Name: CVE-2000-0005
Description:
HP-UX aserver program allows local users to gain
privileges via a symlink attack.
Status: Candidate
Phase: Modified (20000204-01)
Reference: BUGTRAQ:19991230 aserver.sh
Reference: BUGTRAQ:20000102 HPUX Aserver
revisited.
Reference: HP:HPSBUX0001-108
Reference: XF:hp-aserver
Votes:
ACCEPT(3) Baker, Armstrong, Stracener
MODIFY(1) Frech
RECAST(1) Christey
REVIEWING(1) Levy
Voter Comments:
Christey> BUGTRAQ:20000102 "HPUX Aserver revisited." indicates that two
different versions of aserver have symlink problems, but with
different files. So CD:SF-LOC says we should split this.
Frech> XF:hp-aserver
Christey> BID:1928 and BID:1930? Which one is being described in
this candidate?
Christey> BID:1930
Name: CVE-2000-0008
Description:
FTPPro allows local users to read sensitive information,
which is stored in plain text.
Status: Candidate
Phase: Proposed (20000111)
Reference: BUGTRAQ:19991227 FTPPro insecuities
Votes:
ACCEPT(3) Baker, Armstrong, Stracener
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Levy
Voter Comments:
Frech> XF:ftppro-plaintext-information
Christey> ADDREF BID:1790
ADDREF URL:http://www.securityfocus.com/bid/1790
Name: CVE-2000-0016
Description:
Buffer overflow in Internet Anywhere POP3 Mail Server
allows remote attackers to cause a denial of service or
execute commands via a long username.
Status: Candidate
Phase: Proposed (20000111)
Reference: NTBUGTRAQ:19991001 Vulnerabilities in
the Internet Anywhere Mail Server
Reference: BUGTRAQ:19991227 Remote DoS/Access
Attack in Internet Anywhere Mail Server(POP 3) v2.3.1
Reference: BID:730
Reference:
URL:http://www.securityfocus.com/bid/730
Votes:
ACCEPT(4) Baker, Armstrong, Stracener, Levy
MODIFY(1) Frech
Voter Comments:
Frech> XF:iams-pop3-command-dos
Name: CVE-2000-0017
Description:
Buffer overflow in Linux linuxconf package allows remote
attackers to gain root privileges via a long parameter.
Status: Candidate
Phase: Proposed (20000111)
Reference: BUGTRAQ:19991221 (Possible) Linuxconf
Remote Buffer Overflow Vulnerability
Votes:
NOOP(4) Christey, Baker, Armstrong, Stracener
REJECT(2) Frech, Levy
Voter Comments:
Christey> It's not certain whether this is exploitable or not. An
expert (the linuxconf author?) wasn't able to duplicate the
bug - see http://lwn.net/1999/1223/a/linuxconfresponse.html
The original posting with example exploit was
http://marc.theaimsgroup.com/?l=bugtraq&m=94580196627059&w=2
However - GIAC and the Security Focus incidents list have
consistently reported that scans are taking place for
linuxconf, so do the hackers know more than we do?
Frech> Unless vendor or other confirmation occurs, there has been no corroboration
of this issue in public forums.
CHANGE> [Armstrong changed vote from ACCEPT to NOOP]
Name: CVE-2000-0019
Description:
IMail POP3 daemon uses weak encryption, which allows
local users to read files.
Status: Candidate
Phase: Proposed (20000111)
Reference: BUGTRAQ:19991221 [w00giving '99 #11]
IMail's password encryption scheme
Votes:
ACCEPT(3) Baker, Armstrong, Stracener
MODIFY(2) Frech, Levy
NOOP(1) Christey
Voter Comments:
Frech> XF:imail-passwords
Levy> BID 880
Christey> BUGTRAQ:19990304 IMAIL password recovery is trivial.
http://www.securityfocus.com/archive/1/12750
Christey> Add version numbers (5.0 through 5.08)
Name: CVE-2000-0021
Description:
Lotus Domino HTTP server allows remote attackers to
determine the real path of the server via a request to a
non-existent script in /cgi-bin.
Status: Candidate
Phase: Modified (20060616)
Reference: BUGTRAQ:19991221 serious Lotus Domino
HTTP denial of service
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP
denial of service attack
Reference: BID:881
Reference:
URL:http://www.securityfocus.com/bid/881
Votes:
ACCEPT(3) Baker, Armstrong, Stracener
MODIFY(2) Frech, Levy
NOOP(1) Christey
Voter Comments:
Frech> XF:http-cgi-lotus-domino
Levy> BID 881
Christey> BID:881
Name: CVE-2000-0028
Description:
Internet Explorer 5.0 and 5.01 allows remote attackers
to bypass the cross frame security policy and read files
via the external.NavigateAndFind function.
Status: Candidate
Phase: Modified (20000626-01)
Reference: BUGTRAQ:19991222 IE 5.01
vulnerabilities in external.NavigateAndFind()
Reference: XF:ie-navigateandfind
Votes:
ACCEPT(2) Armstrong, Stracener
MODIFY(2) Frech, Levy
NOOP(1) Baker
RECAST(1) LeBlanc
REVIEWING(1) Christey
Voter Comments:
Frech> XF:ie-navigateandfind
Christey> May be a duplicate of CVE-2000-0465 according to my
communications with Microsoft people. CVE-2000-0266 may
also be a variant.
Levy> BID 887
LeBlanc> duplicate
Name: CVE-2000-0035
Description:
resend command in Majordomo allows local users to gain
privileges via shell metacharacters.
Status: Candidate
Phase: Proposed (20000111)
Reference: BUGTRAQ:19991228 majordomo local
exploit
Reference: BUGTRAQ:20000113 Info on some security
holes reported against SCO Unixware.
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94780294009285&w=2
Reference: BID:902
Reference:
URL:http://www.securityfocus.com/bid/902
Votes:
ACCEPT(3) Baker, Stracener, Levy
MODIFY(2) Frech, Cox
NOOP(1) Armstrong
REVIEWING(1) Christey
Voter Comments:
Frech> XF:majordomo-local-resend
Christey> The Bugtraq thread indicates that this problem may be
due to misconfiguration, and may extend beyond just the
resend command.
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
Christey> Include "wrapper" to facilitate search and matching? (but
double-check CVE-2000-0037).
Add "1.94.4 and earlier" as the affected version number.
ADDREF AUSCERT:AA-2000.01
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.01
Cox> ADDREF REDHAT:RHSA-2000:005
Name: CVE-2000-0038
Description:
glFtpD includes a default glftpd user account with a
default password and a UID of 0.
Status: Candidate
Phase: Proposed (20000111)
Reference: BUGTRAQ:19991223 Multiple
vulnerabilites in glFtpD (current versions)
Votes:
ACCEPT(2) Armstrong, Stracener
MODIFY(2) Frech, Levy
NOOP(1) Baker
Voter Comments:
Frech> XF:glftpd-default-account
Levy> BID 881
Name: CVE-2000-0046
Description:
Buffer overflow in ICQ 99b 1.1.1.1 client allows remote
attackers to execute commands via a malformed URL within
an ICQ message.
Status: Candidate
Phase: Modified (20000204-01)
Reference: BID:929
Reference:
URL:http://www.securityfocus.com/bid/929
Reference: BUGTRAQ:20000111 ICQ Buffer Overflow
Exploit
Reference: XF:icq-url-bo
Votes:
ACCEPT(2) Williams, Baker
MODIFY(1) Frech
Voter Comments:
Frech> ADDREF XF:icq-url-bo
Name: CVE-2000-0047
Description:
Buffer overflow in Yahoo Pager/Messenger client allows
remote attackers to cause a denial of service via a long
URL within a message.
Status: Candidate
Phase: Modified (20000202-01)
Reference: BUGTRAQ:20000117 Yahoo Pager/Messanger
Buffer Overflow
Reference: XF:yahoo-messenger-pager-dos
Votes:
ACCEPT(2) Baker, Frech
NOOP(1) Williams
Name: CVE-2000-0049
Description:
Buffer overflow in Winamp client allows remote attackers
to execute commands via a long entry in a .pls file.
Status: Candidate
Phase: Modified (20071115)
Reference: NTBUGTRAQ:20000107 Winamp buffer
overflow advisory
Reference: BUGTRAQ:20000109 Buffer overflow with
WinAmp 2.10
Reference: BID:925
Reference:
URL:http://www.securityfocus.com/bid/925
Reference: OSVDB:12022
Reference: URL:http://www.osvdb.org/12022
Reference: XF:winamp-playlist-bo
Votes:
ACCEPT(2) Wall, Cole
MODIFY(2) Baker, Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:winamp-playlist-bo
Christey> This may have been discovered earlier in:
BUGTRAQ:19990512 Buffer overflow in WinAMP 2.x
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92662988700367&w=2
See the following for possible confirmation:
URL:http://www.winamp.com/getwinamp/newfeatures.jhtml
Wall> This vulnerability has been seen in several versions of Winamp and is part of ISS X-Force and SecuriTeam vulnerability checks.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Baker> The old confirm url doesn't work any more... I am not sure where we can get the old changelog/error list.
Name: CVE-2000-0054
Description:
search.cgi in the SolutionScripts Home Free package
allows remote attackers to view directories via a ..
(dot dot) attack.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000104 Another search.cgi
vulnerability
Reference: BID:921
Reference:
URL:http://www.securityfocus.com/bid/921
Votes:
MODIFY(1) Frech
Voter Comments:
Frech> XF:http-cgi-homefree-search
Name: CVE-2000-0055
Description:
Buffer overflow in Solaris chkperm command allows local
users to gain root access via a long -n option.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000106 [Hackerslab
bug_paper] Solaris chkperm buffer overflow
Reference: BID:918
Reference:
URL:http://www.securityfocus.com/bid/918
Votes:
MODIFY(2) Baker, Frech
NOOP(1) Dik
Voter Comments:
Frech> XF:sol-chkperm-bo(3870)
Dik> chkperm runs set-uid bin, so initially the access granted
will be user bin, not root. (Though bin access can easily be leveraged
to root access, less so in Solaris 8+)
Also, there is reason to believe this bug is not exploitable; the buffer
overflown is declared in the stack in main(); yet, the program never
returns from main() but calls exit instead so any damage to return addresses
is never noticed.
Baker> Maybe the details from Caspar could be included, or modify the description somewhat
Name: CVE-2000-0058
Description:
Network HotSync program in Handspring Visor does not
have authentication, which allows remote attackers to
retrieve email and files.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000105 Handspring Visor
Network HotSync Security Hole
Reference:
URL:http://www.security-express.com/archives/bugtraq/2000-01/0085.html
Reference: BID:920
Reference:
URL:http://www.securityfocus.com/bid/920
Votes:
MODIFY(2) Baker, Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:handspring-visor-auth(3873)
Consider removing the security-express.com reference, since it is identical
to the BugTraq reference. The BugTraq reference is (hopefully) not going to
disappear soon, and the security-express.com reference provides no new or
additional information.
Christey> URLs will begin to be included with candidates to support
Board members' voting activities. They will be converted to
the generalized reference format if the candidate is
ACCEPTed and becomes an official entry.
Christey> The problem may not be a lack of authentication (as mentioned
by the poster), but rather weak authentication (the apparent
need to provide the same username).
Baker> Modify description to indicate the weak authentication
Name: CVE-2000-0059
Description:
PHP3 with safe_mode enabled does not properly filter
shell metacharacters from commands that are executed by
popen, which could allow remote attackers to execute
commands.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000103 PHP3 safe_mode and
popen()
Reference: BID:911
Reference:
URL:http://www.securityfocus.com/bid/911
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:php3-popen-execute(3900)
Christey> CONFIRM:http://www.php.net/ChangeLog.php3
Section dated January 11, 2000 says: "Fix safe-mode problem in
popen() (Kristian)"
Name: CVE-2000-0061
Description:
Internet Explorer 5 does not modify the security zone
for a document that is being loaded into a window until
after the document has been loaded, which could allow
remote attackers to execute Javascript in a different
security context while the document is loading.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000107 IE 5 security
vulnerablity - circumventing Cross-frame security policy
and accessing the DOM of "old" documents.
Reference: BID:923
Reference:
URL:http://www.securityfocus.com/bid/923
Votes:
MODIFY(2) LeBlanc, Frech
NOOP(1) Baker
REJECT(1) Christey
Voter Comments:
Frech> XF:ie-cross-frame-docs(3901)
LeBlanc> - I'd like to see a KB or bulletin referenced
Christey> This is a duplicate of CVE-2000-0156. The FAQ at
http://www.microsoft.com/technet/security/bulletin/fq00-009.asp.
says "the vulnerability requires Active Scripting" and
"it is possible, under very specific conditions, to violate IE's
cross-domain security model." Also says "the redirect is made, via
the <IMG SRC> HTML tag"
Need to copy these references over to CVE-2000-0156.
Name: CVE-2000-0066
Description:
WebSite Pro allows remote attackers to determine the
real pathname of webdirectories via a malformed URL
request.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000112 WebSitePro/2.3.18 is
revealing Webdirectories
Votes:
ACCEPT(2) Williams, Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:website-pro-dir-path
Christey> ADDREF BUGTRAQ:20000113 Re: WebSitePro/2.3.18 + 2.4.9 is revealing Webdirectories
URL:http://www.securityfocus.com/archive/1/41798
Also BID:932
Name: CVE-2000-0067
Description:
CyberCash Merchant Connection Kit (MCK) allows local
users to modify files via a symlink attack.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000112 CyberCash MCK
3.2.0.4: Large /tmp hole
Votes:
ACCEPT(2) Williams, Baker
MODIFY(1) Frech
Voter Comments:
Frech> XF:cybercash-mck-tmp(3823)
Name: CVE-2000-0068
Description:
daynad program in Intel InBusiness E-mail Station does
not require authentication, which allows remote
attackers to modify its configuration, delete files, or
read mail.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000104 [rootshell] Security
Bulletin #27
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94704437920965&w=2
Votes:
MODIFY(1) Frech
Voter Comments:
Frech> XF:intel-email-unauthenticate-users
Name: CVE-2000-0069
Description:
The recover program in Solstice Backup allows local
users to restore sensitive files.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000104 Security problem with
Solstice Backup/Legato Networker recover command
Votes:
MODIFY(1) Frech
Voter Comments:
Frech> XF:solstice-backup-restore-files(3904)
Name: CVE-2000-0071
Description:
IIS 4.0 allows a remote attacker to obtain the real
pathname of the document root by requesting non-existent
files with .ida or .idq extensions.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000111 IIS still revealing
paths for web directories
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94770020309953&w=2
Reference: BUGTRAQ:20000113 SV: IIS still
revealing paths for web directories
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94780058006791&w=2
Votes:
ACCEPT(2) LeBlanc, Levy
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Christey
Voter Comments:
Frech> XF:iis-ida-idq-paths
Christey> Consider adding:
ADDREF BID:1065
BUGTRAQ:20000309 Enumerate Root Web Server Directory Vulnerability for IIS 4.0
Are there really 2 different threads on the same problem?
Also consider XF:iis-root-enum
May also be a dupe of CVE-1999-0450 (BID:194)
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Appears to be a duplicate of CVE-2000-0098. Confirm with
Microsoft, and if it is a duplicate, then REJECT this
candidate.
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> Confirmed duplicate by Microsoft.
Christey> iis-ida-idq-paths(4346) is obsolete; ensure
http-indexserver-path(3890) is added to CVE-2000-0098.
Name: CVE-2000-0074
Description:
PowerScripts PlusMail CGI program allows remote
attackers to execute commands via a password file with
improper permissions.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000111 PowerScripts PlusMail
Vulnerablity
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Christey, Williams
Voter Comments:
Frech> XF:plusmail-password-permissions
Christey> Re-read the Bugtraq post to make sure the problem is described
properly. The advisory itself is vague as to the nature of
the problem, and the exploit doesn't help clarify too much.
Christey> Consider adding BID:2653
Name: CVE-2000-0077
Description:
The October 1998 version of the HP-UX aserver program
allows local users to gain privileges by specifying an
alternate PATH which aserver uses to find the ps and
grep commands.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000102 HPUX Aserver
revisited.
Reference: HP:HPSBUX0001-108
Votes:
MODIFY(2) Baker, Frech
REVIEWING(1) Christey
Voter Comments:
Frech> ADDREF XF:hp-aserver
Christey> The Bugtraq posting does not mention specific versions.
Is October 1998 equivalent to HP-UX 10.x?
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> BID:1929
Make sure not dupes with CVE-2000-0005 and CVE-20000-0078.
Baker> Was the BID reference ever added to this one?
Name: CVE-2000-0078
Description:
The June 1999 version of the HP-UX aserver program
allows local users to gain privileges by specifying an
alternate PATH which aserver uses to find the awk
command.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000102 HPUX Aserver
revisited.
Reference: HP:HPSBUX0001-108
Votes:
ACCEPT(2) Prosser, Baker
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> ADDREF XF:hp-aserver
Christey> The Bugtraq posting does not mention specific versions.
Is June 1999 equivalent to HP-UX 10.x?
Prosser> The HP Bulletin (already ref'd) just specifies 10.x and 11.x OS versions running on HP9000 700/800 series. According to Tripp (bugtraq), the audio server doesn't run on a machine without Audio Hardware (logical). So one has to assume from the bulletin that any 9000 with audio hardware that is running a 10.x or 11.x version of OS with either the 98 or 99 version of Aserver loaded will be vulnerable to either the exploit in CVE-1999-0005 (the 98 version of Aserver) or CVE-2000-0078 (the 99 version) and should take appropriate action. No patches out from HP as of 10/2/2000, so either remove the program or tighten the permissions considerably.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> BID:1929
Make sure not dupes with CVE-2000-0005 and CVE-20000-0077.
Name: CVE-2000-0079
Description:
The W3C CERN httpd HTTP server allows remote attackers
to determine the real pathnames of some commands via a
request for a nonexistent URL.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000118 Re: IIS still
revealing paths for web directories
Reference: BID:936
Reference:
URL:http://www.securityfocus.com/bid/936
Votes:
MODIFY(2) Baker, Frech
NOOP(2) Christey, Williams
RECAST(1) LeBlanc
Voter Comments:
Frech> XF:w3c-httpd-reveal-paths
LeBlanc> Title references IIS, vuln references W3C CERN httpd. Which
one is broken?
Christey> The mention of CERN httpd was buried in a followup on a
description of an IIS problem, so this is the correct reference.
Baker> Will the XF reference be added?
Name: CVE-2000-0081
Description:
Hotmail does not properly filter JavaScript code from a
user's mailbox, which allows a remote attacker to
execute the code by using hexadecimal codes to specify
the javascript: protocol, e.g. jAvascript.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000110 Yet another Hotmail
security hole - injecting JavaScript using
"jAvascript:"
Votes:
MODIFY(1) Frech
REJECT(1) Baker
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:hotmail-vascript-java-injection
Name: CVE-2000-0082
Description:
WebTV email client allows remote attackers to force the
client to send email without the user's knowledge via
HTML.
Status: Candidate
Phase: Modified (20040901)
Reference:
MISC:http://net4tv.com/voice/story.cfm?StoryID=1823
Reference:
MISC:http://www.wired.com/news/technology/0,1282,33420,00.html
Reference: BUGTRAQ:20000104 The WebTV Email
Exploit
Votes:
MODIFY(1) Frech
REJECT(1) Baker
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> ADDREF XF:webtv-hijack-mail-forward
Name: CVE-2000-0084
Description:
CuteFTP uses weak encryption to store password
information in its tree.dat file.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000105 CuteFTP saved
password 'encryption' weakness
Votes:
MODIFY(2) Baker, Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:cuteftp-weak-encrypt(3910)
Christey> BUGTRAQ:20010823 Re: Respondus v1.1.2 stores passwords using weak encryption
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99861651923668&w=2
This followup to a different thread mentions the sm.dat file
for the site manager.
Baker> The reference from the Bugtraq mentions the sm.dat uses better encryption, but doesn't really address the tree.dat file.
Name: CVE-2000-0085
Description:
Hotmail does not properly filter JavaScript code from a
user's mailbox, which allows a remote attacker to
execute code via the LOWSRC or DYNRC parameters in the
IMG tag.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000103 Hotmail security hole
- injecting JavaScript using <IMG
LOWSRC="javascript:....">
Reference: BUGTRAQ:20000104 Yet another Hotmail
security hole - injecting JavaScript in IE using <IMG
DYNRC="javascript:....">
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
Voter Comments:
Frech> XF:hotmail-java-execute
Name: CVE-2000-0086
Description:
Netopia Timbuktu Pro sends user IDs and passwords in
cleartext, which allows remote attackers to obtain them
via sniffing.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000116 TB2 Pro sending NT
passwords cleartext
Reference: BID:935
Reference:
URL:http://www.securityfocus.com/bid/935
Votes:
ACCEPT(2) Williams, Baker
MODIFY(1) Frech
Voter Comments:
Frech> XF:timbuktu-password-cleartext
Name: CVE-2000-0093
Description:
An installation of Red Hat uses DES password encryption
with crypt() for the initial password, instead of md5.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000122 NIS security advisory
: password method downgrade
Reference: BUGTRAQ:20000121 Rh 6.1 initial root
password encryption
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:linux-initial-password-encryption
Name: CVE-2000-0096
Description:
Buffer overflow in qpopper 3.0 beta versions allows
local users to gain privileges via a long LIST command.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000126 Qpopper security bug
Reference: BID:948
Reference:
URL:http://www.securityfocus.com/bid/948
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:qpopper-list-bo
Name: CVE-2000-0101
Description:
The Make-a-Store OrderPage shopping cart application
allows remote users to modify sensitive purchase
information via hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering
Vulnerabilities in Several Web-Based Shopping Cart
Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> I would combine all of these shopping cart applications into one listing,
since they all have the same vulnerability being able to modify sensitive
purchase information via hidden form fields. My concern is in cases like
this we used over 10 entries for basically the same vulnerability. I could
think of cases where there could be 20+ applications with the same
vulnerability and in my opinion it could start to weaken the value of CVE
where there are 30 entries all referring to the same thing. It is almost
like we are playing the vendor game where more is better. I think we
should go after the quality over quantity aspect.
Christey> I disagree with Eric here. This vulnerability is a "type" of
problem in the same way that a buffer overflow is a "type" of
problem. While the shopping cart application bugs were
proposed mostly at the same time, they are all by different
vendors.
The raw numbers of applications with this problem can make it
appear that CVE is artificially inflating the number of
entries. However, content decisions such as CD:SF-LOC
(different lines of code) dictate that these should be
separated. It's not a "numbers game" but rather a principled
and consistent approach to resolving problems with
selecting a level of abstraction.
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0102
Description:
The SalesCart shopping cart application allows remote
users to modify sensitive purchase information via
hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering
Vulnerabilities in Several Web-Based Shopping Cart
Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0103
Description:
The SmartCart shopping cart application allows remote
users to modify sensitive purchase information via
hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering
Vulnerabilities in Several Web-Based Shopping Cart
Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0104
Description:
The Shoptron shopping cart application allows remote
users to modify sensitive purchase information via
hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering
Vulnerabilities in Several Web-Based Shopping Cart
Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0105
Description:
Outlook Express 5.01 and Internet Explorer 5.01 allow
remote attackers to view a user's email messages via a
script that accesses a variable that references
subsequent email messages that are read by the client.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000201 Outlook Express 5
vulnerability - Active Scripting may read email messages
Reference: BID:962
Reference:
URL:http://www.securityfocus.com/bid/962
Votes:
ACCEPT(2) Wall, Cole
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> email-active-script-html
Christey> Acknowledged via personal communication with Microsoft
personnel, but I need to look through my email logs to recall
whether they said that it is a duplicate of CVE-2000-0653
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Name: CVE-2000-0106
Description:
The EasyCart shopping cart application allows remote
users to modify sensitive purchase information via
hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering
Vulnerabilities in Several Web-Based Shopping Cart
Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0108
Description:
The Intellivend shopping cart application allows remote
users to modify sensitive purchase information via
hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering
Vulnerabilities in Several Web-Based Shopping Cart
Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0109
Description:
The mcsp Client Site Processor system (MultiCSP) in
Standard and Poor's ComStock is installed with several
accounts that have no passwords or easily guessable
default passwords.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000201 Security issues with
S&P ComStock multiCSP (Linux)
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(3) Christey, Wall, Baker
Voter Comments:
Christey> ADDREF BUGTRAQ:20000324 Security issues with S&P ComStock multiCSP (Linux)
http://marc.theaimsgroup.com/?l=bugtraq&m=95422382625409&w=2
Note: this posting was a repeat of the February 1 post,
saying that the problem still hadn't been fixed.
Frech> XF:comstock-multicsp-passwords
Christey> ADDREF BID:1080
URL:http://www.securityfocus.com/vdb/bottom.html?vid=1080
Name: CVE-2000-0110
Description:
The WebSiteTool shopping cart application allows remote
users to modify sensitive purchase information via
hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering
Vulnerabilities in Several Web-Based Shopping Cart
Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0114
Description:
Frontpage Server Extensions allows remote attackers to
determine the name of the anonymous account via an RPC
POST request to shtml.dll in the /_vti_bin/ virtual
directory.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000203 2 MS Frontpage issues
Cerberus Information Security Advisory (CISADV000203)
Votes:
ACCEPT(3) Wall, Baker, Cole
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:iis-frontpage-info
Christey> Acknowledged via personal communication with Microsoft
personnel.
May be the same as BID:1174 and/or BID:1433 (both mention
FrontPage, but one mentions shtml.exe and another mentions
shtml.dll)
Christey> [note to self: review comments by Mark Burnett]
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Name: CVE-2000-0115
Description:
IIS allows local users to cause a denial of service via
invalid regular expressions in a Visual Basic script in
an ASP page.
Status: Candidate
Phase: Proposed (20000208)
Reference: NTBUGTRAQ:20000121 Strange behaviour
IIS and RegExp
Votes:
ACCEPT(1) Cole
NOOP(1) Baker
REJECT(2) LeBlanc, Frech
REVIEWING(1) Wall
Voter Comments:
Frech> This reference to NTBugtraq has a message that ends with "Can anyone
reproduce this?", and there are no followups. This makes for a weak
reference. There are also no other references listed for this CAN.
LeBlanc> - no follow-ups, no KB article, no fix
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Name: CVE-2000-0118
Description:
The Red Hat Linux su program does not log failed
password guesses if the su process is killed before it
times out, which allows local attackers to conduct brute
force password guessing.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000130 RedHat 6.1 /and
others/ PAM
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94935300520617&w=2
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> Is this the same issue as BugTraq Mailing List, Wed, 9 Jun 1999 14:07:27
-0700 "vulnerability in su/PAM in redhat" at
http://www.netspace.org/cgi-bin/wa?A2=ind9906b&L=bugtraq&F=&S=&P=5356 and
"Solaris 2.5 /bin/su [was: vulnerability in su/PAM in redhat]" at
http://www.netspace.org/cgi-bin/wa?A2=ind9906b&L=bugtraq&F=&S=&P=6051
If so, then MODIFY XF:su-brute
Christey> BID:320
URL:http://www.securityfocus.com/vdb/bottom.html?vid=320
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:su-brute(2278)
This issue involves more platforms than Red Hat. See BugTraq
Mailing List, Thu Jun 10 1999 12:13:06, "Solaris 2.5 /bin/su [was:
vulnerability in su/PAM in redhat]",
http://www.securityfocus.com/archive/1/14854
Christey> It does look like this is the same issue as the other Bugtraq
post that explicitly mentions Red Hat and PAM.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Name: CVE-2000-0119
Description:
The default configurations for McAfee Virus Scan and
Norton Anti-Virus virus checkers do not check files in
the RECYCLED folder that is used by the Windows Recycle
Bin utility, which allows attackers to store malicious
code without detection.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000130 Bypass Virus Checking
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94936267131123&w=2
Votes:
ACCEPT(2) Wall, Cole
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Christey> ADDREF BID:956
A followup post on Feb 8 by Paul L Schmehl claims that this
would not work, because the anti-virus checkers would
activate if the user attempts to execute the program.
Frech> XF:win-trojan-detection-bypass
Much earlier possible reference at NTBugtraq Mailing List, Wed, 22 Dec 1999
20:37:43 -0800, "Bypass Virus Checking under 95/98/NT" at
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9912&L=ntbugtraq&F=&S=&P=6030
CHANGE> [Cole changed vote from REVIEWING to ACCEPT]
Christey> NTBUGTRAQ:19991222 Bypass Virus Checking under 95/98/NT
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9912&L=ntbugtraq&F=&S=&P=6030
Name: CVE-2000-0122
Description:
Frontpage Server Extensions allows remote attackers to
determine the physical path of a virtual directory via a
GET request to the htimage.exe CGI program.
Status: Candidate
Phase: Modified (20070607)
Reference: BUGTRAQ:20070603 CERN İmage Map
Dispatcher
Reference:
URL:http://www.securityfocus.com/archive/1/archive/1/470458/100/0/threaded
Reference: NTBUGTRAQ:20000203 2 MS Frontpage
issues Cerberus Information Security Advisory
(CISADV000203)
Reference: BID:964
Reference:
URL:http://www.securityfocus.com/bid/964
Reference:
XF:frontpage-cern-information-disclosure(34719)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/34719
Votes:
ACCEPT(4) LeBlanc, Wall, Baker, Cole
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:ms-frontpage-get-htimage
Christey> It appears that this was rediscovered on April 18, 2000:
BUGTRAQ:20000418 More vulnerabilities in FP
URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D38FCAC0C.869611C0%40hobbiton.org
This in turn may match BID:1141
Christey> According to Scott Culp of Microsoft, this was patched in MS:MS00-028.
Christey> BID:1141 ??
Name: CVE-2000-0123
Description:
The shopping cart application provided with Filemaker
allows remote users to modify sensitive purchase
information via hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000203 Re: [xforce@iss.net:
ISSalert: ISS E-Security Alert: Form Tampering
Vulnerabilities in Several Web-Based Shopping Cart
Applications]
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0124
Description:
surfCONTROL SuperScout does not properly assign a
category to web sites with a . (dot) at the end, which
may allow users to bypass web access restrictions.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000203 surfCONTROL
SuperScout v2.6.1.6 flaw
Reference: BID:965
Reference:
URL:http://www.securityfocus.com/bid/965
Votes:
MODIFY(2) Baker, Frech
NOOP(2) Christey, Wall
RECAST(1) Cole
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:surfcontrol-superscout-bypass-filter(4009)
Christey> Fix typo: "asign"
Baker> Description still has typo asign instead of assign
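A worked illustration of the canonicalisation failure this candidate describes, added here and not taken from surfCONTROL or the advisory: a toy categoriser whose policy lookup keys on the host name exactly as the browser sent it, beside one that canonicalises the name first. The category table, the host names and the permissive default for unknown sites are all constructed assumptions.

```python
# Added example; not surfCONTROL code. Demonstrates why a host name must be
# canonicalised before a policy lookup: "games.example.net." is the same DNS
# name as "games.example.net" (the trailing dot only marks it as fully
# qualified), but a dictionary keyed on the raw string does not know that.
from urllib.parse import urlsplit

# Constructed policy table (host -> category) and the categories to deny.
CATEGORIES = {
    "games.example.net": "games",
    "www.example.org": "news",
}
BLOCKED = {"games"}
UNKNOWN = "uncategorised"


def naive_category(url: str) -> str:
    """Flawed lookup: uses the host exactly as it appears in the URL."""
    host = urlsplit(url).hostname or ""
    return CATEGORIES.get(host, UNKNOWN)


def canonical_host(url: str) -> str:
    """Canonical host: lowercase, port removed, trailing dot(s) stripped."""
    host = urlsplit(url).hostname or ""  # .hostname lowercases and drops the port
    return host.rstrip(".")


def category(url: str) -> str:
    """Lookup on the canonical form, so every spelling hits the same entry."""
    return CATEGORIES.get(canonical_host(url), UNKNOWN)


def allowed(url: str, lookup=category) -> bool:
    """Policy decision. Unknown sites are permitted here, which is what turns
    a lookup miss into a bypass; a deny-by-default policy for unknown
    categories would close the hole from the other side."""
    return lookup(url) not in BLOCKED
```

The lesson generalises beyond the trailing dot: anything the resolver treats as equivalent (case, a trailing dot, an explicit port, an IP literal for the same host) must be folded into one canonical key before the policy table is consulted, and the default for a miss decides whether a canonicalisation gap is a nuisance or a bypass.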
Name: CVE-2000-0125
Description:
wwwthreads does not properly cleanse numeric data or
table names that are passed to SQL queries, which allows
remote attackers to gain privileges for wwwthreads
forums.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000203 RFP2K01 - "How I
hacked Packetstorm" (wwwthreads advisory)
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10002031027120.15921-100000@eight.wiretrip.net
Reference: BID:967
Reference:
URL:http://www.securityfocus.com/bid/967
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:wwwthreads-sql-command-privs(4011)
Christey> CONFIRM:http://www.wwwthreads.com/perl/showflat.pl?Cat=&Board=info&Number=9932&page=1&view=collapsed&sb=5
Name: CVE-2000-0126
Description:
Sample Internet Data Query (IDQ) scripts in IIS 3 and 4
allow remote attackers to read files via a .. (dot dot)
attack.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000202 Alert: IIS 4 / IS 2
IDQ Cerberus Information Security Advisory
(CISADV000202)
Reference: NTBUGTRAQ:20000202 Alert: IIS 4 / IS 2
IDQ Cerberus Information Security Advisory
(CISADV000202)
Votes:
ACCEPT(4) LeBlanc, Wall, Baker, Cole
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:iis-dir-traversal-read
Christey> This may be a variant of CVE-2000-0097 or CVE-2000-0098.
MS:MS00-006 says that a new variant was announced on February 4,
but that it only revealed the physical path. The post related
to this CAN is dated February 2, but it describes the impact
as being able to read files.
See http://marc.theaimsgroup.com/?l=bugtraq&m=94972759912790&w=2
Christey> According to Mark Burnett: "CISADV000202 [described] idq.dll
and involving .idq files... IDQ files are vulnerable to a
double-dot bug that allows files on the same partition as the
web root to be viewed.... [This candidate] refers to the same
MS00-006"
ADDREF MS:MS00-006
ADDREF BID:968 ?
Frech> Change iis-dir-traversal-read(4014) to http-indexserver-view-files(4232)
Name: CVE-2000-0129
Description:
Buffer overflow in the SHGetPathFromIDList function of
the Serv-U FTP server allows attackers to cause a denial
of service by performing a LIST command on a malformed
.lnk file.
Status: Candidate
Phase: Proposed (20000208)
Reference: NTBUGTRAQ:20000204 Local / Remote
D.o.S Attack in Serv-U FTP-Server v2.5b for Win9x/WinNT
Vulnerability
Reference: BUGTRAQ:20000204 Local / Remote D.o.S
Attack in Serv-U FTP-Server v2.5b for Win9x/WinNT
Vulnerability
Reference: NTBUGTRAQ:20000204 Windows Api
SHGetPathFromIDList Buffer Overflow
Reference: BUGTRAQ:20000204 Windows Api
SHGetPathFromIDList Buffer Overflow
Votes:
ACCEPT(3) Blake, Baker, Cole
MODIFY(2) Frech, Levy
NOOP(2) Armstrong, Ozancin
RECAST(1) Christey
REVIEWING(1) Wall
Voter Comments:
Frech> XF:win-shortcut-api-bo
The real problem seems to be with the Windows API call, not the Serv-U FTP
app. As the "Windows Api SHGetPathFromIDList Buffer Overflow" reference
states, [The bug can] "cause whatever handles the shortcuts to crash."
As a suggestion, rephrase the description from Windows's context, and state
that the Serv-U FTP server is an example of an app that exhibits this
problem.
Wall> Comment: the original UssrLabs advisory does mention the SHGetPathFromIDList
buffer overflow in a Windows API and that Serv-U FTP uses this API to cause the
problem. The problem does not exist on Windows 2000. The solution seems to be
in a new release of Serv-U FTP.
Levy> BID 970
Christey>
Reports indicate that while the vulnerable function was found in Serv-U FTP
server, the function is actually from Microsoft, and as such may affect other
applications.
XF:win-shortcut-api-bo
BID:970
Name: CVE-2000-0132
Description:
Microsoft Java Virtual Machine allows remote attackers
to read files via the getSystemResourceAsStream
function.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000201 `Microsoft VM for
Java' allows reading local files using
`getSystemResourceAsStream'.
Reference: BID:957
Reference:
URL:http://www.securityfocus.com/bid/957
Votes:
ACCEPT(2) Wall, Cole
NOOP(1) Baker
REJECT(3) Christey, LeBlanc, Frech
Voter Comments:
Frech> How is this different from MITRE:CVE-2000-0162, other than the
fact that it has an MS advisory that's vague on the reason but
has the same outcome, and this one mentions the
getSystemResourceAsStream function?
Christey> This is a duplicate of CVE-2000-0162, as confirmed via David
LeBlanc. The descriptions of CVE-2000-0132 and CVE-2000-0162 were
significantly different, as was the descriptive text of
MS:MS00-011 and the original Bugtraq posting. So this
duplicate wasn't picked up before. CVE-2000-0162 needs to be
modified to include XF:virtual-machine-file-read as a
reference.
LeBlanc> Duplicate
Christey> Ensure that CVE-2000-0162 uses msvm-java-file-read(4024) now,
instead of virtual-machine-file-read(4577)
Frech> If duplicate with CVE-2000-0098, shouldn't the references be
moved over to the valid CVE number? Please advise.
Christey> When CVE-2000-0132 is rejected, the references will be added
to CVE-2000-0098.
Name: CVE-2000-0133
Description:
Buffer overflows in Tiny FTPd 0.52 beta3 FTP server
allows users to execute commands via the STOR, RNTO,
MKD, XMKD, RMD, XRMD, APPE, SIZE, and RNFR commands.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000201 Tiny FTPd 0.52 beta3
Buffer Overflow
Reference: BID:961
Reference:
URL:http://www.securityfocus.com/bid/961
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:tinyftp-command-overflow(4000)
Name: CVE-2000-0134
Description:
The Check It Out shopping cart application allows remote
users to modify sensitive purchase information via
hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering
Vulnerabilities in Several Web-Based Shopping Cart
Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0135
Description:
The @Retail shopping cart application allows remote
users to modify sensitive purchase information via
hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering
Vulnerabilities in Several Web-Based Shopping Cart
Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0136
Description:
The Cart32 shopping cart application allows remote users
to modify sensitive purchase information via hidden form
fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering
Vulnerabilities in Several Web-Based Shopping Cart
Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0137
Description:
The CartIt shopping cart application allows remote users
to modify sensitive purchase information via hidden form
fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering
Vulnerabilities in Several Web-Based Shopping Cart
Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
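The five shopping-cart candidates above (CVE-2000-0123, CVE-2000-0134 through CVE-2000-0137) describe the same flaw: price and order details round-trip through hidden form fields and are trusted when they come back. The example below is added here and is not code from any of the named products or from the ISS alert. It shows the vulnerable pattern on a constructed checkout form and the two server-side fixes a practitioner would reach for: recompute the total from the catalogue, or sign the hidden fields so edits are detected. The catalogue, the form, the secret and the quantity limits are all constructed assumptions.

```python
# Added example; not code from any of the named cart products or the ISS
# alert. Shows the hidden-field trust problem and two server-side fixes.
import hashlib
import hmac
from decimal import Decimal

# Constructed catalogue: the only authoritative source of prices.
CATALOG = {
    "SKU-100": Decimal("49.95"),
    "SKU-200": Decimal("199.00"),
}
# Assumption: a per-deployment secret that never leaves the server.
FORM_SECRET = b"constructed-demo-secret"


def render_form(sku: str) -> str:
    """The HTML a vulnerable cart emits: the price travels to the browser as a
    hidden field and is trusted when it comes back."""
    return (
        '<form method="POST" action="/checkout">'
        f'<input type="hidden" name="sku" value="{sku}">'
        f'<input type="hidden" name="price" value="{CATALOG[sku]}">'
        '<input type="text" name="qty" value="1">'
        "</form>"
    )


def total_trusting_form(form: dict) -> Decimal:
    """Vulnerable: whoever edits the form (or replays the POST) sets the price."""
    return Decimal(form["price"]) * int(form["qty"])


def total_from_catalog(form: dict) -> Decimal:
    """Hardened: only SKU and quantity are read from the client; the price is
    re-read from the catalogue and the client's copy is ignored."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown SKU")
    qty = int(form["qty"])
    if not 1 <= qty <= 99:  # assumed sanity bound
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def price_tampered(form: dict) -> bool:
    """Detection: the submitted price differs from the catalogue. Worth logging
    as an attack indicator; the order must use the catalogue price either way."""
    return form["sku"] in CATALOG and Decimal(form["price"]) != CATALOG[form["sku"]]


def sign_fields(fields: dict) -> str:
    """Alternative when the server cannot keep state between pages: emit the
    hidden fields together with an HMAC over a canonical encoding and refuse
    the POST if it no longer verifies. Keys are sorted so field order is
    irrelevant to the signature."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(FORM_SECRET, msg, hashlib.sha256).hexdigest()


def verify_fields(fields: dict, signature: str) -> bool:
    return hmac.compare_digest(sign_fields(fields), signature)
```

Recomputing from the catalogue is the better fix because it removes the client from the trust path entirely; the signed-field variant only detects edits and still leaks the price to the browser, so it is the fallback for stateless deployments, not the first choice.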
Name: CVE-2000-0138
Description:
A system has a distributed denial of service (DDOS)
attack master, agent, or zombie installed, such as (1)
Trinoo, (2) Tribe Flood Network (TFN), (3) Tribe Flood
Network 2000 (TFN2K), (4) stacheldraht, (5) mstream, or
(6) shaft.
Status: Candidate
Phase: Modified (20000502-01)
Reference: CERT:CA-2000-01
Reference: CERT:IN-99-04
Reference: SUN:00193
Reference: ISS:20000209 Denial of Service Attack
using the TFN2K and Stacheldraht programs
Reference: ISS:20000502 "mstream" Distributed
Denial of Service Tool
Reference:
URL:http://xforce.iss.net/alerts/advise48.php3
Reference: BUGTRAQ:19991206 Analysis of trin00
Reference: BUGTRAQ:19991206 Analysis of Tribe
Flood Network
Reference: BUGTRAQ:19991229 Analysis of
"stacheldraht"
Reference: BUGTRAQ:20000211 DDOS Attack
Mitigation
Reference: BUGTRAQ:20000211 TFN2K - An Analysis
Reference: BUGTRAQ:20000211 A DDOS proposal.
Reference: BUGTRAQ:20000429 Re: Source code to
mstream, a DDoS tool
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95715370208598&w=2
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95722093124322&w=2
Votes:
ACCEPT(2) Wall, Cole
NOOP(4) Christey, Dik, Shostack, Levy
RECAST(3) Baker, Ziese, Meunier
REVIEWING(2) Blake, Bishop
Voter Comments:
Christey> **********************************************************
THIS CANDIDATE HAS GENERATED A LONG THREAD. SEE THE
EDITORIAL BOARD ARCHIVES FOR DETAILS, BEGINNING AT
http://cve.mitre.org/Board_Sponsors/archives/msg00590.html
**********************************************************
Ziese>
I'd like to suggest that we consider not tying
specifically to a DDOS tool. Instead, since we are at a higher
abstraction level, that we make the class include those master/slave
tool combinations that are used for malicious purposes (i.e. DDOS,
data exfiltration, or whatever the appropriate classes of effect are).
My concern is that (1) we treat all distributed attacks at the same
abstract level; not just the DDOS ones. Second, if it is at a higher
abstraction level then it seems right to unlimit it (by including
master/slave combinations in general; not just the DDOS aspect).
Meunier> I think that trinoo etc... are very similar to smurf attacks
(CVE-1999-0513 ) in the sense that a third party allows itself to be
used. Also, there is an obvious solution that can only be done by
that third party.
As for the CVE entry, I am considering whether the common entry point
could be reduced to "egress filtering has not been implemented or has
been disabled, allowing the sending of spoofed IP packets".
Incidentally, this would prevent the use of decoys in port scans,
etc... This single CVE entry would be very powerful. We could use
the dot notation to list the DDoS tools and attacks that rely on the
absence of egress filtering based on the argument that if you have
egress filtering, nobody will bother to put or use DDoS tools on your
computers.
The weakness of this is that one could in theory still use DDoS tools
even if you have egress filtering -- only they will be one shot guns,
almost completely eliminating their appeal and effectiveness. One
use, and they will be blocked, tracked down and destroyed
efficiently.
Pascal
P.S.: I am attracted by the idea of starting an internet (fire)wall
of shame, for people who haven't implemented egress filtering. It
worked pretty well against sites allowing themselves to be used for
smurf attacks (http://www.powertech.no/smurf/). Why not use the same
strategy for egress filtering? Of course it's hard to know who is
the source of IP spoofed packets. However the consistent detection
of crud originating from a server is a sure sign that they haven't
implemented egress filtering. For example (my first candidate to
this wall of shame), this weekend the Linux suse ftp server sent many
packets with an illegal ip address as source, one reserved for local
area networks, upon making an ftp connection (it may still be doing
it, I haven't checked since -- the suse ftp admin mentioned that they
were aware of it). It was easy to figure out it was them by
repeating the ftp connections and observing the 100% reproducibility
and time correlation of the extraneous packets. In addition, the
suse servers kept sending me crud for *hours* after a failed attempt
to download their PPC beta.
The cost of egress filtering is easily justified. The argument is
similar to those relating to pollution, except that people don't
try to break into your car if you have removed the catalytic
converter.
Bishop> I need to think about the exact meaning of MP. I suspect I
will agree with the classification, on an operational basis
(meaning I may want to revisit it), but I want to think on it
some more.
Blake> I don't agree with Pascal that this is a filtering problem analogous to
smurf. Rootkit is a better analogy. The DDoS software doesn't exploit
any unique vulnerability directly. Its presence is entirely predicated
on the existence of at least one other, easily exploited vulnerability.
From the perspective of the system owner, this is just one of several
backdoors that could be installed. Seems to me that the presence of a
known backdoor package should be considered a vulnerability (or at least
an exposure).
I'm really torn on whether or not to split them out, though. My
inclination is to group master and slave by package; i.e., trinoo
master/slave, tfn master/slave, etc.
Wall>
Just to be consistent, you may add Trinoo (trin00) and does it matter
if it is Tribal or Tribe? The original internal c program says Tribe Flood
Network.
Meunier> What they have in common is the use of an amplification mechanism.
They are broadcasting (multicasting) to a (virtual private) network,
which then amplifies the messages. In both cases, the amplification
is done by the third party victim hosts. The difference is just that
the network is virtual instead of physical.
Scott, you are assuming that the people who have the tools installed
are unwilling. Let's say theoretically speaking that there is an
underground hacker group (or student association) who is hooked up to
DSL lines (like in university residences) and who thinks that it
would be "cool" to form an "army". How about a popular civil
movement protesting something, like the WTO last summer? I think
some people would voluntarily "enlist" their computers in a cause
that would use DDoS attacks. The rootkit analogy does not hold, yet
the DDoS attacks could be just as effective. However, if the
university or ISPs implemented egress filtering, the DDoS attacks
could be easily stopped because the people could be held accountable.
The crux of the matter is the anonymity provided by IP spoofing.
You are correct that in most cases, having a DDoS tool installed on
your system is an exposure like rootkit. Maybe that deserves a CVE
entry. However, I think that does not capture the nature of the
DDoS, and that an entry about egress filtering is of utmost
importance because it patches a fundamental vulnerability of IPv4.
Blake> Excellent response, Pascal, thanks. I hadn't thought of people
volunteering, but that's certainly a plausible scenario. Part of my
motivation/thinking was a desire to stay away from making this into only
yet another use for spoofed IP packets. I wholeheartedly agree that
egress filtering is essential, but am reluctant to single out the recent DDoS
events as the reason for it.
I'd prefer to split out egress filtering as a separate CVE entry (on the
theory that not using egress filtering constitutes an exposure -- at least
to liability), rather than tying it to these entries.
Levy> I agree with Scott for no other reason than that there needs to be a CVE
ID so that IDS systems can report these things.
Are we going to start handing out CVE ids for low level design faults?
E.g. lack of encryption at the IPv4 packet level? lack of resource
allocation protocols? the use of DES instead of Triple DES? etc
Shostack> Both excellent points, however, I'd like to add that even if people
volunteer to host the tools, Trinoo and company allow the controlling
attacker to hide activities, which counts as an exposure under
http://cve.mitre.org/About_CVE/About/definition.html
Cole> Even with all of the debate I accept this one.
Christey> With respect to inclusion of design flaws in CVE, review
http://cve.mitre.org/Board_Sponsors/archives/msg00602.html
Other design flaws that have already been added to CVE
include Smurf (CVE-1999-0513), Fraggle (CVE-1999-0514)
and TCP sequence number prediction (CVE-1999-0077), although
this last one may need to be RECAST to a lower level of
abstraction.
CHANGE> [Meunier changed vote from REVIEWING to RECAST]
Meunier> In the sense that this is like a rootkit, then it is a
duplicate of CVE-1999-0660, "A hacker utility or Trojan Horse is
installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc..."
It should be recast as CVE-1999-0660.1 DDoS tools
Other dot notations could indicate different effects of the tools.
Dik> There doesn't seem to be much to add to the
discussion.
Baker> Concur that this is a hacker utility, and should be recast and merged with other backdoor programs that allow a hacker to control the activities of the system.
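The board thread above turns on whether the real exposure is the DDoS agent itself or the missing source-address egress filter that lets the agent spoof. The example below is added here and is not code from the DDoS tools or the advisories cited in this candidate; it models the border filter Meunier argues for (the RFC 2827 style check, in the form a practitioner would implement in a policy engine or test harness): outbound packets whose source address the site could not legitimately have originated are dropped, which is what denies an agent on that site the anonymity of spoofing. The site prefixes, the bogon list and the sample packets are constructed.

```python
# Added example; not code from any DDoS tool or advisory cited in this entry.
# Source-address egress filtering: a site's border forwards an outbound packet
# only if its source address belongs to the site's own allocation.
import ipaddress

# Assumption: the address space this site is allocated and may source from.
SITE_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/25")]

# Sources that must never leave a site: "this network", RFC 1918 private
# space, loopback and link-local.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def egress_verdict(src: str) -> str:
    """'forward' if the source is one of ours, otherwise a reason for dropping."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGON_PREFIXES):
        return "drop: reserved/private source"
    if not any(addr in net for net in SITE_PREFIXES):
        return "drop: spoofed source (not in site prefixes)"
    return "forward"


def egress_permits(src: str) -> bool:
    return egress_verdict(src) == "forward"


def filter_outbound(packets):
    """packets: iterable of (src, dst) address strings.
    Returns (forwarded, dropped); each dropped entry carries its reason so the
    log shows whether a host is spoofing or leaking private addresses."""
    forwarded, dropped = [], []
    for src, dst in packets:
        verdict = egress_verdict(src)
        if verdict == "forward":
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst, verdict))
    return forwarded, dropped


# Constructed outbound traffic at the border: one legitimate packet, one from
# a DDoS agent spoofing an address in a neighbouring block the site does not
# own, and one with an RFC 1918 source of the kind Meunier describes leaking
# from a server.
SAMPLE_PACKETS = [
    ("203.0.113.7", "192.0.2.10"),
    ("198.51.100.200", "192.0.2.10"),
    ("192.168.1.5", "192.0.2.10"),
]
```

The filter says nothing about the payload, so a TFN or trinoo agent can still flood with its real address; as Meunier notes, that makes the flood traceable and one-shot, which is the whole point. The per-packet reason string is deliberate: a steady stream of "spoofed source" drops from one internal host is the detection signal that an agent has been installed.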
Name: CVE-2000-0142
Description:
The authentication protocol in Timbuktu Pro 2.0b650
allows remote attackers to cause a denial of service via
connections to port 407 and 1417.
Status: Candidate
Phase: Proposed (20000216)
Reference: BUGTRAQ:20000211 Timbuktu Pro 2.0b650
DoS
Votes:
ACCEPT(4) Blake, LeBlanc, Cole, Bishop
MODIFY(2) Frech, Levy
NOOP(2) Christey, Baker
Voter Comments:
Frech> XF:timbuktu-auth-dos
Levy> BID 984
Christey> BUGTRAQ:20000412 Timbuktu DoS repaired by Netopia
http://www.securityfocus.com/archive/1/54850
BID:984
Name: CVE-2000-0143
Description:
The SSH protocol server sshd allows local users without
shell access to redirect a TCP connection through a
service that uses the standard system password database
for authentication, such as POP or FTP.
Status: Candidate
Phase: Interim (20001011)
Reference: BUGTRAQ:20000211 sshd and pop/ftponly
users incorrect configuration
Reference: XF:ssh-redirect-tcp-connection
Votes:
ACCEPT(3) Blake, LeBlanc, Cole
MODIFY(1) Frech
NOOP(2) Baker, Bishop
REJECT(1) Levy
REVIEWING(1) Christey
Voter Comments:
Frech> XF:ssh-redirect-tcp-connection
CHANGE> [Cole changed vote from REVIEWING to ACCEPT]
Christey> Examine the thread at
http://marc.theaimsgroup.com/?l=bugtraq&m=95055978131077&w=2
to ensure that this problem is being characterized
appropriately.
Levy> SSH is working as designed. The fact that some of its interactions
are not foreseen by some is not a vulnerability.
Name: CVE-2000-0147
Description:
snmpd in SCO OpenServer has an SNMP community string
that is writable by default, which allows local
attackers to modify the host's configuration.
Status: Candidate
Phase: Modified (20000321-01)
Reference: NAI:20000207 SNMPD default writable
community string
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0045.html
Reference: SCO:SB-00.04a
Reference:
URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-00.04a
Reference: BID:973
Reference:
URL:http://www.securityfocus.com/bid/973
Votes:
ACCEPT(5) Blake, Baker, Cole, Bishop, Levy
MODIFY(1) Frech
NOOP(1) LeBlanc
Voter Comments:
Frech> XF:sco-openserver-snmpd
Name: CVE-2000-0151
Description:
GNU make follows symlinks when it reads a Makefile from
stdin, which allows other local users to execute
commands.
Status: Candidate
Phase: Proposed (20000216)
Reference: SUSE:20000209 make-3.77-44
Reference: BID:981
Reference:
URL:http://www.securityfocus.com/bid/981
Votes:
ACCEPT(3) Blake, Bishop, Levy
MODIFY(1) Frech
NOOP(3) LeBlanc, Baker, Cole
REJECT(1) Christey
Voter Comments:
Frech> XF:gnu-makefile-tmp-root
(We have made assignment to two CANs. Requesting confirmation that this is
not a duplicate of CVE-2000-0092: The BSD make program allows local users to
modify files via a symlink attack when the -j option is being used.)
Christey> To confirm Andre's question, this is being treated as
different from CVE-2000-0092, based largely on the fact
that the exploit is different. I believe there was
another reason for keeping these distinct, but that
"deeper analysis" was not recorded :-( While it's possible
that this is the same bug from some common version of make,
in the absence of other information we should probably
keep these two split.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> Taking a fresh look at the diff's for FreeBSD make:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:01.make.asc
And Debian make:
http://security.debian.org/dists/slink/updates/source/make_3.77-5slink.diff.gz
OK... now that I've hurt my brain looking at the code, while
there are major differences in the surrounding code,
ultimately both FreeBSD and Debian create an "outfile" file
descriptor for the temporary file, within main() in main.c.
In addition, child_execute_job() in job.c uses an outfile
variable - for both sources.
Perhaps FreeBSD reported the -j problem without seeing that it
could come in from stdin as well, and/or Debian/etc. didn't realize
that it was exploitable from job control, or maybe a combination of
the two. Regardless, the two problems are the same.
Phew! There goes a half-hour of my life that I'll never be
able to get back...
Name: CVE-2000-0153
Description:
FrontPage Personal Web Server (PWS) allows remote
attackers to read files via a .... (dot dot) attack.
Status: Candidate
Phase: Proposed (20000223)
Reference: BUGTRAQ:20000216 Doubledot bug in
FrontPage FrontPage Personal Web Server.
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000801bf780a$9ad4b2e0$0100007f@localhost
Reference: BID:989
Reference:
URL:http://www.securityfocus.com/bid/989
Votes:
ACCEPT(3) Wall, Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Baker
REJECT(1) LeBlanc
Voter Comments:
LeBlanc> I think this is the same as
http://www.microsoft.com/technet/security/bulletin/ms99-010.asp
If that is true, and you already have it logged, we don't want to have an
entry for the same bug.
Christey> MS:MS99-010 describes CVE-1999-0386. Are there sufficient
details to ensure that this is the same problem?
See http://www.securityfocus.com/templates/archive.pike?list=1&msg=01bae51a$9ab232b0$0100007f@nordnode
Frech> XF:pws-file-access
(We currently have this issue assigned to this CAN and to CVE-1999-0386. I
see that others have similar concerns that this is a duplicate; please
confirm on current status of this candidate.)
Christey> [note to self: review comments by Mark Burnett]
Name: CVE-2000-0154
Description:
The ARCserve agent in UnixWare allows local attackers to
modify arbitrary files via a symlink attack.
Status: Candidate
Phase: Modified (20000403-01)
Reference: NAI:20000215 ARCserve symlink
vulnerability
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000101bf78af$94528870$4d2f45a1@jmagdych.na.nai.com
Reference: BID:988
Reference:
URL:http://www.securityfocus.com/bid/988
Reference: MISC:http://www.sco.com/security/
Votes:
ACCEPT(1) Cole
NOOP(3) LeBlanc, Wall, Baker
REJECT(3) Christey, Frech, Levy
Voter Comments:
Christey> DUPE CVE-2000-0224
Frech> DUPE MITRE:CVE-2000-0224; XF:sco-openserver-arc-symlink
Recommend moving BID reference to CVE-2000-0224.
Name: CVE-2000-0155
Description:
Windows NT Autorun executes the autorun.inf file on
non-removable media, which allows local attackers to
specify an alternate program to execute when other users
access a drive.
Status: Candidate
Phase: Proposed (20000223)
Reference: BUGTRAQ:20000218 AUTORUN.INF
Vulnerability
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000701bf79cd$fdb5a620$4c4342a6@mightye.org
Reference: BID:993
Reference:
URL:http://www.securityfocus.com/bid/993
Votes:
ACCEPT(4) Wall, Baker, Cole, Levy
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:nt-autorun-notdefault
Christey> Consider:
http://support.microsoft.com/support/kb/articles/Q155/2/17.asp
http://support.microsoft.com/support/kb/articles/Q136/2/14.asp
Name: CVE-2000-0158
Description:
Buffer overflow in MMDF server allows remote attackers
to gain privileges via a long MAIL FROM command to the
SMTP daemon.
Status: Candidate
Phase: Modified (20000403-01)
Reference: NAI:20000215 Remote Vulnerability in
the MMDF SMTP Daemon
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000001bf78af$6d0d47a0$4d2f45a1@jmagdych.na.nai.com
Reference: BUGTRAQ:20000218 MMDF
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=200002181449.JAA03436@dragonfly.corp.home.net
Reference: SCO:SB-00.06a
Reference:
URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-00.06a
Reference: BID:997
Reference:
URL:http://www.securityfocus.com/bid/997
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
Voter Comments:
Frech> XF:sco-mmdf-bo
Name: CVE-2000-0160
Description:
The Microsoft Active Setup ActiveX component in Internet
Explorer 4.x and 5.x allows a remote attacker to install
software components without prompting the user by
stating that the software's manufacturer is Microsoft.
Status: Candidate
Phase: Modified (20000321-01)
Reference: BUGTRAQ:20000221 Microsoft signed
software can be install software without prompting users
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=20000221103938.T21312@securityfocus.com
Reference: XF:win-active-setup
Votes:
ACCEPT(4) LeBlanc, Wall, Baker, Levy
MODIFY(1) Frech
NOOP(1) Cole
REVIEWING(1) Christey
Voter Comments:
Christey> In a followup to Bugtraq, Juan Carlos Cuartango makes some
clarifications, specifically that the code that is executed
*must* be signed by Microsoft.
See BUGTRAQ:20000222 MS signed softwrare privileges
Microsoft sends some followups, including a statement that it
will include notification.
The question is, does this belong in CVE? There is no known
means of exploitation; on the other hand, it is related
to privacy concerns. Several posts to the Bugtraq list
indicate that some people believe that unprompted installation
is a significant concern.
Frech> XF:win-active-setup
Levy> BID 999
I do consider this vulnerability as it allows a malicious web page
to install *old* and *vulnerable* components signed by microsoft.
LeBlanc> Fixed in MS00-042
Christey> BID:999
Also add XF:ie-active-setup-download ?
Name: CVE-2000-0163
Description:
asmon and ascpu in FreeBSD allow local users to gain
root privileges via a configuration file.
Status: Candidate
Phase: Proposed (20000223)
Reference: FREEBSD:FreeBSD-SA-00:03
Reference:
URL:http://www.securityfocus.com/templates/advisory.html?id=2092
Reference: BID:996
Reference:
URL:http://www.securityfocus.com/bid/996
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
Voter Comments:
Frech> XF:asmon-ascpu-execute-commands
(Not sims-slapd-logfiles)
Name: CVE-2000-0167
Description:
IIS Inetinfo.exe allows local users to cause a denial of
service by creating a mail file with a long name and a
.txt.eml extension in the pickup directory.
Status: Candidate
Phase: Proposed (20000223)
Reference: NTBUGTRAQ:20000215 Crashing
Inetinfo.exe by using a longfilename in the
\mailroot\pickup directory
Reference:
URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0002&L=ntbugtraq&F=&S=&P=8800
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(4) Christey, LeBlanc, Wall, Levy
Voter Comments:
Frech> XF:iis-pickup-directory-dos
Christey> BID:1819
URL:http://www.securityfocus.com/bid/1819
LeBlanc> Trying to get more info
Name: CVE-2000-0173
Description:
Vulnerability in the EELS system in SCO UnixWare 7.1.x
allows remote attackers to cause a denial of service.
Status: Candidate
Phase: Proposed (20000322)
Reference: SCO:SB-00.08a
Reference:
URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-00.08a
Votes:
ACCEPT(3) Blake, Baker, Cole
MODIFY(1) Frech
NOOP(4) LeBlanc, Prosser, Wall, Ozancin
REVIEWING(2) Christey, Levy
Voter Comments:
Prosser> Although SCO is reporting the problem, there is too little info
available to make an informed decision. Unable to find anything
anywhere on this. It is an events logging system, so one would assume
that there is a way to fill up the log and cause a system halt, but no
way of confirming this with limited information.
Christey> Perhaps we should create a content decision, say
CD:VAGUE-ACK, which says whether it's reasonable to
ACCEPT vendor-acknowledged problems that do not provide any
salient details, as in this candidate as well as several
others.
Cole> I researched this a little more and you can change my NOOP to an
ACCEPT
Frech> XF:sco-eels-dos
Name: CVE-2000-0176
Description:
The default configuration of Serv-U 2.5d and earlier
allows remote attackers to determine the real pathname
of the server by requesting a URL for a directory or
file that does not exist.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000228 Serv-U FTP-Server
v2.4a showing real path
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0417.html
Reference: BID:1016
Reference:
URL:http://www.securityfocus.com/bid/1016
Votes:
ACCEPT(4) Blake, Cole, Ozancin, Levy
MODIFY(1) Frech
NOOP(3) LeBlanc, Wall, Baker
Voter Comments:
Frech> XF:servu-ftp-server-path(4060)
Name: CVE-2000-0177
Description:
DNSTools CGI applications allow remote attackers to
execute arbitrary commands via shell metacharacters.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000302 DNSTools v1.08 has no
input validation
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0000.html
Reference: BID:1028
Reference:
URL:http://www.securityfocus.com/bid/1028
Votes:
ACCEPT(4) Blake, Cole, Ozancin, Levy
MODIFY(1) Frech
NOOP(3) LeBlanc, Wall, Baker
Voter Comments:
Frech> XF:dnstools-invalid-input(4876)
Name: CVE-2000-0187
Description:
EZShopper 3.0 loadpage.cgi CGI script allows remote
attackers to read arbitrary files via a .. (dot dot)
attack or execute commands via shell metacharacters.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000227 EZ Shopper 3.0
shopping cart CGI remote command execution
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0356.html
Reference: BID:1014
Reference:
URL:http://www.securityfocus.com/bid/1014
Votes:
ACCEPT(2) Ozancin, Levy
MODIFY(1) Frech
NOOP(6) Christey, Blake, LeBlanc, Wall, Baker, Cole
Voter Comments:
Christey> Since EZShopper is written in Perl, there is strong evidence
that both the .. and metacharacter attack probably go
through the same insecure open() call. (Perl's open can
either read a regular file, or read piped output from
a command that is specified to the open).
Frech> XF:ezshopper-loadpage-cgi(4044)
Name: CVE-2000-0188
Description:
EZShopper 3.0 search.cgi CGI script allows remote
attackers to read arbitrary files via a .. (dot dot)
attack or execute commands via shell metacharacters.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000227 EZ Shopper 3.0
shopping cart CGI remote command execution
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0356.html
Reference: BID:1014
Reference:
URL:http://www.securityfocus.com/bid/1014
Votes:
ACCEPT(2) Ozancin, Levy
MODIFY(1) Frech
NOOP(6) Christey, Blake, LeBlanc, Wall, Baker, Cole
Voter Comments:
Christey> The exploit is different than CVE-2000-0187 by going through
a different field in a different script, so maybe this should
be kept separate, even though it's probably another open()
call problem.
Frech> XF:ezshopper-search-cgi(4045)
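The two EZShopper candidates above (CVE-2000-0187 and CVE-2000-0188) describe one root cause: an untrusted CGI parameter reaching Perl's two-argument open(), which parses the string for a mode, so "../" reads files outside the document root and a trailing "|" runs a command and reads its output. The following is an added illustration, not EZShopper's code; the document root, the page names and the inputs are constructed for the demo, and the hardened version shows the whitelist-plus-three-argument-open pattern a reviewer would ask for.

```perl
#!/usr/bin/perl
# Added example, not EZShopper's code: one untrusted CGI parameter reaching a
# two-argument open() gives both arbitrary file read (via "..") and command
# execution (via a trailing "|"), which is why the candidates list both.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical document root; EZShopper's real layout is not on the page.
my $docroot = tempdir(CLEANUP => 1);
open(my $w, '>', "$docroot/index.html") or die "create index.html: $!";
print $w "<h1>welcome</h1>\n";
close $w;

# VULNERABLE: two-argument open() parses the *value* for a mode.
#   "../../../../etc/passwd"          -> opens a file outside $docroot
#   "../../../../bin/echo INJECTED|"  -> trailing '|' means "run this command
#                                        and read its stdout"
sub load_page_vulnerable {
    my ($name) = @_;
    open(my $fh, "$docroot/$name") or return;   # mode comes from the string
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# HARDENED: whitelist the name (no '/', no '..', fixed extension) and use
# three-argument open, so '<' is fixed and the string can only be a filename.
sub load_page_safe {
    my ($name) = @_;
    return unless defined $name && $name =~ /\A[A-Za-z0-9_-]+\.html\z/;
    open(my $fh, '<', "$docroot/$name") or return;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Constructed inputs; extra "../" segments are harmless once the root is reached.
for my $param ('index.html',
               '../../../../../../../../etc/passwd',
               '../../../../../../../../bin/echo INJECTED|') {
    my $v = load_page_vulnerable($param);
    my $s = load_page_safe($param);
    printf "%-48s vulnerable=%-5s safe=%s\n", "'$param'",
        defined $v ? 'read' : 'undef', defined $s ? 'read' : 'undef';
    print "  vulnerable returned: $v" if defined $v && $param =~ /\|\z/;
}
```

Run it in a scratch environment: the vulnerable function really executes the injected echo. The hardened version does not need a path-normalisation check because the regex already forbids '/' and '.', but if page names must contain subdirectories, resolve the path with Cwd::abs_path and verify it still starts with $docroot before opening.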
Name: CVE-2000-0190
Description:
AOL Instant Messenger (AIM) client allows remote
attackers to cause a denial of service via a message
with a malformed ASCII value.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000303 Aol Instant Messenger
DoS vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0016.html
Votes:
ACCEPT(2) Blake, Cole
MODIFY(1) Frech
NOOP(3) LeBlanc, Baker, Ozancin
REVIEWING(2) Wall, Levy
Voter Comments:
Frech> XF:aolim-malformed-ascii-dos(4877)
Name: CVE-2000-0197
Description:
The Windows NT scheduler uses the drive mapping of the
interactive user who is currently logged onto the
system, which allows the local user to gain privileges
by providing a Trojan horse batch file in place of the
original batch file.
Status: Candidate
Phase: Proposed (20000322)
Reference: NTBUGTRAQ:20000313 AT Jobs - Denial of
serice/Privilege Elevation
Reference:
URL:http://archives.neohapsis.com/archives/ntbugtraq/current/0202.html
Reference: BID:1050
Reference:
URL:http://www.securityfocus.com/bid/1050
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(2) Blake, Ozancin
REJECT(1) LeBlanc
REVIEWING(1) Wall
Voter Comments:
LeBlanc> this is just bad security practice, not a vulnerability
Frech> XF:nt-at-drive-mappings
Name: CVE-2000-0198
Description:
Buffer overflow in POP3 and IMAP servers in the MERCUR
mail server suite allows remote attackers to cause a
denial of service.
Status: Candidate
Phase: Proposed (20000322)
Reference: NTBUGTRAQ:20000314 Local / Remote
Multiples Remote DoS Attacks in MERCUR v3.2* for Windows
98/NT Vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/ntbugtraq/current/0206.html
Reference: BUGTRAQ:20000314 Local / Remote
Multiples Remote DoS Attacks in MERCUR v3.2* for Windows
98/NT Vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/current/0137.html
Reference: BID:1051
Reference:
URL:http://www.securityfocus.com/bid/1051
Votes:
ACCEPT(2) Ozancin, Levy
MODIFY(1) Frech
NOOP(5) Blake, LeBlanc, Wall, Baker, Cole
Voter Comments:
Frech> XF:mercur-login-dos
The following don't seem to be correct:
Reference:
URL:http://archives.neohapsis.com/archives/ntbugtraq/current/0206.html
Perhaps it is:
http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0206.html
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/current/0137.html
Perhaps it is:
http://archives.neohapsis.com/archives/bugtraq/2000-03/0137.html
Name: CVE-2000-0199
Description:
When a new SQL Server is registered in Enterprise
Manager for Microsoft SQL Server 7.0 and the "Always
prompt for login name and password" option is not set,
then the Enterprise Manager uses weak encryption to
store the login ID and password.
Status: Candidate
Phase: Proposed (20000322)
Reference: ISS:20000314 Vulnerability in
Microsoft SQL Server 7.0 Encryption Used to Store
Administrative Login ID
Reference: BID:1055
Reference:
URL:http://www.securityfocus.com/bid/1055
Votes:
ACCEPT(6) Blake, Wall, Baker, Cole, Ozancin, Levy
MODIFY(1) Frech
REVIEWING(2) Christey, LeBlanc
Voter Comments:
LeBlanc> I think this may just be user error - I'd like more information.
Frech> XF:mssql-weak-encryption
ISS:Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store
Administrative Login ID
URL:http://xforce.iss.net/alerts/advise45.php3
Christey> According to Scott Culp, this can only be reproduced if the
SQL server is running in an unsafe mode that is not
recommended by Microsoft: "To securely use SQL Server,
Microsoft recommends using Windows Integrated Security. In
Windows Integrated Security mode passwords are never stored,
as your Windows Domain sign-on is used as the security
identifier to the database server."
We still must consider approving this candidate, however, as a
user configuration error instead of a software flaw.
CD:DESIGN-WEAK-ENCRYPTION applies in this case, so if we
decide to include configuration problems in which a user
intentionally selects weak encryption, then we might still
approve this candidate.
Name: CVE-2000-0203
Description:
The Trend Micro OfficeScan client tmlisten.exe allows
remote attackers to cause a denial of service via
malformed data to port 12345.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000228 Re: TrendMicro
OfficeScan tmlisten.exe DoS
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=412FC0AFD62ED31191B40008C7E9A11A0D481D@srvnt04.previnet.it
Reference: BUGTRAQ:20000315 Trend Micro release
patch for "OfficeScan DoS & Message Replay"
Vulnerabilies
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=D129BBE1730AD2118A0300805FC1C2FE038AF28B@209-76-212-10.trendmicro.com
Reference:
MISC:http://www.antivirus.com/download/ofce_patch_35.htm
Reference: BID:1013
Reference:
URL:http://www.securityfocus.com/bid/1013
Votes:
ACCEPT(5) Blake, Wall, Baker, Armstrong, Levy
MODIFY(1) Frech
NOOP(3) LeBlanc, Cole, Ozancin
Voter Comments:
Frech> XF:trendmicro-tmlisten-dos
Name: CVE-2000-0204
Description:
The Trend Micro OfficeScan client allows remote
attackers to cause a denial of service by making 5
connections to port 12345, which raises CPU utilization
to 100%.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000226 DOS in Trendmicro
OfficeScan
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0340.html
Reference: BUGTRAQ:20000315 Trend Micro release
patch for "OfficeScan DoS & Message Replay"
Vulnerabilies
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=D129BBE1730AD2118A0300805FC1C2FE038AF28B@209-76-212-10.trendmicro.com
Reference:
MISC:http://www.antivirus.com/download/ofce_patch_35.htm
Reference: BID:1013
Reference:
URL:http://www.securityfocus.com/bid/1013
Votes:
ACCEPT(6) Blake, Wall, Baker, Cole, Armstrong, Levy
MODIFY(1) Frech
NOOP(2) LeBlanc, Ozancin
Voter Comments:
Frech> XF:trendmicro-simultaneous-dos
Name: CVE-2000-0205
Description:
Trend Micro OfficeScan allows remote attackers to replay
administrative commands and modify the configuration of
OfficeScan clients.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000303 TrendMicro
OfficeScan, numerous security holes, remote files
modification.
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0015.html
Reference: BUGTRAQ:20000315 Trend Micro release
patch for "OfficeScan DoS & Message Replay"
Vulnerabilies
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=D129BBE1730AD2118A0300805FC1C2FE038AF28B@209-76-212-10.trendmicro.com
Reference:
MISC:http://www.antivirus.com/download/ofce_patch_35.htm
Reference: BID:1013
Reference:
URL:http://www.securityfocus.com/bid/1013
Votes:
ACCEPT(4) Blake, Baker, Cole, Levy
MODIFY(1) Frech
NOOP(3) LeBlanc, Wall, Ozancin
Voter Comments:
Frech> XF:trendmicro-admin-command(4041)
Name: CVE-2000-0213
Description:
The Sambar server includes batch files ECHO.BAT and
HELLO.BAT in the CGI directory, which allow remote
attackers to execute commands via shell metacharacters.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000223 Sambar Server alert!
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38B3E60A.6A84FEC3@cybcom.net
Reference:
CONFIRM:http://www.sambar.com/session/highlight?url=/syshelp/history.htm&words=security+&color=red
Reference: XF:sambar-batfiles
Reference: BID:1002
Reference:
URL:http://www.securityfocus.com/bid/1002
Votes:
ACCEPT(6) Blake, Baker, Cole, Armstrong, Frech, Levy
NOOP(3) LeBlanc, Wall, Ozancin
Name: CVE-2000-0214
Description:
FTP Explorer uses weak encryption for storing the
username, password, and profile of FTP sites.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000224 How the password
could be recover using FTP Explorer's registry!
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10002242035500.30645-100000@unreal.sekure.org
Reference: BID:1003
Reference:
URL:http://www.securityfocus.com/bid/1003
Votes:
ACCEPT(5) Baker, Cole, Armstrong, Ozancin, Levy
MODIFY(1) Frech
NOOP(3) Blake, LeBlanc, Wall
Voter Comments:
Frech> XF:ftp-explorer-weak-pwd(4038)
Name: CVE-2000-0216
Description:
Microsoft email clients in Outlook, Exchange, and
Windows Messaging automatically respond to Read Receipt
and Delivery Receipt tags, which could allow an attacker
to flood a mail system with responses by forging a Read
Receipt request that is redirected to a large
distribution list.
Status: Candidate
Phase: Proposed (20000322)
Reference: NTBUGTRAQ:20000229 mailbombing DoS
easily exploitable against mail systems using MS mail
clients.
Reference:
URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0176.html
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Baker, Ozancin
REJECT(3) Blake, LeBlanc, Levy
REVIEWING(1) Wall
Voter Comments:
Blake> This is a configuration issue. Should the fact that NT can be configured
to accept a blank Admin password have a CVE entry?
LeBlanc> This is documented as bad practice - if you have a wide distribution
mailing list, you should only allow certain users to send mail to it.
I don't think we want to start listing all possible admin errors as
vulnerabilities.
Frech> XF:microsoft-mail-client-dos(4893)
Levy> I agree with all the above comments. Furthermore the delivery status
notification RFC makes it clear that mailing list software should
strip messages from DSN headers. I assume Microsoft's products are
using the DSN standard and not something else.
Name: CVE-2000-0219
Description:
Red Hat 6.0 allows local users to gain root access by
booting single user and hitting ^C at the password
prompt.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000223 redhat 6.0: single
user boot security hole
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200002230248.NAA19185@cairo.anu.edu.au
Reference: BID:1005
Reference:
URL:http://www.securityfocus.com/bid/1005
Votes:
ACCEPT(4) Cole, Armstrong, Ozancin, Levy
MODIFY(1) Frech
NOOP(4) Blake, LeBlanc, Wall, Baker
REVIEWING(1) Christey
Voter Comments:
Ozancin> We need an additional CVE entry for other distributions that simply drop you
into a root shell in single user mode.
Christey> Based on Craig's comments, need to consider if this is an LOA
issue.
Frech> XF:redhat-single-user-auth(4026)
Name: CVE-2000-0220
Description:
ZoneAlarm sends sensitive system and network information
in cleartext to the Zone Labs server if a user requests
more information about an event.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000225 Zonealarm exports
sensitive data
Votes:
ACCEPT(1) Armstrong
MODIFY(1) Frech
NOOP(5) LeBlanc, Wall, Baker, Cole, Ozancin
REJECT(1) Blake
REVIEWING(1) Levy
Voter Comments:
Blake> Discussion on Bugtraq shows that this is a really marginal issue. Very
tough to come up with a viable attack scenario. Also, it's part of how
this class of software works, not a flaw in the cited package. Might be
possible to recast this into something more generic....
Frech> XF:zonealarm-exposes-info
Name: CVE-2000-0227
Description:
The Linux 2.2.x kernel does not restrict the number of
Unix domain sockets as defined by the wmem_max
parameter, which allows local users to cause a denial of
service by requesting a large number of sockets.
Status: Candidate
Phase: Modified (20010910-01)
Reference: BUGTRAQ:20000323 Local
Denial-of-Service attack against Linux
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0254.html
Reference: BUGTRAQ:20000328 Re: Local
Denial-of-Service attack against Linux
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95421263519558&w=2
Reference: BID:1072
Reference:
URL:http://www.securityfocus.com/bid/1072
Reference: XF:linux-domain-socket-dos(4186)
Reference:
URL:http://xforce.iss.net/static/4186.php
Votes:
ACCEPT(8) Blake, Baker, Cole, Armstrong, Frech, Collins, Ozancin, Levy
NOOP(3) Magdych, Christey, Wall
Voter Comments:
Christey> Fix typo: 'paremeter'
Magdych> I remember when this came up... seems like there were some wildly
mixed results for the exploit.
Christey> See http://marc.theaimsgroup.com/?l=bugtraq&m=95421263519558&w=2
for Elias' summary of the mixed results. It looks like
enough people were able to replicate it that we should
include it.
Christey> Fix typo: "paremeter"
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0239
Description:
Buffer overflow in the MERCUR WebView WebMail server
allows remote attackers to cause a denial of service via
a long mail_user parameter in the GET request.
Status: Candidate
Phase: Proposed (20000412)
Reference: BUGTRAQ:20000315 Local / Remote DoS
Attack in MERCUR WebView WebMail-Client 1.0
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95325335825295&w=2
Reference:
URL:http://www.ussrback.com/labs36.html
Reference: BID:1056
Reference:
URL:http://www.securityfocus.com/bid/1056
Reference: XF:mercur-webview-get-dos
Votes:
ACCEPT(3) Baker, Frech, Levy
NOOP(2) Magdych, Cole
Voter Comments:
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0241
Description:
vqSoft vqServer stores sensitive information such as
passwords in cleartext in the server.cfg file, which
allows attackers to gain privileges.
Status: Candidate
Phase: Proposed (20000412)
Reference: BUGTRAQ:20000321 vqserver /........../
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.20000321084646.0095c7f0@olga.swip.net
Reference: BID:1068
Reference:
URL:http://www.securityfocus.com/bid/1068
Reference: XF:vqserver-passwd-plaintext
Votes:
ACCEPT(3) Baker, Frech, Levy
NOOP(2) Magdych, Cole
Voter Comments:
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0242
Description:
WindMail allows remote attackers to read arbitrary files
or execute commands via shell metacharacters.
Status: Candidate
Phase: Proposed (20000412)
Reference: BUGTRAQ:20000325 Windmail allow web
user get any file
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=20000325224146.6839.qmail@securityfocus.com
Reference: XF:windmail-fileread
Reference: XF:windmail-pipe-command
Reference: BID:1073
Reference:
URL:http://www.securityfocus.com/bid/1073
Votes:
ACCEPT(2) Cole, Levy
NOOP(1) Baker
RECAST(1) Frech
REJECT(2) Magdych, Christey
Voter Comments:
Frech> Violation of fundamentum divisionis (that is, it's more than one issue) and
a potential nitpick:
- windmail-fileread: allows remote attackers to read arbitrary files
- windmail-pipe-command: execute commands via shell metacharacters
- The conjunction 'or' should be 'and', if you decide to stick with one CAN.
Christey> As Andre basically said without naming content decisions,
CD:SF-LOC says this should be split.
HOWEVER - the author of the product says that WindMail isn't
supposed to be a CGI script, and says that the pipe
character problem is not related to Geocel. So should CVE
record when someone runs a program that wasn't intended to
be a CGI? There may be a level of abstraction issue here.
Note that Perl and shell interpreters in CGI-BIN are
already mentioned in CVE-1999-0509. If we want to include
"using a program that wasn't designed to be a CGI" as a
problem, we should have a separate candidate.
See the author's comments at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=3.0.5.32.20000331114325.013af680@mailhost.geocel.com
which also claims that the original announcer hasn't provided
any more details after the author was unable to reproduce the
problem.
CHANGE> [Magdych changed vote from REVIEWING to REJECT]
Magdych> After reviewing the author's comments, I'm inclined to think that this is more of a misconfiguration than a vulnerability.
Name: CVE-2000-0244
Description:
The Citrix ICA (Independent Computing Architecture)
protocol uses weak encryption (XOR) for user
authentication.
Status: Candidate
Phase: Proposed (20000412)
Reference: BUGTRAQ:20000328 Citrix ICA Basic
Encryption
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSO.4.20.0003290949280.2640-100000@naughty.monkey.org
Reference: BID:1077
Reference:
URL:http://www.securityfocus.com/bid/1077
Votes:
ACCEPT(2) Magdych, Levy
MODIFY(1) Frech
NOOP(2) Baker, Cole
Voter Comments:
Frech> XF:citrix-encryption
Name: CVE-2000-0248
Description:
The web GUI for the Linux Virtual Server (LVS) software
in the Red Hat Linux Piranha package has a backdoor
password that allows remote attackers to execute
arbitrary commands.
Status: Candidate
Phase: Modified (20070924)
Reference: ISS:20000424 Backdoor Password in Red
Hat Linux Virtual Server Package
Reference:
URL:http://xforce.iss.net/alerts/advise46.php3
Reference: REDHAT:RHSA-2000:014-10
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
REJECT(1) Cox
Voter Comments:
Christey> Typo fix: change "passowrd" to "password"
ADDREF BID:1148
ADDREF URL:http://www.securityfocus.com/bid/1148
Christey> ADDREF XF:piranha-default-password
Frech> XF:piranha-default-password
In description, passowrd should be password.
Cox> The "execute arbitrary commands" part is a separate vulnerability,
already assigned CVE-2000-0322. The package was designed to have no
password on installation, so "backdoor" does not apply. When users
install Piranha they are expected to add a password to the web
administration GUI, it's a documented part of the procedure. "The web
GUI for the Linux Virtual Server (LVS) software in the Red Hat Linux
Piranha package installs with a default password" is accurate if it
qualifies as an exposure.
Christey> BUGTRAQ:20000425 piranha default password/exploit
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95668829621268&w=2
Default accounts/passwords need to be accounted for in CVE,
but the question is what level of abstraction to use - a
separate CVE for each password, or one CVE for all passwords,
or somewhere in the middle? That is the crux of CD:CF-PASS.
Name: CVE-2000-0250
Description:
The crypt function in QNX uses weak encryption, which
allows local users to decrypt passwords.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000414 qnx crypt comprimised
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0072.html
Reference: BID:1114
Reference:
URL:http://www.securityfocus.com/bid/1114
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:qnx-weak-encryption(4866)
Name: CVE-2000-0256
Description:
Buffer overflows in htimage.exe and Imagemap.exe in
FrontPage 97 and 98 Server Extensions allow a user to
conduct activities that are not otherwise available
through the web site, aka the "Server-Side Image Map
Components" vulnerability.
Status: Candidate
Phase: Modified (20070607)
Reference: BUGTRAQ:20070603 CERN İmage Map
Dispatcher
Reference:
URL:http://www.securityfocus.com/archive/1/archive/1/470458/100/0/threaded
Reference: MS:MS00-028
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms00-028.asp
Reference: BID:1117
Reference:
URL:http://www.securityfocus.com/bid/1117
Reference: XF:frontpage-cern-bo(34720)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/34720
Votes:
ACCEPT(4) Wall, Baker, Cole, Levy
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:frontpage-ext-image-map
Christey> Possibly related to BUGTRAQ:20000418 More vulnerabilities in FP
http://archives.neohapsis.com/archives/bugtraq/2000-04/0116.html
Name: CVE-2000-0259
Description:
The default permissions for the Cryptography\Offload
registry key used by the OffloadModExpo in Windows NT
4.0 allow local users to compromise the cryptographic
keys of other users.
Status: Candidate
Phase: Proposed (20000426)
Reference: MS:MS00-024
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms00-024.asp
Reference: BID:1105
Reference:
URL:http://www.securityfocus.com/bid/1105
Votes:
ACCEPT(4) Wall, Baker, Cole, Levy
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:winnt-cryptkeys-compromise
Christey> Include "CryptoAPI" to facilitate search.
MSKB:Q259496
URL:http://www.microsoft.com/technet/support/kb.asp?ID=259496
Name: CVE-2000-0266
Description:
Internet Explorer 5.01 allows remote attackers to bypass
the cross frame security policy via a malicious applet
that interacts with the Java JSObject to modify the DOM
properties to set the IFRAME to an arbitrary Javascript
URL.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000418 IE 5 security
vulnerablity - circumventing Cross-frame security policy
using Java/JavaScript (and disabling Active Scripting is
not that easy)
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38FC6130.D6D178FD@nat.bg
Reference: BID:1121
Reference:
URL:http://www.securityfocus.com/bid/1121
Votes:
ACCEPT(5) LeBlanc, Wall, Baker, Cole, Levy
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:ie-java-crossframe-security
Christey> May be a duplicate of CVE-2000-0465 according to my
communications with Microsoft people. CVE-2000-0028 may
also be a variant.
LeBlanc> MS00-039
Name: CVE-2000-0269
Description:
Emacs 20 does not properly set permissions for a slave
PTY device when starting a new subprocess, which allows
local users to read or modify communications between
Emacs and the subprocess.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000418 RUS-CERT Advisory
200004-01: GNU Emacs 20
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de
Reference: BID:1125
Reference:
URL:http://www.securityfocus.com/bid/1125
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(3) Christey, Wall, Cole
Voter Comments:
Christey> ADDREF XF:emacs-local-eavesdrop
Verify BID for this - is it 1125, 1126, or 1127?
Also, ADDREF CALDERA:CSSA-2000-011.1 ??
URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-011.1.txt
Frech> XF:emacs-local-eavesdrop
Christey> ADDREF MANDRAKE:MDKSA-2000:088 ?
Also http://www.securityfocus.com/bid/2164, but is that a
duplicate of BID:1125?
Name: CVE-2000-0270
Description:
The make-temp-name Lisp function in Emacs 20 creates
temporary files with predictable names, which allows
attackers to conduct a symlink attack.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000418 RUS-CERT Advisory
200004-01: GNU Emacs 20
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de
Reference: BID:1126
Reference:
URL:http://www.securityfocus.com/bid/1126
Votes:
ACCEPT(1) Baker
MODIFY(2) Levy, Frech
NOOP(3) Christey, Wall, Cole
Voter Comments:
Christey> ADDREF XF:emacs-tempfile-creation
Verify BID for this - is it 1125, 1126, or 1127?
Also, ADDREF CALDERA:CSSA-2000-011.1 ??
URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-011.1.txt
Frech> XF:emacs-tempfile-creation
Levy> Change BID reference to BID 1126
Name: CVE-2000-0271
Description:
read-passwd and other Lisp functions in Emacs 20 do not
properly clear the history of recently typed keys, which
allows an attacker to read unencrypted passwords.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000418 RUS-CERT Advisory
200004-01: GNU Emacs 20
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de
Reference: BID:1125
Reference:
URL:http://www.securityfocus.com/bid/1125
Votes:
ACCEPT(1) Baker
MODIFY(2) Levy, Frech
NOOP(3) Christey, Wall, Cole
Voter Comments:
Christey> Verify BID for this - is it 1125, 1126, or 1127?
Also, ADDREF CALDERA:CSSA-2000-011.1 ??
URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-011.1.txt
ADDREF XF:emacs-password-history
Frech> XF:emacs-password-history
Levy> Change BID reference to BID 1127
Name: CVE-2000-0275
Description:
CRYPTOCard CryptoAdmin for PalmOS uses weak encryption
to store a user's PIN number, which allows an attacker
with access to the .PDB file to generate valid PT-1
tokens after cracking the PIN.
Status: Candidate
Phase: Proposed (20000426)
Reference: L0PHT:20000410 CRYPTOCard PalmToken
PIN Extraction
Reference:
URL:http://www.l0pht.com/advisories/cc-pinextract.txt
Reference: BUGTRAQ:20000410 CRYPTOAdmin 4.1
server with PalmPilot PT-1 token 1.04 PIN Extraction
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0033.html
Reference: BID:1097
Reference:
URL:http://www.securityfocus.com/bid/1097
Votes:
ACCEPT(3) Levy, Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:cryptoadmin-weak-encryption
Name: CVE-2000-0280
Description:
Buffer overflow in the RealNetworks RealPlayer client
versions 6 and 7 allows remote attackers to cause a
denial of service via a long Location URL.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000403 Win32 RealPlayer 6/7
Buffer Overflow
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0018.html
Reference: BID:1088
Reference:
URL:http://www.securityfocus.com/bid/1088
Votes:
ACCEPT(3) Levy, Wall, Cole
MODIFY(1) Frech
NOOP(1) Baker
Voter Comments:
Frech> XF:realserver-ramgen-dos
Name: CVE-2000-0281
Description:
Buffer overflow in the Napster client beta 5 allows
remote attackers to cause a denial of service via a long
message.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000326 neat little napster
bug
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0277.html
Reference: BUGTRAQ:20000330 Napster, Inc.
response to Colten Edwards
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0299.html
Votes:
NOOP(2) Wall, Cole
REJECT(3) Levy, Baker, Frech
Voter Comments:
Frech> Does not meet CVE candidate requirements. The problem was remedied on the
server end, and no fault exists at the client. Based on
http://archives.neohapsis.com/archives/bugtraq/2000-03/0299.html:
Approximately one hour after receiving the post from BugTraq,
Napster's servers were patched to prevent this from occurring.
Users of the Napster Win32 client software are NOT vulnerable.
Baker> Agree with Andre
Name: CVE-2000-0284
Description:
Buffer overflow in University of Washington imapd
version 4.7 allows users with a valid account to execute
commands via LIST or other commands.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000416 imapd4r1 v12.264
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0074.html
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0085.html
Reference: BID:1110
Reference:
URL:http://www.securityfocus.com/bid/1110
Votes:
ACCEPT(3) Levy, Baker, Cole
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> ADDREF FREEBSD:FreeBSD-SA-00:14
URL:http://www.securityfocus.com/templates/advisory.html?id=2179
Frech> XF:imap-mailserver-bo
Name: CVE-2000-0286
Description:
X fontserver xfs allows local users to cause a denial of
service via malformed input to the server.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000416 xfs
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0079.html
Reference: BID:1111
Reference:
URL:http://www.securityfocus.com/bid/1111
Votes:
MODIFY(1) Frech
NOOP(3) Wall, Baker, Cole
REJECT(2) Levy, Christey
Voter Comments:
Frech> XF:redhat-fontserver-dos
POTENTIAL DUPE: CVE-2000-0263: The X font server xfs in Red Hat Linux 6.x
allows an attacker to cause a denial of service via a malformed request.
Christey> As Andre observed, this is a duplicate of CVE-2000-0263.
Name: CVE-2000-0288
Description:
Infonautics getdoc.cgi allows remote attackers to bypass
the payment phase for accessing documents via a modified
form variable.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000412 Infonautic's
getdoc.cgi may allow unauthorized access to documents
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0049.html
Votes:
MODIFY(1) Frech
NOOP(2) Wall, Cole
REJECT(1) Baker
REVIEWING(2) Levy, Christey
Voter Comments:
Frech> XF:http-cgi-infonautics-getdoc
Christey> CD:EX-ONLINE-SVC applies here. This may be a vulnerability in
an online service (the search engines used by Infonautics)
which poses no risk to anyone but the company itself.
Name: CVE-2000-0291
Description:
Buffer overflow in Star Office 5.1 allows attackers to
cause a denial of service by embedding a long URL within
a document.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000416 StarOffice 5.1
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0077.html
Reference: BID:1112
Reference:
URL:http://www.securityfocus.com/bid/1112
Votes:
ACCEPT(2) Levy, Dik
MODIFY(1) Frech
NOOP(3) Wall, Baker, Cole
Voter Comments:
Frech> XF:staroffice-long-url-bo
Name: CVE-2000-0293
Description:
aaa_base in SuSE Linux 6.3, and cron.daily in earlier
versions, allow local users to delete arbitrary files by
creating files whose names include spaces, which are
then incorrectly interpreted by aaa_base when it deletes
expired files from the /tmp directory.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000421 local user can delete
arbitrary files on SuSE-Linux
Reference: BID:1130
Reference:
URL:http://www.securityfocus.com/bid/1130
Votes:
ACCEPT(3) Levy, Baker, Cole
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> ADDREF SUSE:20000502 aaabase < 2000.5.2
URL: http://www.suse.de/de/support/security/suse_security_announce_47.txt
This advisory references another problem that is listed in
CVE-2000-0433.
Frech> XF:aaabase-file-deletion
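The aaa_base candidate above is the classic "filename re-parsed by the shell" bug: a cleaner that builds a command string from an expired file's name lets a file named "junk /path/to/target" delete the target. The following is an added illustration, not SuSE's aaa_base or cron.daily code; the spool and victim paths are constructed under a temp directory, and the age test is left out so the name handling is the only thing being compared.

```perl
#!/usr/bin/perl
# Added example, not SuSE's aaa_base: a /tmp cleaner that hands each expired
# filename to the shell as an unquoted string is tricked by a name containing
# a space into deleting a file the attacker chose; the fix is to never let the
# name be re-parsed.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed layout: $spool stands in for /tmp, $victim for a file the
# attacker is not allowed to touch.
my $base   = tempdir(CLEANUP => 1);
my $spool  = "$base/spool";
my $victim = "$base/victim.conf";
mkdir $spool or die "mkdir $spool: $!";

sub reset_layout {
    open(my $fh, '>', $victim) or die "create victim: $!";
    print $fh "keep me\n";
    close $fh;
    # Attacker-controlled name: "junk <space> <path to victim>".
    open(my $t, '>', "$spool/junk $victim") or die "create trap: $!";
    close $t;
}

sub expired_files {
    my ($dir) = @_;
    opendir(my $dh, $dir) or die "opendir $dir: $!";
    my @files = map { "$dir/$_" } grep { $_ ne '.' && $_ ne '..' } readdir $dh;
    closedir $dh;
    return @files;   # age test (-M) omitted; the point is the name handling
}

# VULNERABLE: the whole path is interpolated into one command string, so
# "rm -f /spool/junk /base/victim.conf" is split on whitespace and rm receives
# two arguments.  A shell script doing `rm -f $f` fails the same way.
sub expire_vulnerable {
    my ($dir) = @_;
    system("rm -f $_") for expired_files($dir);
}

# HARDENED: unlink takes the name as one opaque string; the list form
# system('rm', '-f', '--', $path) would be equally safe.
sub expire_safe {
    my ($dir) = @_;
    unlink($_) or warn "unlink ${_} failed: $!" for expired_files($dir);
}

reset_layout();
expire_vulnerable($spool);
printf "vulnerable cleaner: victim %s\n", -e $victim ? 'survived' : 'DELETED';

reset_layout();
expire_safe($spool);
printf "safe cleaner:       victim %s, spool %s\n",
    -e $victim ? 'survived' : 'DELETED',
    scalar(expired_files($spool)) ? 'still has files' : 'empty';
```

The same class of bug appears with newlines in names when a script pipes `find` output through `xargs`; the shell-side equivalent of the hardened version is `find "$dir" -print0 | xargs -0 rm -f --`, which keeps each name as a single argument no matter what characters it contains.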
Name: CVE-2000-0295
Description:
Buffer overflow in LCDproc allows remote attackers to
gain root privileges via the screen_add command.
Status: Candidate
Phase: Modified (20071220)
Reference: BUGTRAQ:20000420 Remote vulnerability
in LCDproc 0.4
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000421010946.15318I-200000@schizo.strange.net
Reference: GENTOO:GLSA-200301-07
Reference:
URL:http://www.securityfocus.com/archive/1/archive/1/305589/30/26390/threaded
Reference: BID:1131
Reference:
URL:http://www.securityfocus.com/bid/1131
Reference: SECUNIA:7829
Reference: URL:http://secunia.com/advisories/7829
Reference: XF:lcdproc-remote-overflow(4315)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/4315
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:lcdproc-remote-overflow
Name: CVE-2000-0299
Description:
Buffer overflow in WebObjects.exe in the WebObjects
Developer 4.5 package allows remote attackers to cause a
denial of service via an HTTP request with long headers
such as Accept.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000404 WebObjects DoS
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0020.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(4) Christey, Williams, Wall, Cole
REVIEWING(1) Levy
Voter Comments:
Christey> ADDREF XF:webobjects-post-dos
Frech> XF:webobjects-post-dos
Christey> See http://til.info.apple.com/techinfo.nsf/artnum/n75087
Document says:
"A request with a large, malformed http header can crash a WOApp"
(Apple reference #2470254) appears to be the acknowledgement needed.
Is this sufficient acknowledgement? This is dated August 24,
but the initial disclosure occurred on April 4.
Christey> BID:1896
Name: CVE-2000-0300
Description:
The default encryption method of PcAnywhere 9.x uses
weak encryption, which allows remote attackers to sniff
and decrypt PcAnywhere or NT domain accounts.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000405 PcAnywhere weak
password encryption
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000406030958.23902.qmail@securityfocus.com
Reference: BID:1093
Reference:
URL:http://www.securityfocus.com/bid/1093
Votes:
ACCEPT(4) Levy, Prosser, Baker, Cole
MODIFY(1) Frech
REVIEWING(1) Wall
Voter Comments:
Frech> XF:pcanywhere-weak-encryption
Prosser> http://service2.symantec.com/SUPPORT/pca.nsf/pfdocs/1999022312571812
Upgraded in pcA 10
Name: CVE-2000-0312
Description:
cron in OpenBSD 2.5 allows local users to gain root
privileges via an argv[] that is not NULL terminated,
which is passed to cron's fake popen function.
Status: Candidate
Phase: Proposed (20010214)
Reference: OPENBSD:19990830 In cron(8), make sure
argv[] is NULL terminated in the fake popen() and run
sendmail as the user, not as root.
Reference:
URL:http://www.openbsd.org/errata25.html#cron
Votes:
ACCEPT(3) Baker, Cole, Collins
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:cron-sendmail-root(3335)
Seems like this issue is not just OpenBSD, and is described
differently by other vendors:
SuSE Security Announcement #15 Security hole in cron
http://www.suse.de/de/support/security/suse_security_announce_15.txt
Red Hat, Inc. Security Advisory RHSA-1999:030-02 Buffer overflow in
cron daemon
http://www.redhat.com/support/errata/rh52-errata-general.html#vixie-cron
Caldera Systems, Inc. Security Advisory CSSA-1999-023.0 serious security
problem in cron
http://www.calderasystems.com/support/security/advisories/CSSA-1999-023.0.txt
All are dated on or around 1999-08-27 to 1999-08-30.
Also, may overlap with CVE-1999-0769: Vixie Cron on Linux systems allows
local users to set parameters of sendmail commands via the MAILTO
environmental variable.
Christey> See Andre's comments, but I believe this is different than
CVE-1999-0769. Also consider CVE-1999-0768 and CVE-1999-0872
(Vixie Cron buffer overflow via MAILTO).
Name: CVE-2000-0317
Description:
Buffer overflow in Solaris 7 lpset allows local users to
gain root privileges via a long -r option.
Status: Candidate
Phase: Proposed (20000518)
Reference: BUGTRAQ:20000424 Solaris 7 x86 lpset
exploit.
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0192.html
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0236.html
Reference: BUGTRAQ:20000427 Re: Solaris/SPARC 2.7
lpset exploit (well not likely !)
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95729763119559&w=2
Reference: SUNBUG:4334568
Reference: BID:1138
Reference:
URL:http://www.securityfocus.com/bid/1138
Votes:
ACCEPT(3) Levy, Baker, Cole
MODIFY(1) Frech
NOOP(3) Christey, LeBlanc, Wall
RECAST(1) Dik
Voter Comments:
Dik> there's a lot of confusion in this one.
These point to buffer overflows:
Reference: BUGTRAQ:20000424 Solaris 7 x86 lpset exploit.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0192.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0236.html
But these point to dlopen() in libprint that doesn't check pathnames:
Reference: BUGTRAQ:20000427 Re: Solaris/SPARC 2.7 lpset exploit (well not likely !)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95729763119559&w=2
Reference: SUNBUG:4334568
And this is a buffer overflow again:
Reference: BID:1138
Reference: URL:http://www.securityfocus.com/bid/1138
Frech> XF:solaris-lpset-bo
Christey> ADDREF SUN:00195? Need to check with Casper.
Name: CVE-2000-0321
Description:
Buffer overflow in IC Radius package allows a remote
attacker to cause a denial of service via a long user
name.
Status: Candidate
Phase: Proposed (20000518)
Reference: BUGTRAQ:20000424 Buffer Overflow in
version .14
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0190.html
Reference: BID:1147
Reference:
URL:http://www.securityfocus.com/bid/1147
Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(4) LeBlanc, Wall, Baker, Cole
REJECT(1) Christey
Voter Comments:
Frech> XF:icradius-username-bo
Every reference I pull up shows the product's name as ICRADIUS. See
http://mysql.eunet.fi/Downloads/Contrib/icradius.README
Christey> In a followup, Alan DeKok (aland@FREERADIUS.ORG) says that
this could occur in other RADIUS servers also; however, the
bug could only be exploited if someone has altered the
configuration file, which shouldn't normally be modifiable
by anyone else.
So, this should be REJECTed since the bug doesn't directly give
anyone else any additional privileges or access.
Christey> Alan DeKok <aland@FREERADIUS.ORG> says it applies to other RADIUS
programs also, *however* since it needs a valid username, only
the RADIUS owner can exploit it by changing the config file. But
if the config file can be written by others - well, that's still
a potential risk, but you've probably got bigger problems then.
- http://marc.theaimsgroup.com/?l=bugtraq&m=95671883515060&w=2
Look at ChangeLog at ftp://ftp.cheapnet.net/pub/icradius/ChangeLog
Possible confirmation in 0.15: "sql_getvpdata now dynamically
allocates buffer sizes for sql queries to avoid over runs"
But that's a bit general.
Alan DeKok said that Cistron and other RADIUS servers were affected; the
ICRADIUS changelog says to check the Cistron logs for other possible
bug fixes, since ICRADIUS uses Cistron codebase. Go back to
freeradius.org and find link to Cistron at
http://www.miquels.cistron.nl/radius/
Cistron changelog at http://www.miquels.cistron.nl/radius/ChangeLog It
has different version numbers - go back to ICRADIUS changelog to find
rough equivalents. ICRADIUS 0.15 uses Cistron 1.6.3 patches, so
start from there.
No apparent problems in 1.6.3 or 1.6.4, but 1.6.1 says: "Fix all
strcpy(), strcat(), sprintf() and sccanf() calls for buffer
overflows." So perhaps the problem was fixed then? Or maybe the
vulnerable sscanf() call was missed and/or disregarded because it was
believed that the hostname could be trusted since it came from a
well-controlled configuration file?
Name: CVE-2000-0325
Description:
The Microsoft Jet database engine allows an attacker to
execute commands via a database query, aka the "VBA
Shell" vulnerability.
Status: Candidate
Phase: Modified (20020222-01)
Reference: MS:MS99-030
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms99-030.asp
Reference: XF:jet-vba-shell(3155)
Reference:
URL:http://xforce.iss.net/static/3155.php
Reference: BID:548
Reference:
URL:http://www.securityfocus.com/bid/548
Votes:
ACCEPT(5) Prosser, Wall, Baker, Cole, Armstrong
MODIFY(1) Frech
REJECT(1) LeBlanc
REVIEWING(1) Christey
Voter Comments:
LeBlanc> - same as CVE-1999-1011
If I'm misunderstanding something here, please correct me. In fact, it has
the same bulletin as a reference.
Frech> XF:jet-vba-shell
Prosser> This entry is not the same as "now" CVE-1999-1011. That entry is "The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands." This one should be correct.
Christey> BUGTRAQ:19990525 Advisory: NT ODBC Remote Compromise
http://marc.theaimsgroup.com/?l=bugtraq&m=92765973107637&w=2
NTBUGTRAQ:19990526 Advisory: NT ODBC Remote Compromise
http://marc.theaimsgroup.com/?l=ntbugtraq&m=92781907215748&w=2
Christey> The Microsoft advisory itself describes two separate
vulnerabilities, calling the TEXT I-ISAM problem
(CVE-2000-0323) a variant of the VBA Shell problem (this
CAN). In addition, CVE-2000-0323 does *not* appear in Jet
4.0, while this one does. Since one problem appears in a
different version than the other, CD:SF-LOC suggests keeping
these candidates SPLIT.
BID:548
http://www.securityfocus.com/bid/548
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Need to clarify whether the Bugtraq/NTBugtraq posts are
really describing the same issue (those are BID:286).
Name: CVE-2000-0326
Description:
Meeting Maker uses weak encryption (a polyalphabetic
substitution cipher) for passwords, which allows remote
attackers to sniff and decrypt passwords for Meeting
Maker accounts.
Status: Candidate
Phase: Proposed (20000518)
Reference: BID:1151
Reference:
URL:http://www.securityfocus.com/bid/1151
Reference:
CONFIRM:http://support.on.com/support/mmxp.nsf/31af51e08bcc93eb852565a90056138b/11af70407a16b165852568c50056a952?OpenDocument
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(4) Christey, LeBlanc, Wall, Cole
Voter Comments:
Frech> XF:meetingmaker-weak-encryption
Christey> Add original Bugtraq reference at:
http://archives.neohapsis.com/archives/bugtraq/2000-04/0223.html
Also ADDREF XF:meetingmaker-weak-encryption
Name: CVE-2000-0333
Description:
tcpdump, Ethereal, and other sniffer packages allow
remote attackers to cause a denial of service via
malformed DNS packets in which a jump offset refers to
itself, which causes tcpdump to enter an infinite loop
while decompressing the packet.
Status: Candidate
Phase: Proposed (20000518)
Reference: BUGTRAQ:20000502 Denial of service
attack against tcpdump
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.SOL.4.10.10005021942380.2077-100000@paranoia.pgci.ca
Reference: BID:1165
Reference:
URL:http://www.securityfocus.com/bid/1165
Votes:
ACCEPT(3) Levy, Baker, Armstrong
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:sniffer-dns-decode-dos
Name: CVE-2000-0343
Description:
Buffer overflow in Sniffit 0.3.x with the -L logging
option enabled allows remote attackers to execute
arbitrary commands via a long MAIL FROM mail header.
Status: Candidate
Phase: Proposed (20000518)
Reference: BUGTRAQ:20000502 spj-003-000 - S0ftPj
Advisory
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200005021736.TAA01991@ALuSSi
Reference: BID:1158
Reference:
URL:http://www.securityfocus.com/bid/1158
Votes:
ACCEPT(2) Levy, Cole
MODIFY(2) Christey, Frech
NOOP(2) Wall, Armstrong
Voter Comments:
Frech> XF:sniffit-lmail-bo
Christey> This issue was rediscovered.
ADDREF BUGTRAQ:20020119 remote buffer overflow in sniffit
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101167452712383&w=2
ADDREF BUGTRAQ:20000525 `sniffit -L mail' vulnerabilities
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95928090612990&w=2
I reviewed the patch that was claimed in the 20020119 Bugtraq
post, and it could well address the issue. However, since the
patch is also dated around the time of the original Bugtraq
post, *and* it says that it's addressing an issue that's
discussed on Bugtraq, that is sufficient to establish
acknowledgement.
CHANGE> [Christey changed vote from NOOP to MODIFY]
Christey> XF:sniffit-normmail-l-bo(7933)
URL:http://www.iss.net/security_center/static/7933.php
Name: CVE-2000-0345
Description:
The on-line help system options in Cisco routers allow
non-privileged users without "enabled" access to obtain
sensitive information via the show command.
Status: Candidate
Phase: Proposed (20000518)
Reference: BUGTRAQ:20000502 Possible issue with
Cisco on-line help?
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000502222246.28423.qmail@securityfocus.com
Reference: BID:1161
Reference:
URL:http://www.securityfocus.com/bid/1161
Votes:
ACCEPT(1) Prosser
MODIFY(1) Frech
NOOP(5) Levy, Wall, Baker, Cole, Armstrong
REJECT(1) Balinsky
Voter Comments:
Levy> Arguably this is not a vulnerability. Cisco replied saying this
is standard behaviour that was simply not well documented. They have
no plans to change it and will simply document it better.
Frech> XF:cisco-online-help
Balinsky> As noted in a bugtraq posting by Lisa Napier from Cisco's Product Security Incident Response Team, this is a poorly documented feature. This is intended behavior, and does not represent a vulnerability in Cisco's opinion.
http://www.securityfocus.com/frames/?content=/templates/archive.pike?list=1&mid=59434
Prosser> Although Lisa Napier did say this issue was "functioning as designed", it was not intended to allow unprivileged access. Lisa did indicate that Cisco would be updating instructions on configuration to ensure proper user privileges. So, this should be considered IMHO an "exposure" vice a vulnerability, but security-related nonetheless.
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D20000502222246.28423.qmail@securityfocus.com
http://www.securityfocus.com/bid/1161
Name: CVE-2000-0355
Description:
pg and pb in SuSE pbpg 1.x package allow an attacker to
read arbitrary files.
Status: Candidate
Phase: Proposed (20000524)
Reference: SUSE:19990920 Security hole in pbpg
Reference:
URL:http://www.novell.com/linux/security/advisories/suse_security_announce_21.html
Reference: XF:linux-pb-fileread
Reference: XF:linux-pg-fileread
Votes:
ACCEPT(3) Levy, Baker, Frech
NOOP(1) Christey
Voter Comments:
Christey> ADDREF BID:1271
URL:http://www.securityfocus.com/bid/1271
Name: CVE-2000-0357
Description:
ORBit and esound in Red Hat Linux 6.1 do not use
sufficiently random numbers, which allows local users to
guess the authentication keys.
Status: Candidate
Phase: Proposed (20000524)
Reference: REDHAT:RHSA-1999:058-01
Reference:
URL:http://www.redhat.com/corp/support/errata/RHSA1999058-01.html
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Christey> ADDREF BID:1275
URL:http://www.securityfocus.com/bid/1275
Frech> XF:linux-orbit-esound-authentication-keys
Name: CVE-2000-0358
Description:
ORBit and gnome-session in Red Hat Linux 6.1 allow
remote attackers to crash a program.
Status: Candidate
Phase: Proposed (20000524)
Reference: REDHAT:RHSA-1999:058-01
Reference:
URL:http://www.redhat.com/corp/support/errata/RHSA1999058-01.html
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Christey> ADDREF BID:1283
URL:http://www.securityfocus.com/bid/1283
Frech> XF:linux-orbit-gnome-session-dos
Name: CVE-2000-0364
Description:
screen and rxvt in Red Hat Linux 6.0 do not properly set
the modes of tty devices, which allows local users to
write to other ttys.
Status: Candidate
Phase: Proposed (20000524)
Reference: BUGTRAQ:19990606 RedHat 6.0, /dev/pts
permissions bug when using xterm
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92877527701347&w=2
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92886009012161&w=2
Reference: REDHAT:RHSA1999014_01
Reference:
URL:http://www.redhat.com/corp/support/errata/RHSA1999014_01.html
Reference: BID:309
Reference:
URL:http://www.securityfocus.com/bid/309
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:linux-tty-improper-mode
Christey> BUGTRAQ:19990607 Re: RedHat 6.0, /dev/pts permissions bug when using xterm
http://marc.theaimsgroup.com/?l=bugtraq&m=92886008912147&w=2
BUGTRAQ:19990607 Re: Red Hat 6.0, /dev/pts permissions bug when using xterm
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92886358415964&w=2
Name: CVE-2000-0365
Description:
Red Hat Linux 6.0 installs the /dev/pts file system with
insecure modes, which allows local users to write to
other tty devices.
Status: Candidate
Phase: Proposed (20000524)
Reference: BUGTRAQ:19990606 RedHat 6.0, /dev/pts
permissions bug when using xterm
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92877527701347&w=2
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92886009012161&w=2
Reference: REDHAT:RHSA1999014_01
Reference:
URL:http://www.redhat.com/corp/support/errata/RHSA1999014_01.html
Reference: BID:308
Reference:
URL:http://www.securityfocus.com/bid/308
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:linux-dev-insecure-mode
Christey> BUGTRAQ:19990607 Re: RedHat 6.0, /dev/pts permissions bug when using xterm
http://marc.theaimsgroup.com/?l=bugtraq&m=92886008912147&w=2
BUGTRAQ:19990607 Re: Red Hat 6.0, /dev/pts permissions bug when using xterm
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92886358415964&w=2
Name: CVE-2000-0383
Description:
The file transfer component of AOL Instant Messenger
(AIM) reveals the physical path of the transferred file
to the remote recipient.
Status: Candidate
Phase: Modified (20000706-01)
Reference: BUGTRAQ:20000507 AOL Instant Messenger
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=002401bfb918$7310d5a0$1ef084ce@karemor.com
Reference: XF:aolim-file-path
Reference: BID:1180
Reference:
URL:http://www.securityfocus.com/bid/1180
Votes:
ACCEPT(5) Stracener, Levy, Cole, Frech, Ozancin
NOOP(3) Christey, Prosser, Baker
Voter Comments:
Christey> Normalize the Bugtraq reference!
Name: CVE-2000-0384
Description:
NetStructure 7110 and 7180 have undocumented accounts
(servnow, root, and wizard) whose passwords are easily
guessable from the NetStructure's MAC address, which
could allow remote attackers to gain root access.
Status: Candidate
Phase: Proposed (20000615)
Reference: L0PHT:20000508 NetStructure 7180
remote backdoor vulnerability
Reference:
URL:http://www.lopht.com/advisories/ipivot7110.html
Reference: L0PHT:20000508 NetStructure 7110
console backdoor
Reference:
URL:http://www.l0pht.com/advisories/ipivot7180.html
Reference: CONFIRM:http://216.188.41.136/
Reference: XF:netstructure-root-compromise
Reference: XF:netstructure-wizard-mode
Reference: BID:1182
Reference:
URL:http://www.securityfocus.com/bid/1182
Reference: BID:1183
Reference:
URL:http://www.securityfocus.com/bid/1183
Votes:
ACCEPT(6) Stracener, Levy, Prosser, Baker, Frech, Ozancin
NOOP(1) Cole
Name: CVE-2000-0385
Description:
FileMaker Pro 5 Web Companion allows remote attackers to
bypass Field-Level database security restrictions via
the XML publishing or email capabilities.
Status: Candidate
Phase: Proposed (20000615)
Reference:
MISC:http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html
Reference:
CONFIRM:http://www.filemaker.com/support/webcompanion.html
Reference: XF:macos-filemaker-xml
Reference: XF:macos-filemaker-email
Votes:
ACCEPT(5) Stracener, Prosser, Baker, Frech, Ozancin
MODIFY(1) Levy
NOOP(1) Cole
Voter Comments:
Levy> Reference: BID 1159
Name: CVE-2000-0386
Description:
FileMaker Pro 5 Web Companion allows remote attackers to
send anonymous or forged email.
Status: Candidate
Phase: Proposed (20000615)
Reference:
MISC:http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html
Reference:
CONFIRM:http://www.filemaker.com/support/webcompanion.html
Reference: XF:macos-filemaker-anonymous-email
Votes:
ACCEPT(5) Stracener, Prosser, Baker, Frech, Ozancin
MODIFY(1) Levy
NOOP(1) Cole
Voter Comments:
Levy> Reference: BID 1159
Name: CVE-2000-0400
Description:
The Microsoft Active Movie ActiveX Control in Internet
Explorer 5 does not restrict which file types can be
downloaded, which allows an attacker to download any
type of file to a user's system by encoding it within an
email message or news post.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000516 MICROSOFT SECURITY
FLAW?
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95868514521257&w=2
Reference: BID:1221
Reference:
URL:http://www.securityfocus.com/bid/1221
Reference: XF:ie-active-movie-control
Votes:
ACCEPT(4) Ozancin, Levy, Wall, Frech
NOOP(2) Stracener, Cole
REJECT(1) Christey
REVIEWING(1) LeBlanc
Voter Comments:
LeBlanc> COMMENT - this definitely will not work if the user has applied the security
patch. I don't know whether this repros right now, and have sent a query to
find out.
Christey> Is this now documented in MS:MS00-042?
LeBlanc> the problem isn't in the Active Movie control. What was
observed was a symptom of another problem that got fixed in
some bulletin or another - I don't remember.
Christey> According to Scott Culp, this existed because
the patch for the Cache Bypass vulnerability (MS:MS00-046,
CVE-2000-0621) was not applied, so this should be REJECTed
as a duplicate of CVE-2000-0621.
Name: CVE-2000-0401
Description:
Buffer overflows in redirect.exe and changepw.exe in
PDGSoft shopping cart allow remote attackers to execute
arbitrary commands via a long query string.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000525 Alert: PDG Cart
Overflows
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95928319715983&w=2
Reference: NTBUGTRAQ:20000525 Alert: PDG Cart
Overflows
Reference:
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=95928667119963&w=2
Reference:
CONFIRM:http://www.pdgsoft.com/Security/security2.html
Reference: BID:1256
Reference:
URL:http://www.securityfocus.com/bid/1256
Votes:
ACCEPT(2) Stracener, Levy
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:pdgsoft-changepw-bo
XF:pdgsoft-redirect-bo
Name: CVE-2000-0412
Description:
The gnapster and knapster clients for Napster do not
properly restrict access only to MP3 files, which allows
remote attackers to read arbitrary files from the client
by specifying the full pathname for the file.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000510 KNapster
Vulnerability Compromises User-readable Files
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0124.html
Reference: BUGTRAQ:20000510 Gnapster
Vulnerability Compromises User-readable Files
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0127.html
Reference: FREEBSD:FreeBSD-SA-00:18
Reference:
URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:18-gnapster.adv
Reference: XF:gnapster-view-files
Reference: BID:1186
Reference:
URL:http://www.securityfocus.com/bid/1186
Votes:
ACCEPT(4) Ozancin, Stracener, Levy, Baker
MODIFY(1) Frech
NOOP(2) Prosser, Cole
Voter Comments:
Frech> ADDREF XF:knapster-view-files
Name: CVE-2000-0413
Description:
The shtml.exe program in the FrontPage extensions
package of IIS 4.0 and 5.0 allows remote attackers to
determine the physical path of HTML, HTM, ASP, and SHTML
files by requesting a file that does not exist, which
generates an error message that reveals the path.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000506 shtml.exe reveal
local path of IIS web directory
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0084.html
Reference: BID:1174
Reference:
URL:http://www.securityfocus.com/bid/1174
Reference: XF:iis-shtml-reveal-path
Votes:
ACCEPT(7) Ozancin, Stracener, Levy, LeBlanc, Baker, Cole, Frech
MODIFY(1) Prosser
NOOP(1) Christey
Voter Comments:
Prosser> additional source Security BugWare
http://161.53.42.3/~crv/security/bugs/NT/fpse10.html comments on page re:
"MS soon to be released service release OSR 1.2 with needed changes."
I haven't located anything on MS site yet. Anyone help?
Christey> BID:1433 may also refer to this issue.
Christey> [note to self: review comments by Mark Burnett]
Christey> CHANGEREF XF:iis-shtml-reveal-path XF:frontpage-ext-shtml-path(4439)
LeBlanc> Fixes are up on site now - have been for a while.
Name: CVE-2000-0415
Description:
Buffer overflow in Outlook Express 4.x allows attackers
to cause a denial of service via a mail or news message
that has a .jpg or .bmp attachment with a long file
name.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000512 Overflow in Outlook
Express 4.* - too long filenames with graphic format
extension
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0140.html
Reference: BID:1195
Reference:
URL:http://www.securityfocus.com/bid/1195
Votes:
ACCEPT(3) Ozancin, Levy, Wall
MODIFY(1) Frech
NOOP(3) Stracener, Christey, Cole
REJECT(1) LeBlanc
Voter Comments:
LeBlanc> The poster re-discovered a vulnerability we patched two years
ago, in
http://www.microsoft.com/technet/security/bulletin/ms98-008.asp
Microsoft posted a response to BugTraq when this one went
public, and reminded them that we'd already patched it.
BTW, I think we want to try and pay attention to follow-ups to
these threads in order to minimize noise in the process.
Christey> Based on David's comments, this is covered by CVE-1999-0002.
However, that candidate may wind up being SPLIT, so I will
keep this one around for the moment.
With respect to watching followups, we are relying quite
a bit on other data feeds instead of doing our own reviews
of all the different data sources. The data feeds may report
these problems as new before corrections are posted.
Followups do often lend additional information to the
candidates, and as is the case with this one, we will
often catch the discrepancy before the candidate becomes an
official entry, whether by MITRE's own analysis or by that
of other Board members.
Frech> XF:outlook-image-long-filename
Name: CVE-2000-0420
Description:
The default configuration of SYSKEY in Windows 2000
stores the startup key in the registry, which could
allow an attacker tor ecover it and use it to decrypt
Encrypted File System (EFS) data.
Status: Candidate
Phase: Proposed (20000615)
Reference: NTBUGTRAQ:20000511 ISS SAVANT Advisory
00/26
Reference:
URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0112.html
Reference: BID:1198
Reference:
URL:http://www.securityfocus.com/bid/1198
Votes:
ACCEPT(2) Ozancin, Levy
MODIFY(1) Frech
NOOP(2) Stracener, Cole
REJECT(1) LeBlanc
REVIEWING(1) Wall
Voter Comments:
LeBlanc> This is not a vulnerability. It is essentially an advisory on best
practices. Also, the description is extremely inaccurate. If I weren't
intimately familiar with the issue, I would not be able to understand it
from this. Syskey, when applied at lower levels, has well-documented
limitations.
Stracener> "..to recover"
Frech> XF:win2k-syskey-default-configuration
Change "tor ecover" to "to recover"
Name: CVE-2000-0422
Description:
Buffer overflow in Netwin DMailWeb CGI program allows
remote attackers to execute arbitrary commands via a
long utoken parameter.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000504 Alert: DMailWeb
buffer overflow
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95749276827558&w=2
Reference: XF:http-cgi-dmailweb-bo
Reference: BID:1171
Reference:
URL:http://www.securityfocus.com/bid/1171
Votes:
ACCEPT(5) Ozancin, Stracener, Levy, Prosser, Frech
NOOP(2) Baker, Cole
Name: CVE-2000-0423
Description:
Buffer overflow in Netwin DNEWSWEB CGI program allows
remote attackers to execute arbitrary commands via long
parameters such as group, cmd, and utag.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000505 Alert: DNewsWeb
buffer overflow
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95764950403250&w=2
Reference: XF:http-cgi-dnews-bo
Reference: BID:1172
Reference:
URL:http://www.securityfocus.com/bid/1172
Votes:
ACCEPT(5) Ozancin, Stracener, Levy, Prosser, Frech
NOOP(2) Baker, Cole
Name: CVE-2000-0429
Description:
A backdoor password in Cart32 3.0 and earlier allows
remote attackers to execute arbitrary commands.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000427 Alert: Cart32 secret
password backdoor (CISADV000427)
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95686068203138&w=2
Reference:
CONFIRM:http://www.cart32.com/kbshow.asp?article=c048
Votes:
ACCEPT(3) Ozancin, Stracener, Prosser
MODIFY(2) Levy, Frech
NOOP(2) Baker, Cole
Voter Comments:
Levy> Reference: BID 1153
Frech> XF:cart32-admin-password
Name: CVE-2000-0433
Description:
The SuSE aaa_base package installs some system accounts
with home directories set to /tmp, which allows local
users to gain privileges to those accounts by creating
standard user startup scripts such as profiles.
Status: Candidate
Phase: Proposed (20000615)
Reference: SUSE:20000502 aaabase < 2000.5.2
Reference:
URL:http://www.novell.com/linux/security/advisories/suse_security_announce_47.html
Reference: XF:aaabase-execute-dot-files
Votes:
ACCEPT(6) Ozancin, Stracener, Levy, Baker, Cole, Frech
MODIFY(1) Prosser
Voter Comments:
Prosser> add source:
SecurityFocus
BID1357
SuSE Linux aaabase User Account with /tmp Home Vulnerability
http://www.securityfocus.com/bid/1357
CHANGE> [Levy changed vote from REVIEWING to ACCEPT]
Name: CVE-2000-0434
Description:
The administrative password for the Allmanage web site
administration software is stored in plaintext in a file
which could be accessed by remote attackers.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000516 Allmanage.pl
Vulnerabilities
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0167.html
Reference: BID:1217
Reference:
URL:http://www.securityfocus.com/bid/1217
Votes:
ACCEPT(3) Ozancin, Stracener, Levy
MODIFY(1) Frech
NOOP(3) LeBlanc, Wall, Cole
Voter Comments:
Frech> XF:http-cgi-allmanage-plaintext-admin
Name: CVE-2000-0444
Description:
HP Web JetAdmin 6.0 allows remote attackers to cause a
denial of service via a malformed URL to port 8000.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000524 HP Web JetAdmin
Version 6.0 Remote DoS attack Vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0277.html
Reference: XF:hp-jetadmin-malformed-url-dos
Reference: BID:1246
Reference:
URL:http://www.securityfocus.com/bid/1246
Votes:
ACCEPT(4) Stracener, Levy, Prosser, Frech
NOOP(2) Wall, Cole
REVIEWING(1) Christey
Voter Comments:
Christey> ADDREF CONFIRM:http://www.hp.com/cposupport/networking/support_doc/bpj06522.html
Christey> HP:HPSBUX0006-116 ?
XF:jetadmin-network-dos
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Prosser> Vendor acknowledged in HP Bulletin HPSBUX0006-116 with upgrade info.
Name: CVE-2000-0449
Description:
Omnis Studio 2.4 uses weak encryption (trivial encoding)
for encrypting database fields.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000525 Omnis Weak Encryption
- Many products affected
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0311.html
Reference: BID:1255
Reference:
URL:http://www.securityfocus.com/bid/1255
Votes:
ACCEPT(2) Stracener, Levy
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:omnis-studio-weak-encryption
Name: CVE-2000-0450
Description:
Vulnerability in bbd server in Big Brother System and
Network Monitor allows an attacker to execute arbitrary
commands.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000518 FW: Security Notice:
Big Brother System and Network Monitor
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0216.html
Reference: BID:1257
Reference:
URL:http://www.securityfocus.com/bid/1257
Votes:
ACCEPT(3) Ozancin, Stracener, Levy
MODIFY(1) Frech
NOOP(3) Christey, Wall, Cole
RECAST(1) LeBlanc
Voter Comments:
LeBlanc> I have no idea what this one is talking about from the description. I also
don't think it involves "Network Monitor", which is a component of Windows
NT/Windows 2000. This should be clarified.
Frech> XF:big-brother-bbd-bo
Christey> The original advisory, as forwarded to Bugtraq, does not
provide any details, so the description is necessarily vague.
Also, the home page at http://bb4.com has it referring to
itself as "Big Brother System and Network Monitor," so
"Network Monitor" is apparently part of the name of the product.
Change this description to mention version 1.4g, to distinguish
from other Big Brother vulnerabilities.
Name: CVE-2000-0473
Description:
Buffer overflow in AnalogX SimpleServer 1.05 allows a
remote attacker to cause a denial of service via a long
GET request for a program in the cgi-bin directory.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:19991231 Local / Remote GET
Buffer Overflow Vulnerability in AnalogX
SimpleServer:WWW HTTP Server v1.1
Reference:
MISC:http://www.analogx.com/contents/download/network/sswww.htm
Reference: BID:1349
Reference:
URL:http://www.securityfocus.com/bid/1349
Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> Appears to be the same as, or similar to, CVE-2000-0011, which was
also discovered by USSR. Comments on the AnalogX web site are
decidedly sparse. In CVE-2000-0011, USSR only claims that
the vendor was informed, so is this still the same problem?
XF:simpleserver-long-url-dos
Frech> XF:simpleserver-long-url-dos(4693)
Please review whether your BUGTRAQ:19991231 reference is correct; seems like
this is the reference to CVE-2000-0011: Buffer overflow in AnalogX
SimpleServer:WWW HTTP server allows remote attackers to execute commands via
a long GET request. They are subtle; almost the only thing that changed was
the version.
A possible reference is "Remote DoS attack in AnalogX SimpleServer WWW
Version 1.05 Vulnerability" at http://www.ussrback.com/labs45.html.
Name: CVE-2000-0476
Description:
xterm, Eterm, and rxvt allow an attacker to cause a
denial of service by embedding certain escape characters
which force the window to be resized.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000601 [rootshell.com] Xterm
DoS Attack
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0409.html
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0420.html
Reference: BID:1298
Reference:
URL:http://www.securityfocus.com/bid/1298
Votes:
ACCEPT(2) Ozancin, Levy
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
Voter Comments:
Frech> XF:xterm-control-characters-dos(4987)
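The entry above describes untrusted text carrying terminal escape sequences that make xterm-family emulators resize their window. The practical defence is to strip such sequences from anything untrusted before it is echoed to a terminal (log viewers, `tail -f` on web logs, chat clients). The following is an added example, not code from the page or from any of the affected projects; the sequence framing follows ECMA-48, and the "CSI ... t" window-manipulation family (including the `ESC[8;rows;colst` resize) is xterm's documented behaviour as I know it, not a detail taken from the advisory. The sample log line is constructed.

```python
import re

# Framing of the sequences a terminal interprets (ECMA-48):
#   CSI  ESC [ params intermediates final     e.g. ESC[8;1;1t  (xterm window op: resize)
#   OSC  ESC ] text (BEL | ESC \)             e.g. title changes
#   two-byte ESC sequences, plus raw C0/C1 controls other than tab and newline.
CSI_RE = re.compile(r"(?:\x1b\[|\x9b)[0-?]*[ -/]*[@-~]")
OSC_RE = re.compile(r"(?:\x1b\]|\x9d)[^\x07\x1b\x9c]*(?:\x07|\x1b\\|\x9c)?")
ESC2_RE = re.compile(r"\x1b[\x40-\x5f]")
CTRL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def find_window_ops(text: str):
    """CSI sequences whose final byte is 't': xterm's window-manipulation family
    (resize, iconify, move). Useful as a detection rule over untrusted log data."""
    return [m.group(0) for m in CSI_RE.finditer(text) if m.group(0).endswith("t")]


def strip_terminal_controls(text: str) -> str:
    """Remove every escape or control sequence before untrusted text reaches a terminal.
    Tab and newline are kept; everything else a terminal would act on is dropped."""
    text = OSC_RE.sub("", text)    # OSC first: its ESC \ terminator contains an ESC of its own
    text = CSI_RE.sub("", text)
    text = ESC2_RE.sub("", text)   # leftover two-byte ESC sequences
    return CTRL_RE.sub("", text)   # bare ESC, BEL, other C0/C1 bytes


if __name__ == "__main__":
    # Constructed log line that embeds a resize and a title change.
    sample = "user login from 10.0.0.5 \x1b[8;1;1t\x1b]0;pwned\x07 done"
    print(find_window_ops(sample))
    print(strip_terminal_controls(sample))
```

Stripping rather than escaping is the right default for a log viewer; if the sequences themselves need to be preserved for forensics, keep the raw bytes in the stored record and sanitise only on display.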
Name: CVE-2000-0479
Description:
Dragon FTP server allows remote attackers to cause a
denial of service via a long USER command.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000616 Multiples Remotes DoS
Attacks in Dragon Server v1.00 and v2.00
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96113734714517&w=2
Reference: BID:1352
Reference:
URL:http://www.securityfocus.com/bid/1352
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Christey> XF:dragon-ftp-dos
Frech> XF:dragon-ftp-dos(4691)
Name: CVE-2000-0480
Description:
Dragon telnet server allows remote attackers to cause a
denial of service via a long username.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000616 Multiples Remotes DoS
Attacks in Dragon Server v1.00 and v2.00
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96113734714517&w=2
Reference: BID:1352
Reference:
URL:http://www.securityfocus.com/bid/1352
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Christey> XF:dragon-telnet-dos
Frech> XF:dragon-ftp-dos(4691)
Name: CVE-2000-0487
Description:
The Protected Store in Windows 2000 does not properly
select the strongest encryption when available, which
causes it to use a default of 40-bit encryption instead
of 56-bit DES encryption, aka the "Protected Store Key
Length" vulnerability.
Status: Candidate
Phase: Proposed (20000712)
Reference: MS:MS00-032
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms00-032.asp
Reference: BID:1295
Reference:
URL:http://www.securityfocus.com/bid/1295
Votes:
ACCEPT(3) Levy, LeBlanc, Wall
MODIFY(1) Frech
NOOP(1) Ozancin
Voter Comments:
Frech> XF:ms-protected-store(4589)
Name: CVE-2000-0491
Description:
Buffer overflow in the XDMCP parsing code of GNOME gdm,
KDE kdm, and wdm allows remote attackers to execute
arbitrary commands or cause a denial of service via a
long FORWARD_QUERY request.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000521 "gdm" remote hole
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0241.html
Reference: SUSE:20000524 Security hole in gdm <=
2.0beta4-25
Reference:
URL:http://www.novell.com/linux/security/advisories/suse_security_announce_49.html
Reference: BUGTRAQ:20000607 Conectiva Linux
Security Announcement - gdm
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0025.html
Reference: CALDERA:CSSA-2000-013.0
Reference:
URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-013.0.txt
Reference: BID:1233
Reference:
URL:http://www.securityfocus.com/bid/1233
Reference: BID:1279
Reference:
URL:http://www.securityfocus.com/bid/1279
Reference: BID:1370
Reference:
URL:http://www.securityfocus.com/bid/1370
Votes:
MODIFY(2) Levy, Frech
NOOP(2) LeBlanc, Wall
REVIEWING(2) Ozancin, Christey
Voter Comments:
Levy> The BID 1233 vuln is different from the other ones. BID 1233 uses

a FORWARD_QUERY request to overflow an in_addr structure via a memmove
in daemon/xdmcp.c, gdm_xdmcp_handle_forward_query(). In BID 1370
a buffer is overflowed by a sprintf in xdmcp.c, send_failed().
Frech> XF:gnome-gdm-bo(4530)
Christey> MANDRAKE:MDKSA-2001:070
URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-070.php3
Christey> BUGTRAQ:20000527 gdm exploit
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96017189021021&w=2
Consider REDHAT:RHSA-2000:027
Christey> RHSA-2000:027 confirmed via Mark Cox
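Levy's comment above pins the BID 1233 issue to a FORWARD_QUERY whose client-address field is copied into a struct in_addr without a length check. The following is an added example, not gdm, kdm or wdm code: a strict parser for that datagram that enforces the missing bound. Field order (client address, client port, authentication names, each as a length-prefixed ARRAY8) and the opcode value follow the XDMCP protocol specification as I recall it; the packets are constructed in the block, and the 4-byte limit is sizeof(struct in_addr).

```python
import struct

XDMCP_VERSION = 1
OP_FORWARD_QUERY = 4      # opcode per the XDMCP protocol spec (assumption: from memory)
IN_ADDR_LEN = 4           # sizeof(struct in_addr), the destination of the copy


class XdmcpError(ValueError):
    """Any malformed or oversized field: the daemon should drop the datagram."""


def _array8(buf: bytes, off: int):
    """ARRAY8: CARD16 big-endian length, then that many bytes. The length is never trusted."""
    if off + 2 > len(buf):
        raise XdmcpError("truncated ARRAY8 length at offset %d" % off)
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise XdmcpError("ARRAY8 of %d bytes runs past end of packet" % n)
    return buf[off:off + n], off + n


def parse_forward_query(pkt: bytes, max_addr_len: int = IN_ADDR_LEN) -> dict:
    """Parse a FORWARD_QUERY, refusing a client address longer than the buffer it is copied into."""
    if len(pkt) < 6:
        raise XdmcpError("short header")
    version, opcode, length = struct.unpack_from(">HHH", pkt, 0)
    if version != XDMCP_VERSION:
        raise XdmcpError("unsupported version %d" % version)
    if opcode != OP_FORWARD_QUERY:
        raise XdmcpError("not a FORWARD_QUERY (opcode %d)" % opcode)
    if length != len(pkt) - 6:
        raise XdmcpError("header length %d != body length %d" % (length, len(pkt) - 6))
    body = pkt[6:]
    addr, off = _array8(body, 0)
    if len(addr) > max_addr_len:      # the check whose absence let memmove overflow in_addr
        raise XdmcpError("client address is %d bytes, buffer holds %d" % (len(addr), max_addr_len))
    port, off = _array8(body, off)
    if len(port) != 2:
        raise XdmcpError("client port must be 2 bytes")
    if off >= len(body):
        raise XdmcpError("missing authentication-name count")
    count, off = body[off], off + 1
    names = []
    for _ in range(count):
        name, off = _array8(body, off)
        names.append(name)
    if off != len(body):
        raise XdmcpError("%d trailing bytes" % (len(body) - off))
    return {"addr": addr, "port": struct.unpack(">H", port)[0], "auth_names": names}


def build_forward_query(addr: bytes, port: int, names=()) -> bytes:
    """Encode a FORWARD_QUERY; used here to construct both a benign and an oversized packet."""
    body = struct.pack(">H", len(addr)) + addr
    body += struct.pack(">H", 2) + struct.pack(">H", port)
    body += bytes([len(names)]) + b"".join(struct.pack(">H", len(n)) + n for n in names)
    return struct.pack(">HHH", XDMCP_VERSION, OP_FORWARD_QUERY, len(body)) + body


def is_rejected(pkt: bytes) -> bool:
    """True when the parser drops the datagram."""
    try:
        parse_forward_query(pkt)
    except XdmcpError:
        return True
    return False


if __name__ == "__main__":
    benign = build_forward_query(bytes([10, 0, 0, 5]), 6000, [b"MIT-MAGIC-COOKIE-1"])
    print(parse_forward_query(benign))
    print("oversized address rejected:", is_rejected(build_forward_query(b"A" * 300, 6000)))
```

Every length in the packet is checked against the bytes actually received and against the destination buffer, which is the general rule for any binary protocol parser; an implementation that also accepts IPv6 would pass max_addr_len=16 and size its buffer accordingly.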
Name: CVE-2000-0492
Description:
PassWD 1.2 uses weak encryption (trivial encoding) to
store passwords, which allows an attacker who can read
the password file to easily decrypt the passwords.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Insecure encryption
in PassWD v1.2
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0450.html
Reference: BID:1300
Reference:
URL:http://www.securityfocus.com/bid/1300
Votes:
ACCEPT(1) Levy
MODIFY(2) Ozancin, Frech
NOOP(2) LeBlanc, Wall
Voter Comments:
Ozancin> change "attacker who can read the password" to "attacker to decrypt and read
the password"
Frech> XF:passwd-weak-encryption(4596)
Name: CVE-2000-0503
Description:
The IFRAME of the WebBrowser control in Internet
Explorer 5.01 allows a remote attacker to violate the
cross frame security policy via the NavigateComplete2
event.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000606 IE 5 Cross-frame
security vulnerability using IFRAME and WebBrowser
control
Reference:
URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0154.html
Reference: BID:1311
Reference:
URL:http://www.securityfocus.com/bid/1311
Votes:
ACCEPT(1) Levy
MODIFY(2) Frech, Wall
NOOP(2) Ozancin, LeBlanc
REVIEWING(1) Christey
Voter Comments:
Wall> This affects more than IE 5.01. See http://www.securityfocus.com/bid/1311 for
all versions of IE that this affects. Works on Windows 98, IE 5.01 and IE 5.5.
LeBlanc> If this is the one I was discussing offline with Steve, ACCEPT
Frech> XF:ie-cross-frame(4610)
Christey> Make sure this is the one I was discussing offline with David :-)
Frech> CVE-2000-0503 was reassigned to ie-frame-domain-file-access(5504) from
ie-cross-frame(4610), which was obsoleted and redirected to this
issue. Since these are the same issues but just described differently,
CVE-2000-0503 appears to be a dupe of CVE-2000-0768.
Name: CVE-2000-0509
Description:
Buffer overflows in the finger and whois demonstration
scripts in Sambar Server 4.3 allow remote attackers to
execute arbitrary commands via a long hostname.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000601 DST2K0008: Buffer
Overrun in Sambar Server 4.3
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95990103207665&w=2
Reference: BID:1287
Reference:
URL:http://www.securityfocus.com/bid/1287
Votes:
ACCEPT(2) Ozancin, Levy
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
Voter Comments:
Frech> XF:sambar-dll-bo(4592)
Name: CVE-2000-0520
Description:
Buffer overflow in restore program 0.4b17 and earlier in
dump package allows local users to execute arbitrary
commands via a long tape name.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000630 CONECTIVA LINUX
SECURITY ANNOUNCEMENT - dump
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96240393814071&w=2
Reference:
MISC:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11880
Reference: BID:1330
Reference:
URL:http://www.securityfocus.com/bid/1330
Votes:
ACCEPT(2) Levy, Prosser
MODIFY(1) Frech
NOOP(4) Ozancin, Christey, LeBlanc, Wall
Voter Comments:
Christey> ADDREF BUGTRAQ:20000711 MDKSA-2000:018 dump update
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0166.html
Frech> XF:linux-restore-bo(4647)
Prosser> Add Sources:
http://www.linux-mandrake.com/en/updates/2000/MDKSA-2000-018.php3?dis=6.0
http://www.redhat.com/support/errata/RHSA-2000-100.html
Name: CVE-2000-0524
Description:
Microsoft Outlook and Outlook Express allow remote
attackers to cause a denial of service by sending email
messages with blank fields such as BCC, Reply-To,
Return-Path, or From.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000604 Microsoft Outlook
(Express) bug..
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0045.html
Reference: BID:1333
Reference:
URL:http://www.securityfocus.com/bid/1333
Votes:
MODIFY(3) Frech, Levy, LeBlanc
NOOP(1) Ozancin
RECAST(1) Wall
Voter Comments:
Levy> There were plenty of people that could not reproduce the problem although
some did. More research (as in actual testing) is probably required.
LeBlanc> This entry does not specify which versions of Outlook are vulnerable, nor
is that clear from the BUGTRAQ record. It is much too broad to say just
"Outlook" when it is definitely not all versions of Outlook. The problem
appears confined to some version of Outlook 97, and if I recall correctly,
there has been a patch for this for quite some time.
Frech> XF:outlook-header-dos(4645)
CHANGE> [Wall changed vote from REVIEWING to RECAST]
Wall> UNABLE TO DUPLICATE
Name: CVE-2000-0526
Description:
mailview.cgi CGI program in MailStudio 2000 2.0 and
earlier allows remote attackers to read arbitrary files
via a .. (dot dot) attack.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Mailstudio2000 CGI
Vulnerabilities [S0ftPj.4]
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0081.html
Reference: BID:1335
Reference:
URL:http://www.securityfocus.com/bid/1335
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(4) Ozancin, Christey, LeBlanc, Wall
Voter Comments:
Christey> ADDREF XF:mailstudio-view-files
Frech> XF:mailstudio-view-files(4737)
Name: CVE-2000-0527
Description:
userreg.cgi CGI program in MailStudio 2000 2.0 and
earlier allows remote attackers to execute arbitrary
commands via shell metacharacters.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Mailstudio2000 CGI
Vulnerabilities [S0ftPj.4]
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0081.html
Reference: BID:1335
Reference:
URL:http://www.securityfocus.com/bid/1335
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(4) Ozancin, Christey, LeBlanc, Wall
Voter Comments:
Christey> Modify description - explicitly mention %0a string; other
metachar's are filtered
Frech> XF:mailstudio-cgi-input-vaildation(4739)
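The two MailStudio entries above are the two classic CGI input failures side by side: mailview.cgi builds a file path from a parameter without containing it (CVE-2000-0526), and userreg.cgi filters some shell metacharacters but, per Christey's comment, not %0a (CVE-2000-0527). The following is an added example, not MailStudio code: it shows where the traversal lands, the canonicalise-then-check fix, and why the newline survives a denylist while an allowlist stops it. The data directory, the denylist contents and the parameter values are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

DATA_ROOT = "/var/www/mailstudio/data"   # constructed base directory, not the product's layout


def vulnerable_mailview_path(mailbox_param: str) -> str:
    """Concatenates the CGI parameter onto the base directory, so '..' walks out of it.
    normpath only shows where the open() would land; a real server would open it."""
    return posixpath.normpath(posixpath.join(DATA_ROOT, mailbox_param))


def safe_mailview_path(mailbox_param: str) -> str:
    """Canonicalise, then require the result to still be inside DATA_ROOT.
    On a live filesystem also apply os.path.realpath so symlinks cannot escape either."""
    candidate = posixpath.normpath(posixpath.join(DATA_ROOT, mailbox_param))
    if posixpath.commonpath([DATA_ROOT, candidate]) != DATA_ROOT:
        raise ValueError("path escapes data root: %s" % candidate)
    return candidate


def escapes_data_root(mailbox_param: str) -> bool:
    """True when the hardened check rejects the parameter."""
    try:
        safe_mailview_path(mailbox_param)
    except ValueError:
        return True
    return False


# A denylist of the kind the voter comment implies: common metacharacters removed, newline not.
SHELL_META_DENYLIST = set(";|&`$<>()'\"")


def denylist_filter(value: str) -> str:
    return "".join(ch for ch in value if ch not in SHELL_META_DENYLIST)


ALLOWED_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def allowlist_ok(value: str) -> bool:
    """Positive validation: only characters a username legitimately needs. Newline cannot pass."""
    return ALLOWED_USERNAME.fullmatch(value) is not None


def analyze_userreg_value(raw_query_value: str) -> dict:
    """Trace what would reach a shell when the CGI URL-decodes the value and applies only the denylist."""
    decoded = unquote(raw_query_value)          # "%0a" becomes "\n"
    survives = denylist_filter(decoded)
    return {
        "decoded": decoded,
        "after_denylist": survives,
        # A POSIX shell treats newline as a command separator: each line is its own command.
        "shell_commands": [c for c in survives.split("\n") if c],
        "allowlist_ok": allowlist_ok(decoded),
    }


if __name__ == "__main__":
    print(vulnerable_mailview_path("../../../../etc/passwd"))
    print(escapes_data_root("../../../../etc/passwd"), escapes_data_root("inbox/msg0001.txt"))
    print(analyze_userreg_value("alice%0a/bin/id"))
```

The allowlist is only half of the fix for userreg.cgi; the other half is never handing the value to a shell at all (an argv list with shell=False, or no external command), so that an unexpected character can at worst be an invalid argument rather than a second command.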
Name: CVE-2000-0531
Description:
Linux gpm program allows local users to cause a denial
of service by flooding the /dev/gpmctl device with
STREAM sockets.
Status: Candidate
Phase: Modified (20040818)
Reference: BUGTRAQ:20000620 Bug in gpm
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10006201453090.1812-200000@apollo.aci.com.pl
Reference: REDHAT:RHSA-2000:045
Reference:
URL:http://www.redhat.com/support/errata/RHSA-2000-045.html
Reference: BUGTRAQ:20000728 MDKSA:2000-025 gpm
update
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0409.html
Reference: BID:1377
Reference:
URL:http://www.securityfocus.com/bid/1377
Reference: XF:linux-gpm-gpmctl-dos
Reference:
URL:http://xforce.iss.net/static/5010.php
Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:linux-gpm-gpmctl-dos(5010)
Christey> ADDREF REDHAT:RHSA-2000:045-01
ADDREF BUGTRAQ:20000728 MDKSA:2000-025 gpm update
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0409.html
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Per Andre Frech's comments for CVE-2000-0667.
Name: CVE-2000-0535
Description:
OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly
check for the existence of the /dev/random or
/dev/urandom devices, which are absent on FreeBSD Alpha
systems, which causes them to produce weak keys which
may be more easily broken.
Status: Candidate
Phase: Proposed (20000712)
Reference: FREEBSD:FreeBSD-SA-00:25
Reference:
URL:http://archives.neohapsis.com/archives/freebsd/2000-06/0083.html
Reference: BID:1340
Reference:
URL:http://www.securityfocus.com/bid/1340
Votes:
ACCEPT(2) Ozancin, Levy
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> ADDREF NETBSD
http://archives.neohapsis.com/archives/bugtraq/2000-06/0208.html
Frech> XF:freebsd-alpha-weak-encryption(4704)
Christey> ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-007.txt.asc
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Should the NetBSD problem really be combined with this?
Name: CVE-2000-0543
Description:
The command port for PGP Certificate Server 2.5.0 and
2.5.1 allows remote attackers to cause a denial of
service if their hostname does not have a reverse DNS
entry and they connect to port 4000.
Status: Candidate
Phase: Modified (20001010-1)
Reference: BUGTRAQ:20000614 Remote DoS attack in
Networks Associates PGP Certificate Server Version 2.5
Vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0107.html
Reference: BID:1343
Reference:
URL:http://www.securityfocus.com/bid/1343
Reference: XF:pgp-cert-server-dos
Reference:
URL:http://xforce.iss.net/static/4695.php
Votes:
ACCEPT(5) Collins, Ozancin, Levy, Baker, Cole
MODIFY(1) Frech
NOOP(1) Armstrong
REVIEWING(1) Christey
Voter Comments:
Christey> XF:pgp-cert-server-dos
Frech> XF:pgp-cert-server-dos(4695)
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Need to consult Jim Magdych on this one.
Name: CVE-2000-0544
Description:
Windows NT and Windows 2000 hosts allow a remote
attacker to cause a denial of service via malformed
DCE/RPC SMBwriteX requests that contain an invalid data
length.
Status: Candidate
Phase: Proposed (20000712)
Reference: NTBUGTRAQ:20000604 anonymous SMBwriteX
DoS
Reference:
URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0231.html
Reference: BID:1304
Reference:
URL:http://www.securityfocus.com/bid/1304
Votes:
ACCEPT(2) Levy, LeBlanc
MODIFY(1) Frech
NOOP(1) Ozancin
REVIEWING(2) Christey, Wall
Voter Comments:
Frech> XF:nt-smb-request-dos(4600)
Christey> Consult with Microsoft to see if this is MS:MS00-066
Christey> ADDREF MS:MS00-066
(confirmed offline with David LeBlanc)
Subsequently, add BID:1673 and XF:win2k-rpc-dos(5222)
Name: CVE-2000-0545
Description:
Buffer overflow in mailx mail command (aka Mail) on
Linux systems allows local users to gain privileges via
a long -c (carbon copy) parameter.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000602 /usr/bin/Mail exploit
for Slackware 7.0 (mail-slack.c)
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0435.html
Reference: DEBIAN:20000605 mailx: mail group
exploit in mailx
Reference:
URL:http://www.debian.org/security/2000/20000605
Reference: BID:1305
Reference:
URL:http://www.securityfocus.com/bid/1305
Votes:
ACCEPT(2) Ozancin, Levy
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:sgi-mailx-bo(1371)
CVE-2000-0545 seems to be a dupe of CVE-1999-0125 (Buffer overflow in SGI
IRIX mailx program) since they both allow 'mail' group privileges. There was
no exploit for SGI's vuln to compare.
Christey> Since we are taking a split-by-default approach when
there are insufficient details, we should keep this
separate from CVE-1999-0125. The difference in the
time of discovery is also a factor, even if these wind
up being the same problem. However, there just aren't
enough details to be sure if this is the same problem or not.
Christey> On June 25, 1998, a buffer overflow in mailx via the HOME
environmental variable was posted at:
BUGTRAQ:19980625 security hole in mailx
http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125955&w=2
This affected multiple OSes.
SGI:19980605-01-PX (CVE-1999-0125) was published on September
29, 1998; while the advisory is short on details, it does
mention a buffer overflow.
So, there's enough distinction here (time and what gets
exploited) to say that these should remain split; but
CVE-1999-0125 likely needs to be RECAST to mention other
affected OSes.
Name: CVE-2000-0546
Description:
Buffer overflow in Kerberos 4 KDC program allows remote
attackers to cause a denial of service via the lastrealm
variable in the set_tgtkey function.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Security Advisory:
MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0064.html
Reference:
CONFIRM:http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt
Reference: CERT:CA-2000-11
Reference:
URL:http://www.cert.org/advisories/CA-2000-11.html
Reference: CIAC:K-051
Reference:
URL:http://ciac.llnl.gov/ciac/bulletins/k-051.shtml
Reference: BID:1338
Reference:
URL:http://www.securityfocus.com/bid/1338
Votes:
ACCEPT(2) Ozancin, Levy
MODIFY(2) Frech, Cox
NOOP(3) Christey, LeBlanc, Wall
Voter Comments:
Christey> ADDREF XF:kerberos-lastrealm-bo
Frech> XF:kerberos-lastrealm-bo(4656)
I question whether BID-1338 is appropriate here.
Cox> ADDREF REDHAT:RHSA-2000:031
Name: CVE-2000-0547
Description:
Buffer overflow in Kerberos 4 KDC program allows remote
attackers to cause a denial of service via the
localrealm variable in the process_v4 function.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Security Advisory:
MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0064.html
Reference:
CONFIRM:http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt
Reference: CERT:CA-2000-11
Reference:
URL:http://www.cert.org/advisories/CA-2000-11.html
Reference: CIAC:K-051
Reference:
URL:http://ciac.llnl.gov/ciac/bulletins/k-051.shtml
Reference: BID:1338
Reference:
URL:http://www.securityfocus.com/bid/1338
Votes:
ACCEPT(2) Ozancin, Levy
MODIFY(2) Frech, Cox
NOOP(2) LeBlanc, Wall
Voter Comments:
Frech> XF:kerberos-localrealm-bo(4657)
I question whether BID-1338 is appropriate here.
Cox> ADDREF REDHAT:RHSA-2000:031
Name: CVE-2000-0554
Description:
Ceilidh allows remote attackers to obtain the real path
of the Ceilidh directory via the translated_path hidden
form field.
Status: Candidate
Phase: Proposed (20000712)
Reference: NTBUGTRAQ:20000608 DST2K0010: DoS &
Path Revealing Vulnerability in Ceilidh v2.60a
Reference:
URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0246.html
Reference: BID:1320
Reference:
URL:http://www.securityfocus.com/bid/1320
Votes:
ACCEPT(2) Levy, Cole
MODIFY(1) Frech
NOOP(4) Ozancin, Christey, LeBlanc, Wall
Voter Comments:
Christey> ADDREF XF:ceilidh-path-disclosure
Frech> XF:ceilidh-path-disclosure(4620)
Name: CVE-2000-0559
Description:
eTrust Intrusion Detection System (formerly
SessionWall-3) uses weak encryption (XOR) to store
administrative passwords in the registry, which allows
local users to easily decrypt the passwords.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000607 SessionWall-3 Paper +
(links to) code
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSO.4.21.0006072124320.28062-100000@bearclaw.bogus.net
Reference: BID:1341
Reference:
URL:http://www.securityfocus.com/bid/1341
Votes:
ACCEPT(2) Ozancin, Levy
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
Voter Comments:
Frech> XF:etrust-weak-password-encryption(5051)
Name: CVE-2000-0562
Description:
BlackIce Defender 2.1 and earlier, and BlackIce Pro
2.0.23 and earlier, do not properly block Back Orifice
traffic when the security setting is Nervous or lower.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000620 BlackICE by Network
ICE Corp vulnerability against Back Orifice 1.2
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0190.html
Votes:
ACCEPT(3) Levy, Cole, Armstrong
MODIFY(2) Frech, Baker
NOOP(1) Ozancin
REVIEWING(1) Christey
Voter Comments:
Levy> What do others think? Should this be a vuln? I can see the argument
that some features are simply not available unless you use the maximum
security settings.
Christey> At the very least, this needs to be modified to state that
this problem/concern applies to high ports in general, not
just Back Orifice.
The Bugtraq poster claims that BlackICE "shuts down" the port,
but only *after* some initial traffic "leaks" out. This may
be by design, but it does mean that there is a small window
of opportunity in which BlackICE may not work "as
advertised," even at lower security settings.
Christey> XF:blackice-security-level-nervous
BID:1389
Frech> XF:blackice-security-level-nervous(4777)
CHANGE> [Levy changed vote from REVIEWING to ACCEPT]
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Baker> I accept it more as a security exposure, than a real vulnerability.
It performs just as any other "firewall" or IDS product can be configured to
allow traffic without notifying the user. You can adjust settings on
any product that allow traffic that other people or organizations would
find unacceptable. So, as long as it is reflected that this is more of
a configuration that allows such traffic as opposed to a defective
or improperly functioning software issue, I don't have a problem with
it.
Name: CVE-2000-0563
Description:
The URLConnection function in MacOS Runtime Java (MRJ)
2.1 and earlier and the Microsoft virtual machine (VM)
for MacOS allows a malicious web site operator to
connect to arbitrary hosts using a HTTP redirection, in
violation of the Java security model.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Security Holes Found
in URLConnection of MRJ and IE of Mac OS (was Re:
Reappearance of an old IE security bug)
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0056.html
Reference: BUGTRAQ:20000513 Re: Reappearance of
an old IE security bug
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-05-8&msg=391C95DE2DA.5E3BTAKAGI@java-house.etl.go.jp
Reference: BID:1336
Reference:
URL:http://www.securityfocus.com/bid/1336
Votes:
ACCEPT(2) Ozancin, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
REVIEWING(1) LeBlanc
Voter Comments:
Christey> Confirmed by Scott Culp, but this only applies to
outdated/unsupported versions of the JVM.
Frech> XF:macos-java-security-ignored(5052)
Christey> Consult with Microsoft to ensure that this is fixed by
MS:MS00-059. If so, then this might not just be in MacOS.
Name: CVE-2000-0564
Description:
The guestbook CGI program in ICQ Web Front service for
ICQ 2000a, 99b, and others allows remote attackers to
cause a denial of service via a URL with a long name
parameter.
Status: Candidate
Phase: Proposed (20000712)
Reference: NTBUGTRAQ:20000529 ICQ Web Front
Remote DoS Attack Vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0218.html
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(5) Ozancin, Christey, LeBlanc, Wall, Cole
Voter Comments:
Christey> ADDREF BID:1463
URL:http://www.securityfocus.com/bid/1463
Frech> XF:icq-webfront-guestbook-dos(4574)
Name: CVE-2000-0572
Description:
The Razor configuration management tool uses weak
encryption for its password file, which allows local
users to gain privileges.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000704 Recovering Passwords
in Visible Systems' Razor
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-07-8&msg=613309F30B6DD2118C020000F809376C05CABD49@emss03m09.orl.lmco.com
Reference: BID:1424
Reference:
URL:http://www.securityfocus.com/bid/1424
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(4) Magdych, LeBlanc, Wall, Cole
Voter Comments:
Frech> XF:razor-weak-encryption(4875)
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0574
Description:
FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd
and Opieftpd do not properly cleanse untrusted format
strings that are used in the setproctitle function
(sometimes called by set_proc_title), which allows
remote attackers to cause a denial of service or execute
arbitrary commands.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000705 proftp advisory
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0031.html
Reference: BUGTRAQ:20000706 ftpd and
setproctitle()
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0061.html
Reference: CERT:CA-2000-13
Reference:
URL:http://www.cert.org/advisories/CA-2000-13.html
Reference: BUGTRAQ:20000710 opieftpd
setproctitle() patches
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0121.html
Reference: NETBSD:NetBSD-SA2000-009
Reference:
URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-009.txt.asc
Reference: BID:1425
Reference:
URL:http://www.securityfocus.com/bid/1425
Reference: BID:1438
Reference:
URL:http://www.securityfocus.com/bid/1438
Votes:
ACCEPT(3) Levy, Magdych, Cole
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> CD:SF-CODEBASE applies here. There are many ftpd's that
have this setproctitle() problem, but it might be traced
back to the same codebase. See if the HP problem is the
same here as well, and if so, ADDREF HP:HPSBUX0007-117
URL:http://www.securityfocus.com/templates/advisory.html?id=2404
Frech> XF:ftp-setproctitle-format-string(4908)
BID:1438 does not exist.
Christey> ADDREF HP:HPSBUX0007-117??
http://archives.neohapsis.com/archives/hp/2000-q4/0020.html
Christey> ADDREF BID:650 ?
Name: CVE-2000-0578
Description:
SGI MIPSPro compilers C, C++, F77 and F90 generate
temporary files in /tmp with predictable file names,
which could allow local users to insert malicious
contents into these files as they are being compiled by
another user.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000621 Predictability
Problems in IRIX Cron and Compilers
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0204.html
Reference: BID:1412
Reference:
URL:http://www.securityfocus.com/bid/1412
Votes:
ACCEPT(4) Levy, Blake, Baker, Cole
MODIFY(1) Frech
NOOP(7) Ozancin, Magdych, Christey, Oliver, LeBlanc, Wall, Armstrong
Voter Comments:
Frech> XF:sgi-mipspro-modify-files(5007)
CHANGE> [Cole changed vote from NOOP to ACCEPT]
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Christey> SGI:20030605-01-A
URL:ftp://patches.sgi.com/support/free/security/advisories/20030605-01-A
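The SGI compiler entry above rests on one precondition: a temporary file whose name another local user can predict. The following is an added example, not SGI code, that plays both sides of that situation inside a private directory: the attacker pre-creates the guessable name (here as a symlink to a file the victim owns, the usual way a predictable name is abused), a write that uses O_CREAT|O_TRUNC lands on the attacker's target, and the two hardened variants (O_EXCL on a fixed name, or mkstemp for an unpredictable one) refuse or avoid the planted name. The "cc<pid>.s" naming, the PID and the file contents are constructed; the entry itself describes contents being inserted into the compiler's files, which depends on the same guessable name.

```python
import errno
import os
import tempfile


def guessable_temp_path(tmpdir: str, pid: int) -> str:
    """Constructed stand-in for a compiler-style name such as <tmp>/cc<pid>.s; anyone who
    can read the process list can predict it."""
    return os.path.join(tmpdir, "cc%d.s" % pid)


def attacker_plants_symlink(tmpdir: str, pid: int, target: str) -> str:
    """The local attacker creates the guessable name first, as a symlink to a file the victim owns."""
    link = guessable_temp_path(tmpdir, pid)
    os.symlink(target, link)
    return link


def vulnerable_write(tmpdir: str, pid: int, data: bytes) -> str:
    """O_CREAT|O_TRUNC without O_EXCL: if the name already exists, the write goes wherever it points."""
    path = guessable_temp_path(tmpdir, pid)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def hardened_write_fixed_name(tmpdir: str, pid: int, data: bytes) -> str:
    """If a fixed name is unavoidable: O_EXCL (fail if anything is already there) plus O_NOFOLLOW."""
    path = guessable_temp_path(tmpdir, pid)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def hardened_write_mkstemp(tmpdir: str, data: bytes) -> str:
    """The usual fix: an unpredictable name, created with O_CREAT|O_EXCL and mode 0600."""
    fd, path = tempfile.mkstemp(prefix="cc", suffix=".s", dir=tmpdir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def run_scenario() -> dict:
    """Runs attacker and victim steps in a throwaway directory and reports the outcome."""
    with tempfile.TemporaryDirectory() as tmpdir:
        victim = os.path.join(tmpdir, "victim.txt")       # constructed file owned by the victim
        with open(victim, "wb") as f:
            f.write(b"original contents")
        pid = 4242                                          # constructed PID the attacker guessed
        attacker_plants_symlink(tmpdir, pid, victim)

        vulnerable_write(tmpdir, pid, b"attacker-chosen contents")
        with open(victim, "rb") as f:
            clobbered = f.read() == b"attacker-chosen contents"

        try:
            hardened_write_fixed_name(tmpdir, pid, b"x")
            refused = False
        except OSError as e:                                # EEXIST, or ELOOP from O_NOFOLLOW
            refused = e.errno in (errno.EEXIST, errno.ELOOP)

        random_path = hardened_write_mkstemp(tmpdir, b"y")
        return {
            "victim_clobbered_by_vulnerable_open": clobbered,
            "fixed_name_open_refused": refused,
            "mkstemp_name_unpredictable": os.path.basename(random_path) != "cc%d.s" % pid,
        }


if __name__ == "__main__":
    print(run_scenario())
```

The refusal path matters as much as the random name: a program that falls back to O_TRUNC when O_EXCL fails has reintroduced the bug, so treat EEXIST on a temporary file as an attack indicator and abort.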
Name: CVE-2000-0580
Description:
Windows 2000 Server allows remote attackers to cause a
denial of service by sending a continuous stream of
binary zeros to various TCP and UDP ports, which
significantly increases the CPU utilization.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000630 SecureXpert Advisory
[SX-20000620-2]
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000630161935.4619B-100000@fjord.fscinternet.com
Reference: XF:win2k-cpu-overload-dos
Reference: BID:1415
Reference:
URL:http://www.securityfocus.com/bid/1415
Votes:
ACCEPT(3) Frech, Levy, Cole
REJECT(2) Magdych, LeBlanc
REVIEWING(1) Wall
Voter Comments:
LeBlanc> Insufficient data. Most of their claims are not reproducible. You can,
however, DoS the telnet server this way. As far as I know, there is no repro
on any of the other ports. I am not sure of fix status at this time
(7/19/00). Also overlaps with CVE-2000-0581
CHANGE> [Magdych changed vote from REVIEWING to REJECT]
Magdych> The only independent verification of these claims I have heard is for the Telnet denial of service, which is already defined in CVE candidate CVE-2000-0581.
Frech> Replace win2k-cpu-overload-dos(4824) with win2k-telnetserver-dos(4823)
Name: CVE-2000-0589
Description:
SawMill 5.0.21 uses weak encryption to store passwords,
which allows attackers to easily decrypt the password
and modify the SawMill configuration.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000626 sawmill5.0.21 old
path bug & weak hash algorithm
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0271.html
Reference: BUGTRAQ:20000706 Patch for Flowerfire
Sawmill Vulnerabilities Available
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0080.html
Reference: BID:1403
Reference:
URL:http://www.securityfocus.com/bid/1403
Reference: XF:sawmill-weak-encryption
Votes:
ACCEPT(3) Frech, Levy, Magdych
NOOP(3) LeBlanc, Wall, Cole
Voter Comments:
CHANGE> [Magdych changed vote from REVIEWING to ACCEPT]
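Five entries in this section (CVE-2000-0449 Omnis, CVE-2000-0492 PassWD, CVE-2000-0559 eTrust, CVE-2000-0572 Razor, CVE-2000-0589 SawMill) describe the same flaw: a fixed-key "encryption" of stored passwords, explicitly XOR in the eTrust case. The following is an added example, not code from any of those products, showing why such encoding protects nothing even when the attacker has not extracted the constant from the binary: one known plaintext (the attacker's own password) recovers the key stream, its period gives the key, and every other record decodes. The key, the passwords and the record layout are constructed. The second half shows the salted PBKDF2 hash a password store should have used instead.

```python
import hashlib
import hmac
import os
from itertools import cycle

# Constructed stand-in for a product's hard-coded key; in the real products the constant
# ships inside the binary, so every installation shares it.
PRODUCT_KEY = b"\x5a\x3c\x7e\x11\x9f"


def xor_obscure(data: bytes, key: bytes = PRODUCT_KEY) -> bytes:
    """Repeating-key XOR, the 'weak encryption (trivial encoding)' these entries describe.
    XOR is its own inverse, so the same call decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext returns the key bytes that covered it."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def smallest_period(stream: bytes) -> int:
    """A repeating key leaks its length: the shortest period that reproduces the stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return len(stream)


def decrypt_with_recovered_key(ciphertext: bytes, keystream: bytes) -> bytes:
    """Needs a known plaintext at least as long as the key; otherwise only a prefix decodes."""
    key = keystream[:smallest_period(keystream)]
    return xor_obscure(ciphertext, key)


def attack_demo() -> bytes:
    """A low-privilege user knows only their own password and can read every stored record
    (registry value, password file). They recover the key and decode the administrator's entry."""
    my_password = b"correct horse battery"       # constructed; longer than the key
    admin_password = b"Adm1n!Secret#2000"         # constructed
    my_record = xor_obscure(my_password)
    admin_record = xor_obscure(admin_password)
    keystream = recover_keystream(my_record, my_password)
    return decrypt_with_recovered_key(admin_record, keystream)


# What a password store should do instead: a salted, slow, one-way hash that supports
# verification but not recovery.
def store_password(password: bytes, iterations: int = 100_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record: dict, attempt: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    print(attack_demo())
    rec = store_password(b"hunter2")
    print(verify_password(rec, b"hunter2"), verify_password(rec, b"hunter3"))
```

Hashing is only an option when the program merely needs to check a password. A credential the program must present to something else (the SQL account in CVE-2000-0605, for instance) cannot be hashed; there the answer is storage the operating system protects with access control and a per-machine or per-user key, not a constant compiled into the product.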
Name: CVE-2000-0592
Description:
Buffer overflows in POP3 service in WinProxy 2.0 and
2.0.1 allow remote attackers to execute arbitrary
commands via long USER, PASS, LIST, RETR, or DELE
commands.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000627 [SPSadvisory
#37]WinProxy 2.0.0/2.0.1 DoS and Exploitable Buffer
Overflow
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200006271417.GFE84146.-BJXON@lac.co.jp
Reference: XF:winproxy-command-bo
Reference: BID:1400
Reference:
URL:http://www.securityfocus.com/bid/1400
Votes:
ACCEPT(4) Frech, Levy, Magdych, Cole
NOOP(1) LeBlanc
REVIEWING(1) Wall
Name: CVE-2000-0605
Description:
Blackboard CourseInfo 4.0 stores the local and SQL
administrator user names and passwords in cleartext in a
registry key whose access control allows users to access
the passwords.
Status: Candidate
Phase: Proposed (20000719)
Reference: NTBUGTRAQ:20000710 Two issues:
Blackboard CourseInfo 4.0 stores admin password in clear
text; strange settings on the winreg key.
Reference:
URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0007&L=NTBUGTRAQ&P=R1647
Reference: BID:1460
Reference:
URL:http://www.securityfocus.com/bid/1460
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(4) Cole, Magdych, Christey, LeBlanc
REVIEWING(1) Wall
Voter Comments:
Christey> ADDREF NTBUGTRAQ:20000718 Security Fix for Blackboard CourseInfo 4.0
URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0040.html
Frech> XF:blackboard-courseinfo-plaintext(4904)
Christey> Vendor acknowledgement is at:
BUGTRAQ:20000719 Security Fix for Blackboard CourseInfo 4.0
URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D20000719151904.I17986@securityfocus.com
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0606
Description:
Buffer overflow in kon program in Kanji on Console (KON)
package on Linux may allow local users to gain root
privileges via a long -StartupMessage parameter.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000619 Problems with "kon2" package
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006192340340.19998-100000@ferret.lmh.ox.ac.uk
Reference: XF:linux-kon-bo
Reference: BID:1371
Reference: URL:http://www.securityfocus.com/bid/1371
Votes:
ACCEPT(3) Frech, Levy, Baker
NOOP(4) Cole, Magdych, LeBlanc, Wall
Voter Comments:
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0607
Description:
Buffer overflow in fld program in Kanji on Console (KON)
package on Linux may allow local users to gain root
privileges via an input file containing long
CHARSET_REGISTRY or CHARSET_ENCODING settings.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000619 Problems with "kon2" package
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006192340340.19998-100000@ferret.lmh.ox.ac.uk
Reference: XF:linux-kon-bo
Reference: BID:1371
Reference: URL:http://www.securityfocus.com/bid/1371
Votes:
ACCEPT(3) Frech, Levy, Baker
NOOP(5) Cole, Magdych, Christey, LeBlanc, Wall
Voter Comments:
Christey> BID:1983
URL:http://www.securityfocus.com/bid/1983
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0608
Description:
NetWin dMailWeb and cwMail 2.6i and earlier allow
remote attackers to cause a denial of service via a long
POP parameter (pophost).
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000620 NetWin dMailWeb Denial of Service
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=4.1.20000621113334.00996820@qlink.queensu.ca
Reference: BID:1376
Reference: URL:http://www.securityfocus.com/bid/1376
Reference: XF:dmailweb-long-pophost-dos
Votes:
ACCEPT(3) Frech, Levy, Magdych
NOOP(3) Cole, LeBlanc, Wall
Name: CVE-2000-0609
Description:
NetWin dMailWeb and cwMail 2.6g and earlier allow
remote attackers to cause a denial of service via a long
username parameter.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000620 NetWin dMailWeb Denial of Service
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=4.1.20000621113334.00996820@qlink.queensu.ca
Reference: XF:dmailweb-long-username-dos
Reference: BID:1376
Reference: URL:http://www.securityfocus.com/bid/1376
Votes:
ACCEPT(3) Frech, Levy, Magdych
NOOP(3) Cole, LeBlanc, Wall
Name: CVE-2000-0612
Description:
Windows 95 and Windows 98 do not properly process
spoofed ARP packets, which allows remote attackers to
overwrite static entries in the cache table.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000629 Buggy ARP handling in Windoze
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=395B7E64.9FB3D4DB@starzetz.de
Reference: XF:win-arp-spoofing
Reference: BID:1406
Reference: URL:http://www.securityfocus.com/bid/1406
Votes:
ACCEPT(4) Cole, Frech, Levy, LeBlanc
NOOP(2) Magdych, Wall
REVIEWING(1) Christey
Voter Comments:
LeBlanc> I know we have a repro on this, but you may want to leave this in
the REVIEWING state until a fix is released.
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0614
Description:
Tnef program in Linux systems allows remote attackers to
overwrite arbitrary files via TNEF encoded compressed
attachments which specify absolute path names for the
decompressed output.
Status: Candidate
Phase: Proposed (20000719)
Reference: SUSE:20000710 Security Hole in tnef < 0-124
Reference: URL:http://archives.neohapsis.com/archives/vendor/2000-q3/0002.html
Reference: BID:1450
Reference: URL:http://www.securityfocus.com/bid/1450
Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(4) Cole, Magdych, LeBlanc, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> This problem appears in AMaViS as well, so they may be the
same codebase. If so, then CD:SF-CODEBASE says to merge the
two (thus ADDREF BID:1461). If they are not the same
codebase, then create a separate candidate for BID:1461.
Frech> XF:linux-tnef-email-overwrite(4915)
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0617
Description:
Buffer overflow in xconq and cconq game programs on Red
Hat Linux allows local users to gain additional
privileges via a long USER environment variable.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000622 RHL 6.2 xconq package - overflows yield gid games
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0222.html
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(4) Magdych, Christey, LeBlanc, Wall
Voter Comments:
Frech> XF:xconq-elevate-privileges(4995)
Christey> ADDREF BID:1495
ADDREF URL:http://www.securityfocus.com/bid/1495
CHANGE> [Levy changed vote from REVIEWING to ACCEPT]
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0618
Description:
Buffer overflow in xconq and cconq game programs on Red
Hat Linux allows local users to gain additional
privileges via a long DISPLAY environment variable.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000622 RHL 6.2 xconq package - overflows yield gid games
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0222.html
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(4) Magdych, Christey, LeBlanc, Wall
Voter Comments:
Frech> XF:xconq-elevate-privileges(4995)
Christey> ADDREF BID:1495
ADDREF URL:http://www.securityfocus.com/bid/1495
CHANGE> [Levy changed vote from REVIEWING to ACCEPT]
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0623
Description:
Buffer overflow in O'Reilly WebSite Professional web
server 2.4 and earlier allows remote attackers to
execute arbitrary commands via a long GET request or
Referrer header.
Status: Candidate
Phase: Proposed (20000803)
Reference: NTBUGTRAQ:20000719 Alert: Buffer Overrun is O'Reilly WebsitePro httpd32.exe (CISADV000717)
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0007&L=ntbugtraq&F=&S=&P=5946
Reference: BID:1492
Reference: URL:http://www.securityfocus.com/bid/1492
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(1) LeBlanc
REVIEWING(1) Wall
Voter Comments:
Frech> XF:website-httpd32-bo(4970)
In the description, I think it's spelled "referer"
Name: CVE-2000-0625
Description:
NetZero 3.0 and earlier uses weak encryption for storing
a user's login information, which allows a local user to
decrypt the password.
Status: Candidate
Phase: Proposed (20000803)
Reference: L0PHT:20000718 NetZero Password Encryption Algorithm
Reference: URL:http://www.l0pht.com/advisories/netzero.txt
Reference: BID:1483
Reference: URL:http://www.securityfocus.com/bid/1483
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
Voter Comments:
Frech> XF:zeroport-weak-encryption(4963)
Name: CVE-2000-0626
Description:
Buffer overflow in Alibaba web server allows remote
attackers to cause a denial of service via a long GET
request.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000718 Multiple bugs in Alibaba 2.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0237.html
Reference: BID:1482
Reference: URL:http://www.securityfocus.com/bid/1482
Votes:
ACCEPT(4) Levy, Blake, Wall, Baker
MODIFY(1) Frech
NOOP(5) Cole, Armstrong, Ozancin, Oliver, LeBlanc
REVIEWING(1) Christey
Voter Comments:
Frech> XF:alibaba-get-dos(4934)
Christey> This is in a relatively old Nessus plugin, though the exploit
uses POST instead of GET. This was probably discovered
earlier than the references indicate.
CHANGE> [Wall changed vote from NOOP to ACCEPT]
Wall> Found by Arne Vidstrom and found in multiple sources
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> See the POST comment in
http://marc.theaimsgroup.com/?l=bugtraq&m=94182951012884&w=2
Also see http://marc.theaimsgroup.com/?l=bugtraq&m=94191318721834&w=2
One poster says that a large number of sites are running
Alibaba (based on a netcraft report), but I'm not 100%
sure Netcraft's doing a good job of identifying Alibaba
servers.
Name: CVE-2000-0629
Description:
The default configuration of the Sun Java web server 2.0
and earlier allows remote attackers to execute arbitrary
commands by uploading Java code to the server via
board.html, then directly calling the JSP compiler
servlet.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000711 Sun's Java Web Server remote command execution vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0163.html
Reference: MISC:http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html
Reference: BID:1459
Reference: URL:http://www.securityfocus.com/bid/1459
Votes:
ACCEPT(3) Cole, Dik, Levy
MODIFY(1) Frech
NOOP(3) Christey, LeBlanc, Wall
Voter Comments:
Frech> XF:sunjava-webadmin-bbs(5135)
Christey> Need to create/update
Dik> (through internal confirmation)
Name: CVE-2000-0645
Description:
WFTPD and WFTPD Pro 2.41 allow remote attackers to
cause a denial of service by using the RESTART (REST)
command and writing beyond the end of a file, or writing
to a file that does not exist, via commands such as
STORE UNIQUE (STOU), STORE (STOR), or APPEND (APPE).
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html
Reference: BID:1506
Reference: URL:http://www.securityfocus.com/bid/1506
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:wftpd-rest-dos(5004)
Name: CVE-2000-0646
Description:
WFTPD and WFTPD Pro 2.41 allow remote attackers to
obtain the real pathname for a file by executing a
STATUS (STAT) command while the file is being
transferred.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html
Reference: BID:1506
Reference: URL:http://www.securityfocus.com/bid/1506
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:wftpd-stat-info(5005)
Name: CVE-2000-0647
Description:
WFTPD and WFTPD Pro 2.41 allow remote attackers to
cause a denial of service by executing an MLST command
before logging into the server.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html
Reference: BID:1506
Reference: URL:http://www.securityfocus.com/bid/1506
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:wftpd-mlst-dos(5006)
Name: CVE-2000-0648
Description:
WFTPD and WFTPD Pro 2.41 allow local users to cause a
denial of service by executing the RENAME TO (RNTO)
command before a RENAME FROM (RNFR) command.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000711 WFTPD/WFTPD Pro 2.41 RC10 denial-of-service
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13BvU6-0007d8-00@dwarf.box.sk
Reference: BID:1456
Reference: URL:http://www.securityfocus.com/bid/1456
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(2) Cole, LeBlanc
REVIEWING(1) Wall
Voter Comments:
Frech> XF:wftpd-rnto-dos(4930)
Name: CVE-2000-0649
Description:
IIS 4.0 allows remote attackers to obtain the internal
IP address of the server via an HTTP 1.0 request for a
web page which is protected by basic authentication and
has no realm defined.
Status: Candidate
Phase: Proposed (20000803)
Reference: NTBUGTRAQ:20000713 IIS4 Basic authentication realm issue
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0025.html
Reference: BID:1499
Reference: URL:http://www.securityfocus.com/bid/1499
Votes:
ACCEPT(2) Levy, LeBlanc
MODIFY(1) Frech
NOOP(1) Cole
REVIEWING(2) Christey, Wall
Voter Comments:
Christey> ADDREF http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP
Change description to point out that the internal IP address
exposure is due to the default configuration as opposed to
a bug.
Frech> XF:iis-internal-ip-disclosure(5106)
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> There are two variants of the same type of issue here. The
KB article shows that IIS 4.0 reveals the IP address in a
Content-Location MIME header field. The NTBugtraq article
says that the IP address is shown in the WWW-Authenticate
MIME header. Which one has been fixed, or both, and when?
Christey> MSKB:Q218180 identifies a problem in which IIS returns the
info in a Content-Location header, but the authentication
realm problem is not specifically mentioned. Are these the
same problem?
Name: CVE-2000-0653
Description:
Microsoft Outlook Express allows remote attackers to
monitor a user's email by creating a persistent browser
link to the Outlook Express windows, aka the "Persistent
Mail-Browser Link" vulnerability.
Status: Candidate
Phase: Proposed (20000803)
Reference: MS:MS00-045
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-045.asp
Reference: BID:1502
Reference: URL:http://www.securityfocus.com/bid/1502
Votes:
ACCEPT(3) Cole, Levy, Wall
NOOP(1) LeBlanc
REJECT(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Is this a duplicate of CVE-2000-0105? I can find no differentiating evidence
to show that this issue is unique.
Christey> I need to look through my email logs to recall whether I
resolved this potential duplicate with Microsoft people.
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Name: CVE-2000-0656
Description:
Buffer overflow in AnalogX proxy server 4.04 and earlier
allows remote attackers to cause a denial of service via
a long USER command in the FTP protocol.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000724 AnalogX Proxy DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
Reference: CONFIRM:http://www.analogx.com/contents/download/network/proxy.htm
Reference: BID:1504
Reference: URL:http://www.securityfocus.com/bid/1504
Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:analogx-proxy-ftp-crash(4981)
Name: CVE-2000-0657
Description:
Buffer overflow in AnalogX proxy server 4.04 and earlier
allows remote attackers to cause a denial of service via
a long HELO command in the SMTP protocol.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000724 AnalogX Proxy DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
Reference: CONFIRM:http://www.analogx.com/contents/download/network/proxy.htm
Reference: BID:1504
Reference: URL:http://www.securityfocus.com/bid/1504
Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:analogx-proxy-smtp-helo(5164)
Name: CVE-2000-0658
Description:
Buffer overflow in AnalogX proxy server 4.04 and earlier
allows remote attackers to cause a denial of service via
a long USER command in the POP3 protocol.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000724 AnalogX Proxy DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
Reference: CONFIRM:http://www.analogx.com/contents/download/network/proxy.htm
Reference: BID:1504
Reference: URL:http://www.securityfocus.com/bid/1504
Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:analogx-proxy-pop3-crash(4982)
Name: CVE-2000-0659
Description:
Buffer overflow in AnalogX proxy server 4.04 and earlier
allows remote attackers to cause a denial of service via
a long user ID in a SOCKS4 CONNECT request.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000724 AnalogX Proxy DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
Reference: BID:1504
Reference: URL:http://www.securityfocus.com/bid/1504
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:analogx-proxy-socks4-crash(4997)
Name: CVE-2000-0667
Description:
Vulnerability in gpm in Caldera Linux allows local users
to delete arbitrary files or conduct a denial of
service.
Status: Candidate
Phase: Proposed (20000803)
Reference: CALDERA:CSSA-2000-024.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0273.html
Reference: BID:1512
Reference: URL:http://www.securityfocus.com/bid/1512
Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:linux-gpm-gpmctl-dos(5010)
We show this issue to be cross-Linux-platform and not Caldera specific. May
also be a LOA issue or duplicate or specific instance of CVE-2000-0531. This
position is further validated by BID-1512 and BID-1377, which lists this as
a Conectiva Linux/Mandrake issue and list Mandrake:MDKSA-2000:025 in common.
We will list both CVEs under the listed XF tag unless otherwise instructed.
Christey> ADDREF Conectiva?
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0396.html
Christey> ADDREF REDHAT:RHSA-2000:045-01
ADDREF BUGTRAQ:20000727 CONECTIVA LINUX SECURITY ANNOUNCEMENT - GPM
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96473014104340&w=2
Another possible reference is:
BUGTRAQ:20000728 MDKSA:2000-025 gpm update
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96480812908563&w=2
although the advisory is not explicit. It also refers to
CVE-2000-0531.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Per Andre Frech's comments.
Name: CVE-2000-0680
Description:
The CVS 1.10.8 server does not properly restrict users
from creating arbitrary Checkin.prog or Update.prog
programs, which allows remote CVS committers to create
or modify Trojan horse programs under the Checkin.prog
or Update.prog names and then perform a CVS commit action.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000728 cvs security problem
Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3Dhvou2daoebb.fsf%40serein.m17n.org
Reference: BID:1524
Reference: URL:http://www.securityfocus.com/bid/1524
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:cvs-checkin-execute-binary
Name: CVE-2000-0686
Description:
Auction Weaver CGI script 1.03 and earlier allows remote
attackers to read arbitrary files via a .. (dot dot)
attack in the fromfile parameter.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000823 Auction WeaverT LITE 1.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0310.html
Reference: BID:1630
Reference: URL:http://www.securityfocus.com/bid/1630
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:cgi-auction-weaver-read-files
Frech> XF:cgi-auction-weaver-read-files(5150)
Name: CVE-2000-0687
Description:
Auction Weaver CGI script 1.03 and earlier allows remote
attackers to read arbitrary files via a .. (dot dot)
attack in the catdir parameter.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000823 Auction WeaverT LITE 1.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0310.html
Reference: BID:1630
Reference: URL:http://www.securityfocus.com/bid/1630
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:cgi-auction-weaver-read-files
Christey> Need to double-check BID's on all these Auction Weaver prob's.
Frech> XF:cgi-auction-weaver-read-files(5150)
Name: CVE-2000-0688
Description:
Subscribe Me LITE does not properly authenticate
attempts to change the administrator password, which
allows remote attackers to gain privileges for the
Account Manager by directly calling the subscribe.pl
script with the setpwd parameter.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000823 Subscribe Me Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0292.html
Reference: BUGTRAQ:20000823 Re: Subscribe Me CGI Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96722957421029&w=2
Reference: CONFIRM:http://www.cgiscriptcenter.com/subscribe/
Reference: BID:1607
Reference: URL:http://www.securityfocus.com/bid/1607
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:subscribe-me-overwrite-password
Christey> Make sure the mention of Account Manager is correct.
XF:subscribe-me-overwrite-password
http://xforce.iss.net/static/5126.php
Frech> XF:subscribe-me-overwrite-password(5126)
Name: CVE-2000-0689
Description:
Account Manager LITE does not properly authenticate
attempts to change the administrator password, which
allows remote attackers to gain privileges for the
Account Manager by directly calling the amadmin.pl
script with the setpasswd parameter.
Status: Candidate
Phase: Modified (20061027)
Reference: BUGTRAQ:20000823 Account Manager CGI Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0291.html
Reference: CONFIRM:http://www.cgiscriptcenter.com/acctlite/
Reference: BID:1604
Reference: URL:http://www.securityfocus.com/bid/1604
Reference: OSVDB:13341
Reference: URL:http://www.osvdb.org/13341
Reference: XF:account-manager-overwrite-password(5125)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5125
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:account-manager-overwrite-password
In description, you probably want to indicate both Account Manager LITE and PRO.
Because CONFIRM redirects, you may want to verify and normalize to http://www.cgiscriptcenter.com/acctman/index2.html.
Christey> XF:account-manager-overwrite-password
http://xforce.iss.net/static/5125.php
Frech> XF:account-manager-overwrite-password(5125)
Name: CVE-2000-0690
Description:
Auction Weaver CGI script 1.02 and earlier allows remote
attackers to execute arbitrary commands via shell
metacharacters in the fromfile parameter.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000830 More problems with Auction Weaver & CGI Script Center.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0370.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0452.html
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, Levy
NOOP(3) Cole, Christey, Wall
Voter Comments:
Levy> Reference: BID 1645
Christey> BID:1645
URL:http://www.securityfocus.com/bid/1645
Frech> XF:auction-weaver-execute-commands(6175)
Name: CVE-2000-0691
Description:
The faxrunq and faxrunqd programs in the mgetty package
allow local users to create or modify arbitrary files
via a symlink attack in which
/var/spool/fax/outgoing/.last_run is a symlink to the
target file.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000826 Advisory: mgetty local compromise
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0329.html
Reference: CONFIRM:http://archives.neohapsis.com/archives/bugtraq/2000-08/0330.html
Reference: CALDERA:CSSA-2000-029.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-029.0.txt
Reference: BID:1612
Reference: URL:http://www.securityfocus.com/bid/1612
Votes:
ACCEPT(1) Levy
MODIFY(2) Frech, Cox
NOOP(3) Cole, Christey, Wall
Voter Comments:
Frech> XF:mgetty-faxrunq-symlink
Christey> ADDREF XF:mgetty-faxrunq-symlink
ADDREF URL:http://xforce.iss.net/static/5159.php
ADDREF REDHAT:RHSA-2000:059-02
ADDREF BUGTRAQ:20000830 Conectiva Linux Security Announcement - mgetty
ADDREF MANDRAKE:MDKSA-2000:042
Christey> ADDREF REDHAT:RHSA-2000:059-02
Christey> ADDREF FREEBSD:FreeBSD-SA-00:71
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:71.mgetty.asc
Frech> XF:mgetty-faxrunq-symlink(5159)
Cox> ADDREF REDHAT:RHSA-2000:059
Name: CVE-2000-0692
Description:
ISS RealSecure 3.2.1 and 3.2.2 allows remote attackers
to cause a denial of service via a flood of fragmented
packets with the SYN flag set.
Status: Candidate
Phase: Modified (20001010-1)
Reference: BUGTRAQ:20000822 DOS on RealSecure 3.2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0267.html
Reference: BID:1597
Reference: URL:http://www.securityfocus.com/bid/1597
Reference: XF:realsecure-rskill-dos
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:realsecure-rskill-dos
Christey> CHANGEREF XF:realsecure-rskill-dos to XF:realsecure-frag-syn-dos?
http://xforce.iss.net/static/5133.php
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> In an email to issforum@iss.net on September 7, 2000, ISS says
that Network Sensor 3.2.2 is affected by SYN flooding, but
RealSecure 5.0 is not affected by Syn flooding. In addition,
they could not find conclusive evidence that RS 3.2.2 or 5.0
was affected by IP fragmentation. This seems to indicate
that there are 2 *possible* problems: syn flooding (acknowledged
by ISS) and fragmentation (unconfirmed). Perhaps this
candidate needs to be split, or its description should be
rewritten to separate the 2 reported problems.
Frech> XF:realsecure-rskill-dos(5133)
Name: CVE-2000-0695
Description:
Buffer overflows in pgxconfig in the Raptor GFX
configuration tool allow local users to gain privileges
via command line options.
Status: Candidate
Phase: Modified (20010417-01)
Reference: BUGTRAQ:20000802 Local root compromise in PGX Config Sun Sparc Solaris
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0463.html
Votes:
ACCEPT(3) Dik, Levy, Baker
NOOP(2) Cole, Wall
Voter Comments:
Dik> as CVE-2000-0693
Name: CVE-2000-0696
Description:
The administration interface for the dwhttpd web server
in Solaris AnswerBook2 does not properly authenticate
requests to its supporting CGI scripts, which allows
remote attackers to add user accounts to the interface
by directly calling the admin CGI script.
Status: Candidate
Phase: Modified (20080918)
Reference: BUGTRAQ:20000807 Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server
Reference: URL:http://seclists.org/bugtraq/2000/Aug/0105.html
Reference: MISC:http://www.s21sec.com/en/avisos/s21sec-004-en.txt
Reference: SUN:00196
Reference: URL:http://archives.neohapsis.com/archives/sun/2000-q3/0001.html
Reference: XF:solaris-answerbook2-admin-interface(5069)
Reference: URL:http://xforce.iss.net/static/5069.php
Reference: BID:1554
Reference: URL:http://www.securityfocus.com/bid/1554
Votes:
ACCEPT(4) Cole, Dik, Levy, Baker
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:solaris-answerbook2-admin-interface
Christey> XF:solaris-answerbook2-admin-interface
http://xforce.iss.net/static/5069.php
Christey> BUGTRAQ:20000807 Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server
http://www.securityfocus.com/archive/1/74382
Christey> Fix typo: "CGi"
CHANGE> [Dik changed vote from REVIEWING to ACCEPT]
Name: CVE-2000-0697
Description:
The administration interface for the dwhttpd web server
in Solaris AnswerBook2 allows interface users to
remotely execute commands via shell metacharacters.
Status: Candidate
Phase: Modified (20080918)
Reference: BUGTRAQ:20000807 Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server
Reference: URL:http://seclists.org/bugtraq/2000/Aug/0105.html
Reference: MISC:http://www.s21sec.com/en/avisos/s21sec-004-en.txt
Reference: SUN:00196
Reference: URL:http://archives.neohapsis.com/archives/sun/2000-q3/0001.html
Reference: XF:solaris-answerbook2-remote-execution(5058)
Reference: URL:http://www.iss.net/security_center/static/5058.php
Reference: BID:1556
Reference: URL:http://www.securityfocus.com/bid/1556
Votes:
ACCEPT(4) Cole, Dik, Levy, Baker
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:solaris-answerbook2-remote-execution
Christey> XF:solaris-answerbook2-remote-execution
http://xforce.iss.net/static/5058.php
CHANGE> [Dik changed vote from REVIEWING to ACCEPT]
Dik> COMMENTS
verified bug existence.
Christey> There needs to be a separate item for the .. problem reported
in this same post.
Name: CVE-2000-0701
Description:
The wrapper program in mailman 2.0beta3 and 2.0beta4
does not properly cleanse untrusted format strings,
which allows local users to gain privileges.
Status: Candidate
Phase: Modified (20040818)
Reference: BUGTRAQ:20000801 Advisory: mailman local compromise
Reference: URL:http://www.securityfocus.com/archive/1/73220
Reference: CONFIRM:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000802105050.A11733@rak.isternet.sk
Reference: BUGTRAQ:20000802 CONECTIVA LINUX SECURITY ANNOUNCEMENT - mailman
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0474.html
Reference: BUGTRAQ:20000802 MDKSA-2000:030 - Linux-Mandrake not affected by mailman problem
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0479.html
Reference: REDHAT:RHSA-2000:030
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-030.html
Reference: BID:1539
Reference: URL:http://www.securityfocus.com/bid/1539
Votes:
ACCEPT(3) Cole, Levy, Baker
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:gnu-mailman-format-string
You can perhaps normalize Bugtraq URL to CONFIRM:http://www.securityfocus.com/archive/1/73355.
Name: CVE-2000-0704
Description:
Buffer overflow in SGI Omron WorldView Wnn allows remote
attackers to execute arbitrary commands via long
JS_OPEN, JS_MKDIR, or JS_FILE_INFO commands.
Status: Candidate
Phase: Modified (20060505)
Reference: SGI:20000803-01-A
Reference: URL:ftp://sgigate.sgi.com/security/20000803-01-A
Reference: BID:1603
Reference: URL:http://www.securityfocus.com/bid/1603
Reference: OSVDB:11080
Reference: URL:http://www.osvdb.org/11080
Reference: XF:irix-worldview-wnn-bo(5163)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5163
Votes:
ACCEPT(3) Cole, Levy, Baker
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:irix-worldview-wnn-bo
Christey> XF:irix-worldview-wnn-bo
http://xforce.iss.net/static/5163.php
Name: CVE-2000-0709
Description:
The shtml.exe component of Microsoft FrontPage 2000
Server Extensions 1.1 allows remote attackers to cause a
denial of service in some components by requesting a URL
whose name includes a standard DOS device name.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000823 Xato Advisory: FrontPage DOS Device DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0288.html
Reference: CONFIRM:http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp
Reference: BID:1608
Reference: URL:http://www.securityfocus.com/bid/1608
Votes:
ACCEPT(3) Cole, Levy, Wall
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> [note to self: review comments by Mark Burnett]
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> XF:frontpage-ext-device-name-dos(5124)
Frech> XF:frontpage-ext-device-name-dos(5124)
Name: CVE-2000-0710
Description:
The shtml.exe component of Microsoft FrontPage 2000
Server Extensions 1.1 allows remote attackers to
determine the physical path of the server components by
requesting an invalid URL whose name includes a standard
DOS device name.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000823 Xato Advisory: FrontPage DOS Device DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0288.html
Reference: CONFIRM:http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp
Reference: BID:1608
Reference: URL:http://www.securityfocus.com/bid/1608
Votes:
ACCEPT(3) Cole, Levy, Wall
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Christey> [note to self: review comments by Mark Burnett]
Frech> XF:frontpage-ext-device-name-dos(5124)
Name: CVE-2000-0713
Description:
Buffer overflow in Adobe Acrobat 4.05, Reader, Business
Tools, and Fill In products that handle PDF files allows
attackers to execute arbitrary commands via a long
/Registry or /Ordering specifier.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000726 [SPSadvisory#39]Adobe
Acrobat Series PDF File Buffer Overflow
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0382.html
Reference:
CONFIRM:http://www.adobe.com/misc/pdfsecurity.html
Reference: BID:1509
Reference:
URL:http://www.securityfocus.com/bid/1509
Votes:
ACCEPT(4) Cole, Levy, Wall, Baker
NOOP(1) Christey
Voter Comments:
Christey> ADDREF XF:adobe-pdf-bo(5002)
Name: CVE-2000-0714
Description:
umb-scheme 3.2-11 for Red Hat Linux is installed with
world-writeable files.
Status: Candidate
Phase: Modified (20040818)
Reference: REDHAT:RHSA-2000:047
Reference:
URL:http://www.redhat.com/support/errata/RHSA-2000-047.html
Reference: BID:1551
Reference:
URL:http://www.securityfocus.com/bid/1551
Votes:
ACCEPT(5) Cole, Cox, Levy, Williams, Baker
NOOP(2) Christey, Wall
Voter Comments:
Christey> XF:linux-umb-scheme
http://xforce.iss.net/static/5048.php
Cox> (If me voting speeds up its inclusion :))
Name: CVE-2000-0715
Description:
DiskCheck script diskcheck.pl in Red Hat Linux 6.2
allows local users to create or overwrite arbitrary
files via a symlink attack on a temporary file.
Status: Candidate
Phase: Modified (20080226)
Reference: BUGTRAQ:20000622 Re: rh 6.2 - gid
compromises, etc [+ MORE!!!]
Reference:
URL:http://seclists.org/bugtraq/2000/Jun/0298.html
Reference: BUGTRAQ:20000805 Diskcheck 3.1.1
Symlink Vulnerability
Reference:
URL:http://seclists.org/bugtraq/2000/Aug/0082.html
Reference: BUGTRAQ:20000807 Re: Diskcheck 3.1.1
Symlink Vulnerability
Reference:
URL:http://seclists.org/bugtraq/2000/Aug/0096.html
Reference: BID:1552
Reference:
URL:http://www.securityfocus.com/bid/1552
Votes:
ACCEPT(3) Levy, Williams, Baker
MODIFY(2) Cox, Christey
NOOP(2) Cole, Wall
Voter Comments:
Christey> XF:diskcheck-tmp-race-condition
http://xforce.iss.net/static/5061.php
Christey> ADDREF REDHAT:RHSA-2000:122-04 ?
The advisory addresses some diskcheck symlink vulnerability,
but the initial announcement was 4 months before the advisory
was released; however, the DiskCheck versions seem to
correspond.
Christey> See various Bugtraq posts relating to this, and verify if the
Conectiva/Red Hat/etc. advisories are really addressing this
particular problem.
e.g.: BUGTRAQ:20000622 Re: rh 6.2 - gid compromises, etc [+ MORE!!!]
http://marc.theaimsgroup.com/?l=bugtraq&m=96172022819526&w=2
BUGTRAQ:20000810 CONECTIVA LINUX SECURITY ANNOUNCEMENT - diskcheck
http://marc.theaimsgroup.com/?l=bugtraq&m=96604843017702&w=2
REDHAT:RHSA-2000:122-06
http://marc.theaimsgroup.com/?l=bugtraq&m=97649229201967&w=2
BID:2050
URL:http://www.securityfocus.com/bid/2050
Christey> The following RedHat advisory appears to identify the same
problem as one that was posted to Bugtraq on August 8, 2000:
REDHAT:RHSA-2000:122-06
http://www.redhat.com/support/errata/powertools/RHSA-2000-122.html
See the following BugID, as referenced in the advisory:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11724
So, add:
BID:2050
URL:http://www.securityfocus.com/bid/2050
XF:linux-diskcheck-race-symlink
URL:http://xforce.iss.net/static/5624.php
[note the apparent BID duplicates, however]
CHANGE> [Christey changed vote from NOOP to MODIFY]
Christey> Missing BID - BID:1552
Cox> ADDREF REDHAT:RHSA-2000:122
Name: CVE-2000-0719
Description:
VariCAD 7.0 is installed with world-writeable files,
which allows local users to replace the VariCAD programs
with a Trojan horse program.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000810 VariCAD 7.0
premission vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0126.html
Votes:
MODIFY(1) Frech
NOOP(4) Cole, Christey, Williams, Wall
REVIEWING(1) Levy
Voter Comments:
Christey> XF:varicad-world-write-permissions
http://xforce.iss.net/static/5077.php
Frech> XF:aricad-world-write-permissions(5077)
Christey> BID:1862
Name: CVE-2000-0721
Description:
The FSserial, FlagShip_c, and FlagShip_p programs in the
FlagShip package are installed world-writeable, which
allows local users to replace them with Trojan horses.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000810 FlagShip v4.48.7449
premission vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0114.html
Reference: BID:1586
Reference:
URL:http://www.securityfocus.com/bid/1586
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:flagship-incorrect-permissions(5114)
Name: CVE-2000-0722
Description:
Helix GNOME Updater helix-update 0.5 and earlier allows
local users to install arbitrary RPM packages by
creating the /tmp/helix-install installation directory
before root has begun installing packages.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000819 Multiple Local
Vulnerabilities in Helix Gnome Installer
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13QAYl-0007il-00@the-village.bc.nu
Reference: BUGTRAQ:20000820 Helix Code Security
Advisory - Helix GNOME Update
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0240.html
Reference: BUGTRAQ:20000820 [Helix Beta] Helix
Code Security Advisory - Helix GNOME Installer
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0251.html
Reference: BID:1593
Reference:
URL:http://www.securityfocus.com/bid/1593
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> XF:linux-update-race-condition
Frech> XF:gnome-installer-overwrite-configuration(5129)
Name: CVE-2000-0723
Description:
Helix GNOME Updater helix-update 0.5 and earlier does
not properly create /tmp directories, which allows local
users to create empty system configuration files such as
/etc/config.d/bashrc, /etc/config.d/csh.cshrc, and
/etc/rc.config.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000819 Multiple Local
Vulnerabilities in Helix Gnome Installer
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13QAYl-0007il-00@the-village.bc.nu
Reference: BUGTRAQ:20000820 [Helix Beta] Helix
Code Security Advisory - Helix GNOME Installer
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0251.html
Reference: BID:1596
Reference:
URL:http://www.securityfocus.com/bid/1596
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> XF:gnome-installer-overwrite-configuration(5129)
Frech> XF:gnome-installer-overwrite-configuration(5129)
Name: CVE-2000-0724
Description:
The go-gnome Helix GNOME pre-installer allows local
users to overwrite arbitrary files via a symlink attack
on various files in /tmp, including uudecode, snarf, and
some installer files.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000829 More Helix Code
installation problems (go-gnome)
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0351.html
Reference: BUGTRAQ:20000829 Helix Code Security
Advisory - go-gnome pre-installer
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0356.html
Reference: BID:1622
Reference:
URL:http://www.securityfocus.com/bid/1622
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> XF:go-gnome-preinstaller-symlink(5161)
Frech> XF:go-gnome-preinstaller-symlink(5161)
Name: CVE-2000-0734
Description:
eEye IRIS 1.01 beta allows remote attackers to cause a
denial of service via a large number of UDP connections.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000831 Remote DoS Attack in
Eeye Iris 1.01 and SpyNet CaptureNet v3.12
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96774637326591&w=2
Reference: BID:1627
Reference:
URL:http://www.securityfocus.com/bid/1627
Votes:
MODIFY(1) Levy
NOOP(2) Cole, Wall
REJECT(1) Frech
Voter Comments:
Levy> The product is in wide use even while it is in beta. eEye bought another company and made all their previous customers upgrade to the new software.
Name: CVE-2000-0735
Description:
Buffer overflow in Becky! Internet Mail client 1.26.03
and earlier allows remote attackers to cause a denial of
service via a long Content-type: MIME header when the
user replies to a message.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000818 Becky! Internet Mail
Buffer overflow
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0234.html
Reference:
CONFIRM:http://member.nifty.ne.jp/rimarts/becky-e/Readme.txt
Reference: BID:1588
Reference:
URL:http://www.securityfocus.com/bid/1588
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> XF:becky-imail-header-dos
http://xforce.iss.net/static/5110.php
Frech> XF:becky-imail-header-dos(5110)
Name: CVE-2000-0736
Description:
Buffer overflow in Becky! Internet Mail client 1.26.04
and earlier allows remote attackers to cause a denial of
service via a long Content-type: MIME header when the
user forwards a message.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000818 Becky! Internet Mail
Buffer overflow
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0234.html
Reference:
CONFIRM:http://member.nifty.ne.jp/rimarts/becky-e/Readme.txt
Reference: BID:1588
Reference:
URL:http://www.securityfocus.com/bid/1588
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> XF:becky-imail-header-dos
http://xforce.iss.net/static/5110.php
Frech> XF:becky-imail-header-dos(5110)
Name: CVE-2000-0746
Description:
Vulnerabilities in IIS 4.0 and 5.0 do not properly
protect against cross-site scripting (CSS) attacks. They
allow a malicious web site operator to embed scripts in
a link to a trusted site, which are returned without
quoting in an error message back to the client. The
client then executes those scripts in the same context
as the trusted site, aka the "IIS Cross-Site Scripting"
vulnerabilities.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000821 IIS 5.0 cross site
scripting vulnerability - using .shtml files or
/_vti_bin/shtml.dll
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=39A12BD6.E811BF4F@nat.bg
Reference: MS:MS00-060
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms00-060.asp
Reference: BID:1594
Reference:
URL:http://www.securityfocus.com/bid/1594
Reference: BID:1595
Reference:
URL:http://www.securityfocus.com/bid/1595
Votes:
ACCEPT(3) Cole, Levy, Wall
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> Make sure both BID's are appropriate
XF:iis-cross-site-scripting
http://xforce.iss.net/static/5156.php
Frech> XF: iis-cross-site-scripting(5156)
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> A re-release of MS:MS00-060 indicates that a new variant of
this problem was discovered, but the advisory does not
provide sufficient details to distinguish it from this
candidate. A new candidate is being created, but the
description can't be written without mentioning this CAN.
Name: CVE-2000-0748
Description:
OpenLDAP 1.2.11 and earlier improperly installs the ud
binary with group write permissions, which could allow
any user in that group to replace the binary with a
Trojan horse.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000726 Group-writable
executable in OpenLDAP
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0375.html
Reference: BID:1511
Reference:
URL:http://www.securityfocus.com/bid/1511
Votes:
ACCEPT(1) Levy
NOOP(4) Cole, Williams, Wall, Baker
Name: CVE-2000-0752
Description:
Buffer overflows in brouted in FreeBSD and possibly
other OSes allow local users to gain root privileges
via long command line arguments.
Status: Candidate
Phase: Proposed (20000921)
Reference: FREEBSD:FreeBSD-SA-00:43
Reference:
URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0339.html
Reference: BID:1629
Reference:
URL:http://www.securityfocus.com/bid/1629
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:freebsd-brouted-bo(6185)
Name: CVE-2000-0755
Description:
Vulnerability in the newgrp command in HP-UX 11.00
allows local users to gain privileges.
Status: Candidate
Phase: Proposed (20000921)
Reference: HP:HPSBUX0008-118
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0144.html
Reference: BID:1581
Reference:
URL:http://www.securityfocus.com/bid/1581
Votes:
ACCEPT(2) Cole, Levy
NOOP(2) Wall, Baker
REJECT(2) Frech, Christey
Voter Comments:
Christey> DUPE CVE-2000-0730
Also, the BID is wrong.
Frech> DUPE OF CVE-2000-0730
Also, the BID is wrong.
Name: CVE-2000-0756
Description:
Microsoft Outlook 2000 does not properly process long or
malformed fields in vCard (.vcf) files, which allows
attackers to cause a denial of service.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000831 vCard DoS on Outlook
2000
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Springmail.105.967737080.0.16997300@www.springmail.com
Reference: BID:1633
Reference:
URL:http://www.securityfocus.com/bid/1633
Votes:
ACCEPT(2) Cole, Levy
MODIFY(2) Frech, LeBlanc
REVIEWING(2) Christey, Wall
Voter Comments:
LeBlanc> - if a KB article, bulletin, or patch can be found, then
I'll ACCEPT
Christey> This is the same as MS:MS01-012 (CVE-2001-0145)
See the Bugtraq post by Joel Moses:
http://marc.theaimsgroup.com/?l=bugtraq&m=98322714210100&w=2
As of this writing, it is not certain which candidate
should be preferred: the candidate that has been publicly
known longer (i.e. CVE-2000-0756), or the more "official"
candidate, which has probably been publicized more (i.e.
CVE-2001-0145).
Frech> XF:outlook-vcard-dos(5175)
XF:outlook-vcard-bo(6145)
Because there's another more recent CAN linked to @stake and
Microsoft's advisories, we'll link both of our records to both
candidates until a final decision occurs. If a decision has been made
to promote the CVE-2001 entry, then enter my vote as a REJECT for
CVE-2000-0756.
Frech> Replace outlook-vcard-bo(6145) with outlook-vcard-dos(5175)
Name: CVE-2000-0757
Description:
The sysgen service in Aptis Totalbill does not perform
authentication, which allows remote attackers to gain
root privileges by connecting to the service and
specifying the commands to be executed.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000808 Exploit for
Totalbill...
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0074.html
Reference: BID:1555
Reference:
URL:http://www.securityfocus.com/bid/1555
Votes:
ACCEPT(2) Levy, Baker
NOOP(4) Cole, Christey, Williams, Wall
Voter Comments:
Christey> XF:totalbill-remote-execution
http://xforce.iss.net/static/5068.php
Name: CVE-2000-0759
Description:
Jakarta Tomcat 3.1 under Apache reveals physical path
information when a remote attacker requests a URL that
does not exist, which generates an error message that
includes the physical path.
Status: Candidate
Phase: Modified (20050703)
Reference: BUGTRAQ:20000719 [LoWNOISE] Tomcat 3.1
Path Revealing Problem.
Reference:
URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719184401.17782A-100000@grex.cyberspace.org
Reference: BID:1531
Reference:
URL:http://www.securityfocus.com/bid/1531
Reference: XF:tomcat-error-path-reveal(4967)
Reference:
URL:http://www.iss.net/security_center/static/4967.php
Votes:
ACCEPT(2) Levy, Baker
NOOP(3) Cole, Williams, Wall
Name: CVE-2000-0760
Description:
The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under
Apache reveals sensitive system information when a
remote attacker requests a nonexistent URL with a .snp
extension.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000719 [LoWNOISE] Snoop
Servlet (Tomcat 3.1 and 3.0)
Reference:
URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719235404.24004A-100000@grex.cyberspace.org
Reference: XF:tomcat-snoop-info
Reference: BID:1532
Reference:
URL:http://www.securityfocus.com/bid/1532
Votes:
ACCEPT(2) Levy, Baker
NOOP(3) Cole, Williams, Wall
Name: CVE-2000-0769
Description:
O'Reilly WebSite Pro 2.3.7 installs the uploader.exe
program with execute permissions for all users, which
allows remote attackers to create and execute arbitrary
files by directly calling uploader.exe.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000824 WebServer Pro 2.3.7
Vulnerability
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96715834610888&w=2
Reference: BID:1611
Reference:
URL:http://www.securityfocus.com/bid/1611
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(2) Cole, Christey
REVIEWING(1) Wall
Voter Comments:
Christey> XF:website-pro-upload-files(5157)
Frech> XF:website-pro-upload-files(5157)
Name: CVE-2000-0772
Description:
The installation of Tumbleweed Messaging Management
System (MMS) 4.6 and earlier (formerly Worldtalk
Worldsecure) creates a default account "sa" with no
password.
Status: Candidate
Phase: Modified (20010116-01)
Reference: BUGTRAQ:20000810 Tumbleweed
Worldsecure (MMS) BLANK 'sa' account password
vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0098.html
Reference:
CONFIRM:http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-official.htm
Reference: BID:1562
Reference:
URL:http://www.securityfocus.com/bid/1562
Reference: XF:tumbleweed-mms-blank-password
Reference:
URL:http://xforce.iss.net/static/5072.php
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(3) Cole, Christey, Wall
Voter Comments:
Christey> XF:tumbleweed-mms-blank-password
http://xforce.iss.net/static/5072.php
Frech> XF:umbleweed-mms-blank-password(5072)
Name: CVE-2000-0774
Description:
The sample Java servlet "test" in Bajie HTTP web server
0.30a reveals the real pathname of the web document
root.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000731 Two security flaws in
Bajie Webserver
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0426.html
Reference: BID:1521
Reference:
URL:http://www.securityfocus.com/bid/1521
Votes:
ACCEPT(3) Levy, Williams, Baker
NOOP(2) Cole, Wall
Voter Comments:
Baker> Vendor fixed this issue in a later version of the software
Name: CVE-2000-0775
Description:
Buffer overflow in RobTex Viking server earlier than
1.06-370 allows remote attackers to cause a denial of
service or execute arbitrary commands via a long HTTP
GET request, or long Unless-Modified-Since, If-Range, or
If-Modified-Since headers.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000828 [NT] Viking security
vulnerabilities enable remote code execution (long URL,
date parsing)
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=399a01c01122$0d7f2310$0201a8c0@aviram
Reference:
CONFIRM:http://www.robtex.com/viking/bugs.htm
Reference: BID:1614
Reference:
URL:http://www.securityfocus.com/bid/1614
Votes:
ACCEPT(2) Levy, Baker
MODIFY(1) Frech
NOOP(3) Cole, Christey, Wall
Voter Comments:
Christey> XF:viking-server-bo(5158)
Frech> XF:viking-server-bo(5158)
Name: CVE-2000-0784
Description:
sshd program in the Rapidstream 2.1 Beta VPN appliance
has a hard-coded "rsadmin" account with a null password,
which allows remote attackers to execute arbitrary
commands via ssh.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000816 Remote Root
Compromise On All RapidStream VPN Appliances
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0216.html
Reference: BID:1574
Reference:
URL:http://www.securityfocus.com/bid/1574
Votes:
ACCEPT(3) Cole, Levy, Baker
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> XF:rapidstream-remote-execution
http://xforce.iss.net/static/5093.php
Frech> XF:rapidstream-remote-execution(5093)
Name: CVE-2000-0785
Description:
WircSrv IRC Server 5.07s allows IRC operators to read
arbitrary files via the importmotd command, which sets
the Message of the Day (MOTD) to the specified file.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000713 More wIRCSrv
stupidity
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96353027909756&w=2
Votes:
ACCEPT(1) Baker
MODIFY(1) Levy
NOOP(3) Cole, Williams, Wall
Voter Comments:
Levy> BID 1472
Name: CVE-2000-0789
Description:
WinU 5.x and earlier uses weak encryption to store its
configuration password, which allows local users to
decrypt the password and gain privileges.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000816 WinU 4/5 weak
password vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0201.html
Votes:
ACCEPT(1) Williams
MODIFY(2) Frech, Baker
NOOP(3) Cole, Christey, Wall
REVIEWING(1) Levy
Voter Comments:
Frech> XF:winu-backdoor(5376)
Christey> ADDREF BID:1741
ADDREF URL:http://www.securityfocus.com/bid/1741
Baker> Since there are apparently two different methods of weak encryption, perhaps the description should read " ... used weak encryption methods.."
Name: CVE-2000-0791
Description:
Trustix installs the httpsd program for Apache-SSL with
world-writeable permissions, which allows local users to
replace it with a Trojan horse.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000815 Trustix security
advisory - apache-ssl
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0179.html
Reference: BID:1575
Reference:
URL:http://www.securityfocus.com/bid/1575
Votes:
ACCEPT(3) Cole, Levy, Baker
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> XF:trustix-secure-apache-misconfig
http://xforce.iss.net/static/5099.php
Frech> XF:trustix-secure-apache-misconfig(5099)
Name: CVE-2000-0793
Description:
Norton AntiVirus 5.00.01C with the Novell Netware client
does not properly restart the auto-protection service
after the first user has logged off of the system.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000728 Norton Antivirus
Protection Disabled under Novell Netware
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=398222C5@zathras.cc.vt.edu
Reference: BID:1533
Reference:
URL:http://www.securityfocus.com/bid/1533
Votes:
ACCEPT(1) Levy
MODIFY(1) Baker
NOOP(3) Cole, Williams, Wall
Voter Comments:
Baker> Perhaps the description should read "... after the first user to log on to the system logs off."
Name: CVE-2000-0794
Description:
Buffer overflow in IRIX libgl.so library allows local
users to gain root privileges via a long HOME variable
to programs such as (1) gmemusage and (2) gr_osview.
Status: Candidate
Phase: Modified (20060705)
Reference: BUGTRAQ:20000802 [LSD] some
unpublished LSD exploit codes
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
Reference: BID:1527
Reference:
URL:http://www.securityfocus.com/bid/1527
Reference: OSVDB:8568
Reference: URL:http://www.osvdb.org/8568
Reference: XF:irix-libgl-bo(5063)
Reference:
URL:http://www.iss.net/security_center/static/5063.php
Votes:
ACCEPT(3) Levy, Williams, Baker
NOOP(3) Cole, Christey, Wall
Voter Comments:
Christey> XF:irix-libgl-bo
http://xforce.iss.net/static/5063.php
Name: CVE-2000-0798
Description:
The truncate function in IRIX 6.x does not properly
check for privileges when the file is in the xfs file
system, which allows local users to delete the contents
of arbitrary files.
Status: Candidate
Phase: Modified (20060626)
Reference: BUGTRAQ:20000802 [LSD] some
unpublished LSD exploit codes
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
Reference: BID:1540
Reference:
URL:http://www.securityfocus.com/bid/1540
Reference: OSVDB:8569
Reference: URL:http://www.osvdb.org/8569
Votes:
ACCEPT(3) Levy, Williams, Baker
NOOP(3) Cole, Christey, Wall
Voter Comments:
Christey> XF:irix-xfs-truncate
http://xforce.iss.net/static/5011.php
Christey> XF:sgi-xfs(2110) ?
SGI:19970102-01-PX ?
Christey> Consulting SGI on this... the relationship is pretty close.
Name: CVE-2000-0800
Description:
String parsing error in rpc.kstatd in the linuxnfs or
knfsd packages in SuSE and possibly other Linux systems
allows remote attackers to gain root privileges.
Status: Candidate
Phase: Proposed (20000921)
Reference: SUSE:20000810 Security Hole in knfsd,
all versions
Reference:
URL:http://www.novell.com/linux/security/advisories/suse_security_announce_58.html
Votes:
ACCEPT(1) Cole
MODIFY(2) Frech, Levy
NOOP(2) Baker, Wall
REJECT(1) Christey
Voter Comments:
Levy> This is the same as other Linux vendors statd format string problem.
Reference: BID 1480
Christey> If this is the same as the other statd format string problems,
then this is a duplicate of CVE-2000-0666.
Frech> XF:linux-rpcstatd-format-overwrite(4939)
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> OK, I agree that this is a dupe of CVE-2000-0666.
Here's why:
BUGTRAQ:20000803 SuSE Security: miscellaneous
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96540330329127&w=2
One statement says "The SuSE package containing rpc.kstatd
(other vendors named it rpc.statd)... An updated package is
currently being tested."
Name: CVE-2000-0801
Description:
Buffer overflow in bdf program in HP-UX 11.00 may allow
local users to gain root privileges via a long -t
option.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000727 [ Hackerslab
bug_paper ] HP-UX bdf -t option buffer overflow vul.
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0388.html
Reference: BID:1520
Reference:
URL:http://www.securityfocus.com/bid/1520
Votes:
ACCEPT(3) Baker, Levy, Williams
NOOP(3) Cole, Christey, Wall
Voter Comments:
Christey> ADDREF HP:HPSBUX0010-127??
http://archives.neohapsis.com/archives/hp/2000-q4/0028.html
Name: CVE-2000-0802
Description:
The BAIR program does not properly restrict access to
the Internet Explorer Internet options menu, which
allows local users to obtain access to the menu by
modifying the registry key that starts BAIR.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000722 More bad censorware
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96430372326912&w=2
Reference: XF:bair-security-removal
Votes:
NOOP(5) Baker, Cole, Williams, LeBlanc, Wall
REVIEWING(1) Levy
Voter Comments:
LeBlanc> What the heck is BAIR? I don't think it is MS software.
Name: CVE-2000-0812
Description:
The administration module in Sun Java web server allows
remote attackers to execute arbitrary commands by
uploading Java code to the module and invoking the
com.sun.server.http.pagecompile.jsp92.JspServlet by
requesting a URL that begins with a /servlet/ tag.
Status: Candidate
Phase: Interim (20010117)
Reference: SUN:00197
Reference:
URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/197&type=0&nav=sec.sba
Reference:
MISC:http://www.securityfocus.com/templates/advisory.html?id=2542
Reference: BID:1600
Reference:
URL:http://www.securityfocus.com/bid/1600
Reference: XF:sunjava-webadmin-bbs
Reference:
URL:http://xforce.iss.net/static/5135.php
Votes:
ACCEPT(2) Baker, Dik
MODIFY(2) Frech, Levy
NOOP(3) Cole, Armstrong, Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:sunjava-webadmin-bbs(5135)
Levy> BID 1600
Frech> We also show this associated with CVE-2000-0629: The default
configuration of the Sun Java web server 2.0 and earlier allows remote
attackers to execute arbitrary commands by uploading Java code to the
server via board.html, then directly calling the JSP compiler
servlet. CVE web site concurs.
Christey> I think that Casper Dik confirmed that CVE-2000-0629 is a
configuration problem, and this one is a bug, so they are
different problems. I need to dig up that email, though...
Dik> CVE-2000-0629 indeed is about sample code which shouldn't
be run on production servers
This one is an actual bug and patches have been produced
for JWS 2.0 and 1.1.3
Name: CVE-2000-0817
Description:
Buffer overflow in the HTTP protocol parser for
Microsoft Network Monitor (Netmon) allows remote
attackers to execute arbitrary commands via malformed
data, aka the "Netmon Protocol Parsing" vulnerability.
Status: Candidate
Phase: Modified (20010119-01)
Reference: ISS:20001101 Buffer Overflow in
Microsoft Windows NT 4.0 and Windows 2000 Network
Monitor
Reference:
URL:http://xforce.iss.net/alerts/index.php
Reference: MS:MS00-083
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/MS00-083.asp
Reference: XF:network-monitor-bo(5399)
Votes:
ACCEPT(3) Baker, Cole, Mell
MODIFY(1) Frech
NOOP(1) Renaud
Voter Comments:
Frech> XF:network-monitor-bo(5399)
Name: CVE-2000-0826
Description:
Buffer overflow in ddicgi.exe program in Mobius
DocumentDirect for the Internet 1.2 allows remote
attackers to execute arbitrary commands via a long GET
request.
Status: Candidate
Phase: Proposed (20001018)
Reference: ATSTAKE:A090800-1
Reference:
URL:http://www.atstake.com/research/advisories/2000/a090800-1.txt
Reference: BID:1657
Reference:
URL:http://www.securityfocus.com/bid/1657
Reference: XF:documentdirect-get-bo
Reference:
URL:http://xforce.iss.net/static/5210.php
Votes:
ACCEPT(2) Baker, Collins
NOOP(3) Cole, Armstrong, Wall
Name: CVE-2000-0827
Description:
Buffer overflow in the web authorization form of Mobius
DocumentDirect for the Internet 1.2 allows remote
attackers to cause a denial of service or execute
arbitrary commands via a long username.
Status: Candidate
Phase: Proposed (20001018)
Reference: ATSTAKE:A090800-1
Reference:
URL:http://www.atstake.com/research/advisories/2000/a090800-1.txt
Reference: BID:1657
Reference:
URL:http://www.securityfocus.com/bid/1657
Reference: XF:documentdirect-username-bo
Reference:
URL:http://xforce.iss.net/static/5211.php
Votes:
ACCEPT(2) Baker, Collins
NOOP(3) Cole, Armstrong, Wall
Name: CVE-2000-0828
Description:
Buffer overflow in ddicgi.exe in Mobius DocumentDirect
for the Internet 1.2 allows remote attackers to execute
arbitrary commands via a long User-Agent parameter.
Status: Candidate
Phase: Proposed (20001018)
Reference: ATSTAKE:A090800-1
Reference:
URL:http://www.atstake.com/research/advisories/2000/a090800-1.txt
Reference: BID:1657
Reference:
URL:http://www.securityfocus.com/bid/1657
Reference: XF:documentdirect-user-agent-bo
Reference:
URL:http://xforce.iss.net/static/5212.php
Votes:
ACCEPT(2) Baker, Collins
NOOP(3) Cole, Armstrong, Wall
Name: CVE-2000-0831
Description:
Buffer overflow in Fastream FTP++ 2.0 allows remote
attackers to cause a denial of service and possibly
execute arbitrary commands via a long username.
Status: Candidate
Phase: Proposed (20001018)
Reference: WIN2KSEC:20000912 DST2K0027: DoS in
Faststream FTP++ 2.0
Reference:
URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0109.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Cole, Armstrong, Magdych
REVIEWING(2) Christey, Wall
Voter Comments:
Frech> XF:fastream-ftp-dos(5235)
Christey> XF:fastream-ftp-dos
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> CVE-2000-0831 and CVE-2001-0256 are probable duplicates, since
they involve the same product and version (Fastream FTP++
2.0), vuln type (buffer overflow), and attack vector (username).
Name: CVE-2000-0832
Description:
Htgrep CGI program allows remote attackers to read
arbitrary files by specifying the full pathname in the
hdr parameter.
Status: Candidate
Phase: Modified (20010910-01)
Reference: BUGTRAQ:20000817 Htgrep CGI Arbitrary
File Viewing Vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0208.html
Reference: XF:htgrep-cgi-view-files(5476)
Reference:
URL:http://xforce.iss.net/static/5476.php
Votes:
ACCEPT(2) Baker, Collins
MODIFY(1) Frech
NOOP(4) Cole, Armstrong, Christey, Wall
Voter Comments:
Frech> XF:htgrep-cgi-view-files(5476)
Collins> http://www.iam.unibe.ch/~scg/Src/Doc/
Christey> The change log for htgrep acknowledges the problem, but it
says that the qry tag is also affected. CD:SF-LOC says that
multiple problems of the same type in the same version should
be combined, so this candidate should get a "soft recast"
and qry should be added to the description.
Name: CVE-2000-0833
Description:
Buffer overflow in WinSMTP 1.06f and 2.X allows remote
attackers to cause a denial of service via a long (1)
USER or (2) HELO command.
Status: Candidate
Phase: Modified (20020222-01)
Reference: BUGTRAQ:2000911 WinSMTPD remote
exploit/DoS problem
Reference:
URL:http://www.securityfocus.com/archive/1/81693
Reference: BID:1680
Reference:
URL:http://www.securityfocus.com/bid/1680
Reference: XF:winsmtp-helo-bo(5255)
Reference:
URL:http://xforce.iss.net/static/5255.php
Votes:
ACCEPT(5) Baker, Cole, Frech, Collins, Wall
NOOP(2) Armstrong, Magdych
Voter Comments:
Cole> HAS-INDEPENDENT-CONFIRMATION
CHANGE> [Wall changed vote from REVIEWING to ACCEPT]
Name: CVE-2000-0835
Description:
search.dll Sambar ISAPI Search utility in Sambar Server
4.4 Beta 3 allows remote attackers to read arbitrary
directories by specifying the directory in the query
parameter.
Status: Candidate
Phase: Modified (20051126)
Reference: BUGTRAQ:20000915 Sambar Server search
CGI vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0175.html
Reference: BID:1684
Reference:
URL:http://www.securityfocus.com/bid/1684
Votes:
MODIFY(1) Frech
NOOP(5) Cole, Armstrong, Collins, Christey, Wall
REJECT(2) Baker, Magdych
Voter Comments:
Magdych> Unless the beta product is in very widespread use, or the product is in
"perpetual beta" (e.g. ICQ), I would prefer not to include beta software.
Christey> XF:sambar-search-view-folder
Frech> XF:sambar-search-view-folder(5247)
Baker> Unless we change our CD:EX-BETA, we should reject this entry. Perhaps we need to address the issue of Beta software again, but the previous discussion was pretty thorough and I believe the editorial board was unanimous in excluding normal beta software.
Christey> Fix typo: "paramater"
Christey> fix typo: "paramatar"
Name: CVE-2000-0836
Description:
Buffer overflow in CamShot WebCam Trial2.6 allows remote
attackers to execute arbitrary commands via a long
Authorization header.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000915 [NEWS] Vulnerability
in CamShot server (Authorization)
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0176.html
Reference: BID:1685
Reference:
URL:http://www.securityfocus.com/bid/1685
Reference: XF:camshot-password-bo
Reference:
URL:http://xforce.iss.net/static/5246.php
Votes:
ACCEPT(2) Baker, Frech
NOOP(3) Cole, Armstrong, Magdych
REVIEWING(1) Wall
Name: CVE-2000-0840
Description:
Buffer overflow in XMail POP3 server before version 0.59
allows remote attackers to execute arbitrary commands
via a long USER command.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 [NEWS] XMail
vulnerable to a remotely exploitable buffer overflow
(APOP, USER)
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0001.html
Reference: BID:1652
Reference:
URL:http://www.securityfocus.com/bid/1652
Reference: XF:xmail-long-user-bo
Reference:
URL:http://xforce.iss.net/static/5192.php
Votes:
ACCEPT(4) Baker, Cole, Armstrong, Collins
NOOP(2) Christey, Wall
Voter Comments:
Cole> INDEPENDENT-CONFIRMATION
Christey> CONFIRM:http://www.mycio.com/davidel/xmail/xmaildoc.htm
The entry dated 30-07-2000 for version 0.59 says: "A possible
buffer overflow error has been fixed."
Name: CVE-2000-0841
Description:
Buffer overflow in XMail POP3 server before version 0.59
allows remote attackers to execute arbitrary commands
via a long APOP command.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 [NEWS] XMail
vulnerable to a remotely exploitable buffer overflow
(APOP, USER)
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0001.html
Reference: BID:1652
Reference:
URL:http://www.securityfocus.com/bid/1652
Reference: XF:xmail-long-apop-bo
Reference:
URL:http://xforce.iss.net/static/5191.php
Votes:
ACCEPT(4) Baker, Cole, Armstrong, Collins
NOOP(2) Christey, Wall
Voter Comments:
Cole> INDEPENDENT-CONFIRMATION
Christey> CONFIRM:http://www.mycio.com/davidel/xmail/xmaildoc.htm
The entry dated 30-07-2000 for version 0.59 says: "A possible
buffer overflow error has been fixed."
Name: CVE-2000-0842
Description:
The search97cgi/vtopic in the UnixWare 7 scohelphttp
webserver allows remote attackers to read arbitrary
files via a .. (dot dot) attack.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000911 SCO scohelhttp
documentation webserver exposes local files
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0086.html
Reference: BID:1663
Reference:
URL:http://www.securityfocus.com/bid/1663
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(5) Cole, Armstrong, Magdych, Christey, Wall
Voter Comments:
Frech> XF:sco-help-view-files(5226)
Christey> What is the proper "spelling" for the SCO help HTTP server?
I've seen it as "SCOhelp" and "scohelphttp" and "SCO help HTTP"
Christey> XF:sco-help-view-files
Christey> typo - extra "
Name: CVE-2000-0843
Description:
Buffer overflow in pam_smb and pam_ntdom pluggable
authentication modules (PAM) allows remote attackers to
execute arbitrary commands via a login with a long user
name.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000910 (SRADV00002) Remote
root compromise through pam_smb and pam_ntdom
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0073.html
Reference: DEBIAN:20000911 libpam-smb: remote
root exploit
Reference:
URL:http://www.debian.org/security/2000/20000911
Reference: SUSE:20000913 pam_smb remotely
exploitable buffer overflow
Reference:
URL:http://www.novell.com/linux/security/advisories/adv8_draht_pam_smb_txt.html
Reference: MANDRAKE:MDKSA-2000:047
Reference:
URL:http://www.linux-mandrake.com/en/security/MDKSA-2000-047.php3
Reference: BUGTRAQ:20000911 Conectiva Linux
Security Announcement - pam_smb
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0114.html
Reference: BID:1666
Reference:
URL:http://www.securityfocus.com/bid/1666
Votes:
ACCEPT(4) Baker, Armstrong, Collins, Magdych
MODIFY(1) Frech
NOOP(3) Cole, Christey, Wall
Voter Comments:
Magdych> ACKNOWLEDGED-BY-VENDOR
Christey> ADDREF XF:pam-authentication-bo
Frech> XF:pam-authentication-bo(5225)
Name: CVE-2000-0845
Description:
kdebug daemon (kdebugd) in Digital Unix 4.0F allows
remote attackers to read arbitrary files by specifying
the full file name in the initialization packet.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000918 [ENIGMA] Digital
UNIX/Tru64 UNIX remote kdebug Vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0204.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(5) Cole, Armstrong, Magdych, Christey, Wall
Voter Comments:
Frech> XF:du-kdebugd-write-access(5262)
Christey> This problem also allows attackers to overwrite files.
ADDREF BID:1693
ADDREF URL:http://www.securityfocus.com/bid/1693
ADDREF XF:du-kdebugd-write-access
ADDREF http://xforce.iss.net/static/5262.php
Name: CVE-2000-0855
Description:
SunFTP build 9(1) allows remote attackers to cause a
denial of service by connecting to the server and
disconnecting before sending a newline.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000901 [EXPL] SunFTP
vulnerable to two Denial-of-Service attacks (long
buffer, half-open)
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0408.html
Reference: BID:1637
Reference:
URL:http://www.securityfocus.com/bid/1637
Votes:
ACCEPT(4) Baker, Cole, Armstrong, Collins
NOOP(1) Wall
Voter Comments:
Cole> INDEPENDENT-CONFIRMATION
Name: CVE-2000-0857
Description:
The logging capability in muh 2.05d IRC server does not
properly cleanse user-injected format strings, which
allows remote attackers to cause a denial of service or
execute arbitrary commands via a malformed nickname.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000909 format string bug in
muh
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0067.html
Reference: BUGTRAQ:20000909 Re: format string bug
in muh
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0068.html
Reference: BID:1665
Reference:
URL:http://www.securityfocus.com/bid/1665
Reference: XF:muh-log-dos
Reference:
URL:http://xforce.iss.net/static/5215.php
Votes:
ACCEPT(4) Baker, Cole, Frech, Collins
NOOP(4) Armstrong, Magdych, Christey, Wall
Voter Comments:
Cole> HAS-INDEPENDENT-CONFIRMATION
Christey> ADDREF FREEBSD:FreeBSD-SA-00:57
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0866
Description:
Interbase 6 SuperServer for Linux allows an attacker to
cause a denial of service via a query containing 0
bytes.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000907 SEGFAULTING Interbase
6 SS Linux
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0027.html
Reference: BID:1654
Reference:
URL:http://www.securityfocus.com/bid/1654
Reference: XF:interbase-query-dos
Reference:
URL:http://xforce.iss.net/static/5205.php
Votes:
ACCEPT(2) Baker, Collins
NOOP(3) Cole, Armstrong, Wall
Name: CVE-2000-0872
Description:
explorer.php in PhotoAlbum 0.9.9 allows remote attackers
to read arbitrary files via a .. (dot dot) attack.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 PhotoAlbum 0.9.9
explorer.php Vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0015.html
Reference: BID:1650
Reference:
URL:http://www.securityfocus.com/bid/1650
Reference: XF:phpphoto-dir-traverse
Reference:
URL:http://xforce.iss.net/static/5198.php
Votes:
ACCEPT(2) Baker, Collins
NOOP(3) Cole, Armstrong, Wall
Name: CVE-2000-0879
Description:
LPPlus programs dccsched, dcclpdser, dccbkst, dccshut,
dcclpdshut, and dccbkstshut are installed setuid root
and world executable, which allows arbitrary local users
to start and stop various LPD services.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 Multiple Security
Holes in LPPlus
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0531.html
Reference: BID:1643
Reference:
URL:http://www.securityfocus.com/bid/1643
Reference: XF:lpplus-permissions-dos
Reference:
URL:http://xforce.iss.net/static/5199.php
Votes:
ACCEPT(2) Baker, Collins
NOOP(3) Cole, Armstrong, Wall
Name: CVE-2000-0880
Description:
LPPlus creates the lpdprocess file with world-writeable
permissions, which allows local users to kill arbitrary
processes by specifying an alternate process ID and
using the setuid dcclpdshut program to kill the process
that was specified in the lpdprocess file.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 Multiple Security
Holes in LPPlus
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0531.html
Reference: BID:1643
Reference:
URL:http://www.securityfocus.com/bid/1643
Reference: XF:lpplus-process-perms-dos
Reference:
URL:http://xforce.iss.net/static/5200.php
Votes:
ACCEPT(2) Baker, Collins
NOOP(3) Cole, Armstrong, Wall
Name: CVE-2000-0881
Description:
The dccscan setuid program in LPPlus does not properly
check if the user has the permissions to print the file
that is specified to dccscan, which allows local users
to print arbitrary files.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 Multiple Security
Holes in LPPlus
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0531.html
Reference: BID:1644
Reference:
URL:http://www.securityfocus.com/bid/1644
Reference: XF:lpplus-dccscan-file-read
Reference:
URL:http://xforce.iss.net/static/5201.php
Votes:
ACCEPT(2) Baker, Collins
NOOP(3) Cole, Armstrong, Wall
Name: CVE-2000-0882
Description:
Intel Express 500 series switches allow a remote
attacker to cause a denial of service via a malformed
ICMP packet, which causes the CPU to crash.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 VIGILANTE-2000010:
Intel Express Switch series 500 DoS #2
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0533.html
Reference: BID:1647
Reference:
URL:http://www.securityfocus.com/bid/1647
Votes:
ACCEPT(1) Baker
NOOP(3) Cole, Armstrong, Wall
Name: CVE-2000-0885
Description:
Buffer overflows in Microsoft Network Monitor (Netmon)
allow remote attackers to execute arbitrary commands via
a long Browser Name in a CIFS Browse Frame, a long SNMP
community name, or a long username or filename in an SMB
session, aka the "Netmon Protocol Parsing"
vulnerability. NOTE: It is highly likely that this
candidate will be split into multiple candidates.
Status: Candidate
Phase: Modified (20010119-01)
Reference: NAI:20001101 Multiple Network Monitor
Overflows
Reference: MS:MS00-083
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/MS00-083.asp
Reference: XF:network-monitor-bo(5399)
Votes:
ACCEPT(4) Baker, Cole, Renaud, Mell
MODIFY(1) Frech
Voter Comments:
Frech> XF:network-monitor-bo(5399)
Name: CVE-2000-0889
Description:
Two Sun security certificates have been compromised,
which could allow attackers to insert malicious code
such as applets and make it appear that it is signed by
Sun.
Status: Candidate
Phase: Proposed (20010202)
Reference: CERT:CA-2000-19
Reference:
URL:http://www.cert.org/advisories/CA-2000-19.html
Reference: SUN:00198
Reference:
URL:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/198&type=0&nav=sec.sba
Votes:
ACCEPT(3) Baker, Cole, Dik
MODIFY(1) Frech
NOOP(2) Ziese, Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:sun-compromised-certificate(5404)
Christey> Should revoked certs be included in CVE? How about the ones
for Microsoft from early 2001?
Name: CVE-2000-0893
Description:
The presence of the Distributed GL Daemon (dgld) service
on port 5232 on SGI IRIX systems allows remote attackers
to identify the target host as an SGI system.
Status: Candidate
Phase: Proposed (20010202)
Reference: CERT-VN:VU#28027
Reference:
URL:http://www.kb.cert.org/vuls/id/28027
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Cole, Wall
REVIEWING(1) Ziese
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:irix-dgld-port-scan(6592)
Name: CVE-2000-0898
Description:
Small HTTP Server 2.01 does not properly process Server
Side Includes (SSI) tags that contain null values, which
allows local users, and possibly remote attackers, to
cause the server to crash by inserting the SSI into an
HTML file.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001114 Vulnerabilites in
SmallHTTP Server
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97421834001092&w=2
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(4) Cole, Armstrong, Balinsky, Wall
Voter Comments:
Frech> XF:small-http-ssi-dos(5960)
Balinsky> Found no data on vendor web site to support this.
http://home.lanck.net/mf/srv/index.htm
Name: CVE-2000-0899
Description:
Small HTTP Server 2.01 allows remote attackers to cause
a denial of service by connecting to the server and
sending out multiple GET, HEAD, or POST requests and
closing the connection before the server responds to the
requests.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001114 Vulnerabilites in
SmallHTTP Server
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97421834001092&w=2
Reference: BID:1942
Reference:
URL:http://www.securityfocus.com/bid/1942
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(4) Cole, Armstrong, Balinsky, Wall
Voter Comments:
Frech> XF:small-http-request-dos(5523)
Balinsky> Found no data on vendor web site to support this.
http://home.lanck.net/mf/srv/index.htm
Name: CVE-2000-0902
Description:
getalbum.php in PhotoAlbum before 0.9.9 allows remote
attackers to read arbitrary files via a .. (dot dot)
attack.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000907 Re: PhotoAlbum 0.9.9
explorer.php Vulnerability
Reference:
URL:http://www.securityfocus.com/archive/1/80858
Reference:
XF:phpphotoalbum-getalbum-directory-traversal
Reference:
URL:http://xforce.iss.net/static/5209.php
Votes:
ACCEPT(2) Mell, Collins
NOOP(2) Cole, Wall
Name: CVE-2000-0903
Description:
Directory traversal vulnerability in Voyager web server
2.01B in the demo disks for QNX 405 allows remote
attackers to read arbitrary files via a .. (dot dot)
attack.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000901 Multiple QNX Voyager
Issues
Reference:
URL:http://www.securityfocus.com/archive/1/79956
Reference: BID:1648
Reference:
URL:http://www.securityfocus.com/bid/1648
Votes:
ACCEPT(2) Mell, Baker
NOOP(3) Cole, Collins, Wall
Voter Comments:
Collins> Assigning CVE numbers for demo software is not appropriate
Baker> Was this a beta version in the demo disk? I don't think it was. While we do have an exclusion for beta software,
software that is distributed as production software, just limited in scope, does not mean beta.
The current version is 4, but it is still offered for free download from their website for use.
CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
Baker> Should change vote from review to accept
Name: CVE-2000-0904
Description:
Voyager web server 2.01B in the demo disks for QNX 405
stores sensitive web client information in the .photon
directory in the web document root, which allows remote
attackers to obtain that information.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000901 Multiple QNX Voyager
Issues
Reference:
URL:http://www.securityfocus.com/archive/1/79956
Reference: BID:1648
Reference:
URL:http://www.securityfocus.com/bid/1648
Votes:
ACCEPT(1) Mell
NOOP(3) Cole, Collins, Wall
Voter Comments:
Collins> assigning CVE numbers for demo software is not appropriate
Name: CVE-2000-0905
Description:
QNX Embedded Resource Manager in Voyager web server
2.01B in the demo disks for QNX 405 allows remote
attackers to read sensitive system statistics
information via the embedded.html web page.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000901 Multiple QNX Voyager
Issues
Reference:
URL:http://www.securityfocus.com/archive/1/79956
Reference: BID:1648
Reference:
URL:http://www.securityfocus.com/bid/1648
Votes:
ACCEPT(1) Mell
NOOP(2) Cole, Wall
Name: CVE-2000-0906
Description:
Directory traversal vulnerability in Moreover.com
cached_feed.cgi script version 4.July.00 allows remote
attackers to read arbitrary files via a .. (dot dot)
attack on the category or format parameters.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001002 Moreover Cached_Feed
CGI Vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0013.html
Reference: XF:moreover-cgi-dir-traverse
Reference:
URL:http://xforce.iss.net/static/5334.php
Reference: BID:1762
Reference:
URL:http://www.securityfocus.com/bid/1762
Votes:
ACCEPT(3) Mell, Frech, Collins
NOOP(2) Cole, Wall
Name: CVE-2000-0907
Description:
EServ 2.92 Build 2982 allows remote attackers to cause a
denial of service and possibly execute arbitrary
commands via long HELO and MAIL FROM commands.
Status: Candidate
Phase: Proposed (20001129)
Reference: WIN2KSEC:20000925 DST2K0030: DoS in
EServ 2.92 Build 2982
Reference:
URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0131.html
Votes:
ACCEPT(3) Mell, Baker, Collins
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:eserv-remote-dos(5643)
Name: CVE-2000-0916
Description:
FreeBSD 4.1.1 and earlier, and possibly other BSD-based
OSes, uses an insufficient random number generator to
generate initial TCP sequence numbers (ISN), which
allows remote attackers to spoof TCP connections.
Status: Candidate
Phase: Proposed (20001129)
Reference: FREEBSD:FreeBSD-SA-00:52
Reference:
URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:52.tcp-iss.asc
Reference: BID:1766
Reference:
URL:http://www.securityfocus.com/bid/1766
Votes:
ACCEPT(2) Mell, Cole
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:tcp-seq-predict(139)
Christey> Abstraction issue: CVE-1999-0077 is for TCP sequence
prediction as a general problem; but here we have a specific
implementation flaw.
Name: CVE-2000-0918
Description:
Format string vulnerability in kvt in KDE 1.1.2 may
allow local users to execute arbitrary commands via a
DISPLAY environmental variable that contains formatting
characters.
Status: Candidate
Phase: Proposed (20001129)
Reference: BID:1700
Reference:
URL:http://www.securityfocus.com/bid/1700
Reference: BUGTRAQ:20000919 kvt format bug
Reference:
URL:http://www.securityfocus.com/archive/1/83914
Votes:
ACCEPT(2) Mell, Baker
NOOP(2) Cole, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> May be a duplicate of CVE-2000-0373, but the ref's in that CVE
are vague. I suspect this *isn't* a duplicate because this is
a format string problem.
Baker> I think it is sufficiently different from 2000-0373.
Name: CVE-2000-0931
Description:
Buffer overflow in Pegasus Mail 3.11 allows remote
attackers to cause a denial of service and possibly
execute arbitrary commands via a long email message
containing binary data.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001004 Another Pegasus Mail
vulnerability
Reference:
URL:http://www.securityfocus.com/archive/1/137518
Reference: BID:1750
Reference:
URL:http://www.securityfocus.com/bid/1750
Votes:
ACCEPT(1) Mell
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:pegasus-mail-bo(5644)
Name: CVE-2000-0939
Description:
Samba Web Administration Tool (SWAT) in Samba 2.0.7
allows remote attackers to cause a denial of service by
repeatedly submitting a nonstandard URL in the GET HTTP
request and forcing it to restart.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001030 Samba 2.0.7 SWAT
vulnerabilities
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0430.html
Reference: XF:samba-swat-url-filename-dos
Reference:
URL:http://xforce.iss.net/static/5444.php
Votes:
ACCEPT(2) Mell, Frech
NOOP(1) Cole
REJECT(1) Renaud
Voter Comments:
Renaud> SWAT makes this DoS easier to perform, but actually, it is an inetd
problem, not a swat problem.
Name: CVE-2000-0940
Description:
Directory traversal vulnerability in Metertek
pagelog.cgi allows remote attackers to read arbitrary
files via a .. (dot dot) attack on the "name" or
"display" parameter.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001029 Minor bug in
Pagelog.cgi
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0422.html
Reference: BID:1864
Reference:
URL:http://www.securityfocus.com/bid/1864
Reference: XF:pagelog-cgi-dir-traverse
Reference:
URL:http://xforce.iss.net/static/5451.php
Votes:
ACCEPT(2) Mell, Frech
NOOP(1) Cole
Name: CVE-2000-0950
Description:
Format string vulnerability in x-gw in TIS Firewall
Toolkit (FWTK) allows local users to execute arbitrary
commands via a malformed display name.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001026 FWTK x-gw Security
Advisory [GSA2000-01]
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0376.html
Reference: XF:tisfwtk-xgw-execute-code
Reference:
URL:http://xforce.iss.net/static/5420.php
Votes:
ACCEPT(4) Mell, Baker, Cole, Frech
NOOP(1) Renaud
REVIEWING(1) Christey
Voter Comments:
Christey> I thought I saw some mailing list that questioned whether this
problem was only a DoS...
Name: CVE-2000-0954
Description:
Shambala Server 4.5 stores passwords in plaintext, which
could allow local users to obtain the passwords and
compromise the server.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001009 Shambala 4.5
vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0134.html
Reference: BID:1771
Reference:
URL:http://www.securityfocus.com/bid/1771
Reference: XF:shambala-password-plaintext
Reference:
URL:http://xforce.iss.net/static/5346.php
Votes:
ACCEPT(3) Mell, Baker, Frech
NOOP(1) Cole
Name: CVE-2000-0955
Description:
Cisco Virtual Central Office 4000 (VCO/4K) uses weak
encryption to store usernames and passwords in the SNMP
MIB, which allows an attacker who knows the community
name to crack the password and gain privileges.
Status: Candidate
Phase: Proposed (20001129)
Reference: ATSTAKE:A102600-1
Reference:
URL:http://www.atstake.com/research/advisories/2000/a102600-1.txt
Reference: BID:1885
Reference:
URL:http://www.securityfocus.com/bid/1885
Reference: XF:cisco-vco-snmp-passwords
Reference:
URL:http://xforce.iss.net/static/5425.php
Votes:
ACCEPT(4) Mell, Cole, Frech, Ziese
NOOP(2) Balinsky, Christey
Voter Comments:
Christey> CISCO:20001026 VCO/4K Remote Password Disclosure
http://www.cisco.com/warp/public/707/vco4kpasswdexposure-pub.shtml
CHANGE> [Balinsky changed vote from REVIEWING to NOOP]
Name: CVE-2000-0963
Description:
Buffer overflow in ncurses library allows local users to
execute arbitrary commands via long environmental
information such as TERM or TERMINFO_DIRS.
Status: Candidate
Phase: Modified (20080819)
Reference: BUGTRAQ:20001009 ncurses buffer
overflows
Reference:
URL:http://www.securityfocus.com/archive/1/138550
Reference: CALDERA:CSSA-2000-036.0
Reference:
URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-036.0.txt
Reference: BID:1142
Reference:
URL:http://www.securityfocus.com/bid/1142
Reference:
XF:gnu-ncurses-term-terminfodirs-bo(44487)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/44487
Votes:
ACCEPT(2) Mell, Cole
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> Various vendor writeups indicate that there are multiple
overflows, so maybe this needs to be SPLIT.
ADDREF FREEBSD:FreeBSD-SA-00:68
ADDREF DEBIAN:20001121 ncurses: local privilege escalation
http://www.debian.org/security/2000/20001121
ADDREF REDHAT:RHSA-2000:115
http://www.redhat.com/support/errata/RHSA-2000-115.html
BUGTRAQ:20001201 Immunix OS Security update for ncurses
http://marc.theaimsgroup.com/?l=bugtraq&m=97570745306444&w=2
Frech> XF:libmytinfo-bo(4422)
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> This is all a library issue in which TERM/TERMINFO_DIRS are
one possible attack vector, but another is through entries
in the .terminfo file. Add .terminfo and termcap to the
description, as well as libncurses.
ADDREF MANDRAKE:MDKSA-2001:052
URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-052.php3
Now need to examine whether this is a dupe of CVE-2002-0062,
and/or BID:2116. There's certainly enough confusion to go
around.
CHANGE> [Christey changed vote from REVIEWING to NOOP]
Christey> This is not a dupe of CVE-2002-0062. As explained in
DEBIAN:DSA-113, the original patches for CVE-2000-0963
didn't catch every problem.
ADDREF SUSE:SuSE-SA:2000:043
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97267560724404&w=2
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Name: CVE-2000-0971
Description:
Avirt Mail 4.0 and 4.2 allows remote attackers to cause
a denial of service and possibly execute arbitrary
commands via a long "RCPT TO" or "MAIL FROM" command.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001023 Avirt Mail 4.x DoS
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0301.html
Reference: XF:avirt-mail-from-dos
Reference:
URL:http://xforce.iss.net/static/5397.php
Reference: XF:avirt-rcpt-to-dos
Reference:
URL:http://xforce.iss.net/static/5398.php
Votes:
ACCEPT(3) Mell, Cole, Frech
NOOP(2) Armstrong, Christey
Voter Comments:
Christey> Fix typo: "possible" should be "possibly"
Christey> fix typo: "and possible"
Name: CVE-2000-0985
Description:
Buffer overflow in All-Mail 1.1 allows remote attackers
to execute arbitrary commands via a long "MAIL FROM" or
"RCPT TO" command.
Status: Candidate
Phase: Proposed (20001129)
Reference: ATSTAKE:A101200-2
Reference:
URL:http://www.atstake.com/research/advisories/2000/a101200-2.txt
Reference: BID:1789
Reference:
URL:http://www.securityfocus.com/bid/1789
Votes:
ACCEPT(2) Mell, Baker
MODIFY(1) Frech
NOOP(1) Cole
Voter Comments:
Frech> XF:all-mail-smtp-bo(5360)
Name: CVE-2000-0986
Description:
Buffer overflow in Oracle 8.1.5 applications such as
names, namesctl, onrsd, osslogin, tnslsnr, tnsping,
trcasst, and trcroute possibly allows local users to gain
privileges via a long ORACLE_HOME environmental
variable.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001020 [ Hackerslab
bug_paper ] Linux ORACLE 8.1.5 vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0294.html
Reference: XF:oracle-home-bo
Reference:
URL:http://xforce.iss.net/static/5390.php
Votes:
ACCEPT(3) Mell, Baker, Frech
NOOP(2) Cole, Armstrong
Name: CVE-2000-0987
Description:
Buffer overflow in oidldapd in Oracle 8.1.6 allows local
users to gain privileges via a long "connect" command
line parameter.
Status: Candidate
Phase: Proposed (20001129)
Reference: XF:oracle-oidldap-bo
Reference:
URL:http://xforce.iss.net/static/5401.php
Reference: BUGTRAQ:20001018 vulnerability in
Oracle Internet Directory in Oracle 8.1.6
Reference:
URL:http://www.securityfocus.com/archive/1/140340
Reference: BUGTRAQ:20001020 In response to
posting 10/18/2000 vulnerability in Oracle Internet
Directory in Oracle 8.1.6
Reference:
URL:http://www.securityfocus.com/archive/1/140709
Votes:
ACCEPT(3) Mell, Cole, Frech
NOOP(2) Armstrong, Christey
Voter Comments:
Christey> http://archives.neohapsis.com/archives/bugtraq/2000-12/0400.html
appears to be a rediscovery of this problem.
Christey> It looks like Juan Manuel Pascual Escriba saw this issue
in a later version and re-posted, but that later post doesn't
mention the earlier one. The exploit is almost exactly the
same, but the affected version is 8.1.7.
ADDREF BUGTRAQ:20001221 vulnerability #1 in Oracle Internet Directory 2.1.1.1 in Oracle 8.1.7
http://archives.neohapsis.com/archives/bugtraq/2000-12/0400.html
ADDREF BUGTRAQ:20010118 Patch for Potential Buffer Overflow Vulnerabilities in Oracle Internet Directory
http://archives.neohapsis.com/archives/bugtraq/2001-01/0325.html
Name: CVE-2000-0988
Description:
WinU 1.0 through 5.1 has a backdoor password that allows
remote attackers to gain access to its administrative
interface and modify configuration.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001013 WinU Backdoor
passwords!!!!
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0238.html
Reference:
CONFIRM:http://www.bardon.com/pwdcrack.htm
Reference: BID:1801
Reference:
URL:http://www.securityfocus.com/bid/1801
Reference: XF:winu-backdoor
Reference:
URL:http://xforce.iss.net/static/5376.php
Votes:
ACCEPT(4) Mell, Cole, Armstrong, Frech
Name: CVE-2000-0997
Description:
Format string vulnerabilities in eeprom program in
OpenBSD, NetBSD, and possibly other operating systems
allow local attackers to gain root privileges.
Status: Candidate
Phase: Proposed (20001129)
Reference: OPENBSD:20001006 There are
printf-style format string bugs in several privileged
programs.
Reference:
MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch
Reference: BID:1752
Reference:
URL:http://www.securityfocus.com/bid/1752
Reference: XF:bsd-eeprom-format
Reference:
URL:http://xforce.iss.net/static/5337.php
Votes:
ACCEPT(3) Mell, Cole, Frech
NOOP(1) Wall
Name: CVE-2000-0998
Description:
Format string vulnerability in top program allows local
attackers to gain root privileges via the "kill" or
"renice" function.
Status: Candidate
Phase: Proposed (20001129)
Reference: OPENBSD:20001006 There are
printf-style format string bugs in several privileged
programs.
Reference:
MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch
Reference: FREEBSD:FreeBSD-SA-00:62
Reference:
URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:62.top.v1.1.asc
Reference: BID:1895
Reference:
URL:http://www.securityfocus.com/bid/1895
Votes:
ACCEPT(3) Mell, Cole, Collins
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:top-format-string(5486)
Christey> BUGTRAQ:20011114 SCO skunkware top format strings issue
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100576637928933&w=2
Name: CVE-2000-0999
Description:
Format string vulnerabilities in OpenBSD ssh program
(and possibly other BSD-based operating systems) allow
attackers to gain root privileges.
Status: Candidate
Phase: Proposed (20001129)
Reference: OPENBSD:20001006 There are
printf-style format string bugs in several privileged
programs.
Reference:
MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Mell, Wall
Voter Comments:
Frech> XF:bsd-ssh-format(5637)
Name: CVE-2000-1008
Description:
PalmOS 3.5.2 and earlier uses weak encryption to store
the user password, which allows attackers with physical
access to the Palm device to decrypt the password and
gain access to the device.
Status: Candidate
Phase: Modified (20010116-01)
Reference: ATSTAKE:A092600-1
Reference:
URL:http://www.atstake.com/research/advisories/2000/a092600-1.txt
Reference: BID:1715
Reference:
URL:http://www.securityfocus.com/bid/1715
Votes:
ACCEPT(2) Mell, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:palm-weak-encryption(5308)
Name: CVE-2000-1009
Description:
dump in Red Hat Linux 6.2 trusts the pathname specified
by the RSH environmental variable, which allows local
users to obtain root privileges by modifying the RSH
variable to point to a Trojan horse program.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001030 Redhat 6.2 dump
command executes external program with suid priviledge.
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0438.html
Reference: BID:1871
Reference:
URL:http://www.securityfocus.com/bid/1871
Reference: XF:linux-dump-execute-code
Reference:
URL:http://xforce.iss.net/static/5437.php
Votes:
ACCEPT(5) Renaud, Mell, Baker, Cole, Frech
NOOP(1) Christey
Voter Comments:
Christey> http://www.redhat.com/support/errata/RHSA-2000-100.html
ADDREF BUGTRAQ:20001103 Trustix Security Advisory - dump
http://archives.neohapsis.com/archives/bugtraq/2000-11/0026.html
Christey> CERT-VN:VU#153653
URL:http://www.kb.cert.org/vuls/id/153653
Name: CVE-2000-1012
Description:
The catopen function in FreeBSD 5.0 and earlier, and
possibly other OSes, allows local users to read
arbitrary files via the LANG environmental variable.
Status: Candidate
Phase: Proposed (20001129)
Reference: FREEBSD:FreeBSD-SA-00:53
Reference:
URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:53.catopen.asc
Votes:
ACCEPT(3) Mell, Cole, Collins
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:freebsd-display-read-files(5645)
Name: CVE-2000-1013
Description:
The setlocale function in FreeBSD 5.0 and earlier, and
possibly other OSes, allows local users to read
arbitrary files via the LANG environmental variable.
Status: Candidate
Phase: Proposed (20001129)
Reference: FREEBSD:FreeBSD-SA-00:53
Reference:
URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:53.catopen.asc
Votes:
ACCEPT(2) Mell, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:freebsd-display-read-files(5645)
Name: CVE-2000-1015
Description:
The default configuration of Slashcode before version
2.0 Alpha has a default administrative password, which
allows remote attackers to gain Slashcode privileges and
possibly execute arbitrary commands.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000929 Default admin
password with Slashcode.
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0366.html
Reference: BID:1731
Reference:
URL:http://www.securityfocus.com/bid/1731
Reference: XF:slashcode-default-admin-passwords
Reference:
URL:http://xforce.iss.net/static/5306.php
Votes:
ACCEPT(4) Mell, Cole, Frech, Collins
NOOP(1) Wall
Name: CVE-2000-1017
Description:
Webteachers Webdata allows remote attackers with valid
Webdata accounts to read arbitrary files by posting a
request to import the file into the WebData database.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001002 DST2K0039:
Webteachers Webdata: Importing files lower than web
root possible in to database
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0007.html
Reference: BUGTRAQ:20001003 Update to DST2K0039:
Webteachers Webdata: Importing files lower than web
root possible in to database
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0032.html
Reference: BID:1732
Reference:
URL:http://www.securityfocus.com/bid/1732
Votes:
ACCEPT(2) Mell, Frech
NOOP(2) Wall, Cole
Name: CVE-2000-1020
Description:
Heap overflow in Worldclient in Mdaemon 3.1.1 and
earlier allows remote attackers to cause a denial of
service and possibly execute arbitrary commands via a
long URL.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000917 VIGILANTE-2000012:
Mdaemon Web Services Heap Overflow DoS
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96925269716274&w=2
Reference: BID:1689
Reference:
URL:http://www.securityfocus.com/bid/1689
Reference: XF:mdaemon-url-dos
Reference:
URL:http://xforce.iss.net/static/5250.php
Votes:
ACCEPT(4) Mell, Baker, Cole, Collins
NOOP(1) Wall
Name: CVE-2000-1021
Description:
Heap overflow in WebConfig in Mdaemon 3.1.1 and earlier
allows remote attackers to cause a denial of service and
possibly execute arbitrary commands via a long URL.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000917 VIGILANTE-2000012:
Mdaemon Web Services Heap Overflow DoS
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96925269716274&w=2
Reference: BID:1689
Reference:
URL:http://www.securityfocus.com/bid/1689
Reference: XF:mdaemon-url-dos
Reference:
URL:http://xforce.iss.net/static/5250.php
Votes:
ACCEPT(4) Mell, Baker, Cole, Collins
NOOP(1) Wall
Name: CVE-2000-1023
Description:
The Alabanza Control Panel does not require passwords to
access administrative commands, which allows remote
attackers to modify domain name information via the
nsManager.cgi CGI program.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000924 Major Vulnerability
in Alabanza Control Panel
Reference:
URL:http://www.securityfocus.com/archive/1/84766
Reference: BID:1710
Reference:
URL:http://www.securityfocus.com/bid/1710
Reference: XF:alabanza-unauthorized-access
Reference:
URL:http://xforce.iss.net/static/5284.php
Votes:
ACCEPT(2) Mell, Collins
NOOP(2) Wall, Cole
REJECT(1) Baker
Voter Comments:
Baker> I agree with Steve that this appears to be an on-line applet, accessible from their server only.
CHANGE> [Baker changed vote from REVIEWING to REJECT]
Name: CVE-2000-1025
Description:
eWave ServletExec JSP/Java servlet engine, versions 3.0C
and earlier, allows remote attackers to cause a denial
of service via a URL that contains the "/servlet/"
string, which invokes the ServletExec servlet and causes
an exception if the servlet is already running.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001030 Unify eWave
ServletExec DoS
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97295224226042&w=2
Reference: BID:1868
Reference:
URL:http://www.securityfocus.com/bid/1868
Reference: XF:ewave-servletexec-dos
Reference:
URL:http://xforce.iss.net/static/5435.php
Votes:
ACCEPT(2) Mell, Frech
NOOP(1) Cole
Name: CVE-2000-1028
Description:
Buffer overflow in cu program in HP-UX 11.0 may allow
local users to gain privileges via a long -l command
line argument.
Status: Candidate
Phase: Modified (20010119-01)
Reference: BUGTRAQ:20001102 HPUX cu -l option
buffer overflow vulnerabilit
Reference:
URL:http://www.securityfocus.com/archive/1/142792
Reference: BID:1886
Reference:
URL:http://www.securityfocus.com/bid/1886
Reference: XF:hp-cu-bo(5460)
Votes:
ACCEPT(1) Mell
MODIFY(1) Frech
NOOP(2) Renaud, Cole
Voter Comments:
Frech> XF:hp-cu-bo(5460)
Name: CVE-2000-1029
Description:
Buffer overflow in host command allows a remote attacker
to execute arbitrary commands via a long response to an
AXFR query.
Status: Candidate
Phase: Modified (20010119-01)
Reference: BUGTRAQ:20001027 old version of host
command vulnearbility
Reference:
URL:http://www.securityfocus.com/archive/1/141660
Reference: BID:1887
Reference:
URL:http://www.securityfocus.com/bid/1887
Reference: XF:isc-bind-axfr-bo(5462)
Votes:
ACCEPT(1) Mell
MODIFY(1) Frech
NOOP(2) Renaud, Cole
Voter Comments:
Frech> XF:isc-bind-axfr-bo(5462)
Name: CVE-2000-1030
Description:
CS&T CorporateTime for the Web returns different error
messages for invalid usernames and invalid passwords,
which allows remote attackers to determine valid
usernames on the server.
Status: Candidate
Phase: Modified (20010119-01)
Reference: BUGTRAQ:20001031 Re: Samba 2.0.7 SWAT
vulnerabilities
Reference:
URL:http://www.securityfocus.com/archive/1/142672
Reference: BID:1888
Reference:
URL:http://www.securityfocus.com/bid/1888
Reference: XF:corporatetime-brute-force(5529)
Votes:
ACCEPT(1) Mell
MODIFY(1) Frech
NOOP(1) Cole
Voter Comments:
Frech> XF:corporatetime-brute-force(5529)
Name: CVE-2000-1033
Description:
Serv-U FTP Server allows remote attackers to bypass its
anti-hammering feature by first logging on as a valid
user (possibly anonymous) and then attempting to guess
the passwords of other users.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001029 Brute Forcing FTP
Servers with enabled anti-hammering (anti brute-force)
modus
Reference:
URL:http://www.securityfocus.com/archive/1/141905
Reference: BID:1860
Reference:
URL:http://www.securityfocus.com/bid/1860
Reference: XF:ftp-servu-brute-force
Reference:
URL:http://xforce.iss.net/static/5436.php
Votes:
ACCEPT(2) Mell, Frech
NOOP(1) Cole
Name: CVE-2000-1035
Description:
Buffer overflows in TYPSoft FTP Server 0.78 and earlier
allow remote attackers to cause a denial of service and
possibly execute arbitrary commands via a long USER,
PASS, or CWD command.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000912 TYPSoft FTP Server
remote DoS Problem
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96879389027478&w=2
Reference:
MISC:http://www.synnergy.net/Archives/Advisories/dethy/typsoft-ftpd.txt
Reference: BID:1690
Reference:
URL:http://www.securityfocus.com/bid/1690
Votes:
ACCEPT(1) Mell
MODIFY(1) Baker
NOOP(2) Wall, Cole
Voter Comments:
CHANGE> [Baker changed vote from NOOP to MODIFY]
Baker> http://www.synnergy.net/downloads/advisories/SLA-2000-07.typsoft-ftpd.txt
Name: CVE-2000-1037
Description:
Check Point Firewall-1 session agent 3.0 through 4.1
generates different error messages for invalid user
names versus invalid passwords, which allows remote
attackers to determine valid usernames and guess a
password via a brute force attack.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000815 Firewall-1 session
agent 3.0 -> 4.1, dictionnary and brute force attack
Reference:
URL:http://www.securityfocus.com/archive/1/76389
Reference: BID:1662
Reference:
URL:http://www.securityfocus.com/bid/1662
Votes:
ACCEPT(2) Mell, Baker
NOOP(2) Wall, Cole
Name: CVE-2000-1039
Description:
Various TCP/IP stacks and network applications allow
remote attackers to cause a denial of service by
flooding a target host with TCP connection attempts and
completing the TCP/IP handshake without maintaining the
connection state on the attacker host, aka the "NAPTHA"
class of vulnerabilities. NOTE: this candidate may
change significantly as the security community discusses
the technical nature of NAPTHA and learns more about the
affected applications. This candidate is at a higher
level of abstraction than is typical for CVE.
Status: Candidate
Phase: Proposed (20001219)
Reference: BINDVIEW:20001130 The NAPTHA DoS
vulnerabilities
Reference:
URL:http://razor.bindview.com/publish/advisories/adv_NAPTHA.html
Reference: WIN2KSEC:20001204 NAPTHA Advisory
Updated - BindView RAZOR
Reference:
URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0105.html
Reference: CERT:CA-2000-21
Reference:
URL:http://www.cert.org/advisories/CA-2000-21.html
Reference: MS:MS00-091
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/MS00-091.asp
Reference: BID:2022
Reference:
URL:http://www.securityfocus.com/bid/2022
Votes:
ACCEPT(3) Renaud, Baker, Cole
MODIFY(1) Frech
NOOP(2) Magdych, Wall
REVIEWING(1) Christey
Voter Comments:
Baker> Although this is at a high level, the fact is that it is a vulnerability, and as such we need to recognize this, even if we have to recast or modify the description at some later time.
Christey> This needs to be commented on and reviewed by many Board
members.
Frech> XF:naptha-resource-starvation(5810)
Christey> ADDREF SGI:20020304-01-A
Christey> SGI:20020304-01-A
Name: CVE-2000-1046
Description:
Multiple buffer overflows in the ESMTP service of Lotus
Domino 5.0.2c and earlier allow remote attackers to
cause a denial of service and possibly execute arbitrary
code via long (1) "RCPT TO," (2) "SAML FROM," or (3)
"SOML FROM" commands.
Status: Candidate
Phase: Modified (20040723)
Reference: BUGTRAQ:20000911 Advisory Code:
VIGILANTE-2000011 Lotus Domino ESMTP Service Buffer
overflow
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0093.html
Votes:
ACCEPT(2) Mell, Baker
MODIFY(1) Collins
NOOP(2) Wall, Cole
Voter Comments:
Collins> http://www.synnergy.net/downloads/advisories/SLA-2000-07.typsoft-ftpd.txt
Baker> Reference by Collins was entered into the wrong CAN Entry...
It should have been for 2000-1035, not this CAN
CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
Name: CVE-2000-1048
Description:
Directory traversal vulnerability in the logfile service
of Wingate 4.1 Beta A and earlier allows remote
attackers to read arbitrary files via a .. (dot dot)
attack via an HTTP GET request that uses encoded
characters in the URL.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001016 Wingate 4.1 Beta A
vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0245.html
Reference: XF:wingate-view-files
Reference:
URL:http://xforce.iss.net/static/5373.php
Votes:
ACCEPT(3) Mell, Baker, Frech
NOOP(2) Cole, Armstrong
Name: CVE-2000-1052
Description:
Allaire JRun 2.3 server allows remote attackers to
obtain source code for executable content by directly
calling the SSIFilter servlet.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001023 Allaire JRUN 2.3
Arbitrary File Retrieval
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97236692714978&w=2
Votes:
ACCEPT(3) Mell, Cole, Armstrong
MODIFY(1) Frech
Voter Comments:
Frech> XF:allaire-jrun-ssifilter-url(5405)
Name: CVE-2000-1053
Description:
Allaire JRun 2.3.3 server allows remote attackers to
compile and execute JSP code by inserting it via a
cross-site scripting (CSS) attack and directly calling
the com.livesoftware.jrun.plugins.JSP JSP servlet.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001023 Allaire JRUN 2.3
Remote command execution
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97236125107957&w=2
Reference: ALLAIRE:ASB00-029
Reference:
URL:http://www.allaire.com/handlers/index.cfm?ID=17969&Method=Full
Reference: XF:allaire-jrun-jsp-execute
Reference:
URL:http://xforce.iss.net/static/5406.php
Votes:
ACCEPT(4) Mell, Cole, Armstrong, Frech
Name: CVE-2000-1062
Description:
Buffer overflow in the FTP service in HP JetDirect
printer card Firmware x.08.20 and earlier allows remote
attackers to cause a denial of service.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001010 VIGILANTE-2000014: HP
Jetdirect multiple DoS
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97119729613778&w=2
Reference: BID:1775
Reference:
URL:http://www.securityfocus.com/bid/1775
Reference: XF:hp-jetdirect-firmware-dos
Reference:
URL:http://xforce.iss.net/static/5353.php
Votes:
ACCEPT(3) Mell, Baker, Frech
NOOP(1) Cole
Name: CVE-2000-1063
Description:
Buffer overflow in the Telnet service in HP JetDirect
printer card Firmware x.08.20 and earlier allows remote
attackers to cause a denial of service.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001010 VIGILANTE-2000014: HP
Jetdirect multiple DoS
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97119729613778&w=2
Reference: BID:1775
Reference:
URL:http://www.securityfocus.com/bid/1775
Reference: XF:hp-jetdirect-firmware-dos
Reference:
URL:http://xforce.iss.net/static/5353.php
Votes:
ACCEPT(3) Mell, Cole, Frech
Name: CVE-2000-1064
Description:
Buffer overflow in the LPD service in HP JetDirect
printer card Firmware x.08.20 and earlier allows remote
attackers to cause a denial of service.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001010 VIGILANTE-2000014: HP
Jetdirect multiple DoS
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97119729613778&w=2
Reference: BID:1775
Reference:
URL:http://www.securityfocus.com/bid/1775
Reference: XF:hp-jetdirect-firmware-dos
Reference:
URL:http://xforce.iss.net/static/5353.php
Votes:
ACCEPT(3) Mell, Cole, Frech
Name: CVE-2000-1065
Description:
Vulnerability in IP implementation of HP JetDirect
printer card Firmware x.08.20 and earlier allows remote
attackers to cause a denial of service (printer crash)
via a malformed packet.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001010 VIGILANTE-2000014: HP
Jetdirect multiple DoS
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97119729613778&w=2
Reference: BID:1775
Reference:
URL:http://www.securityfocus.com/bid/1775
Reference: XF:hp-jetdirect-ip-implementation
Reference:
URL:http://xforce.iss.net/static/5354.php
Votes:
ACCEPT(3) Mell, Baker, Frech
NOOP(1) Cole
Name: CVE-2000-1066
Description:
The getnameinfo function in FreeBSD 4.1.1 and earlier,
and possibly other operating systems, allows a remote
attacker to cause a denial of service via a long DNS
hostname.
Status: Candidate
Phase: Modified (20010119-01)
Reference: FREEBSD:FreeBSD-SA-00:63
Reference:
URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:63.getnameinfo.asc
Reference: BID:1894
Reference:
URL:http://www.securityfocus.com/bid/1894
Reference: XF:getnameinfo-dos(5454)
Votes:
ACCEPT(2) Mell, Cole
MODIFY(1) Frech
NOOP(1) Renaud
Voter Comments:
Frech> XF:getnameinfo-dos(5454)
Name: CVE-2000-1076
Description:
Netscape (iPlanet) Certificate Management System 4.2 and
Directory Server 4.12 store the administrative password
in plaintext, which could allow local and possibly
remote attackers to gain administrative privileges on
the server.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001026 [CORE SDI ADVISORY]
iPlanet Certificate Management System 4.2 path traversal
bug
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0383.html
Reference: XF:iplanet-netscape-plaintext-password
Reference:
URL:http://xforce.iss.net/static/5422.php
Votes:
ACCEPT(3) Mell, Baker, Frech
NOOP(2) Christey, Cole
Voter Comments:
Christey> Partial vendor acknowledgement at:
http://docs.iplanet.com/docs/manuals/cms/42/relnotes/release_notes.html
"By default, Administration Server administrator's password
(also known as the SIE password) is stored in clear text in the
adm.conf file.
This does not usually pose a security threat because most
administrators use their Operating System's security features to
ensure that the file is protected from other users."
Name: CVE-2000-1078
Description:
ICQ Web Front HTTPd allows remote attackers to cause a
denial of service by requesting a URL that contains a
"?" character.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001007 ICQ WebFront HTTPd
DoS
Reference:
URL:http://www.securityfocus.com/archive/1/138332
Reference: XF:icq-webfront-url-dos
Reference:
URL:http://xforce.iss.net/static/5332.php
Votes:
ACCEPT(3) Mell, Baker, Frech
NOOP(2) Christey, Cole
Voter Comments:
Christey> The following post appears to describe the same problem, 7
months earlier:
BUGTRAQ:20000310 ICQ remote DoS
Name: CVE-2000-1079
Description:
Interactions between the CIFS Browser Protocol and
NetBIOS as implemented in Microsoft Windows 95, 98, NT,
and 2000 allow remote attackers to modify dynamic
NetBIOS name cache entries via a spoofed Browse Frame
Request in a unicast or UDP broadcast datagram.
Status: Candidate
Phase: Modified (20061101)
Reference: NAI:20000829 Windows NetBIOS
Unsolicited Cache Corruption
Reference:
URL:http://www.nai.com/research/covert/advisories/045.asp
Reference: NTBUGTRAQ:20000829 Re:
[COVERT-2000-10] Windows NetBIOS Unsolicited Cache
Corruption
Reference:
URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0116.html
Reference: BID:1620
Reference:
URL:http://www.securityfocus.com/bid/1620
Reference: XF:win-netbios-corrupt-cache
Reference:
URL:http://xforce.iss.net/static/5168.php
Reference: OVAL:oval:org.mitre.oval:def:1079
Reference:
URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1079
Votes:
ACCEPT(3) Wall, Mell, Baker
NOOP(1) Cole
REVIEWING(1) Christey
Voter Comments:
Wall> No known exploit or patch yet.
Christey> This was a little controversial, if I recall correctly.
Name: CVE-2000-1081
Description:
The xp_displayparamstmt function in SQL Server and
Microsoft SQL Server Desktop Engine (MSDE) does not
properly restrict the length of a buffer before calling
the srv_paraminfo function in the SQL Server API for
Extended Stored Procedures (XP), which allows an
attacker to cause a denial of service or execute
arbitrary commands, aka the "Extended Stored Procedure
Parameter Parsing" vulnerability.
Status: Candidate
Phase: Modified (20061101)
Reference: ATSTAKE:20001201 Microsoft SQL Server
extended stored procedure vulnerability
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2030
Reference:
URL:http://www.securityfocus.com/bid/2030
Reference: OVAL:oval:org.mitre.oval:def:231
Reference:
URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:231
Votes:
ACCEPT(3) Magdych, Baker, Cole
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Wall
Voter Comments:
Baker> Already posted in refs
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)
Name: CVE-2000-1082
Description:
The xp_enumresultset function in SQL Server and
Microsoft SQL Server Desktop Engine (MSDE) does not
properly restrict the length of a buffer before calling
the srv_paraminfo function in the SQL Server API for
Extended Stored Procedures (XP), which allows an
attacker to cause a denial of service or execute
arbitrary commands, aka the "Extended Stored Procedure
Parameter Parsing" vulnerability.
Status: Candidate
Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 Microsoft SQL Server
extended stored procedure vulnerability
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2031
Reference:
URL:http://www.securityfocus.com/bid/2031
Votes:
ACCEPT(3) Magdych, Baker, Cole
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Wall
Voter Comments:
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)
Name: CVE-2000-1083
Description:
The xp_showcolv function in SQL Server and Microsoft SQL
Server Desktop Engine (MSDE) does not properly restrict
the length of a buffer before calling the srv_paraminfo
function in the SQL Server API for Extended Stored
Procedures (XP), which allows an attacker to cause a
denial of service or execute arbitrary commands, aka the
"Extended Stored Procedure Parameter Parsing"
vulnerability.
Status: Candidate
Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 Microsoft SQL Server
extended stored procedure vulnerability
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2038
Reference:
URL:http://www.securityfocus.com/bid/2038
Votes:
ACCEPT(3) Magdych, Baker, Cole
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Wall
Voter Comments:
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)
Name: CVE-2000-1084
Description:
The xp_updatecolvbm function in SQL Server and Microsoft
SQL Server Desktop Engine (MSDE) does not properly
restrict the length of a buffer before calling the
srv_paraminfo function in the SQL Server API for
Extended Stored Procedures (XP), which allows an
attacker to cause a denial of service or execute
arbitrary commands, aka the "Extended Stored Procedure
Parameter Parsing" vulnerability.
Status: Candidate
Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 Microsoft SQL Server
extended stored procedure vulnerability
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2039
Reference:
URL:http://www.securityfocus.com/bid/2039
Votes:
ACCEPT(3) Magdych, Baker, Cole
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Wall
Voter Comments:
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)
Name: CVE-2000-1085
Description:
The xp_peekqueue function in Microsoft SQL Server 2000
and SQL Server Desktop Engine (MSDE) does not properly
restrict the length of a buffer before calling the
srv_paraminfo function in the SQL Server API for
Extended Stored Procedures (XP), which allows an
attacker to cause a denial of service or execute
arbitrary commands, aka the "Extended Stored Procedure
Parameter Parsing" vulnerability.
Status: Candidate
Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 SQL Server 2000
Extended Stored Procedure Vulnerability
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2040
Reference:
URL:http://www.securityfocus.com/bid/2040
Votes:
ACCEPT(4) Magdych, Wall, Baker, Cole
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> CVE-2000-1085, CVE-2000-1086, CVE-2000-1087, and CVE-2000-1088
all have abstraction issues; perhaps they should be RECAST
into a single candidate.
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)
Name: CVE-2000-1086
Description:
The xp_printstatements function in Microsoft SQL Server
2000 and SQL Server Desktop Engine (MSDE) does not
properly restrict the length of a buffer before calling
the srv_paraminfo function in the SQL Server API for
Extended Stored Procedures (XP), which allows an
attacker to cause a denial of service or execute
arbitrary commands, aka the "Extended Stored Procedure
Parameter Parsing" vulnerability.
Status: Candidate
Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 SQL Server 2000
Extended Stored Procedure Vulnerability
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2041
Reference:
URL:http://www.securityfocus.com/bid/2041
Votes:
ACCEPT(4) Magdych, Wall, Baker, Cole
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> CVE-2000-1085, CVE-2000-1086, CVE-2000-1087, and CVE-2000-1088
all have abstraction issues; perhaps they should be RECAST
into a single candidate.
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)
Name: CVE-2000-1087
Description:
The xp_proxiedmetadata function in Microsoft SQL Server
2000 and SQL Server Desktop Engine (MSDE) does not
properly restrict the length of a buffer before calling
the srv_paraminfo function in the SQL Server API for
Extended Stored Procedures (XP), which allows an
attacker to cause a denial of service or execute
arbitrary commands, aka the "Extended Stored Procedure
Parameter Parsing" vulnerability.
Status: Candidate
Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 SQL Server 2000
Extended Stored Procedure Vulnerability
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2042
Reference:
URL:http://www.securityfocus.com/bid/2042
Votes:
ACCEPT(4) Magdych, Wall, Baker, Cole
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> CVE-2000-1085, CVE-2000-1086, CVE-2000-1087, and CVE-2000-1088
all have abstraction issues; perhaps they should be RECAST
into a single candidate.
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)
Name: CVE-2000-1088
Description:
The xp_SetSQLSecurity function in Microsoft SQL Server
2000 and SQL Server Desktop Engine (MSDE) does not
properly restrict the length of a buffer before calling
the srv_paraminfo function in the SQL Server API for
Extended Stored Procedures (XP), which allows an
attacker to cause a denial of service or execute
arbitrary commands, aka the "Extended Stored Procedure
Parameter Parsing" vulnerability.
Status: Candidate
Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 SQL Server 2000
Extended Stored Procedure Vulnerability
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2043
Reference:
URL:http://www.securityfocus.com/bid/2043
Votes:
ACCEPT(4) Magdych, Wall, Baker, Cole
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> CVE-2000-1085, CVE-2000-1086, CVE-2000-1087, and CVE-2000-1088
all have abstraction issues; perhaps they should be RECAST
into a single candidate.
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)
Name: CVE-2000-1090
Description:
Microsoft IIS for Far East editions 4.0 and 5.0 allows
remote attackers to read source code for parsed pages
via a malformed URL that uses the lead-byte of a
double-byte character.
Status: Candidate
Phase: Proposed (20010202)
Reference:
MISC:http://www.nsfocus.com/english/homepage/sa_08.htm
Reference: BID:2100
Reference:
URL:http://www.securityfocus.com/bid/2100
Reference: XF:microsoft-iis-file-disclosure
Reference:
URL:http://xforce.iss.net/static/5729.php
Votes:
ACCEPT(3) LeBlanc, Baker, Frech
NOOP(1) Cole
REVIEWING(3) Ziese, Christey, Wall
Voter Comments:
LeBlanc> Fixed in SP2 for Win2K. NT 4.0 is not affected. bulletin
MS99-022
Christey> Need to add the Bugtraq references for this.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Is this really the same problem addressed by MS99-022,
which is covered by CVE-1999-0725 ?
Name: CVE-2000-1092
Description:
loadpage.cgi CGI program in EZshopper 3.0 and 2.0 allows
remote attackers to list and read files in the EZshopper
data directory by inserting a "/" in front of the target
filename in the "file" parameter.
Status: Candidate
Phase: Modified (20020327-01)
Reference: BUGTRAQ:20001213 NSFOCUS SA2000-09 :
AHG EZshopper Loadpage.cgi File List
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97676270729984&w=2
Reference: BID:2109
Reference:
URL:http://www.securityfocus.com/bid/2109
Reference: XF:ezshopper-cgi-file-disclosure(5740)
Reference:
URL:http://xforce.iss.net/static/5740.php
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(4) Magdych, Christey, Wall, Cole
Voter Comments:
Christey> This is documented in an NSFOCUS security advisory released
sometime around December 11. Also, it's BID:2109.
Christey> BUGTRAQ:20001213 NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi File List
http://marc.theaimsgroup.com/?l=bugtraq&m=97676270729984&w=2
XF:ezshopper-cgi-file-disclosure
URL:http://xforce.iss.net/static/5740.php
Frech> XF:ezshopper-cgi-file-disclosure(5740)
Christey> Followup posts indicate that this problem may have been
discovered earlier than 20001213.
Name: CVE-2000-1093
Description:
Buffer overflow in AOL Instant Messenger before 4.3.2229
allows remote attackers to execute arbitrary commands
via a long "goim" command.
Status: Candidate
Phase: Modified (20010417-01)
Reference: ATSTAKE:A121200-1
Reference:
URL:http://www.atstake.com/research/advisories/2000/a121200-1.txt
Reference: XF:aim-remote-bo(5732)
Votes:
ACCEPT(2) Wall, Baker
MODIFY(1) Frech
NOOP(1) Cole
REVIEWING(1) Christey
Voter Comments:
Frech> XF:aim-remote-bo(5732)
Christey> CD:SF-LOC as currently written suggests merging this with
CVE-2000-1094, since both describe buffer overflows in the
same software version.
Christey> Consider adding BID:2118
Name: CVE-2000-1098
Description:
The web server for the SonicWALL SOHO firewall allows
remote attackers to cause a denial of service via an
empty GET or POST request.
Status: Candidate
Phase: Interim (20010117)
Reference: BUGTRAQ:20001201 Re: DoS in Sonicwall
SOHO firewall
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0439.html
Reference: BUGTRAQ:20001201 FW: SonicWALL SOHO
Vulnerability (fwd)
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0435.html
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> The company's name is SonicWALL.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:sonicwall-empty-request-dos(6042)
The company's name is SonicWALL.
Name: CVE-2000-1100
Description:
The default configuration for PostACI webmail system
installs the /includes/global.inc configuration file
within the web root, which allows remote attackers to
read sensitive information such as database usernames
and passwords via a direct HTTP GET request.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001130 PostACI Webmail
Vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0433.html
Reference: BID:2029
Reference:
URL:http://www.securityfocus.com/bid/2029
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:postaci-webmail-reveal-passwords(5612)
Name: CVE-2000-1102
Description:
PTlink IRCD 3.5.3 and PTlink Services 1.8.1 allow remote
attackers to cause a denial of service (server crash)
via "mode +owgscfxeb" and "oper" commands.
Status: Candidate
Phase: Proposed (20001219)
Reference: BID:2008
Reference:
URL:http://www.securityfocus.com/bid/2008
Reference: BUGTRAQ:20001126 Vulnerablity in
PTlink3.5.3ircd + PTlink.Services.1.8.1...
Reference:
URL:http://www.securityfocus.com/archive/1/147115
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:ptlink-ircd-mode-dos(5589)
Name: CVE-2000-1103
Description:
rcvtty in BSD 3.0 and 4.0 does not properly drop
privileges before executing a script, which allows local
attackers to gain privileges by specifying an alternate
Trojan horse script on the command line.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001127 BSDi 3.0/4.0 rcvtty
gid=tty exploit... (mh package)
Reference:
URL:http://www.securityfocus.com/archive/1/147120
Reference: BID:2009
Reference:
URL:http://www.securityfocus.com/bid/2009
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:rcvtty-elevate-privileges(5587)
Name: CVE-2000-1104
Description:
Variant of the "IIS Cross-Site Scripting" vulnerability
as originally discussed in MS:MS00-060 (CVE-2000-0746)
allows a malicious web site operator to embed scripts in
a link to a trusted site, which are returned without
quoting in an error message back to the client. The
client then executes those scripts in the same context
as the trusted site.
Status: Candidate
Phase: Proposed (20001219)
Reference: MS:MS00-060
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms00-060.asp
Votes:
ACCEPT(3) Wall, Baker, Cole
MODIFY(1) Frech
Voter Comments:
Frech> XF:iis-cross-site-scripting(5156)
Name: CVE-2000-1105
Description:
The ixsso.query ActiveX Object is marked as safe for
scripting, which allows malicious web site operators to
embed a script that remotely determines the existence of
files on visiting Windows 2000 systems that have
Indexing Services enabled.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001110 IE 5.x Win2000
Indexing service vulnerability
Reference:
URL:http://www.securityfocus.com/archive/1/144270
Reference: WIN2KSEC:20001110 IE 5.x Win2000
Indexing service vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0074.html
Reference: BID:1933
Reference:
URL:http://www.securityfocus.com/bid/1933
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
REVIEWING(2) Christey, Wall
Voter Comments:
Frech> XF:win2k-index-service-ixsso(5502)
Christey> ADDREF MS:MS00-098
ADDREF XF:win2k-index-service-activex
URL:http://xforce.iss.net/static/5800.php
Add 'aka the "Indexing Service File Enumeration" vulnerability'
to the description.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> DUPE CVE-2001-0245? Need to check w/Microsoft.
Name: CVE-2000-1110
Description:
document.d2w CGI program in the IBM Net.Data db2www
package allows remote attackers to determine the
physical path of the web server by sending a nonexistent
command to the program.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001128 IBM Net.Data Local
Path Disclosure Vulnerability?
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0384.html
Reference: BID:2017
Reference:
URL:http://www.securityfocus.com/bid/2017
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:ibm-netdata-reveal-path(5599)
Name: CVE-2000-1114
Description:
Unify ServletExec AS v3.0C allows remote attackers to
read source code for JSP pages via an HTTP request that
ends with characters such as ".", "+", or "%20".
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001121 Disclosure of JSP
source code with ServletExec AS v3.0c + web ins tance
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0285.html
Reference: BID:1970
Reference:
URL:http://www.securityfocus.com/bid/1970
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:ewave-jsp-source-read(5562)
Name: CVE-2000-1116
Description:
Buffer overflow in TransSoft Broker FTP Server before
4.3.0.1 allows remote attackers to cause a denial of
service and possibly execute arbitrary commands via a
long command.
Status: Candidate
Phase: Proposed (20001219)
Reference: WIN2KSEC:20001018 TransSoft's Broker
FTP Server 3.x & 4.x Remote DoS attack Vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0041.html
Reference: XF:broker-ftp-username-dos
Reference:
URL:http://xforce.iss.net/static/5388.php
Votes:
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:broker-user-dos(3482)
Name: CVE-2000-1117
Description:
The Extended Control List (ECL) feature of the Java
Virtual Machine (JVM) in Lotus Notes Client R5 allows
malicious web site operators to determine the existence
of files on the client by measuring delays in the
execution of the getSystemResource method.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001124 Security Hole in ECL
Feature of Java VM Embedded in Lotus Notes Client R5
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0341.html
Reference: BID:1994
Reference:
URL:http://www.securityfocus.com/bid/1994
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:lotus-notes-verify-files(5565)
Name: CVE-2000-1118
Description:
24Link 1.06 web server allows remote attackers to bypass
access restrictions by prepending strings such as "/+/"
or "/." to the HTTP GET request.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001127 24Link Webserver
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0369.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:24link-bypass-authentication(5930)
Name: CVE-2000-1125
Description:
restore 0.4b15 and earlier in Red Hat Linux 6.2 trusts
the pathname specified by the RSH environment
variable, which allows local users to obtain root
privileges by modifying the RSH variable to point to a
Trojan horse program.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001104 Redhat 6.2 restore
exploit
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97336034309944&w=2
Reference: BID:1914
Reference:
URL:http://www.securityfocus.com/bid/1914
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:restore-rsh-executable(5483)
Christey> CERT-VN:VU#960877
URL:http://www.kb.cert.org/vuls/id/960877
Name: CVE-2000-1126
Description:
Vulnerability in auto_parms and set_parms in HP-UX 11.00
and earlier allows remote attackers to execute arbitrary
commands or cause a denial of service.
Status: Candidate
Phase: Proposed (20001219)
Reference: HP:HPSBUX0011-130
Reference:
URL:http://www.securityfocus.com/advisories/2850
Reference: BID:1954
Reference:
URL:http://www.securityfocus.com/bid/1954
Votes:
ACCEPT(3) Baker, Cole, Armstrong
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:hpux-autoparms-execute-commands(5961)
Name: CVE-2000-1127
Description:
registrar in the HP resource monitor service allows
local users to read and modify arbitrary files by
renaming the original registrar.log log file and
creating a symbolic link to the target file, to which
registrar appends log information and sets the
permissions to be world readable.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001108 HP-UX 10.20 resource
monitor service
Reference:
URL:http://www.securityfocus.com/archive/1/143845
Reference: BID:1919
Reference:
URL:http://www.securityfocus.com/bid/1919
Votes:
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:hp-registrar-file-read(5485)
Name: CVE-2000-1128
Description:
The default configuration of McAfee VirusScan 4.5 does
not quote the ImagePath variable, which improperly sets
the search path and allows local users to place a Trojan
horse "common.exe" program in the C:\Program Files
directory.
Status: Candidate
Phase: Proposed (20001219)
Reference: NTBUGTRAQ:20001103 Elevation of
Privileges Exploit with McAfee VirusScan 4.5
Reference:
URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q4/0073.html
Reference: BID:1920
Reference:
URL:http://www.securityfocus.com/bid/1920
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
REVIEWING(1) Wall
Voter Comments:
Frech> XF:nai-virusscan-unquoted-imagepath(5484)
Name: CVE-2000-1129
Description:
McAfee WebShield SMTP 4.5 allows remote attackers to
cause a denial of service via a malformed recipient
field.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001123 McAfee WebShield SMTP
vulnerabilities
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0324.html
Reference: BID:1999
Reference:
URL:http://www.securityfocus.com/bid/1999
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Cole
REVIEWING(1) Wall
Voter Comments:
Frech> XF:webshield-smtp-recpt-dos(5572)
Name: CVE-2000-1130
Description:
McAfee WebShield SMTP 4.5 allows remote attackers to
bypass email content filtering rules by including
Extended ASCII characters in the name of the attachment.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001123 McAfee WebShield SMTP
vulnerabilities
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0324.html
Reference: BID:1993
Reference:
URL:http://www.securityfocus.com/bid/1993
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Christey, Cole
REVIEWING(1) Wall
Voter Comments:
Frech> XF:webshield-smtp-filter-bypass(5571)
Christey> Fix typo: "in name"
Name: CVE-2000-1133
Description:
Authentix Authentix100 allows remote attackers to bypass
authentication by inserting a . (dot) into the URL for a
protected directory.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001106 Authentix Security
Advisory
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97353881829760&w=2
Reference: BUGTRAQ:20001107 Explanation Authentix
Input Validation Error
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97362374200478&w=2
Reference: BID:1907
Reference:
URL:http://www.securityfocus.com/bid/1907
Votes:
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:flicks-authentix-url-info(5477)
Name: CVE-2000-1134
Description:
Multiple shell programs on various Unix systems,
including (1) tcsh, (2) csh, (3) sh, and (4) bash,
follow symlinks when processing << redirects (aka
here-documents or in-here documents), which allows local
users to overwrite files of other users via a symlink
attack.
Status: Candidate
Phase: Modified (20061101)
Reference: BUGTRAQ:20001028 tcsh: unsafe tempfile
in << redirects
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0418.html
Reference: BUGTRAQ:20001130 [ADV/EXP]: RH6.x root
from bash /tmp vuln + MORE
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97561816504170&w=2
Reference: BUGTRAQ:20001128 /bin/sh creates
insecure tmp files
Reference:
URL:http://www.securityfocus.com/archive/1/146657
Reference: CALDERA:CSSA-2000-043.0
Reference:
URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-043.0.txt
Reference: CALDERA:CSSA-2000-042.0
Reference:
URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-042.0.txt
Reference: COMPAQ:SSRT1-41U
Reference:
URL:http://archives.neohapsis.com/archives/tru64/2002-q1/0009.html
Reference: CONECTIVA:CLSA-2000:354
Reference:
URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000354
Reference: DEBIAN:20001111a
Reference:
URL:http://www.debian.org/security/2000/20001111a
Reference: FREEBSD:FreeBSD-SA-00:76
Reference:
URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:76.tcsh-csh.asc
Reference: MANDRAKE:MDKSA-2000-069
Reference:
URL:http://www.linux-mandrake.com/en/security/MDKSA-2000-069.php3
Reference: MANDRAKE:MDKSA-2000:075
Reference:
URL:http://www.linux-mandrake.com/en/security/MDKSA-2000-075.php3
Reference: REDHAT:RHSA-2000:117
Reference:
URL:http://www.redhat.com/support/errata/RHSA-2000-117.html
Reference: REDHAT:RHSA-2000:121
Reference:
URL:http://www.redhat.com/support/errata/RHSA-2000-121.html
Reference: SGI:20011103-02-P
Reference:
URL:ftp://patches.sgi.com/support/free/security/advisories/20011103-02-P
Reference: CERT-VN:VU#10277
Reference:
URL:http://www.kb.cert.org/vuls/id/10277
Reference: BID:1926
Reference:
URL:http://www.securityfocus.com/bid/1926
Reference: BID:2006
Reference:
URL:http://www.securityfocus.com/bid/2006
Reference: CONECTIVA:CLA-2000:350
Reference:
URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000350
Reference: OVAL:oval:org.mitre.oval:def:4047
Reference:
URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:4047
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:linux-bash-tmp-symlink(5593)
Christey> Don't all these shell programs originate from the same
codebase, including ksh? If so, we should have a single CAN
for all of these, and add:
XF:ksh-redirection-symlink
URL:http://xforce.iss.net/static/5811.php
CONECTIVA:CLA-2000:354
BUGTRAQ:20001208 Immunix OS Security update for tcsh
http://archives.neohapsis.com/archives/linux/immunix/2000-q4/0041.html
BUGTRAQ:20001220 /bin/ksh creates insecure tmp files
http://archives.neohapsis.com/archives/bugtraq/2000-12/0368.html
BUGTRAQ:20001227 IBM Findings: Korn Shell Redirection Race Condition Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2000-12/0473.html
Also see: http://archives.neohapsis.com/archives/bugtraq/2000-12/0420.html
which gives some shell history which may be of use.
Christey> ADDREF FREEBSD:FreeBSD-SA-01:03 for the bash problem.
Christey> Consider adding BID:2148 if this CAN should include ksh
Christey> SGI:20011103-01-I
URL:ftp://patches.sgi.com/support/free/security/advisories/20011103-01-I
Also, DELREF BID:2148 and BID:1926. Keep BID:2006
Christey> COMPAQ:SSRT1-41U
URL:http://ftp.support.compaq.com/patches/.new/html/SSRT0742U-59U.shtml
CERT-VN:VU#10277
URL:http://www.kb.cert.org/vuls/id/10277
Christey> SGI:20011103-02-P
URL:ftp://patches.sgi.com/support/free/security/advisories/20011103-02-P
Note that this is an update of the other SGI reference.
Christey> CALDERA:CSSA-2001-SCO.24
URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.24.1/CSSA-2001-SCO.24.1.txt
CERT-VN:VU#10277
URL:http://www.kb.cert.org/vuls/id/10277
Christey> Missing BID - BID:1926
Christey> HP:SSRT3618
URL:http://archives.neohapsis.com/archives/hp/2003-q3/0042.html
Name: CVE-2000-1138
Description:
Lotus Notes R5 client R5.0.5 and earlier does not
properly warn users when an S/MIME email message has
been modified, which could allow an attacker to modify
the email in transit without being detected.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001108 Lotus Notes R5
clients - no warning for broken signature or encryption
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97370725220953&w=2
Reference: BID:1925
Reference:
URL:http://www.securityfocus.com/bid/1925
Votes:
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:lotus-notes-r5-mime(5492)
Name: CVE-2000-1147
Description:
Buffer overflow in IIS ISAPI .ASP parsing mechanism
allows attackers to execute arbitrary commands via a
long string to the "LANGUAGE" argument in a script tag.
Status: Candidate
Phase: Modified (20010116-01)
Reference: BUGTRAQ:20001103 IIS ASP $19.95 hack -
IISHack 1.5
Reference:
URL:http://www.securityfocus.com/archive/1/143070
Reference: BID:1911
Reference:
URL:http://www.securityfocus.com/bid/1911
Reference: XF:iis-isapi-asp-bo
Reference:
URL:http://xforce.iss.net/static/5510.php
Votes:
ACCEPT(2) Wall, Baker
MODIFY(1) Frech
NOOP(1) Cole
RECAST(1) LeBlanc
REVIEWING(1) Christey
Voter Comments:
Frech> XF:iis-isapi-asp-bo(5510)
Christey> Consult Microsoft on this one.
LeBlanc> This one was already fixed in several hotfixes when it was
found. I'm not sure what the content decision is on this. It is a valid
problem, but it was already fixed when announced. I will go along with
an accept vote once it is modified to show fixes.
Name: CVE-2000-1150
Description:
Felix IRC client in BeOS r5 pro and earlier allows
remote attackers to conduct a denial of service via a
message that contains a long URL.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Wall, Cole, Armstrong
Voter Comments:
Frech> XF:felix-irc-long-url(5520)
Name: CVE-2000-1151
Description:
Baxter IRC client in BeOS r5 pro and earlier allows
remote attackers to conduct a denial of service via a
message that contains a long URL.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Wall, Cole, Armstrong
Voter Comments:
Frech> XF:baxter-irc-bo(5518)
Name: CVE-2000-1152
Description:
Browser IRC client in BeOS r5 pro and earlier allows
remote attackers to conduct a denial of service via a
message that contains a long URL.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Wall, Cole, Armstrong
Voter Comments:
Frech> XF:bowser-irc-dos(5964)
Name: CVE-2000-1153
Description:
PostMaster 1.0 in BeOS r5 pro and earlier allows remote
attackers to conduct a denial of service via a message
that contains a long URL.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Wall, Cole, Armstrong
Voter Comments:
Frech> XF:postmaster-long-url-bo(5522)
Name: CVE-2000-1154
Description:
RHConsole in RobinHood 1.1 web server in BeOS r5 pro and
earlier allows remote attackers to cause a denial of
service via a long HTTP request.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Wall, Cole, Armstrong
Voter Comments:
Frech> XF:robinhood-cpp-request-bo(5521)
Name: CVE-2000-1155
Description:
RHDaemon in RobinHood 1.1 web server in BeOS r5 pro and
earlier allows remote attackers to cause a denial of
service via a long HTTP request.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Wall, Cole, Armstrong
Voter Comments:
Frech> XF:robinhood-cpp-request-bo(5521)
Name: CVE-2000-1156
Description:
StarOffice 5.2 follows symlinks and sets world-readable
permissions for the /tmp/soffice.tmp directory, which
allows a local user to read files of the user who is
using StarOffice.
Status: Candidate
Phase: Modified (20010116-01)
Reference: BUGTRAQ:20001108 StarOffice 5.2
Temporary Dir Vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0115.html
Reference: BID:1922
Reference:
URL:http://www.securityfocus.com/bid/1922
Reference: XF:staroffice-tmp-sym-link
Reference:
URL:http://xforce.iss.net/static/5487.php
Votes:
ACCEPT(3) Dik, Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:staroffice-tmp-sym-link(5487)
Christey> Consult Sun on this one.
Dik> Supposedly fixed in Soffice 5.1 Service pack 1
Name: CVE-2000-1157
Description:
Buffer overflow in NAI Sniffer Agent allows remote
attackers to execute arbitrary commands via a long SNMP
community name.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001102 Remotely exploitable
buffer overflow in NAI's Distributed Sniffer Agent
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0038.html
Reference: BID:1901
Reference:
URL:http://www.securityfocus.com/bid/1901
Votes:
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:sniffer-agent-snmp-bo(5455)
Name: CVE-2000-1158
Description:
NAI Sniffer Agent uses base64 encoding for
authentication, which allows attackers to sniff the
network and easily decode usernames and passwords.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001102 Remotely exploitable
buffer overflow in NAI's Distributed Sniffer Agent
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0038.html
Votes:
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:sniffer-agent-weak-authentication(5951)
Name: CVE-2000-1159
Description:
NAI Sniffer Agent allows remote attackers to gain
privileges on the agent by sniffing the initial UDP
authentication packets and spoofing commands.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001102 Remotely exploitable
buffer overflow in NAI's Distributed Sniffer Agent
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0038.html
Reference: BID:1902
Reference:
URL:http://www.securityfocus.com/bid/1902
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:sniffer-agent-snmp-bo(5455)
Christey> Consult NAI on this one.
Name: CVE-2000-1160
Description:
NAI Sniffer Agent allows remote attackers to cause a
denial of service (crash) by sending a large number of
login requests.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001102 Remotely exploitable
buffer overflow in NAI's Distributed Sniffer Agent
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0038.html
Reference: BID:1903
Reference:
URL:http://www.securityfocus.com/bid/1903
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:sniffer-agent-login-dos(5456)
Christey> Consult NAI on this one.
Name: CVE-2000-1161
Description:
The installation of AdCycle banner management system
leaves the build.cgi program in a web-accessible
directory, which allows remote attackers to execute the
program and view passwords or delete databases.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001120 security problem in
AdCycle installation
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0271.html
Reference: BID:1969
Reference:
URL:http://www.securityfocus.com/bid/1969
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Wall, Cole, Armstrong
Voter Comments:
Frech> XF:adcycle-password-disclosure(5559)
Name: CVE-2000-1168
Description:
IBM HTTP Server 1.3.6 (based on Apache) allows remote
attackers to cause a denial of service and possibly
execute arbitrary commands via a long GET request.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001123 IBM HTTP Server 1.3.6
Remote Overflow
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97502498610979&w=2
Reference: BID:1988
Reference:
URL:http://www.securityfocus.com/bid/1988
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:ibm-http-server-dos(5577)
Christey> Consult Troy Bollinger on this one.
Name: CVE-2000-1172
Description:
Buffer overflow in Gaim 0.10.3 and earlier using the
OSCAR protocol allows remote attackers to conduct a
denial of service and possibly execute arbitrary
commands via a long HTML tag.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001110 Advisory: Gaim remote
vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0204.html
Reference: BID:1948
Reference:
URL:http://www.securityfocus.com/bid/1948
Votes:
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:gaim-remote-bo(5511)
Name: CVE-2000-1173
Description:
Microsys CyberPatrol uses weak encryption (trivial
encoding) for credit card numbers and uses no encryption
for the remainder of the information during
registration, which could allow attackers to sniff
network traffic and obtain this sensitive information.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001122 CyberPatrol - poor
credit card protection
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0323.html
Reference: BID:1977
Reference:
URL:http://www.securityfocus.com/bid/1977
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:cyberpatrol-insecure-data(5578)
Name: CVE-2000-1175
Description:
Buffer overflow in Koules 1.4 allows local users to
execute arbitrary commands via a long command line
argument.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001120 local exploit for
linux's Koules1.4 package
Reference:
URL:http://www.securityfocus.com/archive/1/145823
Reference: BID:1967
Reference:
URL:http://www.securityfocus.com/bid/1967
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Wall, Cole, Armstrong
Voter Comments:
Frech> XF:koules-svgalib-bo(5558)
Name: CVE-2000-1176
Description:
Directory traversal vulnerability in YaBB search.pl CGI
script allows remote attackers to read arbitrary files
via a .. (dot dot) attack in the "catsearch" form field.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001107 Insecure input
balidation in YaBB Search.pl
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0110.html
Reference: BID:1921
Reference:
URL:http://www.securityfocus.com/bid/1921
Votes:
MODIFY(1) Frech
NOOP(2) Wall, Cole
Voter Comments:
Frech> XF:yabb-search-format-string(5501)
Name: CVE-2000-1177
Description:
bb-hist.sh, bb-histlog.sh, bb-hostsvc.sh, bb-rep.sh,
bb-replog.sh, and bb-ack.sh in Big Brother (BB) before
1.5d3 allow remote attackers to determine the existence
of files and user IDs by specifying the target file in
the HISTFILE parameter.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001121 Big Brother Advisory
- Fate Research Labs
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0284.html
Reference: CONFIRM:http://bb4.com/incident.nov21
Reference: BID:1971
Reference:
URL:http://www.securityfocus.com/bid/1971
Votes:
ACCEPT(3) Baker, Cole, Armstrong
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:bb-cgi-brute-force(5560)
Name: CVE-2000-1183
Description:
Buffer overflow in socks5 server on Linux allows
attackers to execute arbitrary commands via a long
connection request.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001115 socks5 remote exploit
/ linux x86
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0219.html
Votes:
MODIFY(1) Frech
NOOP(3) Wall, Cole, Armstrong
Voter Comments:
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:linux-socks5-connection-bo(8376)
Name: CVE-2000-1185
Description:
The telnet proxy in RideWay PN proxy server allows
remote attackers to cause a denial of service via a
flood of connections that contain malformed requests.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001113 Rideway PN Telnet DoS
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0201.html
Reference: BID:1938
Reference:
URL:http://www.securityfocus.com/bid/1938
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Wall, Cole, Armstrong
Voter Comments:
Frech> XF:rideway-pn-proxy-dos(5525)
Name: CVE-2000-1186
Description:
Buffer overflow in phf CGI program allows remote
attackers to execute arbitrary commands by specifying a
large number of arguments and including a long MIME
header.
Status: Candidate
Phase: Modified (20010122-01)
Reference: BUGTRAQ:20001115 Exploit: phf buffer
overflow (CGI)
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0221.html
Reference: XF:phf-cgi-bo(5970)
Reference:
URL:http://xforce.iss.net/static/5970.php
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Wall, Cole, Armstrong
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:phf-cgi-bo(5970)
Name: CVE-2000-1188
Description:
Directory traversal vulnerability in Quikstore shopping
cart program allows remote attackers to read arbitrary
files via a .. (dot dot) attack in the "page" parameter.
Status: Candidate
Phase: Modified (20060413)
Reference: BUGTRAQ:20001120 Cgisecurity
Quickstore Shopping cart
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0283.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Wall, Cole, Armstrong
Voter Comments:
Frech> XF:quikstore-cgi-read-files(5561)
Armstrong> in Description: change rmeote to remote.
Name: CVE-2000-1191
Description:
htsearch program in htDig 3.2 beta, 3.1.6, 3.1.5, and
earlier allows remote attackers to determine the
physical path of the server by requesting a non-existent
configuration file using the config parameter, which
generates an error message that includes the full path.
Status: Candidate
Phase: Modified (20050703)
Reference:
MISC:http://www.securiteam.com/exploits/htDig_reveals_web_server_configuration_paths.html
Reference: BID:4366
Reference:
URL:http://www.securityfocus.com/bid/4366
Reference:
XF:htdig-htsearch-path-disclosure(7367)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/7367
Votes:
ACCEPT(1) Stracener
MODIFY(1) Frech
NOOP(4) Williams, Wall, Foat, Cole
Voter Comments:
Frech> XF:htdig-htsearch-path-disclosure(7367)
MISC reference should be
http://www.securiteam.com/exploits/5YQ0C000IU.html.
Name: CVE-2000-1192
Description:
Buffer overflow in BTT Software SNMP Trap Watcher 1.16
allows remote attackers to cause a denial of service,
and possibly execute arbitrary commands, via a long
string trap.
Status: Candidate
Phase: Proposed (20010912)
Reference:
MISC:http://www.securiteam.com/windowsntfocus/5ZP0C000KC.html
Reference:
MISC:http://www.bttsoftware.co.uk/snmptrap.html
Reference: XF:snmp-trapwatcher-string-dos
Reference: BID:985
Reference:
URL:http://www.securityfocus.com/bid/985
Votes:
ACCEPT(1) Frech
NOOP(5) Stracener, Williams, Wall, Foat, Cole
Name: CVE-2000-1194
Description:
Argosoft FTP server 1.0 allows remote attackers to cause
a denial of service, and possibly execute arbitrary
commands, via a long string to the (1) USER or (2) CWD
commands.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://www.mdma.za.net/fk/FK9.zip
Reference: BID:1227
Reference:
URL:http://www.securityfocus.com/bid/1227
Votes:
ACCEPT(1) Williams
MODIFY(1) Frech
NOOP(4) Stracener, Wall, Foat, Cole
Voter Comments:
Frech> XF:argosoft-ftp-bo(6553)
Williams> %s/FRP/FTP
CHANGE> [Williams changed vote from MODIFY to ACCEPT]
Name: CVE-2000-1197
Description:
POP2 or POP3 server (pop3d) in imap-uw IMAP package on
FreeBSD and other operating systems creates lock files
with predictable names, which allows local users to
cause a denial of service (lack of mail access) for
other users by creating lock files for other mail boxes.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:20000420 pop3d/imap DOS (while
we're on the subject)
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95624629924545&w=2
Reference: FREEBSD:FreeBSD-SA-00:15
Reference:
URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:15.imap-uw.asc
Reference: BID:1132
Reference:
URL:http://www.securityfocus.com/bid/1132
Votes:
ACCEPT(4) Stracener, Baker, Foat, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Foat> ACKNOWLEDGED-BY-VENDOR
Frech> XF:freebsd-imap-uw(4335)
Frech> Please change XF:freebsd-imap-uw(4335) to XF:pop-predictable-lockfile(4335)
Name: CVE-2000-1198
Description:
qpopper POP server creates lock files with predictable
names, which allows local users to cause a denial of
service for other users (lack of mail access) by
creating lock files for other mail boxes.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:20000420 pop3
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95634229925906&w=2
Reference: BUGTRAQ:20000420 pop3d/imap DOS (while
we're on the subject)
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95624629924545&w=2
Reference: BID:1132
Reference:
URL:http://www.securityfocus.com/bid/1132
Votes:
ACCEPT(3) Stracener, Baker, Cole
MODIFY(1) Frech
NOOP(2) Wall, Foat
Voter Comments:
Frech> XF:pop-predictable-lockfile(4335)
Name: CVE-2000-1199
Description:
PostgreSQL stores usernames and passwords in plaintext
in (1) pg_shadow and (2) pg_pwd, which allows attackers
with sufficient privileges to gain access to databases.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:20000423 Postgresql cleartext
password storage
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95659987018649&w=2
Reference:
XF:postgresql-plaintext-passwords(4364)
Reference:
URL:http://xforce.iss.net/static/4364.php
Reference: BID:1139
Reference:
URL:http://www.securityfocus.com/bid/1139
Votes:
ACCEPT(1) Frech
NOOP(5) Stracener, Williams, Wall, Foat, Cole
Name: CVE-2000-1201
Description:
Check Point FireWall-1 allows remote attackers to cause
a denial of service (high CPU) via a flood of packets to
port 264.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:20000707 Re: CheckPoint FW1
BUG
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0085.html
Votes:
MODIFY(1) Frech
NOOP(5) Stracener, Williams, Wall, Foat, Cole
Voter Comments:
Frech> XF:fw1-portflood-dos(7368)
Name: CVE-2000-1202
Description:
ikeyman in IBM IBMHSSSB 1.0 sets the CLASSPATH
environmental variable to include the user's own
CLASSPATH directories before the system's directories,
which allows a malicious local user to execute arbitrary
code as root via a Trojan horse Ikeyman class.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:20000405 minor issue with IBM
HTTPD and /usr/bin/ikeyman
Reference:
URL:http://www.securityfocus.com/archive/1/54073
Reference: BID:1092
Reference:
URL:http://www.securityfocus.com/bid/1092
Reference: XF:ibm-ikeyman(4235)
Reference:
URL:http://xforce.iss.net/static/4235.php
Votes:
ACCEPT(2) Frech, Williams
NOOP(4) Stracener, Wall, Foat, Cole
Voter Comments:
Williams> :%s/IBMHSSSB/IBMHSSB
Name: CVE-2000-1204
Description:
Vulnerability in the mod_vhost_alias virtual hosting
module for Apache 1.3.9, 1.3.11 and 1.3.12 allows remote
attackers to obtain the source code for CGI programs if
the cgi-bin directory is under the document root.
Status: Candidate
Phase: Proposed (20020830)
Reference:
CONFIRM:http://www.apacheweek.com/issues/00-10-13
Votes:
ACCEPT(5) Cox, Green, Baker, Cole, Armstrong
MODIFY(1) Frech
NOOP(2) Wall, Foat
Voter Comments:
Frech> XF:apache-modvhostalias-source-disclosure(11088)
Name: CVE-2000-1205
Description:
Cross site scripting vulnerabilities in Apache 1.3.0
through 1.3.11 allow remote attackers to execute script
as other web site visitors via (1) the printenv CGI
(printenv.pl), which does not encode its output, (2)
pages generated by the ap_send_error_response function
such as a default 404, which does not add an explicit
charset, or (3) various messages that are generated by
certain Apache modules or core code. NOTE: the printenv
issue might still exist for web browsers that can render
text/plain content types as HTML, such as Internet
Explorer, but CVE regards this as a design limitation of
those browsers, not Apache. The printenv.pl/acuparam
vector, disclosed on 20070724, is one such variant.
Status: Candidate
Phase: Modified (20070926)
Reference: BUGTRAQ:20021223 Re: 'printenv' XSS
vulnerability
Reference:
URL:http://archive.cert.uni-stuttgart.de/bugtraq/2002/12/msg00243.html
Reference:
CONFIRM:http://httpd.apache.org/info/css-security/apache_specific.html
Reference: BUGTRAQ:20021222 'printenv' XSS
vulnerability
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2002-12/0233.html
Reference: BUGTRAQ:20070724 printenv.pl(all
versions) cross site scripting Vulnerability
Reference:
URL:http://marc.info/?l=bugtraq&m=118529436424127&w=2
Reference: XF:apache-printenv-xss(10938)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/10938
Reference: XF:apache-printenv-acuparam-xss(35597)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/35597
Votes:
ACCEPT(7) Cox, Green, Wall, Baker, Foat, Cole, Armstrong
MODIFY(1) Frech
Voter Comments:
Frech> XF:apache-printenv-xss(10938)
Name: CVE-2000-1206
Description:
Vulnerability in Apache httpd before 1.3.11, when
configured for mass virtual hosting using mod_rewrite,
or mod_vhost_alias in Apache 1.3.9, allows remote
attackers to retrieve arbitrary files.
Status: Candidate
Phase: Proposed (20020830)
Reference:
CONFIRM:http://www.apacheweek.com/issues/00-01-07#status
Votes:
ACCEPT(6) Cox, Green, Wall, Baker, Cole, Armstrong
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> XF:apache-virtualhosting-obtain-files(11139)
Name: CVE-2000-1207
Description:
userhelper in the usermode package on Red Hat Linux
executes non-setuid programs as root, which does not
activate the security measures in glibc and allows the
programs to be exploited via format string
vulnerabilities in glibc via the LANG or LC_ALL
environment variables (CVE-2000-0844).
Status: Candidate
Phase: Proposed (20020830)
Reference: BUGTRAQ:20000930 glibc and userhelper
- local root
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97034397026473&w=2
Reference: REDHAT:RHSA-2000:075
Reference:
URL:http://www.redhat.com/support/errata/RHSA-2000-075.html
Reference: MANDRAKE:MDKSA-2000:059
Reference:
URL:http://www.linux-mandrake.com/en/security/2000/MDKSA-2000-059.php3
Reference: BUGTRAQ:20001003 SuSE:
userhelper/usermode
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97063854808796&w=2
Votes:
ACCEPT(6) Cox, Green, Wall, Baker, Cole, Armstrong
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> XF:usermode-userhelper-bypass-security(11089)
Name: CVE-2000-1208
Description:
Format string vulnerability in startprinting() function
of printjob.c in BSD-based lpr lpd package may allow
local users to gain privileges via an improper syslog
call that uses format strings from the checkremote()
call.
Status: Candidate
Phase: Proposed (20020830)
Reference: BUGTRAQ:20000925 Format strings: bug
#1: BSD-lpr
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96994604300675&w=2
Reference: REDHAT:RHSA-2000:066
Reference:
URL:http://www.redhat.com/support/errata/RHSA-2000-066.html
Reference: MANDRAKE:MDKSA-2000:054
Reference: CONECTIVA:CLSA-2000:321
Reference: BUGTRAQ:20001004 Immunix OS Security
Update for lpr
Reference:
URL:http://online.securityfocus.com/archive/1/137555
Reference: XF:lpr-checkremote-format-string(5286)
Reference:
URL:http://www.iss.net/security_center/static/5286.php
Reference: BID:1711
Reference:
URL:http://www.securityfocus.com/bid/1711
Votes:
ACCEPT(6) Frech, Cox, Green, Baker, Cole, Armstrong
NOOP(2) Wall, Foat
Name: CVE-2000-1209
Description:
The "sa" account is installed with a default null
password on (1) Microsoft SQL Server 2000, (2) SQL
Server 7.0, and (3) Data Engine (MSDE) 1.0, including
third party packages that use these products such as (4)
Tumbleweed Secure Mail (MMS) (5) Compaq Insight Manager,
and (6) Visio 2000, which allows remote attackers to
gain privileges, as exploited by worms such as Voyager
Alpha Force and Spida.
Status: Candidate
Phase: Modified (20071113)
Reference: BUGTRAQ:20000710 MSDE / Re: Default
Password Database
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96333895000350&w=2
Reference: BUGTRAQ:20000810 Tumbleweed
Worldsecure (MMS) BLANK 'sa' account password
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96593218804850&w=2
Reference: BUGTRAQ:20000815 MS-SQL 'sa' user
exploit code
Reference:
URL:http://security-archive.merton.ox.ac.uk/bugtraq-200008/0233.html
Reference: BUGTRAQ:20000816 Released Patch:
Tumbleweed Worldsecure (MMS) BLANK 'sa' account password
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96644570412692&w=2
Reference: BUGTRAQ:20020522 Opty-Way Enterprise
includes MSDE with sa <blank>
Reference:
URL:http://online.securityfocus.com/archive/1/273639
Reference: MSKB:Q313418
Reference:
URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q313418
Reference: MSKB:Q321081
Reference:
URL:http://support.microsoft.com/default.aspx?scid=kb;EN-US;q321081
Reference:
CONFIRM:http://www.microsoft.com/security/security_bulletins/ms02020_sql.asp
Reference: ISS:20020521 Microsoft SQL Spida Worm
Propagation
Reference: CERT-VN:VU#635463
Reference:
URL:http://www.kb.cert.org/vuls/id/635463
Reference: COMPAQ:SSRT2195
Reference: BID:4797
Reference:
URL:http://www.securityfocus.com/bid/4797
Reference: OSVDB:3570
Reference: URL:http://www.osvdb.org/3570
Reference: XF:mssql-no-sapassword(1459)
Reference:
URL:http://www.iss.net/security_center/static/1459.php
Votes:
ACCEPT(5) Green, Wall, Baker, Cole, Armstrong
MODIFY(1) Frech
NOOP(3) Cox, Christey, Foat
Voter Comments:
Frech> XF:tumbleweed-mms-blank-password(5072)
XF:msde-mssql-default-password(9154)
May overlap with CVE-2000-0772.
Christey> fix desc - "installed with a default password" appears twice.
Name: CVE-2000-1213
Description:
ping in iputils before 20001010, as distributed on Red
Hat Linux 6.2 through 7J and other operating systems,
does not drop privileges after acquiring a raw socket,
which increases ping's exposure to bugs that otherwise
would occur at lower privileges.
Status: Candidate
Phase: Proposed (20020830)
Reference: BUGTRAQ:20001025 Immunix OS Security
Update for ping package
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97249980727834&w=2
Reference: BUGTRAQ:20001030 Trustix Security
Advisory - ping gnupg ypbind
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0429.html
Reference: REDHAT:RHSA-2000:087
Reference:
URL:http://www.redhat.com/support/errata/RHSA-2000-087.html
Votes:
ACCEPT(7) Cox, Green, Wall, Baker, Foat, Cole, Armstrong
MODIFY(1) Frech
Voter Comments:
Frech> XF:iputils-ping-privileges(11090)
Name: CVE-2000-1214
Description:
Buffer overflows in the (1) outpack or (2) buf variables
of ping in iputils before 20001010, as distributed on
Red Hat Linux 6.2 through 7J and other operating
systems, may allow local users to gain privileges.
Status: Candidate
Phase: Proposed (20020830)
Reference: BUGTRAQ:20001025 Immunix OS Security
Update for ping package
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97249980727834&w=2
Reference: BUGTRAQ:20001020 Re:
[RHSA-2000:087-02] Potential security problems in ping
fixed.
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97208562830613&w=2
Reference: BUGTRAQ:20001030 Trustix Security
Advisory - ping gnupg ypbind
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0429.html
Reference: REDHAT:RHSA-2000:087
Reference:
URL:http://www.redhat.com/support/errata/RHSA-2000-087.html
Reference: BID:1813
Reference:
URL:http://www.securityfocus.com/bid/1813
Reference: XF:ping-buf-bo(5431)
Reference:
URL:http://www.iss.net/security_center/static/5431.php
Votes:
ACCEPT(8) Frech, Cox, Green, Wall, Baker, Foat, Cole, Armstrong
Name: CVE-2000-1215
Description:
The default configuration of Lotus Domino server 5.0.8
includes system information (version, operating system,
and build date) in the HTTP headers of replies, which
allows remote attackers to obtain sensitive information.
Status: Candidate
Phase: Assigned (20050421)
Reference: BUGTRAQ:20010919 lotus domino server
5.08 is very gabby
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100094373621813&w=2
Reference:
CONFIRM:http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/5552251934afaa9585256c0000737a7f?OpenDocument&Highlight=0,AWHN4A8QWM
Reference: CERT-VN:VU#984555
Reference:
URL:http://www.kb.cert.org/vuls/id/984555
Reference:
XF:lotus-domino-information-disclosure(10685)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/10685
Votes:
Name: CVE-2000-1216
Description:
Buffer overflow in portmir for AIX 4.3.0 allows local
users to corrupt lock files and gain root privileges via
the echo_error routine.
Status: Candidate
Phase: Assigned (20050421)
Reference: AIXAPAR:IY07832
Reference:
URL:http://www-1.ibm.com/support/docview.wss?uid=isg1IY07832
Reference: CERT-VN:VU#433499
Reference:
URL:http://www.kb.cert.org/vuls/id/433499
Reference: XF:aix-portmir-echoerror-bo(7929)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/7929
Votes:
Name: CVE-2000-1217
Description:
Microsoft Windows 2000 before Service Pack 2 (SP2), when
running in a non-Windows 2000 domain and using NTLM
authentication, and when credentials of an account are
locally cached, allows local users to bypass account
lockout policies and make an unlimited number of login
attempts, aka the "Domain Account Lockout"
vulnerability.
Status: Candidate
Phase: Assigned (20050421)
Reference: MS:MS00-089
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/MS00-089.mspx
Reference: CERT-VN:VU#818496
Reference:
URL:http://www.kb.cert.org/vuls/id/818496
Reference: BID:1973
Reference:
URL:http://www.securityfocus.com/bid/1973
Reference: XF:win2k-brute-force(5585)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/5585
Votes:
Name: CVE-2000-1218
Description:
The default configuration for the domain name resolver
for Microsoft Windows 98, NT 4.0, 2000, and XP sets the
QueryIpMatching parameter to 0, which causes Windows to
accept DNS updates from hosts that it did not query,
which allows remote attackers to poison the DNS cache.
Status: Candidate
Phase: Assigned (20050421)
Reference: CERT-VN:VU#458659
Reference:
URL:http://www.kb.cert.org/vuls/id/458659
Reference: XF:win2k-dns-resolver(4280)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/4280
Votes:
Name: CVE-2000-1219
Description:
The -ftrapv compiler option in gcc and g++ 3.3.3 and
earlier does not handle all types of integer overflows,
which may leave applications vulnerable to
vulnerabilities related to overflows.
Status: Candidate
Phase: Assigned (20050421)
Reference: MLIST:[gcc-bugs] 20020506 c/6586:
-ftrapv doesn't catch multiplication overflow
Reference:
URL:http://gcc.gnu.org/ml/gcc-bugs/2002-05/msg00198.html
Reference: CERT-VN:VU#540517
Reference:
URL:http://www.kb.cert.org/vuls/id/540517
Votes:
Name: CVE-2000-1220
Description:
The line printer daemon (lpd) in the lpr package in
multiple Linux operating systems allows local users to
gain root privileges by causing sendmail to execute with
arbitrary command line arguments, as demonstrated using
the -C option to specify a configuration file.
Status: Candidate
Phase: Assigned (20050421)
Reference: BUGTRAQ:20000108 L0pht Advisory: LPD,
RH 4.x,5.x,6.x
Reference:
URL:http://seclists.org/lists/bugtraq/2000/Jan/0116.html
Reference: L0PHT:20000108 Quadruple Inverted
Backflip
Reference:
URL:http://www.atstake.com/research/advisories/2000/lpd_advisory.txt
Reference:
MISC:http://www.atstake.com/research/advisories/2000/lpd_advisory.txt
Reference: DEBIAN:20000109 lpr -- access control
problem and root exploit
Reference:
URL:http://www.debian.org/security/2000/20000109
Reference: DEBIAN:DSA-20000109
Reference:
URL:http://www.debian.org/security/2000/20000109
Reference: REDHAT:RHSA-2000:002
Reference:
URL:http://www.redhat.com/support/errata/RHSA-2000-002.html
Reference: SGI:20021104-01-P
Reference:
URL:ftp://patches.sgi.com/support/free/security/advisories/20021104-01-P
Reference: CERT-VN:VU#39001
Reference:
URL:http://www.kb.cert.org/vuls/id/39001
Reference: BID:927
Reference:
URL:http://www.securityfocus.com/bid/927
Reference: XF:redhat-lpd-print-control(3841)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/3841
Votes:
Name: CVE-2000-1221
Description:
The line printer daemon (lpd) in the lpr package in
multiple Linux operating systems authenticates by
comparing the reverse-resolved hostname of the local
machine to the hostname of the print server as returned
by gethostname, which allows remote attackers to bypass
intended access controls by modifying the DNS for the
attacking IP.
Status: Candidate
Phase: Assigned (20050421)
Reference: ATSTAKE:A010800-v
Reference:
URL:http://www.atstake.com/research/advisories/2000/lpd_advisory.txt
Reference: L0PHT:20000108 Quadruple Inverted
Backflip
Reference:
URL:http://www.atstake.com/research/advisories/2000/lpd_advisory.txt
Reference: DEBIAN:20000109 lpr -- access control
problem and root exploit
Reference:
URL:http://www.debian.org/security/2000/20000109
Reference: REDHAT:RHSA-2000:002
Reference:
URL:http://rhn.redhat.com/errata/RHSA-2000-002.html
Reference: SGI:20021104-01-P
Reference:
URL:ftp://patches.sgi.com/support/free/security/advisories/20021104-01-P
Reference: CERT-VN:VU#30308
Reference:
URL:http://www.kb.cert.org/vuls/id/30308
Reference: BID:927
Reference:
URL:http://www.securityfocus.com/bid/0927
Reference: XF:redhat-lpd-auth(3840)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/3840
Votes:
Name: CVE-2000-1222
Description:
AIX sysback before 4.2.1.13 uses a relative path to find
and execute the hostname program, which allows local
users to gain privileges by modifying the path to point
to a malicious hostname program.
Status: Candidate
Phase: Assigned (20050421)
Reference: CERT-VN:VU#17566
Reference:
URL:http://www.kb.cert.org/vuls/id/17566
Reference:
XF:aix-sysback-elevate-privileges(6432)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/6432
Votes:
Name: CVE-2000-1223
Description:
quikstore.cgi in Quikstore Shopping Cart allows remote
attackers to execute arbitrary commands via shell
metacharacters in the URL portion of an HTTP GET
request.
Status: Candidate
Phase: Assigned (20050421)
Reference: CERT-VN:VU#671444
Reference:
URL:http://www.kb.cert.org/vuls/id/671444
Votes:
Name: CVE-2000-1224
Description:
Caucho Technology Resin 1.2 and possibly earlier allows
remote attackers to view JSP source via an HTTP request
to a .jsp file with certain characters appended to the
file name, such as (1) "..", (2) "%2e..", (3) "%81", (4)
"%82", and others.
Status: Candidate
Phase: Assigned (20050519)
Reference: BUGTRAQ:20001123 RESIN ServletExec JSP
Source Disclosure Vulnerability(Apache 1.3.6 Win2k))
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97502269408279&w=2
Reference: BUGTRAQ:20001123 Re: RESIN ServletExec
JSP Source Disclosure Vulnerability(Apache 1.3.6 Win2k))
Reference:
URL:http://www.securityfocus.com/archive/1/146770
Reference: BID:1986
Reference:
URL:http://www.securityfocus.com/bid/1986
Reference: XF:resin-jsp-source-disclosure(5568)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/5568
Votes:
Name: CVE-2000-1225
Description:
Xitami 2.5b installs the testcgi.exe program by default
in the cgi-bin directory, which allows remote attackers
to gain sensitive configuration information about the
web server by accessing the program.
Status: Candidate
Phase: Assigned (20050621)
Reference:
MISC:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0109.html
Votes:
Name: CVE-2000-1226
Description:
Snort 1.6, when running in straight ASCII packet logging
mode or IDS mode with straight decoded ASCII packet
logging selected, allows remote attackers to cause a
denial of service (crash) by sending non-IP protocols
that Snort does not know about, as demonstrated by an
nmap protocol scan.
Status: Candidate
Phase: Assigned (20050621)
Reference: BUGTRAQ:20000614 Snort 1.6 and nmap
2.54beta1
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0122.html
Reference: BUGTRAQ:20000614 Re: Snort 1.6 and
nmap 2.54beta1
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0126.html
Votes:
Name: CVE-2000-1227
Description:
Windows NT 4.0 and Windows 2000 hosts allow remote
attackers to cause a denial of service (unavailable
connections) by sending multiple SMB SMBnegprots
requests but not reading the response that is sent back.
Status: Candidate
Phase: Assigned (20050629)
Reference: BUGTRAQ:20000605 anonymous SMB service
DoS on nt5 (and TCP DoS on nt4) (fwd)
Reference:
URL:http://www.securityfocus.com/archive/1/63322
Reference: BID:1301
Reference:
URL:http://www.securityfocus.com/bid/1301
Votes:
Name: CVE-2000-1228
Description:
Phorum 3.0.7 allows remote attackers to change the
administrator password without authentication via an
HTTP request for admin.php3 that sets step, option,
confirm and newPssword variables.
Status: Candidate
Phase: Assigned (20050714)
Reference: BUGTRAQ:20000106 Phorum 3.0.7 exploits
and IDS signatures
Reference:
URL:http://cert.uni-stuttgart.de/archive/bugtraq/2000/01/msg00215.html
Reference:
MISC:http://hispahack.ccc.de/mi020.html
Reference:
MISC:http://www.digitalsec.net/stuff/z-mirrors/hispahack/mi020.htm
Reference: BID:2271
Reference:
URL:http://www.securityfocus.com/bid/2271
Votes:
Name: CVE-2000-1229
Description:
Directory traversal vulnerability in Phorum 3.0.7 allows
remote Phorum administrators to read arbitrary files via
".." (dot dot) sequences in the default .langfile name
field in the Master Settings administrative function,
which causes the file to be displayed in admin.php3.
Status: Candidate
Phase: Assigned (20050714)
Reference: BUGTRAQ:20000106 Phorum 3.0.7 exploits
and IDS signatures
Reference:
URL:http://cert.uni-stuttgart.de/archive/bugtraq/2000/01/msg00215.html
Reference:
MISC:http://hispahack.ccc.de/mi020.html
Reference:
MISC:http://www.digitalsec.net/stuff/z-mirrors/hispahack/mi020.htm
Votes:
Name: CVE-2000-1230
Description:
Backdoor in auth.php3 in Phorum 3.0.7 allows remote
attackers to access restricted web pages via an HTTP
request with the PHP_AUTH_USER parameter set to
"boogieman".
Status: Candidate
Phase: Assigned (20050714)
Reference: BUGTRAQ:20000106 Phorum 3.0.7 exploits
and IDS signatures
Reference:
URL:http://cert.uni-stuttgart.de/archive/bugtraq/2000/01/msg00215.html
Reference:
MISC:http://hispahack.ccc.de/mi020.html
Reference:
MISC:http://www.digitalsec.net/stuff/z-mirrors/hispahack/mi020.htm
Reference: BID:2274
Reference:
URL:http://www.securityfocus.com/bid/2274
Votes:
Name: CVE-2000-1231
Description:
code.php3 in Phorum 3.0.7 allows remote attackers to
read arbitrary files in the phorum directory via the
query string.
Status: Candidate
Phase: Assigned (20050714)
Reference: BUGTRAQ:20000106 Phorum 3.0.7 exploits
and IDS signatures
Reference:
URL:http://cert.uni-stuttgart.de/archive/bugtraq/2000/01/msg00215.html
Reference:
MISC:http://hispahack.ccc.de/mi020.html
Reference:
MISC:http://www.digitalsec.net/stuff/z-mirrors/hispahack/mi020.htm
Votes:
Name: CVE-2000-1232
Description:
upgrade.php3 in Phorum 3.0.7 could allow remote
attackers to modify certain Phorum database tables via
an unknown method.
Status: Candidate
Phase: Assigned (20050714)
Reference: BUGTRAQ:20000106 Phorum 3.0.7 exploits
and IDS signatures
Reference:
URL:http://cert.uni-stuttgart.de/archive/bugtraq/2000/01/msg00215.html
Reference:
MISC:http://hispahack.ccc.de/mi020.html
Reference:
MISC:http://www.digitalsec.net/stuff/z-mirrors/hispahack/mi020.htm
Votes:
Name: CVE-2000-1233
Description:
SQL injection vulnerability in read.php3 and other
scripts in Phorum 3.0.7 allows remote attackers to
execute arbitrary SQL queries via the sSQL parameter.
Status: Candidate
Phase: Assigned (20050714)
Reference: BUGTRAQ:20000106 Phorum 3.0.7 exploits
and IDS signatures
Reference:
URL:http://cert.uni-stuttgart.de/archive/bugtraq/2000/01/msg00215.html
Reference:
MISC:http://hispahack.ccc.de/mi020.html
Reference:
MISC:http://www.digitalsec.net/stuff/z-mirrors/hispahack/mi020.htm
Votes:
Name: CVE-2000-1234
Description:
violation.php3 in Phorum 3.0.7 allows remote attackers
to send e-mails to arbitrary addresses and possibly use
Phorum as a "spam proxy" by setting the Mod and
ForumName parameters.
Status: Candidate
Phase: Assigned (20050714)
Reference: BUGTRAQ:20000106 Phorum 3.0.7 exploits
and IDS signatures
Reference:
URL:http://cert.uni-stuttgart.de/archive/bugtraq/2000/01/msg00215.html
Reference:
MISC:http://hispahack.ccc.de/mi020.html
Reference:
MISC:http://www.digitalsec.net/stuff/z-mirrors/hispahack/mi020.htm
Reference: BID:2272
Reference:
URL:http://www.securityfocus.com/bid/2272
Votes:
Name: CVE-2000-1235
Description:
The default configurations of (1) the port listener and
(2) modplsql in Oracle Internet Application Server (IAS)
3.0.7 and earlier allow remote attackers to view
privileged database information via HTTP requests for
Database Access Descriptor (DAD) files.
Status: Candidate
Phase: Assigned (20050714)
Reference: BUGTRAQ:20001219 Oracle WebDb engine
brain-damagse
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0339.html
Reference: BUGTRAQ:20001221 Re: Oracle WebDb
engine brain-damagse
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0372.html
Reference: BUGTRAQ:20001223 Potential
Vulnerabilities in Oracle Internet Application Server
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0463.html
Reference: BUGTRAQ:20010110 Patch for Potential
Vulnerability in Oracle Internet Application Server
Reference:
URL:http://online.securityfocus.com/archive/1/155881
Reference: BID:2150
Reference:
URL:http://www.securityfocus.com/bid/2150
Reference: XF:oracle-webdb-admin-access(5818)
Reference:
URL:http://www.iss.net/security_center/static/5818.php
Votes:
Name: CVE-2000-1236
Description:
SQL injection vulnerability in mod_sql in Oracle
Internet Application Server (IAS) 3.0.7 and earlier
allows remote attackers to execute arbitrary SQL
commands via the query string of the URL.
Status: Candidate
Phase: Assigned (20050714)
Reference: BUGTRAQ:20001219 Oracle WebDb engine
brain-damagse
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0339.html
Reference: BUGTRAQ:20001221 Re: Oracle WebDb
engine brain-damagse
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0372.html
Reference: BUGTRAQ:20001223 Potential
Vulnerabilities in Oracle Internet Application Server
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0463.html
Reference: BUGTRAQ:20010110 Patch for Potential
Vulnerability in Oracle Internet Application Server
Reference:
URL:http://online.securityfocus.com/archive/1/155881
Reference: BID:2150
Reference:
URL:http://www.securityfocus.com/bid/2150
Reference: XF:oracle-execute-plsql(5817)
Reference:
URL:http://www.iss.net/security_center/static/5817.php
Votes:
Name: CVE-2000-1237
Description:
The POP3 server in FTGate returns an -ERR code after
receiving an invalid USER request, which makes it easier
for remote attackers to determine valid usernames and
conduct brute force password guessing.
Status: Candidate
Phase: Assigned (20050714)
Reference: BUGTRAQ:20000626 Problems with FTGate
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0282.html
Reference: XF:ftgate-invalid-user-requests(4793)
Reference:
URL:http://www.iss.net/security_center/static/4793.php
Votes:
Name: CVE-2000-1238
Description:
BEA Systems WebLogic Express and WebLogic Server 5.1
SP1-SP6 allows remote attackers to bypass access
controls for restricted JSP or servlet pages via a URL
with multiple / (forward slash) characters before the
restricted pages.
Status: Candidate
Phase: Assigned (20051116)
Reference:
CONFIRM:ftp://ftpna.bea.com/pub/releases/patches/SecurityBEA00-0600.zip
Reference: BID:5089
Reference:
URL:http://www.securityfocus.com/bid/5089
Reference: XF:weblogic-bypass-auth(5588)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/5588
Votes:
Name: CVE-2000-1239
Description:
The HTTP interface of Tivoli Lightweight Client
Framework (LCF) in IBM Tivoli Management Framework 3.7.1
sets http_disable to zero at install time, which allows
remote authenticated users to bypass file permissions on
Tivoli Endpoint Configuration data files via an
unspecified manipulation of log files.
Status: Candidate
Phase: Assigned (20060315)
Reference:
CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21082896
Reference: BID:17085
Reference:
URL:http://www.securityfocus.com/bid/17085
Reference: XF:tivoli-lcf-file-read(3927)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/3927
Votes:
Name: CVE-2000-1240
Description:
Unspecified vulnerability in siteman.php3 in
AnyPortal(php) before 22 APR 00 allows remote attackers
to obtain sensitive information via unknown attack
vectors, which reveal the absolute path. NOTE: the
provenance of this information is unknown; the details
are obtained from third party information.
Status: Candidate
Phase: Assigned (20060323)
Reference: OSVDB:23983
Reference: URL:http://www.osvdb.org/23983
Reference:
XF:anyportalphp-siteman-information-disclosure(25441)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/25441
Votes:
Name: CVE-2000-1241
Description:
Unspecified vulnerability in Haakon Nilsen simple,
integrated publishing system (SIPS) before 0.2.4 allows
attackers to have an unknown impact via unspecified
vectors, related to a "grave security fault."
Status: Candidate
Phase: Assigned (20060913)
Reference:
CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=25971
Votes:
Name: CVE-2000-1242
Description:
The HTTP service in American Power Conversion (APC)
PowerChute uses a default username and password, which
allows remote attackers to gain system access.
Status: Candidate
Phase: Assigned (20061209)
Reference:
MISC:http://governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
Reference: OSVDB:30768
Reference: URL:http://www.osvdb.org/30768
Votes:
Name: CVE-2000-1243
Description:
Privacy leak in Dansie Shopping Cart 3.04, and probably
earlier versions, sends sensitive information such as
user credentials to an e-mail address controlled by the
product developers.
Status: Candidate
Phase: Assigned (20070605)
Reference: BUGTRAQ:20000411 Back Door in
Commercial Shopping Cart
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0051.html
Reference: BUGTRAQ:20000413 Re: Back Door in
Commercial Shopping Cart
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0071.html
Reference: BUGTRAQ:20000413 Re: Back Door in
Commercial Shopping Cart [RESOLVED]
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0086.html
Reference: BUGTRAQ:20000413 Re: Back Door in
Commercial Shopping Cart [Stormer Hosting]
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0066.html
Reference: BUGTRAQ:20070603 Dansie Cart Script
Exploit Reported
Reference: URL:http://www.securityfocus.com/archive/1/archive/