phase: Proposed (20010912)
Reference: BUGTRAQ:19961117 Digital Unix v3.x (v4.x?) security vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420141&w=2
Reference: XF:dgux-chpwd(399)
Reference: URL:http://xforce.iss.net/static/399.php

Description:
dxchpwd in Digital Unix (OSF/1) 3.x allows local users to modify arbitrary files via a symlink attack on the dxchpwd.log file.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1224

Phase: Proposed (20010912)
Reference: BUGTRAQ:19971008 L0pht Advisory: IMAP4rev1 imapd server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87635124302928&w=2
Reference: XF:imapd-core(349)
Reference: URL:http://xforce.iss.net/static/349.php

Description:
IMAP 4.1 BETA, and possibly other versions, does not properly handle the SIGABRT (abort) signal, which allows local users to crash the server (imapd) via certain sequences of commands, which causes a core dump that may contain sensitive password information.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1225

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970824 Serious security flaw in rpc.mountd on several operating systems.
Reference: URL:http://www.securityfocus.com/archive/1/7526
Reference: XF:mountd-file-exists(347)
Reference: URL:http://xforce.iss.net/static/347.php

Description:
rpc.mountd on Linux, Ultrix, and possibly other operating systems, allows remote attackers to determine the existence of a file on the server by attempting to mount that file, which generates different error messages depending on whether the file exists or not.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1227

Phase: Proposed (20010912)
Reference: MISC:http://www.ethereal.com/lists/ethereal-dev/199907/msg00126.html
Reference: MISC:http://www.ethereal.com/lists/ethereal-dev/199907/msg00130.html
Reference: XF:ethereal-dev-capturec-root(3334)
Reference: URL:http://xforce.iss.net/static/3334.php

Description:
Ethereal allows local users to overwrite arbitrary files via a symlink attack on the packet capture file.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1228

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980927 1+2=3, +++ATH0=Old school DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90695973308453&w=2
Reference: MISC:http://www.macintouch.com/modemsecurity.html
Reference: XF:global-village-modem-dos(3320)
Reference: URL:http://xforce.iss.net/static/3320.php

Description:
Various modems that do not implement a guard time, or are configured with a guard time of 0, can allow remote attackers to execute arbitrary modem commands such as ATH, ATH0, etc., via a "+++" sequence that appears in ICMP packets, the subject of an e-mail message, IRC commands, and others.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1229

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980225 Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files
Reference: URL:http://www.securityfocus.com/archive/1/8590
Reference: XF:linux-quake2(733)
Reference: URL:http://xforce.iss.net/static/733.php

Description:
Quake 2 server 3.13 on Linux does not properly check file permissions for the config.cfg configuration file, which allows local users to read arbitrary files via a symlink from config.cfg to the target file.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1230

Phase: Proposed (20010912)
Reference: BUGTRAQ:19971224 Quake II Remote Denial of Service
Reference: URL:http://www.securityfocus.com/archive/1/8282
Reference: XF:quake2-dos(698)
Reference: URL:http://xforce.iss.net/static/698.php

Description:
Quake 2 server allows remote attackers to cause a denial of service via a spoofed UDP packet with a source address of 127.0.0.1, which causes the server to attempt to connect to itself.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1231

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990609 ssh advirsory
Reference: URL:http://www.securityfocus.com/archive/1/14758
Reference: XF:ssh-leak(2276)
Reference: URL:http://xforce.iss.net/static/2276.php

Description:
ssh 2.0.12, and possibly other versions, allows valid user names to attempt to enter the correct password multiple times, but only prompts an invalid user name for a password once, which allows remote attackers to determine user account names on the server.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1232

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970516 Irix and WWW
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420994&w=2
Reference: XF:sgi-day5datacopier(3316)
Reference: URL:http://xforce.iss.net/static/3316.php

Description:
day5datacopier in SGI IRIX 6.2 trusts the PATH environmental variable to find the "cp" program, which allows local users to execute arbitrary commands by modifying the PATH to point to a Trojan horse cp program.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1234

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991026 Re: LSA vulnerability on NT40 SP5
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94096671308565&w=2
Reference: XF:msrpc-samr-open-dos(3293)
Reference: URL:http://xforce.iss.net/static/3293.php

Description:
LSA (LSASS.EXE) in Windows NT 4.0 allows remote attackers to cause a denial of service via a NULL policy handle in a call to (1) SamrOpenDomain, (2) SamrEnumDomainUsers, and (3) SamrQueryDomainInfo.

Votes:

   ACCEPT(3) Frech, Wall, Cole
   NOOP(1) Foat

CAN-1999-1235

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990331 Minor Bug in IE5.0
Reference: URL:http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9904&L=NTBUGTRAQ&P=R179
Reference: NTBUGTRAQ:19990825 IE5 FTP password exposure & index.dat null ACL problem
Reference: URL:http://packetderm.cotse.com/mailing-lists/ntbugtraq/1999/0364.html
Reference: XF:nt-ie5-user-ftp-password(3289)
Reference: URL:http://xforce.iss.net/static/3289.php

Description:
Internet Explorer 5.0 records the username and password for FTP servers in the URL history, which could allow (1) local users to read the information from another user's index.dat, or (2) people who are physically observing ("shoulder surfing") another user to read the information from the status bar when the user moves the mouse over a link.

Votes:

   ACCEPT(4) Frech, Wall, Foat, Cole
Voter Comments:
 CHANGE> [Foat changed vote from NOOP to ACCEPT]


CAN-1999-1236

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19991001 Vulnerabilities in the Internet Anywhere Mail Server
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9910&L=ntbugtraq&F=&S=&P=662
Reference: BID:731
Reference: URL:http://www.securityfocus.com/bid/731
Reference: XF:iams-passwords-plaintext(3285)
Reference: URL:http://xforce.iss.net/static/3285.php

Description:
Internet Anywhere Mail Server 2.3.1 stores passwords in plaintext in the msgboxes.dbf file, which could allow local users to gain privileges by extracting the passwords from msgboxes.dbf.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1237

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990606 Buffer overflows in smbval library
Reference: URL:http://www.securityfocus.com/archive/1/14384
Reference: XF:smbvalid-bo(2272)
Reference: URL:http://xforce.iss.net/static/2272.php

Description:
Multiple buffer overflows in smbvalid/smbval SMB authentication library, as used in Apache::AuthenSmb and possibly other modules, allows remote attackers to execute arbitrary commands via (1) a long username, (2) a long password, and (3) other unspecified methods.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1238

Phase: Proposed (20010912)
Reference: HP:HPSBUX9409-017
Reference: URL:http://www.securityfocus.com/advisories/1531
Reference: XF:hp-core-diag-fileset(2262)
Reference: URL:http://xforce.iss.net/static/2262.php

Description:
Vulnerability in CORE-DIAG fileset in HP message catalog in HP-UX 9.05 and earlier allows local users to gain privileges.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener

CAN-1999-1239

Phase: Proposed (20010912)
Reference: HP:HPSBUX9407-015
Reference: URL:http://www.securityfocus.com/advisories/1559
Reference: XF:hp-xauthority(2261)
Reference: URL:http://xforce.iss.net/static/2261.php

Description:
HP-UX 9.x does not properly enable the Xauthority mechanism in certain conditions, which could allow local users to access the X display even when they have not explicitly been authorized to do so.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener

CAN-1999-1240

Phase: Proposed (20010912)
Reference: BUGTRAQ:19961126 Major Security Vulnerabilities in Remote CD Databases
Reference: URL:http://www.securityfocus.com/archive/1/5784
Reference: XF:cddbd-bo(2203)
Reference: URL:http://xforce.iss.net/static/2203.php

Description:
Buffer overflow in cddbd CD database server allows remote attackers to execute arbitrary commands via a long log message.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1241

Phase: Proposed (20010912)
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/NT/activex4.html
Reference: XF:ie-filesystemobject(2173)
Reference: URL:http://xforce.iss.net/static/2173.php

Description:
Internet Explorer, with a security setting below Medium, allows remote attackers to execute arbitrary commands via a malicious web page that uses the FileSystemObject ActiveX object.

Votes:

   ACCEPT(3) Frech, Wall, Cole
   NOOP(2) Christey, Foat
Voter Comments:
 Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/activex4.html
   ADDREF MISC:http://focus.silversand.net/vulner/allbug/activex4.html
 Frech> Change MISC to http://www.securitybugware.org/NT/1018.html


CAN-1999-1242

Phase: Proposed (20010912)
Reference: HP:HPSBUX9402-003
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/003
Reference: XF:hp-subnet-config(2162)
Reference: URL:http://xforce.iss.net/static/2162.php

Description:
Vulnerability in subnetconfig in HP-UX 9.01 and 9.0 allows local users to gain privileges.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener

CAN-1999-1244

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990415 FSA-99.04-IPFILTER-v3.2.10
Reference: URL:http://www.securityfocus.com/archive/1/13303
Reference: XF:ipfilter-temp-file(2087)
Reference: URL:http://xforce.iss.net/static/2087.php

Description:
IPFilter 3.2.3 through 3.2.10 allows local users to modify arbitrary files via a symlink attack on the saved output file.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1245

Phase: Proposed (20010912)
Reference: XF:ucd-snmpd-community(2086)
Reference: URL:http://xforce.iss.net/static/2086.php

Description:
vacm ucd-snmp SNMP server, version 3.52, does not properly disable access to the public community string, which could allow remote attackers to obtain sensitive information.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> http://www.securityfocus.com/archive/1/13130


CAN-1999-1247

Phase: Proposed (20010912)
Reference: HP:HPSBUX9402-006
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/006
Reference: XF:hp-dce9000(2061)
Reference: URL:http://xforce.iss.net/static/2061.php

Description:
Vulnerability in HP Camera component of HP DCE/9000 in HP-UX 9.x allows attackers to gain root privileges.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener

CAN-1999-1248

Phase: Proposed (20010912)
Reference: HP:HPSBUX9411-019
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/019
Reference: XF:hp-supportwatch(2058)
Reference: URL:http://xforce.iss.net/static/2058.php

Description:
Vulnerability in Support Watch (aka SupportWatch) in HP-UX 8.0 through 9.0 allows local users to gain privileges.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener

CAN-1999-1250

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970819 Lasso CGI security hole (fwd)
Reference: URL:http://www.securityfocus.com/archive/1/7506
Reference: XF:http-cgi-lasso(2044)
Reference: URL:http://xforce.iss.net/static/2044.php

Description:
Vulnerability in CGI program in the Lasso application by Blue World, as used on WebSTAR and other servers, allows remote attackers to read arbitrary files.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1251

Phase: Proposed (20010912)
Reference: HP:HPSBUX9612-043
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/043
Reference: XF:hp-audio-panic(2010)
Reference: URL:http://xforce.iss.net/static/2010.php

Description:
Vulnerability in direct audio user space code on HP-UX 10.20 and 10.10 allows local users to cause a denial of service.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener

CAN-1999-1252

Phase: Proposed (20010912)
Reference: CERT:VB-96.15
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.15.sco
Reference: SCO:96:002
Reference: URL:ftp://ftp.sco.COM/SSE/security_bulletins/SB.96:02a
Reference: XF:sco-system-call(1966)
Reference: URL:http://xforce.iss.net/static/1966.php

Description:
Vulnerability in a certain system call in SCO UnixWare 2.0.x and 2.1.0 allows local users to access arbitrary files and gain root privileges.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener
   NOOP(1) Wall

CAN-1999-1253

Phase: Proposed (20010912)
Reference: CERT:VB-96.10
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.10.sco
Reference: SCO:96:001
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB.96:01a
Reference: XF:sco-kernel(1965)
Reference: URL:http://xforce.iss.net/static/1965.php

Description:
Vulnerability in a kernel error handling routine in SCO OpenServer 5.0.2 and earlier, and SCO Internet FastStart 1.0, allows local users to gain root privileges.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener
   NOOP(1) Wall

CAN-1999-1254

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990308 Winfreeze EXPLOIT Win9x/NT
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92099515709467&w=2
Reference: XF:win-redirects-freeze(1947)
Reference: URL:http://xforce.iss.net/static/1947.php

Description:
Windows 95, 98, and NT 4.0 allow remote attackers to cause a denial of service by spoofing ICMP redirect messages from a router, which causes Windows to change its routing tables.

Votes:

   ACCEPT(3) Frech, Wall, Cole
   MODIFY(1) Meunier
   NOOP(2) Christey, Foat
Voter Comments:
 Christey> Need to get feedback from MS on this.
 Christey> (prompted from Pascal Meunier) should this be treated
   as a general design issue with ICMP?  Or is it a specific
   implementation flaw that only affects Reliant?
 Meunier> The description is too narrow and incorrect.  Spoofed ICMP
   redirect messages can be used to setup man-in-the-middle attacks
   instead of a DoS.  There's no reason that this behavior would be
   limited to Windows, as it is specified by the standard.  As I said
   elsewhere, ICMP messages should not be acted upon without access
   controls.


CAN-1999-1255

Phase: Proposed (20010912)
Reference: MISC:http://www.rootshell.com/archive-j457nxiqi3gq59dv/199902/hyperseek.txt.html
Reference: XF:hyperseek-modify(1914)
Reference: URL:http://xforce.iss.net/static/1914.php

Description:
Hyperseek allows remote attackers to modify the hyperseek configuration by directly calling the admin.cgi program with an edit_file action parameter.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1256

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990304 Oracle Plaintext Password
Reference: URL:http://www.securityfocus.com/archive/1/12744
Reference: NTBUGTRAQ:19990304 Oracle Plaintext Password
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92056752115116&w=2
Reference: XF:oracle-passwords(1902)
Reference: URL:http://xforce.iss.net/static/1902.php

Description:
Oracle Database Assistant 1.0 in Oracle 8.0.3 Enterprise Edition stores the database master password in plaintext in the spoolmain.log file when a new database is created, which allows local users to obtain the password from that file.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1257

Phase: Proposed (20010912)
Reference: BUGTRAQ:19971126 Xyplex terminal server bug
Reference: URL:http://www.securityfocus.com/archive/1/8134
Reference: XF:xyplex-controlz-login(1825)
Reference: URL:http://xforce.iss.net/static/1825.php
Reference: XF:xyplex-question-login(1826)
Reference: URL:http://xforce.iss.net/static/1826.php

Description:
Xyplex terminal server 6.0.1S1, and possibly other versions, allows remote attackers to bypass the password prompt by entering (1) a CTRL-Z character, or (2) a ? (question mark).

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1260

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990215 KSR[T] Advisory #10: mSQL ServerStats
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91910115718150&w=2
Reference: XF:msql-serverstats(1777)
Reference: URL:http://xforce.iss.net/static/1777.php

Description:
mSQL (Mini SQL) 2.0.6 allows remote attackers to obtain sensitive server information such as logged users, database names, and server version via the ServerStats query.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1261

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990211 Rainbow Six Buffer Overflow.....
Reference: URL:http://www.securityfocus.com/archive/1/12433
Reference: XF:rainbowsix-nick-bo(1772)
Reference: URL:http://xforce.iss.net/static/1772.php

Description:
Buffer overflow in Rainbow Six Multiplayer allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long nickname (nick) command.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1264

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990121 WebRamp M3 remote network access bug
Reference: URL:http://www.securityfocus.com/archive/1/12048
Reference: BUGTRAQ:19990203 WebRamp M3 Perceived Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91815321510224&w=2
Reference: XF:webramp-remote-access(1670)
Reference: URL:http://xforce.iss.net/static/1670.php

Description:
WebRamp M3 router does not disable remote telnet or HTTP access to itself, even when access has been expliticly disabled.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1265

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980922 Re: WARNING! SMTP Denial of Service in SLmail ver 3.1
Reference: BUGTRAQ:19980922 WARNING! SMTP Denial of Service in SLmail ver 3.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90649892424117&w=2
Reference: NTBUGTRAQ:19980922 WARNING! SMTP Denial of Service in SLmail ver 3.1
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=90650438826447&w=2
Reference: XF:slmail-parens-overload(1664)
Reference: URL:http://xforce.iss.net/static/1664.php

Description:
SMTP server in SLmail 3.1 and earlier allows remote attackers to cause a denial of service via malformed commands whose arguments begin with a "(" (parenthesis) character, such as (1) SEND, (2) VRFY, (3) EXPN, (4) MAIL FROM, (5) RCPT TO.

Votes:

   ACCEPT(3) Frech, Foat, Cole
   NOOP(1) Wall

CAN-1999-1266

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970613 rshd gives away usernames
Reference: URL:http://www.securityfocus.com/archive/1/6978
Reference: XF:rsh-username-leaks(1660)
Reference: URL:http://xforce.iss.net/static/1660.php

Description:
rsh daemon (rshd) generates different error messages when a valid username is provided versus an invalid name, which allows remote attackers to determine valid users on the system.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1267

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970505 Hole in the KDE desktop
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420906&w=2
Reference: XF:kde-flawed-ipc(1646)
Reference: URL:http://xforce.iss.net/static/1646.php

Description:
KDE file manager (kfm) uses a TCP server for certain file operations, which allows remote attackers to modify arbitrary files by sending a copy command to the server.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1268

Phase: Proposed (20010912)
Reference: MISC:http://lists.kde.org/?l=kde-devel&m=91560433413263&w=2
Reference: XF:kde-konsole-hijack(1645)
Reference: URL:http://xforce.iss.net/static/1645.php

Description:
Vulnerability in KDE konsole allows local users to hijack or observe sessions of other users by accessing certain devices.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1269

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980206 serious security hole in KDE Beta 3
Reference: URL:http://www.securityfocus.com/archive/1/8506
Reference: XF:kde-kss-file-clobber(1641)
Reference: URL:http://xforce.iss.net/static/1641.php

Description:
Screen savers in KDE beta 3 allows local users to overwrite arbitrary files via a symlink attack on the .kss.pid file.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1270

Phase: Proposed (20010912)
Reference: MISC:http://lists.kde.org/?l=kde-devel&m=90221974029738&w=2
Reference: XF:kde-kmail-passphrase-leak(1639)
Reference: URL:http://xforce.iss.net/static/1639.php

Description:
KMail in KDE 1.0 provides a PGP passphrase as a command line argument to other programs, which could allow local users to obtain the passphrase and compromise the PGP keys of other users by viewing the arguments via programs that list process information, such as ps.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1271

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980611 Unsecure passwords in Macromedia Dreamweaver
Reference: URL:http://www.securityfocus.com/archive/1/9511
Reference: XF:dreamweaver-weak-passwords(1636)
Reference: URL:http://xforce.iss.net/static/1636.php

Description:
Macromedia Dreamweaver uses weak encryption to store FTP passwords, which could allow local users to easily decrypt the passwords of other users.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1272

Phase: Proposed (20010912)
Reference: SGI:19980301-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980301-01-PX
Reference: XF:irix-cdrom-confidence(1635)
Reference: URL:http://xforce.iss.net/static/1635.php

Description:
Buffer overflows in CDROM Confidence Test program (cdrom) allow local users to gain root privileges.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener

CAN-1999-1273

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980220 Simple way to bypass squid ACLs
Reference: URL:http://www.securityfocus.com/archive/1/8551
Reference: XF:squid-regexp-acl(1627)
Reference: URL:http://xforce.iss.net/static/1627.php

Description:
Squid Internet Object Cache 1.1.20 allows users to bypass access control lists (ACLs) by encoding the URL with hexadecimal escape sequences.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1274

Phase: Proposed (20010912)
Reference: BUGTRAQ:19971229 iPass RoamServer 3.1
Reference: URL:http://www.securityfocus.com/archive/1/8307
Reference: XF:ipass-temporary-files(1625)
Reference: URL:http://xforce.iss.net/static/1625.php

Description:
iPass RoamServer 3.1 creates temporary files with world-writable permissions.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1275

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970908 Password unsecurity in cc:Mail release 8
Reference: URL:http://www.securityfocus.com/archive/1/9478
Reference: XF:lotus-ccmail-passwords(1619)
Reference: URL:http://xforce.iss.net/static/1619.php

Description:
Lotus cc:Mail release 8 stores the postoffice password in plaintext in a hidden file which has insecure permissions, which allows local users to gain privileges.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1277

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19981224 BackWeb - Password issue (used by NAI for Corporate customer notification).
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91487886514546&w=2
Reference: XF:backweb-cleartext-passwords(1565)
Reference: URL:http://xforce.iss.net/static/1565.php

Description:
BackWeb client stores the username and password in cleartext for proxy authentication in the Communication registry key, which could allow other local users to gain privileges by reading the password.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1278

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981225 Re: Nlog v1.0 Released - Nmap 2.x log management / analyzing tool
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2
Reference: BUGTRAQ:19981226 Nlog 1.1b released - security holes fixed
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2
Reference: XF:http-cgi-nlog-netbios(1550)
Reference: URL:http://xforce.iss.net/static/1550.php
Reference: XF:http-cgi-nlog-metachars(1549)

Description:
nlog CGI scripts do not properly filter shell metacharacters from the IP address argument, which could allow remote attackers to execute certain commands via (1) nlog-smb.pl or (2) rpc-nlog.pl.

Votes:

   ACCEPT(3) Frech, Foat, Cole
   NOOP(1) Wall

CAN-1999-1280

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981203 Remote Tools w/Exceed v.6.0.1.0 fer 95
Reference: URL:http://www.securityfocus.com/archive/1/11512
Reference: XF:exceed-cleartext-passwords(1547)
Reference: URL:http://xforce.iss.net/static/1547.php

Description:
Hummingbird Exceed 6.0.1.0 inadvertently includes a DLL that was meant for development and testing, which logs user names and passwords in cleartext in the test.log file.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1281

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981226 Breeze Network Server remote reboot and other bogosity.
Reference: URL:http://www.securityfocus.com/archive/1/11720
Reference: XF:breeze-remote-reboot(1544)
Reference: URL:http://xforce.iss.net/static/1544.php

Description:
Development version of Breeze Network Server allows remote attackers to cause the system to reboot by accessing the configbreeze CGI program.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> There have been no followups to indicate that this issue has
   been 
   resolved in the production version, and as a benefit to the doubt,
   this issue
   transcends EX-BETA until proven otherwise.


CAN-1999-1282

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981210 RealSystem passwords
Reference: URL:http://www.securityfocus.com/archive/1/11543
Reference: XF:realsystem-readable-conf-file(1542)
Reference: URL:http://xforce.iss.net/static/1542.php

Description:
RealSystem G2 server stores the administrator password in cleartext in a world-readable configuration file, which allows local users to gain privileges.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1283

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980814 URL exploit to crash Opera Browser
Reference: URL:http://www.securityfocus.com/archive/1/10320
Reference: XF:opera-slash-crash(1541)
Reference: URL:http://xforce.iss.net/static/1541.php

Description:
Opera 3.2.1 allows remote attackers to cause a denial of service (application crash) via a URL that contains an extra / in the http:// tag.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> Will go along with a REJECT if MITRE decides on
   EX-CLIENT-DOS.


CAN-1999-1285

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981227 [patch] fix for urandom read(2) not interruptible
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91495921611500&w=2
Reference: XF:linux-random-read-dos(1472)
Reference: URL:http://xforce.iss.net/static/1472.php

Description:
Linux 2.1.132 and earlier allows local users to cause a denial of service (resource exhaustion) by reading a large buffer from a random device (e.g. /dev/urandom), which cannot be interrupted until the read has completed.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1286

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970509 Re: Irix: misc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420927&w=2
Reference: XF:irix-addnetpr(1433)
Reference: URL:http://xforce.iss.net/static/1433.php

Description:
addnetpr in SGI IRIX 6.2 and earlier allows local users to modify arbitrary files and possibly gain root access via a symlink attack on a temporary file.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Christey, Foat, Cole
Voter Comments:
 Christey> CHANGE DESC: "via a symlink attack on the printers temporary file."
   Add 5.3 as another affected version.
   
   MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX
   SGI:19961203-02-PX may solve this problem, but the advisory is so
   vague that it is uncertain whether this was fixed or not. addnetpr is
   not specifically named in the advisory, which names netprint, which is
   not specified in the original Bugtraq post. In addition, the date on
   the advisory is one day earlier than that of the Bugtraq post, though
   that could be a difference in time zones. It seems plausible that the
   problem had already been patched (the researcher did say "There *was*
   [a] race condition") so maybe SGI released this advisory after the
   problem was publicized.
   
   ADDREF BID:330
   URL:http://www.securityfocus.com/bid/330
   
   Note: this is a dupe of CAN-1999-1410, but CAN-1999-1410 will
   be rejected in favor of CAN-1999-1286.


CAN-1999-1287

Phase: Proposed (20010912)
Reference: CONFIRM:http://www.statslab.cam.ac.uk/~sret1/analog/security.html
Reference: XF:analog-remote-file(1410)
Reference: URL:http://xforce.iss.net/static/1410.php

Description:
Vulnerability in Analog 3.0 and earlier allows remote attackers to read arbitrary files via the forms interface.

Votes:

   ACCEPT(4) Frech, Cole, Armstrong, Stracener
   NOOP(2) Wall, Foat
Voter Comments:
 CHANGE> [Foat changed vote from ACCEPT to NOOP]


CAN-1999-1289

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981111 WARNING: Another ICQ IP address vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/11233
Reference: XF:icq-ip-info(1398)
Reference: URL:http://xforce.iss.net/static/1398.php

Description:
ICQ 98 beta on Windows NT leaks the internal IP address of a client in the TCP data segment of an ICQ packet instead of the public address (e.g. through NAT), which provides remote attackers with potentially sensitive information about the client or the internal network configuration.

Votes:

   ACCEPT(3) Frech, Wall, Cole
   NOOP(1) Foat
Voter Comments:
 Frech> Override EX-BETA in this case, since ICQ is always in beta
   and is 
   widely run in production environments.


CAN-1999-1291

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981005 New Windows Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/10789
Reference: XF:nt-brkill(1383)
Reference: URL:http://xforce.iss.net/static/1383.php

Description:
TCP/IP implementation in Microsoft Windows 95, Windows NT 4.0, and possibly others, allows remote attackers to reset connections by forcing a reset (RST) via a PSH ACK or other means, obtaining the target's last sequence number from the resulting packet, then spoofing a reset to the target.

Votes:

   ACCEPT(3) Frech, Wall, Cole
   NOOP(2) Christey, Foat
Voter Comments:
 Christey> Need to get feedback from MS on this.


CAN-1999-1292

Phase: Proposed (20010912)
Reference: ISS:19980901 Remote Buffer Overflow in the Kolban Webcam32 Program
Reference: URL:http://xforce.iss.net/alerts/advise7.php
Reference: XF:webcam32-buffer-overflow(1366)
Reference: URL:http://xforce.iss.net/static/1366.php

Description:
Buffer overflow in web administration feature of Kolban Webcam32 4.8.3 and earlier allows remote attackers to execute arbitrary commands via a long URL.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1293

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980106 Apache security advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88413292830649&w=2
Reference: CONFIRM:http://www.apache.org/info/security_bulletin_1.2.5.html

Description:
mod_proxy in Apache 1.2.5 and earlier allows remote attackers to cause a denial of service via malformed FTP commands, which causes Apache to dump core.

Votes:

   ACCEPT(3) Cole, Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:apache-mod-proxy-dos(7249)
   CONFIRM reference no longer seems to exist. BugTraq message
   seems to be a confirmation/advisory, however.
 CHANGE> [Foat changed vote from ACCEPT to NOOP]


CAN-1999-1295

Phase: Modified (20020218-01)
Reference: CERT:VB-96.16
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.16.transarc
Reference: XF:dfs-login-groups(7154)
Reference: URL:http://xforce.iss.net/static/7154.php

Description:
Transarc DCE Distributed File System (DFS) 1.1 for Solaris 2.4 and 2.5 does not properly initialize the grouplist for users who belong to a large number of groups, which could allow those users to gain access to resources that are protected by DFS.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:dfs-login-groups(7154)


CAN-1999-1296

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970429 vulnerabilities in kerberos
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420878&w=2

Description:
Buffer overflow in Kerberos IV compatibility libraries as used in Kerberos V allows local users to gain root privileges via a long line in a kerberos configuration file, which can be specified via the KRB_CONF environmental variable.

Votes:

   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:kerberos-config-file-bo(7184)


CAN-1999-1299

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970203 Linux rcp bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420509&w=2

Description:
rcp on various Linux systems including Red Hat 4.0 allows a "nobody" user or other user with UID of 65535 to overwrite arbitrary files, since 65535 is interpreted as -1 by chown and other system calls, which causes the calls to fail to modify the ownership of the file.

Votes:

   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:rcp-nobody-file-overwrite(7187)


CAN-1999-1300

Phase: Proposed (20010912)
Reference: CIAC:B-31
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-31.shtml

Description:
Vulnerability in accton in Cray UNICOS 6.1 and 6.0 allows local users to read arbitrary files and modify system accounting configuration.

Votes:

   ACCEPT(4) Foat, Cole, Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF: unicos-accton-read-files(7210)


CAN-1999-1302

Phase: Proposed (20010912)
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml

Description:
Vulnerability in pt_chmod in SCO UNIX 4.2 and earlier allows local users to gain root access.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:sco-pt_chmod(7586)


CAN-1999-1303

Phase: Proposed (20010912)
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml

Description:
Vulnerability in prwarn in SCO UNIX 4.2 and earlier allows local users to gain root access.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:sco-prwarn(7587)


CAN-1999-1304

Phase: Proposed (20010912)
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml

Description:
Vulnerability in login in SCO UNIX 4.2 and earlier allows local users to gain root access.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:sco-login(7588)


CAN-1999-1305

Phase: Proposed (20010912)
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml

Description:
Vulnerability in "at" program in SCO UNIX 4.2 and earlier allows local users to gain root access.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:sco-at(7589)


CAN-1999-1306

Phase: Proposed (20010912)
Reference: CERT:CA-1992-20
Reference: URL:http://www.cert.org/advisories/CA-1992-20.html

Description:
Cisco IOS 9.1 and earlier does not properly handle extended IP access lists when the IP route cache is enabled and the "established" keyword is set, which could allow attackers to bypass filters.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:cisco-acl-established(1248)
   Possibly duplicate with CVE-1999-0162?
 Christey> Might be a duplicate of CVE-1999-0162, but CVE-1999-0162 was
   released in 1995, whereas this bug was released in 1992.


CAN-1999-1307

Phase: Proposed (20010912)
Reference: BUGTRAQ:19941209 Novell security advisory on sadc, urestore and the suid_exec feature
Reference: URL:http://www.dataguard.no/bugtraq/1994_4/0676.html
Reference: CIAC:F-06
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-06.shtml

Description:
Vulnerability in urestore in Novell UnixWare 1.1 allows local users to gain root privileges.

Votes:

   ACCEPT(4) Foat, Cole, Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF;novell-unixware-urestore-root(7211)


CAN-1999-1308

Phase: Modified (20020218-01)
Reference: HP:HPSBUX9611-041
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-91.shtml
Reference: CIAC:H-09
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-09.shtml
Reference: CIAC:H-91
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-91.shtml
Reference: XF:hp-large-uid-gid(7594)
Reference: URL:http://www.iss.net/security_center/static/7594.php

Description:
Certain programs in HP-UX 10.20 do not properly handle large user IDs (UID) or group IDs (GID) over 60000, which could allow local users to gain privileges.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:hp-large-uid-gid(7594)


CAN-1999-1310

Phase: Proposed (20010912)
Reference: CIAC:F-01
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-01.shtml
Reference: SGI:19941001-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19941001-01-P
Reference: MISC:http://www.netsys.com/firewalls/firewalls-9410/0019.html

Description:
/usr/lib/vadmin/serial_ports in SGI IRIX 5.x and earlier trusts the PATH environmental variable to find the ls program, which allows local users to gain root access.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   REJECT(2) Christey, Frech
Voter Comments:
 Frech> DUPE CAN-1999-1022
 Christey> As noted by Andre Frech, this is a duplicate of CAN-1999-1022.
   The references from this candidate will be added to
   CAN-1999-1022.


CAN-1999-1311

Phase: Proposed (20010912)
Reference: HP:HPSBUX9701-046
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml

Description:
Vulnerability in dtlogin and dtsession in HP-UX 10.20 and 10.10 allows local users to bypass authentication and gain privileges.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:hp-dt-bypass-auth(7668)
   ACKNOWLEDGED-BY-VENDOR


CAN-1999-1312

Phase: Modified (20020218-01)
Reference: CERT:CA-1993-05
Reference: URL:http://www.cert.org/advisories/CA-1993-05.html
Reference: XF:openvms-local-privilege-elevation(7142)
Reference: URL:http://xforce.iss.net/static/7142.php

Description:
Vulnerability in DEC OpenVMS VAX 5.5-2 through 5.0, and OpenVMS AXP 1.0, allows local users to gain system privileges.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:openvms-local-privilege-elevation(7142)


CAN-1999-1313

Phase: Modified (20020218-01)
Reference: CIAC:G-24
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/g-24.shtml
Reference: FREEBSD:FreeBSD-SA-96:11
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:11.man.asc
Reference: XF:bsd-man-command-sequence(7348)
Reference: URL:http://xforce.iss.net/static/7348.php

Description:
Manual page reader (man) in FreeBSD 2.2 and earlier allows local users to gain privileges via a sequence of commands.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:bsd-man-command-sequence(7348)


CAN-1999-1314

Phase: Modified (20020218-01)
Reference: CIAC:G-24
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/g-24.shtml
Reference: FREEBSD:FreeBSD-SA-96:10
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:10.mount_union.asc
Reference: XF:unionfs-mount-ordering(7429)
Reference: URL:http://www.iss.net/security_center/static/7429.php

Description:
Vulnerability in union file system in FreeBSD 2.2 and earlier, and possibly other operating systems, allows local users to cause a denial of service (system reload) via a series of certain mount_union commands.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:unionfs-mount-ordering(7429)


CAN-1999-1315

Phase: Proposed (20010912)
Reference: CIAC:F-04
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-04.shtml

Description:
Vulnerabilities in DECnet/OSI for OpenVMS before 5.8 on DEC Alpha AXP and VAX/VMS systems allow local users to gain privileges or cause a denial of service.

Votes:

   ACCEPT(4) Foat, Cole, Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:openvms-decnetosi-gain-privileges(7212)


CAN-1999-1319

Phase: Modified (20020218-01)
Reference: SGI:19960101-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19960101-01-PX
Reference: XF:irix-object-server(7430)
Reference: URL:http://www.iss.net/security_center/static/7430.php

Description:
Vulnerability in object server program in SGI IRIX 5.2 through 6.1 allows remote attackers to gain root privileges in certain configurations.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:irix-object-server(7430)


CAN-1999-1322

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19981112 exchverify.log
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91096758513985&w=2
Reference: NTBUGTRAQ:19981117 Re: exchverify.log - update #1
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91133714919229&w=2
Reference: NTBUGTRAQ:19981125 Re: exchverify.log - update #2
Reference: NTBUGTRAQ:19981216 Arcserve Exchange Client security issue being fixed
Reference: NTBUGTRAQ:19990305 Cheyenne InocuLAN for Exchange plain text password still there
Reference: NTBUGTRAQ:19990426 ArcServe Exchange Client Security Issue still unresolved

Description:
The installation of 1ArcServe Backup and Inoculan AV client modules for Exchange create a log file, exchverify.log, which contains usernames and passwords in plaintext.

Votes:

   NOOP(3) Wall, Foat, Cole

CAN-1999-1323

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990409 NAV for MS Exchange & Internet Email Gateways
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92370067416739&w=2

Description:
Norton AntiVirus for Internet Email Gateways (NAVIEG) 1.0.1.7 and earlier, and Norton AntiVirus for MS Exchange (NAVMSE) 1.5 and earlier, store the administrator password in cleartext in (1) the navieg.ini file for NAVIEG, and (2) the ModifyPassword registry key in NAVMSE.

Votes:

   ACCEPT(1) Prosser
   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:nav-admin-password(7543)
 Prosser> This has been since corrected in later releases.


CAN-1999-1334

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980129 KSR[T] Advisory #7: filter
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88609666024181&w=2
Reference: CONFIRM:http://www.redhat.com/support/errata/rh50-errata-general.html#elm

Description:
Multiple buffer overflows in filter command in Elm 2.4 allows attackers to execute arbitrary commands via (1) long From: headers, (2) long Reply-To: headers, or (3) via a long -f (filterfile) command line argument.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Wall, Armstrong
Voter Comments:
 Frech> XF:elm-filter-getfilterrules-bo(7214)
   XF:elm-filter2(711)


CAN-1999-1338

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990721 Delegate creates directories writable for anyone
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93259112204664&w=2

Description:
Delegate proxy 5.9.3 and earlier creates files and directories in the DGROOT with world-writable permissions.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:delegate-dgroot-permissions(8438)


CAN-1999-1340

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991104 hylafax-4.0.2 local exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94173799532589&w=2
Reference: BID:765
Reference: URL:http://www.securityfocus.com/bid/765

Description:
Buffer overflow in faxalter in hylafax 4.0.2 allows local users to gain privileges via a long -m command line argument.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:hylafax-faxalter-gain-privs(3453)
   Proper spelling of the product is HylaFAX (see
   http://www.hylafax.org/)


CAN-1999-1342

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19991017 ICQ ActiveList Server Exploit...
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94042342010662&w=2

Description:
ICQ ActiveList Server allows remote attackers to cause a denial of service (crash) via malformed packets to the server's UDP port.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:icq-activelist-udp-dos(7877)


CAN-1999-1343

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991013 Xerox DocuColor 4 LP D.O.S
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93986405412867&w=2

Description:
HTTP server for Xerox DocuColor 4 LP allows remote attackers to cause a denial of service (hang) via a long URL that contains a large number of . characters.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:xerox-docucolor4lp-dos(8041)


CAN-1999-1344

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991005 Auto_FTP v0.02 Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93923873006014&w=2

Description:
Auto_FTP.pl script in Auto_FTP 0.2 stores usernames and passwords in plaintext in the auto_ftp.conf configuration file.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:autoftp-plaintext-password(8045)


CAN-1999-1345

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991005 Auto_FTP v0.02 Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93923873006014&w=2

Description:
Auto_FTP.pl script in Auto_FTP 0.2 uses the /tmp/ftp_tmp as a shared directory with insecure permissions, which allows local users to (1) send arbitrary files to the remote server by placing them in the directory, and (2) view files that are being transferred.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:autoftp-shared-directory(8047)


CAN-1999-1346

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991007 Problems with redhat 6 Xsession and pam.d/rlogin.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93942774609925&w=2

Description:
PAM configuration file for rlogin in Red Hat Linux 6.1 and earlier includes a less restrictive rule before a more restrictive one, which allows users to access the host via rlogin even if rlogin has been explicitly disabled using the /etc/nologin file.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:pam-rlogin-bypass(8315)


CAN-1999-1347

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991007 Problems with redhat 6 Xsession and pam.d/rlogin.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93942774609925&w=2

Description:
Xsession in Red Hat Linux 6.1 and earlier can allow local users with restricted accounts to bypass execution of the .xsession file by starting kde, gnome or anotherlevel from kdm.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:xsession-bypass(8316)


CAN-1999-1348

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990630 linuxconf doesn't seem to deal correctly with /etc/pam.d/reboot
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93220073515880&w=2

Description:
Linuxconf on Red Hat Linux 6.0 and earlier does not properly disable PAM-based access to the shutdown command, which could allow local users to cause a denial of service.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:linuxconf-pam-shutdown-dos(8437)


CAN-1999-1349

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991006 Omni-NFS/X Enterprise (nfsd.exe) DOS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93923679004325&w=2

Description:
NFS daemon (nfsd.exe) for Omni-NFS/X 6.1 allows remote attackers to cause a denial of service (resource exhaustion) via certain packets, possibly with the Urgent (URG) flag set, to port 111.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:xlink-nfsd-dos(8317)


CAN-1999-1350

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990929 Multiple Vendor ARCAD permission problems
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93871933521519&w=2

Description:
ARCAD Systemhaus 0.078-5 installs critical programs and files with world-writeable permissions, which could allow local users to gain privileges by replacing a program with a Trojan horse.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:arcad-insecure-permissions(8318)


CAN-1999-1352

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990928 Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93855134409747&w=2

Description:
mknod in Linux 2.2 follows symbolic links, which could allow local users to overwrite files or gain privileges.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:mknod-symlink(8319)


CAN-1999-1353

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990907 MsgCore mailserver stores passwords in clear text
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93698162708211&w=2

Description:
Nosque MsgCore 2.14 stores passwords in cleartext: (1) the administrator password in the AdmPasswd registry key, and (2) user passwords in the Userbase.dbf data file, which could allow local users to gain privielges.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:msgcore-plaintext-passwords(8271)
   BUGTRAQ Reference is actually NTBUGTRAQ.


CAN-1999-1354

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990830 SoftArc's FirstClass E-mail Client
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93637687305327&w=2
Reference: NTBUGTRAQ:19990909 SoftArc's FirstClass E-mail Client
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93698283309513&w=2

Description:
E-mail client in Softarc FirstClass Internet Server 5.506 and earlier stores usernames and passwords in cleartext in the files (1) home.fc for version 5.506, (2) network.fc for version 3.5, or (3) FCCLIENT.LOG when logging is enabled.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> (Task 1766)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:firstclass-plaintext-account(9874)


CAN-1999-1355

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990817 Compaq PFCUser account
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93542118727732&w=2
Reference: NTBUGTRAQ:19990905 Case ID SSRT0620 - PFCUser account communication
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93654336516711&w=2
Reference: NTBUGTRAQ:19990915 (I) UPDATE - PFCUser Account,
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93759822430801&w=2
Reference: NTBUGTRAQ:19991105 UPDATE: SSRT0620 Compaq Foundation Agents v4.40B PFCUser issues
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94183795025294&w=2
Reference: CONFIRM:http://www.compaq.com/products/servers/management/advisory.html
Reference: XF:management-pfcuser(3231)
Reference: URL:http://xforce.iss.net/static/3231.php

Description:
BMC Patrol component, when installed with Compaq Insight Management Agent 4.23 and earlier, or Management Agents for Servers 4.40 and earlier, creates a PFCUser account with a default password and potentially dangerous privileges.

Votes:

   ACCEPT(5) Frech, Foat, Cole, Armstrong, Stracener
   NOOP(1) Wall

CAN-1999-1357

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991005 Time to update those CGIs again
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93915331626185&w=2

Description:
Netscape Communicator 4.04 through 4.7 (and possibly other versions) in various UNIX operating systems converts the 0x8b character to a "<" sign, and the 0x9b character to a ">" sign, which could allow remote attackers to attack other clients via cross-site scripting (CSS) in CGI programs that do not filter these characters.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:netscape-cgi-filtering-css(8274)


CAN-1999-1361

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980509 coke.c
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925891&w=2

Description:
Windows NT 3.51 and 4.0 running WINS (Windows Internet Name Service) allows remote attackers to cause a denial of service (resource exhaustion) via a flood of malformed packets, which causes the server to slow down and fill the event logs with error messages.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:winnt-wins-packet-flood-dos(7329)


CAN-1999-1364

Phase: Modified (20020218-01)
Reference: MSKB:Q142653
Reference: URL:http://support.microsoft.com/support/kb/articles/q142/6/53.asp
Reference: XF:nt-threadcontext-dos(7421)
Reference: URL:http://www.iss.net/security_center/static/7421.php

Description:
Windows NT 4.0 allows local users to cause a denial of service (crash) via an illegal kernel mode address to the functions (1) GetThreadContext or (2) SetThreadContext.

Votes:

   ACCEPT(3) Wall, Foat, Cole
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:nt-threadcontext-dos(7421)


CAN-1999-1365

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990628 NT runs Explorer.exe, Taskmgr.exe etc. from wrong location
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93069418400856&w=2
Reference: NTBUGTRAQ:19990630 Update: NT runs explorer.exe, etc...
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93127894731200&w=2

Description:
Windows NT searches a user's home directory (%systemroot% by default) before other directories to find critical programs such as NDDEAGNT.EXE, EXPLORER.EXE, USERINIT.EXE or TASKMGR.EXE, which could allow local users to bypass access restrictions or gain privileges by placing a Trojan horse program into the root directory, which is writable by default.

Votes:

   ACCEPT(3) Wall, Foat, Cole
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:nt-login-default-folder(2336)
 CHANGE> [Foat changed vote from NOOP to ACCEPT]
 Frech> XF:nt-login-default-folder(2336)


CAN-1999-1366

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990515 Pegasus Mail weak encryption
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92714118829880&w=2

Description:
Pegasus e-mail client 3.0 and earlier uses weak encryption to store POP3 passwords in the pmail.ini file, which allows local users to easily decrypt the passwords and read e-mail.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:pegasus-weak-password-encryption(8430)


CAN-1999-1367

Phase: Proposed (20010912)
Reference: MISC:http://www.pcworld.com/news/article/0,aid,10842,00.asp

Description:
Internet Explorer 5.0 does not properly reset the username/password cache for Web sites that do not use standard cache controls, which could allow users on the same system to access restricted web sites that were visited by other users.

Votes:

   NOOP(3) Wall, Foat, Cole
   REVIEWING(1) Frech
Voter Comments:
 Frech> (Task 2283)


CAN-1999-1368

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990512 InoculateIT 4.53 Real-Time Exchange Scanner Flawed
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92652152723629&w=2
Reference: NTBUGTRAQ:20001116 InoculateIT AV Option for MS Exchange Server
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=97439568517355&w=2

Description:
AV Option for MS Exchange Server option for InoculateIT 4.53, and possibly other versions, only scans the Inbox folder tree of a Microsoft Exchange server, which could allow viruses to escape detection if a user's rules cause the message to be moved to a different mailbox.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:inoculate-message-redirect-bypass(5602)


CAN-1999-1369

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990414 Real Media Server stores passwords in plain text
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92411181619110&w=2

Description:
Real Media RealServer (rmserver) 6.0.3.353 stores a password in plaintext in the world-readable rmserver.cfg file, which allows local users to gain privileges.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:realserver-insecure-password(7544)


CAN-1999-1370

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990323 MSIE 5 installer disables screen saver
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92220197414799&w=2

Description:
The setup wizard (ie5setup.exe) for Internet Explorer 5.0 disables (1) the screen saver, which could leave the system open to users with physical access if a failure occurs during an unattended installation, and (2) the Task Scheduler Service, which might prevent the scheduled execution of security-critical programs.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:ie-ie5setup-disable-password(7545)


CAN-1999-1371

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990308 Solaris "/usr/bin/write" bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92100752221493&w=2
Reference: MISC:http://www.securiteam.com/exploits/5ZP0O1P35O.html

Description:
Buffer overflow in /usr/bin/write in Solaris 2.6 and 7 allows local users to gain privileges via a long string in the terminal name argument.

Votes:

   ACCEPT(2) Cole, Dik
   MODIFY(1) Frech
   NOOP(3) Christey, Wall, Foat
Voter Comments:
 Frech> XF:solaris-write-bo(7546)
 Christey> This appears to be a rediscovery of the problem for Solaris
   2.8:
   BUGTRAQ:20011114 /usr/bin/write (solaris2.x) Segmentation Fault
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100588255815773&w=2
 Dik> sun bug:  4218941


CAN-1999-1372

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990219 Plaintext Password in Tractive's Remote Manager Software
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91966339502073&w=2

Description:
Triactive Remote Manager with Basic authentication enabled stores the username and password in cleartext in registry keys, which could allow local users to gain privileges.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:triactive-remote-basic-auth(7548)


CAN-1999-1373

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990105 Re: Network Scan Vulnerability [SUMMARY]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91651770130771&w=2

Description:
FORE PowerHub before 5.0.1 allows remote attackers to cause a denial of service (hang) via a TCP SYN scan with TCP/IP OS fingerprinting, e.g. via nmap.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:powerhub-nmap-dos(7556)


CAN-1999-1374

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990427 Re: Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92523159819402&w=2

Description:
perlshop.cgi shopping cart program stores sensitive customer information in directories and files that are under the web root, which allows remote attackers to obtain that information via an HTTP request.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:perlshop-cgi-obtain-information(7557)


CAN-1999-1375

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990211 Using FSO in ASP to view just about anything
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91877455626320&w=2
Reference: BID:230
Reference: URL:http://www.securityfocus.com/bid/230

Description:
FileSystemObject (FSO) in the showfile.asp Active Server Page (ASP) allows remote attackers to read arbitrary files by specifying the name in the file parameter.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:iis-fso-read-files(7558)


CAN-1999-1376

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990114 MS IIS 4.0 Security Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91632724913080&w=2
Reference: BUGTRAQ:19990114 MS IIS 4.0 Security Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91638375309890&w=2

Description:
Buffer overflow in fpcount.exe in IIS 4.0 with FrontPage Server Extensions allows remote attackers to execute arbitrary commands.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:frontpage-ext-fpcount-crash(5494)


CAN-1999-1377

Phase: Proposed (20010912)
Reference: MISC:http://pulhas.org/phrack/55/P55-07.html

Description:
Matt Wright's download.cgi 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the f parameter.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:download-cgi-directory-traversal(8279)


CAN-1999-1378

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990917 improper chroot in dbmlparser.exe
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93250710625956&w=2

Description:
dbmlparser.exe CGI guestbook program does not perform a chroot operation properly, which allows remote attackers to read arbitrary files.

Votes:

   NOOP(3) Wall, Foat, Cole
   REVIEWING(1) Frech
Voter Comments:
 Frech> (Task 2284)


CAN-1999-1381

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981008 buffer overflow in dbadmin
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90786656409618&w=2

Description:
Buffer overflow in dbadmin CGI program 1.0.1 on Linux allows remote attackers to execute arbitrary commands.

Votes:

   NOOP(3) Wall, Foat, Cole

CAN-1999-1383

Phase: Proposed (20010912)
Reference: BUGTRAQ:19960913 tee see shell problems
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419868&w=2
Reference: BUGTRAQ:19960919 Vulnerability in expansion of PS1 in bash & tcsh
Reference: URL:http://www.dataguard.no/bugtraq/1996_3/0503.html

Description:
(1) bash before 1.14.7, and (2) tcsh 6.05 allow local users to gain privileges via directory names that contain shell metacharacters (` back-tick), which can cause the commands enclosed in the directory name to be executed when the shell expands filenames using the \w option in the PS1 variable.

Votes:

   NOOP(2) Foat, Cole

CAN-1999-1387

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970402 Fatal bug in NT 4.0 server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420731&w=2
Reference: BUGTRAQ:19970403 Fatal bug in NT 4.0 server (more comments)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420732&w=2
Reference: BUGTRAQ:19970407 DUMP of NT system crash
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420741&w=2

Description:
Windows NT 4.0 SP2 allows remote attackers to cause a denial of service (crash), possibly via malformed inputs or packets, such as those generated by a Linux smbmount command that was compiled on the Linux 2.0.29 kernel but executed on Linux 2.0.25.

Votes:

   ACCEPT(1) Cole
   NOOP(1) Foat

CAN-1999-1388

Phase: Proposed (20010912)
Reference: BUGTRAQ:19940513 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994
Reference: URL:http://www2.dataguard.no/bugtraq/1994_2/0197.html
Reference: BUGTRAQ:19940514 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994.NEWFIX
Reference: URL:http://www2.dataguard.no/bugtraq/1994_2/0207.html
Reference: BUGTRAQ:19941218 Sun Patch Id #102060-01
Reference: URL:http://www.dataguard.no/bugtraq/1994_4/0755.html

Description:
passwd in SunOS 4.1.x allows local users to overwrite arbitrary files via a symlink attack and the -F command line argument.

Votes:

   ACCEPT(1) Dik
   NOOP(2) Foat, Cole
Voter Comments:
 Dik> sun bug: 1171499


CAN-1999-1389

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980511 3Com/USR Total Control Chassis dialup port access filters
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925916&w=2
Reference: BID:99
Reference: URL:http://www.securityfocus.com/bid/99

Description:
US Robotics/3Com Total Control Chassis with Frame Relay between 3.6.22 and 3.7.24 does not properly enforce access filters when the "set host prompt" setting is made for a port, which allows attackers to bypass restrictions by providing the hostname twice at the "host: " prompt.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:3com-netserver-filter-bypass(7330)


CAN-1999-1390

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980428 [Debian 2.0] /usr/bin/suidexec gives root access
Reference: URL:http://darwin.bio.uci.edu/~mcoogan/bugtraq/msg00890.html
Reference: BID:94
Reference: URL:http://www.securityfocus.com/bid/94

Description:
suidexec in suidmanager 0.18 on Debian 2.0 allows local users to gain root privileges by specifying a malicious program on the command line.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:suidmanager-suidexec-root-privileges(7304)


CAN-1999-1391

Phase: Modified (20020218-01)
Reference: CERT:CA-1990-06
Reference: URL:http://www.cert.org/advisories/CA-1990-06.html
Reference: CIAC:B-01
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-01.shtml
Reference: BID:10
Reference: URL:http://www.securityfocus.com/bid/10
Reference: XF:nextstep-npd-root-access(7143)
Reference: URL:http://www.iss.net/security_center/static/7143.php

Description:
Vulnerability in NeXT 1.0a and 1.0 with publicly accessible printers allows local users to gain privileges via a combination of the npd program and weak directory permissions.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:nextstep-npd-root-access(7143)


CAN-1999-1392

Phase: Modified (20020218-01)
Reference: CERT:CA-1990-06
Reference: URL:http://www.cert.org/advisories/CA-1990-06.html
Reference: CIAC:B-01
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-01.shtml
Reference: BID:9
Reference: URL:http://www.securityfocus.com/bid/9
Reference: XF:nextstep-restore09-root-access(7144)
Reference: URL:http://www.iss.net/security_center/static/7144.php

Description:
Vulnerability in restore0.9 installation script in NeXT 1.0a and 1.0 allows local users to gain root privileges.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:nextstep-restore09-root-access(7144)


CAN-1999-1393

Phase: Proposed (20010912)
Reference: MISC:http://freaky.staticusers.net/macsec/data/powerbooksecurity-data.html
Reference: BID:532
Reference: URL:http://www.securityfocus.com/bid/532

Description:
Control Panel "Password Security" option for Apple Powerbooks allows attackers with physical access to the machine to bypass the security by booting it with an emergency startup disk and using a disk editor to modify the on/off toggle or password in the aaaaaaaAPWD file, which is normally inaccessible.

Votes:

   NOOP(3) Wall, Foat, Cole
   REVIEWING(1) Frech
Voter Comments:
 Frech> (Task 2285)


CAN-1999-1394

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990702 BSD-fileflags
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93094058620450&w=2
Reference: BID:510
Reference: URL:http://www.securityfocus.com/bid/510

Description:
BSD 4.4 based operating systems, when running at security level 1, allow the root user to clear the immutable and append-only flags for files by unmounting the file system and using a file system editor such as fsdb to directly modify the file through a device.

Votes:

   ACCEPT(1) Cole
   NOOP(2) Wall, Foat
   REVIEWING(1) Frech
Voter Comments:
 Frech> (Task 2286)


CAN-1999-1395

Phase: Modified (20020218-01)
Reference: CERT:CA-1992-18
Reference: URL:http://www.cert.org/advisories/CA-1992-18.html
Reference: CERT:CA-92.16
Reference: URL:http://www.cert.org/advisories/CA-92.16.VMS.Monitor.vulnerability
Reference: BID:51
Reference: URL:http://www.securityfocus.com/bid/51
Reference: XF:vms-monitor-gain-privileges(7136)
Reference: URL:http://www.iss.net/security_center/static/7136.php

Description:
Vulnerability in Monitor utility (SYS$SHARE:SPISHR.EXE) in VMS 5.0 through 5.4-2 allows local users to gain privileges.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, Wall
Voter Comments:
 Frech> XF:vms-monitor-gain-privileges(7136)
   Duplicate of CAN-1999-1056? If not, indicate why in Analysis
   comments.
 Christey> Note that CAN-1999-1056
 Christey> CAN-1999-1056 is in fact a duplicate.  This candidate will
   be kept, and CAN-1999-1056 will be REJECTed, because this
   candidate has more references.


CAN-1999-1396

Phase: Modified (20020218-01)
Reference: CERT:CA-1992-15
Reference: URL:http://www.cert.org/advisories/CA-1992-15.html
Reference: BID:49
Reference: URL:http://www.securityfocus.com/bid/49
Reference: XF:sun-integer-multiplication-access(7150)
Reference: URL:http://www.iss.net/security_center/static/7150.php

Description:
Vulnerability in integer multiplication emulation code on SPARC architectures for SunOS 4.1 through 4.1.2 allows local users to gain root access or cause a denial of service (crash).

Votes:

   ACCEPT(4) Foat, Cole, Dik, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:sun-integer-multiplication-access(7150)
 Dik> sun bug: 1069072 1071053


CAN-1999-1397

Phase: Modified (20020218-01)
Reference: BUGTRAQ:19990323 Index Server 2.0 and the Registry
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92242671024118&w=2
Reference: NTBUGTRAQ:19990323 Index Server 2.0 and the Registry
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92223293409756&w=2
Reference: BID:476
Reference: URL:http://www.securityfocus.com/bid/476
Reference: XF:iis-indexserver-reveal-path(7559)
Reference: URL:http://www.iss.net/security_center/static/7559.php

Description:
Index Server 2.0 on IIS 4.0 stores physical path information in the ContentIndex\Catalogs subkey of the AllowedPaths registry key, whose permissions allows local and remote users to obtain the physical paths of directories that are being indexed.

Votes:

   ACCEPT(2) Wall, Cole
   MODIFY(1) Frech
   NOOP(1) Foat
Voter Comments:
 Frech> XF:iis-indexserver-reveal-path(7559)


CAN-1999-1398

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970507 Irix: misc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420921&w=2
Reference: MISC:http://www.insecure.org/sploits/irix.xfsdump.html
Reference: BID:472
Reference: URL:http://www.securityfocus.com/bid/472

Description:
Vulnerability in xfsdump in SGI IRIX may allow local users to obtain root privileges via the bck.log log file, possibly via a symlink attack.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(1) Foat
Voter Comments:
 Frech> XF:irix-xfsdump-symlink(7193)


CAN-1999-1399

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970820 SpaceWare 7.3 v1.0
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719552&w=2
Reference: BID:471
Reference: URL:http://www.securityfocus.com/bid/471

Description:
spaceball program in SpaceWare 7.3 v1.0 in IRIX 6.2 allows local users to gain root privileges by setting the HOSTNAME environmental variable to contain the commands to be executed.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(1) Foat
Voter Comments:
 Frech> XF:spaceware-hostname-command-execution(7194)


CAN-1999-1400

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990603 Huge Exploit in NT 4.0 SP5 Screensaver with Password Protection Enabled
Reference: URL:http://archives.indenial.com/hypermail/ntbugtraq/1999/June1999/0007.html
Reference: NTBUGTRAQ:19990603 Re: Huge Exploit in NT 4.0 SP5 Screensaver with Password Protecti on Enabled.
Reference: URL:http://archives.indenial.com/hypermail/ntbugtraq/1999/June1999/0009.html
Reference: NTBUGTRAQ:19990604 Official response from The Economist re: 1999 Screen Saver
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92851653600852&w=2
Reference: BID:466
Reference: URL:http://www.securityfocus.com/bid/466

Description:
The Economist screen saver 1999 with the "Password Protected" option enabled allows users with physical access to the machine to bypass the screen saver and read files by running Internet Explorer while the screen is still locked.

Votes:

   ACCEPT(1) Wall
   NOOP(2) Foat, Cole
   REVIEWING(1) Frech
Voter Comments:
 Frech> (Task 2287)
   CONFIRM NTBUGTRAQ:19990604 Official response from The
   Economist re: 1999 Screen Saver


CAN-1999-1401

Phase: Modified (20020218-01)
Reference: SGI:19961201-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19961201-01-PX
Reference: BID:463
Reference: URL:http://www.securityfocus.com/bid/463
Reference: XF:irix-searchbook-permissions(7575)
Reference: URL:http://www.iss.net/security_center/static/7575.php

Description:
Vulnerability in Desktop searchbook program in IRIX 5.0.x through 6.2 sets insecure permissions for certain user files (iconbook and searchbook).

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:irix-searchbook-permissions(7575)


CAN-1999-1403

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981002 Several potential security problems in IBM/Tivoli OPC Tracker Age nt
Reference: URL:http://www.securityfocus.com/archive/1/10771
Reference: BID:382
Reference: URL:http://www.securityfocus.com/bid/382

Description:
IBM/Tivoli OPC Tracker Agent version 2 release 1 creates files, directories, and IPC message queues with insecure permissions (world-readable and world-writable), which could allow local users to disrupt operations and possibly gain privileges by modifying or deleting files.

Votes:

   NOOP(3) Wall, Foat, Cole

CAN-1999-1404

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981002 Several potential security problems in IBM/Tivoli OPC Tracker Age nt
Reference: URL:http://www.securityfocus.com/archive/1/10771
Reference: BID:382
Reference: URL:http://www.securityfocus.com/bid/382

Description:
IBM/Tivoli OPC Tracker Agent version 2 release 1 allows remote attackers to cause a denial of service (resource exhaustion) via malformed data to the localtracker client port (5011), which prevents the connection from being closed properly.

Votes:

   NOOP(3) Wall, Foat, Cole

CAN-1999-1405

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990217 snap utility for AIX.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91936783009385&w=2
Reference: BUGTRAQ:19990220 Re: snap utility for AIX.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91954824614013&w=2
Reference: BID:375
Reference: URL:http://www.securityfocus.com/bid/375

Description:
snap command in AIX before 4.3.2 creates the /tmp/ibmsupt directory with world-readable permissions and does not remove or clear the directory when snap -a is executed, which could allow local users to access the shadowed password file by creating /tmp/ibmsupt/general/passwd before root runs snap -a.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:aix-snap-insecure-tmp(7560)


CAN-1999-1406

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980729 Crash a redhat 5.1 linux box
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526185&w=2
Reference: BUGTRAQ:19980730 FD's 0..2 and suid/sgid procs (Was: Crash a redhat 5.1 linux box)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526192&w=2
Reference: BID:372
Reference: URL:http://www.securityfocus.com/bid/372

Description:
dumpreg in Red Hat Linux 5.1 opens /dev/mem with O_RDWR access, which allows local users to cause a denial of service (crash) by redirecting fd 1 (stdout) to the kernel.

Votes:

   ACCEPT(1) Cole
   NOOP(2) Wall, Foat

CAN-1999-1408

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970305 Bug in connect() for aix 4.1.4 ?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420641&w=2
Reference: BID:352
Reference: URL:http://www.securityfocus.com/bid/352

Description:
Vulnerability in AIX 4.1.4 and HP-UX 10.01 and 9.05 allows local users to cause a denial of service (crash) by using a socket to connect to a port on the localhost, calling shutdown to clear the socket, then using the same socket to connect to a different port on localhost.

Votes:

   MODIFY(1) Frech
   NOOP(3) Christey, Foat, Cole
Voter Comments:
 Frech> XF: aix-hpux-connect-dos(7195)
 Christey> BUGTRAQ:19970307 Re: Bug in connect() ?
   URL:http://www.securityfocus.com/archive/1/Pine.HPP.3.92.970307195408.12139B-100000@wpax13.physik.uni-wuerzburg.de
   BUGTRAQ:19970311 Re: Bug in connect() for aix 4.1.4 ?
   URL:http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=6419


CAN-1999-1410

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970509 Re: Irix: misc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420927&w=2
Reference: MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX
Reference: BID:330
Reference: URL:http://www.securityfocus.com/bid/330

Description:
addnetpr in IRIX 5.3 and 6.2 allows local users to overwrite arbitrary files and possibly gain root privileges via a symlink attack on the printers temporary file.

Votes:

   NOOP(2) Foat, Cole
   REJECT(2) Christey, Frech
Voter Comments:
 Christey> DUPE CAN-1999-1286
   Need to add these references to CAN-1999-1286


CAN-1999-1412

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990603 MacOS X system panic with CGI
Reference: URL:http://www.securityfocus.com/archive/1/14215
Reference: BID:306
Reference: URL:http://www.securityfocus.com/bid/306

Description:
A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service (crash) via a flood of HTTP GET requests to CGI programs, which generates a large number of processes.

Votes:

   NOOP(3) Wall, Foat, Cole
   REVIEWING(1) Frech
Voter Comments:
 Frech> (Task 2288)


CAN-1999-1413

Phase: Proposed (20010912)
Reference: BUGTRAQ:19960803 Exploiting Zolaris 2.4 ?? :)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419549&w=2
Reference: BID:296
Reference: URL:http://www.securityfocus.com/bid/296

Description:
Solaris 2.4 before kernel jumbo patch -35 allows set-gid programs to dump core even if the real user id is not in the set-gid group, which allows local users to overwrite or create files at higher privileges by causing a core dump, e.g. through dmesg.

Votes:

   MODIFY(2) Frech, Dik
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:solaris-coredump-symlink(7196)
 Dik> sun bug: 1208241
   
   Also applies to set-uid executables that have made real
   and effective uid identical


CAN-1999-1415

Phase: Proposed (20010912)
Reference: CERT:CA-91.13
Reference: URL:http://www.cert.org/advisories/CA-91.13.Ultrix.mail.vulnerability
Reference: BID:27
Reference: URL:http://www.securityfocus.com/bid/27

Description:
Vulnerability in /usr/bin/mail in DEC ULTRIX before 4.2 allows local users to gain privileges.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, Wall
Voter Comments:
 Frech> XF:bsd-binmail(515)
   CA-1991-13 was superseded by CA-1995-02.
 Christey> Is there overlap between CAN-1999-1415 and CAN-1999-1438?
   Both CERT advisories are vague.


CAN-1999-1416

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980823 Solaris ab2 web server is junk
Reference: URL:http://www.securityfocus.com/archive/1/10383
Reference: BID:253
Reference: URL:http://www.securityfocus.com/bid/253

Description:
AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large content-length.

Votes:

   NOOP(3) Wall, Foat, Cole

CAN-1999-1417

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980823 Solaris ab2 web server is junk
Reference: URL:http://www.securityfocus.com/archive/1/10383
Reference: BID:253
Reference: URL:http://www.securityfocus.com/bid/253

Description:
Format string vulnerability in AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via encoded % characters in an HTTP request, which is improperly logged.

Votes:

   ACCEPT(1) Dik
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Dik> sun bug: 4218283


CAN-1999-1418

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990501 Update: security hole in the ICQ-Webserver
Reference: URL:http://www.securityfocus.com/archive/1/13508
Reference: BID:246
Reference: URL:http://www.securityfocus.com/bid/246

Description:
ICQ99 ICQ web server build 1701 with "Active Homepage" enabled generates allows remote attackers to determine the existence of files on the server by comparing server responses when a file exists ("404 Forbidden") versus when a file does not exist ("404 not found").

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF;icq-webserver-gain-information(8229)
   CONFIRM:http://online.securityfocus.com/archive/1/13655


CAN-1999-1420

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980720 N-Base Vulnerability Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526016&w=2
Reference: BUGTRAQ:19980722 N-Base Vulnerability Advisory Followup
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526065&w=2
Reference: BID:212
Reference: URL:http://www.securityfocus.com/bid/212

Description:
NBase switches NH2012, NH2012R, NH2015, and NH2048 have a back door password that cannot be disabled, which allows remote attackers to modify the switch's configuration.

Votes:

   ACCEPT(1) Cole
   NOOP(2) Wall, Foat

CAN-1999-1421

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980720 N-Base Vulnerability Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526016&w=2
Reference: BUGTRAQ:19980722 N-Base Vulnerability Advisory Followup
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526065&w=2
Reference: BID:212
Reference: URL:http://www.securityfocus.com/bid/212

Description:
NBase switches NH208 and NH215 run a TFTP server which allows remote attackers to send software updates to modify the switch or cause a denial of service (crash) by guessing the target filenames, which have default names.

Votes:

   ACCEPT(2) Foat, Cole
   NOOP(1) Wall

CAN-1999-1422

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990102 PATH variable in zip-slackware 2.0.35
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91540043023167&w=2
Reference: BID:211
Reference: URL:http://www.securityfocus.com/bid/211

Description:
The default configuration of Slackware 3.4, and possibly other versions, includes . (dot, the current directory) in the PATH environmental variable, which could allow local users to create Trojan horse programs that are inadvertently executed by other users.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:linux-path-execute-commands(7561)


CAN-1999-1424

Phase: Proposed (20010912)
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208

Description:
Solaris Solstice AdminSuite (AdminSuite) 2.1 uses unsafe permissions when adding new users to the NIS+ password table, which allows local users to gain root access by modifying their password table entries.

Votes:

   ACCEPT(4) Foat, Cole, Dik, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:solaris-adminsuite-nisplus-password(7467)
 Dik> sun bug:1237225


CAN-1999-1425

Phase: Proposed (20010912)
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208

Description:
Solaris Solstice AdminSuite (AdminSuite) 2.1 incorrectly sets write permissions on source files for NIS maps, which could allow local users to gain privileges by modifying /etc/passwd.

Votes:

   ACCEPT(4) Foat, Cole, Dik, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:solaris-adminsuite-password-map-permissions(7468)
 Dik> 1236787


CAN-1999-1426

Phase: Proposed (20010912)
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208

Description:
Solaris Solstice AdminSuite (AdminSuite) 2.1 follows symbolic links when updating an NIS database, which allows local users to overwrite arbitrary files.

Votes:

   ACCEPT(4) Foat, Cole, Dik, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:solaris-adminsuite-symlink(7469)
 Dik> sun bug: 1262888


CAN-1999-1427

Phase: Proposed (20010912)
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208

Description:
Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 create lock files insecurely, which allows local users to gain root privileges.

Votes:

   ACCEPT(4) Foat, Cole, Dik, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:solaris-adminsuite-lock-file(7470)
 Dik> sun bug: 1262888


CAN-1999-1428

Phase: Proposed (20010912)
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208

Description:
Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 allows local users to gain privileges via the save option in the Database Manager, which is running with setgid bin privileges.

Votes:

   ACCEPT(4) Foat, Cole, Dik, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:solaris-adminsuite-database-manager(7471)
 Dik> sun bug: 4005611


CAN-1999-1429

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980105 Security flaw in either DIT TransferPro or Solaris
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88419633507543&w=2
Reference: BID:204
Reference: URL:http://www.securityfocus.com/bid/204

Description:
DIT TransferPro installs devices with world-readable and world-writable permissions, which could allow local users to damage disks through the ff device driver.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:transferpro-devices-insecure-permissions(7305)


CAN-1999-1430

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990102 security problem with Royal daVinci
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91540043723185&w=2
Reference: BID:185
Reference: URL:http://www.securityfocus.com/bid/185

Description:
PIM software for Royal daVinci does not properly password-protext access to data stored in the .mdb (Microsoft Access) file, which allows local users to read the data without a password by directly accessing the files with a different application, such as Access.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:davinci-pim-access-information(7562)


CAN-1999-1431

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990107 WinNT, ZAK and Office 97
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91576100022688&w=2
Reference: NTBUGTRAQ:19990109 WinNT, ZAK and Office 97
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91606260910008&w=2
Reference: BID:181
Reference: URL:http://www.securityfocus.com/bid/181

Description:
ZAK in Appstation mode allows users to bypass the "Run only allowed apps" policy by starting Explorer from Office 97 applications (such as Word), installing software into the TEMP directory, and changing the name to that for an allowed application, such as Winword.exe.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:zak-bypass-restrictions(7563)


CAN-1999-1434

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980713 Slackware Shadow Insecurity
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525951&w=2
Reference: BID:155
Reference: URL:http://www.securityfocus.com/bid/155

Description:
login in Slackware Linux 3.2 through 3.5 does not properly check for an error when the /etc/group file is missing, which prevents it from dropping privileges, causing it to assign root privileges to any local user who logs on to the server.

Votes:

   NOOP(3) Wall, Foat, Cole

CAN-1999-1435

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980710 socks5 1.0r5 buffer overflow..
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525933&w=2
Reference: BID:154
Reference: URL:http://www.securityfocus.com/bid/154

Description:
Buffer overflow in libsocks5 library of Socks 5 (socks5) 1.0r5 allows local users to gain privileges via long environmental variables.

Votes:

   ACCEPT(1) Cole
   NOOP(2) Wall, Foat

CAN-1999-1436

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980708 WWW Authorization Gateway
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525905&w=2
Reference: BID:152
Reference: URL:http://www.securityfocus.com/bid/152

Description:
Ray Chan WWW Authorization Gateway 0.1 CGI program allows remote attackers to execute arbitrary commands via shell metacharacters in the "user" parameter.

Votes:

   NOOP(3) Wall, Foat, Cole

CAN-1999-1438

Phase: Proposed (20010912)
Reference: CERT:CA-1991-01
Reference: URL:http://www.cert.org/advisories/CA-91.01a.SunOS.mail.vulnerability
Reference: SUN:00105
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/105
Reference: BID:15
Reference: URL:http://www.securityfocus.com/bid/15

Description:
Vulnerability in /bin/mail in SunOS 4.1.1 and earlier allows local users to gain root privileges via certain command line arguments.

Votes:

   ACCEPT(4) Foat, Cole, Dik, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, Wall
Voter Comments:
 Frech> XF:bsd-binmail(515)
 Dik> sun bug: 1047340
 Christey> Is there overlap between CAN-1999-1415 and CAN-1999-1438?
   Both CERT advisories are vague.


CAN-1999-1439

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980102 Symlink bug with GCC 2.7.2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88419592307388&w=2
Reference: BUGTRAQ:19980108 GCC Exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88524071002939&w=2
Reference: BUGTRAQ:19980115 GCC 2.7.? /tmp files
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88492937727193&w=2
Reference: BID:146
Reference: URL:http://www.securityfocus.com/bid/146

Description:
gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:gnu-gcc-tmp-symlink(7338)


CAN-1999-1440

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990101 Win32 ICQ 98a flaw
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91522424302962&w=2
Reference: BID:132
Reference: URL:http://www.securityfocus.com/bid/132

Description:
Win32 ICQ 98a 1.30, and possibly other versions, does not display the entire portion of long filenames, which could allow attackers to send an executable file with a long name that contains so many spaces that the .exe extension is not displayed, which could make the user believe that the file is safe to open from the client.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:icq-long-filename(7564)


CAN-1999-1441

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980630 Serious Linux 2.0.34 security problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103126047&w=2
Reference: BID:111
Reference: URL:http://www.securityfocus.com/bid/111

Description:
Linux 2.0.34 does not properly prevent users from sending SIGIO signals to arbitrary processes, which allows local users to cause a denial of service by sending SIGIO to processes that do not catch it.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:linux-sigio-dos(7339)


CAN-1999-1442

Phase: Proposed (20010912)
Reference: MISC:http://www.cs.helsinki.fi/linux/linux-kernel/Year-1998/1998-25/0816.html
Reference: MISC:http://uwsg.iu.edu/hypermail/linux/kernel/9805.3/0855.html
Reference: BID:105
Reference: URL:http://www.securityfocus.com/bid/105

Description:
Bug in AMD K6 processor on Linux 2.0.x and 2.1.x kernels allows local users to cause a denial of service (crash) via a particular sequence of instructions, possibly related to accessing addresses outside of segments.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:linux-k6-dos(7340)


CAN-1999-1443

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980602 Full Armor.... Fool Proof etc... bugs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125889&w=2
Reference: BUGTRAQ:19980609 Full Armor
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125869&w=2
Reference: BID:103
Reference: URL:http://www.securityfocus.com/bid/103

Description:
Micah Software Full Armor Network Configurator and Zero Administration allow local users with physical access to bypass the desktop protection by (1) using <CTRL><ALT><DEL> and kill the process using the task manager, (2) booting the system from a separate disk, or (3) interrupting certain processes that execute while the system is booting.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:full-armor-protection-bypass(7341)


CAN-1999-1444

Phase: Proposed (20010912)
Reference: MISC:http://catless.ncl.ac.uk/Risks/20.41.html#subj4

Description:
genkey utility in Alibaba 2.0 generates RSA key pairs with an exponent of 1, which results in transactions that are sent in cleartext.

Votes:

   NOOP(3) Wall, Foat, Cole
   REVIEWING(1) Frech
Voter Comments:
 Frech> (Task 2290)


CAN-1999-1445

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980202 imapd/ipop3d coredump in slackware 3.4
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88637951600184&w=2

Description:
Vulnerability in imapd and ipop3d in Slackware 3.4 and 3.3 with shadowing enabled, and possibly other operating systems, allows remote attackers to cause a core dump via a short sequence of USER and PASS commands that do not provide valid usernames or passwords.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:linux-imapd-ipop3d-dos(7345)


CAN-1999-1446

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19970805 Re: Strange behavior regarding directory
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=87602837719654&w=2
Reference: NTBUGTRAQ:19970806 Re: Strange behavior regarding directory
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=87602837719655&w=2

Description:
Internet Explorer 3 records a history of all URL's that are visited by a user in DAT files located in the Temporary Internet Files and History folders, which are not cleared when the user selects the "Clear History" option, and are not visible when the user browses the folders because of tailored displays.

Votes:

   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:http-ie-record(524)
   In description, URL's should be URLs.


CAN-1999-1447

Phase: Modified (20020218-01)
Reference: BUGTRAQ:19980728 Object tag crashes Internet Explorer 4.0
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526169&w=2
Reference: BUGTRAQ:19980730 Re: Object tag crashes Internet Explorer 4.0
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526188&w=2

Description:
Internet Explorer 4.0 allows remote attackers to cause a denial of service (crash) via HTML code that contains a long CLASSID parameter in an OBJECT tag.

Votes:

   ACCEPT(2) Wall, Cole
   NOOP(2) Christey, Foat
Voter Comments:
 Christey> BUGTRAQ:19980730 Re: Object tag crashes Internet Explorer 4.0
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526188&w=2


CAN-1999-1448

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980729 Eudora exploit (was Microsoft Security Bulletin (MS98-008))
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526168&w=2

Description:
Eudora and Eudora Light before 3.05 allows remote attackers to cause a crash and corrupt the user's mailbox via an e-mail message with certain dates, such as (1) dates before 1970, which cause a Divide By Zero error, or (2) dates that are 100 years after the current date, which causes a segmentation fault.

Votes:

   NOOP(3) Wall, Foat, Cole

CAN-1999-1449

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970519 /dev/tcx0 crashes SunOS 4.1.4 on Sparc 20's
Reference: URL:http://oamk.fi/~jukkao/bugtraq/before-971202/0498.html
Reference: MISC:http://www.insecure.org/sploits/sunos.dev.tcx0.write.wierd.shit.to.device.bug.html

Description:
SunOS 4.1.4 on a Sparc 20 machine allows local users to cause a denial of service (kernel panic) by reading from the /dev/tcx0 TCX device.

Votes:

   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:sun-tcx-dos(7197)


CAN-1999-1450

Phase: Proposed (20010912)
Reference: SCO:SB-99.03b
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.03b
Reference: SCO:SB-99.06b
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.06b
Reference: SCO:SSE020
Reference: URL:ftp://ftp.sco.COM/SSE/sse020.ltr
Reference: SCO:SSE023

Description:
Vulnerability in (1) rlogin daemon rshd and (2) scheme on SCO UNIX OpenServer 5.0.5 and earlier, and SCO UnixWare 7.0.1 and earlier, allows remote attackers to gain privileges.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:sco-rshd(7466)
   Correct URLS are listed below:
   Reference: SCO:SSE020
   Reference:
   URL:ftp://stage.caldera.com/pub/security/sse/sse020/sse020.ltr
   Reference: SCO:SSE023
   Reference:
   URL:ftp://stage.caldera.com/pub/security/sse/sse023/sse023.ltr


CAN-1999-1451

Phase: Proposed (20010912)
Reference: MSKB:Q231368
Reference: URL:http://support.microsoft.com/support/kb/articles/q231/3/68.asp
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: XF:iis-samples-winmsdp(3271)
Reference: URL:http://xforce.iss.net/static/3271.php

Description:
The Winmsdp.exe sample file in IIS 4.0 and Site Server 3.0 allows remote attackers to read arbitrary files.

Votes:

   ACCEPT(4) Frech, Wall, Foat, Cole

CAN-1999-1453

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990222 New IE4 vulnerability : the clipboard again.
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91979439932341&w=2
Reference: BID:215
Reference: URL:http://www.securityfocus.com/bid/215

Description:
Internet Explorer 4 allows remote attackers (malicious web site operators) to read the contents of the clipboard via the Internet WebBrowser ActiveX object.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:webbrowser-activex-view-clipboard(7565)
   REMOVE:http://www.securityfocus.com/bid/215 This reference
   deals with the Forms vulnerability only.


CAN-1999-1454

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991004 Weakness In "The Matrix" Screensaver For Windows
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93915027622690&w=2

Description:
Macromedia "The Matrix" screen saver on Windows 95 with the "Password protected" option enabled allows attackers with physical access to the machine to bypass the password prompt by pressing the ESC (Escape) key.

Votes:

   MODIFY(1) Frech
   NOOP(4) Christey, Wall, Foat, Cole
Voter Comments:
 Christey> Looks like there might have been a re-discovery, though the
   exploit is slightly different, and there is insufficient
   detail to be certain that this isn't for a different
   Matrix screen saver:
   BUGTRAQ:20010801 matrix screensvr(16 Bit CineMac Screen Saver Engine) - [input validation error?]
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99669949717618&w=2
   BID:3130
   URL:http://www.securityfocus.com/bid/3130
 Frech> XF:matrix-win95-password-bypass(8280)


CAN-1999-1457

Phase: Proposed (20010912)
Reference: SUSE:19991116 thttpd
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_30.txt

Description:
Buffer overflow in thttpd HTTP server before 2.04-31 allows remote attackers to execute arbitrary commands via a long date string, which is not properly handled by the tdate_parse function.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   REJECT(1) Frech

CAN-1999-1458

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990125 Digital Unix 4.0 exploitable buffer overflows
Reference: URL:http://www.securityfocus.com/archive/1/12121
Reference: SCO:SSRT0583U
Reference: URL:http://ftp1.support.compaq.com/public/dunix/v4.0d/ssrt0583u.README
Reference: XF:du-at(3138)
Reference: URL:http://xforce.iss.net/static/3138.php

Description:
Buffer overflow in at program in Digital UNIX 4.0 allows local users to gain root privileges via a long command line argument.

Votes:

   ACCEPT(3) Frech, Foat, Cole
   NOOP(1) Stracener

CAN-1999-1459

Phase: Proposed (20010912)
Reference: ISS:19981102 BMC PATROL File Creation Vulnerability
Reference: URL:http://xforce.iss.net/alerts/advise10.php
Reference: XF:bmc-patrol-file-create(1388)
Reference: URL:http://xforce.iss.net/static/1388.php
Reference: BID:534
Reference: URL:http://www.securityfocus.com/bid/534

Description:
BMC PATROL Agent before 3.2.07 allows local users to gain root privileges via a symlink attack on a temporary file.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(3) Christey, Wall, Foat
Voter Comments:
 Christey> The vendor has acknowledged this vulnerability via e-mail.  It
   has been fixed.
   
   NOTE: despite the fact that this candidate has been acknowledged
   and fixed by the vendor, it is affected by the CVE content
   decision CD:SF-LOC.  It cannot be accepted until the
   CD:SF-LOC guidelines have been finalized.


CAN-1999-1460

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990713 Root Perms Gained with Patrol SNMP Agent 3.2 (all others?)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93198293132463&w=2
Reference: BUGTRAQ:19990801 Re: Root Perms Gained with Patrol SNMP Agent 3.2 (all others?)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93372579004129&w=2
Reference: BID:525
Reference: URL:http://www.securityfocus.com/bid/525

Description:
BMC PATROL SNMP Agent before 3.2.07 allows local users to create arbitrary world-writeable files as root by specifying the target file as the second argument to the snmpmagt program.

Votes:

   MODIFY(1) Frech
   NOOP(4) Christey, Wall, Foat, Cole
Voter Comments:
 Frech> XF:patrol-snmp-file-creation(2347)
 Christey> The vendor has acknowledged this vulnerability via e-mail.  It
   has been fixed.
   
   NOTE: despite the fact that this candidate has been acknowledged
   and fixed by the vendor, it is affected by the CVE content
   decision CD:SF-LOC.  It cannot be accepted until the
   CD:SF-LOC guidelines have been finalized.


CAN-1999-1461

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970507 Irix: misc
Reference: URL:http://www.securityfocus.com/archive/1/6702
Reference: SGI:20001101-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20001101-01-I
Reference: BID:381
Reference: URL:http://www.securityfocus.com/bid/381

Description:
inpview in InPerson on IRIX 5.3 through IRIX 6.5.10 trusts the PATH environmental variable to find and execute the ttsession program, which allows local users to obtain root access by modifying the PATH to point to a Trojan horse ttsession program.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   REJECT(1) Frech
Voter Comments:
 Frech> Possible conflict with CVE-2000-0799.


CAN-1999-1462

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990426 FW: Security Notice: Big Brother 1.09b/c
Reference: URL:http://www.securityfocus.com/archive/1/13440
Reference: CONFIRM:http://bb4.com/README.CHANGES
Reference: BID:142
Reference: URL:http://www.securityfocus.com/bid/142
Reference: XF:http-cgi-bigbrother-bbhist(3755)
Reference: URL:http://xforce.iss.net/static/3755.php

Description:
Vulnerability in bb-hist.sh CGI History module in Big Brother 1.09b and 1.09c allows remote attacker to read portions of arbitrary files.

Votes:

   ACCEPT(5) Frech, Foat, Cole, Armstrong, Stracener
   NOOP(1) Wall

CAN-1999-1463

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970710 A New Fragmentation Attack
Reference: URL:http://www.securityfocus.com/archive/1/7219
Reference: XF:nt-frag(528)
Reference: URL:http://xforce.iss.net/static/528.php

Description:
Windows NT 4.0 before SP3 allows remote attackers to bypass firewall restrictions or cause a denial of service (crash) by sending improperly fragmented IP packets without the first fragment, which the TCP/IP stack incorrectly reassembles into a valid session.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(1) Foat
Voter Comments:
 Frech> This issue is also listed under CAN-1999-0226.


CAN-1999-1464

Phase: Proposed (20010912)
Reference: CISCO:19981105 Cisco IOS DFS Access List Leakage
Reference: URL:http://www.cisco.com/warp/public/770/iosdfsacl-pub.shtml
Reference: CIAC:J-016
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-016.shtml
Reference: XF:cisco-acl-leakage(1401)
Reference: URL:http://xforce.iss.net/static/1401.php

Description:
Vulnerability in Cisco IOS 11.1CC and 11.1CT with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled interface to an interface that does not have DFS enabled, as described by Cisco bug CSCdk35564.

Votes:

   ACCEPT(6) Frech, Balinsky, Foat, Cole, Armstrong, Stracener
   NOOP(1) Wall

CAN-1999-1465

Phase: Modified (20020228-01)
Reference: CISCO:19981105 Cisco IOS DFS Access List Leakage
Reference: URL:http://www.cisco.com/warp/public/770/iosdfsacl-pub.shtml
Reference: CIAC:J-016
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-016.shtml
Reference: XF:cisco-acl-leakage(1401)
Reference: URL:http://xforce.iss.net/static/1401.php

Description:
Vulnerability in Cisco IOS 11.1 through 11.3 with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled input interface to an output interface with a logical subinterface, as described by Cisco bug CSCdk43862.

Votes:

   ACCEPT(6) Frech, Balinsky, Foat, Cole, Armstrong, Stracener
   NOOP(1) Wall

CAN-1999-1466

Phase: Proposed (20010912)
Reference: CERT:CA-1992-20
Reference: URL:http://www.cert.org/advisories/CA-1992-20.html
Reference: BID:53
Reference: URL:http://www.securityfocus.com/bid/53

Description:
Vulnerability in Cisco routers versions 8.2 through 9.1 allows remote attackers to bypass access control lists when extended IP access lists are used on certain interfaces, the IP route cache is enabled, and the access list uses the "established" keyword.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, Wall
Voter Comments:
 Frech> XF:cisco-acl-established(1248)
   Possible dupe with CVE-1999-0162.
 Christey> This is not a dupe with CVE-1999-0162.  The Cisco advisory
   referenced in CVE-1999-0162 says that affected Cisco versions
   are 10.0 through 10.3.  This CAN deals with versions 8.2
   through 9.1.  In addition, the date of release of
   CVE-1999-0162 is June 1995; this CAN was released December
   1992.  Both items include clear Cisco acknowledgement with
   details, so we should conclude that  they are separate
   problems, despite the vagueness of the reports.


CAN-1999-1467

Phase: Proposed (20010912)
Reference: CERT:CA-1989-07
Reference: URL:http://www.cert.org/advisories/CA-1989-07.html
Reference: BID:5
Reference: URL:http://www.securityfocus.com/bid/5
Reference: XF:sun-rcp(3165)
Reference: URL:http://xforce.iss.net/static/3165.php

Description:
Vulnerability in rcp on SunOS 4.0.x allows remote attackers from trusted hosts to execute arbitrary commands as root, possibly related to the configuration of the nobody user.

Votes:

   ACCEPT(5) Frech, Foat, Cole, Dik, Stracener
   NOOP(1) Wall
Voter Comments:
 Dik> sun bug: 1028958


CAN-1999-1469

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990930 mini-sql Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93871926821410&w=2

Description:
Buffer overflow in w3-auth CGI program in miniSQL package allows remote attackers to execute arbitrary commands via an HTTP request with (1) a long URL, or (2) a long User-Agent MIME header.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:msql-w3auth-bo(8301)


CAN-1999-1470

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990624 Eastman Software Work Management 3.21
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93034788412494&w=2
Reference: XF:eastman-cleartext-passwords(2303)
Reference: URL:http://xforce.iss.net/static/2303.php
Reference: BID:485
Reference: URL:http://www.securityfocus.com/bid/485

Description:
Eastman Work Management 3.21 stores passwords in cleartext in the COMMON and LOCATOR registry keys, which could allow local users to gain privileges.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1471

Phase: Modified (20020218-01)
Reference: CERT:CA-1989-01
Reference: URL:http://www.cert.org/advisories/CA-1989-01.html
Reference: BID:4
Reference: URL:http://www.securityfocus.com/bid/4
Reference: XF:bsd-passwd-bo(7152)
Reference: URL:http://www.iss.net/security_center/static/7152.php

Description:
Buffer overflow in passwd in BSD based operating systems 4.3 and earlier allows local users to gain root privileges by specifying a long shell or GECOS field.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:bsd-passwd-bo(7152)


CAN-1999-1474

Phase: Proposed (20010912)
Reference: CONFIRM:http://www.microsoft.com/windows/ie/security/powerpoint.asp
Reference: XF:nt-ppt-patch(179)
Reference: URL:http://xforce.iss.net/static/179.php

Description:
PowerPoint 95 and 97 allows remote attackers to cause an application to be run automatically without prompting the user, possibly through the slide show, when the document is opened in browsers such as Internet Explorer.

Votes:

   ACCEPT(6) Frech, Wall, Foat, Cole, Armstrong, Stracener
Voter Comments:
 Frech> Looks like CONFIRM URL is too old for Microsoft to keep
   (currently cached at
   http://www.google.com/search?q=cache:86loHcRhaL4:www.microsoft.com/ie/
   security/powerpoint.htm+%22PowerPoint+Browsing+Security+Issue%22&hl=en
   ). Same information is available at BugTraq at
   http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=6724


CAN-1999-1475

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991119 ProFTPd - mod_sqlpw.c
Reference: URL:http://www.securityfocus.com/archive/1/35483
Reference: BID:812
Reference: URL:http://www.securityfocus.com/bid/812

Description:
ProFTPd 1.2 compiled with the mod_sqlpw module records user passwords in the wtmp log file, which allows local users to obtain the passwords and gain privileges by reading wtmp, e.g. via the last command.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:proftpd-modsqlpw-insecure-passwords(8332)


CAN-1999-1477

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990923 Linux GNOME exploit
Reference: URL:http://www.securityfocus.com/archive/1/28717
Reference: BID:663
Reference: URL:http://www.securityfocus.com/bid/663
Reference: XF:gnome-espeaker-local-bo(3349)
Reference: URL:http://xforce.iss.net/static/3349.php

Description:
Buffer overflow in GNOME libraries 1.0.8 allows local user to gain root access via a long --espeaker argument in programs such as nethack.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1479

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980624 textcounter.pl SECURITY HOLE
Reference: URL:http://www.securityfocus.com/archive/1/9609
Reference: XF:http-cgi-textcounter(2052)
Reference: URL:http://xforce.iss.net/static/2052.php

Description:
The textcounter.pl by Matt Wright allows remote attackers to execute arbitrary commands via shell metacharacters.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1480

Phase: Proposed (20010912)
Reference: BID:429
Reference: URL:http://www.securityfocus.com/bid/429

Description:
(1) acledit and (2) aclput in AIX 4.3 allow local users to create or modify files via a symlink attack.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:aix-acledit-aclput-symlink(7346)
   CONFIRM:APAR IX79139


CAN-1999-1482

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990219 Security hole: "zgv"
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-02-15&msg=Pine.LNX.3.96.990219175605.9622A-100000@ferret.lmh.ox.ac.uk

Description:
SVGAlib zgv 3.0-7 and earlier allows local users to gain root access via a privilege leak of the iopl(3) privileges to child processes.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:zgv-privilege-leak(1798)


CAN-1999-1483

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970619 svgalib/zgv
Reference: URL:http://www.securityfocus.com/archive/1/7041

Description:
Buffer overflow in zgv in svgalib 1.2.10 and earlier allows local users to execute arbitrary code via a long HOME environment variable.

Votes:

   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF;linux-svgalib-dos(3412)


CAN-1999-1484

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns
Reference: URL:http://www.securityfocus.com/archive/1/28719
Reference: XF:msn-setup-bbs-activex-bo(3310)
Reference: URL:http://xforce.iss.net/static/3310.php
Reference: BID:668
Reference: URL:http://www.securityfocus.com/bid/668

Description:
Buffer overflow in MSN Setup BBS 4.71.0.10 ActiveX control (setupbbs.ocx) allows a remote attacker to execute arbitrary commands via the methods (1) vAddNewsServer or (2) bIsNewsServerConfigured.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1485

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990531 IRIX 6.5 nsd virtual filesystem vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/13999
Reference: XF:sgi-nsd-view(2246)
Reference: URL:http://xforce.iss.net/static/2246.php
Reference: XF:sgi-nsd-create(2247)
Reference: URL:http://xforce.iss.net/static/2247.php
Reference: BID:412
Reference: URL:http://www.securityfocus.com/bid/412

Description:
nsd in IRIX 6.5 through 6.5.2 exports a virtual filesystem on a UDP port, which allows remote attackers to view files and cause a possible denial of service by mounting the nsd virtual file system.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1486

Phase: Proposed (20010912)
Reference: BID:408
Reference: URL:http://www.securityfocus.com/bid/408
Reference: AIXAPAR:IX75554
Reference: AIXAPAR:IX76853
Reference: AIXAPAR:IX76330

Description:
sadc in IBM AIX 4.1 through 4.3 allows local users to overwrite files via a symlink attack.

Votes:

   ACCEPT(4) Bollinger, Foat, Cole, Stracener
   NOOP(1) Christey
Voter Comments:
 Christey> The description needs to be modified to mention the role of
   timex.  The one-line description for the IX75554
   APAR mentions timex instead of sadc, but the BID mentions
   sadc and not timex.  This apparent discrepancy is resolved
   by a README file for the fileset that is used by IX75554:
   
   CONFIRM:http://techsupport.services.ibm.com/aix/fixes/v4/os/bos.acct.4.3.1.0.info
   
   This clearly shows the relationship between timex and sadc.
 Bollinger> The one line abstract is somewhat misleading.  The timex
   command calls sadc with a filename and it's the sadc command that can
   be tricked into modifying files owned by the adm group.  Since sadc is
   only executable by group adm, a local attacker would need to use timex
   to exploit this.  (timex is setgid adm.)  So the vulnerability is
   really in sadc and that's where the fix was made.


CAN-1999-1487

Phase: Modified (20020218-01)
Reference: AIXAPAR:IX74599
Reference: URL:http://www-1.ibm.com/servlet/support/manager?rt=0&rs=0&org=apars&doc=41D8B61D1E1C4FAB852567C9002C546C
Reference: BID:405
Reference: URL:http://www.securityfocus.com/bid/405
Reference: XF:aix-digest(7477)
Reference: URL:http://www.iss.net/security_center/static/7477.php

Description:
Vulnerability in digest in AIX 4.3 allows printq users to gain root privileges by creating and/or modifing any file on the system.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:aix-digest(7477)


CAN-1999-1489

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970304 Linux SuperProbe exploit
Reference: URL:http://www.securityfocus.com/archive/1/6384
Reference: BID:364
Reference: URL:http://www.securityfocus.com/bid/364

Description:
Buffer overflow in TestChip function in XFree86 SuperProbe in Slackware Linux 3.1 allows local users to gain root privileges via a long -nopr argument.

Votes:

   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:xfree86-superprobe-testchip-bo(7198)


CAN-1999-1491

Phase: Proposed (20010912)
Reference: BUGTRAQ:19960202 abuse Red Hat 2.1 security hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418994&w=2
Reference: BID:354
Reference: URL:http://www.securityfocus.com/bid/354

Description:
abuse.console in Red Hat 2.1 uses relative pathnames to find and execute the undrv program, which allows local users to execute arbitrary commands via a path that points to a Trojan horse program.

Votes:

   ACCEPT(1) Cole
   NOOP(1) Foat

CAN-1999-1492

Phase: Proposed (20010912)
Reference: SGI:19980502-01-P3030
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980502-01-P3030
Reference: XF:sgi-diskalign(2104)
Reference: URL:http://xforce.iss.net/static/2104.php
Reference: XF:sgi-diskperf(2103)
Reference: URL:http://xforce.iss.net/static/2103.php
Reference: BID:348
Reference: URL:http://www.securityfocus.com/bid/348

Description:
Vulnerability in (1) diskperf and (2) diskalign in IRIX 6.4 allows local attacker to create arbitrary root owned files, leading to root privileges.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener

CAN-1999-1493

Phase: Modified (20020308-01)
Reference: CERT:CA-1991-23
Reference: URL:http://www.cert.org/advisories/CA-1991-23.html
Reference: BID:34
Reference: URL:http://www.securityfocus.com/bid/34
Reference: XF:apollo-crp-root-access(7158)
Reference: URL:http://xforce.iss.net/static/7158.php

Description:
Vulnerability in crp in Hewlett Packard Apollo Domain OS SR10 through SR10.3 allows remote attackers to gain root privileges via insecure system calls, (1) pad_$dm_cmd and (2) pad_$def_pfk().

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:apollo-crp-root-access(7158)


CAN-1999-1495

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990218 xtvscreen and suse 6
Reference: URL:http://www.securityfocus.com/archive/1/12580
Reference: XF:xtvscreen-overwrite(1792)
Reference: URL:http://xforce.iss.net/static/1792.php
Reference: BID:325
Reference: URL:http://www.securityfocus.com/bid/325

Description:
xtvscreen in SuSE Linux 6.0 allows local users to overwrite arbitrary files via a symlink attack on the pic000.pnm file.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1496

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990608 unneeded information in sudo
Reference: URL:http://www.securityfocus.com/archive/1/14665
Reference: BID:321
Reference: URL:http://www.securityfocus.com/bid/321
Reference: XF:sudo-file-exists(2277)
Reference: URL:http://xforce.iss.net/static/2277.php

Description:
Sudo 1.5 in Debian Linux 2.1 and Red Hat 6.0 allows local users to determine the existence of arbitrary files by attempting to execute the target filename as a program, which generates a different error message when the file does not exist.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1497

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991221 [w00giving '99 #11] IMail's password encryption scheme
Reference: URL:http://www.securityfocus.com/archive/1/39329
Reference: BID:880
Reference: URL:http://www.securityfocus.com/bid/880

Description:
Ipswitch IMail 5.0 and 6.0 uses weak encryption to store passwords in registry keys, which allows local attackers to to read passwords for e-mail accounts.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:imail-passwords(1901)
   May be the same as CAN-2000-0019 on a different level of
   abstraction.


CAN-1999-1498

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980406 insecure tmp file creation
Reference: BID:82
Reference: URL:http://www.securityfocus.com/bid/82

Description:
Slackware Linux 3.4 pkgtool allows local attacker to read and write to arbitrary files via a symlink attack on the reply file.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:linux-pkgtool-reply-symlink(7347) 


CAN-1999-1499

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980410 BIND 4.9.7 named follows symlinks, clobbers anything
Reference: URL:http://www.securityfocus.com/archive/1/8966
Reference: BID:80
Reference: URL:http://www.securityfocus.com/bid/80

Description:
named in ISC BIND 4.9 and 8.1 allows local users to destroy files via a symlink attack on (1) named_dump.db when root kills the process with a SIGINT, or (2) named.stats when SIGIOT is used.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Cole
   REJECT(1) Foat
Voter Comments:
 Foat> The files get written to /var/named which the user does not have write 
   access.
 Frech> XF:bind-sigint-sigiot-symlink(7366)


CAN-1999-1500

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19991001 Vulnerabilities in the Internet Anywhere Mail Server
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93880357530599&w=2
Reference: BID:733
Reference: URL:http://www.securityfocus.com/bid/733

Description:
Internet Anywhere POP3 Mail Server 2.3.1 allows remote attackers to cause a denial of service (crash) via (1) LIST, (2) TOP, or (3) UIDL commands using letters as arguments.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:iams-pop3-command-dos(3283)


CAN-1999-1501

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980408 SGI O2 ipx security issue
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19980408184855.12506@math.princeton.edu
Reference: BID:70
Reference: URL:http://www.securityfocus.com/bid/70
Reference: BID:71
Reference: URL:http://www.securityfocus.com/bid/71

Description:
(1) ipxchk and (2) ipxlink in SGI OS2 IRIX 6.3 does not properly clear the IFS environmental variable before executing system calls, which allows local users to execute arbitrary commands.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
   REJECT(1) Christey
Voter Comments:
 Frech> XF:irix-ipxchk-ipxlink-ifs-commands(7365)
 Christey> DUPE CAN-1999-1040


CAN-1999-1502

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980408 QuakeI client: serious holes.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89205623028934&w=2
Reference: BID:68
Reference: URL:http://www.securityfocus.com/bid/68
Reference: BID:69
Reference: URL:http://www.securityfocus.com/bid/69

Description:
Buffer overflows in Quake 1.9 client allows remote malicious servers to execute arbitrary commands via long (1) precache paths, (2) server name, (3) server address, or (4) argument to the map console command.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:quake-precache-bo(7358)
   XF:quake-server-address-bo(7359)
   XF:quake-map-argument-bo(7360)


CAN-1999-1503

Phase: Proposed (20010912)
Reference: BID:63
Reference: URL:http://www.securityfocus.com/bid/63

Description:
Network Flight Recorder (NFR) 1.5 and 1.6 allows remote attackers to cause a denial of service in nfrd (crash) via a TCP packet with a null header and data field.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:nfr-tcp-packet-dos(7357)


CAN-1999-1504

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980408 Re: AppleShare IP Mail Server
Reference: URL:http://www.securityfocus.com/archive/1/8951
Reference: BID:62
Reference: URL:http://www.securityfocus.com/bid/62

Description:
Stalker Internet Mail Server 1.6 allows a remote attacker to cause a denial of service (crash) via a long HELO command.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:smtp-helo-bo(886)


CAN-1999-1505

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980407 QW vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89200537415923&w=2
Reference: BID:60
Reference: URL:http://www.securityfocus.com/bid/60

Description:
Buffer overflow in QuakeWorld 2.10 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary commands via a long initial connect packet.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:quakeworld-connect-bo(7356)


CAN-1999-1506

Phase: Proposed (20010912)
Reference: CERT:CA-1990-01
Reference: URL:http://www.cert.org/advisories/CA-90.01.sun.sendmail.vulnerability
Reference: BID:6
Reference: URL:http://www.securityfocus.com/bid/6

Description:
Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3, allows remote attackers to access user bin.

Votes:

   ACCEPT(3) Cole, Dik, Stracener
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:sunos-sendmail-bin-access(7161)
 Dik> sun bug 1028173
 CHANGE> [Foat changed vote from ACCEPT to NOOP]


CAN-1999-1508

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991116 [Fwd: Printer Vulnerability: Tektronix PhaserLink Webserver gives Administrator Password]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94286041430870&w=2
Reference: BID:806
Reference: URL:http://www.securityfocus.com/bid/806

Description:
Web server in Tektronix PhaserLink Printer 840.0 and earlier allows a remote attacker to gain administrator access by directly calling undocumented URLs such as ncl_items.html and ncl_subjects.html.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:tektronix-phaserlink-webserver-backdoor(6482)
   Possible dupe with CAN-2001-0484 and BID-2659.
 Christey> CAN-2001-0484 may be a duplicate.


CAN-1999-1509

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19991104 Eserv 2.50 Web interface Server Directory Traversal Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94177470915423&w=2
Reference: BUGTRAQ:19991104 Eserv 2.50 Web interface Server Directory Traversal Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94183041514522&w=2
Reference: BID:773
Reference: URL:http://www.securityfocus.com/bid/773
Reference: XF:eserv-fileread

Description:
Directory traversal vulnerability in Etype Eserv 2.50 web server allows a remote attacker to read any file in the file system via a .. (dot dot) in a URL.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> Normalize XF:eserv-fileread(3449)
   Normalize URL:http://xforce.iss.net/static/3449.php


CAN-1999-1510

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990517 Vulnerabilities in BisonWare FTP Server 3.5
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92697301706956&w=2
Reference: XF:bisonware-command-bo(3234)
Reference: URL:http://xforce.iss.net/static/3234.php

Description:
Buffer overflows in Bisonware FTP server prior to 4.1 allow remote attackers to cause a denial of service, and possibly execute arbitrary commands, via long (1) USER, (2) LIST, or (3) CWD commands.

Votes:

   ACCEPT(3) Frech, Foat, Cole
   NOOP(1) Wall

CAN-1999-1511

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991110 Multiples Remotes DoS Attacks in Artisoft XtraMail v1.11 Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94226003804744&w=2
Reference: BID:791
Reference: URL:http://www.securityfocus.com/bid/791
Reference: XF:xtramail-pass-dos(3488)
Reference: URL:http://xforce.iss.net/static/3488.php

Description:
Buffer overflows in Xtramail 1.11 allow attackers to cause a denial of service (crash) and possibly execute arbitrary commands via (1) a long PASS command in the POP3 service, (2) a long HELO command in the SMTP service, or (3) a long user name in the Control Service.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1513

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990830 One more 3Com SNMP vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93616983223090&w=2

Description:
Management information base (MIB) for a 3Com SuperStack II hub running software version 2.10 contains an object identifier (.1.3.6.1.4.1.43.10.4.2) that is accessible by a read-only community string, but lists the entire table of community strings, which could allow attackers to conduct unauthorized activities.

Votes:

   NOOP(3) Wall, Foat, Cole
   REVIEWING(1) Frech
Voter Comments:
 Frech> (ACCEPT; Task 2355)


CAN-1999-1514

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990729 ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94130292519646&w=2
Reference: BUGTRAQ:19990729 ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94121377716133&w=2
Reference: BID:749
Reference: URL:http://www.securityfocus.com/bid/749
Reference: XF:expressfs-command-bo(3401)
Reference: URL:http://xforce.iss.net/static/3401.php

Description:
Buffer overflow in Celtech ExpressFS FTP server 2.x allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long USER command.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> BugTraq reference date seems to be 19991029; see
   http://online.securityfocus.com/archive/1/33123


CAN-1999-1515

Phase: Proposed (20010912)
Reference: BID:613
Reference: URL:http://www.securityfocus.com/bid/613
Reference: XF:tfs-gateway-dos(3290)
Reference: URL:http://xforce.iss.net/static/3290.php

Description:
A non-default configuration in TenFour TFS Gateway 4.0 allows an attacker to cause a denial of service via messages with incorrect sender and recipient addresses, which causes the gateway to continuously try to return the message every 10 seconds.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1516

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990902 [SECURITY] TenFour TFS SMTP 3.2 Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93677241318492&w=2

Description:
A buffer overflow in TenFour TFS Gateway SMTP mail server 3.2 allows an attacker to crash the mail server and possibly execute arbitrary code by offering more than 128 bytes in a MAIL FROM string.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:tfs-gateway-dos(3290)


CAN-1999-1517

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991101 Amanda multiple vendor local root compromises
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94148942818975&w=2
Reference: BID:750
Reference: URL:http://www.securityfocus.com/bid/750

Description:
runtar in the Amanda backup system used in various UNIX operating systems executes tar with root privileges, which allows a user to overwrite or read arbitrary files by providing the target files to runtar.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:amanda-runtar(3402)


CAN-1999-1518

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990715 Shared memory DoS's
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93207728118694&w=2
Reference: BID:526
Reference: URL:http://www.securityfocus.com/bid/526
Reference: XF:bsd-shared-memory-dos(2351)
Reference: URL:http://xforce.iss.net/static/2351.php

Description:
Operating systems with shared memory implementations based on BSD 4.4 code allow a user to conduct a denial of service and bypass memory limits (e.g., as specified with rlimits) using mmap or shmget to allocate memory and cause page faults.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1519

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991117 Remote D.o.S Attack in G6 FTP Server v2.0 (beta 4/5) Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94286244700573&w=2
Reference: BID:805
Reference: URL:http://www.securityfocus.com/bid/805
Reference: XF:g6ftp-username-dos(3513)
Reference: URL:http://xforce.iss.net/static/3513.php

Description:
Gene6 G6 FTP Server 2.0 allows a remote attacker to cause a denial of service (resource exhaustion) via a long (1) user name or (2) password.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1520

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990511 [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92647407227303&w=2
Reference: BID:256
Reference: URL:http://www.securityfocus.com/bid/256
Reference: XF:siteserver-site-csc(2270)
Reference: URL:http://xforce.iss.net/static/2270.php

Description:
In Microsoft Site Server 3.0 a configuration problem exists in the Ad Server Sample directory (AdSamples) allowing an attacker to retrieve SITE.CSC, exposing sensitive SQL database information.

Votes:

   ACCEPT(3) Frech, Wall, Cole
   NOOP(1) Foat

CAN-1999-1521

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990912 Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93720402717560&w=2
Reference: BUGTRAQ:19990729 Vulnerability in CMail SMTP Server Version 2.4: Remotely exploitable buffer
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94121824921783&w=2
Reference: BID:633
Reference: URL:http://www.securityfocus.com/bid/633
Reference: XF:cmail-command-bo(2240)
Reference: URL:http://xforce.iss.net/static/2240.php

Description:
Computalynx CMail 2.4 and CMail 2.3 SP2 SMTP servers are vulnerable to a buffer overflow attack in the MAIL FROM command that may allow a remote attacker to execute arbitrary code on the server.

Votes:

   ACCEPT(1) Frech
   NOOP(4) Christey, Wall, Foat, Cole
Voter Comments:
 Christey> Remove "attack" from description and slightly rewrite.
 Christey> ADDREF BUGTRAQ:19991029 Vulnerability in CMail SMTP Server Version 2.4: Remotely exploitable buffer
   URL:URL:http://www.securityfocus.com/archive/1/32573 
   ADDREF BUGTRAQ:19990616 C-Mail SMTP Server Remote Buffer Overflow Exploit
   URL:http://online.securityfocus.com/archive/1/15524
   
   Note: this last post exploits an overflow through VRFY
   instead of MAIL FROM.  However, CD:SF-LOC suggests merging two
   issues of the same type that are in the same versions.
   
   ADDREF BUGTRAQ:19990526 Multiple Web Interface Security Holes
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92774425211457&w=2


CAN-1999-1522

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991007 Roxen security alert
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93942579008408&w=2

Description:
Vulnerability in htmlparse.pike in Roxen Web Server 1.3.11 and earlier, possibly related to recursive parsing and referer tags in RXML.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:roxen-rxml-recursive-parsing(3372)


CAN-1999-1523

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991004
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93901161727373&w=2
Reference: BUGTRAQ:19991006 Re: Sample DOS against the Sambar HTTP-Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93941351229256&w=2
Reference: XF:sambar-logging-bo(1672)
Reference: URL:http://xforce.iss.net/static/1672.php

Description:
Buffer overflow in Sambar Web Server 4.2.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP GET request.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1524

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990807 Re: FlowPoint DSL router vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93424680430460&w=2

Description:
FlowPoint DSL router firmware versions prior to 3.0.8 allows a remote attacker to exploit a password recovery feature from the network and conduct brute force password guessing, instead of limiting the feature to the serial console port.

Votes:

   NOOP(3) Wall, Foat, Cole

CAN-1999-1525

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970314 Shockwave Security Alert
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420670&w=2
Reference: XF:shockwave-internal-access(1585)
Reference: URL:http://xforce.iss.net/static/1585.php
Reference: XF:shockwave-file-read-vuln(1586)
Reference: URL:http://xforce.iss.net/static/1586.php
Reference: XF:http-ns-shockwave(460)
Reference: URL:http://xforce.iss.net/static/460.php

Description:
Macromedia Shockwave before 6.0 allows a malicious webmaster to read a user's mail box and possibly access internal web servers via the GetNextText command on a Shockwave movie.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1526

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990311 [Fwd: Shockwave 7 Security Hole]
Reference: URL:http://www.securityfocus.com/archive/1/12842
Reference: XF:shockwave-updater(1931)
Reference: URL:http://xforce.iss.net/static/1931.php

Description:
Auto-update feature of Macromedia Shockwave 7 transmits a user's password and hard disk information back to Macromedia.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

CAN-1999-1527

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991123 NetBeans/ Forte' Java IDE HTTP vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94338883114254&w=2
Reference: BID:816
Reference: URL:http://www.securityfocus.com/bid/816

Description:
Internal HTTP server in Sun Netbeans Java IDE in Netbeans Developer 3.0 Beta and Forte Community Edition 1.0 Beta does not properly restrict access to IP addresses as specified in its configuration, which allows arbitrary remote attackers to access the server.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:sun-java-ide-http-access(8333)


CAN-1999-1528

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991114 MacOS 9 and the MacOS Netware Client
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94261444428430&w=2
Reference: BID:794
Reference: URL:http://www.securityfocus.com/bid/794

Description:
ProSoft Netware Client 5.12 on Macintosh MacOS 9 does not automatically log a user out of the NDS tree when the user logs off the system, which allows other users of the same system access to the unprotected NDS session.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:macos-netware-nds-access(8339)


CAN-1999-1529

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991107 Interscan VirusWall NT 3.23/3.3 buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94201512111092&w=2
Reference: NTBUGTRAQ:19991107 Interscan VirusWall NT 3.23/3.3 buffer overflow.
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94199707625818&w=2
Reference: BUGTRAQ:19991108 Re: Interscan VirusWall NT 3.23/3.3 buffer overflow.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94210427406568&w=2
Reference: BUGTRAQ:19991108 Patch for VirusWall 3.23.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94204166130782&w=2
Reference: NTBUGTRAQ:19991108 Patch for VirusWall 3.23.
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94208143007829&w=2
Reference: BUGTRAQ:20000417 New DOS on Interscan NT/3.32
Reference: URL:http://www.securityfocus.com/archive/1/55551
Reference: BID:787
Reference: URL:http://www.securityfocus.com/bid/787
Reference: XF:viruswall-helo-bo(3465)
Reference: URL:http://xforce.iss.net/static/3465.php

Description:
A buffer overflow exists in the HELO command in Trend Micro Interscan VirusWall SMTP gateway 3.23/3.3 for NT, which may allow an attacker to execute arbitrary code.

Votes:

   ACCEPT(2) Foat, Cole
   NOOP(1) Wall
   REJECT(1) Frech

CAN-1999-1532

Phase: Modified (20011126-01)
Reference: BUGTRAQ:19991029 message:Netscape Messaging Server RCPT TO vul.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94117465014255&w=2
Reference: BID:748
Reference: URL:http://www.securityfocus.com/bid/748

Description:
Netscape Messaging Server 3.54, 3.55, and 3.6 allows a remote attacker to cause a denial of service (memory exhaustion) via a series of long RCPT TO commands.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:netscape-messaging-rcptto-dos(8340)
   Description ends with a comma and not a period, possibly 
   indicating that the sentence is not complete,


CAN-1999-1533

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990926 DoS Exploit in Eicon Diehl LAN ISDN Modem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93846522511387&w=2
Reference: BID:665
Reference: URL:http://www.securityfocus.com/bid/665
Reference: XF:diva-lan-isdn-dos(3317)
Reference: URL:http://xforce.iss.net/static/3317.php

Description:
Eicon Technology Diva LAN ISDN modem allows a remote attacker to cause a denial of service (hang) via a long password argument to the login.htm file in its HTTP service.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1534

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990923 Multiple vendor Knox Arkiea local root/remote DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93837184228248&w=2
Reference: BID:661
Reference: URL:http://www.securityfocus.com/bid/661

Description:
Buffer overflow in (1) nlservd and (2) rnavc in Knox Software Arkeia backup product allows local users to obtain root access via a long HOME environmental variable.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:arkiea-backup-home-bo(3322)


CAN-1999-1536

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990730 World writable root owned script in SalesBuilder (RedHat 6.0)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93347785827287&w=2
Reference: BID:560
Reference: URL:http://www.securityfocus.com/bid/560

Description:
.sbstart startup script in AcuShop Salesbuilder is world writable, which allows local users to gain privileges by appending commands to the file.

Votes:

   NOOP(3) Wall, Foat, Cole
   REVIEWING(1) Frech
Voter Comments:
 Frech> (ACCEPT; Task 2356)


CAN-1999-1537

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990707 SSL and IIS.
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93138827329577&w=2
Reference: BID:521
Reference: URL:http://www.securityfocus.com/bid/521
Reference: XF:ssl-iis-dos(2352)
Reference: URL:http://xforce.iss.net/static/2352.php

Description:
IIS 3.x and 4.x does not distinguish between pages requiring encryption and those that do not, which allows remote attackers to cause a denial of service (resource exhaustion) via SSL requests to the HTTPS port for normally unencrypted files, which will cause IIS to perform extra work to send the files over SSL.

Votes:

   ACCEPT(3) Frech, Wall, Cole
   NOOP(1) Foat

CAN-1999-1538

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990114 MS IIS 4.0 Security Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91638375309890&w=2
Reference: NTBUGTRAQ:19990114 MS IIS 4.0 Security Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91632724913080&w=2
Reference: BID:189
Reference: URL:http://www.securityfocus.com/bid/189

Description:
When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allows an unauthorized user to gain access to sensitive server information, including the Administrator's password.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Foat, Cole
Voter Comments:
 Frech> XF:iis-ismdll-info(7566)


CAN-1999-1539

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991110 Remote DoS Attack in QVT/Term 'Plus' 4.2d FTP Server Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94225924803704&w=2
Reference: NTBUGTRAQ:19991110 Remote DoS Attack in QVT/Term 'Plus' 4.2d FTP Server Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94223972910670&w=2
Reference: BID:796
Reference: URL:http://www.securityfocus.com/bid/796
Reference: XF:qvtterm-login-dos(3491)
Reference: URL:http://xforce.iss.net/static/3491.php

Description:
Buffer overflow in FTP server in QPC Software's QVT/Term Plus versions 4.2d and 4.3 and QVT/Net 4.3 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long (1) user name or (2) password.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1540

Phase: Proposed (20010912)
Reference: L0PHT:19991004
Reference: URL:http://www.atstake.com/research/advisories/1999/shell-lock.txt
Reference: BUGTRAQ:19991005 Cactus Software's shell-lock
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93916168802365&w=2
Reference: XF:cactus-shell-lock-retrieve-shell-code(3356)
Reference: URL:http://xforce.iss.net/static/3356.php

Description:
shell-lock in Cactus Software Shell Lock uses weak encryption (trivial encoding) which allows attackers to easily decrypt and obtain the source code.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1541

Phase: Proposed (20010912)
Reference: L0PHT:19991004
Reference: URL:http://www.atstake.com/research/advisories/1999/shell-lock.txt
Reference: BUGTRAQ:19991005 Cactus Software's shell-lock
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93916168802365&w=2
Reference: XF:cactus-shell-lock-root-privs(3358)
Reference: URL:http://xforce.iss.net/static/3358.php

Description:
shell-lock in Cactus Software Shell Lock allows local users to read or modify decoded shell files before they are executed, via a symlink attack on a temporary file.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1543

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990710 MacOS system encryption algorithm
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93188174906513&w=2
Reference: BUGTRAQ:19990914 MacOS system encryption algorithm 3
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93736667813924&w=2
Reference: BID:519
Reference: URL:http://www.securityfocus.com/bid/519

Description:
MacOS uses weak encryption for passwords that are stored in the Users & Groups Data File.

Votes:

   NOOP(3) Wall, Foat, Cole
   REVIEWING(1) Frech
Voter Comments:
 Frech> (ACCEPT; Task 2357)


CAN-1999-1544

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990124 Advisory: IIS FTP Exploit/DoS Attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91722115016183&w=2

Description:
Buffer overflow in FTP server in Microsoft IIS 3.0 and 4.0 allows local and sometimes remote attackers to cause a denial of service via a long NLST (ls) command.

Votes:

   ACCEPT(1) Wall
   NOOP(2) Foat, Cole
   REJECT(1) Frech
Voter Comments:
 Frech> Dupe CAN-1999-0349


CAN-1999-1545

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990714
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93216103027827&w=2
Reference: BUGTRAQ:19990717 joe 2.8 makes world-readable DEADJOE
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93226771401036&w=2

Description:
Joe's Own Editor (joe) 2.8 sets the world-readable permission on its crash-save file, DEADJOE, which could allow local users to read files that were being edited by other users.

Votes:

   NOOP(3) Wall, Foat, Cole
   REVIEWING(1) Frech
Voter Comments:
 Frech> (ACCEPT; Task 2358)


CAN-1999-1546

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990129 TROJAN: netstation.navio-comm.rte 1.1.0.1
Reference: URL:http://www.securityfocus.com/archive/1/12217
Reference: XF:navionc-config-script(1724)
Reference: URL:http://xforce.iss.net/static/1724.php

Description:
netstation.navio-com.rte 1.1.0.1 configuration script for Navio NC on IBM AIX exports /tmp over NFS as world-readable and world-writable.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1547

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991125 Oracle Web Listener
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94359982417686&w=2
Reference: NTBUGTRAQ:19991125 Oracle Web Listener
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94390053530890&w=2
Reference: BID:841
Reference: URL:http://www.securityfocus.com/bid/841

Description:
Oracle Web Listener 2.1 allows remote attackers to bypass access restrictions by replacing a character in the URL with its HTTP-encoded (hex) equivalent.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:oracle-weblistener-bypass-restrictions(8355)


CAN-1999-1548

Phase: Proposed (20010912)
Reference: BINDVIEW:19991124 Cabletron SmartSwitch Router 8000 Firmware v2.x
Reference: URL:http://razor.bindview.com/publish/advisories/adv_Cabletron.html
Reference: BID:821
Reference: URL:http://www.securityfocus.com/bid/841

Description:
Cabletron SmartSwitch Router (SSR) 8000 firmware 2.x can only handle 200 ARP requests per second allowing a denial of service attack to succeed with a flood of ARP requests exceeding that limit.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:smartswitch-arp-flood-dos(7770)
   BID URL should be 821, not 841.


CAN-1999-1549

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991116 lynx 2.8.x - 'special URLs' anti-spoofing protection is weak
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94286509804526&w=2
Reference: BID:804
Reference: URL:http://www.securityfocus.com/bid/804

Description:
Lynx 2.x does not properly distinguish between internal and external HTML, which may allow a local attacker to read a "secure" hidden form value from a temporary file and craft a LYNXOPTIONS: URL that causes Lynx to modify the user's configuration file and execute commands.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:lynx-lynxurl-spoof(8342)


CAN-1999-1551

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990302 Multiple IMail Vulnerabilites
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92038879607336&w=2
Reference: BID:505
Reference: URL:http://www.securityfocus.com/bid/505
Reference: XF:imail-websvc-overflow(1898)
Reference: URL:http://xforce.iss.net/static/1898.php

Description:
Buffer overflow in Ipswitch IMail Service 5.0 allows an attacker to cause a denial of service (crash) and possibly execute arbitrary commands via a long URL.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1552

Phase: Proposed (20010912)
Reference: BUGTRAQ:19940720 xnews and XDM
Reference: URL:http://lists.insecure.org/lists/bugtraq/1994/Jul/0038.html
Reference: BID:358
Reference: URL:http://www.securityfocus.com/bid/358

Description:
dpsexec (DPS Server) when running under XDM in IBM AIX 3.2.5 and earlier does not properly check privileges, which allows local users to overwrite arbitrary files and gain privileges.

Votes:

   NOOP(2) Foat, Cole

CAN-1999-1553

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990301 [0z0n3] XCmail remotely exploitable vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/12730
Reference: BID:311
Reference: URL:http://www.securityfocus.com/bid/311
Reference: XF:xcmail-reply-overflow(1859)
Reference: URL:http://xforce.iss.net/static/1859.php

Description:
Buffer overflow in XCmail 0.99.6 with autoquote enabled allows remote attackers to execute arbitrary commands via a long subject line.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1554

Phase: Modified (20020218-01)
Reference: CERT:CA-1990-08
Reference: URL:http://www.cert.org/advisories/CA-1990-08.html
Reference: BID:13
Reference: URL:http://www.securityfocus.com/bid/13
Reference: XF:sgi-irix-reset(3164)
Reference: URL:http://www.iss.net/security_center/static/3164.php

Description:
/usr/sbin/Mail on SGI IRIX 3.3 and 3.3.1 does not properly set the group ID to the group ID of the user who started Mail, which allows local users to read the mail of other users.

Votes:

   ACCEPT(2) Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:sgi-irix-reset(3164)
 CHANGE> [Foat changed vote from ACCEPT to NOOP]


CAN-1999-1555

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980611 Cheyenne Inoculan vulnerability on NT
Reference: URL:http://www.securityfocus.com/archive/1/9515
Reference: BID:106
Reference: XF:inoculan-bad-permissions(1536)
Reference: URL:http://xforce.iss.net/static/1536.php

Description:
Cheyenne InocuLAN Anti-Virus Server in Inoculan 4.0 before Service Pack 2 creates an update directory with "EVERYONE FULL CONTROL" permissions, which allows local users to cause Inoculan's antivirus update feature to install a Trojan horse dll.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> http://support.cai.com/Download/patches/inocnt.html


CAN-1999-1556

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19980629 MS SQL Server 6.5 stores password in unprotected registry keys
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222453431645&w=2
Reference: BID:109
Reference: URL:http://www.securityfocus.com/bid/109

Description:
Microsoft SQL Server 6.5 uses weak encryption for the password for the SQLExecutiveCmdExec account and stores it in an accessible portion of the registry, which could allow local users to gain privileges by reading andd decrypting the CmdExecAccount value.

Votes:

   ACCEPT(2) Wall, Cole
   MODIFY(1) Frech
   NOOP(2) Christey, Foat
Voter Comments:
 Frech> XF:mssql-sqlexecutivecmdexec-password(7354)
 Christey> Need to consult MS on this issue.


CAN-1999-1557

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990301 Multiple IMail Vulnerabilites
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92038879607336&w=2
Reference: XF:imail-imap-overflow(1895)
Reference: URL:http://xforce.iss.net/static/1895.php

Description:
Buffer overflow in the login functions in IMAP server (imapd) in Ipswitch IMail 5.0 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a long user name or (2) a long password.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

CAN-1999-1558

Phase: Modified (20020218-01)
Reference: CIAC:I-071A
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-071a.shtml
Reference: CERT:VB-98.07
Reference: BID:161
Reference: URL:http://www.securityfocus.com/bid/161
Reference: XF:openvms-loginout-unauth-access(7151)
Reference: URL:http://www.iss.net/security_center/static/7151.php

Description:
Vulnerability in loginout in Digital OpenVMS 7.1 and earlier allows unauthorized access when external authentication is enabled.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:openvms-loginout-unauth-access(7151)


CAN-1999-1559

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990331 Xylan OmniSwitch "features"
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92299263017061&w=2
Reference: XF:xylan-omniswitch-login(2064)
Reference: URL:http://xforce.iss.net/static/2064.php

Description:
Xylan OmniSwitch before 3.2.6 allows remote attackers to bypass the login prompt via a CTRL-D (control d) character, which locks other users out of the switch because it only supports one session at a time.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

CAN-1999-1560

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990720 tiger vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93252050203589&w=2
Reference: XF:tiger-script-execute(2369)
Reference: URL:http://xforce.iss.net/static/2369.php

Description:
Vulnerability in a script in Texas A&M University (TAMU) Tiger allows local users to execute arbitrary commands as the Tiger user, usually root.

Votes:

   ACCEPT(3) Frech, Foat, Cole
   NOOP(1) Wall

CAN-1999-1561

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990820 Winamp SHOUTcast server: Gain Administrator Password
Reference: URL:http://www.securityfocus.com/archive/1/24852

Description:
Nullsoft SHOUTcast server stores the administrative password in plaintext in a configuration file (sc_serv.conf), which could allow a local user to gain administrative privileges on the server.

Votes:

   NOOP(3) Wall, Foat, Cole
   REVIEWING(1) Frech
Voter Comments:
 Frech> (ACCEPT; Task 2359)


CAN-1999-1562

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990905 gftp
Reference: URL:http://www.securityfocus.com/archive/1/26915

Description:
gFTP FTP client 1.13, and other versions before 2.0.0, records a password in plaintext in (1) the log window, or (2) in a log file.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:gftp-plaintext-password(7319)


CAN-1999-1563

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991014 NEUROCOM: Nashuatec printer, 3 vulnerabilities found
Reference: URL:http://www.securityfocus.com/archive/1/30849
Reference: BUGTRAQ:19991116 NEUROCOM: Nashuatec D445/435 vulnerabilities updated
Reference: URL:http://www.securityfocus.com/archive/1/35075

Description:
Nachuatec D435 and D445 printer allows remote attackers to cause a denial of service via ICMP redirect storm.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:icmp-redirect(285)


CAN-1999-1564

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990902 [ Kernel panic with FreeBSD-3.2-19990830-STABLE ]
Reference: URL:http://www.securityfocus.com/archive/1/26166

Description:
FreeBSD 3.2 and possibly other versions allows a local user to cause a denial of service (panic) with a large number accesses of an NFS v3 mounted directory from a large number of processes.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:freebsd-nfs-access-dos(8325)


CAN-1999-1566

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990508 iParty Daemon Vulnerability w/ Exploit Code (worse than thought?)
Reference: URL:http://www.securityfocus.com/archive/1/13600

Description:
Buffer overflow in iParty server 1.2 and earlier allows remote attackers to cause a denial of service (crash) by connecting to default port 6004 and sending repeated extended characters.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
Voter Comments:
 Frech> XF:iparty-dos(1416)


CAN-1999-1567

Phase: Modified (20020218-01)
Reference: NTBUGTRAQ:19990308 Password and DOS Vulnerability with Testrack (bug tracking software)
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9903&L=NTBUGTRAQ&P=R1215
Reference: NTBUGTRAQ:19990616 Password and DOS Vulnerability with Testrack (bug tracking software)
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9906&L=NTBUGTRAQ&P=R1680
Reference: XF:testtrack-dos(1948)
Reference: URL:http://xforce.iss.net/static/1948.php

Description:
Seapine Software TestTrack server allows a remote attacker to cause a denial of service (high CPU) via (1) TestTrackWeb.exe and (2) ttcgi.exe by connecting to port 99 and disconnecting without sending any data.

Votes:

   ACCEPT(2) Foat, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:testtrack-dos(1948)


CAN-1999-1568

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990223 NcFTPd remote buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91981352617720&w=2
Reference: BUGTRAQ:19990223 Comments on NcFTPd "theoretical root compromise"
Reference: URL:http://www.securityfocus.com/archive/1/12699
Reference: XF:ncftpd-port-bo(1833)
Reference: URL:http://xforce.iss.net/static/1833.php

Description:
Off-by-one error in NcFTPd FTP server before 2.4.1 allows a remote attacker to cause a denial of service (crash) via a long PORT command.

Votes:

   ACCEPT(3) Frech, Foat, Cole
   NOOP(1) Wall

CAN-1999-1569

Phase: Proposed (20020830)
Reference: BUGTRAQ:20010716 Quake client and server denial-of-service
Reference: URL:http://www.securityfocus.com/archive/1/197268
Reference: BUGTRAQ:19981101 Quake problem?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91012172524181&w=2
Reference: BUGTRAQ:19980502 NetQuake Protocol problem resulting in smurf like effect.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925989&w=2
Reference: XF:quake-spoofed-client-dos(6871)
Reference: URL:http://xforce.iss.net/static/6871.php
Reference: BID:3051
Reference: URL:http://www.securityfocus.com/bid/3051

Description:
Quake 1 and NetQuake servers allow remote attackers to cause a denial of service (resource exhaustion or forced disconnection) via a flood of spoofed UDP connection packets, which exceeds the server's player limit.

Votes:

   ACCEPT(1) Frech
   NOOP(5) Cox, Wall, Foat, Cole, Armstrong
   REVIEWING(1) Green

CAN-1999-1570

Phase: Proposed (20020830)
Reference: VULN-DEV:20020509 Sar -o exploitation process info.
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102098949103708&w=2
Reference: BUGTRAQ:19990909 19 SCO 5.0.5+Skunware98 buffer overflows
Reference: URL:http://online.securityfocus.com/archive/1/27074
Reference: CALDERA:CSSA-2002-SCO.17
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.17/CSSA-2002-SCO.17.txt
Reference: BID:4089
Reference: URL:http://www.securityfocus.com/bid/4089
Reference: XF:openserver-sar-bo(8989)
Reference: URL:http://www.iss.net/security_center/static/8989.php

Description:
Buffer overflow in sar for OpenServer 5.0.5 allows local users to gain root privileges via a long -o parameter.

Votes:

   ACCEPT(4) Green, Frech, Cole, Armstrong
   NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
 Frech> It seems as if the BID-4089 assignment on this CAN name may be
   in error.
   BID-4089 (Multiple Vendor SNMP Request Handling Vulnerabilities) is
   already assigned to CAN-2002-0013. Also, this CVE issue seems to have
   nothing to do with SNMP.
 Christey> Agreed, this is the wrong BID.  SecurityFocus has assigned
   BID:643 to CAN-1999-1570, but there's a bit of an
   inconsistency.  BID:643 alludes to Bugtraq posts in 1999
   from Brock Tellier, mentioning overflows in sar via BOTH the
   -o and -f parameters.  However, they also link this issue to
   SCO advisory 99.17, although the advisory itself is too vague
   to *really* know what vulns they fixed.  And now the link
   to a potentially more detailed document (sse037.ltr)
   is broken.  So we don't have any independent reason for
   knowing whether SCO 99.17 (a) addresses any "sar"
   vulnerabilities, and (b) even if it does, whether it addresses
   *both* the -o and -f arguments originally claimed by Tellier.
   Finally, it seems rather curious that CSSA-2002-SCO.17
   talks about a -o overflow but does not mention -f.
   Sounds like an email to the security people at SCO
   is in order...
   
   OK.  Having consulted with SCO (who responded quickly), I
   looked even further into this issue.  There is now sufficient
   evidence that the -f overflow was fixed in 1999.  This
   means that a separate candidate should be created (by
   CD:SF-LOC), so the -f overflow is now covered by
   CAN-1999-1571.
   
   Need to DELREF BID:4089
 CHANGE> [Frech changed vote from NOOP to ACCEPT]


CAN-1999-1571

Phase: Assigned (20021008)
Reference: BUGTRAQ:19990909 19 SCO 5.0.5+Skunware98 buffer overflows
Reference: URL:http://online.securityfocus.com/archive/1/27074
Reference: BUGTRAQ:19990917 Re: recent SCO 5.0.x vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93762097815861&w=2
Reference: BUGTRAQ:19991020 Re: recent SCO 5.0.x vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94053017801639&w=2
Reference: BUGTRAQ:19991105 SCO Security Bulletin 99.17
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94183363719024&w=2
Reference: MISC:http://online.securityfocus.com/advisories/1843
Reference: SCO:SB-99.17c
Reference: URL:ftp://stage.caldera.com/pub/security/sse/security_bulletins/SB-99.17c
Reference: CONFIRM:ftp://stage.caldera.com/pub/security/sse/sse037c/sse037c.ltr
Reference: BID:643
Reference: URL:http://online.securityfocus.com/bid/643
Reference: VULN-DEV:20020509 Sar -o exploitation process info.
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102098949103708&w=2
Reference: XF:openserver-sar-bo(8989)
Reference: URL:http://www.iss.net/security_center/static/8989.php

Description:
Buffer overflow in sar for SCO OpenServer 5.0.0 through 5.0.5 may allow local users to gain root privileges via a long -f parameter, a different vulnerability than CAN-1999-1570.

Votes:







CAN-2000-0005

Phase: Modified (20000204-01)
Reference: BUGTRAQ:19991230 aserver.sh
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108
Reference: XF:hp-aserver

Description:
HP-UX aserver program allows local users to gain privileges via a symlink attack.

Votes:

   ACCEPT(2) Armstrong, Stracener
   MODIFY(1) Frech
   RECAST(1) Christey
   REVIEWING(1) Levy
Voter Comments:
 Christey> BUGTRAQ:20000102 "HPUX Aserver revisited." indicates that two
   different versions of aserver have symlink problems, but with
   different files.  So CD:SF-LOC says we should split this.
 Frech> XF:hp-aserver
 Christey> BID:1928 and BID:1930?  Which one is being described in
   this candidate?
 Christey> BID:1930


CAN-2000-0008

Phase: Proposed (20000111)
Reference: BUGTRAQ:19991227 FTPPro insecuities

Description:
FTPPro allows local users to read sensitive information, which is stored in plain text.

Votes:

   ACCEPT(3) Armstrong, Stracener, Baker
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Levy
Voter Comments:
 Frech> XF:ftppro-plaintext-information
 Christey> ADDREF BID:1790
   ADDREF URL:http://www.securityfocus.com/bid/1790


CAN-2000-0016

Phase: Proposed (20000111)
Reference: NTBUGTRAQ:19991001 Vulnerabilities in the Internet Anywhere Mail Server
Reference: BUGTRAQ:19991227 Remote DoS/Access Attack in Internet Anywhere Mail Server(POP 3) v2.3.1
Reference: BID:730
Reference: URL:http://www.securityfocus.com/bid/730

Description:
Buffer overflow in Internet Anywhere POP3 Mail Server allows remote attackers to cause a denial of service or execute commands via a long username.

Votes:

   ACCEPT(4) Levy, Armstrong, Stracener, Baker
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:iams-pop3-command-dos


CAN-2000-0017

Phase: Proposed (20000111)
Reference: BUGTRAQ:19991221 (Possible) Linuxconf Remote Buffer Overflow Vulnerability

Description:
Buffer overflow in Linux linuxconf package allows remote attackers to gain root privileges via a long parameter.

Votes:

   NOOP(4) Armstrong, Stracener, Christey, Baker
   REJECT(2) Levy, Frech
Voter Comments:
 Christey> It's not certain whether this is exploitable or not.  An 
   expert (the linuxconf author?) wasn't able to duplicate the
   bug - see http://lwn.net/1999/1223/a/linuxconfresponse.html
   
   The original posting with example exploit was
   http://marc.theaimsgroup.com/?l=bugtraq&m=94580196627059&w=2
   
   However - GIAC and the Security Focus incidents list have
   consistently reported that scans are taking place for
   linuxconf, so do the hackers know more than we do?
 Frech> Unless vendor or other confirmation occurs, there has been no corroboration
   of this issue in public forums.
 CHANGE> [Armstrong changed vote from ACCEPT to NOOP]


CAN-2000-0019

Phase: Proposed (20000111)
Reference: BUGTRAQ:19991221 [w00giving '99 #11] IMail's password encryption scheme

Description:
IMail POP3 daemon uses weak encryption, which allows local users to read files.

Votes:

   ACCEPT(3) Armstrong, Stracener, Baker
   MODIFY(2) Levy, Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:imail-passwords
 Levy> BID 880
 Christey> BUGTRAQ:19990304 IMAIL password recovery is trivial.
   http://www.securityfocus.com/archive/1/12750
 Christey> Add version numbers (5.0 through 5.08)


CAN-2000-0021

Phase: Proposed (20000111)
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack

Description:
Lotus Domino HTTP server allows remote attackers to determine the real path of the server via a request to a non-existent script in /cgi-bin.

Votes:

   ACCEPT(3) Armstrong, Stracener, Baker
   MODIFY(2) Levy, Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:http-cgi-lotus-domino
 Levy> BID 881
 Christey> BID:881


CAN-2000-0028

Phase: Modified (20000626-01)
Reference: BUGTRAQ:19991222 IE 5.01 vulnerabilities in external.NavigateAndFind()
Reference: XF:ie-navigateandfind

Description:
Internet Explorer 5.0 and 5.01 allows remote attackers to bypass the cross frame security policy and read files via the external.NavigateAndFind function.

Votes:

   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Levy, Frech
   NOOP(1) Baker
   RECAST(1) LeBlanc
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:ie-navigateandfind
 Christey> May be a duplicate of CVE-2000-0465 according to my
   communications with Microsoft people.  CAN-2000-0266 may
   also be a variant.
 Levy> BID 887
 LeBlanc> duplicate


CAN-2000-0035

Phase: Proposed (20000111)
Reference: BUGTRAQ:19991228 majordomo local exploit
Reference: BUGTRAQ:20000113 Info on some security holes reported against SCO Unixware.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94780294009285&w=2
Reference: BID:902
Reference: URL:http://www.securityfocus.com/bid/902

Description:
resend command in Majordomo allows local users to gain privileges via shell metacharacters.

Votes:

   ACCEPT(3) Levy, Stracener, Baker
   MODIFY(2) Cox, Frech
   NOOP(1) Armstrong
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:majordomo-local-resend
 Christey> The Bugtraq thread indicates that this problem may be
   due to misconfiguration, and may extend beyond just the
   resend command.
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
 Christey> Include "wrapper" to facilitate search and matching?  (but
   double-check CAN-2000-0037).
   Add "1.94.4 and earlier" as the affected version number.
   ADDREF AUSCERT:AA-2000.01
   ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.01
 Cox> ADDREF REDHAT:RHSA-2000:005


CAN-2000-0038

Phase: Proposed (20000111)
Reference: BUGTRAQ:19991223 Multiple vulnerabilites in glFtpD (current versions)

Description:
glFtpD includes a default glftpd user account with a default password and a UID of 0.

Votes:

   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Levy, Frech
   NOOP(1) Baker
Voter Comments:
 Frech> XF:glftpd-default-account
 Levy> BID 881


CAN-2000-0046

Phase: Modified (20000204-01)
Reference: BID:929
Reference: URL:http://www.securityfocus.com/bid/929
Reference: BUGTRAQ:20000111 ICQ Buffer Overflow Exploit
Reference: XF:icq-url-bo

Description:
Buffer overflow in ICQ 99b 1.1.1.1 client allows remote attackers to execute commands via a malformed URL within an ICQ message.

Votes:

   ACCEPT(2) Williams, Baker
   MODIFY(1) Frech
Voter Comments:
 Frech> ADDREF XF:icq-url-bo


CAN-2000-0047

Phase: Modified (20000202-01)
Reference: BUGTRAQ:20000117 Yahoo Pager/Messanger Buffer Overflow
Reference: XF:yahoo-messenger-pager-dos

Description:
Buffer overflow in Yahoo Pager/Messenger client allows remote attackers to cause a denial of service via a long URL within a message.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(1) Williams

CAN-2000-0049

Phase: Modified (20000204-01)
Reference: NTBUGTRAQ:20000107 Winamp buffer overflow advisory
Reference: BUGTRAQ:20000109 Buffer overflow with WinAmp 2.10
Reference: BID:925
Reference: URL:http://www.securityfocus.com/bid/925
Reference: XF:winamp-playlist-bo

Description:
Buffer overflow in Winamp client allows remote attackers to execute commands via a long entry in a .pls file.

Votes:

   ACCEPT(2) Wall, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:winamp-playlist-bo
 Christey> This may have been discovered earlier in:
   BUGTRAQ:19990512 Buffer overflow in WinAMP 2.x
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92662988700367&w=2
   See the following for possible confirmation:
   URL:http://www.winamp.com/getwinamp/newfeatures.jhtml
 Wall> This vulnerability has been seen in several versions of Winamp and part of ISS
   X-Force
   and SecuriTeam vulnerability checks.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]


CAN-2000-0054

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000104 Another search.cgi vulnerability
Reference: BID:921
Reference: URL:http://www.securityfocus.com/bid/921

Description:
search.cgi in the SolutionScripts Home Free package allows remote attackers to view directories via a .. (dot dot) attack.

Votes:

   MODIFY(1) Frech
Voter Comments:
 Frech> XF:http-cgi-homefree-search


CAN-2000-0055

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000106 [Hackerslab bug_paper] Solaris chkperm buffer overflow
Reference: BID:918
Reference: URL:http://www.securityfocus.com/bid/918

Description:
Buffer overflow in Solaris chkperm command allows local users to gain root access via a long -n option.

Votes:

   MODIFY(1) Frech
   NOOP(1) Dik
Voter Comments:
 Frech> XF:sol-chkperm-bo(3870)
 Dik> chkperm runs set-uid bin, so initially the access granted
   will be user bin, not root.  (Though bin access can easily be leveraged
   to root access, less so in Solaris 8+)
   Also, there is reason to believe this bug is not exploitable; the buffer
   overflown is declared in the stack in main(); yet, the program never
   returns from main() but calls exit instead so any damage to return addresses
   is never noticed.


CAN-2000-0058

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000105 Handspring Visor Network HotSync Security Hole
Reference: URL:http://www.security-express.com/archives/bugtraq/2000-01/0085.html
Reference: BID:920
Reference: URL:http://www.securityfocus.com/bid/920

Description:
Network HotSync program in Handspring Visor does not have authentication, which allows remote attackers to retrieve email and files.

Votes:

   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:handspring-visor-auth(3873)
   Consider removing the security-express.com reference, since it is identical
   to the BugTraq reference. The BugTraq reference is (hopefully) not going to
   disappear soon, and the security-express.com reference provides no new or
   additional information.
 Christey> URLs will begin to be included with candidates to support
   Board members' voting activities.  They will be converted to
   the generalized reference format when if candidate is
   ACCEPTed and becomes an official entry.
 Christey> The problem may not be a lack of authentication (as mentioned
   by the poster), but rather weak authentication (the apparent
   need to provide the same username).


CAN-2000-0059

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000103 PHP3 safe_mode and popen()
Reference: BID:911
Reference: URL:http://www.securityfocus.com/bid/911

Description:
PHP3 with safe_mode enabled does not properly filter shell metacharacters from commands that are executed by popen, which could allow remote attackers to execute commands.

Votes:

   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:php3-popen-execute(3900)
 Christey> CONFIRM:http://www.php.net/ChangeLog.php3
   Section dated January 11, 2000 says: "Fix safe-mode problem in
   popen() (Kristian)" 


CAN-2000-0061

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000107 IE 5 security vulnerablity - circumventing Cross-frame security policy and accessing the DOM of "old" documents.
Reference: BID:923
Reference: URL:http://www.securityfocus.com/bid/923

Description:
Internet Explorer 5 does not modify the security zone for a document that is being loaded into a window until after the document has been loaded, which could allow remote attackers to execute Javascript in a different security context while the document is loading.

Votes:

   MODIFY(2) LeBlanc, Frech
   REJECT(1) Christey
Voter Comments:
 Frech> XF:ie-cross-frame-docs(3901)
 LeBlanc> - I'd like to see a KB or bulletin referenced 
 Christey> This is a duplicate of CVE-2000-0156.  The FAQ at
   http://www.microsoft.com/technet/security/bulletin/fq00-009.asp.
   says "the vulnerability requires Active Scripting" and
   "it is possible, under very specific conditions, to violate IE's
   cross-domain security model."  Also says "the redirect is made, via
   the <IMG SRC> HTML tag"
   
   Need to copy these references over to CVE-2000-0156.


CAN-2000-0066

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000112 WebSitePro/2.3.18 is revealing Webdirectories

Description:
WebSite Pro allows remote attackers to determine the real pathname of webdirectories via a malformed URL request.

Votes:

   ACCEPT(2) Williams, Baker
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:website-pro-dir-path
 Christey> ADDREF BUGTRAQ:20000113 Re: WebSitePro/2.3.18 + 2.4.9 is revealing Webdirectories
   URL:http://www.securityfocus.com/archive/1/41798
   Also BID:932


CAN-2000-0067

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000112 CyberCash MCK 3.2.0.4: Large /tmp hole

Description:
CyberCash Merchant Connection Kit (MCK) allows local users to modify files via a symlink attack.

Votes:

   ACCEPT(2) Williams, Baker
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:cybercash-mck-tmp(3823)


CAN-2000-0068

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000104 [rootshell] Security Bulletin #27
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94704437920965&w=2

Description:
daynad program in Intel InBusiness E-mail Station does not require authentication, which allows remote attackers to modify its configuration, delete files, or read mail.

Votes:

   MODIFY(1) Frech
Voter Comments:
 Frech> XF:intel-email-unauthenticate-users


CAN-2000-0069

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000104 Security problem with Solstice Backup/Legato Networker recover command

Description:
The recover program in Solstice Backup allows local users to restore sensitive files.

Votes:

   MODIFY(1) Frech
Voter Comments:
 Frech> XF:solstice-backup-restore-files(3904)


CAN-2000-0071

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000111 IIS still revealing paths for web directories
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94770020309953&w=2
Reference: BUGTRAQ:20000113 SV: IIS still revealing paths for web directories
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94780058006791&w=2

Description:
IIS 4.0 allows a remote attacker to obtain the real pathname of the document root by requesting non-existent files with .ida or .idq extensions.

Votes:

   ACCEPT(2) Levy, LeBlanc
   MODIFY(1) Frech
   REJECT(1) Christey
Voter Comments:
 Frech> XF:iis-ida-idq-paths
 Christey> Consider adding:
   ADDREF BID:1065
   BUGTRAQ:20000309 Enumerate Root Web Server Directory Vulnerability for IIS 4.0
   Are there really 2 different threads on the same problem?
   
   Also consider XF:iis-root-enum
   
   May also be a dupe of CAN-1999-0450 (BID:194)
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> Appears to be a duplicate of CVE-2000-0098.  Confirm with
   Microsoft, and if it is a duplicate, then REJECT this
   candidate.
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> Confirmed duplicate by Microsoft.
 Christey> iis-ida-idq-paths(4346)	is obsolete; ensure
   http-indexserver-path(3890) is added to CVE-2000-0098.


CAN-2000-0074

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000111 PowerScripts PlusMail Vulnerablity

Description:
PowerScripts PlusMail CGI program allows remote attackers to execute commands via a password file with improper permissions.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Williams, Christey
Voter Comments:
 Frech> XF:plusmail-password-permissions
 Christey> Re-read the Bugtraq post to make sure the problem is described
   properly.  The advisory itself is vague as to the nature of
   the problem, and the exploit doesn't help clarify too much.
 Christey> Consider adding BID:2653


CAN-2000-0077

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108

Description:
The October 1998 version of the HP-UX aserver program allows local users to gain privileges by specifying an alternate PATH which aserver uses to find the ps and grep commands.

Votes:

   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> ADDREF XF:hp-aserver
 Christey> The Bugtraq posting does not mention specific versions.
   Is October 1998 equivalent to HP-UX 10.x?
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> BID:1929
   Make sure not dupe's with CAN-2000-0005 and CAN-20000-0078.


CAN-2000-0078

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108

Description:
The June 1999 version of the HP-UX aserver program allows local users to gain privileges by specifying an alternate PATH which aserver uses to find the awk command.

Votes:

   ACCEPT(1) Prosser
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> ADDREF XF:hp-aserver
 Christey> The Bugtraq posting does not mention specific versions.
   Is June 1999 equivalent to HP-UX 10.x?
 Prosser> The HP Bulletin (already ref'd) just specifies 10.x and 11.x OS versions running on HP9000 700/800 series.  According to Tripp (bugtraq), the audio server doesn't run on a machine without Audio Hardware (logical).  So one has to assume from the bulletin that any 9000 with audio hardware that is running a 10.x or 11.x version of OS with either the 98 or 99 version of Aserver loaded will be vulnerable to either the exploit in CAN-1999-0005(the 98 version of Aserver) or CAN-2000-0078 (the 99 version)and should take appropriate action.  No patches out from HP as of 10/2/2000 so either remove the program or tighten the permissions considerably.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> BID:1929
   Make sure not dupe's with CAN-2000-0005 and CAN-20000-0077.


CAN-2000-0079

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000118 Re: IIS still revealing paths for web directories
Reference: BID:936
Reference: URL:http://www.securityfocus.com/bid/936

Description:
The W3C CERN httpd HTTP server allows remote attackers to determine the real pathnames of some commands via a request for a nonexistent URL.

Votes:

   MODIFY(1) Frech
   NOOP(2) Williams, Christey
   RECAST(1) LeBlanc
Voter Comments:
 Frech> XF:w3c-httpd-reveal-paths
 LeBlanc> Title references IIS, vuln references W3C CERN httpd. Which
   one is broken?
 Christey> The mention of CERN httpd was buried in a followup on a
   description of an IIS problem, so this is the correct reference.


CAN-2000-0081

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000110 Yet another Hotmail security hole - injecting JavaScript using "j&#x41;vascript:"

Description:
Hotmail does not properly filter JavaScript code from a user's mailbox, which allows a remote attacker to execute the code by using hexadecimal codes to specify the javascript: protocol, e.g. j&#x41;vascript.

Votes:

   MODIFY(1) Frech
Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:hotmail-vascript-java-injection


CAN-2000-0082

Phase: Proposed (20000125)
Reference: URL:http://net4tv.com/voice/story.cfm?StoryID=1823
Reference: MISC:http://www.wired.com/news/technology/0,1282,33420,00.html
Reference: BUGTRAQ:20000104 The WebTV Email Exploit

Description:
WebTV email client allows remote attackers to force the client to send email without the user's knowledge via HTML.

Votes:

   MODIFY(1) Frech
Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> ADDREF XF:webtv-hijack-mail-forward


CAN-2000-0084

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000105 CuteFTP saved password 'encryption' weakness

Description:
CuteFTP uses weak encryption to store password information in its tree.dat file.

Votes:

   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:cuteftp-weak-encrypt(3910)
 Christey> BUGTRAQ:20010823 Re: Respondus v1.1.2 stores passwords using weak encryption
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99861651923668&w=2
   This followup to a different thread mentions the sm.dat file
   for the site manager.


CAN-2000-0085

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000103 Hotmail security hole - injecting JavaScript using <IMG LOWSRC="javascript:....">
Reference: BUGTRAQ:20000104 Yet another Hotmail security hole - injecting JavaScript in IE using <IMG DYNRC="javascript:....">

Description:
Hotmail does not properly filter JavaScript code from a user's mailbox, which allows a remote attacker to execute code via the LOWSRC or DYNRC parameters in the IMG tag.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:hotmail-java-execute


CAN-2000-0086

Phase: Proposed (20000125)
Reference: BUGTRAQ:20000116 TB2 Pro sending NT passwords cleartext
Reference: BID:935
Reference: URL:http://www.securityfocus.com/bid/935

Description:
Netopia Timbuktu Pro sends user IDs and passwords in cleartext, which allows remote attackers to obtain them via sniffing.

Votes:

   ACCEPT(2) Williams, Baker
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:timbuktu-password-cleartext


CAN-2000-0093

Phase: Proposed (20000208)
Reference: BUGTRAQ:20000122 NIS security advisory : password method downgrade
Reference: BUGTRAQ:20000121 Rh 6.1 initial root password encryption

Description:
An installation of Red Hat uses DES password encryption with crypt() for the initial password, instead of md5.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:linux-initial-password-encryption


CAN-2000-0096

Phase: Proposed (20000208)
Reference: BUGTRAQ:20000126 Qpopper security bug
Reference: BID:948
Reference: URL:http://www.securityfocus.com/bid/948

Description:
Buffer overflow in qpopper 3.0 beta versions allows local users to gain privileges via a long LIST command.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:qpopper-list-bo


CAN-2000-0101

Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

Description:
The Make-a-Store OrderPage shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Votes:

   MODIFY(1) Frech
   NOOP(1) Christey
   RECAST(1) Cole
   REVIEWING(1) Wall
Voter Comments:
 Cole> I would combine all of these shopping cart applications into one listing, 
   since they all have the same vulnerability being able to modify sensitive 
   purchase information via hidden form fields.  My concern is in cases like 
   this we used over 10 entries for basically the same vulnerability.  I could 
   think of cases were there could be 20+ applications with the same 
   vulnerability and in my opinion it could start to weaken the value of CVE 
   where there are 30 entries all referring to the same thing.  It is almost 
   like we are playing the vendor game where more is better.  I think we 
   should go after the quality over quantity aspect.
 Christey> I disagree with Eric here.  This vulnerability is a "type" of
   problem in the same way that a buffer overflow is a "type" of
   problem.  While the shopping cart application bugs were
   proposed mostly at the same time, they are all by different
   vendors.
   
   The raw numbers of applications with this problem can make it
   appear that CVE is artificially inflating the number of
   entries.   However, content decisions such as CD:SF-LOC
   (different lines of code) dictate that these should be
   separated.  It's not a "numbers game" but rather a principled
   and consistent approach to resolving problems with
   selecting a level of abstraction.
 Frech> XF:shopping-cart-form-tampering


CAN-2000-0102

Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

Description:
The SalesCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Votes:

   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall
Voter Comments:
 Cole> See comments for CAN-2000-0101
 Frech> XF:shopping-cart-form-tampering


CAN-2000-0103

Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

Description:
The SmartCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Votes:

   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall
Voter Comments:
 Cole> See comments for CAN-2000-0101
 Frech> XF:shopping-cart-form-tampering


CAN-2000-0104

Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

Description:
The Shoptron shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Votes:

   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall
Voter Comments:
 Cole> See comments for CAN-2000-0101
 Frech> XF:shopping-cart-form-tampering


CAN-2000-0105

Phase: Proposed (20000208)
Reference: BUGTRAQ:20000201 Outlook Express 5 vulnerability - Active Scripting may read email messages
Reference: BID:962
Reference: URL:http://www.securityfocus.com/bid/962

Description:
Outlook Express 5.01 and Internet Explorer 5.01 allow remote attackers to view a user's email messages via a script that accesses a variable that references subsequent email messages that are read by the client.

Votes:

   ACCEPT(2) Wall, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> email-active-script-html
 Christey> Acknowledged via personal communication with Microsoft
   personnel, but I need to look through my email logs to recall
   whether they said that it is a duplicate of CAN-2000-0653
 CHANGE> [Christey changed vote from NOOP to REVIEWING]


CAN-2000-0106

Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

Description:
The EasyCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Votes:

   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall
Voter Comments:
 Cole> See comments for CAN-2000-0101
 Frech> XF:shopping-cart-form-tampering


CAN-2000-0108

Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

Description:
The Intellivend shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Votes:

   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall
Voter Comments:
 Cole> See comments for CAN-2000-0101
 Frech> XF:shopping-cart-form-tampering


CAN-2000-0109

Phase: Proposed (20000208)
Reference: BUGTRAQ:20000201 Security issues with S&P ComStock multiCSP (Linux)

Description:
The mcsp Client Site Processor system (MultiCSP) in Standard and Poor's ComStock is installed with several accounts that have no passwords or easily guessable default passwords.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Christey> ADDREF BUGTRAQ:20000324 Security issues with S&P ComStock multiCSP (Linux)
   http://marc.theaimsgroup.com/?l=bugtraq&m=95422382625409&w=2
   
   Note: this posting was a repeat of the February 1 post,
   saying that the problem still hadn't been fixed.
 Frech> XF:comstock-multicsp-passwords
 Christey> ADDREF BID:1080
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=1080


CAN-2000-0110

Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

Description:
The WebSiteTool shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Votes:

   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall
Voter Comments:
 Cole> See comments for CAN-2000-0101
 Frech> XF:shopping-cart-form-tampering


CAN-2000-0114

Phase: Proposed (20000208)
Reference: BUGTRAQ:20000203 2 MS Frontpage issues Cerberus Information Security Advisory (CISADV000203)

Description:
Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.

Votes:

   ACCEPT(2) Wall, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:iis-frontpage-info
 Christey> Acknowledged via personal communication with Microsoft
   personnel.
   
   May be the same as BID:1174 and/or BID:1433 (both mention
   FrontPage, but one mentions shtml.exe and another mentions
   shtml.dll)
 Christey> [note to self: review comments by Mark Burnett]
 CHANGE> [Christey changed vote from NOOP to REVIEWING]


CAN-2000-0115

Phase: Proposed (20000208)
Reference: NTBUGTRAQ:20000121 Strange behaviour IIS and RegExp

Description:
IIS allows local users to cause a denial of service via invalid regular expressions in a Visual Basic script in an ASP page.

Votes:

   ACCEPT(1) Cole
   REJECT(2) Frech, LeBlanc
   REVIEWING(1) Wall
Voter Comments:
 Frech> This reference to NTBugtraq has a message that ends with "Can anyone
   reproduce this?", and there are no followups. This makes for a weak
   reference. There are also no other references listed for this CAN.
 LeBlanc> - no follow-ups, no KB article, no fix
 CHANGE> [Frech changed vote from REVIEWING to REJECT]


CAN-2000-0118

Phase: Proposed (20000208)
Reference: BUGTRAQ:20000130 RedHat 6.1 /and others/ PAM
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94935300520617&w=2

Description:
The Red Hat Linux su program does not log failed password guesses if the su process is killed before it times out, which allows local attackers to conduct brute force password guessing.

Votes:

   ACCEPT(3) Levy, Cole, Baker
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Frech> Is this the same issue as BugTraq Mailing List, Wed, 9 Jun 1999 14:07:27
   -0700 "vulnerability in su/PAM in redhat" at
   http://www.netspace.org/cgi-bin/wa?A2=ind9906b&L=bugtraq&F=&S=&P=5356 and
   "Solaris 2.5 /bin/su [was: vulnerability in su/PAM in redhat]" at
   http://www.netspace.org/cgi-bin/wa?A2=ind9906b&L=bugtraq&F=&S=&P=6051
   If so, then MODIFY XF:su-brute
 Christey> BID:320
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=320
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:su-brute(2278)
   This issue involves more platforms than Red Hat. See BugTraq
   Mailing List, Thu Jun 10 1999 12:13:06, "Solaris 2.5 /bin/su [was:
   vulnerability in su/PAM in redhat]",
   http://www.securityfocus.com/archive/1/14854
 Christey> It does look like this is the same issue as the other Bugtraq
   post that explicitly mentions Red Hat and PAM.


CAN-2000-0119

Phase: Proposed (20000208)
Reference: BUGTRAQ:20000130 Bypass Virus Checking
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94936267131123&w=2

Description:
The default configurations for McAfee Virus Scan and Norton Anti-Virus virus checkers do not check files in the RECYCLED folder that is used by the Windows Recycle Bin utility, which allows attackers to store malicious code without detection.

Votes:

   ACCEPT(2) Wall, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Christey> ADDREF BID:956
   
   A followup post on Feb 8 by Paul L Schmehl claims that this
   would not work, because the anti-virus checkers would
   activate if the user attempts to execute the program.
 Frech> XF:win-trojan-detection-bypass
   Much earlier possible reference at NTBugtraq Mailing List, Wed, 22 Dec 1999
   20:37:43 -0800, "Bypass Virus Checking under 95/98/NT" at
   http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9912&L=ntbugtraq&F=&S=&P=6030
 CHANGE> [Cole changed vote from REVIEWING to ACCEPT]
 Christey> NTBUGTRAQ:19991222 Bypass Virus Checking under 95/98/NT
   http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9912&L=ntbugtraq&F=&S=&P=6030


CAN-2000-0122

Phase: Proposed (20000208)
Reference: NTBUGTRAQ:20000203 2 MS Frontpage issues Cerberus Information Security Advisory (CISADV000203)
Reference: BID:964
Reference: URL:http://www.securityfocus.com/bid/964

Description:
Frontpage Server Extensions allows remote attackers to determine the physical path of a virtual directory via a GET request to the htimage.exe CGI program.

Votes:

   ACCEPT(3) LeBlanc, Wall, Cole
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:ms-frontpage-get-htimage
 Christey> It appears that this was rediscovered in April 18, 2000:
   BUGTRAQ:20000418 More vulnerabilities in FP
   URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D38FCAC0C.869611C0%40hobbiton.org
   
   This in turn may match BID:1141
 Christey> According to Scott Culp of Microsoft, this was patched in MS:MS00-028.
 Christey> BID:1141 ??


CAN-2000-0123

Phase: Proposed (20000208)
Reference: BUGTRAQ:20000203 Re: [xforce@iss.net: ISSalert: ISS E-Security Alert: Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications]

Description:
The shopping cart application provided with Filemaker allows remote users to modify sensitive purchase information via hidden form fields.

Votes:

   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall
Voter Comments:
 Cole> See comments for CAN-2000-0101
 Frech> XF:shopping-cart-form-tampering


CAN-2000-0124

Phase: Proposed (20000208)
Reference: BUGTRAQ:20000203 surfCONTROL SuperScout v2.6.1.6 flaw
Reference: BID:965
Reference: URL:http://www.securityfocus.com/bid/965

Description:
surfCONTROL SuperScout does not properly asign a category to web sites with a . (dot) at the end, which may allow users to bypass web access restrictions.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Christey
   RECAST(1) Cole
Voter Comments:
 Cole> See comments for CAN-2000-0101
 Frech> XF:surfcontrol-superscout-bypass-filter(4009)
 Christey> Fix typo: "asign"


CAN-2000-0125

Phase: Proposed (20000208)
Reference: BUGTRAQ:20000203 RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10002031027120.15921-100000@eight.wiretrip.net
Reference: BID:967
Reference: URL:http://www.securityfocus.com/bid/967

Description:
wwwthreads does not properly cleanse numeric data or table names that are passed to SQL queries, which allows remote attackers to gain privileges for wwwthreads forums.

Votes:

   ACCEPT(2) Cole, Baker
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Frech> XF:wwwthreads-sql-command-privs(4011)
 Christey> CONFIRM:http://www.wwwthreads.com/perl/showflat.pl?Cat=&Board=info&Number=9932&page=1&view=collapsed&sb=5


CAN-2000-0126

Phase: Proposed (20000208)
Reference: BUGTRAQ:20000202 Alert: IIS 4 / IS 2 IDQ Cerberus Information Security Advisory (CISADV000202)
Reference: NTBUGTRAQ:20000202 Alert: IIS 4 / IS 2 IDQ Cerberus Information Security Advisory (CISADV000202)

Description:
Sample Internet Data Query (IDQ) scripts in IIS 3 and 4 allow remote attackers to read files via a .. (dot dot) attack.

Votes:

   ACCEPT(3) LeBlanc, Wall, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:iis-dir-traversal-read
 Christey> This may be a variant of CVE-2000-0097 or CVE-2000-0098.
   MS:MS00-006 says that a new variant was announced on February 4,
   but that it only revealed the physical path.  The post related
   to this CAN is dated February 2, but it describes the impact
   as being able to read files.
   
   See http://marc.theaimsgroup.com/?l=bugtraq&m=94972759912790&w=2
 Christey> According to Mark Burnett: "CISADV000202 [described] idq.dll
   and involving .idq files...  IDQ files are vulnerable to a
   double-dot bug that allows files on the same partition as the
   web root to be viewed.... [This candidate] refers to the same
   MS00-006"
   
   ADDREF MS:MS00-006
   ADDREF BID:968 ?
 Frech> Change iis-dir-traversal-read(4014) to http-indexserver-view-files(4232)


CAN-2000-0129

Phase: Proposed (20000208)
Reference: NTBUGTRAQ:20000204 Local / Remote D.o.S Attack in Serv-U FTP-Server v2.5b for Win9x/WinNT Vulnerability
Reference: BUGTRAQ:20000204 Local / Remote D.o.S Attack in Serv-U FTP-Server v2.5b for Win9x/WinNT Vulnerability
Reference: NTBUGTRAQ:20000204 Windows Api SHGetPathFromIDList Buffer Overflow
Reference: BUGTRAQ:20000204 Windows Api SHGetPathFromIDList Buffer Overflow

Description:
Buffer overflow in the SHGetPathFromIDList function of the Serv-U FTP server allows attackers to cause a denial of service by performing a LIST command on a malformed .lnk file.

Votes:

   ACCEPT(3) Cole, Blake, Baker
   MODIFY(2) Frech, Levy
   NOOP(2) Ozancin, Armstrong
   RECAST(1) Christey
   REVIEWING(1) Wall
Voter Comments:
 Frech> XF:win-shortcut-api-bo
   The real problem seems to be with the Windows API call, not the Serv-U FTP
   app. As the "Windows Api SHGetPathFromIDList Buffer Overflow" reference
   states, [The bug can] "cause whatever handles the shortcuts to crash."
   As a suggestion, rephrase the description from Windows's context, and state
   that the Serv-U FTP server is an example of an app that exhibits this
   problem.
 Wall> Comment:  the original UssrLabs advisory does mention the SHGetPathFromIDList
   buffer overflow in a Windows API and that Serv-U FTP uses this API to cause the
   problem.  The problem does not exist on Windows 2000.  The solution seems to be
   in a new release of Serv-U FTP.
 Levy> BID 970
 Christey> 
   Reports indicate that while the vulnerable function was found in Serv-U FTP
   server, the function is actually from Microsoft, and as such may affect other
   applications.
   XF:win-shortcut-api-bo
   BID:970


CAN-2000-0132

Phase: Proposed (20000208)
Reference: BUGTRAQ:20000201 `Microsoft VM for Java' allows reading local files using `getSystemResourceAsStream'.
Reference: BID:957
Reference: URL:http://www.securityfocus.com/bid/957

Description:
Microsoft Java Virtual Machine allows remote attackers to read files via the getSystemResourceAsStream function.

Votes:

   ACCEPT(2) Wall, Cole
   REJECT(3) Frech, LeBlanc, Christey
Voter Comments:
 Frech> How is this different from MITRE:CVE-2000-0162, other than the
   fact that it has an MS advisory that's vague on the reason but
   has the same outcome, and this one mentions the
   getSystemResourceAsStream function?
 Christey> This is a duplicate of CVE-2000-0162, as confirmed via David
   LeBlanc.  The descriptions of CAN-2000-0132 and CVE-2000-0162 were
   significantly different, as was the descriptive text of
   MS:MS00-011 and the original Bugtraq posting.  So this
   duplicate wasn't picked up before.   CVE-2000-0162 needs to be
   modified to include XF:virtual-machine-file-read as a
   reference.
 LeBlanc> Duplicate
 Christey> Ensure that CVE-2000-0162 uses msvm-java-file-read(4024) now,
   instead of virtual-machine-file-read(4577)
 Frech> If duplicate with CAN-2000-0098, shouldn't the references be
   moved over to the valid CVE number? Please advise.
 Christey> When CAN-2000-0132 is rejected, the references will be added
   to CVE-2000-0098.


CAN-2000-0133

Phase: Proposed (20000208)
Reference: BUGTRAQ:20000201 Tiny FTPd 0.52 beta3 Buffer Overflow
Reference: BID:961
Reference: URL:http://www.securityfocus.com/bid/961

Description:
Buffer overflows in Tiny FTPd 0.52 beta3 FTP server allows users to execute commands via the STOR, RNTO, MKD, XMKD, RMD, XRMD, APPE, SIZE, and RNFR commands.

Votes:

   ACCEPT(2) Cole, Baker
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:tinyftp-command-overflow(4000)


CAN-2000-0134

Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

Description:
The Check It Out shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Votes:

   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall
Voter Comments:
 Cole> See comments for CAN-2000-0101
 Frech> XF:shopping-cart-form-tampering


CAN-2000-0135

Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

Description:
The @Retail shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Votes:

   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall
Voter Comments:
 Cole> See comments for CAN-2000-0101
 Frech> XF:shopping-cart-form-tampering


CAN-2000-0136

Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

Description:
The Cart32 shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Votes:

   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall
Voter Comments:
 Cole> See comments for CAN-2000-0101
 Frech> XF:shopping-cart-form-tampering


CAN-2000-0137

Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

Description:
The CartIt shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Votes:

   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall
Voter Comments:
 Cole> See comments for CAN-2000-0101
 Frech> XF:shopping-cart-form-tampering


CAN-2000-0138

Phase: Modified (20000502-01)
Reference: CERT:CA-2000-01
Reference: CERT:IN-99-04
Reference: SUN:00193
Reference: ISS:20000209 Denial of Service Attack using the TFN2K and Stacheldraht programs
Reference: ISS:20000502 "mstream" Distributed Denial of Service Tool
Reference: URL:http://xforce.iss.net/alerts/advise48.php3
Reference: BUGTRAQ:19991206 Analysis of trin00
Reference: BUGTRAQ:19991206 Analysis of Tribe Flood Network
Reference: BUGTRAQ:19991229 Analysis of "stacheldraht"
Reference: BUGTRAQ:20000211 DDOS Attack Mitigation
Reference: BUGTRAQ:20000211 TFN2K - An Analysis
Reference: BUGTRAQ:20000211 A DDOS proposal.
Reference: BUGTRAQ:20000429 Re: Source code to mstream, a DDoS tool
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95715370208598&w=2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95722093124322&w=2

Description:
A system has a distributed denial of service (DDOS) attack master, agent, or zombie installed, such as (1) Trinoo, (2) Tribe Flood Network (TFN), (3) Tribe Flood Network 2000 (TFN2K), (4) stacheldraht, (5) mstream, or (6) shaft.

Votes:

   ACCEPT(2) Wall, Cole
   NOOP(4) Shostack, Levy, Dik, Christey
   RECAST(2) Ziese, Meunier
   REVIEWING(2) Bishop, Blake
Voter Comments:
 Christey> **********************************************************
   THIS CANDIDATE HAS GENERATED A LONG THREAD.  SEE THE 
   EDITORIAL BOARD ARCHIVES FOR DETAILS, BEGINNING AT
   
   http://cve.mitre.org/Board_Sponsors/archives/msg00590.html
   
   **********************************************************
 Ziese> 
   I suggest we I'd like to suggest that we consider not tying
   specifically to a DDOS tool.  Instead, since we are at at higher
   abstraction level, that we make the class include those master/slave
   tool combinations that are used for malicious purposes (i.e. DDOS,
   data exfiltration, or whatever the appropriate classes of effect are).
   
   My concern is that (1) we treat all distributed attacks at the same
   abstract level; not just the DDOS ones.  Second, if it is at a higher
   abstraction level then it seems right to unlimit it (by including
   master/slave combinations in general; not just the DDOS asect).
 Meunier> I think that trinoo etc... are very similar to smurf attacks
   (CVE-1999-0513 ) in the sense that a third party allows itself to be
   used.  Also, there is an  obvious solution that can only be done by
   that third party.
   
   As for the CVE entry, I am considering whether the common entry point
   could be reduced to "egress filtering has not been implemented or has
   been disabled, allowing the sending of spoofed IP packets".
   Incidentally, this would prevent the use of decoys in port scans,
   etc...  This single CVE entry would be very powerful. We could use
   the dot notation to list the DDoS tools and attacks that rely on the
   absence of egress filtering based on the argument that if you have
   egress filtering, nobody will bother to put or use DDoS tools on your
   computers.
   
   The weakness of this is that one could in theory still use DDoS tools
   even if you have egress filtering -- only they will be one shot guns,
   almost completely eliminating their appeal and effectiveness.  One
   use, and they will be blocked, tracked down and destroyed
   efficiently.
   
   Pascal
   
   P.S.: I am attracted by the idea of starting an internet (fire)wall
   of shame, for people who haven't implemented egress filtering.  It
   worked pretty well against sites allowing themselves to be used for
   smurf attacks (http://www.powertech.no/smurf/).  Why not use the same
   strategy for egress filtering?  Of course it's hard to know who is
   the source of IP spoofed  packets.  However the consistent detection
   of crud originating from a server is a sure sign that they haven't
   implemented egress filtering.  For example (my first candidate to
   this wall of shame), this weekend the Linux suse ftp server sent many
   packets with an illegal ip address as source, one reserved for local
   area networks, upon making an ftp connection (it may still be doing
   it, I haven't checked since -- the suse ftp admin mentioned that they
   were aware of it).  It was easy to figure out it was them by
   repeating the ftp connections and observing the 100% reproducibility
   and time correlation of the extraneous packets.  In addition, the
   suse servers kept sending me crud for *hours* after a failed attempt
   to download their PPC beta.
   
   The cost of egress filtering is easily justified.  The argument is
   similar to those relating to pollution, excepted that people don't
   try to break into your car if you have removed the catalytic
   converter.
 Bishop> I need to think about the exact meaning of MP. I suspect I
   will agree with the classification, on an operational basis
   (meaning I may want to revisit it), but I want to think on it
   some more.
 Blake> I don't agree with Pascal that this is a filtering problem analogous to
   smurf.  Rootkit is a better analogy.  The DDoS software doesn't exploit
   any unique vulnerability directly.  It's presence is entirely predicated
   on the existence of at least one other, easily exploited vulnerability.
   >From the perspective of the system owner, this is just one of several
   backdoors that could be installed.  Seems to me that the presence of a
   known backdoor package should be considered a vulnerability (or at least
   an exposure).
   
   I'm really torn on whether or not to split them out, though.  My
   inclination is to group master and slave by package; i.e., trinoo
   master/slave, tfn master/slave, etc.
   
 Wall> 
   Just to be consistent, you may add Trinoo (trin00) and does it matter
   if it is Tribal or Tribe?  The original internal c program says Tribe Flood
   Network.
 Meunier> What they have in common is the use of an amplification mechanism.
   They are broadcasting (multicasting) to a (virtual private) network,
   which then amplifies the messages.  In both cases, the amplification
   is done by the third party victim hosts.  The difference is just that
   the network is virtual instead of physical.
   
   
   Scott, you are assuming that the people who have the tools installed
   are unwilling.  Let's say theoretically speaking that there is an
   underground hacker group (or student association) who is hooked up to
   DSL lines (like in university residences) and who thinks that it
   would be "cool" to form an "army".  How about a popular civil
   movement protesting something, like the WTO last summer?  I think
   some people would voluntarily "enlist" their computers in a cause
   that would use DDoS attacks.  The rootkit analogy does not hold, yet
   the DDoS attacks could be just as effective.  However, if the
   university or ISPs implemented egress filtering, the DDoS attacks
   could be easily stopped because the people could be held accountable.
   The crux of the matter is the anonymity provided by IP spoofing.
   
   You are correct that in most cases, having a DDoS tool installed on
   your system is an exposure like rootkit.  Maybe that deserves a CVE
   entry.  However, I think that does not capture the nature of the
   DDoS, and that an entry about egress filtering is of utmost
   importance because it patches a fundamental vulnerability of IPv4.
 Blake> Excellent response, Pascal, thanks.  I hadn't thought of people
   volunteering, but that's certainly a plausible scenario.  Part of my
   motivation/thinking was a desire to stay away from making this into only
   yet another use for spoofed IP packets.  I wholeheartedly agree that
   egress filtering essential, but am reluctant to single out the recent DDoS
   events as the reason for it.
   
   I'd prefer to split out egress filtering as a seperate CVE entry (on the
   theory that not using egress filtering constitutes an exposure -- at least
   to liability), rather than tying it to these entries.
 Levy> I agree with Scott for no other reason that there needs to be a CVE
   ID so that IDS systems can report this things.
   
   Are we going to start handing out CVE ids for low level design faults?
   E.g. lack of encryption at the IPv4 packet level? lack of resource
   allocation protocols? the used of DES instead of Triple DES? etc
 Shostack> Both excellent points, however, I'd like to add that even if people
   volunteer to host the tools, Trinoo and company allow the controlling
   attacker to hide activities, which counts as an exposure under
   http://cve.mitre.org/About_CVE/About/definition.html
 Cole> Even with all of the debate i accept this one.
 Christey> With respect to inclusion of design flaws in CVE, review
   http://cve.mitre.org/Board_Sponsors/archives/msg00602.html
   
   Other design flaws that have already been added to CVE
   include Smurf (CVE-1999-0513), Fraggle (CVE-1999-0514)
   and TCP sequence number prediction (CVE-1999-0077), although
   this last one may need to be RECAST to a lower level of
   abstraction.
 CHANGE> [Meunier changed vote from REVIEWING to RECAST]
 Meunier> In the sense that this is like a rootkit, then it is a
   duplicate of CAN-1999-0660, "A hacker utility or Trojan Horse is
   installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc..."
   
   It should be recast as CAN-1999-0660.1 DDoS tools
   Other dot notations could indicate different effects of the tools.
 Dik> There doesn't seem to be much to add to the
   discussion.


CAN-2000-0142

Phase: Proposed (20000216)
Reference: BUGTRAQ:20000211 Timbuktu Pro 2.0b650 DoS

Description:
The authentication protocol in Timbuktu Pro 2.0b650 allows remote attackers to cause a denial of service via connections to port 407 and 1417.

Votes:

   ACCEPT(4) Bishop, LeBlanc, Cole, Blake
   MODIFY(2) Frech, Levy
   NOOP(1) Christey
Voter Comments:
 Frech> XF:timbuktu-auth-dos
 Levy> BID 984
 Christey> BUGTRAQ:20000412 Timbuktu DoS repaired by Netopia
   http://www.securityfocus.com/archive/1/54850
   BID:984


CAN-2000-0143

Phase: Interim (20001011)
Reference: BUGTRAQ:20000211 sshd and pop/ftponly users incorrect configuration
Reference: XF:ssh-redirect-tcp-connection

Description:
The SSH protocol server sshd allows local users without shell access to redirect a TCP connection through a service that uses the standard system password database for authentication, such as POP or FTP.

Votes:

   ACCEPT(3) LeBlanc, Cole, Blake
   MODIFY(1) Frech
   NOOP(1) Bishop
   REJECT(1) Levy
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:ssh-redirect-tcp-connection
 CHANGE> [Cole changed vote from REVIEWING to ACCEPT]
 Christey> Examine the thread at
   http://marc.theaimsgroup.com/?l=bugtraq&m=95055978131077&w=2
   to ensure that this problem is being characterized
   appropriately.
 Levy> SSH is working as designed. The fact that some of its interactions
   are not forseen by some is not a vulnerability.


CAN-2000-0147

Phase: Modified (20000321-01)
Reference: NAI:20000207 SNMPD default writable community string
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0045.html
Reference: SCO:SB-00.04a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-00.04a
Reference: BID:973
Reference: URL:http://www.securityfocus.com/bid/973

Description:
snmpd in SCO OpenServer has an SNMP community string that is writable by default, which allows local attackers to modify the host's configuration.

Votes:

   ACCEPT(5) Bishop, Levy, Cole, Blake, Baker
   MODIFY(1) Frech
   NOOP(1) LeBlanc
Voter Comments:
 Frech> XF:sco-openserver-snmpd


CAN-2000-0151

Phase: Proposed (20000216)
Reference: SUSE:20000209 make-3.77-44
Reference: BID:981
Reference: URL:http://www.securityfocus.com/bid/981

Description:
GNU make follows symlinks when it reads a Makefile from stdin, which allows other local users to execute commands.

Votes:

   ACCEPT(3) Bishop, Levy, Blake
   MODIFY(1) Frech
   NOOP(2) LeBlanc, Cole
   REJECT(1) Christey
Voter Comments:
 Frech> XF:gnu-makefile-tmp-root
   (We have made assignment to two CANs. Requesting confirmation that this is
   not a duplicate of CAN-2000-0092: The BSD make program allows local users to
   modify files via a symlink attack when the -j option is being used.)
 Christey> To confirm Andre's question, this is being treated as
   different from CAN-2000-0092, based largely on the fact
   that the exploit is different.  I believe there was
   another reason for keeping these distinct, but that
   "deeper analysis" was not recorded :-(  While it's possible
   that this is the same bug from some common version of make,
   in the absence of other information we should probably
   keep these two split.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> Taking a fresh look at the diff's for FreeBSD make:
   ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:01.make.asc
   And Debian make:
   http://security.debian.org/dists/slink/updates/source/make_3.77-5slink.diff.gz
   
   OK... now that I've hurt my brain looking at the code, while
   there are major differences in the surrounding code,
   ultimately both FreeBSD and Debian create an "outfile" file
   descriptor for the temporary file, within main() in main.c.
   In addition, child_execute_job() in job.c uses an outfile
   variable - for both sources.
   
   Perhaps FreeBSD reported the -j problem without seeing that it
   could come in from stdin as well, and/or Debian/etc. didn't realize
   that it was exploitable from job control, or maybe a combination of
   the two.  Regardless, the two problems are the same.
   
   Phew!  There goes a half-hour of my life that I'll never be
   able to get back...


CAN-2000-0153

Phase: Proposed (20000223)
Reference: BUGTRAQ:20000216 Doubledot bug in FrontPage FrontPage Personal Web Server.
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000801bf780a$9ad4b2e0$0100007f@localhost
Reference: BID:989
Reference: URL:http://www.securityfocus.com/bid/989

Description:
FrontPage Personal Web Server (PWS) allows remote attackers to read files via a .... (dot dot) attack.

Votes:

   ACCEPT(3) Levy, Wall, Cole
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) LeBlanc
Voter Comments:
 LeBlanc> I think this is the same as
   http://www.microsoft.com/technet/security/bulletin/ms99-010.asp
   If that is true, and you already have it logged, we don't want to have an
   entry for the same bug.
 Christey> MS:MS99-010 describes CVE-1999-0386.  Are there sufficient
   details to ensure that this is the same problem?
   
   See http://www.securityfocus.com/templates/archive.pike?list=1&msg=01bae51a$9ab232b0$0100007f@nordnode
   
 Frech> XF:pws-file-access
   (We currently have this issue assigned to this CAN and to CVE-1999-0386. I
   see that others have similar concerns that this is a duplicate; please
   confirm on current status of this candidate.)
 Christey> [note to self: review comments by Mark Burnett]


CAN-2000-0154

Phase: Modified (20000403-01)
Reference: NAI:20000215 ARCserve symlink vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000101bf78af$94528870$4d2f45a1@jmagdych.na.nai.com
Reference: BID:988
Reference: URL:http://www.securityfocus.com/bid/988
Reference: MISC:http://www.sco.com/security/

Description:
The ARCserve agent in UnixWare allows local attackers to modify arbitrary files via a symlink attack.

Votes:

   ACCEPT(1) Cole
   NOOP(2) LeBlanc, Wall
   REJECT(3) Frech, Levy, Christey
Voter Comments:
 Christey> DUPE CAN-2000-0224
 Frech> DUPE MITRE:CVE-2000-0224; XF:sco-openserver-arc-symlink
   Recommend moving BID reference to CVE-2000-0224.


CAN-2000-0155

Phase: Proposed (20000223)
Reference: BUGTRAQ:20000218 AUTORUN.INF Vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000701bf79cd$fdb5a620$4c4342a6@mightye.org
Reference: BID:993
Reference: URL:http://www.securityfocus.com/bid/993

Description:
Windows NT Autorun executes the autorun.inf file on non-removable media, which allows local attackers to specify an alternate program to execute when other users access a drive.

Votes:

   ACCEPT(3) Levy, Wall, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:nt-autorun-notdefault
 Christey> Consider:
   http://support.microsoft.com/support/kb/articles/Q155/2/17.asp
   http://support.microsoft.com/support/kb/articles/Q136/2/14.asp


CAN-2000-0158

Phase: Modified (20000403-01)
Reference: NAI:20000215 Remote Vulnerability in the MMDF SMTP Daemon
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000001bf78af$6d0d47a0$4d2f45a1@jmagdych.na.nai.com
Reference: BUGTRAQ:20000218 MMDF
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=200002181449.JAA03436@dragonfly.corp.home.net
Reference: SCO:SB-00.06a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-00.06a
Reference: BID:997
Reference: URL:http://www.securityfocus.com/bid/997

Description:
Buffer overflow in MMDF server allows remote attackers to gain privileges via a long MAIL FROM command to the SMTP daemon.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) LeBlanc, Wall
Voter Comments:
 Frech> XF:sco-mmdf-bo


CAN-2000-0160

Phase: Modified (20000321-01)
Reference: BUGTRAQ:20000221 Microsoft signed software can be install software without prompting users
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=20000221103938.T21312@securityfocus.com
Reference: XF:win-active-setup

Description:
The Microsoft Active Setup ActiveX component in Internet Explorer 4.x and 5.x allows a remote attacker to install software components without prompting the user by stating that the software's manufacturer is Microsoft.

Votes:

   ACCEPT(3) Levy, LeBlanc, Wall
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Christey
Voter Comments:
 Christey> In a followup to Bugtraq, Juan Carlos Cuartango makes some
   clarifications, specifically that the code that is executed
   *must* be signed by Microsoft.
   
   See BUGTRAQ:20000222 MS signed softwrare privileges
   
   Microsoft sends some followups, including a statement that it
   will include notification.
   
   The question is, does this belong in CVE?  There is no known
   means of exploitation; on the other hand, it is related
   to privacy concerns.  Several posts to the Bugtraq list
   indicate that some people believe that unprompted installation
   is a significant concern.
 Frech> XF:win-active-setup
 Levy> BID 999
   
   I do consider this vulnerability as it allows a malicious web page
   to install *old* and *vulnerable* components signed by microsoft.
 LeBlanc> Fixed in MS00-042
 Christey> BID:999
   Also add XF:ie-active-setup-download ?


CAN-2000-0163

Phase: Proposed (20000223)
Reference: FREEBSD:FreeBSD-SA-00:03
Reference: URL:http://www.securityfocus.com/templates/advisory.html?id=2092
Reference: BID:996
Reference: URL:http://www.securityfocus.com/bid/996

Description:
asmon and ascpu in FreeBSD allow local users to gain root privileges via a configuration file.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) LeBlanc, Wall
Voter Comments:
 Frech> XF:asmon-ascpu-execute-commands
   (Not sims-slapd-logfiles)


CAN-2000-0167

Phase: Proposed (20000223)
Reference: NTBUGTRAQ:20000215 Crashing Inetinfo.exe by using a longfilename in the \mailroot\pickup directory
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0002&L=ntbugtraq&F=&S=&P=8800

Description:
IIS Inetinfo.exe allows local users to cause a denial of service by creating a mail file with a long name and a .txt.eml extension in the pickup directory.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   REVIEWING(4) Levy, LeBlanc, Wall, Christey
Voter Comments:
 Frech> XF:iis-pickup-directory-dos
 Christey> BID:1819
   URL:http://www.securityfocus.com/bid/1819
 LeBlanc> Trying to get more info


CAN-2000-0173

Phase: Proposed (20000322)
Reference: SCO:SB-00.08a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-00.08a

Description:
Vulnerability in the EELS system in SCO UnixWare 7.1.x allows remote attackers to cause a denial of service.

Votes:

   ACCEPT(2) Cole, Blake
   MODIFY(1) Frech
   NOOP(4) Ozancin, LeBlanc, Wall, Prosser
   REVIEWING(2) Levy, Christey
Voter Comments:
 Prosser> Although SCO is reporting the problem, there is too little info
   available to make an informed decision.  Unable to find anything
   anywhere on this.  It is an events logging system, so one would assume
   that there is a way to fill up the log and cause a system halt, but no
   way of confirming this with limited information.
 Christey> Perhaps we should create a content decision, say
   CD:VAGUE-ACK, which says whether it's reasonable to
   ACCEPT vendor-acknowledged problems that do not provide any
   salient details, as in this candidate as well as several
   others.
 Cole> I researched this a little more and you can change my NOOP to an
   ACCEPT
 Frech> XF:sco-eels-dos


CAN-2000-0176

Phase: Proposed (20000322)
Reference: BUGTRAQ:20000228 Serv-U FTP-Server v2.4a showing real path
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0417.html
Reference: BID:1016
Reference: URL:http://www.securityfocus.com/bid/1016

Description:
The default configuration of Serv-U 2.5d and earlier allows remote attackers to determine the real pathname of the server by requesting a URL for a directory or file that does not exist.

Votes:

   ACCEPT(4) Ozancin, Levy, Cole, Blake
   MODIFY(1) Frech
   NOOP(2) LeBlanc, Wall
Voter Comments:
 Frech> XF:servu-ftp-server-path(4060)


CAN-2000-0177

Phase: Proposed (20000322)
Reference: BUGTRAQ:20000302 DNSTools v1.08 has no input validation
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0000.html
Reference: BID:1028
Reference: URL:http://www.securityfocus.com/bid/1028

Description:
DNSTools CGI applications allow remote attackers to execute arbitrary commands via shell metacharacters.

Votes:

   ACCEPT(4) Ozancin, Levy, Cole, Blake
   MODIFY(1) Frech
   NOOP(2) LeBlanc, Wall
Voter Comments:
 Frech> XF:dnstools-invalid-input(4876)


CAN-2000-0187

Phase: Proposed (20000322)
Reference: BUGTRAQ:20000227 EZ Shopper 3.0 shopping cart CGI remote command execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0356.html
Reference: BID:1014
Reference: URL:http://www.securityfocus.com/bid/1014

Description:
EZShopper 3.0 loadpage.cgi CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack or execute commands via shell metacharacters.

Votes:

   ACCEPT(2) Ozancin, Levy
   MODIFY(1) Frech
   NOOP(5) LeBlanc, Wall, Cole, Christey, Blake
Voter Comments:
 Christey> Since EZShopper is written in Perl, there is strong evidence
   that both the .. and metacharacter attack probably go
   through the same insecure open() call.  (Perl's open can
   either read a regular file, or read piped output from
   a command that is specified to the open).
 Frech> XF:ezshopper-loadpage-cgi(4044)


CAN-2000-0188

Phase: Proposed (20000322)
Reference: BUGTRAQ:20000227 EZ Shopper 3.0 shopping cart CGI remote command execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0356.html
Reference: BID:1014
Reference: URL:http://www.securityfocus.com/bid/1014

Description:
EZShopper 3.0 search.cgi CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack or execute commands via shell metacharacters.

Votes:

   ACCEPT(2) Ozancin, Levy
   MODIFY(1) Frech
   NOOP(5) LeBlanc, Wall, Cole, Christey, Blake
Voter Comments:
 Christey> The exploit is different than CAN-2000-0187 by going through
   a different field in a different script, so maybe this should
   be kept separate, even though it's probably another open()
   call problem.
 Frech> XF:ezshopper-search-cgi(4045)


CAN-2000-0190

Phase: Proposed (20000322)
Reference: BUGTRAQ:20000303 Aol Instant Messenger DoS vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0016.html

Description:
AOL Instant Messenger (AIM) client allows remote attackers to cause a denial of service via a message with a malformed ASCII value.

Votes:

   ACCEPT(2) Cole, Blake
   MODIFY(1) Frech
   NOOP(2) Ozancin, LeBlanc
   REVIEWING(2) Levy, Wall
Voter Comments:
 Frech> XF:aolim-malformed-ascii-dos(4877)


CAN-2000-0197

Phase: Proposed (20000322)
Reference: NTBUGTRAQ:20000313 AT Jobs - Denial of serice/Privilege Elevation
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/current/0202.html
Reference: BID:1050
Reference: URL:http://www.securityfocus.com/bid/1050

Description:
The Windows NT scheduler uses the drive mapping of the interactive user who is currently logged onto the system, which allows the local user to gain privileges by providing a Trojan horse batch file in place of the original batch file.

Votes:

   ACCEPT(3) Levy, Cole, Baker
   MODIFY(1) Frech
   NOOP(2) Ozancin, Blake
   REJECT(1) LeBlanc
   REVIEWING(1) Wall
Voter Comments:
 LeBlanc> this is just bad security practice, not a vulnerability
 Frech> XF:nt-at-drive-mappings


CAN-2000-0198

Phase: Proposed (20000322)
Reference: NTBUGTRAQ:20000314 Local / Remote Multiples Remote DoS Attacks in MERCUR v3.2* for Windows 98/NT Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/current/0206.html
Reference: BUGTRAQ:20000314 Local / Remote Multiples Remote DoS Attacks in MERCUR v3.2* for Windows 98/NT Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/current/0137.html
Reference: BID:1051
Reference: URL:http://www.securityfocus.com/bid/1051

Description:
Buffer overflow in POP3 and IMAP servers in the MERCUR mail server suite allows remote attackers to cause a denial of service.

Votes:

   ACCEPT(2) Ozancin, Levy
   MODIFY(1) Frech
   NOOP(4) LeBlanc, Wall, Cole, Blake
Voter Comments:
 Frech> XF:mercur-login-dos
   The following don't seem to be correct:
   Reference:
   URL:http://archives.neohapsis.com/archives/ntbugtraq/current/0206.html 
   Perhaps it is:
   http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0206.html
   Reference:
   URL:http://archives.neohapsis.com/archives/bugtraq/current/0137.html
   Perhaps it is:
   http://archives.neohapsis.com/archives/bugtraq/2000-03/0137.html


CAN-2000-0199

Phase: Proposed (20000322)
Reference: ISS:20000314 Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store Administrative Login ID
Reference: BID:1055
Reference: URL:http://www.securityfocus.com/bid/1055

Description:
When a new SQL Server is registered in Enterprise Manager for Microsoft SQL Server 7.0 and the "Always prompt for login name and password" option is not set, then the Enterprise Manager uses weak encryption to store the login ID and password.

Votes:

   ACCEPT(5) Ozancin, Levy, Wall, Cole, Blake
   MODIFY(1) Frech
   REVIEWING(2) LeBlanc, Christey
Voter Comments:
 LeBlanc> I think this may just be user error - I'd like more information.
 Frech> XF:mssql-weak-encryption
   ISS:Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store
   Administrative Login ID
   URL:http://xforce.iss.net/alerts/advise45.php3
 Christey> According to Scott Culp, this can only be reproduced if the
   SQL server is running in an unsafe mode that is not
   recommended by Microsoft: "To securely use SQL Server,
   Microsoft recommends using Windows Integrated Security. In
   Windows Integrated Security mode passwords are never stored,
   as your Windows Domain sign-on is used as the security
   identifier to the database server."
   
   We still must consider approving this candidate, however, as a
   user configuration error instead of a software flaw.
   CD:DESIGN-WEAK-ENCRYPTION applies in this case, so if we
   decide to include configuration problems in which a user
   intentionally selects weak encryption, then we might still
   approve this candidate.


CAN-2000-0203

Phase: Proposed (20000322)
Reference: BUGTRAQ:20000228 Re: TrendMicro OfficeScan tmlisten.exe DoS
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=412FC0AFD62ED31191B40008C7E9A11A0D481D@srvnt04.previnet.it
Reference: BUGTRAQ:20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabilies
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=D129BBE1730AD2118A0300805FC1C2FE038AF28B@209-76-212-10.trendmicro.com
Reference: MISC:http://www.antivirus.com/download/ofce_patch_35.htm
Reference: BID:1013
Reference: URL:http://www.securityfocus.com/bid/1013

Description:
The Trend Micro OfficeScan client tmlisten.exe allows remote attackers to cause a denial of service via malformed data to port 12345.

Votes:

   ACCEPT(4) Levy, Wall, Armstrong, Blake
   MODIFY(1) Frech
   NOOP(3) Ozancin, LeBlanc, Cole
Voter Comments:
 Frech> XF:trendmicro-tmlisten-dos


CAN-2000-0204

Phase: Proposed (20000322)
Reference: BUGTRAQ:20000226 DOS in Trendmicro OfficeScan
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0340.html
Reference: BUGTRAQ:20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabilies
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=D129BBE1730AD2118A0300805FC1C2FE038AF28B@209-76-212-10.trendmicro.com
Reference: MISC:http://www.antivirus.com/download/ofce_patch_35.htm
Reference: BID:1013
Reference: URL:http://www.securityfocus.com/bid/1013

Description:
The Trend Micro OfficeScan client allows remote attackers to cause a denial of service by making 5 connections to port 12345, which raises CPU utilization to 100%.

Votes:

   ACCEPT(5) Levy, Wall, Cole, Armstrong, Blake
   MODIFY(1) Frech
   NOOP(2) Ozancin, LeBlanc
Voter Comments:
 Frech> XF:trendmicro-simultaneous-dos


CAN-2000-0205

Phase: Proposed (20000322)
Reference: BUGTRAQ:20000303 TrendMicro OfficeScan, numerous security holes, remote files modification.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0015.html
Reference: BUGTRAQ:20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabilies
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=D129BBE1730AD2118A0300805FC1C2FE038AF28B@209-76-212-10.trendmicro.com
Reference: MISC:http://www.antivirus.com/download/ofce_patch_35.htm
Reference: BID:1013
Reference: URL:http://www.securityfocus.com/bid/1013

Description:
Trend Micro OfficeScan allows remote attackers to replay administrative commands and modify the configuration of OfficeScan clients.

Votes:

   ACCEPT(3) Levy, Cole, Blake
   MODIFY(1) Frech
   NOOP(3) Ozancin, LeBlanc, Wall
Voter Comments:
 Frech> XF:trendmicro-admin-command(4041)


CAN-2000-0213

Phase: Proposed (20000322)
Reference: BUGTRAQ:20000223 Sambar Server alert!
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38B3E60A.6A84FEC3@cybcom.net
Reference: CONFIRM:http://www.sambar.com/session/highlight?url=/syshelp/history.htm&words=security+&color=red
Reference: XF:sambar-batfiles
Reference: BID:1002
Reference: URL:http://www.securityfocus.com/bid/1002

Description:
The Sambar server includes batch files ECHO.BAT and HELLO.BAT in the CGI directory, which allow remote attackers to execute commands via shell metacharacters.

Votes:

   ACCEPT(5) Frech, Levy, Cole, Armstrong, Blake
   NOOP(3) Ozancin, LeBlanc, Wall

CAN-2000-0214

Phase: Proposed (20000322)
Reference: BUGTRAQ:20000224 How the password could be recover using FTP Explorer's registry!
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10002242035500.30645-100000@unreal.sekure.org
Reference: BID:1003
Reference: URL:http://www.securityfocus.com/bid/1003

Description:
FTP Explorer uses weak encryption for storing the username, password, and profile of FTP sites.

Votes:

   ACCEPT(4) Ozancin, Levy, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) LeBlanc, Wall, Blake
Voter Comments:
 Frech> XF:ftp-explorer-weak-pwd(4038)


CAN-2000-0216

Phase: Proposed (20000322)
Reference: NTBUGTRAQ:20000229 mailbombing DoS easily exploitable against mail systems using MS mail clients.
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0176.html

Description:
Microsoft email clients in Outlook, Exchange, and Windows Messaging automatically respond to Read Receipt and Delivery Receipt tags, which could allow an attacker to flood a mail system with responses by forging a Read Receipt request that is redirected to a large distribution list.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(1) Ozancin
   REJECT(3) Levy, LeBlanc, Blake
   REVIEWING(1) Wall
Voter Comments:
 Blake> This is a configuration issue.  Should the fact that NT can be configured
   to accept a blank Admin password have a CVE entry?
 LeBlanc> This is documented as bad practice - if you have a wide distribution
   mailing list, you should only allow certain users to send mail to it.
   I don't think we want to start listing all possible admin errors as
   vulnerabilities.
 Frech> XF:microsoft-mail-client-dos(4893)
 Levy> I agree with all the above comments. Furthermore the delivery status
   notification RFC makes it clear that mailing list software should
   strip messages from DSN headers. I assume Microsoft's products are
   using the DSN standard and not something else.


CAN-2000-0219

Phase: Proposed (20000322)
Reference: BUGTRAQ:20000223 redhat 6.0: single user boot security hole
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200002230248.NAA19185@cairo.anu.edu.au
Reference: BID:1005
Reference: URL:http://www.securityfocus.com/bid/1005

Description:
Red Hat 6.0 allows local users to gain root access by booting single user and hitting ^C at the password prompt.

Votes:

   ACCEPT(4) Ozancin, Levy, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) LeBlanc, Wall, Blake
   REVIEWING(1) Christey
Voter Comments:
 Ozancin> We need an additional CVE entry for other distributions that simply drop you
   into a root shell in single user mode.
 Christey> Based on Craig's comments, need to consider if this is an LOA
   issue.
 Frech> XF:redhat-single-user-auth(4026)


CAN-2000-0220

Phase: Proposed (20000322)
Reference: BUGTRAQ:20000225 Zonealarm exports sensitive data

Description:
ZoneAlarm sends sensitive system and network information in cleartext to the Zone Labs server if a user requests more information about an event.

Votes:

   ACCEPT(1) Armstrong
   MODIFY(1) Frech
   NOOP(4) Ozancin, LeBlanc, Wall, Cole
   REJECT(1) Blake
   REVIEWING(1) Levy
Voter Comments:
 Blake> Discussion on Bugtraq shows that this is a really marginal issue.  Very
   tough to come up with a viable attack scenario.  Also, it's part of how
   this class of software works, not a flaw in the cited package.  Might be
   possible to recast this into something more generic....
 Frech> XF:zonealarm-exposes-info


CAN-2000-0227

Phase: Modified (20010910-01)
Reference: BUGTRAQ:20000323 Local Denial-of-Service attack against Linux
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0254.html
Reference: BUGTRAQ:20000328 Re: Local Denial-of-Service attack against Linux
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95421263519558&w=2
Reference: BID:1072
Reference: URL:http://www.securityfocus.com/bid/1072
Reference: XF:linux-domain-socket-dos(4186)
Reference: URL:http://xforce.iss.net/static/4186.php

Description:
The Linux 2.2.x kernel does not restrict the number of Unix domain sockets as defined by the wmem_max paremeter, which allows local users to cause a denial of service by requesting a large number of sockets.

Votes:

   ACCEPT(8) Frech, Ozancin, Levy, Cole, Armstrong, Collins, Blake, Baker
   NOOP(3) Magdych, Wall, Christey
Voter Comments:
 Christey> Fix typo: 'paremeter'
 Magdych> I remember when this came up...  seems like there were some wildly
   mixed results for the exploit.
 Christey> See http://marc.theaimsgroup.com/?l=bugtraq&m=95421263519558&w=2
   for Elias' summary of the mixed results.  It looks like
   enough people were able to replicate it that we should
   include it.
 Christey> Fix typo: "paremeter"
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]


CAN-2000-0239

Phase: Proposed (20000412)
Reference: BUGTRAQ:20000315 Local / Remote DoS Attack in MERCUR WebView WebMail-Client 1.0
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95325335825295&w=2
Reference: URL:http://www.ussrback.com/labs36.html
Reference: BID:1056
Reference: URL:http://www.securityfocus.com/bid/1056
Reference: XF:mercur-webview-get-dos

Description:
Buffer overflow in the MERCUR WebView WebMail server allows remote attackers to cause a denial of service via a long mail_user parameter in the GET request.

Votes:

   ACCEPT(3) Frech, Levy, Baker
   NOOP(2) Magdych, Cole
Voter Comments:
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]


CAN-2000-0241

Phase: Proposed (20000412)
Reference: BUGTRAQ:20000321 vqserver /........../
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.20000321084646.0095c7f0@olga.swip.net
Reference: BID:1068
Reference: URL:http://www.securityfocus.com/bid/1068
Reference: XF:vqserver-passwd-plaintext

Description:
vqSoft vqServer stores sensitive information such as passwords in cleartext in the server.cfg file, which allows attackers to gain privileges.

Votes:

   ACCEPT(3) Frech, Levy, Baker
   NOOP(2) Magdych, Cole
Voter Comments:
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]


CAN-2000-0242

Phase: Proposed (20000412)
Reference: BUGTRAQ:20000325 Windmail allow web user get any file
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=20000325224146.6839.qmail@securityfocus.com
Reference: XF:windmail-fileread
Reference: XF:windmail-pipe-command
Reference: BID:1073
Reference: URL:http://www.securityfocus.com/bid/1073

Description:
WindMail allows remote attackers to read arbitrary files or execute commands via shell metacharacters.

Votes:

   ACCEPT(2) Levy, Cole
   RECAST(1) Frech
   REJECT(2) Magdych, Christey
Voter Comments:
 Frech> Violation of fundamentum divisionis (that is, it's more than one issue) and
   a potential nitpick:
   - windmail-fileread: allows remote attackers to read arbitrary files
   - windmail-pipe-command: execute commands via shell metacharacters
   - The conjunction 'or' should be 'and', if you decide to stick with one CAN.
 Christey> As Andre basically said without naming content decisions,
   CD:SF-LOC says this should be split.
   
   HOWEVER - the author of the product says that WindMail isn't
   supposed to be a CGI script, and says that the pipe 
   character problem is not related to Geocel.  So should CVE
   record when someone runs a program that wasn't intended to
   be a CGI?  There may be a level of abstraction issue here.
   Note that Perl and shell interpreters in CGI-BIN are 
   already mentioned in CAN-1999-0509.  If we want to include
   "using a program that wasn't designed to be a CGI" as a
   problem, we should have a separate candidate.
   
   See the author's comments at:
   http://www.securityfocus.com/templates/archive.pike?list=1&msg=3.0.5.32.20000331114325.013af680@mailhost.geocel.com
   
   which also claims that the original announcer hasn't provided
   any more details after the author was unable to reproduce the
   problem.
 CHANGE> [Magdych changed vote from REVIEWING to REJECT]
 Magdych> After reviewing the author's comments, I'm inclined to think that this is more of a misconfiguration than a vulnerability.


CAN-2000-0244

Phase: Proposed (20000412)
Reference: BUGTRAQ:20000328 Citrix ICA Basic Encryption
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSO.4.20.0003290949280.2640-100000@naughty.monkey.org
Reference: BID:1077
Reference: URL:http://www.securityfocus.com/bid/1077

Description:
The Citrix ICA (Independent Computing Architecture) protocol uses weak encryption (XOR) for user authentication.

Votes:

   ACCEPT(2) Levy, Magdych
   MODIFY(1) Frech
   NOOP(1) Cole
Voter Comments:
 Frech> XF:citrix-encryption


CAN-2000-0247

Phase: Proposed (20000412)
Reference: BUGTRAQ:20000322 Local root compromise in GNQS 3.50.6 and 3.50.7
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0236.html
Reference: MISC:http://ftp.gnqs.org/pub/gnqs/source/by-version-number/v3.50/Generic-NQS-3.50.8-ChangeLog.txt

Description:
Vulnerability in Generic-NQS (GNQS) allows local users to gain root privileges.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Magdych, Cole, Christey
   REVIEWING(1) Levy
Voter Comments:
 Christey> ADDREF FREEBSD:FreeBSD-SA-00:13
   ADDREF ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00%3A13-generic-nqs.asc
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:generic-nqs-local-root
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]


CAN-2000-0248

Phase: Proposed (20000426)
Reference: ISS:20000424 Backdoor Password in Red Hat Linux Virtual Server Package
Reference: URL:http://xforce.iss.net/alerts/advise46.php3
Reference: REDHAT:RHSA-2000:014-10

Description:
The web GUI for the Linux Virtual Server (LVS) software in the Red Hat Linux Piranha package has a backdoor passowrd that allows remote attackers to execute arbitrary commands.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
   REJECT(1) Cox
Voter Comments:
 Christey> Typo fix: change "passowrd" to "password"
   ADDREF BID:1148
   ADDREF URL:http://www.securityfocus.com/bid/1148
 Christey> ADDREF XF:piranha-default-password
 Frech> XF:piranha-default-password
   In description, passowrd should be password.
 Cox> The "execute arbitrary commands" part is a seperate vulnerability,
   already assigned CVE-2000-0322.  The package was designed to have no
   password on installation, so "backdoor" does not apply.  When users
   install Piranha they are expected to add a password to the web
   administration GUI, it's a documented part of the procedure.  "The web
   GUI for the Linux Virtual Server (LVS) software in the Red Hat Linux
   Piranha package installs with a default password" is accurate if it
   qualifies as an exposure.
 Christey> BUGTRAQ:20000425 piranha default password/exploit
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95668829621268&w=2
   
   Default accounts/passwords need to be accounted for in CVE,
   but the question is what level of abstraction to use - a
   separate CVE for each password, or one CVE for all passwords,
   or somewhere in the middle?  That is the crux of CD:CF-PASS.


CAN-2000-0250

Phase: Proposed (20000426)
Reference: BUGTRAQ:20000414 qnx crypt comprimised
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0072.html
Reference: BID:1114
Reference: URL:http://www.securityfocus.com/bid/1114

Description:
The crypt function in QNX uses weak encryption, which allows local users to decrypt passwords.

Votes:

   ACCEPT(2) Levy, Baker
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:qnx-weak-encryption(4866)


CAN-2000-0256

Phase: Proposed (20000426)
Reference: MS:MS00-028
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-028.asp
Reference: BID:1117
Reference: URL:http://www.securityfocus.com/bid/1117

Description:
Buffer overflows in htimage.exe and Imagemap.exe in FrontPage 97 and 98 Server Extensions allow a user to conduct activities that are not otherwise available through the web site, aka the "Server-Side Image Map Components" vulnerability.

Votes:

   ACCEPT(3) Levy, Wall, Cole
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:frontpage-ext-image-map
 Christey> Possibly related to BUGTRAQ:20000418 More vulnerabilities in FP
   http://archives.neohapsis.com/archives/bugtraq/2000-04/0116.html


CAN-2000-0259

Phase: Proposed (20000426)
Reference: MS:MS00-024
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-024.asp
Reference: BID:1105
Reference: URL:http://www.securityfocus.com/bid/1105

Description:
The default permissions for the Cryptography\Offload registry key used by the OffloadModExpo in Windows NT 4.0 allows local users to obtain compromise the cryptographic keys of other users.

Votes:

   ACCEPT(3) Levy, Wall, Cole
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:winnt-cryptkeys-compromise
 Christey> Include "CryptoAPI" to facilitate search.
   MSKB:Q259496
   URL:http://www.microsoft.com/technet/support/kb.asp?ID=259496


CAN-2000-0266

Phase: Proposed (20000426)
Reference: BUGTRAQ:20000418 IE 5 security vulnerablity - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy)
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38FC6130.D6D178FD@nat.bg
Reference: BID:1121
Reference: URL:http://www.securityfocus.com/bid/1121

Description:
Internet Explorer 5.01 allows remote attackers to bypass the cross frame security policy via a malicious applet that interacts with the Java JSObject to modify the DOM properties to set the IFRAME to an arbitrary Javascript URL.

Votes:

   ACCEPT(4) Levy, LeBlanc, Wall, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:ie-java-crossframe-security
 Christey> May be a duplicate of CVE-2000-0465 according to my
   communications with Microsoft people.  CAN-2000-0028 may
   also be a variant.
 LeBlanc> MS00-039 


CAN-2000-0269

Phase: Proposed (20000426)
Reference: BUGTRAQ:20000418 RUS-CERT Advisory 200004-01: GNU Emacs 20
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de
Reference: BID:1125
Reference: URL:http://www.securityfocus.com/bid/1125

Description:
Emacs 20 does not properly set permissions for a slave PTY device when starting a new subprocess, which allows local users to read or modify communications between Emacs and the subprocess.

Votes:

   ACCEPT(2) Levy, Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Christey> ADDREF XF:emacs-local-eavesdrop
   Verify BID for this - is it 1125, 1126, or 1127?
   Also, ADDREF CALDERA:CSSA-2000-011.1 ??
   URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-011.1.txt
 Frech> XF:emacs-local-eavesdrop
 Christey> ADDREF MANDRAKE:MDKSA-2000:088 ?
   Also http://www.securityfocus.com/bid/2164, but is that a
   duplicate of BID:1125?


CAN-2000-0270

Phase: Proposed (20000426)
Reference: BUGTRAQ:20000418 RUS-CERT Advisory 200004-01: GNU Emacs 20
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de
Reference: BID:1125
Reference: URL:http://www.securityfocus.com/bid/1126

Description:
The make-temp-name Lisp function in Emacs 20 creates temporary files with predictable names, which allows attackers to conduct a symlink attack.

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, Levy
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Christey> ADDREF XF:emacs-tempfile-creation
   Verify BID for this - is it 1125, 1126, or 1127?
   Also, ADDREF CALDERA:CSSA-2000-011.1 ??
   URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-011.1.txt
 Frech> XF:emacs-tempfile-creation
 Levy> Change BID reference to BID 1126


CAN-2000-0271

Phase: Proposed (20000426)
Reference: BUGTRAQ:20000418 RUS-CERT Advisory 200004-01: GNU Emacs 20
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de
Reference: BID:1125
Reference: URL:http://www.securityfocus.com/bid/1125

Description:
read-passwd and other Lisp functions in Emacs 20 do not properly clear the history of recently typed keys, which allows an attacker to read unencrypted passwords.

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, Levy
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Christey> Verify BID for this - is it 1125, 1126, or 1127?
   Also, ADDREF CALDERA:CSSA-2000-011.1 ??
   URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-011.1.txt
   ADDREF XF:emacs-password-history
 Frech> XF:emacs-password-history
 Levy> Change BID reference to BID 1127


CAN-2000-0275

Phase: Proposed (20000426)
Reference: L0PHT:20000410 CRYPTOCard PalmToken PIN Extraction
Reference: URL:http://www.l0pht.com/advisories/cc-pinextract.txt
Reference: BUGTRAQ:20000410 CRYPTOAdmin 4.1 server with PalmPilot PT-1 token 1.04 PIN Extract ion
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0033.html
Reference: BID:1097
Reference: URL:http://www.securityfocus.com/bid/1097

Description:
CRYPTOCard CryptoAdmin for PalmOS uses weak encryption to store a user's PIN number, which allows an attacker with access to the .PDB file to generate valid PT-1 tokens after cracking the PIN.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:cryptoadmin-weak-encryption


CAN-2000-0280

Phase: Proposed (20000426)
Reference: BUGTRAQ:20000403 Win32 RealPlayer 6/7 Buffer Overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0018.html
Reference: BID:1088
Reference: URL:http://www.securityfocus.com/bid/1088

Description:
Buffer overflow in the RealNetworks RealPlayer client versions 6 and 7 allows remote attackers to cause a denial of service via a long Location URL.

Votes:

   ACCEPT(3) Levy, Wall, Cole
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:realserver-ramgen-dos


CAN-2000-0281

Phase: Proposed (20000426)
Reference: BUGTRAQ:20000326 neat little napster bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0277.html
Reference: BUGTRAQ:20000330 Napster, Inc. response to Colten Edwards
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0299.html

Description:
Buffer overflow in the Napster client beta 5 allows remote attackers to cause a denial of service via a long message.

Votes:

   NOOP(2) Wall, Cole
   REJECT(3) Frech, Levy, Baker
Voter Comments:
 Frech> Does not meet CVE candidate requirements. The problem was remedied on the
   server end, and no fault exists at the client. Based on
   http://archives.neohapsis.com/archives/bugtraq/2000-03/0299.html:
   Approximately one hour after receiving the post from BugTraq, 
   Napster's servers were patched to prevent this from occurring. 
   Users of the Napster Win32 client software are NOT vulnerable. 
 Baker> Agree with Andre


CAN-2000-0284

Phase: Proposed (20000426)
Reference: BUGTRAQ:20000416 imapd4r1 v12.264
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0074.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0085.html
Reference: BID:1110
Reference: URL:http://www.securityfocus.com/bid/1110

Description:
Buffer overflow in University of Washington imapd version 4.7 allows users with a valid account to execute commands via LIST or other commands.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Christey> ADDREF FREEBSD:FreeBSD-SA-00:14
   URL:http://www.securityfocus.com/templates/advisory.html?id=2179
 Frech> XF:imap-mailserver-bo


CAN-2000-0286

Phase: Proposed (20000426)
Reference: BUGTRAQ:20000416 xfs
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10004161525040.1186-200000@localhost
Reference: BID:1111
Reference: URL:http://www.securityfocus.com/bid/1111

Description:
X fontserver xfs allows local users to cause a denial of service via malformed input to the server.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Cole
   REJECT(2) Levy, Christey
Voter Comments:
 Frech> XF:redhat-fontserver-dos
   POTENTIAL DUPE: CAN-2000-0263: The X font server xfs in Red Hat Linux 6.x
   allows an attacker to cause a denial of service via a malformed request.
 Christey> As Andre observed, this is a duplicate of CAN-2000-0263.


CAN-2000-0288

Phase: Proposed (20000426)
Reference: BUGTRAQ:20000412 Infonautic's getdoc.cgi may allow unauthorized access to documents
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0049.html

Description:
Infonautics getdoc.cgi allows remote attackers to bypass the payment phase for accessing documents via a modified form variable.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Cole
   REVIEWING(2) Levy, Christey
Voter Comments:
 Frech> XF:http-cgi-infonautics-getdoc
 Christey> CD:EX-ONLINE-SVC applies here.  This may be a vulnerability in
   an online service (the search engines used by Infonautics)
   which poses no risk to anyone but the company itself.


CAN-2000-0291

Phase: Proposed (20000426)
Reference: BUGTRAQ:20000416 StarOffice 5.1
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0077.html
Reference: BID:1112
Reference: URL:http://www.securityfocus.com/bid/1112

Description:
Buffer overflow in Star Office 5.1 allows attackers to cause a denial of service by embedding a long URL within a document.

Votes:

   ACCEPT(2) Levy, Dik
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:staroffice-long-url-bo


CAN-2000-0293

Phase: Proposed (20000426)
Reference: BUGTRAQ:20000421 local user can delete arbitrary files on SuSE-Linux
Reference: BID:1130
Reference: URL:http://www.securityfocus.com/bid/1130

Description:
aaa_base in SuSE Linux 6.3, and cron.daily in earlier versions, allow local users to delete arbitrary files by creating files whose names include spaces, which are then incorrectly interpreted by aaa_base when it deletes expired files from the /tmp directory.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Christey> ADDREF SUSE:20000502 aaabase < 2000.5.2
   URL: http://www.suse.de/de/support/security/suse_security_announce_47.txt
   
   This advisory references another problem that is listed in
   CAN-2000-0433.
 Frech> XF:aaabase-file-deletion


CAN-2000-0295

Phase: Proposed (20000426)
Reference: BUGTRAQ:20000420 Remote vulnerability in LCDproc 0.4
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000421010946.15318I-200000@schizo.strange.net
Reference: BID:1131
Reference: URL:http://www.securityfocus.com/bid/1131

Description:
Buffer overflow in LCDproc allows remote attackers to gain root privileges via the screen_add command.

Votes:

   ACCEPT(2) Levy, Baker
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:lcdproc-remote-overflow


CAN-2000-0299

Phase: Proposed (20000426)
Reference: BUGTRAQ:20000404 WebObjects DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0020.html

Description:
Buffer overflow in WebObjects.exe in the WebObjects Developer 4.5 package allows remote attackers to cause a denial of service via an HTTP request with long headers such as Accept.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Williams, Wall, Cole, Christey
   REVIEWING(1) Levy
Voter Comments:
 Christey> ADDREF XF:webobjects-post-dos
 Frech> XF:webobjects-post-dos
 Christey> See http://til.info.apple.com/techinfo.nsf/artnum/n75087
   Document says:
   "A request with a large, malformed http header can crash a WOApp"
   (Apple reference #2470254) appears to be the acknowledgement needed.
   
   Is this sufficient acknowledgement?  This is dated AUgust 24,
   but the initial disclosure occurred on April 4.
 Christey> BID:1896


CAN-2000-0300

Phase: Proposed (20000426)
Reference: BUGTRAQ:20000405 PcAnywhere weak password encryption
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000406030958.23902.qmail@securityfocus.com
Reference: BID:1093
Reference: URL:http://www.securityfocus.com/bid/1093

Description:
The default encryption method of PcAnywhere 9.x uses weak encryption, which allows remote attackers to sniff and decrypt PcAnywhere or NT domain accounts.

Votes:

   ACCEPT(3) Levy, Cole, Prosser
   MODIFY(1) Frech
   REVIEWING(1) Wall
Voter Comments:
 Frech> XF:pcanywhere-weak-encryption
 Prosser> http://service2.symantec.com/SUPPORT/pca.nsf/pfdocs/1999022312571812
   Upgraded in pcA 10


CAN-2000-0312

Phase: Proposed (20010214)
Reference: OPENBSD:19990830 In cron(8), make sure argv[] is NULL terminated in the fake popen() and run sendmail as the user, not as root.
Reference: URL:http://www.openbsd.org/errata25.html#cron

Description:
cron in OpenBSD 2.5 allows local users to gain root privileges via an argv[] that is not NULL terminated, which is passed to cron's fake popen function.

Votes:

   ACCEPT(3) Baker, Cole, Collins
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:cron-sendmail-root(3335)
   Seems like this issue is not just OpenBSD, and is described
   differently by other vendors:
   SuSE Security Announcement #15	Security hole in cron
   http://www.suse.de/de/support/security/suse_security_announce_15.txt
   Red Hat, Inc. Security Advisory RHSA-1999:030-02	Buffer overflow in
   cron daemon
   http://www.redhat.com/support/errata/rh52-errata-general.html#vixie-cron
   Caldera Systems, Inc. Security Advisory CSSA-1999-023.0	serious security
   problem in cron
   http://www.calderasystems.com/support/security/advisories/CSSA-1999-023.0.tx
   t
   All are dated on or around 1999-08-27 to 1999-08-30.
   Also, may overlap with CVE-1999-0769: Vixie Cron on Linux systems allows
   local users to set parameters of sendmail commands via the MAILTO
   environmental variable.
 Christey> See Andre's comments, but I believe this is different than
   CVE-1999-0769.  Also consider CVE-1999-0768 and CAN-1999-0872
   (Vixie Cron buffer overflow via MAILTO), 


CAN-2000-0317

Phase: Proposed (20000518)
Reference: BUGTRAQ:20000424 Solaris 7 x86 lpset exploit.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0192.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0236.html
Reference: BUGTRAQ:20000427 Re: Solaris/SPARC 2.7 lpset exploit (well not likely !)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95729763119559&w=2
Reference: SUNBUG:4334568
Reference: BID:1138
Reference: URL:http://www.securityfocus.com/bid/1138

Description:
Buffer overflow in Solaris 7 lpset allows local users to gain root privileges via a long -r option.

Votes:

   ACCEPT(3) Baker, Levy, Cole
   MODIFY(1) Frech
   NOOP(3) LeBlanc, Wall, Christey
   RECAST(1) Dik
Voter Comments:
 Dik> there's a lot of confusion in this one. 
   These point to buffer overflows:
   Reference: BUGTRAQ:20000424 Solaris 7 x86 lpset exploit.
   Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0192.html
   Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0236.html
   But these point to dlopen() in libprint that doesnt' check pathnames:
   Reference: BUGTRAQ:20000427 Re: Solaris/SPARC 2.7 lpset exploit (well not likely !)
   Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95729763119559&w=2
   Reference: SUNBUG:4334568
   And this is a bufferoverflow again:
   Reference: BID:1138
   Reference: URL:http://www.securityfocus.com/bid/1138
 Frech> XF:solaris-lpset-bo
 Christey> ADDREF SUN:00195?  Need to check with Casper.


CAN-2000-0321

Phase: Proposed (20000518)
Reference: BUGTRAQ:20000424 Buffer Overflow in version .14
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0190.html
Reference: BID:1147
Reference: URL:http://www.securityfocus.com/bid/1147

Description:
Buffer overflow in IC Radius package allows a remote attacker to cause a denial of service via a long user name.

Votes:

   ACCEPT(1) Levy
   MODIFY(1) Frech
   NOOP(4) Baker, LeBlanc, Wall, Cole
   REJECT(1) Christey
Voter Comments:
 Frech> XF:icradius-username-bo
   Every reference I pull up shows the product's name as ICRADIUS. See
   http://mysql.eunet.fi/Downloads/Contrib/icradius.README
 Christey> In a followup, Alan DeKok (aland@FREERADIUS.ORG) says that
   this could occur in other RADIUS servers also; however, the
   bug could only be exploited if someone has altered the
   configuration file, which shouldn't normally be modifiable
   by anyone else.
   
   So, this should be REJECTed since the bug doesn't directly give
   anyone else any additional privileges or access.
 Christey> Alan DeKok <aland@FREERADIUS.ORG> says it applies to other RADIUS
   programs also, *however* since it needs a valid username, only
   the RADIUS owner can exploit it by changing the config file.  But
   if the config file can be written by others - well, that's still
   a potential risk, but you've probably got bigger problems then.
   - http://marc.theaimsgroup.com/?l=bugtraq&m=95671883515060&w=2
   Look at ChangeLog at ftp://ftp.cheapnet.net/pub/icradius/ChangeLog
   
   Possible confirmation in 0.15: "sql_getvpdata now dynamically
   allocates buffer sizes for sql queries to avoid over runs"
   
   But that's a bit general.
   
   Alan Kok said that Cistron and other RADIUS servers were affected; the
   ICRADIUS changelog says to check the Cistron logs for other possible
   bug fixes, since ICRADIUS uses Cistron codebase.  Go back to
   freeradius.org and find link to Cistron at
   http://www.miquels.cistron.nl/radius/
   
   Cistron changelog at http://www.miquels.cistron.nl/radius/ChangeLog It
   has different version numbers - go back to ICRADIUS changelog to find
   rought equivalents.  ICRADIUS 0.15 uses Cistron 1.6.3 patches, so
   start from there.
   
   No apparent problems in 1.6.3 or 1.6.4, but 1.6.1 says: "Fix all
   strcpy(), strcat(), sprintf() and sccanf() calls for buffer
   overflows."  So perhaps the problem was fixed then?  Or maybe the
   vulnerable sscanf() call was missed and/or disregarded because it was
   believed that the hostname could be trusted since it came from a
   well-controlled configuration file?


CAN-2000-0325

Phase: Modified (20020222-01)
Reference: MS:MS99-030
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-030.asp
Reference: XF:jet-vba-shell(3155)
Reference: URL:http://xforce.iss.net/static/3155.php
Reference: BID:548
Reference: URL:http://www.securityfocus.com/bid/548

Description:
The Microsoft Jet database engine allows an attacker to execute commands via a database query, aka the "VBA Shell" vulnerability.

Votes:

   ACCEPT(5) Baker, Wall, Cole, Armstrong, Prosser
   MODIFY(1) Frech
   REJECT(1) LeBlanc
   REVIEWING(1) Christey
Voter Comments:
 LeBlanc> - same as CAN-1999-1011
   If I'm misunderstanding something here, please correct me.  In fact, it has
   the same bulletin as a reference.
 Frech> XF:jet-vba-shell
 Prosser> This entry is not the same as "now" CVE-1999-1011. That entry is "The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands."  This one should be correct.
 Christey> BUGTRAQ:19990525 Advisory: NT ODBC Remote Compromise
   http://marc.theaimsgroup.com/?l=bugtraq&m=92765973107637&w=2
   NTBUGTRAQ:19990526 Advisory: NT ODBC Remote Compromise
   http://marc.theaimsgroup.com/?l=ntbugtraq&m=92781907215748&w=2
 Christey> The Microsoft advisory itself describes two separate
   vulnerabilities, calling the TEXT I-ISAM problem
   (CVE-2000-0323) a variant of the VBA Shell problem (this
   CAN).  In addition, CVE-2000-0323 does *not* appear in Jet
   4.0, while this one does.  Since one problem appears in a
   different version than the other, CD:SF-LOC suggests keeping
   these candidates SPLIT.
   
   BID:548
   http://www.securityfocus.com/bid/548
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> Need to clarify whether the Bugtraq/NTBugtraq posts are
   really describing the same issue (those are BID:286).


CAN-2000-0326

Phase: Proposed (20000518)
Reference: BID:1151
Reference: URL:http://www.securityfocus.com/bid/1151
Reference: CONFIRM:http://support.on.com/support/mmxp.nsf/31af51e08bcc93eb852565a90056138b/11af70407a16b165852568c50056a952?OpenDocument

Description:
Meeting Maker uses weak encryption (a polyalphabetic substitution cipher) for passwords, which allows remote attackers to sniff and decrypt passwords for Meeting Maker accounts.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(4) LeBlanc, Wall, Cole, Christey
Voter Comments:
 Frech> XF:meetingmaker-weak-encryption
 Christey> Add original Bugtraq reference at:
   http://archives.neohapsis.com/archives/bugtraq/2000-04/0223.html
   Also ADDREF XF:meetingmaker-weak-encryption


CAN-2000-0333

Phase: Proposed (20000518)
Reference: BUGTRAQ:20000502 Denial of service attack against tcpdump
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.SOL.4.10.10005021942380.2077-100000@paranoia.pgci.ca
Reference: BID:1165
Reference: URL:http://www.securityfocus.com/bid/1165

Description:
tcpdump, Ethereal, and other sniffer packages allow remote attackers to cause a denial of service via malformed DNS packets in which a jump offset refers to itself, which causes tcpdump to enter an infinite loop while decompressing the packet.

Votes:

   ACCEPT(3) Baker, Levy, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:sniffer-dns-decode-dos


CAN-2000-0343

Phase: Proposed (20000518)
Reference: BUGTRAQ:20000502 spj-003-000 - S0ftPj Advisory
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200005021736.TAA01991@ALuSSi
Reference: BID:1158
Reference: URL:http://www.securityfocus.com/bid/1158

Description:
Buffer overflow in Sniffit 0.3.x with the -L logging option enabled allows remote attackers to execute arbitrary commands via a long MAIL FROM mail header.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(2) Frech, Christey
   NOOP(2) Wall, Armstrong
Voter Comments:
 Frech> XF:sniffit-lmail-bo
 Christey> This issue was rediscovered.
   ADDREF BUGTRAQ:20020119 remote buffer overflow in sniffit
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101167452712383&w=2
   ADDREF BUGTRAQ:20000525 `sniffit -L mail' vulnerabilities
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95928090612990&w=2
   
   I reviewed the patch that was claimed in the 20020119 Bugtraq
   post, and it could well address the issue.  However, since the
   patch is also dated around the time of the original Bugtraq
   post, *and* it says that it's addressing an issue that's
   discussed on Bugtraq, that is sufficient to establish
   acknowledgement.
 CHANGE> [Christey changed vote from NOOP to MODIFY]
 Christey> XF:sniffit-normmail-l-bo(7933)
   URL:http://www.iss.net/security_center/static/7933.php


CAN-2000-0345

Phase: Proposed (20000518)
Reference: BUGTRAQ:20000502 Possible issue with Cisco on-line help?
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000502222246.28423.qmail@securityfocus.com
Reference: BID:1161
Reference: URL:http://www.securityfocus.com/bid/1161

Description:
The on-line help system options in Cisco routers allows non-privileged users without "enabled" access to obtain sensitive information via the show command.

Votes:

   ACCEPT(1) Prosser
   MODIFY(1) Frech
   NOOP(5) Baker, Levy, Wall, Cole, Armstrong
   REJECT(1) Balinsky
Voter Comments:
 Levy> Arguably this is not a vulnerability. Cisco replying saying this
   is standard behaviour that was simply not well documented. They have
   no plans to change it and will simply document it better.
 Frech> XF:cisco-online-help
 Balinsky> As noted in a bugtraq posting by Lisa Napier from Cisco's Product Security Incident Response Team, this is a poorly documented feature. This is intended behavior, and does not represent a vulnerability in Cisco's opinion.
   http://www.securityfocus.com/frames/?content=/templates/archive.pike?list=1&mid=59434
 Prosser> Although Lisa Napier did say this issue was "functioning as designed", it was not intended to allow unprivileged access.  Lisa did indicate that Cisco would be updating instructions on configuration to ensure proper user privileges.  So, this should be considered IMHO an "exposure" vice a vulnerability, but security-related none the less.
   http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D20000502222246.28423.qmail@securityfocus.com
   
   http://www.securityfocus.com/bid/1161


CAN-2000-0355

Phase: Proposed (20000524)
Reference: SUSE:19990920 Security hole in pbpg
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_21.txt
Reference: XF:linux-pb-fileread
Reference: XF:linux-pg-fileread

Description:
pg and pb in SuSE pbpg 1.x package allows an attacker to read arbitrary files.

Votes:

   ACCEPT(2) Frech, Levy
   NOOP(1) Christey
Voter Comments:
 Christey> ADDREF BID:1271
 Christey> ADDREF BID:1271
   URL:http://www.securityfocus.com/bid/1271


CAN-2000-0357

Phase: Proposed (20000524)
Reference: REDHAT:RHSA-1999:058-01
Reference: URL:http://www.redhat.com/corp/support/errata/RHSA1999058-01.html

Description:
ORBit and esound in Red Hat Linux 6.1 do not use sufficiently random numbers, which allows local users to guess the authentication keys.

Votes:

   ACCEPT(1) Levy
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Christey> ADDREF BID:1275
 Christey> ADDREF BID:1275
   URL:http://www.securityfocus.com/bid/1275
 Frech> XF:linux-orbit-esound-authentication-keys


CAN-2000-0358

Phase: Proposed (20000524)
Reference: REDHAT:RHSA-1999:058-01
Reference: URL:http://www.redhat.com/corp/support/errata/RHSA1999058-01.html

Description:
ORBit and gnome-session in Red Hat Linux 6.1 allows remote attackers to crash a program.

Votes:

   ACCEPT(1) Levy
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Christey> ADDREF BID:1283
 Christey> ADDREF BID:1283
   URL:http://www.securityfocus.com/bid/1283
 Frech> XF:linux-orbit-gnome-session-dos


CAN-2000-0364

Phase: Proposed (20000524)
Reference: BUGTRAQ:19990606 RedHat 6.0, /dev/pts permissions bug when using xterm
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92877527701347&w=2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92886009012161&w=2
Reference: REDHAT:RHSA1999014_01
Reference: URL:http://www.redhat.com/corp/support/errata/RHSA1999014_01.html
Reference: BID:309
Reference: URL:http://www.securityfocus.com/bid/309

Description:
screen and rxvt in Red Hat Linux 6.0 do not properly set the modes of tty devices, which allows local users to write to other ttys.

Votes:

   ACCEPT(1) Levy
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:linux-tty-improper-mode
 Christey> BUGTRAQ:19990607 Re: RedHat 6.0, /dev/pts permissions bug when using xterm
   http://marc.theaimsgroup.com/?l=bugtraq&m=92886008912147&w=2
   BUGTRAQ:19990607 Re: Red Hat 6.0, /dev/pts permissions bug when using xterm
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92886358415964&w=2


CAN-2000-0365

Phase: Proposed (20000524)
Reference: BUGTRAQ:19990606 RedHat 6.0, /dev/pts permissions bug when using xterm
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92877527701347&w=2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92886009012161&w=2
Reference: REDHAT:RHSA1999014_01
Reference: URL:http://www.redhat.com/corp/support/errata/RHSA1999014_01.html
Reference: BID:308
Reference: URL:http://www.securityfocus.com/bid/308

Description:
Red Hat Linux 6.0 installs the /dev/pts file system with insecure modes, which allows local users to write to other tty devices.

Votes:

   ACCEPT(1) Levy
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Frech> XF:linux-dev-insecure-mode
 Christey> BUGTRAQ:19990607 Re: RedHat 6.0, /dev/pts permissions bug when using xterm
   http://marc.theaimsgroup.com/?l=bugtraq&m=92886008912147&w=2
   BUGTRAQ:19990607 Re: Red Hat 6.0, /dev/pts permissions bug when using xterm
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92886358415964&w=2


CAN-2000-0383

Phase: Modified (20000706-01)
Reference: BUGTRAQ:20000507 AOL Instant Messenger
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=002401bfb918$7310d5a0$1ef084ce@karemor.com
Reference: XF:aolim-file-path
Reference: BID:1180
Reference: URL:http://www.securityfocus.com/bid/1180

Description:
The file transfer component of AOL Instant Messenger (AIM) reveals the physical path of the transferred file to the remote recipient.

Votes:

   ACCEPT(5) Frech, Ozancin, Levy, Cole, Stracener
   NOOP(2) Christey, Prosser
Voter Comments:
 Christey> Normalize the Bugtraq reference!


CAN-2000-0384

Phase: Proposed (20000615)
Reference: L0PHT:20000508 NetStructure 7180 remote backdoor vulnerability
Reference: URL:http://www.lopht.com/advisories/ipivot7110.html
Reference: L0PHT:20000508 NetStructure 7110 console backdoor
Reference: URL:http://www.l0pht.com/advisories/ipivot7180.html
Reference: CONFIRM:http://216.188.41.136/
Reference: XF:netstructure-root-compromise
Reference: XF:netstructure-wizard-mode
Reference: BID:1182
Reference: URL:http://www.securityfocus.com/bid/1182
Reference: BID:1183
Reference: URL:http://www.securityfocus.com/bid/1183

Description:
NetStructure 7110 and 7180 have undocumented accounts (servnow, root, and wizard) whose passwords are easily guessable from the NetStructure's MAC address, which could allow remote attackers to gain root access.

Votes:

   ACCEPT(5) Frech, Ozancin, Levy, Stracener, Prosser
   NOOP(1) Cole

CAN-2000-0385

Phase: Proposed (20000615)
Reference: MISC:http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html
Reference: CONFIRM:http://www.filemaker.com/support/webcompanion.html
Reference: XF:macos-filemaker-xml
Reference: XF:macos-filemaker-email

Description:
FileMaker Pro 5 Web Companion allows remote attackers to bypass Field-Level database security restrictions via the XML publishing or email capabilities.

Votes:

   ACCEPT(4) Frech, Ozancin, Stracener, Prosser
   MODIFY(1) Levy
   NOOP(1) Cole
Voter Comments:
 Levy> Reference: BID 1159


CAN-2000-0386

Phase: Proposed (20000615)
Reference: MISC:http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html
Reference: CONFIRM:http://www.filemaker.com/support/webcompanion.html
Reference: XF:macos-filemaker-anonymous-email

Description:
FileMaker Pro 5 Web Companion allows remote attackers to send anonymous or forged email.

Votes:

   ACCEPT(4) Frech, Ozancin, Stracener, Prosser
   MODIFY(1) Levy
   NOOP(1) Cole
Voter Comments:
 Levy> Reference: BID 1159


CAN-2000-0400

Phase: Proposed (20000615)
Reference: BUGTRAQ:20000516 MICROSOFT SECURITY FLAW?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95868514521257&w=2
Reference: BID:1221
Reference: URL:http://www.securityfocus.com/bid/1221
Reference: XF:ie-active-movie-control

Description:
The Microsoft Active Movie ActiveX Control in Internet Explorer 5 does not restrict which file types can be downloaded, which allows an attacker to download any type of file to a user's system by encoding it within an email message or news post.

Votes:

   ACCEPT(4) Frech, Ozancin, Levy, Wall
   NOOP(2) Cole, Stracener
   REJECT(1) Christey
   REVIEWING(1) LeBlanc
Voter Comments:
 LeBlanc> COMMENT - this definately will not work if the user has applied the security
   patch. I don't know whether this repros right now, and have sent a query to
   find out.
 Christey> Is this now documented in MS:MS00-042?
 LeBlanc> the problem isn't in the Active Movie control.  What was
   observed was a symptom of another problem that got fixed in
   some bulletin or another - I don't remember.
 Christey> According to Scott Culp, this existed because 
   the patch for the Cache Bypass vulnerability (MS:MS00-046,
   CAN-2000-0621) was not applied, so this should be REJECTed
   as a duplicate of CAN-2000-0621.


CAN-2000-0401

Phase: Proposed (20000615)
Reference: BUGTRAQ:20000525 Alert: PDG Cart Overflows
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95928319715983&w=2
Reference: NTBUGTRAQ:20000525 Alert: PDG Cart Overflows
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=95928667119963&w=2
Reference: CONFIRM:http://www.pdgsoft.com/Security/security2.html
Reference: BID:1256
Reference: URL:http://www.securityfocus.com/bid/1256

Description:
Buffer overflows in redirect.exe and changepw.exe in PDGSoft shopping cart allow remote attackers to execute arbitrary commands via a long query string.

Votes:

   ACCEPT(2) Levy, Stracener
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:pdgsoft-changepw-bo
   XF:pdgsoft-redirect-bo


CAN-2000-0412

Phase: Proposed (20000615)
Reference: BUGTRAQ:20000510 KNapster Vulnerability Compromises User-readable Files
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0124.html
Reference: BUGTRAQ:20000510 Gnapster Vulnerability Compromises User-readable Files
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0127.html
Reference: FREEBSD:FreeBSD-SA-00:18
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:18-gnapster.adv
Reference: XF:gnapster-view-files
Reference: BID:1186
Reference: URL:http://www.securityfocus.com/bid/1186

Description:
The gnapster and knapster clients for Napster do not properly restrict access only to MP3 files, which allows remote attackers to read arbitrary files from the client by specifying the full pathname for the file.

Votes:

   ACCEPT(3) Ozancin, Levy, Stracener
   MODIFY(1) Frech
   NOOP(2) Cole, Prosser
Voter Comments:
 Frech> ADDREF XF:knapster-view-files


CAN-2000-0413

Phase: Proposed (20000615)
Reference: BUGTRAQ:20000506 shtml.exe reveal local path of IIS web directory
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0084.html
Reference: BID:1174
Reference: URL:http://www.securityfocus.com/bid/1174
Reference: XF:iis-shtml-reveal-path

Description:
The shtml.exe program in the FrontPage extensions package of IIS 4.0 and 5.0 allows remote attackers to determine the physical path of HTML, HTM, ASP, and SHTML files by requesting a file that does not exist, which generates an error message that reveals the path.

Votes:

   ACCEPT(6) Frech, Ozancin, Levy, LeBlanc, Cole, Stracener
   MODIFY(1) Prosser
   NOOP(1) Christey
Voter Comments:
 Prosser> additional source Security BugWare
   http://161.53.42.3/~crv/security/bugs/NT/fpse10.html  comments on page re:
   "MS soon to be released service release OSR 1.2 with needed changes." 
   I haven't located anything on MS site yet.  Anyone help? 
 Christey> BID:1433 may also refer to this issue.
 Christey> [note to self: review comments by Mark Burnett]
 Christey> CHANGEREF XF:iis-shtml-reveal-path XF:frontpage-ext-shtml-path(4439)
 LeBlanc> Fixes are up on site now - have been for a while. 


CAN-2000-0415

Phase: Proposed (20000615)
Reference: BUGTRAQ:20000512 Overflow in Outlook Express 4.* - too long filenames with graphic format extension
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0140.html
Reference: BID:1195
Reference: URL:http://www.securityfocus.com/bid/1195

Description:
Buffer overflow in Outlook Express 4.x allows attackers to cause a denial of service via a mail or news message that has a .jpg or .bmp attachment with a long file name.

Votes:

   ACCEPT(3) Ozancin, Levy, Wall
   MODIFY(1) Frech
   NOOP(3) Cole, Stracener, Christey
   REJECT(1) LeBlanc
Voter Comments:
 LeBlanc> The poster re-discovered a vulnerability we patched two years
   ago, in
   http://www.microsoft.com/technet/security/bulletin/ms98-008.asp
   Microsoft posted a response to BugTraq when this one went
   public, and reminded them that we'd already patched it.
   
   BTW, I think we want to try and pay attention to follow-ups to
   these threads in order to minimize noise in the process.
 Christey> Based on David's comments, this is covered by CAN-1999-0002.
   However, that candidate may wind up being SPLIT, so I will
   keep this one around for the moment.
   
   With respect to watching followups, we are relying quite
   a bit on other data feeds instead of doing our own reviews
   of all the different data sources.  The data feeds may report
   these problems as new before corrections are posted.
   Followups do often lend additional information to the
   candidates, and as is the case with this one, we will
   often catch the discrepancy before the candidate becomes an
   official entry, whether by MITRE's own analysis or by that
   of other Board members.
 Frech> XF:outlook-image-long-filename


CAN-2000-0420

Phase: Proposed (20000615)
Reference: NTBUGTRAQ:20000511 ISS SAVANT Advisory 00/26
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0112.html
Reference: BID:1198
Reference: URL:http://www.securityfocus.com/bid/1198

Description:
The default configuration of SYSKEY in Windows 2000 stores the startup key in the registry, which could allow an attacker tor ecover it and use it to decrypt Encrypted File System (EFS) data.

Votes:

   ACCEPT(2) Ozancin, Levy
   MODIFY(1) Frech
   NOOP(2) Cole, Stracener
   REJECT(1) LeBlanc
   REVIEWING(1) Wall
Voter Comments:
 LeBlanc> This is not a vulnerability.  It is essentially an advisory on best
   practices. Also, the description is extremely inaccurate. If I weren't
   intimately familiar with the issue, I would not be able to understand it
   from this. Syskey, when applied at lower levels, has well-documented
   limitations.  
 Stracener> "..to recover"
 Frech> XF:win2k-syskey-default-configuration
   Change "tor ecover" to "to recover"


CAN-2000-0422

Phase: Proposed (20000615)
Reference: BUGTRAQ:20000504 Alert: DMailWeb buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95749276827558&w=2
Reference: XF:http-cgi-dmailweb-bo
Reference: BID:1171
Reference: URL:http://www.securityfocus.com/bid/1171

Description:
Buffer overflow in Netwin DMailWeb CGI program allows remote attackers to execute arbitrary commands via a long utoken parameter.

Votes:

   ACCEPT(5) Frech, Ozancin, Levy, Stracener, Prosser
   NOOP(1) Cole

CAN-2000-0423

Phase: Proposed (20000615)
Reference: BUGTRAQ:20000505 Alert: DNewsWeb buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95764950403250&w=2
Reference: XF:http-cgi-dnews-bo
Reference: BID:1172
Reference: URL:http://www.securityfocus.com/bid/1172

Description:
Buffer overflow in Netwin DNEWSWEB CGI program allows remote attackers to execute arbitrary commands via long parameters such as group, cmd, and utag.

Votes:

   ACCEPT(5) Frech, Ozancin, Levy, Stracener, Prosser
   NOOP(1) Cole

CAN-2000-0429

Phase: Proposed (20000615)
Reference: BUGTRAQ:20000427 Alert: Cart32 secret password backdoor (CISADV000427)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95686068203138&w=2
Reference: CONFIRM:http://www.cart32.com/kbshow.asp?article=c048

Description:
A backdoor password in Cart32 3.0 and earlier allows remote attackers to execute arbitrary commands.

Votes:

   ACCEPT(3) Ozancin, Stracener, Prosser
   MODIFY(2) Frech, Levy
   NOOP(1) Cole
Voter Comments:
 Levy> Reference: BID 1153
 Frech> XF:cart32-admin-password


CAN-2000-0433

Phase: Proposed (20000615)
Reference: SUSE:20000502 aaabase < 2000.5.2
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_47.txt
Reference: XF:aaabase-execute-dot-files

Description:
The SuSE aaa_base package installs some system accounts with home directories set to /tmp, which allows local users to gain privileges to those accounts by creating standard user startup scripts such as profiles.

Votes:

   ACCEPT(5) Frech, Ozancin, Levy, Cole, Stracener
   MODIFY(1) Prosser
Voter Comments:
 Prosser> add source:  
   SecurityFocus
   BID1357
   SuSE Linux aaabase User Account with /tmp Home Vulnerability
   http://www.securityfocus.com/bid/1357
 CHANGE> [Levy changed vote from REVIEWING to ACCEPT]


CAN-2000-0434

Phase: Proposed (20000615)
Reference: BUGTRAQ:20000516 Allmanage.pl Vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0167.html
Reference: BID:1217
Reference: URL:http://www.securityfocus.com/bid/1217

Description:
The administrative password for the Allmanage web site administration software is stored in plaintext in a file which could be accessed by remote attackers.

Votes:

   ACCEPT(3) Ozancin, Levy, Stracener
   MODIFY(1) Frech
   NOOP(3) LeBlanc, Wall, Cole
Voter Comments:
 Frech> XF:http-cgi-allmanage-plaintext-admin


CAN-2000-0444

Phase: Proposed (20000615)
Reference: BUGTRAQ:20000524 HP Web JetAdmin Version 6.0 Remote DoS attack Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0277.html
Reference: XF:hp-jetadmin-malformed-url-dos
Reference: BID:1246
Reference: URL:http://www.securityfocus.com/bid/1246

Description:
HP Web JetAdmin 6.0 allows remote attackers to cause a denial of service via a malformed URL to port 8000.

Votes:

   ACCEPT(4) Frech, Levy, Stracener, Prosser
   NOOP(2) Wall, Cole
   REVIEWING(1) Christey
Voter Comments:
 Christey> ADDREF CONFIRM:http://www.hp.com/cposupport/networking/support_doc/bpj06522.html
 Christey> HP:HPSBUX0006-116 ?
   XF:jetadmin-network-dos
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Prosser> Vendor acknowledged in HP Bulletin HPSBUX0006-116 with upgrade info.


CAN-2000-0449

Phase: Proposed (20000615)
Reference: BUGTRAQ:20000525 Omnis Weak Encryption - Many products affected
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0311.html
Reference: BID:1255
Reference: URL:http://www.securityfocus.com/bid/1255

Description:
Omnis Studio 2.4 uses weak encryption (trivial encoding) for encrypting database fields.

Votes:

   ACCEPT(2) Levy, Stracener
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:omnis-studio-weak-encryption


CAN-2000-0450

Phase: Proposed (20000615)
Reference: BUGTRAQ:20000518 FW: Security Notice: Big Brother System and Network Monitor
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0216.html
Reference: BID:1257
Reference: URL:http://www.securityfocus.com/bid/1257

Description:
Vulnerability in bbd server in Big Brother System and Network Monitor allows an attacker to execute arbitrary commands.

Votes:

   ACCEPT(3) Ozancin, Levy, Stracener
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Christey
   RECAST(1) LeBlanc
Voter Comments:
 LeBlanc> I have no idea what this one is talking about from the description.  I also
   don't think it involves "Network Monitor", which is a component of Windows
   NT/Windows 2000. This should be clarified.
 Frech> XF:big-brother-bbd-bo
 Christey> The original advisory, as forwarded to Bugtraq, does not
   provide any details, so the description is necessarily vague.
   Also, the home page at http://bb4.com has it referring to
   itself as "Big Brother System and Network Monitor," so
   "Network Monitor" is apparently part of the name of the product.
   
   Change this description to mention version 1.4g, to distinguish
   from other Big Brother vulnerabilities.


CAN-2000-0473

Phase: Proposed (20000712)
Reference: BUGTRAQ:19991231 Local / Remote GET Buffer Overflow Vulnerability in AnalogX SimpleServer:WWW HTTP Server v1.1
Reference: MISC:http://www.analogx.com/contents/download/network/sswww.htm
Reference: BID:1349
Reference: URL:http://www.securityfocus.com/bid/1349

Description:
Buffer overflow in AnalogX SimpleServer 1.05 allows a remote attacker to cause a denial of service via a long GET request for a program in the cgi-bin directory.

Votes:

   ACCEPT(1) Levy
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Christey> Appears to be the same as, or similar to, CVE-2000-0011, which was
   also discovered by USSR.  Comments on the AnalogX web site are
   decidedly sparse.  In CAN-2000-0011, USSR only claims that
   the vendor was informed, so is this still the same problem?
   
   XF:simpleserver-long-url-dos
 Frech> XF:simpleserver-long-url-dos(4693)
   Please review whether your BUGTRAQ:19991231 reference is correct; seems like
   this is the reference to CVE-2000-0011: Buffer overflow in AnalogX
   SimpleServer:WWW HTTP server allows remote attackers to execute commands via
   a long GET request. They are subtle; almost the only thing that changed was
   the version.
   A possible reference is "Remote DoS attack in AnalogX SimpleServer WWW
   Version 1.05 Vulnerability" at http://www.ussrback.com/labs45.html.


CAN-2000-0476

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000601 [rootshell.com] Xterm DoS Attack
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0409.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0420.html
Reference: BID:1298
Reference: URL:http://www.securityfocus.com/bid/1298

Description:
xterm, Eterm, and rxvt allow an attacker to cause a denial of service by embedding certain escape characters which force the window to be resized.

Votes:

   ACCEPT(2) Ozancin, Levy
   MODIFY(1) Frech
   NOOP(2) LeBlanc, Wall
Voter Comments:
 Frech> XF:xterm-control-characters-dos(4987)


CAN-2000-0479

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000616 Multiples Remotes DoS Attacks in Dragon Server v1.00 and v2.00
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96113734714517&w=2
Reference: BID:1352
Reference: URL:http://www.securityfocus.com/bid/1352

Description:
Dragon FTP server allows remote attackers to cause a denial of service via a long USER command.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Christey> XF:dragon-ftp-dos
 Frech> XF:dragon-ftp-dos(4691)


CAN-2000-0480

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000616 Multiples Remotes DoS Attacks in Dragon Server v1.00 and v2.00
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96113734714517&w=2
Reference: BID:1352
Reference: URL:http://www.securityfocus.com/bid/1352

Description:
Dragon telnet server allows remote attackers to cause a denial of service via a long username.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Christey> XF:dragon-telnet-dos
 Frech> XF:dragon-ftp-dos(4691)


CAN-2000-0487

Phase: Proposed (20000712)
Reference: MS:MS00-032
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-032.asp
Reference: BID:1295
Reference: URL:http://www.securityfocus.com/bid/1295

Description:
The Protected Store in Windows 2000 does not properly select the strongest encryption when available, which causes it to use a default of 40-bit encryption instead of 56-bit DES encryption, aka the "Protected Store Key Length" vulnerability.

Votes:

   ACCEPT(3) Levy, LeBlanc, Wall
   MODIFY(1) Frech
   NOOP(1) Ozancin
Voter Comments:
 Frech> XF:ms-protected-store(4589)


CAN-2000-0491

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000521 "gdm" remote hole
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0241.html
Reference: SUSE:20000524 Security hole in gdm <= 2.0beta4-25
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_49.txt
Reference: BUGTRAQ:20000607 Conectiva Linux Security Announcement - gdm
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0025.html
Reference: CALDERA:CSSA-2000-013.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-013.0.txt
Reference: BID:1233
Reference: URL:http://www.securityfocus.com/bid/1233
Reference: BID:1279
Reference: URL:http://www.securityfocus.com/bid/1279
Reference: BID:1370
Reference: URL:http://www.securityfocus.com/bid/1370

Description:
Buffer overflow in the XDMCP parsing code of GNOME gdm, KDE kdm, and wdm allows remote attackers to execute arbitrary commands or cause a denial of service via a long FORWARD_QUERY request.

Votes:

   MODIFY(2) Frech, Levy
   NOOP(2) LeBlanc, Wall
   REVIEWING(2) Ozancin, Christey
Voter Comments:
 Levy> The BID 1233 vulns is different from the other ones. BID 1233 uses
   a FORWARD_QUERY request to overflow an in_addr structure via a memmove
   in daemon/xdmcp.c, gdm_xdmcp_handle_forward_query(). In BID 1370
   a buffer is overflowed by a sprintf in xdmcp.c, send_failed().
 Frech> XF:gnome-gdm-bo(4530)
 Christey> MANDRAKE:MDKSA-2001:070
   URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-070.php3
 Christey> BUGTRAQ:20000527 gdm exploit
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96017189021021&w=2
   
   Consider REDHAT:RHSA-2000:027
 Christey> RHSA-2000:027 confirmed via Mark Cox


CAN-2000-0492

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Insecure encryption in PassWD v1.2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0450.html
Reference: BID:1300
Reference: URL:http://www.securityfocus.com/bid/1300

Description:
PassWD 1.2 uses weak encryption (trivial encoding) to store passwords, which allows an attacker who can read the password file to easliy decrypt the passwords.

Votes:

   ACCEPT(1) Levy
   MODIFY(2) Frech, Ozancin
   NOOP(2) LeBlanc, Wall
Voter Comments:
 Ozancin> change "attacker who can read the password" to "attacker to decrypt and read
   the password"
 Frech> XF:passwd-weak-encryption(4596)


CAN-2000-0503

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000606 IE 5 Cross-frame security vulnerability using IFRAME and WebBrowser control
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0154.html
Reference: BID:1311
Reference: URL:http://www.securityfocus.com/bid/1311

Description:
The IFRAME of the WebBrowser control in Internet Explorer 5.01 allows a remote attacker to violate the cross frame security policy via the NavigateComplete2 event.

Votes:

   ACCEPT(1) Levy
   MODIFY(2) Frech, Wall
   NOOP(2) Ozancin, LeBlanc
   REVIEWING(1) Christey
Voter Comments:
 Wall> This affects more than IE 5.01.  See http://www.securityfocus.com/bid/1311 for
   all versions of IE that this affects.  Works on Windows 98, IE 5.01 and IE 5.5.
 LeBlanc> If this is the one I was discussing offline with Steve, ACCEPT
 Frech> XF:ie-cross-frame(4610)
 Christey> Make sure this is the one I was discussing offline with David :-)
 Frech> CAN-2000-0503 was reassigned to ie-frame-domain-file-access(5504) from
   ie-cross-frame(4610), which was obsoleted and redirected to this
   issue. Since these are the same issues but just described differently,
   CAN-2000-0503 appears to be a dupe of CVE-2000-0768.


CAN-2000-0509

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000601 DST2K0008: Buffer Overrun in Sambar Server 4.3
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95990103207665&w=2
Reference: BID:1287
Reference: URL:http://www.securityfocus.com/bid/1287

Description:
Buffer overflows in the finger and whois demonstration scripts in Sambar Server 4.3 allow remote attackers to execute arbitrary commands via a long hostname.

Votes:

   ACCEPT(2) Ozancin, Levy
   MODIFY(1) Frech
   NOOP(2) LeBlanc, Wall
Voter Comments:
 Frech> XF:sambar-dll-bo(4592)


CAN-2000-0520

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000630 CONECTIVA LINUX SECURITY ANNOUNCEMENT - dump
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96240393814071&w=2
Reference: MISC:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11880
Reference: BID:1330
Reference: URL:http://www.securityfocus.com/bid/1330

Description:
Buffer overflow in restore program 0.4b17 and earlier in dump package allows local users to execute arbitrary commands via a long tape name.

Votes:

   ACCEPT(2) Levy, Prosser
   MODIFY(1) Frech
   NOOP(4) Ozancin, LeBlanc, Wall, Christey
Voter Comments:
 Christey> ADDREF BUGTRAQ:20000711 MDKSA-2000:018 dump update
   URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0166.html
 Frech> XF:linux-restore-bo(4647)
 Prosser> Add Sources:
   http://www.linux-mandrake.com/en/updates/2000/MDKSA-2000-018.php3?dis=6.0
   http://www.redhat.com/support/errata/RHSA-2000-100.html


CAN-2000-0524

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000604 Microsoft Outlook (Express) bug..
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0045.html
Reference: BID:1333
Reference: URL:http://www.securityfocus.com/bid/1333

Description:
Microsoft Outlook and Outlook Express allow remote attackers to cause a denial of service by sending email messages with blank fields such as BCC, Reply-To, Return-Path, or From.

Votes:

   MODIFY(3) Frech, Levy, LeBlanc
   NOOP(1) Ozancin
   RECAST(1) Wall
Voter Comments:
 Levy> There was plenty of people that could not reproduce the problem although
   some did. More research (as in actual testing) is probably required.
 LeBlanc> This entry does not specify which versions of Outloook are vulnerable, nor
   is that clear from the BUGTRAQ record. It is much too broad to say just
   "Outlook" when it is definately not all versions of Outlook. The problem
   appears confined to some version of Outlook 97, and if I recall correctly,
   there has been a patch for this for quite some time.
 Frech> XF:outlook-header-dos(4645)
 CHANGE> [Wall changed vote from REVIEWING to RECAST]
 Wall> UNABLE TO DUPLICATE


CAN-2000-0526

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0081.html
Reference: BID:1335
Reference: URL:http://www.securityfocus.com/bid/1335

Description:
mailview.cgi CGI program in MailStudio 2000 2.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(4) Ozancin, LeBlanc, Wall, Christey
Voter Comments:
 Christey> ADDREF XF:mailstudio-view-files
 Frech> XF:mailstudio-view-files(4737)


CAN-2000-0527

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0081.html
Reference: BID:1335
Reference: URL:http://www.securityfocus.com/bid/1335

Description:
userreg.cgi CGI program in MailStudio 2000 2.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(4) Ozancin, LeBlanc, Wall, Christey
Voter Comments:
 Christey> Modify description - explicitly mention %0a string; other
   metachar's are filtered
 Frech> XF:mailstudio-cgi-input-vaildation(4739)


CAN-2000-0531

Phase: Modified (20001010-1)
Reference: BUGTRAQ:20000620 Bug in gpm
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10006201453090.1812-200000@apollo.aci.com.pl
Reference: REDHAT:RHSA-2000:045-01
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-045-01.html
Reference: BUGTRAQ:20000728 MDKSA:2000-025 gpm update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0409.html
Reference: BID:1377
Reference: URL:http://www.securityfocus.com/bid/1377
Reference: XF:linux-gpm-gpmctl-dos
Reference: URL:http://xforce.iss.net/static/5010.php

Description:
Linux gpm program allows local users to cause a denial of service by flooding the /dev/gpmctl device with STREAM sockets.

Votes:

   ACCEPT(1) Levy
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:linux-gpm-gpmctl-dos(5010)
 Christey> ADDREF REDHAT:RHSA-2000:045-01
   ADDREF BUGTRAQ:20000728 MDKSA:2000-025 gpm update
   URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0409.html
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> Per Andre Frech's comments for CAN-2000-0667.


CAN-2000-0535

Phase: Proposed (20000712)
Reference: FREEBSD:FreeBSD-SA-00:25
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-06/0083.html
Reference: BID:1340
Reference: URL:http://www.securityfocus.com/bid/1340

Description:
OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the existence of the /dev/random or /dev/urandom devices, which are absent on FreeBSD Alpha systems, which causes them to produce weak keys which may be more easily broken.

Votes:

   ACCEPT(2) Ozancin, Levy
   MODIFY(1) Frech
   NOOP(2) LeBlanc, Wall
   REVIEWING(1) Christey
Voter Comments:
 Christey> ADDREF NETBSD
   http://archives.neohapsis.com/archives/bugtraq/2000-06/0208.html
   
 Frech> XF:freebsd-alpha-weak-encryption(4704)
 Christey> ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-007.txt.asc
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> Should the NetBSD problem really be combined with this?


CAN-2000-0543

Phase: Modified (20001010-1)
Reference: BUGTRAQ:20000614 Remote DoS attack in Networks Associates PGP Certificate Server Version 2.5 Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0107.html
Reference: BID:1343
Reference: URL:http://www.securityfocus.com/bid/1343
Reference: XF:pgp-cert-server-dos
Reference: URL:http://xforce.iss.net/static/4695.php

Description:
The command port for PGP Certificate Server 2.5.0 and 2.5.1 allows remote attackers to cause a denial of service if their hostname does not have a reverse DNS entry and they connect to port 4000.

Votes:

   ACCEPT(5) Baker, Ozancin, Levy, Cole, Collins
   MODIFY(1) Frech
   NOOP(1) Armstrong
   REVIEWING(1) Christey
Voter Comments:
 Christey> XF:pgp-cert-server-dos
 Frech> XF:pgp-cert-server-dos(4695)
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> Need to consult Jim Magdych on this one.


CAN-2000-0544

Phase: Proposed (20000712)
Reference: NTBUGTRAQ:20000604 anonymous SMBwriteX DoS
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0231.html
Reference: BID:1304
Reference: URL:http://www.securityfocus.com/bid/1304

Description:
Windows NT and Windows 2000 hosts allow a remote attacker to cause a denial of service via malformed DCE/RPC SMBwriteX requests that contain an invalid data length.

Votes:

   ACCEPT(2) Levy, LeBlanc
   MODIFY(1) Frech
   NOOP(1) Ozancin
   REVIEWING(2) Wall, Christey
Voter Comments:
 Frech> XF;nt-smb-request-dos(4600)
 Christey> Consult with Microsoft to see if this is MS:MS00-066
 Christey> ADDREF MS:MS00-066
   (confirmed offline with David LeBlanc)
   Subsequently, add  BID:1673 and XF:win2k-rpc-dos(5222)


CAN-2000-0545

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000602 /usr/bin/Mail exploit for Slackware 7.0 (mail-slack.c)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0435.html
Reference: DEBIAN:20000605 mailx: mail group exploit in mailx
Reference: URL:http://www.debian.org/security/2000/20000605
Reference: BID:1305
Reference: URL:http://www.securityfocus.com/bid/1305

Description:
Buffer overflow in mailx mail command (aka Mail) on Linux systems allows local users to gain privileges via a long -c (carbon copy) parameter.

Votes:

   ACCEPT(2) Ozancin, Levy
   MODIFY(1) Frech
   NOOP(2) LeBlanc, Wall
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:sgi-mailx-bo(1371)
   CAN-2000-0545 seems to be a dupe of CVE-1999-0125 (Buffer overflow in SGI
   IRIX mailx program) since they both allow 'mail' group privileges. There was
   no exploit for SGI's vuln to compare.
 Christey> Since we are taking a split-by-default approach when
   there are insufficient details, we should keep this
   separate from CVE-1999-0125.  The difference in the
   time of discovery is also a factor, even if these wind
   up being the same problem.  However, there just aren't
   enough details to be sure if this is the same problem or not.
 Christey> On June 25, 1998, a buffer overflow in mailx via the HOME
   environmental variable was posted at:
   BUGTRAQ:19980625 security hole in mailx
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125955&w=2
   
   This affected multiple OSes.
   
   SGI:19980605-01-PX (CVE-1999-0125) was published on September
   29, 1998; while the advisory is short on details, it does
   mention a buffer overflow.
   
   So, there's enough distinction here (time and what gets
   exploited) to say that these should remain split; but
   CVE-1999-0125 likely needs to be RECAST to mention other
   affected OSes.


CAN-2000-0546

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0064.html
Reference: CONFIRM:http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt
Reference: CERT:CA-2000-11
Reference: URL:http://www.cert.org/advisories/CA-2000-11.html
Reference: CIAC:K-051
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/k-051.shtml
Reference: BID:1338
Reference: URL:http://www.securityfocus.com/bid/1338

Description:
Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the lastrealm variable in the set_tgtkey function.

Votes:

   ACCEPT(2) Ozancin, Levy
   MODIFY(2) Frech, Cox
   NOOP(3) LeBlanc, Wall, Christey
Voter Comments:
 Christey> ADDREF XF:kerberos-lastrealm-bo
 Frech> XF:kerberos-lastrealm-bo(4656)
   I question whether BID-1338 is appropriate here.
 Cox> ADDREF REDHAT:RHSA-2000:031


CAN-2000-0547

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0064.html
Reference: CONFIRM:http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt
Reference: CERT:CA-2000-11
Reference: URL:http://www.cert.org/advisories/CA-2000-11.html
Reference: CIAC:K-051
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/k-051.shtml
Reference: BID:1338
Reference: URL:http://www.securityfocus.com/bid/1338

Description:
Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the localrealm variable in the process_v4 function.

Votes:

   ACCEPT(2) Ozancin, Levy
   MODIFY(2) Frech, Cox
   NOOP(2) LeBlanc, Wall
Voter Comments:
 Frech> XF:kerberos-localrealm-bo(4657)
   I question whether BID-1338 is appropriate here.
 Cox> ADDREF REDHAT:RHSA-2000:031


CAN-2000-0554

Phase: Proposed (20000712)
Reference: NTBUGTRAQ:20000608 DST2K0010: DoS & Path Revealing Vulnerability in Ceilidh v2.60a
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0246.html
Reference: BID:1320
Reference: URL:http://www.securityfocus.com/bid/1320

Description:
Ceilidh allows remote attackers to obtain the real path of the Ceilidh directory via the translated_path hidden form field.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(4) Ozancin, LeBlanc, Wall, Christey
Voter Comments:
 Christey> ADDREF XF:ceilidh-path-disclosure
 Frech> XF:ceilidh-path-disclosure(4620)


CAN-2000-0559

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000607 SessionWall-3 Paper + (links to) code
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSO.4.21.0006072124320.28062-100000@bearclaw.bogus.net
Reference: BID:1341
Reference: URL:http://www.securityfocus.com/bid/1341

Description:
eTrust Intrusion Detection System (formerly SessionWall-3) uses weak encryption (XOR) to store administrative passwords in the registry, which allows local users to easily decrypt the passwords.

Votes:

   ACCEPT(2) Ozancin, Levy
   MODIFY(1) Frech
   NOOP(2) LeBlanc, Wall
Voter Comments:
 Frech> XF:etrust-weak-password-encryption(5051)


CAN-2000-0562

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000620 BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0190.html

Description:
BlackIce Defender 2.1 and earlier, and BlackIce Pro 2.0.23 and earlier, do not properly block Back Orifice traffic when the security setting is Nervous or lower.

Votes:

   ACCEPT(3) Levy, Cole, Armstrong
   MODIFY(2) Baker, Frech
   NOOP(1) Ozancin
   REVIEWING(1) Christey
Voter Comments:
 Levy> What do others think? Should this be a vuln? I can see the argument
   that some features are simply not available unless you use the maximum
   security settings.
 Christey> At the very least, this needs to be modified to state that
   this problem/concern applies to high ports in general, not
   just Back orifice.
   
   The Bugtraq poster claims that BlackICE "shuts down" the port, 
   but only *after* some initial traffic "leaks" out.  This may
   be by design, but it does mean that there is a small window
   of opportunity in which BlackICE may not work "as
   advertised," even at lower security settings.
 Christey> XF:blackice-security-level-nervous
   BID:1389
 Frech> XF:blackice-security-level-nervous(4777)
 CHANGE> [Levy changed vote from REVIEWING to ACCEPT]
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Baker> I accept it more as a security exposure, than a real vulnerability.
   It performs just as any other "firewall" or IDS product can be configured to
   allow traffic without notifying the user. You can adjust settings on
   any product that allow traffic that other people or organizations would
   find unacceptable.  So, as long as it is reflected that this is more of
   a configuration that allows such traffic as opposed to a defective
   or improperly functioning software issue, I don't have a problem with
   it.


CAN-2000-0563

Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Security Holes Found in URLConnection of MRJ and IE of Mac OS (was Re: Reappearance of an old IE security bug)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0056.html
Reference: BUGTRAQ:20000513 Re: Reappearance of an old IE security bug
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-05-8&msg=391C95DE2DA.5E3BTAKAGI@java-house.etl.go.jp
Reference: BID:1336
Reference: URL:http://www.securityfocus.com/bid/1336

Description:
The URLConnection function in MacOS Runtime Java (MRJ) 2.1 and earlier and the Microsoft virtual machine (VM) for MacOS allows a malicious web site operator to connect to arbitrary hosts using a HTTP redirection, in violation of the Java security model.

Votes:

   ACCEPT(2) Ozancin, Levy
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
   REVIEWING(1) LeBlanc
Voter Comments:
 Christey> Confirmed by Scott Culp, but this only applies to
   outdated/unsupported versions of the JVM.
 Frech> XF:macos-java-security-ignored(5052)
 Christey> Consult with Microsoft to ensure that this is fixed by
   MS:MS00-059.  If so, then this might not just be in MacOS.


CAN-2000-0564

Phase: Proposed (20000712)
Reference: NTBUGTRAQ:20000529 ICQ Web Front Remote DoS Attack Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0218.html

Description:
The guestbook CGI program in ICQ Web Front service for ICQ 2000a, 99b, and others allows remote attackers to cause a denial of service via a URL with a long name parameter.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(5) Ozancin, LeBlanc, Wall, Cole, Christey
Voter Comments:
 Christey> ADDREF BID:1463
   URL:http://www.securityfocus.com/bid/1463
 Frech> XF:icq-webfront-guestbook-dos(4574)


CAN-2000-0572

Phase: Proposed (20000719)
Reference: BUGTRAQ:20000704 Recovering Passwords in Visible Systems' Razor
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-07-8&msg=613309F30B6DD2118C020000F809376C05CABD49@emss03m09.orl.lmco.com
Reference: BID:1424
Reference: URL:http://www.securityfocus.com/bid/1424

Description:
The Razor configuration management tool uses weak encryption for its password file, which allows local users to gain privileges.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(4) Magdych, LeBlanc, Wall, Cole
Voter Comments:
 Frech> XF;razor-weak-encryption(4875)
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]


CAN-2000-0574

Phase: Proposed (20000719)
Reference: BUGTRAQ:20000705 proftp advisory
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0031.html
Reference: BUGTRAQ:20000706 ftpd and setproctitle()
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0061.html
Reference: CERT:CA-2000-13
Reference: URL:http://www.cert.org/advisories/CA-2000-13.html
Reference: BUGTRAQ:20000710 opieftpd setproctitle() patches
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0121.html
Reference: NETBSD:NetBSD-SA2000-009
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-009.txt.asc
Reference: BID:1425
Reference: URL:http://www.securityfocus.com/bid/1425
Reference: BID:1438
Reference: URL:http://www.securityfocus.com/bid/1438

Description:
FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd do not properly cleanse untrusted format strings that are used in the setproctitle function (sometimes called by set_proc_title), which allows remote attackers to cause a denial of service or execute arbitrary commands.

Votes:

   ACCEPT(3) Levy, Magdych, Cole
   MODIFY(1) Frech
   NOOP(2) LeBlanc, Wall
   REVIEWING(1) Christey
Voter Comments:
 Christey> CD:SF-CODEBASE applies here.  There are many ftpd's that
   have this setproctitle() problem, but it might be traced
   back to the same codebase.  See if the HP problem is the
   same here as well, and if so, ADDREF HP:HPSBUX0007-117
   URL:http://www.securityfocus.com/templates/advisory.html?id=2404
 Frech> XF:ftp-setproctitle-format-string(4908)
   BID:1438 does not exist.
 Christey> ADDREF HP:HPSBUX0007-117??
   http://archives.neohapsis.com/archives/hp/2000-q4/0020.html
 Christey> ADDREF BID:650 ?


CAN-2000-0578

Phase: Proposed (20000719)
Reference: BUGTRAQ:20000621 Predictability Problems in IRIX Cron and Compilers
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0204.html
Reference: BID:1412
Reference: URL:http://www.securityfocus.com/bid/1412

Description:
SGI MIPSPro compilers C, C++, F77 and F90 generate temporary files in /tmp with predictable file names, which could allow local users to insert malicious contents into these files as they are being compiled by another user.

Votes:

   ACCEPT(4) Baker, Levy, Cole, Blake
   MODIFY(1) Frech
   NOOP(7) Ozancin, Magdych, Oliver, LeBlanc, Wall, Armstrong, Christey
Voter Comments:
 Frech> XF:sgi-mipspro-modify-files(5007)
 CHANGE> [Cole changed vote from NOOP to ACCEPT]
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]
 Christey> SGI:20030605-01-A
   URL:ftp://patches.sgi.com/support/free/security/advisories/20030605-01-A


CAN-2000-0580

Phase: Proposed (20000719)
Reference: BUGTRAQ:20000630 SecureXpert Advisory [SX-20000620-2]
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000630161935.4619B-100000@fjord.fscinternet.com
Reference: XF:win2k-cpu-overload-dos
Reference: BID:1415
Reference: URL:http://www.securityfocus.com/bid/1415

Description:
Windows 2000 Server allows remote attackers to cause a denial of service by sending a continuous stream of binary zeros to various TCP and UDP ports, which significantly increases the CPU utilization.

Votes:

   ACCEPT(3) Frech, Levy, Cole
   REJECT(2) Magdych, LeBlanc
   REVIEWING(1) Wall
Voter Comments:
 LeBlanc> Insufficient data.  Most of their claims are not reproducible. You can,
   however, DoS the telnet server this way. As far as I know, there is no repro
   on any of the other ports. I am not sure of fix status at this time
   (7/19/00). Also overlaps with CAN-2000-0581
 CHANGE> [Magdych changed vote from REVIEWING to REJECT]
 Magdych> The only independent verification of these claims I have heard is for the Telnet denial of service, which is already defined in CVE candidate CAN-2000-0581.
 Frech> Replace win2k-cpu-overload-dos(4824) with win2k-telnetserver-dos(4823)


CAN-2000-0589

Phase: Proposed (20000719)
Reference: BUGTRAQ:20000626 sawmill5.0.21 old path bug & weak hash algorithm
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0271.html
Reference: BUGTRAQ:20000706 Patch for Flowerfire Sawmill Vulnerabilities Available
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0080.html
Reference: BID:1403
Reference: URL:http://www.securityfocus.com/bid/1403
Reference: XF:sawmill-weak-encryption

Description:
SawMill 5.0.21 uses weak encryption to store passwords, which allows attackers to easily decrypt the password and modify the SawMill configuration.

Votes:

   ACCEPT(3) Frech, Levy, Magdych
   NOOP(3) LeBlanc, Wall, Cole
Voter Comments:
 CHANGE> [Magdych changed vote from REVIEWING to ACCEPT]


CAN-2000-0592

Phase: Proposed (20000719)
Reference: BUGTRAQ:20000627 [SPSadvisory #37]WinProxy 2.0.0/2.0.1 DoS and Exploitable Buffer Overflow
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200006271417.GFE84146.-BJXON@lac.co.jp
Reference: XF:winproxy-command-bo
Reference: BID:1400
Reference: URL:http://www.securityfocus.com/bid/1400

Description:
Buffer overflows in POP3 service in WinProxy 2.0 and 2.0.1 allow remote attackers to execute arbitrary commands via long USER, PASS, LIST, RETR, or DELE commands.

Votes:

   ACCEPT(4) Frech, Levy, Magdych, Cole
   NOOP(1) LeBlanc
   REVIEWING(1) Wall

CAN-2000-0605

Phase: Proposed (20000719)
Reference: NTBUGTRAQ:20000710 Two issues: Blackboard CourseInfo 4.0 stores admin password in clear text; strange settings on the winreg key.
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0007&L=NTBUGTRAQ&P=R1647
Reference: BID:1460
Reference: URL:http://www.securityfocus.com/bid/1460

Description:
Blackboard CourseInfo 4.0 stores the local and SQL administrator user names and passwords in cleartext in a registry key whose access control allows users to access the passwords.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(4) Magdych, LeBlanc, Cole, Christey
   REVIEWING(1) Wall
Voter Comments:
 Christey> ADDREF NTBUGTRAQ:20000718 Security Fix for Blackboard CourseInfo 4.0
   URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0040.html
 Frech> XF:blackboard-courseinfo-plaintext(4904)
 Christey> Vendor acknowledgement is at:
   BUGTRAQ:20000719 Security Fix for Blackboard CourseInfo 4.0
   URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D20000719151904.I17986@securityfocus.com
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]


CAN-2000-0606

Phase: Proposed (20000719)
Reference: BUGTRAQ:20000619 Problems with "kon2" package
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006192340340.19998-100000@ferret.lmh.ox.ac.uk
Reference: XF:linux-kon-bo
Reference: BID:1371
Reference: URL:http://www.securityfocus.com/bid/1371

Description:
Buffer overflow in kon program in Kanji on Console (KON) package on Linux may allow local users to gain root privileges via a long -StartupMessage parameter.

Votes:

   ACCEPT(3) Baker, Frech, Levy
   NOOP(4) Magdych, LeBlanc, Wall, Cole
Voter Comments:
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]


CAN-2000-0607

Phase: Proposed (20000719)
Reference: BUGTRAQ:20000619 Problems with "kon2" package
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006192340340.19998-100000@ferret.lmh.ox.ac.uk
Reference: XF:linux-kon-bo
Reference: BID:1371
Reference: URL:http://www.securityfocus.com/bid/1371

Description:
Buffer overflow in fld program in Kanji on Console (KON) package on Linux may allow local users to gain root privileges via an input file containing long CHARSET_REGISTRY or CHARSET_ENCODING settings.

Votes:

   ACCEPT(3) Baker, Frech, Levy
   NOOP(5) Magdych, LeBlanc, Wall, Cole, Christey
Voter Comments:
 Christey> BID:1983
   URL:http://www.securityfocus.com/bid/1983
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]


CAN-2000-0608

Phase: Proposed (20000719)
Reference: BUGTRAQ:20000620 NetWin dMailWeb Denial of Service
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=4.1.20000621113334.00996820@qlink.queensu.ca
Reference: BID:1376
Reference: URL:http://www.securityfocus.com/bid/1376
Reference: XF:dmailweb-long-pophost-dos

Description:
NetWin dMailWeb and cwMail 2.6i and earlier allows remote attackers to cause a denial of service via a long POP parameter (pophost).

Votes:

   ACCEPT(3) Frech, Levy, Magdych
   NOOP(3) LeBlanc, Wall, Cole

CAN-2000-0609

Phase: Proposed (20000719)
Reference: BUGTRAQ:20000620 NetWin dMailWeb Denial of Service
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=4.1.20000621113334.00996820@qlink.queensu.ca
Reference: XF:dmailweb-long-username-dos
Reference: BID:1376
Reference: URL:http://www.securityfocus.com/bid/1376

Description:
NetWin dMailWeb and cwMail 2.6g and earlier allows remote attackers to cause a denial of service via a long username parameter.

Votes:

   ACCEPT(3) Frech, Levy, Magdych
   NOOP(3) LeBlanc, Wall, Cole

CAN-2000-0612

Phase: Proposed (20000719)
Reference: BUGTRAQ:20000629 Buggy ARP handling in Windoze
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=395B7E64.9FB3D4DB@starzetz.de
Reference: XF:win-arp-spoofing
Reference: BID:1406
Reference: URL:http://www.securityfocus.com/bid/1406

Description:
Windows 95 and Windows 98 do not properly process spoofed ARP packets, which allows remote attackers to overwrite static entries in the cache table.

Votes:

   ACCEPT(4) Frech, Levy, LeBlanc, Cole
   NOOP(2) Magdych, Wall
   REVIEWING(1) Christey
Voter Comments:
 LeBlanc> I know we have a repro on this, but you may want to leave this in
   the REVIEWING state until a fix is released.
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]


CAN-2000-0614

Phase: Proposed (20000719)
Reference: SUSE:20000710 Security Hole in tnef < 0-124
Reference: URL:http://archives.neohapsis.com/archives/vendor/2000-q3/0002.html
Reference: BID:1450
Reference: URL:http://www.securityfocus.com/bid/1450

Description:
Tnef program in Linux systems allows remote attackers to overwrite arbitrary files via TNEF encoded compressed attachments which specify absolute path names for the decompressed output.

Votes:

   ACCEPT(1) Levy
   MODIFY(1) Frech
   NOOP(4) Magdych, LeBlanc, Wall, Cole
   REVIEWING(1) Christey
Voter Comments:
 Christey> This problem appears in AMaViS as well, so they may be the
   same codebase.  If so, then CD:SF-CODEBASE says to merge the
   two (thus ADDREF BID:1461).  If they are not the same
   codebase, then create a separate candidate for BID:1461.
 Frech> XF:linux-tnef-email-overwrite(4915)
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]


CAN-2000-0617

Phase: Proposed (20000719)
Reference: BUGTRAQ:20000622 RHL 6.2 xconq package - overflows yield gid games
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0222.html

Description:
Buffer overflow in xconq and cconq game programs on Red Hat Linux allows local users to gain additional privileges via long USER environmental variable.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(4) Magdych, LeBlanc, Wall, Christey
Voter Comments:
 Frech> XF:xconq-elevate-privileges(4995)
 Christey> ADDREF BID:1495
   ADDREF URL:http://www.securityfocus.com/bid/1495
 CHANGE> [Levy changed vote from REVIEWING to ACCEPT]
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]


CAN-2000-0618

Phase: Proposed (20000719)
Reference: BUGTRAQ:20000622 RHL 6.2 xconq package - overflows yield gid games
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0222.html

Description:
Buffer overflow in xconq and cconq game programs on Red Hat Linux allows local users to gain additional privileges via long DISPLAY environmental variable.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(4) Magdych, LeBlanc, Wall, Christey
Voter Comments:
 Frech> XF:xconq-elevate-privileges(4995)
 Christey> ADDREF BID:1495
   ADDREF URL:http://www.securityfocus.com/bid/1495
 CHANGE> [Levy changed vote from REVIEWING to ACCEPT]
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]


CAN-2000-0623

Phase: Proposed (20000803)
Reference: NTBUGTRAQ:20000719 Alert: Buffer Overrun is O'Reilly WebsitePro httpd32.exe (CISADV000717)
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0007&L=ntbugtraq&F=&S=&P=5946
Reference: BID:1492
Reference: URL:http://www.securityfocus.com/bid/1492

Description:
Buffer overflow in O'Reilly WebSite Professional web server 2.4 and earlier allows remote attackers to execute arbitrary commands via a long GET request or Referrer header.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(1) LeBlanc
   REVIEWING(1) Wall
Voter Comments:
 Frech> XF:website-httpd32-bo(4970)
   In the description, I think it's spelled "referer"


CAN-2000-0625

Phase: Proposed (20000803)
Reference: L0PHT:20000718 NetZero Password Encryption Algorithm
Reference: URL:http://www.l0pht.com/advisories/netzero.txt
Reference: BID:1483
Reference: URL:http://www.securityfocus.com/bid/1483

Description:
NetZero 3.0 and earlier uses weak encryption for storing a user's login information, which allows a local user to decrypt the password.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) LeBlanc, Wall
Voter Comments:
 Frech> XF:zeroport-weak-encryption(4963)


CAN-2000-0626

Phase: Proposed (20000803)
Reference: BUGTRAQ:20000718 Multiple bugs in Alibaba 2.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0237.html
Reference: BID:1482
Reference: URL:http://www.securityfocus.com/bid/1482

Description:
Buffer overflow in Alibaba web server allows remote attackers to cause a denial of service via a long GET request.

Votes:

   ACCEPT(4) Baker, Levy, Wall, Blake
   MODIFY(1) Frech
   NOOP(5) Ozancin, Oliver, LeBlanc, Cole, Armstrong
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:alibaba-get-dos(4934)
 Christey> This is in a relatively old Nessus plugin, though the exploit
   uses POST instead of GET.  This was probably discovered
   earlier than the references indicate.
 CHANGE> [Wall changed vote from NOOP to ACCEPT]
 Wall> Found by Arne Vidstrom and found in multiple sources
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> See the POST comment in
   http://marc.theaimsgroup.com/?l=bugtraq&m=94182951012884&w=2
   Also see http://marc.theaimsgroup.com/?l=bugtraq&m=94191318721834&w=2
   
   One poster says that a large number of sites are running
   Alibaba (based on a netcraft report), but I'm not 100%
   sure Netcraft's doing a good job of identifying Alibaba
   servers.


CAN-2000-0629

Phase: Proposed (20000803)
Reference: BUGTRAQ:20000711 Sun's Java Web Server remote command execution vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0163.html
Reference: MISC:http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html
Reference: BID:1459
Reference: URL:http://www.securityfocus.com/bid/1459

Description:
The default configuration of the Sun Java web server 2.0 and earlier allows remote attackers to execute arbitrary commands by uploading Java code to the server via board.html, then directly calling the JSP compiler servlet.

Votes:

   ACCEPT(3) Levy, Cole, Dik
   MODIFY(1) Frech
   NOOP(3) LeBlanc, Wall, Christey
Voter Comments:
 Frech> XF:sunjava-webadmin-bbs(5135)
 Christey> Need to create/update 
 Dik> (through internal confirmation)


CAN-2000-0645

Phase: Proposed (20000803)
Reference: BUGTRAQ:20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html
Reference: BID:1506
Reference: URL:http://www.securityfocus.com/bid/1506

Description:
WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of service by using the RESTART (REST) command and writing beyond the end of a file, or writing to a file that does not exist, via commands such as STORE UNIQUE (STOU), STORE (STOR), or APPEND (APPE).

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(3) LeBlanc, Wall, Cole
Voter Comments:
 Frech> XF:wftpd-rest-dos(5004)


CAN-2000-0646

Phase: Proposed (20000803)
Reference: BUGTRAQ:20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html
Reference: BID:1506
Reference: URL:http://www.securityfocus.com/bid/1506

Description:
WFTPD and WFTPD Pro 2.41 allows remote attackers to obtain the real pathname for a file by executing a STATUS (STAT) command while the file is being transferred.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(3) LeBlanc, Wall, Cole
Voter Comments:
 Frech> XF:wftpd-stat-info(5005)


CAN-2000-0647

Phase: Proposed (20000803)
Reference: BUGTRAQ:20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html
Reference: BID:1506
Reference: URL:http://www.securityfocus.com/bid/1506

Description:
WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of service by executing an MLST command before logging into the server.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(3) LeBlanc, Wall, Cole
Voter Comments:
 Frech> XF:wftpd-mlst-dos(5006)


CAN-2000-0648

Phase: Proposed (20000803)
Reference: BUGTRAQ:20000711 WFTPD/WFTPD Pro 2.41 RC10 denial-of-service
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13BvU6-0007d8-00@dwarf.box.sk
Reference: BID:1456
Reference: URL:http://www.securityfocus.com/bid/1456

Description:
WFTPD and WFTPD Pro 2.41 allows local users to cause a denial of service by executing the RENAME TO (RNTO) command before a RENAME FROM (RNFR) command.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(2) LeBlanc, Cole
   REVIEWING(1) Wall
Voter Comments:
 Frech> XF:wftpd-rnto-dos(4930)


CAN-2000-0649

Phase: Proposed (20000803)
Reference: NTBUGTRAQ:20000713 IIS4 Basic authentication realm issue
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0025.html
Reference: BID:1499
Reference: URL:http://www.securityfocus.com/bid/1499

Description:
IIS 4.0 allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request for a web page which is protected by basic authentication and has no realm defined.

Votes:

   ACCEPT(2) Levy, LeBlanc
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(2) Wall, Christey
Voter Comments:
 Christey> ADDREF http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP
   
   Change description to point out that the internal IP address
   exposure is due to the default configuration as opposed to
   a bug.
 Frech> XF:iis-internal-ip-disclosure(5106)
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> There are two variants of the same type of issue here.  The
   KB article shows that IIS 4.0 reveals the IP address in a
   Content-Location MIME header field.  The NTBugtraq article
   says that the IP address is shown in the WWW-Authenticate
   MIME header.  Which one has been fixed, or both, and when?
 Christey> MSKB:Q218180 identifies a problem in which IIS returns the
   info in a Content-Location header, but the authentication
   realm problem is not specifically mentioned.  Are these the
   same problem?


CAN-2000-0653

Phase: Proposed (20000803)
Reference: MS:MS00-045
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-045.asp
Reference: BID:1502
Reference: URL:http://www.securityfocus.com/bid/1502

Description:
Microsoft Outlook Express allows remote attackers to monitor a user's email by creating a persistent browser link to the Outlook Express windows, aka the "Persistent Mail-Browser Link" vulnerability.

Votes:

   ACCEPT(3) Levy, Wall, Cole
   NOOP(1) LeBlanc
   REJECT(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> Is this a duplicate of CAN-2000-0105? I can find no differentiating evidence
   to show that this issue is unique.
 Christey> I need to look through my email logs to recall whether I 
   resolved this potential duplicate with Microsoft people.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]


CAN-2000-0656

Phase: Proposed (20000803)
Reference: BUGTRAQ:20000724 AnalogX Proxy DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
Reference: CONFIRM:http://www.analogx.com/contents/download/network/proxy.htm
Reference: BID:1504
Reference: URL:http://www.securityfocus.com/bid/1504

Description:
Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long USER command in the FTP protocol.

Votes:

   ACCEPT(1) Levy
   MODIFY(1) Frech
   NOOP(3) LeBlanc, Wall, Cole
Voter Comments:
 Frech> XF:analogx-proxy-ftp-crash(4981)


CAN-2000-0657

Phase: Proposed (20000803)
Reference: BUGTRAQ:20000724 AnalogX Proxy DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
Reference: CONFIRM:http://www.analogx.com/contents/download/network/proxy.htm
Reference: BID:1504
Reference: URL:http://www.securityfocus.com/bid/1504

Description:
Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long HELO command in the SMTP protocol.

Votes:

   ACCEPT(1) Levy
   MODIFY(1) Frech
   NOOP(3) LeBlanc, Wall, Cole
Voter Comments:
 Frech> XF:analogx-proxy-smtp-helo(5164)


CAN-2000-0658

Phase: Proposed (20000803)
Reference: BUGTRAQ:20000724 AnalogX Proxy DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
Reference: CONFIRM:http://www.analogx.com/contents/download/network/proxy.htm
Reference: BID:1504
Reference: URL:http://www.securityfocus.com/bid/1504

Description:
Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long USER command in the POP3 protocol.

Votes:

   ACCEPT(1) Levy
   MODIFY(1) Frech
   NOOP(3) LeBlanc, Wall, Cole
Voter Comments:
 Frech> XF:analogx-proxy-pop3-crash(4982)


CAN-2000-0659

Phase: Proposed (20000803)
Reference: BUGTRAQ:20000724 AnalogX Proxy DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
Reference: BID:1504
Reference: URL:http://www.securityfocus.com/bid/1504

Description:
Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long user ID in a SOCKS4 CONNECT request.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(3) LeBlanc, Wall, Cole
Voter Comments:
 Frech> XF:analogx-proxy-socks4-crash(4997)


CAN-2000-0667

Phase: Proposed (20000803)
Reference: CALDERA:CSSA-2000-024.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0273.html
Reference: BID:1512
Reference: URL:http://www.securityfocus.com/bid/1512

Description:
Vulnerability in gpm in Caldera Linux allows local users to delete arbitrary files or conduct a denial of service.

Votes:

   ACCEPT(1) Levy
   MODIFY(1) Frech
   NOOP(3) LeBlanc, Wall, Cole
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:linux-gpm-gpmctl-dos(5010)
   We show this issue to be cross-Linux-platform and not Caldera specific. May
   also be a LOA issue or duplicate or specific instance of CAN-2000-0531. This
   position is further validated by BID-1512 and BID-1377, which lists this as
   a Conectiva Linux/Mandrake issue and list Mandrake:MDKSA-2000:025 in common.
   We will list both CVEs under the listed XF tag unless otherwise instructed.
 Christey> ADDREF Conectiva?
   URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0396.html
 Christey> ADDREF REDHAT:RHSA-2000:045-01
   ADDREF BUGTRAQ:20000727 CONECTIVA LINUX SECURITY ANNOUNCEMENT - GPM
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96473014104340&w=2
   Another possible reference is:
   BUGTRAQ:20000728 MDKSA:2000-025 gpm update
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96480812908563&w=2
   although the advisory is not explicit.  It also refers to
   CAN-2000-0531.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> Per Andre Frech's comments.


CAN-2000-0680

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000728 cvs security problem
Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3Dhvou2daoebb.fsf%40serein.m17n.org
Reference: BID:1524
Reference: URL:http://www.securityfocus.com/bid/1524

Description:
The CVS 1.10.8 server does not properly restrict users from creating arbitrary Checkin.prog or Update.prog programs, which allows remote CVS committers to modify or create Trojan horse programs with the Checkin.prog or Update.prog names, then performing a CVS commit action.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:cvs-checkin-execute-binary


CAN-2000-0686

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000823 Auction WeaverT LITE 1.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0310.html
Reference: BID:1630
Reference: URL:http://www.securityfocus.com/bid/1630

Description:
Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the fromfile parameter.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:cgi-auction-weaver-read-files
 Frech> XF:cgi-auction-weaver-read-files(5150)


CAN-2000-0687

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000823 Auction WeaverT LITE 1.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0310.html
Reference: BID:1630
Reference: URL:http://www.securityfocus.com/bid/1630

Description:
Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the catdir parameter.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Frech> XF:cgi-auction-weaver-read-files
 Christey> Need to double-check BID's on all these Auction Weaver prob's.
 Frech> XF:cgi-auction-weaver-read-files(5150)


CAN-2000-0688

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000823 Subscribe Me Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0292.html
Reference: BUGTRAQ:20000823 Re: Subscribe Me CGI Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96722957421029&w=2
Reference: CONFIRM:http://www.cgiscriptcenter.com/subscribe/
Reference: BID:1607
Reference: URL:http://www.securityfocus.com/bid/1607

Description:
Subscribe Me LITE does not properly authenticate attempts to change the administrator password, which allows remote attackers to gain privileges for the Account Manager by directly calling the subscribe.pl script with the setpwd parameter.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Frech> XF:subscribe-me-overwrite-password
 Christey> Make sure the mention of Account Manager is correct.
   XF:subscribe-me-overwrite-password
   http://xforce.iss.net/static/5126.php
 Frech> XF:subscribe-me-overwrite-password(5126)


CAN-2000-0689

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000823 Account Manager CGI Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0291.html
Reference: CONFIRM:http://www.cgiscriptcenter.com/acctlite/
Reference: BID:1604
Reference: URL:http://www.securityfocus.com/bid/1604

Description:
Account Manager LITE does not properly authenticate attempts to change the administrator password, which allows remote attackers to gain privileges for the Account Manager by directly calling the amadmin.pl script with the setpasswd parameter.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Frech> XF:account-manager-overwrite-password
   In description, you probably want to indicate both Account Manager LITE and PRO.
   Because CONFIRM redirects, you may want to verify and normalize to http://www.cgiscriptcenter.com/acctman/index2.html.
 Christey> XF:account-manager-overwrite-password
   http://xforce.iss.net/static/5125.php
 Frech> XF:account-manager-overwrite-password(5125)


CAN-2000-0690

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000830 More problems with Auction Weaver & CGI Script Center.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0370.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0452.html

Description:
Auction Weaver CGI script 1.02 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the fromfile parameter.

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, Levy
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Levy> Reference: BID 1645
 Christey> BID:1645
   URL:http://www.securityfocus.com/bid/1645
 Frech> XF:auction-weaver-execute-commands(6175)


CAN-2000-0691

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000826 Advisory: mgetty local compromise
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0329.html
Reference: CONFIRM:http://archives.neohapsis.com/archives/bugtraq/2000-08/0330.html
Reference: CALDERA:CSSA-2000-029.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-029.0.txt
Reference: BID:1612
Reference: URL:http://www.securityfocus.com/bid/1612

Description:
The faxrunq and faxrunqd in the mgetty package allows local users to create or modify arbitrary files via a symlink attack which creates a symlink in from /var/spool/fax/outgoing/.last_run to the target file.

Votes:

   ACCEPT(1) Levy
   MODIFY(2) Frech, Cox
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Frech> XF:mgetty-faxrunq-symlink
 Christey> ADDREF XF:mgetty-faxrunq-symlink
   ADDREF URL:http://xforce.iss.net/static/5159.php
   ADDREF REDHAT:RHSA-2000:059-02
   ADDREF BUGTRAQ:20000830 Conectiva Linux Security Announcement - mgetty
   ADDREF MANDRAKE:MDKSA-2000:042
 Christey> ADDREF REDHAT:RHSA-2000:059-02
 Christey> ADDREF FREEBSD:FreeBSD-SA-00:71
   ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:71.mgetty.asc
 Frech> XF:mgetty-faxrunq-symlink(5159)	
 Cox> ADDREF REDHAT:RHSA-2000:059


CAN-2000-0692

Phase: Modified (20001010-1)
Reference: BUGTRAQ:20000822 DOS on RealSecure 3.2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0267.html
Reference: BID:1597
Reference: URL:http://www.securityfocus.com/bid/1597
Reference: XF:realsecure-rskill-dos

Description:
ISS RealSecure 3.2.1 and 3.2.2 allows remote attackers to cause a denial of service via a flood of fragmented packets with the SYN flag set.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:realsecure-rskill-dos
 Christey> CHANGEREF XF:realsecure-rskill-dos to XF:realsecure-frag-syn-dos?
   http://xforce.iss.net/static/5133.php
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> In an email to issforum@iss.net on September 7, 2000, ISS says
   that Network Sensor 3.2.2 is affected by SYN flooding, but
   RealSecure 5.0 is not affected by Syn flooding.  In addition,
   they could not find conclusive evidence that RS 3.2.2 or 5.0
   was affected by IP fragmentation.  This seems to indicate
   that there are 2 *possible* problems: syn flooding (acknowledged
   by ISS) and fragmentation (unconfirmed).  Perhaps this
   candidate needs to be split, or its description should be
   rewritten to separate the 2 reported problems.
 Frech> XF:realsecure-rskill-dos(5133)


CAN-2000-0695

Phase: Modified (20010417-01)
Reference: BUGTRAQ:20000802 Local root compromise in PGX Config Sun Sparc Solaris
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0463.html

Description:
Buffer overflows in pgxconfig in the Raptor GFX configuration tool allow local users to gain privileges via command line options.

Votes:

   ACCEPT(3) Baker, Levy, Dik
   NOOP(2) Wall, Cole
Voter Comments:
 Dik> as CAN-2000-0693


CAN-2000-0696

Phase: Modified (20020222-01)
Reference: BUGTRAQ:20000807 Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server
Reference: URL:http://www.securityfocus.com/archive/1/74382
Reference: SUN:00196
Reference: URL:http://archives.neohapsis.com/archives/sun/2000-q3/0001.html
Reference: XF:solaris-answerbook2-admin-interface(5069)
Reference: URL:http://xforce.iss.net/static/5069.php
Reference: BID:1554
Reference: URL:http://www.securityfocus.com/bid/1554

Description:
The administration interface for the dwhttpd web server in Solaris AnswerBook2 does not properly authenticate requests to its supporting CGI scripts, which allows remote attackers to add user accounts to the interface by directly calling the admin CGI script.

Votes:

   ACCEPT(3) Levy, Cole, Dik
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Frech> XF:solaris-answerbook2-admin-interface
 Christey> XF:solaris-answerbook2-admin-interface
   http://xforce.iss.net/static/5069.php
 Christey> BUGTRAQ:20000807 Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server
   http://www.securityfocus.com/archive/1/74382
 Christey> Fix typo: "CGi"
 CHANGE> [Dik changed vote from REVIEWING to ACCEPT]


CAN-2000-0697

Phase: Modified (20020222-01)
Reference: BUGTRAQ:20000807 Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server
Reference: URL:http://www.securityfocus.com/archive/1/74382
Reference: SUN:00196
Reference: URL:http://archives.neohapsis.com/archives/sun/2000-q3/0001.html
Reference: XF:solaris-answerbook2-remote-execution(5058)
Reference: URL:http://www.iss.net/security_center/static/5058.php
Reference: BID:1556
Reference: URL:http://www.securityfocus.com/bid/1556

Description:
The administration interface for the dwhttpd web server in Solaris AnswerBook2 allows interface users to remotely execute commands via shell metacharacters.

Votes:

   ACCEPT(3) Levy, Cole, Dik
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Frech> XF:solaris-answerbook2-remote-execution
 Christey> XF:solaris-answerbook2-remote-execution
   http://xforce.iss.net/static/5058.php
 CHANGE> [Dik changed vote from REVIEWING to ACCEPT]
 Dik> COMMENTS
   verified bug existance.
 Christey> There needs to be a separate item for the .. problem reported
   in this same post.


CAN-2000-0701

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000801 Advisory: mailman local compromise
Reference: URL:http://www.securityfocus.com/archive/1/73220
Reference: CONFIRM:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000802105050.A11733@rak.isternet.sk
Reference: BUGTRAQ:20000802 CONECTIVA LINUX SECURITY ANNOUNCEMENT - mailman
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0474.html
Reference: BUGTRAQ:20000802 MDKSA-2000:030 - Linux-Mandrake not affected by mailman problem
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0479.html
Reference: REDHAT:RHSA-2000:030-03
Reference: URL:http://www.redhat.com/support/errata/secureserver/RHSA-2000-030-03.html
Reference: BID:1539
Reference: URL:http://www.securityfocus.com/bid/1539

Description:
The wrapper program in mailman 2.0beta3 and 2.0beta4 does not properly cleanse untrusted format strings, which allows local users to gain privileges.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:gnu-mailman-format-string
   You can perhaps normalize Bugtraq URL to CONFIRM:http://www.securityfocus.com/archive/1/73355.


CAN-2000-0704

Phase: Proposed (20000921)
Reference: SGI:20000803-01-A
Reference: URL:ftp://sgigate.sgi.com/security/20000803-01-A
Reference: BID:1603
Reference: URL:http://www.securityfocus.com/bid/1603

Description:
Buffer overflow in SGI Omron WorldView Wnn allows remote attackers to execute arbitrary commands via long JS_OPEN, JS_MKDIR, or JS_FILE_INFO commands.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Frech> XF:irix-worldview-wnn-bo
 Christey> XF:irix-worldview-wnn-bo
   http://xforce.iss.net/static/5163.php


CAN-2000-0709

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000823 Xato Advisory: FrontPage DOS Device DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0288.html
Reference: CONFIRM:http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp
Reference: BID:1608
Reference: URL:http://www.securityfocus.com/bid/1608

Description:
The shtml.exe component of Microsoft FrontPage 2000 Server Extensions 1.1 allows remote attackers to cause a denial of service in some components by requesting a URL whose name includes a standard DOS device name.

Votes:

   ACCEPT(3) Levy, Wall, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Christey> [note to self: review comments by Mark Burnett]
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> XF:frontpage-ext-device-name-dos(5124)
 Frech> XF:frontpage-ext-device-name-dos(5124)


CAN-2000-0710

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000823 Xato Advisory: FrontPage DOS Device DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0288.html
Reference: CONFIRM:http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp
Reference: BID:1608
Reference: URL:http://www.securityfocus.com/bid/1608

Description:
The shtml.exe component of Microsoft FrontPage 2000 Server Extensions 1.1 allows remote attackers determine the physical path of the server components by requesting an invalid URL whose name includes a standard DOS device name.

Votes:

   ACCEPT(3) Levy, Wall, Cole
   MODIFY(1) Frech
   NOOP(1) Christey
Voter Comments:
 Christey> [note to self: review comments by Mark Burnett]
 Frech> XF:frontpage-ext-device-name-dos(5124)


CAN-2000-0713

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000726 [SPSadvisory#39]Adobe Acrobat Series PDF File Buffer Overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0382.html
Reference: CONFIRM:http://www.adobe.com/misc/pdfsecurity.html
Reference: BID:1509
Reference: URL:http://www.securityfocus.com/bid/1509

Description:
Buffer overflow in Adobe Acrobat 4.05, Reader, Business Tools, and Fill In products that handle PDF files allows attackers to execute arbitrary commands via a long /Registry or /Ordering specifier.

Votes:

   ACCEPT(3) Levy, Wall, Cole
   NOOP(1) Christey
Voter Comments:
 Christey> ADDREF XF:adobe-pdf-bo(5002)


CAN-2000-0714

Phase: Proposed (20000921)
Reference: REDHAT:RHSA-2000:047-03
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-047-03.html
Reference: BID:1551
Reference: URL:http://www.securityfocus.com/bid/1551

Description:
umb-scheme 3.2-11 for Red Hat Linux is installed with world-writeable files.

Votes:

   ACCEPT(4) Cox, Levy, Williams, Cole
   NOOP(2) Wall, Christey
Voter Comments:
 Christey> XF:linux-umb-scheme
   http://xforce.iss.net/static/5048.php
 Cox> (If me voting speeds up its inclusion :))


CAN-2000-0715

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000805 Diskcheck 3.1.1 Symlink Vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=398BD1FD.BAEE3B70@chonnam.chonnam.ac.kr
Reference: BID:1552
Reference: URL:http://www.securityfocus.com/bid/1552

Description:
DiskCheck script diskcheck.pl in Red Hat Linux allows local users to create or overwrite arbitrary files via a symlink attack.

Votes:

   ACCEPT(3) Baker, Levy, Williams
   MODIFY(2) Cox, Christey
   NOOP(2) Wall, Cole
Voter Comments:
 Christey> XF:diskcheck-tmp-race-condition
   http://xforce.iss.net/static/5061.php
 Christey> ADDREF REDHAT:RHSA-2000:122-04 ?
   The advisory addresses some diskcheck symlink vulnerability,
   but the initial announcement was 4 months before the advisory
   was released; however, the DiskCheck versions seem to
   correspond.
 Christey> See various Bugtraq posts relating to this, and verify if the
   Conectiva/Red Hat/etc. advisories are really addressing this
   particular problem.
   e.g.: BUGTRAQ:20000622 Re: rh 6.2 - gid compromises, etc [+ MORE!!!]
   http://marc.theaimsgroup.com/?l=bugtraq&m=96172022819526&w=2
   BUGTRAQ:20000810 CONECTIVA LINUX SECURITY ANNOUNCEMENT - diskcheck
   http://marc.theaimsgroup.com/?l=bugtraq&m=96604843017702&w=2
   REDHAT:RHSA-2000:122-06
   http://marc.theaimsgroup.com/?l=bugtraq&m=97649229201967&w=2
   BID:2050
   URL:http://www.securityfocus.com/bid/2050
 Christey> The following RedHat advisory appears to identify the same
   problem as one that was posted to Bugtraq on August 8, 2000:
   REDHAT:RHSA-2000:122-06
   http://www.redhat.com/support/errata/powertools/RHSA-2000-122.html
   
   See the following BugID, as referenced in the advisory:
   http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11724
   So, add:
   BID:2050
   URL:http://www.securityfocus.com/bid/2050
   XF:linux-diskcheck-race-symlink
   URL:http://xforce.iss.net/static/5624.php
   
   [note the apparent BID duplicates, however]
 CHANGE> [Christey changed vote from NOOP to MODIFY]
 Christey> Missing BID - BID:1552
 Cox> ADDREF REDHAT:RHSA-2000:122


CAN-2000-0719

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000810 VariCAD 7.0 premission vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0126.html

Description:
VariCAD 7.0 is installed with world-writeable files, which allows local users to replace the VariCAD programs with a Trojan horse program.

Votes:

   MODIFY(1) Frech
   NOOP(4) Williams, Wall, Cole, Christey
   REVIEWING(1) Levy
Voter Comments:
 Christey> XF:varicad-world-write-permissions
   http://xforce.iss.net/static/5077.php
 Frech> XF:aricad-world-write-permissions(5077)
 Christey> BID:1862


CAN-2000-0721

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000810 FlagShip v4.48.7449 premission vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0114.html
Reference: BID:1586
Reference: URL:http://www.securityfocus.com/bid/1586

Description:
The FSserial, FlagShip_c, and FlagShip_p programs in the FlagShip package are installed world-writeable, which allows local users to replace them with Trojan horses.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:flagship-incorrect-permissions(5114)


CAN-2000-0722

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000819 Multiple Local Vulnerabilities in Helix Gnome Installer
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13QAYl-0007il-00@the-village.bc.nu
Reference: BUGTRAQ:20000820 Helix Code Security Advisory - Helix GNOME Update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0240.html
Reference: BUGTRAQ:20000820 [Helix Beta] Helix Code Security Advisory - Helix GNOME Installer
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0251.html
Reference: BID:1593
Reference: URL:http://www.securityfocus.com/bid/1593

Description:
Helix GNOME Updater helix-update 0.5 and earlier allows local users to install arbitrary RPM packages by creating the /tmp/helix-install installation directory before root has begun installing packages.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Christey> XF:linux-update-race-condition
 Frech> XF:gnome-installer-overwrite-configuration(5129)


CAN-2000-0723

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000819 Multiple Local Vulnerabilities in Helix Gnome Installer
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13QAYl-0007il-00@the-village.bc.nu
Reference: BUGTRAQ:20000820 [Helix Beta] Helix Code Security Advisory - Helix GNOME Installer
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0251.html
Reference: BID:1596
Reference: URL:http://www.securityfocus.com/bid/1596

Description:
Helix GNOME Updater helix-update 0.5 and earlier does not properly create /tmp directories, which allows local users to create empty system configuration files such as /etc/config.d/bashrc, /etc/config.d/csh.cshrc, and /etc/rc.config.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Christey> XF:gnome-installer-overwrite-configuration(5129)
 Frech> XF:gnome-installer-overwrite-configuration(5129)


CAN-2000-0724

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000829 More Helix Code installation problems (go-gnome)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0351.html
Reference: BUGTRAQ:20000829 Helix Code Security Advisory - go-gnome pre-installer
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0356.html
Reference: BID:1622
Reference: URL:http://www.securityfocus.com/bid/1622

Description:
The go-gnome Helix GNOME pre-installer allows local users to overwrite arbitrary files via a symlink attack on various files in /tmp, including uudecode, snarf, and some installer files.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Christey> XF:go-gnome-preinstaller-symlink(5161)
 Frech> XF:go-gnome-preinstaller-symlink(5161)


CAN-2000-0734

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000831 Remote DoS Attack in Eeye Iris 1.01 and SpyNet CaptureNet v3.12
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96774637326591&w=2
Reference: BID:1627
Reference: URL:http://www.securityfocus.com/bid/1627

Description:
eEye IRIS 1.01 beta allows remote attackers to cause a denial of service via a large number of UDP connections.

Votes:

   MODIFY(1) Levy
   NOOP(2) Wall, Cole
   REJECT(1) Frech
Voter Comments:
 Levy> The product is in wide use even while is in beta. eEye brought another company and made all their previous customers upgrade to the new software.


CAN-2000-0735

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000818 Becky! Internet Mail Buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0234.html
Reference: CONFIRM:http://member.nifty.ne.jp/rimarts/becky-e/Readme.txt
Reference: BID:1588
Reference: URL:http://www.securityfocus.com/bid/1588

Description:
Buffer overflow in Becky! Internet Mail client 1.26.03 and earlier allows remote attackers to cause a denial of service via a long Content-type: MIME header when the user replies to a message.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Christey> XF:becky-imail-header-dos
   http://xforce.iss.net/static/5110.php
 Frech> XF:becky-imail-header-dos(5110)


CAN-2000-0736

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000818 Becky! Internet Mail Buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0234.html
Reference: CONFIRM:http://member.nifty.ne.jp/rimarts/becky-e/Readme.txt
Reference: BID:1588
Reference: URL:http://www.securityfocus.com/bid/1588

Description:
Buffer overflow in Becky! Internet Mail client 1.26.04 and earlier allows remote attackers to cause a denial of service via a long Content-type: MIME header when the user forwards a message.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Christey> XF:becky-imail-header-dos
   http://xforce.iss.net/static/5110.php
 Frech> XF:becky-imail-header-dos(5110)


CAN-2000-0746

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000821 IIS 5.0 cross site scripting vulnerability - using .shtml files or /_vti_bin/shtml.dll
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=39A12BD6.E811BF4F@nat.bg
Reference: MS:MS00-060
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-060.asp
Reference: BID:1594
Reference: URL:http://www.securityfocus.com/bid/1594
Reference: BID:1595
Reference: URL:http://www.securityfocus.com/bid/1595

Description:
Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against cross-site scripting (CSS) attacks. They allow a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site, aka the "IIS Cross-Site Scripting" vulnerabilities.

Votes:

   ACCEPT(3) Levy, Wall, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Christey> Make sure both BID's are appropriate
   XF:iis-cross-site-scripting
   http://xforce.iss.net/static/5156.php
 Frech> XF: iis-cross-site-scripting(5156)
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> A re-release of MS:MS00-060 indicates that a new variant of
   this problem was discovered, but the advisory does not
   provide sufficient details to distinguish it from this
   candidate.  A new candidate is being created, but the 
   description can't be written without mentioning this CAN.


CAN-2000-0747

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000726 CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENLDAP
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0379.html

Description:
The logrotate script for openldap earlier than 1.2.11 in Conectiva Linux sends an improper signal to the kernel log daemon (klogd) and kills it.

Votes:

   ACCEPT(2) Baker, Cole
   NOOP(1) Wall
   REVIEWING(1) Levy

CAN-2000-0748

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000726 Group-writable executable in OpenLDAP
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0375.html
Reference: BID:1511
Reference: URL:http://www.securityfocus.com/bid/1511

Description:
OpenLDAP 1.2.11 and earlier improperly installs the ud binary with group write permissions, which could allow any user in that group to replace the binary with a Trojan horse.

Votes:

   ACCEPT(1) Levy
   NOOP(3) Williams, Wall, Cole

CAN-2000-0752

Phase: Proposed (20000921)
Reference: FREEBSD:FreeBSD-SA-00:43
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0339.html
Reference: BID:1629
Reference: URL:http://www.securityfocus.com/bid/1629

Description:
Buffer overflows in brouted in FreeBSD and possibly other OSes allows local users to gain root privileges via long command line arguments.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:freebsd-brouted-bo(6185)


CAN-2000-0755

Phase: Proposed (20000921)
Reference: HP:HPSBUX0008-118
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0144.html
Reference: BID:1581
Reference: URL:http://www.securityfocus.com/bid/1581

Description:
Vulnerability in the newgrp command in HP-UX 11.00 allows local users to gain privileges.

Votes:

   ACCEPT(2) Levy, Cole
   NOOP(1) Wall
   REJECT(2) Frech, Christey
Voter Comments:
 Christey> DUPE CVE-2000-0730
   Also, the BID is wrong.
 Frech> DUPE OF CVE-2000-0730
   Also, the BID is wrong.


CAN-2000-0756

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000831 vCard DoS on Outlook 2000
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Springmail.105.967737080.0.16997300@www.springmail.com
Reference: BID:1633
Reference: URL:http://www.securityfocus.com/bid/1633

Description:
Microsoft Outlook 2000 does not properly process long or malformed fields in vCard (.vcf) files, which allows attackers to cause a denial of service.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(2) Frech, LeBlanc
   REVIEWING(2) Wall, Christey
Voter Comments:
 LeBlanc> - if a KB article, bulletin, or patch can be found, then
   I'll ACCEPT
 Christey> This is the same as MS:MS01-012 (CAN-2001-0145)
   See the Bugtraq post by Joel Moses:
   http://marc.theaimsgroup.com/?l=bugtraq&m=98322714210100&w=2
   
   As of this writing, it is not certain which candidate
   should be preferred: the candidate that has been publicly
   known longer (i.e. CAN-2000-0756), or the more "official"
   candidate, which has probably been publicized more (i.e.
   CAN-2001-0145).
 Frech> XF:outlook-vcard-dos(5175)
   XF:outlook-vcard-bo(6145)
   Because there's another more recent CAN linked to @stake and
   Microsoft's advisories, we'll link both of our records to both
   candiates until a final decision occurs. If a decision has been made
   to promote the CAN-2001 entry, then enter my vote as a REJECT for
   CAN-2000-0756.
 Frech> Replace outlook-vcard-bo(6145) with outlook-vcard-dos(5175)


CAN-2000-0757

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000808 Exploit for Totalbill...
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0074.html
Reference: BID:1555
Reference: URL:http://www.securityfocus.com/bid/1555

Description:
The sysgen service in Aptis Totalbill does not perform authentication, which allows remote attackers to gain root privileges by connecting to the service and specifying the commands to be executed.

Votes:

   ACCEPT(2) Baker, Levy
   NOOP(4) Williams, Wall, Cole, Christey
Voter Comments:
 Christey> XF:totalbill-remote-execution
   http://xforce.iss.net/static/5068.php


CAN-2000-0759

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000719 [LoWNOISE] Tomcat 3.1 Path Revealing Problem.
Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719184401.17782A-100000@grex.cyberspace.org
Reference: BID:1531
Reference: URL:http://www.securityfocus.com/bid/1531
Reference: XF:tomcat-error-path-reveal

Description:
Jakarta Tomcat 3.1 under Apache reveals physical path information when a remote attacker requests a URL that does not exist, which generates an error message that includes the physical path.

Votes:

   ACCEPT(2) Baker, Levy
   NOOP(3) Williams, Wall, Cole

CAN-2000-0760

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000719 [LoWNOISE] Snoop Servlet (Tomcat 3.1 and 3.0)
Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719235404.24004A-100000@grex.cyberspace.org
Reference: XF:tomcat-snoop-info
Reference: BID:1532
Reference: URL:http://www.securityfocus.com/bid/1532

Description:
The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension.

Votes:

   ACCEPT(2) Baker, Levy
   NOOP(3) Williams, Wall, Cole

CAN-2000-0769

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000824 WebServer Pro 2.3.7 Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96715834610888&w=2
Reference: BID:1611
Reference: URL:http://www.securityfocus.com/bid/1611

Description:
O'Reilly WebSite Pro 2.3.7 installs the uploader.exe program with execute permissions for all users, which allows remote attackers to create and execute arbitrary files by directly calling uploader.exe.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(2) Cole, Christey
   REVIEWING(1) Wall
Voter Comments:
 Christey> XF:website-pro-upload-files(5157)
 Frech> XF:website-pro-upload-files(5157)


CAN-2000-0772

Phase: Modified (20010116-01)
Reference: BUGTRAQ:20000810 Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0098.html
Reference: CONFIRM:http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-official.htm
Reference: BID:1562
Reference: URL:http://www.securityfocus.com/bid/1562
Reference: XF:tumbleweed-mms-blank-password
Reference: URL:http://xforce.iss.net/static/5072.php

Description:
The installation of Tumbleweed Messaging Management System (MMS) 4.6 and earlier (formerly Worldtalk Worldsecure) creates a default account "sa" with no password.

Votes:

   ACCEPT(1) Levy
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Christey> XF:tumbleweed-mms-blank-password
   http://xforce.iss.net/static/5072.php
 Frech> XF:umbleweed-mms-blank-password(5072)


CAN-2000-0773

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000731 Two security flaws in Bajie Webserver
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0426.html
Reference: BID:1522
Reference: URL:http://www.securityfocus.com/bid/1522

Description:
Bajie HTTP web server 0.30a allows remote attackers to read arbitrary files by requesting a URL that contains a "....", a variant of the dot dot attack.

Votes:

   ACCEPT(2) Levy, Williams
   NOOP(2) Wall, Cole

CAN-2000-0774

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000731 Two security flaws in Bajie Webserver
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0426.html
Reference: BID:1521
Reference: URL:http://www.securityfocus.com/bid/1521

Description:
The sample Java servlet "test" in Bajie HTTP web server 0.30a reveals the real pathname of the web document root.

Votes:

   ACCEPT(2) Levy, Williams
   NOOP(2) Wall, Cole

CAN-2000-0775

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000828 [NT] Viking security vulnerabilities enable remote code execution (long URL, date parsing)
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=399a01c01122$0d7f2310$0201a8c0@aviram
Reference: CONFIRM:http://www.robtex.com/viking/bugs.htm
Reference: BID:1614
Reference: URL:http://www.securityfocus.com/bid/1614

Description:
Buffer overflow in RobTex Viking server earlier than 1.06-370 allows remote attackers to cause a denial of service or execute arbitrary commands via a long HTTP GET request, or long Unless-Modified-Since, If-Range, or If-Modified-Since headers.

Votes:

   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Christey> XF:viking-server-bo(5158)
 Frech> XF:viking-server-bo(5158)


CAN-2000-0781

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000728 Client Agent 6.62 for Unix Vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000728034420.A19824@sdf.freeshell.org
Reference: BID:1519
Reference: URL:http://www.securityfocus.com/bid/1519

Description:
uagentsetup in ARCServeIT Client Agent 6.62 does not properly check for the existence or ownership of a temporary file which is moved to the the agent.cfg configuration file, which allows local users to execute arbitrary commands by modifying the temporary file before it is moved.

Votes:

   ACCEPT(2) Levy, Williams
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Christey> fix typo: "the the"


CAN-2000-0784

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000816 Remote Root Compromise On All RapidStream VPN Appliances
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0216.html
Reference: BID:1574
Reference: URL:http://www.securityfocus.com/bid/1574

Description:
sshd program in the Rapidstream 2.1 Beta VPN appliance has a hard-coded "rsadmin" account with a null password, which allows remote attackers to execute arbitrary commands via ssh.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Christey> XF:rapidstream-remote-execution
   http://xforce.iss.net/static/5093.php
 Frech> XF:rapidstream-remote-execution(5093)


CAN-2000-0785

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000713 More wIRCSrv stupidity
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96353027909756&w=2

Description:
WircSrv IRC Server 5.07s allows IRC operators to read arbitrary files via the importmotd command, which sets the Message of the Day (MOTD) to the specified file.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Levy
   NOOP(3) Williams, Wall, Cole
Voter Comments:
 Levy> BID 1472


CAN-2000-0789

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000816 WinU 4/5 weak password vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0201.html

Description:
WinU 5.x and earlier uses weak encryption to store its configuration password, which allows local users to decrypt the password and gain privileges.

Votes:

   ACCEPT(1) Williams
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Christey
   REVIEWING(1) Levy
Voter Comments:
 Frech> XF:winu-backdoor(5376)
 Christey> ADDREF BID:1741
   ADDREF URL:http://www.securityfocus.com/bid/1741


CAN-2000-0791

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000815 Trustix security advisory - apache-ssl
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0179.html
Reference: BID:1575
Reference: URL:http://www.securityfocus.com/bid/1575

Description:
Trustix installs the httpsd program for Apache-SSL with world-writeable permissions, which allows local users to replace it with a Trojan horse.

Votes:

   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Christey> XF:trustix-secure-apache-misconfig
   http://xforce.iss.net/static/5099.php
 Frech> XF:trustix-secure-apache-misconfig(5099)


CAN-2000-0793

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000728 Norton Antivirus Protection Disabled under Novell Netware
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=398222C5@zathras.cc.vt.edu
Reference: BID:1533
Reference: URL:http://www.securityfocus.com/bid/1533

Description:
Norton AntiVirus 5.00.01C with the Novell Netware client does not properly restart the auto-protection service after the first user has logged off of the system.

Votes:

   ACCEPT(1) Levy
   NOOP(3) Williams, Wall, Cole

CAN-2000-0794

Phase: Modified (20020222-01)
Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
Reference: BID:1527
Reference: URL:http://www.securityfocus.com/bid/1527
Reference: XF:irix-libgl-bo(5063)
Reference: URL:http://www.iss.net/security_center/static/5063.php

Description:
Buffer overflow in IRIX libgl.so library allows local users to gain root privileges via a long HOME variable to programs such as (1) gmemusage and (2) gr_osview.

Votes:

   ACCEPT(3) Baker, Levy, Williams
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Christey> XF:irix-libgl-bo
   http://xforce.iss.net/static/5063.php


CAN-2000-0797

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
Reference: BID:1526
Reference: URL:http://www.securityfocus.com/bid/1526

Description:
Buffer overflow in gr_osview in IRIX 6.2 and 6.3 allows local users to gain privileges via a long -D option.

Votes:

   ACCEPT(2) Baker, Levy
   NOOP(4) Williams, Wall, Cole, Christey
Voter Comments:
 Christey> XF:irix-grosview-bo
   http://xforce.iss.net/static/5062.php


CAN-2000-0798

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
Reference: BID:1540
Reference: URL:http://www.securityfocus.com/bid/1540

Description:
The truncate function in IRIX 6.x does not properly check for privileges when the file is in the xfs file system, which allows local users to delete the contents of arbitrary files.

Votes:

   ACCEPT(3) Baker, Levy, Williams
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Christey> XF:irix-xfs-truncate
   http://xforce.iss.net/static/5011.php
 Christey> XF:sgi-xfs(2110) ?
   SGI:19970102-01-PX ?
 Christey> Consulting SGI on this... the relationship is pretty close.


CAN-2000-0800

Phase: Proposed (20000921)
Reference: SUSE:20000810 Security Hole in knfsd, all versions
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_58.txt

Description:
String parsing error in rpc.kstatd in the linuxnfs or knfsd packages in SuSE and possibly other Linux systems allows remote attackers to gain root privileges.

Votes:

   ACCEPT(1) Cole
   MODIFY(2) Frech, Levy
   NOOP(1) Wall
   REJECT(1) Christey
Voter Comments:
 Levy> This is the same as other Linux vendors statd format string problem.
   
   Reference: BID 1480
 Christey> If this is the same as the other statd format string problems,
   then this is a duplicate of CAN-2000-0666.
 Frech> XF:linux-rpcstatd-format-overwrite(4939)
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> OK, I agree that this is a dupe of CVE-2000-0666.
   Here's why:
   
   BUGTRAQ:20000803 SuSE Security: miscellaneous
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96540330329127&w=2
   
   One statement says "The SuSE package containing rpc.kstatd
   (other vendors named it rpc.statd)... An updated package is
   currently being tested."


CAN-2000-0801

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000727 [ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vul.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0388.html
Reference: BID:1520
Reference: URL:http://www.securityfocus.com/bid/1520

Description:
Buffer overflow in bdf program in HP-UX 11.00 may allow local users to gain root privileges via a long -t option.

Votes:

   ACCEPT(2) Levy, Williams
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Christey> ADDREF HP:HPSBUX0010-127??
   http://archives.neohapsis.com/archives/hp/2000-q4/0028.html


CAN-2000-0802

Phase: Proposed (20000921)
Reference: BUGTRAQ:20000722 More bad censorware
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96430372326912&w=2
Reference: XF:bair-security-removal

Description:
The BAIR program does not properly restrict access to the Internet Explorer Internet options menu, which allows local users to obtain access to the menu by modifying the registry key that starts BAIR.

Votes:

   NOOP(4) Williams, LeBlanc, Wall, Cole
   REVIEWING(1) Levy
Voter Comments:
 LeBlanc> What the heck is BAIR? I don't think it is MS software.


CAN-2000-0812

Phase: Interim (20010117)
Reference: SUN:00197
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/197&type=0&nav=sec.sba
Reference: MISC:http://www.securityfocus.com/templates/advisory.html?id=2542
Reference: BID:1600
Reference: URL:http://www.securityfocus.com/bid/1600
Reference: XF:sunjava-webadmin-bbs
Reference: URL:http://xforce.iss.net/static/5135.php

Description:
The administration module in Sun Java web server allows remote attackers to execute arbitrary commands by uploading Java code to the module and invoke the com.sun.server.http.pagecompile.jsp92.JspServlet by requesting a URL that begins with a /servlet/ tag.

Votes:

   ACCEPT(2) Baker, Dik
   MODIFY(2) Frech, Levy
   NOOP(3) Wall, Cole, Armstrong
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:sunjava-webadmin-bbs(5135)
 Levy> BID 1600
 Frech> We also show this associated with CAN-2000-0629: The default
   configuration of the Sun Java web server 2.0 and earlier allows remote
   attackers to execute arbitrary commands by uploading Java code to the
   server via board.html, then directly calling the JSP compiler
   servlet. CVE web site concurs.
 Christey> I think that Casper Dik confirmed that CAN-2000-0629 is a
   configuration problem, and this one is a bug, so they are
   different problems.  I need to dig up that email, though...
 Dik> CAN-2000-0629 indeed is about sample code which shouldn't
   be run on prodution servers
   This one is an actual bug and patches have been produced
   for JWS 2.0 and 1.1.3


CAN-2000-0817

Phase: Modified (20010119-01)
Reference: ISS:20001101 Buffer Overflow in Microsoft Windows NT 4.0 and Windows 2000 Network Monitor
Reference: URL:http://xforce.iss.net/alerts/index.php
Reference: MS:MS00-083
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-083.asp
Reference: XF:network-monitor-bo(5399)

Description:
Buffer overflow in the HTTP protocol parser for Microsoft Network Monitor (Netmon) allows remote attackers to execute arbitrary commands via malformed data, aka the "Netmon Protocol Parsing" vulnerability.

Votes:

   ACCEPT(3) Baker, Mell, Cole
   MODIFY(1) Frech
   NOOP(1) Renaud
Voter Comments:
 Frech> XF:network-monitor-bo(5399)


CAN-2000-0826

Phase: Proposed (20001018)
Reference: ATSTAKE:A090800-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a090800-1.txt
Reference: BID:1657
Reference: URL:http://www.securityfocus.com/bid/1657
Reference: XF:documentdirect-get-bo
Reference: URL:http://xforce.iss.net/static/5210.php

Description:
Buffer overflow in ddicgi.exe program in Mobius DocumentDirect for the Internet 1.2 allows remote attackers to execute arbitrary commands via a long GET request.

Votes:

   ACCEPT(2) Baker, Collins
   NOOP(3) Wall, Cole, Armstrong

CAN-2000-0827

Phase: Proposed (20001018)
Reference: ATSTAKE:A090800-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a090800-1.txt
Reference: BID:1657
Reference: URL:http://www.securityfocus.com/bid/1657
Reference: XF:documentdirect-username-bo
Reference: URL:http://xforce.iss.net/static/5211.php

Description:
Buffer overflow in the web authorization form of Mobius DocumentDirect for the Internet 1.2 allows remote attackers to cause a denial of service or execute arbitrary commands via a long username.

Votes:

   ACCEPT(2) Baker, Collins
   NOOP(3) Wall, Cole, Armstrong

CAN-2000-0828

Phase: Proposed (20001018)
Reference: ATSTAKE:A090800-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a090800-1.txt
Reference: BID:1657
Reference: URL:http://www.securityfocus.com/bid/1657
Reference: XF:documentdirect-user-agent-bo
Reference: URL:http://xforce.iss.net/static/5212.php

Description:
Buffer overflow in ddicgi.exe in Mobius DocumentDirect for the Internet 1.2 allows remote attackers to execute arbitrary commands via a long User-Agent parameter.

Votes:

   ACCEPT(2) Baker, Collins
   NOOP(3) Wall, Cole, Armstrong

CAN-2000-0831

Phase: Proposed (20001018)
Reference: WIN2KSEC:20000912 DST2K0027: DoS in Faststream FTP++ 2.0
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0109.html

Description:
Buffer overflow in Fastream FTP++ 2.0 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long username.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Magdych, Cole, Armstrong, Christey
   REVIEWING(1) Wall
Voter Comments:
 Frech> XF:fastream-ftp-dos(5235)
 Christey> XF:fastream-ftp-dos


CAN-2000-0832

Phase: Modified (20010910-01)
Reference: BUGTRAQ:20000817 Htgrep CGI Arbitrary File Viewing Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0208.html
Reference: XF:htgrep-cgi-view-files(5476)
Reference: URL:http://xforce.iss.net/static/5476.php

Description:
Htgrep CGI program allows remote attackers to read arbitrary files by specifying the full pathname in the hdr parameter.

Votes:

   ACCEPT(2) Baker, Collins
   MODIFY(1) Frech
   NOOP(4) Wall, Cole, Armstrong, Christey
Voter Comments:
 Frech> XF:htgrep-cgi-view-files(5476)
 Collins> http://www.iam.unibe.ch/~scg/Src/Doc/
 Christey> The change log for htgrep acknowledges the problem, but it
   says that the qry tag is also affected.  CD:SF-LOC says that
   multiple problems of the same type in the same version should
   be combined, so this candidate should get a "soft recast"
   and qry should be added to the description.


CAN-2000-0833

Phase: Modified (20020222-01)
Reference: BUGTRAQ:2000911 WinSMTPD remote exploit/DoS problem
Reference: URL:http://www.securityfocus.com/archive/1/81693
Reference: BID:1680
Reference: URL:http://www.securityfocus.com/bid/1680
Reference: XF:winsmtp-helo-bo(5255)
Reference: URL:http://xforce.iss.net/static/5255.php

Description:
Buffer overflow in WinSMTP 1.06f and 2.X allows remote attackers to cause a denial of service via a long (1) USER or (2) HELO command.

Votes:

   ACCEPT(5) Baker, Frech, Wall, Cole, Collins
   NOOP(2) Magdych, Armstrong
Voter Comments:
 Cole> HAS-INDEPENDENT-CONFIRMATION
 CHANGE> [Wall changed vote from REVIEWING to ACCEPT]


CAN-2000-0835

Phase: Proposed (20001018)
Reference: BUGTRAQ:20000915 Sambar Server search CGI vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0175.html
Reference: BID:1684
Reference: URL:http://www.securityfocus.com/bid/1684

Description:
search.dll Sambar ISAPI Search utility in Sambar Server 4.4 Beta 3 allows remote attackers to read arbitrary directories by specifying the directory in the query paramater.

Votes:

   MODIFY(1) Frech
   NOOP(5) Wall, Cole, Armstrong, Collins, Christey
   REJECT(2) Baker, Magdych
Voter Comments:
 Magdych> Unless the beta product is in very widespread use, or the product is in
   "perpetual beta" (e.g. ICQ), I would prefer not to include beta software.
 Christey> XF:sambar-search-view-folder
 Frech> XF:sambar-search-view-folder(5247)
 Baker> Unless we change our CD:EX-BETA, we should reject this entry.  Perhaps we need to address the issue of Beta software again, but the previous discussion was pretty thorough and I believe the editorial board was unanimous in excluding normal beta software.
 Christey> Fix typo: "paramater"


CAN-2000-0836

Phase: Proposed (20001018)
Reference: BUGTRAQ:20000915 [NEWS] Vulnerability in CamShot server (Authorization)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0176.html
Reference: BID:1685
Reference: URL:http://www.securityfocus.com/bid/1685
Reference: XF:camshot-password-bo
Reference: URL:http://xforce.iss.net/static/5246.php

Description:
Buffer overflow in CamShot WebCam Trial2.6 allows remote attackers to execute arbitrary commands via a long Authorization header.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(3) Magdych, Cole, Armstrong
   REVIEWING(1) Wall

CAN-2000-0840

Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 [NEWS] XMail vulnerable to a remotely exploitable buffer overflow (APOP, USER)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0001.html
Reference: BID:1652
Reference: URL:http://www.securityfocus.com/bid/1652
Reference: XF:xmail-long-user-bo
Reference: URL:http://xforce.iss.net/static/5192.php

Description:
Buffer overflow in XMail POP3 server before version 0.59 allows remote attackers to execute arbitrary commands via a long USER command.

Votes:

   ACCEPT(4) Baker, Cole, Armstrong, Collins
   NOOP(2) Wall, Christey
Voter Comments:
 Cole> INDEPENDENT-CONFIRMATION
 Christey> CONFIRM:http://www.mycio.com/davidel/xmail/xmaildoc.htm
   The entry dated 30-07-2000 for version 0.59 says: "A possible
   buffer overflow error has been fixed."


CAN-2000-0841

Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 [NEWS] XMail vulnerable to a remotely exploitable buffer overflow (APOP, USER)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0001.html
Reference: BID:1652
Reference: URL:http://www.securityfocus.com/bid/1652
Reference: XF:xmail-long-apop-bo
Reference: URL:http://xforce.iss.net/static/5191.php

Description:
Buffer overflow in XMail POP3 server before version 0.59 allows remote attackers to execute arbitrary commands via a long APOP command.

Votes:

   ACCEPT(4) Baker, Cole, Armstrong, Collins
   NOOP(2) Wall, Christey
Voter Comments:
 Cole> INDEPENDENT-CONFIRMATION
 Christey> CONFIRM:http://www.mycio.com/davidel/xmail/xmaildoc.htm
   The entry dated 30-07-2000 for version 0.59 says: "A possible
   buffer overflow error has been fixed."


CAN-2000-0842

Phase: Proposed (20001018)
Reference: BUGTRAQ:20000911 SCO scohelhttp documentation webserver exposes local files
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0086.html
Reference: BID:1663
Reference: URL:http://www.securityfocus.com/bid/1663

Description:
The search97cgi/vtopic" in the UnixWare 7 scohelphttp webserver allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(5) Magdych, Wall, Cole, Armstrong, Christey
Voter Comments:
 Frech> XF:sco-help-view-files(5226)
 Christey> What is the proper "spelling" for the SCO help HTTP server?
   I've seen it as "SCOhelp" and "scohelphttp" and "SCO help HTTP"
 Christey> XF:sco-help-view-files


CAN-2000-0843

Phase: Proposed (20001018)
Reference: BUGTRAQ:20000910 (SRADV00002) Remote root compromise through pam_smb and pam_ntdom
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0073.html
Reference: DEBIAN:20000911 libpam-smb: remote root exploit
Reference: URL:http://www.debian.org/security/2000/20000911
Reference: SUSE:20000913 pam_smb remotely exploitable buffer overflow
Reference: URL:http://www.suse.de/de/support/security/adv8_draht_pam_smb_txt.txt
Reference: MANDRAKE:MDKSA-2000:047
Reference: URL:http://www.linux-mandrake.com/en/security/MDKSA-2000-047.php3
Reference: BUGTRAQ:20000911 Conectiva Linux Security Announcement - pam_smb
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0114.html
Reference: BID:1666
Reference: URL:http://www.securityfocus.com/bid/1666

Description:
Buffer overflow in pam_smb and pam_ntdom pluggable authentication modules (PAM) allow remote attackers to execute arbitrary commands via a login with a long user name.

Votes:

   ACCEPT(4) Baker, Magdych, Armstrong, Collins
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Magdych> ACKNOWLEDGED-BY-VENDOR
 Christey> ADDREF XF:pam-authentication-bo
 Frech> XF:pam-authentication-bo(5225)


CAN-2000-0845

Phase: Proposed (20001018)
Reference: BUGTRAQ:20000918 [ENIGMA] Digital UNIX/Tru64 UNIX remote kdebug Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0204.html

Description:
kdebug daemon (kdebugd) in Digital Unix 4.0F allows remote attackers to read arbitrary files by specifying the full file name in the initialization packet.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(5) Magdych, Wall, Cole, Armstrong, Christey
Voter Comments:
 Frech> XF:du-kdebugd-write-access(5262)
 Christey> This problem also allows attackers to overwrite files.
   ADDREF BID:1693
   ADDREF URL:http://www.securityfocus.com/bid/1693
   ADDREF XF:du-kdebugd-write-access
   ADDREF http://xforce.iss.net/static/5262.php


CAN-2000-0855

Phase: Proposed (20001018)
Reference: BUGTRAQ:20000901 [EXPL] SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0408.html
Reference: BID:1637
Reference: URL:http://www.securityfocus.com/bid/1637

Description:
SunFTP build 9(1) allows remote attackers to cause a denial of service by connecting to the server and disconnecting before sending a newline.

Votes:

   ACCEPT(4) Baker, Cole, Armstrong, Collins
   NOOP(1) Wall
Voter Comments:
 Cole> INDEPENDENT-CONFIRMATION


CAN-2000-0857

Phase: Proposed (20001018)
Reference: BUGTRAQ:20000909 format string bug in muh
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0067.html
Reference: BUGTRAQ:20000909 Re: format string bug in muh
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0068.html
Reference: BID:1665
Reference: URL:http://www.securityfocus.com/bid/1665
Reference: XF:muh-log-dos
Reference: URL:http://xforce.iss.net/static/5215.php

Description:
The logging capability in muh 2.05d IRC server does not properly cleanse user-injected format strings, which allows remote attackers to cause a denial of service or execute arbitrary commands via a malformed nickname.

Votes:

   ACCEPT(4) Baker, Frech, Cole, Collins
   NOOP(4) Magdych, Wall, Armstrong, Christey
Voter Comments:
 Cole> HAS-INDEPENDENT-CONFIRMATION
 Christey> ADDREF FREEBSD:FreeBSD-SA-00:57
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]


CAN-2000-0866

Phase: Proposed (20001018)
Reference: BUGTRAQ:20000907 SEGFAULTING Interbase 6 SS Linux
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0027.html
Reference: BID:1654
Reference: URL:http://www.securityfocus.com/bid/1654
Reference: XF:interbase-query-dos
Reference: URL:http://xforce.iss.net/static/5205.php

Description:
Interbase 6 SuperServer for Linux allows an attacker to cause a denial of service via a query containing 0 bytes.

Votes:

   ACCEPT(2) Baker, Collins
   NOOP(3) Wall, Cole, Armstrong

CAN-2000-0872

Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 PhotoAlbum 0.9.9 explorer.php Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0015.html
Reference: BID:1650
Reference: URL:http://www.securityfocus.com/bid/1650
Reference: XF:phpphoto-dir-traverse
Reference: URL:http://xforce.iss.net/static/5198.php

Description:
explorer.php in PhotoAlbum 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Votes:

   ACCEPT(2) Baker, Collins
   NOOP(3) Wall, Cole, Armstrong

CAN-2000-0879

Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 Multiple Security Holes in LPPlus
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0531.html
Reference: BID:1643
Reference: URL:http://www.securityfocus.com/bid/1643
Reference: XF:lpplus-permissions-dos
Reference: URL:http://xforce.iss.net/static/5199.php

Description:
LPPlus programs dccsched, dcclpdser, dccbkst, dccshut, dcclpdshut, and dccbkstshut are installed setuid root and world executable, which allows arbitrary local users to start and stop various LPD services.

Votes:

   ACCEPT(2) Baker, Collins
   NOOP(3) Wall, Cole, Armstrong

CAN-2000-0880

Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 Multiple Security Holes in LPPlus
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0531.html
Reference: BID:1643
Reference: URL:http://www.securityfocus.com/bid/1643
Reference: XF:lpplus-process-perms-dos
Reference: URL:http://xforce.iss.net/static/5200.php

Description:
LPPlus creates the lpdprocess file with world-writeable permissions, which allows local users to kill arbitrary processes by specifying an alternate process ID and using the setuid dcclpdshut program to kill the process that was specified in the lpdprocess file.

Votes:

   ACCEPT(2) Baker, Collins
   NOOP(3) Wall, Cole, Armstrong

CAN-2000-0881

Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 Multiple Security Holes in LPPlus
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0531.html
Reference: BID:1644
Reference: URL:http://www.securityfocus.com/bid/1644
Reference: XF:lpplus-dccscan-file-read
Reference: URL:http://xforce.iss.net/static/5201.php

Description:
The dccscan setuid program in LPPlus does not properly check if the user has the permissions to print the file that is specified to dccscan, which allows local users to print arbitrary files.

Votes:

   ACCEPT(2) Baker, Collins
   NOOP(3) Wall, Cole, Armstrong

CAN-2000-0882

Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 VIGILANTE-2000010: Intel Express Switch series 500 DoS #2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0533.html
Reference: BID:1647
Reference: URL:http://www.securityfocus.com/bid/1647

Description:
Intel Express 500 series switches allow a remote attacker to cause a denial of service via a malformed ICMP packet, which causes the CPU to crash.

Votes:

   ACCEPT(1) Baker
   NOOP(3) Wall, Cole, Armstrong

CAN-2000-0885

Phase: Modified (20010119-01)
Reference: NAI:20001101 Multiple Network Monitor Overflows
Reference: MS:MS00-083
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-083.asp
Reference: XF:network-monitor-bo(5399)

Description:
Buffer overflows in Microsoft Network Monitor (Netmon) allow remote attackers to execute arbitrary commands via a long Browser Name in a CIFS Browse Frame, a long SNMP community name, or a long username or filename in an SMB session, aka the "Netmon Protocol Parsing" vulnerability. NOTE: It is highly likely that this candidate will be split into multiple candidates.

Votes:

   ACCEPT(4) Baker, Renaud, Mell, Cole
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:network-monitor-bo(5399)


CAN-2000-0889

Phase: Proposed (20010202)
Reference: CERT:CA-2000-19
Reference: URL:http://www.cert.org/advisories/CA-2000-19.html
Reference: SUN:00198
Reference: URL:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/198&type=0&nav=sec.sba

Description:
Two Sun security certificates have been compromised, which could allow attackers to insert malicious code such as applets and make it appear that it is signed by Sun.

Votes:

   ACCEPT(3) Baker, Cole, Dik
   MODIFY(1) Frech
   NOOP(2) Ziese, Wall
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:sun-compromised-certificate(5404)
 Christey> Should revoked cert's be included in CVE?  How about the ones
   for Microsoft from early 2001?


CAN-2000-0893

Phase: Proposed (20010202)
Reference: CERT-VN:VU#28027
Reference: URL:http://www.kb.cert.org/vuls/id/28027

Description:
The presence of the Distributed GL Daemon (dgld) service on port 5232 on SGI IRIX systems allows remote attackers to identify the target host as an SGI system.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
   REVIEWING(1) Ziese
Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:irix-dgld-port-scan(6592)


CAN-2000-0894

Phase: Proposed (20010202)
Reference: ISS:20001214 Multiple vulnerabilities in the WatchGuard SOHO Firewall
Reference: URL:http://xforce.iss.net/alerts/advise70.php

Description:
HTTP server on the WatchGuard SOHO firewall does not properly restrict access to administrative functions such as password resets or rebooting, which allows attackers to cause a denial of service or conduct unauthorized activities.

Votes:

   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
   REVIEWING(1) Ziese
Voter Comments:
 Frech> XF:watchguard-soho-web-auth(5554)
 Christey> Consider adding BID:2119


CAN-2000-0895

Phase: Proposed (20010202)
Reference: ISS:20001214 Multiple vulnerabilities in the WatchGuard SOHO Firewall
Reference: URL:http://xforce.iss.net/alerts/advise70.php
Reference: BID:2114
Reference: URL:http://www.securityfocus.com/bid/2114

Description:
Buffer overflow in HTTP server on the WatchGuard SOHO firewall allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long GET request.

Votes:

   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Ziese
Voter Comments:
 Frech> XF:watchguard-soho-web-dos(5218)


CAN-2000-0898

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001114 Vulnerabilites in SmallHTTP Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97421834001092&w=2

Description:
Small HTTP Server 2.01 does not properly process Server Side Includes (SSI) tags that contain null values, which allows local users, and possibly remote attackers, to cause the server to crash by inserting the SSI into an HTML file.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Balinsky, Wall, Cole, Armstrong
Voter Comments:
 Frech> XF:small-http-ssi-dos(5960)
 Balinsky> Found no data on vendor web site to support this.
   http://home.lanck.net/mf/srv/index.htm


CAN-2000-0899

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001114 Vulnerabilites in SmallHTTP Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97421834001092&w=2
Reference: BID:1942
Reference: URL:http://www.securityfocus.com/bid/1942

Description:
Small HTTP Server 2.01 allows remote attackers to cause a denial of service by connecting to the server and sending out multiple GET, HEAD, or POST requests and closing the connection before the server responds to the requests.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Balinsky, Wall, Cole, Armstrong
Voter Comments:
 Frech> XF:small-http-request-dos(5523)
 Balinsky> Found no data on vendor web site to support this.
   http://home.lanck.net/mf/srv/index.htm


CAN-2000-0902

Phase: Proposed (20001129)
Reference: BUGTRAQ:20000907 Re: PhotoAlbum 0.9.9 explorer.php Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/80858
Reference: XF:phpphotoalbum-getalbum-directory-traversal
Reference: URL:http://xforce.iss.net/static/5209.php

Description:
getalbum.php in PhotoAlbum before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Votes:

   ACCEPT(2) Mell, Collins
   NOOP(2) Wall, Cole

CAN-2000-0903

Phase: Proposed (20001129)
Reference: BUGTRAQ:20000901 Multiple QNX Voyager Issues
Reference: URL:http://www.securityfocus.com/archive/1/79956
Reference: BID:1648
Reference: URL:http://www.securityfocus.com/bid/1648

Description:
Directory traversal vulnerability in Voyager web server 2.01B in the demo disks for QNX 405 allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Votes:

   ACCEPT(1) Mell
   NOOP(3) Wall, Cole, Collins
   REVIEWING(1) Baker
Voter Comments:
 Collins> Assigning CVE numbers for demo software is not appropriate
 Baker> Was this a beta version in the demo disk?  I don't think it was.  While we do have an exclusion for beta software,
   software that is distributed as production software, just limited in scope, does not mean beta..
   The current version is 4, but it is still offered for free download from their website for use.


CAN-2000-0904

Phase: Proposed (20001129)
Reference: BUGTRAQ:20000901 Multiple QNX Voyager Issues
Reference: URL:http://www.securityfocus.com/archive/1/79956
Reference: BID:1648
Reference: URL:http://www.securityfocus.com/bid/1648

Description:
Voyager web server 2.01B in the demo disks for QNX 405 stores sensitive web client information in the .photon directory in the web document root, which allows remote attackers to obtain that information.

Votes:

   ACCEPT(1) Mell
   NOOP(3) Wall, Cole, Collins
Voter Comments:
 Collins> assigning CVE numbers for demo software is not appropriate


CAN-2000-0905

Phase: Proposed (20001129)
Reference: BUGTRAQ:20000901 Multiple QNX Voyager Issues
Reference: URL:http://www.securityfocus.com/archive/1/79956
Reference: BID:1648
Reference: URL:http://www.securityfocus.com/bid/1648

Description:
QNX Embedded Resource Manager in Voyager web server 2.01B in the demo disks for QNX 405 allows remote attackers to read sensitive system statistics information via the embedded.html web page.

Votes:

   ACCEPT(1) Mell
   NOOP(2) Wall, Cole

CAN-2000-0906

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001002 Moreover Cached_Feed CGI Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0013.html
Reference: XF:moreover-cgi-dir-traverse
Reference: URL:http://xforce.iss.net/static/5334.php
Reference: BID:1762
Reference: URL:http://www.securityfocus.com/bid/1762

Description:
Directory traversal vulnerability in Moreover.com cached_feed.cgi script version 4.July.00 allows remote attackers to read arbitrary files via a .. (dot dot) attack on the category or format parameters.

Votes:

   ACCEPT(3) Frech, Mell, Collins
   NOOP(2) Wall, Cole

CAN-2000-0907

Phase: Proposed (20001129)
Reference: WIN2KSEC:20000925 DST2K0030: DoS in EServ 2.92 Build 2982
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0131.html

Description:
EServ 2.92 Build 2982 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via long HELO and MAIL FROM commands.

Votes:

   ACCEPT(3) Baker, Mell, Collins
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:eserv-remote-dos(5643)


CAN-2000-0916

Phase: Proposed (20001129)
Reference: FREEBSD:FreeBSD-SA-00:52
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:52.tcp-iss.asc
Reference: BID:1766
Reference: URL:http://www.securityfocus.com/bid/1766

Description:
FreeBSD 4.1.1 and earlier, and possibly other BSD-based OSes, uses an insufficient random number generator to generate initial TCP sequence numbers (ISN), which allows remote attackers to spoof TCP connections.

Votes:

   ACCEPT(2) Mell, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:tcp-seq-predict(139)
 Christey> Abstraction issue: CVE-1999-0077 is for TCP sequence
   prediction as a general problem; but here we have a specific
   implementation flaw.


CAN-2000-0918

Phase: Proposed (20001129)
Reference: BID:1700
Reference: URL:http://www.securityfocus.com/bid/1700
Reference: BUGTRAQ:20000919 kvt format bug
Reference: URL:http://www.securityfocus.com/archive/1/83914

Description:
Format string vulnerability in kvt in KDE 1.1.2 may allow local users to execute arbitrary commands via a DISPLAY environmental variable that contains formatting characters.

Votes:

   ACCEPT(2) Baker, Mell
   NOOP(2) Wall, Cole
   REVIEWING(1) Christey
Voter Comments:
 Christey> May be a duplicate of CVE-2000-0373, but the ref's in that CVE
   are vague.  I suspect this *isn't* a duplicate because this is
   a format string problem.
 Baker> I think it is sufficiently different from 2000-0373.


CAN-2000-0931

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001004 Another Pegasus Mail vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/137518
Reference: BID:1750
Reference: URL:http://www.securityfocus.com/bid/1750

Description:
Buffer overflow in Pegasus Mail 3.11 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long email message containing binary data.

Votes:

   ACCEPT(1) Mell
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:pegasus-mail-bo(5644)


CAN-2000-0939

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001030 Samba 2.0.7 SWAT vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0430.html
Reference: XF:samba-swat-url-filename-dos
Reference: URL:http://xforce.iss.net/static/5444.php

Description:
Samba Web Administration Tool (SWAT) in Samba 2.0.7 allows remote attackers to cause a denial of service by repeatedly submitting a nonstandard URL in the GET HTTP request and forcing it to restart.

Votes:

   ACCEPT(2) Frech, Mell
   NOOP(1) Cole
   REJECT(1) Renaud
Voter Comments:
 Renaud> SWAT makes this DoS easier to perform, but actually, it is an inetd
   problem, not a swat problem.


CAN-2000-0940

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001029 Minor bug in Pagelog.cgi
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0422.html
Reference: BID:1864
Reference: URL:http://www.securityfocus.com/bid/1864
Reference: XF:pagelog-cgi-dir-traverse
Reference: URL:http://xforce.iss.net/static/5451.php

Description:
Directory traversal vulnerability in Metertek pagelog.cgi allows remote attackers to read arbitrary files via a .. (dot dot) attack on the "name" or "display" parameter.

Votes:

   ACCEPT(2) Frech, Mell
   NOOP(1) Cole

CAN-2000-0950

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001026 FWTK x-gw Security Advisory [GSA2000-01]
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0376.html
Reference: XF:tisfwtk-xgw-execute-code
Reference: URL:http://xforce.iss.net/static/5420.php

Description:
Format string vulnerability in x-gw in TIS Firewall Toolkit (FWTK) allows local users to execute arbitrary commands via a malformed display name.

Votes:

   ACCEPT(4) Baker, Frech, Mell, Cole
   NOOP(1) Renaud
   REVIEWING(1) Christey
Voter Comments:
 Christey> I thought I saw some mailing list that questioned whether this
   problem was only a DoS...


CAN-2000-0954

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001009 Shambala 4.5 vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0134.html
Reference: BID:1771
Reference: URL:http://www.securityfocus.com/bid/1771
Reference: XF:shambala-password-plaintext
Reference: URL:http://xforce.iss.net/static/5346.php

Description:
Shambala Server 4.5 stores passwords in plaintext, which could allow local users to obtain the passwords and compromise the server.

Votes:

   ACCEPT(3) Baker, Frech, Mell
   NOOP(1) Cole

CAN-2000-0955

Phase: Proposed (20001129)
Reference: ATSTAKE:A102600-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a102600-1.txt
Reference: BID:1885
Reference: URL:http://www.securityfocus.com/bid/1885
Reference: XF:cisco-vco-snmp-passwords
Reference: URL:http://xforce.iss.net/static/5425.php

Description:
Cisco Virtual Central Office 4000 (VCO/4K) uses weak encryption to store usernames and passwords in the SNMP MIB, which allows an attacker who knows the community name to crack the password and gain privileges.

Votes:

   ACCEPT(4) Frech, Ziese, Mell, Cole
   NOOP(2) Christey, Balinsky
Voter Comments:
 Christey> CISCO:20001026 VCO/4K Remote Password Disclosure
   http://www.cisco.com/warp/public/707/vco4kpasswdexposure-pub.shtml
 CHANGE> [Balinsky changed vote from REVIEWING to NOOP]


CAN-2000-0963

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001009 ncurses buffer overflows
Reference: URL:http://www.securityfocus.com/archive/1/138550
Reference: CALDERA:CSSA-2000-036.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-036.0.txt
Reference: BID:1142
Reference: URL:http://www.securityfocus.com/bid/1142

Description:
Buffer overflow in ncurses library allows local users to execute arbitrary commands via long environmental information such as TERM or TERMINFO_DIRS.

Votes:

   ACCEPT(2) Mell, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Christey> Various vendor writeups indicate that there are multiple
   overflows, so maybe this needs to be SPLIT.
   
   ADDREF FREEBSD:FreeBSD-SA-00:68
   ADDREF DEBIAN:20001121 ncurses: local privilege escalation
   http://www.debian.org/security/2000/20001121
   ADDREF REDHAT:RHSA-2000:115
   http://www.redhat.com/support/errata/RHSA-2000-115.html
   BUGTRAQ:20001201 Immunix OS Security update for ncurses
   http://marc.theaimsgroup.com/?l=bugtraq&m=97570745306444&w=2
 Frech> XF:libmytinfo-bo(4422)
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> This is all a library issue in which TERM/TERMINFO_DIRS are
   one possible attack vector, but another is through entries
   in the .terminfo file.  Add .terminfo and termcap to the
   description, as well as libncurses.
   
   ADDREF MANDRAKE:MDKSA-2001:052
   URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-052.php3
   
   Now need to examine whether this is a dupe of CAN-2002-0062,
   and/or BID:2116.  There's certainly enough confusion to go
   around.
 CHANGE> [Christey changed vote from REVIEWING to NOOP]
 Christey> This is not a dupe of CAN-2002-0062.  As explained in
   DEBIAN:DSA-113, the original patches for CAN-2000-0963
   didn't catch every problem.
   
   ADDREF SUSE:SuSE-SA:2000:043
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97267560724404&w=2
 CHANGE> [Christey changed vote from NOOP to REVIEWING]


CAN-2000-0971

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001023 Avirt Mail 4.x DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0301.html
Reference: XF:avirt-mail-from-dos
Reference: URL:http://xforce.iss.net/static/5397.php
Reference: XF:avirt-rcpt-to-dos
Reference: URL:http://xforce.iss.net/static/5398.php

Description:
Avirt Mail 4.0 and 4.2 allows remote attackers to cause a denial of service and possible execute arbitrary commands via a long "RCPT TO" or "MAIL FROM" command.

Votes:

   ACCEPT(3) Frech, Mell, Cole
   NOOP(2) Christey, Armstrong
Voter Comments:
 Christey> Fix typo: "possible" should be "possibly"
 Christey> fix typo: "and possible"


CAN-2000-0985

Phase: Proposed (20001129)
Reference: ATSTAKE:A101200-2
Reference: URL:http://www.atstake.com/research/advisories/2000/a101200-2.txt
Reference: BID:1789
Reference: URL:http://www.securityfocus.com/bid/1789

Description:
Buffer overflow in All-Mail 1.1 allows remote attackers to execute arbitrary commands via a long "MAIL FROM" or "RCPT TO" command.

Votes:

   ACCEPT(2) Baker, Mell
   MODIFY(1) Frech
   NOOP(1) Cole
Voter Comments:
 Frech> XF:all-mail-smtp-bo(5360)


CAN-2000-0986

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001020 [ Hackerslab bug_paper ] Linux ORACLE 8.1.5 vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0294.html
Reference: XF:oracle-home-bo
Reference: URL:http://xforce.iss.net/static/5390.php

Description:
Buffer overflow in Oracle 8.1.5 applications such as names, namesctl, onrsd, osslogin, tnslsnr, tnsping, trcasst, and trcroute possibly allow local users to gain privileges via a long ORACLE_HOME environmental variable.

Votes:

   ACCEPT(3) Baker, Frech, Mell
   NOOP(2) Cole, Armstrong

CAN-2000-0987

Phase: Proposed (20001129)
Reference: XF:oracle-oidldap-bo
Reference: URL:http://xforce.iss.net/static/5401.php
Reference: BUGTRAQ:20001018 vulnerability in Oracle Internet Directory in Oracle 8.1.6
Reference: URL:http://www.securityfocus.com/archive/1/140340
Reference: BUGTRAQ:20001020 In response to posting 10/18/2000 vulnerability in Oracle Internet Directory in Oracle 8.1.6
Reference: URL:http://www.securityfocus.com/archive/1/140709

Description:
Buffer overflow in oidldapd in Oracle 8.1.6 allow local users to gain privileges via a long "connect" command line parameter.

Votes:

   ACCEPT(3) Frech, Mell, Cole
   NOOP(2) Christey, Armstrong
Voter Comments:
 Christey> http://archives.neohapsis.com/archives/bugtraq/2000-12/0400.html
   appears to be a rediscovery of this problem.
 Christey> It looks like Juan Manuel Pascual Escriba saw this issue
   in a later version and re-posted, but that later post doesn't
   mention the earlier one.  The exploit is almost exactly the
   same, but the affected version is 8.1.7.
   ADDREF BUGTRAQ:20001221 vulnerability #1 in Oracle Internet Directory 2.1.1.1 in Oracle 8.1.7
   http://archives.neohapsis.com/archives/bugtraq/2000-12/0400.html
   ADDREF BUGTRAQ:20010118 Patch for Potential Buffer Overflow Vulnerabilities in Oracle Internet Directory
   http://archives.neohapsis.com/archives/bugtraq/2001-01/0325.html


CAN-2000-0988

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001013 WinU Backdoor passwords!!!!
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0238.html
Reference: CONFIRM:http://www.bardon.com/pwdcrack.htm
Reference: BID:1801
Reference: URL:http://www.securityfocus.com/bid/1801
Reference: XF:winu-backdoor
Reference: URL:http://xforce.iss.net/static/5376.php

Description:
WinU 1.0 through 5.1 has a backdoor password that allows remote attackers to gain access to its administrative interface and modify configuration.

Votes:

   ACCEPT(4) Frech, Mell, Cole, Armstrong

CAN-2000-0997

Phase: Proposed (20001129)
Reference: OPENBSD:20001006 There are printf-style format string bugs in several privileged programs.
Reference: MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch
Reference: BID:1752
Reference: URL:http://www.securityfocus.com/bid/1752
Reference: XF:bsd-eeprom-format
Reference: URL:http://xforce.iss.net/static/5337.php

Description:
Format string vulnerabilities in eeprom program in OpenBSD, NetBSD, and possibly other operating systems allows local attackers to gain root privileges.

Votes:

   ACCEPT(3) Frech, Mell, Cole
   NOOP(1) Wall

CAN-2000-0998

Phase: Proposed (20001129)
Reference: OPENBSD:20001006 There are printf-style format string bugs in several privileged programs.
Reference: MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch
Reference: FREEBSD:FreeBSD-SA-00:62
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:62.top.v1.1.asc
Reference: BID:1895
Reference: URL:http://www.securityfocus.com/bid/1895

Description:
Format string vulnerability in top program allows local attackers to gain root privileges via the "kill" or "renice" function.

Votes:

   ACCEPT(3) Mell, Cole, Collins
   MODIFY(1) Frech
   NOOP(2) Christey, Wall
Voter Comments:
 Frech> XF:top-format-string(5486)
 Christey> BUGTRAQ:20011114 SCO skunkware top format strings issue
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100576637928933&w=2


CAN-2000-0999

Phase: Proposed (20001129)
Reference: OPENBSD:20001006 There are printf-style format string bugs in several privileged programs.
Reference: MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch

Description:
Format string vulnerabilities in OpenBSD ssh program (and possibly other BSD-based operating systems) allow attackers to gain root privileges.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Mell
Voter Comments:
 Frech> XF:bsd-ssh-format(5637)


CAN-2000-1008

Phase: Modified (20010116-01)
Reference: ATSTAKE:A092600-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a092600-1.txt
Reference: BID:1715
Reference: URL:http://www.securityfocus.com/bid/1715

Description:
PalmOS 3.5.2 and earlier uses weak encryption to store the user password, which allows attackers with physical access to the Palm device to decrypt the password and gain access to the device.

Votes:

   ACCEPT(2) Mell, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:palm-weak-encryption(5308)


CAN-2000-1009

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001030 Redhat 6.2 dump command executes external program with suid priviledge.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0438.html
Reference: BID:1871
Reference: URL:http://www.securityfocus.com/bid/1871
Reference: XF:linux-dump-execute-code
Reference: URL:http://xforce.iss.net/static/5437.php

Description:
dump in Red Hat Linux 6.2 trusts the pathname specified by the RSH environmental variable, which allows local users to obtain root privileges by modifying the RSH variable to point to a Trojan horse program.

Votes:

   ACCEPT(5) Baker, Frech, Renaud, Mell, Cole
   NOOP(1) Christey
Voter Comments:
 Christey> http://www.redhat.com/support/errata/RHSA-2000-100.html
   ADDREF BUGTRAQ:20001103 Trustix Security Advisory - dump
   http://archives.neohapsis.com/archives/bugtraq/2000-11/0026.html


CAN-2000-1012

Phase: Proposed (20001129)
Reference: FREEBSD:FreeBSD-SA-00:53
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:53.catopen.asc

Description:
The catopen function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to read arbitrary files via the LANG environmental variable.

Votes:

   ACCEPT(3) Mell, Cole, Collins
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:freebsd-display-read-files(5645)


CAN-2000-1013

Phase: Proposed (20001129)
Reference: FREEBSD:FreeBSD-SA-00:53
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:53.catopen.asc

Description:
The setlocale function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to read arbitrary files via the LANG environmental variable.

Votes:

   ACCEPT(2) Mell, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:freebsd-display-read-files(5645)


CAN-2000-1015

Phase: Proposed (20001129)
Reference: BUGTRAQ:20000929 Default admin password with Slashcode.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0366.html
Reference: BID:1731
Reference: URL:http://www.securityfocus.com/bid/1731
Reference: XF:slashcode-default-admin-passwords
Reference: URL:http://xforce.iss.net/static/5306.php

Description:
The default configuration of Slashcode before version 2.0 Alpha has a default administrative password, which allows remote attackers to gain Slashcode priviliges and possibly execute arbitrary commands.

Votes:

   ACCEPT(4) Frech, Mell, Cole, Collins
   NOOP(1) Wall

CAN-2000-1017

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001002 DST2K0039: Webteachers Webdata: Importing files lower than web ro ot possible in to database
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0007.html
Reference: BUGTRAQ:20001003 Update to DST2K0039: Webteachers Webdata: Importing files lower t han web root possible in to database
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0032.html
Reference: BID:1732
Reference: URL:http://www.securityfocus.com/bid/1732

Description:
Webteachers Webdata allows remote attackers with valid Webdata accounts to read arbitrary files by posting a request to import the file into the WebData database.

Votes:

   ACCEPT(2) Frech, Mell
   NOOP(2) Wall, Cole

CAN-2000-1020

Phase: Proposed (20001129)
Reference: BUGTRAQ:20000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96925269716274&w=2
Reference: BID:1689
Reference: URL:http://www.securityfocus.com/bid/1689
Reference: XF:mdaemon-url-dos
Reference: URL:http://xforce.iss.net/static/5250.php

Description:
Heap overflow in Worldclient in Mdaemon 3.1.1 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long URL.

Votes:

   ACCEPT(4) Baker, Mell, Cole, Collins
   NOOP(1) Wall

CAN-2000-1021

Phase: Proposed (20001129)
Reference: BUGTRAQ:20000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96925269716274&w=2
Reference: BID:1689
Reference: URL:http://www.securityfocus.com/bid/1689
Reference: XF:mdaemon-url-dos
Reference: URL:http://xforce.iss.net/static/5250.php

Description:
Heap overflow in WebConfig in Mdaemon 3.1.1 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long URL.

Votes:

   ACCEPT(4) Baker, Mell, Cole, Collins
   NOOP(1) Wall

CAN-2000-1023

Phase: Proposed (20001129)
Reference: BUGTRAQ:20000924 Major Vulnerability in Alabanza Control Panel
Reference: URL:http://www.securityfocus.com/archive/1/84766
Reference: BID:1710
Reference: URL:http://www.securityfocus.com/bid/1710
Reference: XF:alabanza-unauthorized-access
Reference: URL:http://xforce.iss.net/static/5284.php

Description:
The Alabanza Control Panel does not require passwords to access administrative commands, which allows remote attackers to modify domain name information via the nsManager.cgi CGI program.

Votes:

   ACCEPT(2) Mell, Collins
   NOOP(2) Wall, Cole
   REVIEWING(1) Baker
Voter Comments:
 Baker> I agree with Steve that this appears to be an on-line applet, accessible from their server only.


CAN-2000-1025

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001030 Unify eWave ServletExec DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97295224226042&w=2
Reference: BID:1868
Reference: URL:http://www.securityfocus.com/bid/1868
Reference: XF:ewave-servletexec-dos
Reference: URL:http://xforce.iss.net/static/5435.php

Description:
eWave ServletExec JSP/Java servlet engine, versions 3.0C and earlier, allows remote attackers to cause a denial of service via a URL that contains the "/servlet/" string, which invokes the ServletExec servlet and causes an exception if the servlet is already running.

Votes:

   ACCEPT(2) Frech, Mell
   NOOP(1) Cole

CAN-2000-1028

Phase: Modified (20010119-01)
Reference: BUGTRAQ:20001102 HPUX cu -l option buffer overflow vulnerabilit
Reference: URL:http://www.securityfocus.com/archive/1/142792
Reference: BID:1886
Reference: URL:http://www.securityfocus.com/bid/1886
Reference: XF:hp-cu-bo(5460)

Description:
Buffer overflow in cu program in HP-UX 11.0 may allow local users to gain privileges via a long -l command line argument.

Votes:

   ACCEPT(1) Mell
   MODIFY(1) Frech
   NOOP(2) Renaud, Cole
Voter Comments:
 Frech> XF:hp-cu-bo(5460)


CAN-2000-1029

Phase: Modified (20010119-01)
Reference: BUGTRAQ:20001027 old version of host command vulnearbility
Reference: URL:http://www.securityfocus.com/archive/1/141660
Reference: BID:1887
Reference: URL:http://www.securityfocus.com/bid/1887
Reference: XF:isc-bind-axfr-bo(5462)

Description:
Buffer overflow in host command allows a remote attacker to execute arbitrary commands via a long response to an AXFR query.

Votes:

   ACCEPT(1) Mell
   MODIFY(1) Frech
   NOOP(2) Renaud, Cole
Voter Comments:
 Frech> XF:isc-bind-axfr-bo(5462)


CAN-2000-1030

Phase: Modified (20010119-01)
Reference: BUGTRAQ:20001031 Re: Samba 2.0.7 SWAT vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/142672
Reference: BID:1888
Reference: URL:http://www.securityfocus.com/bid/1888
Reference: XF:corporatetime-brute-force(5529)

Description:
CS&T CorporateTime for the Web returns different error messages for invalid usernames and invalid passwords, which allows remote attackers to determine valid usernames on the server.

Votes:

   ACCEPT(1) Mell
   MODIFY(1) Frech
   NOOP(1) Cole
Voter Comments:
 Frech> XF:corporatetime-brute-force(5529)


CAN-2000-1033

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001029 Brute Forcing FTP Servers with enabled anti-hammering (anti brute-force) modus
Reference: URL:http://www.securityfocus.com/archive/1/141905
Reference: BID:1860
Reference: URL:http://www.securityfocus.com/bid/1860
Reference: XF:ftp-servu-brute-force
Reference: URL:http://xforce.iss.net/static/5436.php

Description:
Serv-U FTP Server allows remote attackers to bypass its anti-hammering feature by first logging on as a valid user (possibly anonymous) and then attempting to guess the passwords of other users.

Votes:

   ACCEPT(2) Frech, Mell
   NOOP(1) Cole

CAN-2000-1035

Phase: Proposed (20001129)
Reference: BUGTRAQ:20000912 TYPSoft FTP Server remote DoS Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96879389027478&w=2
Reference: MISC:http://www.synnergy.net/Archives/Advisories/dethy/typsoft-ftpd.txt
Reference: BID:1690
Reference: URL:http://www.securityfocus.com/bid/1690

Description:
Buffer overflows in TYPSoft FTP Server 0.78 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long USER, PASS, or CWD command.

Votes:

   ACCEPT(1) Mell
   MODIFY(1) Baker
   NOOP(2) Wall, Cole
Voter Comments:
 CHANGE> [Baker changed vote from NOOP to MODIFY]
 Baker> http://www.synnergy.net/downloads/advisories/SLA-2000-07.typsoft-ftpd.txt


CAN-2000-1037

Phase: Proposed (20001129)
Reference: BUGTRAQ:20000815 Firewall-1 session agent 3.0 -> 4.1, dictionnary and brute force attack
Reference: URL:http://www.securityfocus.com/archive/1/76389
Reference: BID:1662
Reference: URL:http://www.securityfocus.com/bid/1662

Description:
Check Point Firewall-1 session agent 3.0 through 4.1 generates different error messages for invalid user names versus invalid passwords, which allows remote attackers to determine valid usernames and guess a password via a brute force attack.

Votes:

   ACCEPT(2) Baker, Mell
   NOOP(2) Wall, Cole

CAN-2000-1039

Phase: Proposed (20001219)
Reference: BINDVIEW:20001130 The NAPTHA DoS vulnerabilities
Reference: URL:http://razor.bindview.com/publish/advisories/adv_NAPTHA.html
Reference: WIN2KSEC:20001204 NAPTHA Advisory Updated - BindView RAZOR
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0105.html
Reference: CERT:CA-2000-21
Reference: URL:http://www.cert.org/advisories/CA-2000-21.html
Reference: MS:MS00-091
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-091.asp
Reference: BID:2022
Reference: URL:http://www.securityfocus.com/bid/2022

Description:
Various TCP/IP stacks and network applications allow remote attackers to cause a denial of service by flooding a target host with TCP connection attempts and completing the TCP/IP handshake without maintaining the connection state on the attacker host, aka the "NAPTHA" class of vulnerabilities. NOTE: this candidate may change significantly as the security community discusses the technical nature of NAPTHA and learns more about the affected applications. This candidate is at a higher level of abstraction than is typical for CVE.

Votes:

   ACCEPT(3) Baker, Renaud, Cole
   MODIFY(1) Frech
   NOOP(2) Magdych, Wall
   REVIEWING(1) Christey
Voter Comments:
 Baker> Although this is at a high level, the fact is that it is a vulnerability, and as such we need to recognize this, even if we have to recast or modify the description at some later time.
 Christey> This needs to be commented on and reviewed by many Board
   members.
 Frech> XF:naptha-resource-starvation(5810)
 Christey> ADDREF SGI:20020304-01-A
 Christey> SGI:20020304-01-A


CAN-2000-1046

Phase: Proposed (20001129)
Reference: BUGTRAQ:20000911 Advisory Code: VIGILANTE-2000011 Lotus Domino ESMTP Service Buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0093.html

Description:
Buffer overflows in ESMTP service of Lotus Domino 5.0.2c and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long "RCPT TO," "SAML FROM," or "SOML FROM" command.

Votes:

   ACCEPT(1) Mell
   MODIFY(1) Collins
   NOOP(2) Wall, Cole
   REVIEWING(1) Baker
Voter Comments:
 Collins> http://www.synnergy.net/downloads/advisories/SLA-2000-07.typsoft-ftpd.txt
 Baker> Reference by Collins was entered into the wrong CAN Entry...
   It should have been for 2000-1035, not this CAN


CAN-2000-1048

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001016 Wingate 4.1 Beta A vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0245.html
Reference: XF:wingate-view-files
Reference: URL:http://xforce.iss.net/static/5373.php

Description:
Directory traversal vulnerability in the logfile service of Wingate 4.1 Beta A and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack via an HTTP GET request that uses encoded characters in the URL.

Votes:

   ACCEPT(3) Baker, Frech, Mell
   NOOP(2) Cole, Armstrong

CAN-2000-1052

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001023 Allaire JRUN 2.3 Arbitrary File Retrieval
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97236692714978&w=2

Description:
Allaire JRun 2.3 server allows remote attackers to obtain source code for executable content by directly calling the SSIFilter servlet.

Votes:

   ACCEPT(3) Mell, Cole, Armstrong
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:allaire-jrun-ssifilter-url(5405)


CAN-2000-1053

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001023 Allaire JRUN 2.3 Remote command execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97236125107957&w=2
Reference: ALLAIRE:ASB00-029
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=17969&Method=Full
Reference: XF:allaire-jrun-jsp-execute
Reference: URL:http://xforce.iss.net/static/5406.php

Description:
Allaire JRun 2.3.3 server allows remote attackers to compile and execute JSP code by inserting it via a cross-site scripting (CSS) attack and directly calling the com.livesoftware.jrun.plugins.JSP JSP servlet.

Votes:

   ACCEPT(4) Frech, Mell, Cole, Armstrong

CAN-2000-1062

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001010 VIGILANTE-2000014: HP Jetdirect multiple DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97119729613778&w=2
Reference: BID:1775
Reference: URL:http://www.securityfocus.com/bid/1775
Reference: XF:hp-jetdirect-firmware-dos
Reference: URL:http://xforce.iss.net/static/5353.php

Description:
Buffer overflow in the FTP service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service.

Votes:

   ACCEPT(3) Baker, Frech, Mell
   NOOP(1) Cole

CAN-2000-1063

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001010 VIGILANTE-2000014: HP Jetdirect multiple DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97119729613778&w=2
Reference: BID:1775
Reference: URL:http://www.securityfocus.com/bid/1775
Reference: XF:hp-jetdirect-firmware-dos
Reference: URL:http://xforce.iss.net/static/5353.php

Description:
Buffer overflow in the Telnet service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service.

Votes:

   ACCEPT(3) Frech, Mell, Cole

CAN-2000-1064

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001010 VIGILANTE-2000014: HP Jetdirect multiple DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97119729613778&w=2
Reference: BID:1775
Reference: URL:http://www.securityfocus.com/bid/1775
Reference: XF:hp-jetdirect-firmware-dos
Reference: URL:http://xforce.iss.net/static/5353.php

Description:
Buffer overflow in the LPD service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service.

Votes:

   ACCEPT(3) Frech, Mell, Cole

CAN-2000-1065

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001010 VIGILANTE-2000014: HP Jetdirect multiple DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97119729613778&w=2
Reference: BID:1775
Reference: URL:http://www.securityfocus.com/bid/1775
Reference: XF:hp-jetdirect-ip-implementation
Reference: URL:http://xforce.iss.net/static/5354.php

Description:
Vulnerability in IP implementation of HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service (printer crash) via a malformed packet.

Votes:

   ACCEPT(3) Baker, Frech, Mell
   NOOP(1) Cole

CAN-2000-1066

Phase: Modified (20010119-01)
Reference: FREEBSD:FreeBSD-SA-00:63
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:63.getnameinfo.asc
Reference: BID:1894
Reference: URL:http://www.securityfocus.com/bid/1894
Reference: XF:getnameinfo-dos(5454)

Description:
The getnameinfo function in FreeBSD 4.1.1 and earlier, and possibly other operating systems, allows a remote attacker to cause a denial of service via a long DNS hostname.

Votes:

   ACCEPT(2) Mell, Cole
   MODIFY(1) Frech
   NOOP(1) Renaud
Voter Comments:
 Frech> XF:getnameinfo-dos(5454)


CAN-2000-1076

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001026 [CORE SDI ADVISORY] iPlanet Certificate Management System 4.2 path traversal bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0383.html
Reference: XF:iplanet-netscape-plaintext-password
Reference: URL:http://xforce.iss.net/static/5422.php

Description:
Netscape (iPlanet) Certificate Management System 4.2 and Directory Server 4.12 stores the administrative password in plaintext, which could allow local and possibly remote attackers to gain administrative privileges on the server.

Votes:

   ACCEPT(3) Baker, Frech, Mell
   NOOP(2) Cole, Christey
Voter Comments:
 Christey> Partial vendor acknowledgement at:
   http://docs.iplanet.com/docs/manuals/cms/42/relnotes/release_notes.html
   "By default, Administration Server administrator's password
   (also known as the SIE password) is stored in clear text in the
   adm.conf file.
   This does not usually pose a security threat because most
   administrators use their Operating System's security features to
   ensure that the file is protected from other users."


CAN-2000-1078

Phase: Proposed (20001129)
Reference: BUGTRAQ:20001007 ICQ WebFront HTTPd DoS
Reference: URL:http://www.securityfocus.com/archive/1/138332
Reference: XF:icq-webfront-url-dos
Reference: URL:http://xforce.iss.net/static/5332.php

Description:
ICQ Web Front HTTPd allows remote attackers to cause a denial of service by requesting a URL that contains a "?" character.

Votes:

   ACCEPT(3) Baker, Frech, Mell
   NOOP(2) Cole, Christey
Voter Comments:
 Christey> The following post appears to describe the same problem, 7
   months earlier:
   BUGTRAQ:20000310 ICQ remote DoS


CAN-2000-1079

Phase: Proposed (20001129)
Reference: NAI:20000829 Windows NetBIOS Unsolicited Cache Corruption
Reference: URL:http://www.nai.com/research/covert/advisories/045.asp
Reference: NTBUGTRAQ:20000829 Re: [COVERT-2000-10] Windows NetBIOS Unsolicited Cache Corruption
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0116.html
Reference: BID:1620
Reference: URL:http://www.securityfocus.com/bid/1620
Reference: XF:win-netbios-corrupt-cache
Reference: URL:http://xforce.iss.net/static/5168.php

Description:
Interactions between the CIFS Browser Protocol and NetBIOS as implemented in Microsoft Windows 95, 98, NT, and 2000 allow remote attackers to modify dynamic NetBIOS name cache entries via a spoofed Browse Frame Request in a unicast or UDP broadcast datagram.

Votes:

   ACCEPT(3) Baker, Wall, Mell
   NOOP(1) Cole
   REVIEWING(1) Christey
Voter Comments:
 Wall> No known exploit or patch yet.
 Christey> This was a little controversial, if I recall correctly.


CAN-2000-1081

Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 Microsoft SQL Server extended stored procedure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2030
Reference: URL:http://www.securityfocus.com/bid/2030

Description:
The xp_displayparamstmt function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.

Votes:

   ACCEPT(3) Baker, Magdych, Cole
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Wall
Voter Comments:
 Baker> ALready posted in refs
 Christey> ADDREF XF:mssql-xp-paraminfo-bo
   URL:http://xforce.iss.net/static/5622.php
 Frech> XF:mssql-xp-paraminfo-bo(5622)


CAN-2000-1082

Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 Microsoft SQL Server extended stored procedure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2031
Reference: URL:http://www.securityfocus.com/bid/2031

Description:
The xp_enumresultset function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.

Votes:

   ACCEPT(3) Baker, Magdych, Cole
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Wall
Voter Comments:
 Christey> ADDREF XF:mssql-xp-paraminfo-bo
   URL:http://xforce.iss.net/static/5622.php
 Frech> XF:mssql-xp-paraminfo-bo(5622)


CAN-2000-1083

Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 Microsoft SQL Server extended stored procedure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2038
Reference: URL:http://www.securityfocus.com/bid/2038

Description:
The xp_showcolv function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.

Votes:

   ACCEPT(3) Baker, Magdych, Cole
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Wall
Voter Comments:
 Christey> ADDREF XF:mssql-xp-paraminfo-bo
   URL:http://xforce.iss.net/static/5622.php
 Frech> XF:mssql-xp-paraminfo-bo(5622)


CAN-2000-1084

Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 Microsoft SQL Server extended stored procedure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2039
Reference: URL:http://www.securityfocus.com/bid/2039

Description:
The xp_updatecolvbm function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.

Votes:

   ACCEPT(3) Baker, Magdych, Cole
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Wall
Voter Comments:
 Christey> ADDREF XF:mssql-xp-paraminfo-bo
   URL:http://xforce.iss.net/static/5622.php
 Frech> XF:mssql-xp-paraminfo-bo(5622)


CAN-2000-1085

Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 SQL Server 2000 Extended Stored Procedure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2040
Reference: URL:http://www.securityfocus.com/bid/2040

Description:
The xp_peekqueue function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.

Votes:

   ACCEPT(4) Baker, Magdych, Wall, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Christey> CAN-2000-1085, CAN-2000-1086, CAN-2000-1087, and CAN-2000-1088
   all have abstraction issues; perhaps they should be RECAST
   into a single candidate.
 Christey> ADDREF XF:mssql-xp-paraminfo-bo
   URL:http://xforce.iss.net/static/5622.php
 Frech> XF:mssql-xp-paraminfo-bo(5622)


CAN-2000-1086

Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 SQL Server 2000 Extended Stored Procedure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2041
Reference: URL:http://www.securityfocus.com/bid/2041

Description:
The xp_printstatements function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.

Votes:

   ACCEPT(4) Baker, Magdych, Wall, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Christey> CAN-2000-1085, CAN-2000-1086, CAN-2000-1087, and CAN-2000-1088
   all have abstraction issues; perhaps they should be RECAST
   into a single candidate.
 Christey> ADDREF XF:mssql-xp-paraminfo-bo
   URL:http://xforce.iss.net/static/5622.php
 Frech> XF:mssql-xp-paraminfo-bo(5622)


CAN-2000-1087

Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 SQL Server 2000 Extended Stored Procedure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2042
Reference: URL:http://www.securityfocus.com/bid/2042

Description:
The xp_proxiedmetadata function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.

Votes:

   ACCEPT(4) Baker, Magdych, Wall, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Christey> CAN-2000-1085, CAN-2000-1086, CAN-2000-1087, and CAN-2000-1088
   all have abstraction issues; perhaps they should be RECAST
   into a single candidate.
 Christey> ADDREF XF:mssql-xp-paraminfo-bo
   URL:http://xforce.iss.net/static/5622.php
 Frech> XF:mssql-xp-paraminfo-bo(5622)


CAN-2000-1088

Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 SQL Server 2000 Extended Stored Procedure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2043
Reference: URL:http://www.securityfocus.com/bid/2043

Description:
The xp_SetSQLSecurity function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.

Votes:

   ACCEPT(4) Baker, Magdych, Wall, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey
Voter Comments:
 Christey> CAN-2000-1085, CAN-2000-1086, CAN-2000-1087, and CAN-2000-1088
   all have abstraction issues; perhaps they should be RECAST
   into a single candidate.
 Christey> ADDREF XF:mssql-xp-paraminfo-bo
   URL:http://xforce.iss.net/static/5622.php
 Frech> XF:mssql-xp-paraminfo-bo(5622)


CAN-2000-1090

Phase: Proposed (20010202)
Reference: MISC:http://www.nsfocus.com/english/homepage/sa_08.htm
Reference: BID:2100
Reference: URL:http://www.securityfocus.com/bid/2100
Reference: XF:microsoft-iis-file-disclosure
Reference: URL:http://xforce.iss.net/static/5729.php

Description:
Microsoft IIS for Far East editions 4.0 and 5.0 allows remote attackers to read source code for parsed pages via a malformed URL that uses the lead-byte of a double-byte character.

Votes:

   ACCEPT(3) Baker, Frech, LeBlanc
   NOOP(1) Cole
   REVIEWING(3) Ziese, Wall, Christey
Voter Comments:
 LeBlanc> Fixed in SP2 for Win2K. NT 4.0 is not affected. bulletin
   MS99-022
 Christey> Need to add the Bugtraq references for this.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> Is this really the same problem addressed by MS99-022,
   which is covered by CVE-1999-0725 ?


CAN-2000-1092

Phase: Modified (20020327-01)
Reference: BUGTRAQ:20001213 NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi File List
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97676270729984&w=2
Reference: BID:2109
Reference: URL:http://online.securityfocus.com/bid/2109
Reference: XF:ezshopper-cgi-file-disclosure(5740)
Reference: URL:http://xforce.iss.net/static/5740.php

Description:
loadpage.cgi CGI program in EZshopper 3.0 and 2.0 allows remote attackers to list and read files in the EZshopper data directory by inserting a "/" in front of the target filename in the "file" parameter.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Magdych, Wall, Cole, Christey
Voter Comments:
 Christey> This is documented in an NSFOCUS security advisory released
   sometime around December 11.  Also, it's BID:2109.
 Christey> BUGTRAQ:20001213 NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi File List
   http://marc.theaimsgroup.com/?l=bugtraq&m=97676270729984&w=2
   XF:ezshopper-cgi-file-disclosure
   URL:http://xforce.iss.net/static/5740.php
 Frech> XF:ezshopper-cgi-file-disclosure(5740)
 Christey> Followup posts indicate that this problem may have been
   discovered earlier than 20001213.


CAN-2000-1093

Phase: Modified (20010417-01)
Reference: ATSTAKE:A121200-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a121200-1.txt
Reference: XF:aim-remote-bo(5732)

Description:
Buffer overflow in AOL Instant Messenger before 4.3.2229 allows remote attackers to execute arbitrary commands via a long "goim" command.

Votes:

   ACCEPT(2) Baker, Wall
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:aim-remote-bo(5732)
 Christey> CD:SF-LOC as currently written suggests merging this with
   CVE-2000-1094, since both describe buffer overflows in the
   same software version.
 Christey> Consider adding BID:2118


CAN-2000-1098

Phase: Interim (20010117)
Reference: BUGTRAQ:20001201 Re: DoS in Sonicwall SOHO firewall
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0439.html
Reference: BUGTRAQ:20001201 FW: SonicWALL SOHO Vulnerability (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0435.html

Description:
The web server for the SonicWALL SOHO firewall allows remote attackers to cause a denial of service via an empty GET or POST request.

Votes:

   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> The company's name is SonicWALL.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:sonicwall-empty-request-dos(6042)
   The company's name is SonicWALL.


CAN-2000-1100

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001130 PostACI Webmail Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0433.html
Reference: BID:2029
Reference: URL:http://www.securityfocus.com/bid/2029

Description:
The default configuration for PostACI webmail system installs the /includes/global.inc configuration file within the web root, which allows remote attackers to read sensitive information such as database usernames and passwords via a direct HTTP GET request.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:postaci-webmail-reveal-passwords(5612)


CAN-2000-1102

Phase: Proposed (20001219)
Reference: BID:2008
Reference: URL:http://www.securityfocus.com/bid/2008
Reference: BUGTRAQ:20001126 Vulnerablity in PTlink3.5.3ircd + PTlink.Services.1.8.1...
Reference: URL:http://www.securityfocus.com/archive/1/147115

Description:
PTlink IRCD 3.5.3 and PTlink Services 1.8.1 allow remote attackers to cause a denial of service (server crash) via "mode +owgscfxeb" and "oper" commands.

Votes:

   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:ptlink-ircd-mode-dos(5589)


CAN-2000-1103

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001127 BSDi 3.0/4.0 rcvtty gid=tty exploit... (mh package)
Reference: URL:http://www.securityfocus.com/archive/1/147120
Reference: BID:2009
Reference: URL:http://www.securityfocus.com/bid/2009

Description:
rcvtty in BSD 3.0 and 4.0 does not properly drop privileges before executing a script, which allows local attackers to gain privileges by specifying an alternate Trojan horse script on the command line.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:rcvtty-elevate-privileges(5587)


CAN-2000-1104

Phase: Proposed (20001219)
Reference: MS:MS00-060
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-060.asp

Description:
Variant of the "IIS Cross-Site Scripting" vulnerability as originally discussed in MS:MS00-060 (CAN-2000-0746) allows a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site.

Votes:

   ACCEPT(3) Baker, Wall, Cole
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:iis-cross-site-scripting(5156)


CAN-2000-1105

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001110 IE 5.x Win2000 Indexing service vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/144270
Reference: WIN2KSEC:20001110 IE 5.x Win2000 Indexing service vulnerability
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0074.html
Reference: BID:1933
Reference: URL:http://www.securityfocus.com/bid/1933

Description:
The ixsso.query ActiveX Object is marked as safe for scripting, which allows malicious web site operators to embed a script that remotely determines the existence of files on visiting Windows 2000 systems that have Indexing Services enabled.

Votes:

   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   REVIEWING(2) Wall, Christey
Voter Comments:
 Frech> XF:win2k-index-service-ixsso(5502)
 Christey> ADDREF MS:MS00-098
   ADDREF XF:win2k-index-service-activex
   URL:http://xforce.iss.net/static/5800.php
   Add 'aka the "Indexing Service File Enumeration" vulnerability'
   to the description.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> DUPE CVE-2001-0245?  Need to check w/Microsoft.


CAN-2000-1110

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001128 IBM Net.Data Local Path Disclosure Vulnerability?
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0384.html
Reference: BID:2017
Reference: URL:http://www.securityfocus.com/bid/2017

Description:
document.d2w CGI program in the IBM Net.Data db2www package allows remote attackers to determine the physical path of the web server by sending a nonexistent command to the program.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:ibm-netdata-reveal-path(5599)


CAN-2000-1114

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001121 Disclosure of JSP source code with ServletExec AS v3.0c + web ins tance
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0285.html
Reference: BID:1970
Reference: URL:http://www.securityfocus.com/bid/1970

Description:
Unify ServletExec AS v3.0C allows remote attackers to read source code for JSP pages via an HTTP request that ends with characters such as ".", or "+", or "%20".

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:ewave-jsp-source-read(5562)


CAN-2000-1116

Phase: Proposed (20001219)
Reference: WIN2KSEC:20001018 TransSoft's Broker FTP Server 3.x & 4.x Remote DoS attack Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0041.html
Reference: XF:broker-ftp-username-dos
Reference: URL:http://xforce.iss.net/static/5388.php

Description:
Buffer overflow in TransSoft Broker FTP Server before 4.3.0.1 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long command.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:broker-user-dos(3482)


CAN-2000-1117

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001124 Security Hole in ECL Feature of Java VM Embedded in Lotus Notes Client R5
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0341.html
Reference: BID:1994
Reference: URL:http://www.securityfocus.com/bid/1994

Description:
The Extended Control List (ECL) feature of the Java Virtual Machine (JVM) in Lotus Notes Client R5 allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:lotus-notes-verify-files(5565)


CAN-2000-1118

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001127 24Link Webserver
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0369.html

Description:
24Link 1.06 web server allows remote attackers to bypass access restrictions by prepending strings such as "/+/" or "/." to the HTTP GET request.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:24link-bypass-authentication(5930)


CAN-2000-1125

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001104 Redhat 6.2 restore exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97336034309944&w=2
Reference: BID:1914
Reference: URL:http://www.securityfocus.com/bid/1914

Description:
restore 0.4b15 and earlier in Red Hat Linux 6.2 trusts the pathname specified by the RSH environmental variable, which allows local users to obtain root privileges by modifying the RSH variable to point to a Trojan horse program.

Votes:

   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:restore-rsh-executable(5483)


CAN-2000-1126

Phase: Proposed (20001219)
Reference: HP:HPSBUX0011-130
Reference: URL:http://www.securityfocus.com/advisories/2850
Reference: BID:1954
Reference: URL:http://www.securityfocus.com/bid/1954

Description:
Vulnerability in auto_parms and set_parms in HP-UX 11.00 and earlier allows remote attackers to execute arbitrary commands or cause a denial of service.

Votes:

   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:hpux-autoparms-execute-commands(5961)


CAN-2000-1127

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001108 HP-UX 10.20 resource monitor service
Reference: URL:http://www.securityfocus.com/archive/1/143845
Reference: BID:1919
Reference: URL:http://www.securityfocus.com/bid/1919

Description:
registrar in the HP resource monitor service allows local users to read and modify arbitrary files by renaming the original registrar.log log file and creating a symbolic link to the target file, to which registrar appends log information and sets the permissions to be world readable.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:hp-registrar-file-read(5485)


CAN-2000-1128

Phase: Proposed (20001219)
Reference: NTBUGTRAQ:20001103 Elevation of Privileges Exploit with McAfee VirusScan 4.5
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q4/0073.html
Reference: BID:1920
Reference: URL:http://www.securityfocus.com/bid/1920

Description:
The default configuration of McAfee VirusScan 4.5 does not quote the ImagePath variable, which improperly sets the search path and allows local users to place a Trojan horse "common.exe" program in the C:\Program Files directory.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   REVIEWING(1) Wall
Voter Comments:
 Frech> XF:nai-virusscan-unquoted-imagepath(5484)


CAN-2000-1129

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001123 McAfee WebShield SMTP vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0324.html
Reference: BID:1999
Reference: URL:http://www.securityfocus.com/bid/1999

Description:
McAfee WebShield SMTP 4.5 allows remote attackers to cause a denial of service via a malformed recipient field.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Wall
Voter Comments:
 Frech> XF:webshield-smtp-recpt-dos(5572)


CAN-2000-1130

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001123 McAfee WebShield SMTP vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0324.html
Reference: BID:1993
Reference: URL:http://www.securityfocus.com/bid/1993

Description:
McAfee WebShield SMTP 4.5 allows remote attackers to bypass email content filtering rules by including Extended ASCII characters in name of the attachment.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Cole, Christey
   REVIEWING(1) Wall
Voter Comments:
 Frech> XF:webshield-smtp-filter-bypass(5571)
 Christey> Fix typo: "in name"


CAN-2000-1133

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001106 Authentix Security Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97353881829760&w=2
Reference: BUGTRAQ:20001107 Explanation Authentix Input Validation Error
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97362374200478&w=2
Reference: BID:1907
Reference: URL:http://www.securityfocus.com/bid/1907

Description:
Authentix Authentix100 allows remote attackers to bypass authentication by inserting a . (dot) into the URL for a protected directory.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:flicks-authentix-url-info(5477)


CAN-2000-1134

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001028 tcsh: unsafe tempfile in << redirects
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0418.html
Reference: BUGTRAQ:20001130 [ADV/EXP]: RH6.x root from bash /tmp vuln + MORE
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97561816504170&w=2
Reference: BUGTRAQ:20001128 /bin/sh creates insecure tmp files
Reference: URL:http://www.securityfocus.com/archive/1/146657
Reference: DEBIAN:20001111 tcsh: local exploit
Reference: URL:http://www.debian.org/security/2000/20001111a
Reference: MANDRAKE:MDKSA-2000-069
Reference: URL:http://www.linux-mandrake.com/en/security/MDKSA-2000-069.php3
Reference: FREEBSD:FreeBSD-SA-00:76
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:76.tcsh-csh.asc
Reference: CONECTIVA:CLSA-2000:354
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000354
Reference: CALDERA:CSSA-2000-043.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-043.0.txt
Reference: CALDERA:CSSA-2000-042.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-042.0.txt
Reference: REDHAT:RHSA-2000:117
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-117.html
Reference: REDHAT:RHSA-2000:121
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-121.html
Reference: MANDRAKE:MDKSA-2000:075
Reference: URL:http://www.linux-mandrake.com/en/security/MDKSA-2000-075.php3
Reference: BID:1926
Reference: URL:http://www.securityfocus.com/bid/1926
Reference: BID:2006
Reference: URL:http://www.securityfocus.com/bid/2006
Reference: CONECTIVA:CLA-2000:350
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000350

Description:
tcsh, csh, sh, and bash on various Unix systems follow symlinks when processing << redirects (aka here-documents or in-here documents), which allows local users to overwrite files of other users via a symlink attack.

Votes:

   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:linux-bash-tmp-symlink(5593)
 Christey> Don't all these shell programs originate from the same
   codebase, including ksh?  If so, we should have a single CAN
   for all of these, and add:
   XF:ksh-redirection-symlink
   URL:http://xforce.iss.net/static/5811.php
   CONECTIVA:CLA-2000:354
   BUGTRAQ:20001208 Immunix OS Security update for tcsh
   http://archives.neohapsis.com/archives/linux/immunix/2000-q4/0041.html
   BUGTRAQ:20001220 /bin/ksh creates insecure tmp files
   http://archives.neohapsis.com/archives/bugtraq/2000-12/0368.html
   BUGTRAQ:20001227 IBM Findings: Korn Shell Redirection Race Condition Vulnerability
   http://archives.neohapsis.com/archives/bugtraq/2000-12/0473.html
   
   Also see: http://archives.neohapsis.com/archives/bugtraq/2000-12/0420.html
   which gives some shell history which may be of use.
 Christey> ADDREF FREEBSD:FreeBSD-SA-01:03 for the bash problem.
 Christey> Consider adding BID:2148 if this CAN should include ksh
 Christey> SGI:20011103-01-I
   URL:ftp://patches.sgi.com/support/free/security/advisories/20011103-01-I
   Also, DELREF BID:2148 and BID:1926.  Keep BID:2006
 Christey> COMPAQ:SSRT1-41U
   URL:http://ftp.support.compaq.com/patches/.new/html/SSRT0742U-59U.shtml
   CERT-VN:VU#10277
   URL:http://www.kb.cert.org/vuls/id/10277
 Christey> SGI:20011103-02-P
   URL:ftp://patches.sgi.com/support/free/security/advisories/20011103-02-P
   Note that this is an update of the other SGI reference.
 Christey> CALDERA:CSSA-2001-SCO.24
   URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.24.1/CSSA-2001-SCO.24.1.txt
   CERT-VN:VU#10277
   URL:http://www.kb.cert.org/vuls/id/10277
 Christey> Missing BID - BID:1926


CAN-2000-1138

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001108 Lotus Notes R5 clients - no warning for broken signature or encryption
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97370725220953&w=2
Reference: BID:1925
Reference: URL:http://www.securityfocus.com/bid/1925

Description:
Lotus Notes R5 client R5.0.5 and earlier does not properly warn users when an S/MIME email message has been modified, which could allow an attacker to modify the email in transit without being detected.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:lotus-notes-r5-mime(5492)


CAN-2000-1147

Phase: Modified (20010116-01)
Reference: BUGTRAQ:20001103 IIS ASP $19.95 hack - IISHack 1.5
Reference: URL:http://www.securityfocus.com/archive/1/143070
Reference: BID:1911
Reference: URL:http://www.securityfocus.com/bid/1911
Reference: XF:iis-isapi-asp-bo
Reference: URL:http://xforce.iss.net/static/5510.php

Description:
Buffer overflow in IIS ISAPI .ASP parsing mechanism allows attackers to execute arbitrary commands via a long string to the "LANGUAGE" argument in a script tag.

Votes:

   ACCEPT(2) Baker, Wall
   MODIFY(1) Frech
   NOOP(1) Cole
   RECAST(1) LeBlanc
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:iis-isapi-asp-bo(5510)
 Christey> Consult Microsoft on this one.
 LeBlanc> This one was already fixed in several hotfixes when it was
   found. I'm not sure what the content decision is on this. It is a valid
   problem, but it was already fixed when announced. I will go along with
   an accept vote once it is modified to show fixes.


CAN-2000-1150

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html

Description:
Felix IRC client in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Armstrong
Voter Comments:
 Frech> XF:felix-irc-long-url(5520)


CAN-2000-1151

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html

Description:
Baxter IRC client in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Armstrong
Voter Comments:
 Frech> XF:baxter-irc-bo(5518)


CAN-2000-1152

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html

Description:
Browser IRC client in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Armstrong
Voter Comments:
 Frech> XF:bowser-irc-dos(5964)


CAN-2000-1153

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html

Description:
PostMaster 1.0 in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Armstrong
Voter Comments:
 Frech> XF:postmaster-long-url-bo(5522)


CAN-2000-1154

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html

Description:
RHConsole in RobinHood 1.1 web server in BeOS r5 pro and earlier allows remote attackers to cause a denial of service via long HTTP request.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Armstrong
Voter Comments:
 Frech> XF:robinhood-cpp-request-bo(5521)


CAN-2000-1155

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html

Description:
RHDaemon in RobinHood 1.1 web server in BeOS r5 pro and earlier allows remote attackers to cause a denial of service via long HTTP request.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Armstrong
Voter Comments:
 Frech> XF:robinhood-cpp-request-bo(5521)


CAN-2000-1156

Phase: Modified (20010116-01)
Reference: BUGTRAQ:20001108 StarOffice 5.2 Temporary Dir Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0115.html
Reference: BID:1922
Reference: URL:http://www.securityfocus.com/bid/1922
Reference: XF:staroffice-tmp-sym-link
Reference: URL:http://xforce.iss.net/static/5487.php

Description:
StarOffice 5.2 follows symlinks and sets world-readable permissions for the /tmp/soffice.tmp directory, which allows a local user to read files of the user who is using StarOffice.

Votes:

   ACCEPT(3) Baker, Cole, Dik
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:staroffice-tmp-sym-link(5487)
 Christey> Consult Sun on this one.
 Dik> Supposedly fixed in Soffice 5.1 Service pack 1


CAN-2000-1157

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001102 Remotely exploitable buffer overflow in NAI's Distributed Sniffer Agent
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0038.html
Reference: BID:1901
Reference: URL:http://www.securityfocus.com/bid/1901

Description:
Buffer overflow in NAI Sniffer Agent allows remote attackers to execute arbitrary commands via a long SNMP community name.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:sniffer-agent-snmp-bo(5455)


CAN-2000-1158

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001102 Remotely exploitable buffer overflow in NAI's Distributed Sniffer Agent
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0038.html

Description:
NAI Sniffer Agent uses base64 encoding for authentication, which allows attackers to sniff the network and easily decrypt usernames and passwords.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:sniffer-agent-weak-authentication(5951)


CAN-2000-1159

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001102 Remotely exploitable buffer overflow in NAI's Distributed Sniffer Agent
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0038.html
Reference: BID:1902
Reference: URL:http://www.securityfocus.com/bid/1902

Description:
NAI Sniffer Agent allows remote attackers to gain privileges on the agent by sniffing the initial UDP authentication packets and spoofing commands.

Votes:

   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:sniffer-agent-snmp-bo(5455)
 Christey> Consult NAI on this one.


CAN-2000-1160

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001102 Remotely exploitable buffer overflow in NAI's Distributed Sniffer Agent
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0038.html
Reference: BID:1903
Reference: URL:http://www.securityfocus.com/bid/1903

Description:
NAI Sniffer Agent allows remote attackers to cause a denial of service (crash) by sending a large number of login requests.

Votes:

   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:sniffer-agent-login-dos(5456)
 Christey> Consult NAI on this one.


CAN-2000-1161

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001120 security problem in AdCycle installation
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0271.html
Reference: BID:1969
Reference: URL:http://www.securityfocus.com/bid/1969

Description:
The installation of AdCycle banner management system leaves the build.cgi program in a web-accessible directory, which allows remote attackers to execute the program and view passwords or delete databases.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Armstrong
Voter Comments:
 Frech> XF:adcycle-password-disclosure(5559)


CAN-2000-1168

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001123 IBM HTTP Server 1.3.6 Remote Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97502498610979&w=2
Reference: BID:1988
Reference: URL:http://www.securityfocus.com/bid/1988

Description:
IBM HTTP Server 1.3.6 (based on Apache) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long GET request.

Votes:

   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:ibm-http-server-dos(5577)
 Christey> Consult Troy Bollinger on this one.


CAN-2000-1172

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001110 Advisory: Gaim remote vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0204.html
Reference: BID:1948
Reference: URL:http://www.securityfocus.com/bid/1948

Description:
Buffer overflow in Gaim 0.10.3 and earlier using the OSCAR protocol allows remote attackers to conduct a denial of service and possibly execute arbitrary commands via a long HTML tag.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:gaim-remote-bo(5511)


CAN-2000-1173

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001122 CyberPatrol - poor credit card protection
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0323.html
Reference: BID:1977
Reference: URL:http://www.securityfocus.com/bid/1977

Description:
Microsys CyberPatrol uses weak encryption (trivial encoding) for credit card numbers and uses no encryption for the remainder of the information during registration, which could allow attackers to sniff network traffic and obtain this sensitive information.

Votes:

   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:cyberpatrol-insecure-data(5578)


CAN-2000-1175

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001120 local exploit for linux's Koules1.4 package
Reference: URL:http://www.securityfocus.com/archive/1/145823
Reference: BID:1967
Reference: URL:http://www.securityfocus.com/bid/1967

Description:
Buffer overflow in Koules 1.4 allows local users to execute arbitrary commands via a long command line argument.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Armstrong
Voter Comments:
 Frech> XF:koules-svgalib-bo(5558)


CAN-2000-1176

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001107 Insecure input balidation in YaBB Search.pl
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0110.html
Reference: BID:1921
Reference: URL:http://www.securityfocus.com/bid/1921

Description:
Directory traversal vulnerability in YaBB search.pl CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack in the "catsearch" form field.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:yabb-search-format-string(5501)


CAN-2000-1177

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001121 Big Brother Advisory - Fate Research Labs
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0284.html
Reference: CONFIRM:http://bb4.com/incident.nov21
Reference: BID:1971
Reference: URL:http://www.securityfocus.com/bid/1971

Description:
bb-hist.sh, bb-histlog.sh, bb-hostsvc.sh, bb-rep.sh, bb-replog.sh, and bb-ack.sh in Big Brother (BB) before 1.5d3 allows remote attackers to determine the existence of files and user ID's by specifying the target file in the HISTFILE parameter.

Votes:

   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:bb-cgi-brute-force(5560)


CAN-2000-1183

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001115 socks5 remote exploit / linux x86
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0219.html

Description:
Buffer overflow in socks5 server on Linux allows attackers to execute arbitrary commands via a long connection request.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Armstrong
Voter Comments:
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:linux-socks5-connection-bo(8376)


CAN-2000-1185

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001113 Rideway PN Telnet DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0201.html
Reference: BID:1938
Reference: URL:http://www.securityfocus.com/bid/1938

Description:
The telnet proxy in RideWay PN proxy server allows remote attackers to cause a denial of service via a flood of connections that contain malformed requests.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Armstrong
Voter Comments:
 Frech> XF:rideway-pn-proxy-dos(5525)


CAN-2000-1186

Phase: Modified (20010122-01)
Reference: BUGTRAQ:20001115 Exploit: phf buffer overflow (CGI)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0221.html
Reference: XF:phf-cgi-bo(5970)
Reference: URL:http://xforce.iss.net/static/5970.php

Description:
Buffer overflow in phf CGI program allows remote attackers to execute arbitrary commands by specifying a large number of arguments and including a long MIME header.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Armstrong
Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:phf-cgi-bo(5970)


CAN-2000-1188

Phase: Proposed (20001219)
Reference: BUGTRAQ:20001120 Cgisecurity Quickstore Shopping cart
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0283.html

Description:
Directory traversal vulnerability in Quikstore shopping cart program allows rmeote attackers to read arbitrary files via a .. (dot dot) attack in the "page" parameter.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Armstrong
Voter Comments:
 Frech> XF:quikstore-cgi-read-files(5561)
 Armstrong> in Description: change rmeote to remote.


CAN-2000-1191

Phase: Proposed (20010912)
Reference: MISC:http://www.securiteam.com/exploits/htDig_reveals_web_server_configuration_paths.html

Description:
htsearch program in htDig 3.2 beta, 3.1.5, and earlier allows remote attackers to determine the physical path of the server by requesting a non-existent configuration file using the config parameter, which generates an error message that includes the full path.

Votes:

   ACCEPT(1) Stracener
   MODIFY(1) Frech
   NOOP(4) Williams, Wall, Foat, Cole
Voter Comments:
 Frech> XF:htdig-htsearch-path-disclosure(7367)
   MISC reference should be
   http://www.securiteam.com/exploits/5YQ0C000IU.html.


CAN-2000-1192

Phase: Proposed (20010912)
Reference: MISC:http://www.securiteam.com/windowsntfocus/5ZP0C000KC.html
Reference: MISC:http://www.bttsoftware.co.uk/snmptrap.html
Reference: XF:snmp-trapwatcher-string-dos
Reference: BID:985
Reference: URL:http://www.securityfocus.com/bid/985

Description:
Buffer overflow in BTT Software SNMP Trap Watcher 1.16 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string trap.

Votes:

   ACCEPT(1) Frech
   NOOP(5) Williams, Wall, Foat, Cole, Stracener

CAN-2000-1194

Phase: Proposed (20010912)
Reference: MISC:http://www.mdma.za.net/fk/FK9.zip
Reference: BID:1227
Reference: URL:http://www.securityfocus.com/bid/1227

Description:
Argosoft FRP server 1.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to the (1) USER or (2) CWD commands.

Votes:

   ACCEPT(1) Williams
   MODIFY(1) Frech
   NOOP(4) Wall, Foat, Cole, Stracener
Voter Comments:
 Frech> XF:argosoft-ftp-bo(6553)
 Williams> %s/FRP/FTP
 CHANGE> [Williams changed vote from MODIFY to ACCEPT]


CAN-2000-1197

Phase: Proposed (20010912)
Reference: BUGTRAQ:20000420 pop3d/imap DOS (while we're on the subject)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95624629924545&w=2
Reference: FREEBSD:FreeBSD-SA-00:15
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:15.imap-uw.asc
Reference: BID:1132
Reference: URL:http://www.securityfocus.com/bid/1132

Description:
POP2 or POP3 server (pop3d) in imap-uw IMAP package on FreeBSD and other operating systems creates lock files with predictable names, which allows local users to cause a denial of service (lack of mail access) for other users by creating lock files for other mail boxes.

Votes:

   ACCEPT(4) Baker, Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Foat> ACKNOWLEDGED-BY-VENDOR
 Frech> XF:freebsd-imap-uw(4335)
 Frech> Please change XF:freebsd-imap-uw(4335) to XF:pop-predictable-lockfile(4335)


CAN-2000-1198

Phase: Proposed (20010912)
Reference: BUGTRAQ:20000420 pop3
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95634229925906&w=2
Reference: BUGTRAQ:20000420 pop3d/imap DOS (while we're on the subject)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95624629924545&w=2
Reference: BID:1132
Reference: URL:http://www.securityfocus.com/bid/1132

Description:
qpopper POP server creates lock files with predictable names, which allows local users to cause a denial of service for other users (lack of mail access) by creating lock files for other mail boxes.

Votes:

   ACCEPT(3) Baker, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:pop-predictable-lockfile(4335)


CAN-2000-1199

Phase: Proposed (20010912)
Reference: BUGTRAQ:20000423 Postgresql cleartext password storage
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95659987018649&w=2
Reference: XF:postgresql-plaintext-passwords(4364)
Reference: URL:http://xforce.iss.net/static/4364.php
Reference: BID:1139
Reference: URL:http://www.securityfocus.com/bid/1139

Description:
PostgreSQL stores usernames and passwords in plaintext in (1) pg_shadow and (2) pg_pwd, which allows attackers with sufficient privileges to gain access to databases.

Votes:

   ACCEPT(1) Frech
   NOOP(5) Williams, Wall, Foat, Cole, Stracener

CAN-2000-1201

Phase: Proposed (20010912)
Reference: BUGTRAQ:20000707 Re: CheckPoint FW1 BUG
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0085.html

Description:
Check Point FireWall-1 allows remote attackers to cause a denial of service (high CPU) via a flood of packets to port 264.

Votes:

   MODIFY(1) Frech
   NOOP(5) Williams, Wall, Foat, Cole, Stracener
Voter Comments:
 Frech> XF:fw1-portflood-dos(7368)


CAN-2000-1202

Phase: Proposed (20010912)
Reference: BUGTRAQ:20000405 minor issue with IBM HTTPD and /usr/bin/ikeyman
Reference: URL:http://www.securityfocus.com/archive/1/54073
Reference: BID:1092
Reference: URL:http://www.securityfocus.com/bid/1092
Reference: XF:ibm-ikeyman(4235)
Reference: URL:http://xforce.iss.net/static/4235.php

Description:
ikeyman in IBM IBMHSSSB 1.0 sets the CLASSPATH environmental variable to include the user's own CLASSPATH directories before the system's directories, which allows a malicious local user to execute arbitrary code as root via a Trojan horse Ikeyman class.

Votes:

   ACCEPT(2) Frech, Williams
   NOOP(4) Wall, Foat, Cole, Stracener
Voter Comments:
 Williams> :%s/IBMHSSSB/IBMHSSB


CAN-2000-1203

Phase: Modified (20030325-01)
Reference: VULN-DEV:20000520 Infinite loop in LOTUS NOTE 5.0.3. SMTP SERVER
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=95886062521327&w=2
Reference: BUGTRAQ:20010820 Lotus Domino DoS
Reference: URL:http://www.securityfocus.com/cgi-bin/archive.pl?id=1&start=2002-01-21&end=2002-01-27&mid=209116&threads=1
Reference: BUGTRAQ:20010823 Lotus Domino DoS solution
Reference: URL:http://www.securityfocus.com/archive/1/209754
Reference: BID:3212
Reference: URL:http://www.securityfocus.com/bid/3212
Reference: XF:lotus-domino-bounced-message-dos(7012)
Reference: URL:http://www.iss.net/security_center/static/7012.php

Description:
Lotus Domino SMTP server 4.63 through 5.08 allows remote attackers to cause a denial of service (CPU consumption) by forging an email message with the sender as bounce@[127.0.0.1] (localhost), which causes Domino to enter a mail loop.

Votes:

   ACCEPT(3) Baker, Armstrong, Green
   MODIFY(1) Frech
   NOOP(5) Cox, Wall, Foat, Cole, Christey
Voter Comments:
 Green> Since a work around involving configuration settings exists the presenting problem should also exist.
 Frech> XF:lotus-domino-bounced-message-dos(7012)
   CONFIRM:
   http://www-1.ibm.com/support/docview.wss?rs=0&org=sims&doc=DA18AA221C3
   B982085256B84000033EB
 Christey> The CONFIRM URL provided by Andre is broken


CAN-2000-1204

Phase: Proposed (20020830)
Reference: CONFIRM:http://www.apacheweek.com/issues/00-10-13

Description:
Vulnerability in the mod_vhost_alias virtual hosting module for Apache 1.3.9, 1.3.11 and 1.3.12 allows remote attackers to obtain the source code for CGI programs if the cgi-bin directory is under the document root.

Votes:

   ACCEPT(5) Baker, Cox, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
Voter Comments:
 Frech> XF:apache-modvhostalias-source-disclosure(11088)


CAN-2000-1205

Phase: Proposed (20020830)
Reference: CONFIRM:http://httpd.apache.org/info/css-security/apache_specific.html

Description:
Cross site scripting vulnerabilities in Apache 1.3.0 through 1.3.11 allow remote attackers to execute script as other web site visitors via (1) the printenv CGI, which does not encode its output, (2) pages generated by the ap_send_error_response function such as a default 404, which does not add an explicit charset, or (3) various messages that are generated by certain Apache modules or core code.

Votes:

   ACCEPT(7) Baker, Cox, Wall, Foat, Cole, Armstrong, Green
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:apache-printenv-xss(10938)


CAN-2000-1206

Phase: Proposed (20020830)
Reference: CONFIRM:http://www.apacheweek.com/issues/00-01-07#status

Description:
Vulnerability in Apache httpd before 1.3.11, when configured for mass virtual hosting using mod_rewrite, or mod_vhost_alias in Apache 1.3.9, allows remote attackers to retrieve arbitrary files.

Votes:

   ACCEPT(6) Baker, Cox, Wall, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(1) Foat
Voter Comments:
 Frech> XF:apache-virtualhosting-obtain-files(11139)


CAN-2000-1207

Phase: Proposed (20020830)
Reference: BUGTRAQ:20000930 glibc and userhelper - local root
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97034397026473&w=2
Reference: REDHAT:RHSA-2000:075
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-075.html
Reference: MANDRAKE:MDKSA-2000:059
Reference: URL:http://www.linux-mandrake.com/en/security/2000/MDKSA-2000-059.php3
Reference: BUGTRAQ:20001003 SuSE: userhelper/usermode
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97063854808796&w=2

Description:
userhelper in the usermode package on Red Hat Linux executes non-setuid programs as root, which does not activate the security measures in glibc and allows the programs to be exploited via format string vulnerabilities in glibc via the LANG or LC_ALL environment variables (CVE-2000-0844).

Votes:

   ACCEPT(6) Baker, Cox, Wall, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(1) Foat
Voter Comments:
 Frech> XF:usermode-userhelper-bypass-security(11089)


CAN-2000-1208

Phase: Proposed (20020830)
Reference: BUGTRAQ:20000925 Format strings: bug #1: BSD-lpr
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96994604300675&w=2
Reference: REDHAT:RHSA-2000:066
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-066.html
Reference: MANDRAKE:MDKSA-2000:054
Reference: CONECTIVA:CLSA-2000:321
Reference: BUGTRAQ:20001004 Immunix OS Security Update for lpr
Reference: URL:http://online.securityfocus.com/archive/1/137555
Reference: XF:lpr-checkremote-format-string(5286)
Reference: URL:http://www.iss.net/security_center/static/5286.php
Reference: BID:1711
Reference: URL:http://online.securityfocus.com/bid/1711

Description:
Format string vulnerability in startprinting() function of printjob.c in BSD-based lpr lpd package may allow local users to gain privileges via an improper syslog call that uses format strings from the checkremote() call.

Votes:

   ACCEPT(6) Baker, Frech, Cox, Cole, Armstrong, Green
   NOOP(2) Wall, Foat

CAN-2000-1209

Phase: Proposed (20020830)
Reference: BUGTRAQ:20000710 MSDE / Re: Default Password Database
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96333895000350&w=2
Reference: BUGTRAQ:20000810 Tumbleweed Worldsecure (MMS) BLANK 'sa' account password
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96593218804850&w=2
Reference: BUGTRAQ:20000815 MS-SQL 'sa' user exploit code
Reference: URL:http://security-archive.merton.ox.ac.uk/bugtraq-200008/0233.html
Reference: BUGTRAQ:20000816 Released Patch: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96644570412692&w=2
Reference: BUGTRAQ:20020522 Opty-Way Enterprise includes MSDE with sa <blank>
Reference: URL:http://online.securityfocus.com/archive/1/273639
Reference: MSKB:Q313418
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q313418
Reference: MSKB:Q321081
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;EN-US;q321081
Reference: CONFIRM:http://www.microsoft.com/security/security_bulletins/ms02020_sql.asp
Reference: ISS:20020521 Microsoft SQL Spida Worm Propagation
Reference: CERT-VN:VU#635463
Reference: URL:http://www.kb.cert.org/vuls/id/635463
Reference: COMPAQ:SSRT2195
Reference: BID:4797
Reference: URL:http://online.securityfocus.com/bid/4797
Reference: XF:mssql-no-sapassword(1459)
Reference: URL:http://www.iss.net/security_center/static/1459.php

Description:
The "sa" account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS) (5) Compaq Insight Manager, and (6) Visio 2000, are installed with a default "sa" account with a null password, which allows remote attackers to gain privileges, including worms such as Voyager Alpha Force and Spida.

Votes:

   ACCEPT(5) Baker, Wall, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Cox, Foat
Voter Comments:
 Frech> XF:tumbleweed-mms-blank-password(5072)
   XF:msde-mssql-default-password(9154)
   May overlap with CAN-2000-0772.


CAN-2000-1213

Phase: Proposed (20020830)
Reference: BUGTRAQ:20001025 Immunix OS Security Update for ping package
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97249980727834&w=2
Reference: BUGTRAQ:20001030 Trustix Security Advisory - ping gnupg ypbind
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97292944103571&w=2
Reference: REDHAT:RHSA-2000:087
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-087.html

Description:
ping in iputils before 20001010, as distributed on Red Hat Linux 6.2 through 7J and other operating systems, does not drop privileges after acquiring a raw socket, which increases ping's exposure to bugs that otherwise would occur at lower privileges.

Votes:

   ACCEPT(7) Baker, Cox, Wall, Foat, Cole, Armstrong, Green
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:iputils-ping-privileges(11090)


CAN-2000-1214

Phase: Proposed (20020830)
Reference: BUGTRAQ:20001025 Immunix OS Security Update for ping package
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97249980727834&w=2
Reference: BUGTRAQ:20001020 Re: [RHSA-2000:087-02] Potential security problems in ping fixed.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97208562830613&w=2
Reference: BUGTRAQ:20001030 Trustix Security Advisory - ping gnupg ypbind
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97292944103571&w=2
Reference: REDHAT:RHSA-2000:087
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-087.html
Reference: BID:1813
Reference: URL:http://online.securityfocus.com/bid/1813
Reference: XF:ping-buf-bo(5431)
Reference: URL:http://www.iss.net/security_center/static/5431.php

Description:
Buffer overflows in the (1) outpack or (2) buf variables of ping in iputils before 20001010, as distributed on Red Hat Linux 6.2 through 7J and other operating systems, may allow local users to gain privileges.

Votes:

   ACCEPT(8) Baker, Frech, Cox, Wall, Foat, Cole, Armstrong, Green

CAN-2001-0019

Phase: Proposed (20010202)
Reference: ATSTAKE:A013101-1
Reference: URL:http://www.atstake.com/research/advisories/2001/a013101-1.txt
Reference: CISCO:20010131 Cisco Content Services Switch Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/arrowpoint-cli-filesystem-pub.shtml

Description:
Arrowpoint (aka Cisco Content Services, or CSS) allows local users to cause a denial of service via a long argument to the "show script," "clear script," "show archive," "clear archive," "show log," or "clear log" commands.

Votes:

   ACCEPT(4) Cole, Prosser, Baker, Ziese
   MODIFY(1) Frech
   NOOP(2) Christey, Wall
Voter Comments:
 Frech> XF:cisco-ccs-cli-dos(6030)
   I could not find anything in the Cisco reference that
   indicates that this is a local-only vulnerability. Suggest dropping
   the description of "local users" unless further information is
   available.
 Christey> XF:cisco-ccs-cli-dos
 Christey> BID:2330
   URL:http://www.securityfocus.com/bid/2330
 Prosser> CISCO:20010131 Cisco Content Services Switch Vulnerability
   http://www.cisco.com/warp/public/707/arrowpoint-cli-filesystem-pub.shtml


CAN-2001-0022

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001213 Re: Insecure input validation in simplestmail.cgi
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0168.html
Reference: BID:2106
Reference: URL:http://www.securityfocus.com/bid/2106
Reference: XF:http-cgi-simplestguest
Reference: URL:http://xforce.iss.net/static/5743.php

Description:
simplestguest.cgi CGI program by Leif Wright allows remote attackers to execute arbitrary commands via shell metacharacters in the guestbook parameter.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0023

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001211 Insecure input validation in everythingform.cgi (remote command execution)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0137.html
Reference: BID:2101
Reference: URL:http://www.securityfocus.com/bid/2101
Reference: XF:http-cgi-everythingform
Reference: URL:http://xforce.iss.net/static/5736.php

Description:
everythingform.cgi CGI program by Leif Wright allows remote attackers to execute arbitrary commands via shell metacharacters in the config parameter.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0024

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001211 Insecure input validation in simplestmail.cgi (remote command execution)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0136.html
Reference: BID:2102
Reference: URL:http://www.securityfocus.com/bid/2102
Reference: XF:http-cgi-simplestmail
Reference: URL:http://xforce.iss.net/static/5739.php

Description:
simplestmail.cgi CGI program by Leif Wright allows remote attackers to execute arbitrary commands via shell metacharacters in the MyEmail parameter.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0025

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001211 Insecure input validation in ad.cgi
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0143.html
Reference: BID:2103
Reference: URL:http://www.securityfocus.com/bid/2103
Reference: XF:http-cgi-ad
Reference: URL:http://xforce.iss.net/static/5741.php

Description:
ad.cgi CGI program by Leif Wright allows remote attackers to execute arbitrary commands via shell metacharacters in the file parameter.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0027

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001211 mod_sqlpw Password Caching Bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0139.html
Reference: XF:proftpd-modsqlpw-unauth-access
Reference: URL:http://xforce.iss.net/static/5737.php

Description:
mod_sqlpw module in ProFTPD does not reset a cached password when a user uses the "user" command to change accounts, which allows authenticated attackers to gain privileges of other users.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0029

Phase: Modified (20020222-01)
Reference: BUGTRAQ:20001212 Stack too ;) Re: [pkc] remote heap buffer overflow in oops
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0158.html
Reference: BID:2099
Reference: URL:http://www.securityfocus.com/bid/2099
Reference: MISC:http://zipper.paco.net/~igor/oops/ChangeLog
Reference: XF:oops-dns-bo(6122)
Reference: URL:http://xforce.iss.net/static/6122.php

Description:
Buffer overflow in oops WWW proxy server 1.4.6 (and possibly other versions) allows remote attackers to execute arbitrary commands via a long host or domain name that is obtained from a reverse DNS lookup.

Votes:

   ACCEPT(2) Cole, Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Ziese, Wall
Voter Comments:
 Frech> XF:oops-dns-bo(6122)
 Christey> This looks like a different overflow than the one described
   in the original post at:
   http://archives.neohapsis.com/archives/bugtraq/2000-12/0127.html
   The vendor does acknowledge *that* problem in the 1.5.0
   comments of
   http://zipper.paco.net/~igor/oops/ChangeLog
 Christey> Vendor fixed this problem between 1.4.22 and 1.5.5, based
   on a source code comparison.
   CD:SF-LOC says that bugs of the same type, that appear in
   different versions, must be SPLIT.  Therefore this should
   stay separate from CVE-2001-0028.
   
   Change MISC to CONFIRM.  The comments for version 1.5.4
   say "more sprintf/strncpy fixes" and that's the type of
   changes that were made in lib.c, the code that was listed
   in the Bugtraq post for this CAN.


CAN-2001-0030

Phase: Proposed (20010202)
Reference: BID:2089
Reference: URL:http://www.securityfocus.com/bid/2089
Reference: XF:foolproof-security-bypass
Reference: URL:http://xforce.iss.net/static/5758.php

Description:
FoolProof 3.9 allows local users to bypass program execution restrictions by downloading the restricted executables from another source and renaming them.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(4) Cole, Christey, Ziese, Wall
Voter Comments:
 Christey> ADDREF BUGTRAQ:20001208 Foolproof Security Vulnerability
   http://www.securityfocus.com/archive/1/149952


CAN-2001-0031

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001207 BroadVision One-To-One Enterprise Path Disclosure Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0074.html
Reference: XF:broadvision-bv1to1-reveal-path
Reference: URL:http://xforce.iss.net/static/5661.php

Description:
BroadVision One-To-One Enterprise allows remote attackers to determine the physical path of server files by requesting a .JSP file name that does not exist.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0032

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001208 format string in ssl dump
Reference: URL:http://www.securityfocus.com/archive/1/149917
Reference: BID:2096
Reference: URL:http://www.securityfocus.com/bid/2096
Reference: XF:ssldump-format-strings
Reference: URL:http://xforce.iss.net/static/5717.php

Description:
Format string vulnerability in ssldump possibly allows remote attackers to cause a denial of service and possibly gain root privileges via malicious format string specifiers in a URL.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0037

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001207 HomeSeer Directory Traversal Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0082.html
Reference: BID:2085
Reference: URL:http://www.securityfocus.com/bid/2085
Reference: MISC:http://www.keware.com/hsbetachanges.htm
Reference: XF:homeseer-directory-traversal
Reference: URL:http://xforce.iss.net/static/5663.php

Description:
Directory traversal vulnerability in HomeSeer before 1.4.29 allows remote attackers to read arbitrary files via a URL containing .. (dot dot) specifiers.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0038

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001207 MetaProducts Offline Explorer
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0078.html
Reference: BID:2084
Reference: URL:http://www.securityfocus.com/bid/2084
Reference: XF:offline-explorer-reveal-files
Reference: URL:http://xforce.iss.net/static/5728.php

Description:
Offline Explorer 1.4 before Service Release 2 allows remote attackers to read arbitrary files by specifying the drive letter (e.g. C:) in the requested URL.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0042

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001206 CHINANSL Security Advisory(CSA-200011)
Reference: URL:http://www.securityfocus.com/archive/1/149210
Reference: BID:2060
Reference: URL:http://www.securityfocus.com/bid/2060
Reference: XF:apache-php-disclose-files
Reference: URL:http://xforce.iss.net/static/5659.php

Description:
PHP3 running on Apache 1.3.6 allows remote attackers to read arbitrary files via a modified .. (dot dot) attack.

Votes:

   ACCEPT(3) Cole, Baker, Frech
   NOOP(1) Wall
   REVIEWING(1) Ziese

CAN-2001-0044

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001206 (SRADV00007) Local root compromise through Lexmark MarkVision printer drivers
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0064.html
Reference: BID:2075
Reference: URL:http://www.securityfocus.com/bid/2075
Reference: XF:markvision-printer-driver-bo
Reference: URL:http://xforce.iss.net/static/5651.php

Description:
Multiple buffer overflows in Lexmark MarkVision printer driver programs allows local users to gain privileges via long arguments to the cat_network, cat_paraller, and cat_serial commands.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0045

Phase: Proposed (20010202)
Reference: MS:MS00-095
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-095.asp
Reference: BID:2064
Reference: URL:http://www.securityfocus.com/bid/2064
Reference: XF:nt-ras-reg-perms
Reference: URL:http://xforce.iss.net/static/5671.php

Description:
The default permissions for the RAS Administration key in Windows NT 4.0 allows local users to execute arbitrary commands by changing the value to point to a malicious DLL, aka one of the "Registry Permissions" vulnerabilities.

Votes:

   ACCEPT(5) Cole, Baker, Frech, Ziese, Wall

CAN-2001-0046

Phase: Proposed (20010202)
Reference: MS:MS00-095
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-095.asp
Reference: BID:2066
Reference: URL:http://www.securityfocus.com/bid/2066
Reference: XF:nt-snmp-reg-perms
Reference: URL:http://xforce.iss.net/static/5672.php

Description:
The default permissions for the SNMP Parameters registry key in Windows NT 4.0 allows remote attackers to read and possibly modify the SNMP community strings to obtain sensitive information or modify network configuration, aka one of the "Registry Permissions" vulnerabilities.

Votes:

   ACCEPT(4) Cole, Baker, Frech, Wall
   NOOP(1) Ziese

CAN-2001-0047

Phase: Proposed (20010202)
Reference: MS:MS00-095
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-095.asp
Reference: BID:2065
Reference: URL:http://www.securityfocus.com/bid/2065
Reference: XF:nt-mts-reg-perms
Reference: URL:http://xforce.iss.net/static/5673.php

Description:
The default permissions for the MTS Package Administration registry key in Windows NT 4.0 allows local users to install or modify arbitrary Microsoft Transaction Server (MTS) packages and gain privileges, aka one of the "Registry Permissions" vulnerabilities.

Votes:

   ACCEPT(4) Cole, Baker, Frech, Wall
   NOOP(1) Ziese

CAN-2001-0048

Phase: Proposed (20010202)
Reference: MS:MS00-099
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-099.asp
Reference: BID:2133
Reference: URL:http://www.securityfocus.com/bid/2133

Description:
The "Configure Your Server" tool in Microsoft 2000 domain controllers installs a blank password for the Directory Service Restore Mode, which allows attackers with physical access to the controller to install malicious programs, aka the "Directory Service Restore Mode Password" vulnerability.

Votes:

   ACCEPT(4) Cole, Baker, Ziese, Wall
   MODIFY(1) Frech
Voter Comments:
 Frech> XF:win2k-directory-service-restore-password(5936)


CAN-2001-0049

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001207 WatchGuard SOHO v2.2.1 DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0079.html
Reference: BID:2082
Reference: URL:http://www.securityfocus.com/bid/2082
Reference: XF:watchguard-soho-get-dos
Reference: URL:http://xforce.iss.net/static/5665.php

Description:
WatchGuard SOHO FireWall 2.2.1 and earlier allows remote attackers to cause a denial of service via a large number of GET requests.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(2) Cole, Wall
   REVIEWING(1) Ziese

CAN-2001-0051

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001205 IBM DB2 default account and password Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/149222
Reference: BID:2068
Reference: URL:http://www.securityfocus.com/bid/2068
Reference: XF:ibm-db2-gain-access
Reference: URL:http://xforce.iss.net/static/5662.php

Description:
IBM DB2 Universal Database version 6.1 creates an account with a default user name and password, which allows remote attackers to gain access to the databasse.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(3) Cole, Ziese, Wall
Voter Comments:
 Frech> In description, "database", not "databasse".


CAN-2001-0052

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001205 IBM DB2 SQL DOS
Reference: URL:http://www.securityfocus.com/archive/1/149207
Reference: BID:2067
Reference: URL:http://www.securityfocus.com/bid/2067
Reference: XF:ibm-db2-dos
Reference: URL:http://xforce.iss.net/static/5664.php

Description:
IBM DB2 Universal Database version 6.1 allows users to cause a denial of service via a malformed query.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0064

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001219 def-2000-03: MDaemon 3.5.0 DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0315.html
Reference: BID:2134
Reference: URL:http://www.securityfocus.com/bid/2134

Description:
Webconfig, IMAP, and other services in MDaemon 3.5.0 and earlier allows remote attackers to cause a denial of service via a long URL terminated by a "\r\n" string.

Votes:

   MODIFY(1) Frech
   NOOP(3) Cole, Ziese, Wall
Voter Comments:
 Frech> XF:mdaemon-imap-dos(5805)


CAN-2001-0065

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001213 Potential Buffer Overflow vulnerability in bftpd-1.0.13
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0189.html
Reference: XF:bftpd-site-chown-bo
Reference: URL:http://xforce.iss.net/static/5775.php

Description:
Buffer overflow in bftpd 1.0.13 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long SITE CHOWN command.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0067

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001214 J-Pilot Permissions Vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?mid=150957&end=2001-02-03&fromthread=1&start=2001-01-28&threads=0&list=1&
Reference: MANDRAKE:MDKSA-2000:081
Reference: URL:http://www.linux-mandrake.com/en/security/2000/MDKSA-2000-081.php3
Reference: XF:jpilot-perms
Reference: URL:http://xforce.iss.net/static/5762.php

Description:
The installation of J-Pilot creates the .jpilot directory with the user's umask, which could allow local attackers to read other users' PalmOS backup information if their umasks are not securely set.

Votes:

   ACCEPT(3) Cole, Baker, Frech
   NOOP(2) Ziese, Wall

CAN-2001-0068

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001215 Security Hole of MRJ 2.2.3 (Mac OS Runtime for Java) - Inconsistent Use of CODEBASE and ARCHIVE Attributes -
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0241.html
Reference: XF:mrj-runtime-malicious-applets
Reference: URL:http://xforce.iss.net/static/5784.php

Description:
Mac OS Runtime for Java (MRJ) 2.2.3 allows remote attackers to use malicious applets to read files outside of the CODEBASE context via the ARCHIVE applet parameter.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0070

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001226 1st Up Mail Server v4.1 Buffer Overflow Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0143.html
Reference: BID:2152
Reference: URL:http://www.securityfocus.com/bid/2152
Reference: XF:1stup-mail-server-bo
Reference: URL:http://xforce.iss.net/static/5808.php

Description:
Buffer overflow in 1st Up Mail Server 4.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long MAIL FROM command.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0073

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001226 buffer overflow in libsecure (NSA Security-enhanced Linux)
Reference: URL:http://www.securityfocus.com/archive/1/153188
Reference: BID:2154
Reference: URL:http://www.securityfocus.com/bid/2154

Description:
Buffer overflow in the find_default_type function in libsecure in NSA Security-enhanced Linux, which may allow attackers to modify critical data in memory.

Votes:

   MODIFY(1) Frech
   NOOP(3) Cole, Ziese, Wall
Voter Comments:
 Frech> slinux-libsecure-bo(5820)


CAN-2001-0074

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001223 Technote
Reference: URL:http://www.securityfocus.com/archive/1/153007
Reference: BID:2155
Reference: URL:http://www.securityfocus.com/bid/2155

Description:
Directory traversal vulnerability in print.cgi in Technote allows remote attackers to read arbitrary files via a .. (dot dot) attack in the board parameter.

Votes:

   MODIFY(1) Frech
   NOOP(3) Cole, Ziese, Wall
Voter Comments:
 Frech> XF:http-cgi-technote-print(5815)
   Contrary to current references, product is spelled TECH-NOTE
   (see http://www.technote.co.kr/)


CAN-2001-0075

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001227 [Ksecurity Advisory] main.cgi in technote
Reference: URL:http://www.securityfocus.com/archive/1/153212
Reference: BID:2156
Reference: URL:http://www.securityfocus.com/bid/2156

Description:
Directory traversal vulnerability in main.cgi in Technote allows remote attackers to read arbitrary files via a .. (dot dot) attack in the filename parameter.

Votes:

   MODIFY(1) Frech
   NOOP(3) Cole, Ziese, Wall
Voter Comments:
 Frech> XF:http-cgi-technote-main(5813)
   Contrary to current references, product is spelled TECH-NOTE
   (see http://www.technote.co.kr/)


CAN-2001-0076

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001228 Remote vulnerability in Ikonboard upto version 2.1.7b
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0483.html
Reference: BID:2157
Reference: URL:http://www.securityfocus.com/bid/2157
Reference: XF:http-cgi-ikonboard
Reference: URL:http://xforce.iss.net/static/5819.php

Description:
register.cgi in Ikonboard 2.1.7b and earlier allows remote attackers to execute arbitrary commands via the SEND_MAIL parameter, which overwrites an internal program variable that references a program to be executed.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0079

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001213 STM symlink Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0174.html

Description:
Support Tools Manager (STM) A.22.00 for HP-UX allows local users to overwrite arbitrary files via a symlink attack on the tool_stat.txt log file.

Votes:

   MODIFY(1) Frech
   NOOP(3) Cole, Ziese, Wall
Voter Comments:
 Frech> XF:stm-log-files-symlink(6126)
   BID-2158


CAN-2001-0082

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001218 FireWall-1 Fastmode Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0271.html

Description:
Check Point VPN-1/FireWall-1 4.1 SP2 with Fastmode enabled allows remote attackers to bypass access restrictions via malformed, fragmented packets.

Votes:

   MODIFY(1) Frech
   NOOP(3) Cole, Ziese, Wall
Voter Comments:
 Frech> XF:fw1-bypass-rules(6000)
   BID-2143


CAN-2001-0084

Phase: Proposed (20010202)
Reference: BUGTRAQ:20010102 gtk+ security hole.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0498.html
Reference: BUGTRAQ:20010103 Claimed vulnerability in GTK_MODULES
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-01/0027.html
Reference: BID:2165
Reference: URL:http://www.securityfocus.com/bid/2165
Reference: MISC:http://www.gtk.org/setuid.html

Description:
GTK+ library allows local users to specify arbitrary modules via the GTK_MODULES environmental variable, which could allow local users to gain privileges if GTK+ is used by a setuid/setgid program.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(5) Cole, Christey, Prosser, Ziese, Wall
Voter Comments:
 Frech> XF:gtk-module-execute-code(5832)
 Christey> XF:gtk-module-execute-code
   URL:http://xforce.iss.net/static/5832.php
 Christey> TURBO:TLSA2001026
   URL:http://www.turbolinux.com/pipermail/tl-security-announce/2001-June/000440.html


CAN-2001-0086

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001212 Security Advisory: Subscribe Me Lite 1.0 - 2.0 Unix or 1.0 - 2.0 NT and below.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0160.html
Reference: BID:2108
Reference: URL:http://www.securityfocus.com/bid/2108
Reference: XF:subscribemelite-gain-admin-access
Reference: URL:http://xforce.iss.net/static/5735.php

Description:
CGI Script Center Subscribe Me LITE 2.0 and earlier allows remote attackers to delete arbitrary mailing list users without authentication by directly calling subscribe.pl with the target address as a parameter.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0087

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001219 itetris[v1.6.2] local root exploit (system()+../ protection)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0295.html
Reference: BID:2139
Reference: URL:http://www.securityfocus.com/bid/2139
Reference: XF:itetris-svgalib-path
Reference: URL:http://xforce.iss.net/static/5795.php

Description:
itetris/xitetris 1.6.2 and earlier trusts the PATH environmental variable to find and execute the gunzip program, which allows local users to gain root privileges by changing their PATH so that it points to a malicious gunzip program.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0088

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001202 Bypassing admin authentication in phpWebLog
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0025.html
Reference: BID:2047
Reference: URL:http://www.securityfocus.com/bid/2047
Reference: XF:phpweblog-bypass-authentication
Reference: URL:http://xforce.iss.net/static/5625.php

Description:
common.inc.php in phpWebLog 0.4.2 does not properly initialize the $CONF array, which inadvertently sets the password to a single character, allowing remote attackers to easily guess the SiteKey and gain administrative privileges to phpWebLog.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0093

Phase: Proposed (20010202)
Reference: NETBSD:NetBSD-SA2000-017
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-017.txt.asc

Description:
Vulnerability in telnetd in FreeBSD 1.5 allows local users to gain root privileges by modifying critical environmental variables that affect the behavior of telnetd.

Votes:

   ACCEPT(3) Cole, Baker, Ziese
   MODIFY(2) Prosser, Frech
   NOOP(1) Wall
   REVIEWING(1) Christey
Voter Comments:
 Frech> XF:kerberos4-arbitrary-proxy(9733)
   Description states FreeBSD, but advisory is for NetBSD.
 Prosser> http://www.linuxsecurity.com/advisories/netbsd_advisory-1007.html
 CHANGE> [Prosser changed vote from ACCEPT to MODIFY]
 Prosser> The operating system in this CAN should also be NetBSD vice FreeBSD, same as in 0094.  FreeBSD 3.5 STABLE and 4.2 STABLE are vulnerable as well.  See ref
   FreeBSD-SA-01:25
   http://www.linuxsecurity.com/advisories/freebsd_advisory-1153.html
   or http://www.freebsd.org/security/security.html#adv
 Christey> This description does not explicitly mention that the problem is
   in a kerberized telnet.  Need to verify that there aren't
   already other CVE's that describe this.


CAN-2001-0097

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001221 Infinite InterChange DoS
Reference: URL:http://www.securityfocus.com/archive/1/152403
Reference: BID:2140
Reference: URL:http://www.securityfocus.com/bid/2140
Reference: XF:infinite-interchange-dos
Reference: URL:http://xforce.iss.net/static/5798.php

Description:
The Web interface for Infinite Interchange 3.6.1 allows remote attackers to cause a denial of service (application crash) via a large POST request.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Cole, Ziese, Wall
Voter Comments:
 Frech> Version is listed as 3.61 (see
   http://support.infinite.com/kb/648.asp)
   Also, vendor seems to have issued a verification (see above
   document):
   - - WebMail: Fix for an exception error triggered by a POST request
   with
   an extremely long garbage URL. (v3.61.08)


CAN-2001-0098

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001219 def-2000-04: Bea WebLogic Server dotdot-overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0331.html
Reference: BID:2138
Reference: URL:http://www.securityfocus.com/bid/2138
Reference: XF:weblogic-dot-bo
Reference: URL:http://xforce.iss.net/static/5782.php

Description:
Buffer overflow in Bea WebLogic Server before 5.1.0 allows remote attackers to execute arbitrary commands via a long URL that begins with a ".." string.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Cole, Ziese, Wall

CAN-2001-0101

Phase: Modified (20020222-01)
Reference: TURBO:TLSA2000024-1
Reference: URL:http://www.turbolinux.com/pipermail/tl-security-announce/2000-December/000027.html
Reference: REDHAT:RHBA-2000:106-04
Reference: URL:http://www.redhat.com/support/errata/RHBA-2000-106.html
Reference: XF:fetchmail-authenticate-gssapi(7455)
Reference: URL:http://xforce.iss.net/static/7455.php

Description:
Vulnerability in fetchmail 5.5.0-2 and earlier in the AUTHENTICATE GSSAPI command.

Votes:

   ACCEPT(4) Cole, Prosser, Baker, Ziese
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Prosser> TURBO:TLSA2000024-1
   http://www.turbolinux.com/pipermail/tl-security-announce/2000-December/000027.html
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:fetchmail-authenticate-gssapi(7455)


CAN-2001-0102

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001229 Mac OS 9 Multiple Users Control Panel Password Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0497.html
Reference: XF:macos-multiple-users
Reference: URL:http://xforce.iss.net/static/5830.php

Description:
"Multiple Users" Control Panel in Mac OS 9 allows Normal users to gain Owner privileges by removing the Users & Groups Data File, which effectively removes the Owner password and allows the Normal user to log in as the Owner account without a password.

Votes:

   ACCEPT(1) Frech
   NOOP(4) Wall, Cole, Christey, Ziese
Voter Comments:
 Christey> The following post claims that Apple fixed the problem.
   However, the web page is broken, and the new page requires
   user registration.
   BUGTRAQ:20010420 [FYI] Mac OS 9 Multiple Users weakness fixed (was: Mac OS 9 Multiple Users Control Panel Password Vulnerability)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98793967806147&w=2


CAN-2001-0103

Phase: Proposed (20010202)
Reference: BID:2107
Reference: URL:http://www.securityfocus.com/bid/2107
Reference: XF:coffeecup-ftp-weak-encryption
Reference: URL:http://xforce.iss.net/static/5744.php

Description:
CoffeeCup Direct and Free FTP clients useas weak encryption to store passwords in the FTPServers.ini file, which could allow attackers to easily decrypt the passwords.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Cole, Ziese

CAN-2001-0104

Phase: Proposed (20010202)
Reference: BUGTRAQ:20001214 Bypass MDaemon 3.5.1 "Lock Server" Protection
Reference: URL:http://www.securityfocus.com/archive/1/151156
Reference: BID:2115
Reference: URL:http://www.securityfocus.com/bid/2115
Reference: XF:mdaemon-lock-bypass-password
Reference: URL:http://xforce.iss.net/static/5763.php

Description:
MDaemon Pro 3.5.1 and earlier allows local users to bypass the "lock server" security setting by pressing the Cancel button at the password prompt, then pressing the enter key.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Cole, Ziese

CAN-2001-0107

Phase: Proposed (20010214)
Reference: BUGTRAQ:20010115 Veritas BackupExec (remote DoS)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97958921407182&w=2
Reference: BID:2204
Reference: URL:http://www.securityfocus.com/bid/2204

Description:
Veritas Backup agent on Linux allows remote attackers to cause a denial of service by establishing a connection without sending any data, which causes the process to hang.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Christey> XF:veritas-backupexec-dos
   URL:http://xforce.iss.net/static/5941.php
 Frech> XF:veritas-backupexec-dos(5941)
 Christey> BUGTRAQ:19990903 DOS in Backup Exec Agent
   http://marc.theaimsgroup.com/?l=bugtraq&m=93685651407299&w=2


CAN-2001-0112

Phase: Proposed (20010214)
Reference: BUGTRAQ:20010114 [MSY] Multiple vulnerabilities in splitvt
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97958269320974&w=2
Reference: DEBIAN:DSA-014-2
Reference: URL:http://www.debian.org/security/2001/dsa-014
Reference: BID:2210
Reference: URL:http://www.securityfocus.com/bid/2210

Description:
Multiple buffer overflows in splitvt before 1.6.5 allow local users to execute arbitrary commands.

Votes:

   ACCEPT(2) Cole, Baker
   MODIFY(1) Frech
   NOOP(1) Wall
Voter Comments:
 Frech> XF:splitvt-bo(6210)


CAN-2001-0113

Phase: Proposed (20010214)
Reference: BUGTRAQ:20010116 Vulnerabilities in OmniHTTPd default installation
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-01/0248.html
Reference: BID:2211
Reference: URL:http://www.securityfocus.com/bid/2211

Description:
statsconfig.pl in OmniHTTPd 2.07 allows remote attackers to execute arbitrary commands via the mostbrowsers parameter, whose value is used as part of a generated Perl script.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Christey> XF:omnihttpd-statsconfig-execute-code
   URL:http://xforce.iss.net/static/5956.php
 Frech> XF:omnihttpd-statsconfig-execute-code(5956)


CAN-2001-0114

Phase: Proposed (20010214)
Reference: BUGTRAQ:20010116 Vulnerabilities in OmniHTTPd default installation
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-01/0248.html
Reference: BID:2211
Reference: URL:http://www.securityfocus.com/bid/2211

Description:
statsconfig.pl in OmniHTTPd 2.07 allows remote attackers to overwrite arbitrary files via the cgidir parameter.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Christey> XF:omnihttpd-statsconfig-corrupt-files
   URL:http://xforce.iss.net/static/5955.php
 Frech> XF:omnihttpd-statsconfig-corrupt-files(5955)
 Christey> MISC:http://www.omnicron.ca/httpd/docs/release.html
   May be vague acknowledgement; need to ask
   mailto:support@omnicron.ca?subject=OmniHTTPd Technical Support
   (and ask them about the other OmniHTTP issues as well)


CAN-2001-0127

Phase: Proposed (20010214)
Reference: BUGTRAQ:20010115 Flash plugin write-overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-01/0236.html
Reference: BID:2214
Reference: URL:http://www.securityfocus.com/bid/2214

Description:
Buffer overflow in Olivier Debon Flash plugin (not the Macromedia plugin) allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long DefineSound tag.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Christey> XF:flash-module-bo
 Frech> XF:flash-module-bo(5952)


CAN-2001-0131

Phase: Modified (20010430-01)
Reference: BUGTRAQ:20010110 Immunix OS Security update for lots of temp file problems
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97916374410647&w=2
Reference: DEBIAN:DSA-021
Reference: URL:http://www.debian.org/security/2001/dsa-021
Reference: BID:2182
Reference: URL:http://www.securityfocus.com/bid/2182
Reference: XF:linux-apache-symlink(5926)
Reference: URL:http://xforce.iss.net/static/5926.php

Description:
htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local users to overwrite arbitrary files via a symlink attack.

Votes:

   ACCEPT(2) Cole, Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Christey, Magdych
Voter Comments:
 Frech> XF:linux-apache-symlink(5926)
 Christey> XF:linux-apache-symlink
   URL:http://xforce.iss.net/static/5926.php
 Christey> http://archives.neohapsis.com/archives/vendor/2001-q1/0019.html
 Christey> This item may have been re-introduced into the Apache source
   code sometime during 2002; CAN-2002-1233 has been created for
   that version, which affects Apache 1.3.27 and other versions.
 Christey> As a further clarification, CAN-2002-1233 is *only* for the
   Debian-specific regression error.
 Christey> DEBIAN:DSA-195
   URL:http://www.debian.org/security/2002/dsa-195


CAN-2001-0132

Phase: Proposed (20010214)
Reference: BUGTRAQ:20010114 Trend Micro's VirusWall: Multiple vunerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-01/0235.html
Reference: BID:2213
Reference: URL:http://www.securityfocus.com/bid/2213

Description:
Interscan VirusWall 3.6.x and earlier follows symbolic links when uninstalling the product, which allows local users to overwrite arbitrary files via a symlink attack.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Christey
Voter Comments:
 Christey> XF:interscan-viruswall-symlink
   URL:http://xforce.iss.net/static/5947.php
 Frech> XF:interscan-viruswall-symlink(5947)


CAN-2001-0133

Phase: Proposed (20010214)
Reference: BUGTRAQ:20010114 Trend Micro's VirusWall: Multiple vunerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-01/0235.html
Reference: BID:2212
Reference: URL:http://www.securityfocus.com/bid/2212

Description:
The web administration interface for Interscan VirusWall 3.6.x and earlier does not use encryption, which could allow remote attackers to obtain the administrator password to sniff the administrator password via the setpasswd.cgi program or other HTTP GET requests that contain base64 encoded usernames and passwords.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Cole
Voter Comments:
 Frech> XF:interscan-viruswall-weak-authentication(5946)


CAN-2001-0134

Phase: Proposed (20010214)
Reference: BUGTRAQ:20010116 iXsecurity.20001120.compaq-authbo.a
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97967435023835&w=2
Reference: COMPAQ:SSRT0705
Reference: URL:http://www5.compaq.com/products/servers/management/agentsecurity.html
Reference: BID:2200
Reference: URL:http://www.securityfocus.com/bid/2200

Description:
Buffer overflow in cpqlogin.htm in web-enabled agents for various Compaq management software products such as Insight Manager and Management Agents allows remote attackers to execute arbitrary commands via a long user name.

Votes:

   ACCEPT(2) Cole, Baker
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
Voter Comments:
 Frech> XF:compaq-web-management-bo(5935)
 Christ