FINAL DECISION: ACCEPT 50 various candidates

I have made a Final Decision to ACCEPT the following candidates.
These candidates are now assigned CVE names as noted below. Voting
details and comments are provided afterwards.

This brings the total number of CVE entries to 317.

The CVE names for candidates that reach Final Decision should be
regarded as stable. In the case of these and all other candidates
that reach Final Decision during this validation period, accepted
candidates won't reach Publication phase until CVE goes fully public.
The only difference between Publication and Final Decision is that the
CVE name is officially "announced" by MITRE during Publication.

- Steve

Candidate CVE Name
--------- ----------
CAN-1999-0009 CVE-1999-0009
CAN-1999-0010 CVE-1999-0010
CAN-1999-0011 CVE-1999-0011
CAN-1999-0016 CVE-1999-0016
CAN-1999-0025 CVE-1999-0025
CAN-1999-0026 CVE-1999-0026
CAN-1999-0027 CVE-1999-0027
CAN-1999-0028 CVE-1999-0028
CAN-1999-0029 CVE-1999-0029
CAN-1999-0037 CVE-1999-0037
CAN-1999-0059 CVE-1999-0059
CAN-1999-0068 CVE-1999-0068
CAN-1999-0075 CVE-1999-0075
CAN-1999-0084 CVE-1999-0084
CAN-1999-0087 CVE-1999-0087
CAN-1999-0095 CVE-1999-0095
CAN-1999-0096 CVE-1999-0096
CAN-1999-0126 CVE-1999-0126
CAN-1999-0138 CVE-1999-0138
CAN-1999-0150 CVE-1999-0150
CAN-1999-0152 CVE-1999-0152
CAN-1999-0167 CVE-1999-0167
CAN-1999-0175 CVE-1999-0175
CAN-1999-0183 CVE-1999-0183
CAN-1999-0202 CVE-1999-0202
CAN-1999-0204 CVE-1999-0204
CAN-1999-0245 CVE-1999-0245
CAN-1999-0260 CVE-1999-0260
CAN-1999-0273 CVE-1999-0273
CAN-1999-0281 CVE-1999-0281
CAN-1999-0289 CVE-1999-0289
CAN-1999-0346 CVE-1999-0346
CAN-1999-0348 CVE-1999-0348
CAN-1999-0350 CVE-1999-0350
CAN-1999-0362 CVE-1999-0362
CAN-1999-0368 CVE-1999-0368
CAN-1999-0383 CVE-1999-0383
CAN-1999-0388 CVE-1999-0388
CAN-1999-0391 CVE-1999-0391
CAN-1999-0412 CVE-1999-0412
CAN-1999-0424 CVE-1999-0424
CAN-1999-0425 CVE-1999-0425
CAN-1999-0437 CVE-1999-0437
CAN-1999-0438 CVE-1999-0438
CAN-1999-0448 CVE-1999-0448
CAN-1999-0449 CVE-1999-0449
CAN-1999-0458 CVE-1999-0458
CAN-1999-0494 CVE-1999-0494
CAN-1999-0514 CVE-1999-0514
CAN-1999-0526 CVE-1999-0526
=================================
Candidate: CAN-1999-0009
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: XF:bind-bo
Reference: SUN:00180
Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.
VOTES:
ACCEPT(6) Frech, Northcutt, Blake, Prosser, Balinsky, Levy
=================================
Candidate: CAN-1999-0010
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: XF:bind-dos
Denial of Service vulnerability in BIND 8 Releases via maliciously
formatted DNS messages.
VOTES:
ACCEPT(4) Frech, Blake, Northcutt, Prosser
=================================
Candidate: CAN-1999-0011
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: SUN:00180
Reference: XF:bind-axfr-dos
Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases
via CNAME record and zone transfer.
Modifications:
CHANGEREF XF:bind-dos XF:bind-axfr-dos
VOTES:
ACCEPT(2) Blake, Northcutt
MODIFY(1) Frech
COMMENTS:
Frech> Change XF reference to:
Frech> XF:bind-axfr-dos
=================================
Candidate: CAN-1999-0016
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-02
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: FreeBSD:FreeBSD-SA-98:01
Reference: HP:HPSBUX9801-076
Reference: CISCO:http://www.cisco.com/warp/public/770/land-pub.shtml
Reference: XF:cisco-land
Reference: XF:land
Reference: XF:95-verv-tcp
Reference: XF:land-patch
Reference: XF:ver-tcpip-sys
Land IP denial of service
Modifications:
ADDREF HP:HPSBUX9801-076
ADDREF XF:ver-tcpip-sys
DELREF XF:land-exploit
VOTES:
ACCEPT(4) Northcutt, Blake, Balinsky, Ozancin
MODIFY(1) Frech
COMMENTS:
Frech> XF:ver-tcpip-sys (applies to a check, not a vulnerability, and is thus not
Frech> listed on website)
Frech> XF:land-exploit (obsolete, replaced by land)
=================================
Candidate: CAN-1999-0025
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.19.IRIX.df.buffer.overflow.vul
Reference: XF:df-bo
root privileges via buffer overflow in df command on SGI IRIX
systems.
VOTES:
ACCEPT(2) Frech, Ozancin
=================================
Candidate: CAN-1999-0026
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.20.IRIX.pset.buffer.overflow.vul
Reference: XF:pset-bo
root privileges via buffer overflow in pset command on SGI IRIX
systems.
VOTES:
ACCEPT(3) Frech, Prosser, Ozancin
=================================
Candidate: CAN-1999-0027
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.21.IRIX.eject.buffer.overflow.vul
Reference: XF:eject-bo
root privileges via buffer overflow in eject command on SGI IRIX
systems.
VOTES:
ACCEPT(2) Frech, Ozancin
=================================
Candidate: CAN-1999-0028
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.22.IRIX.login.scheme.buffer.overflow.vul
Reference: XF:sgi-schemebo
root privileges via buffer overflow in login/scheme command on SGI
IRIX systems.
Modifications:
ADDREF XF:sgi-schemebo
VOTES:
ACCEPT(1) Prosser
MODIFY(2) Frech, Ozancin
COMMENTS:
Frech> XF:sgi-schemebo
Ozancin> => login/scheme
=================================
Candidate: CAN-1999-0029
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.23-IRIX.ordist.buffer.overflow.vul
Reference: XF:ordist-bo
root privileges via buffer overflow in ordist command on SGI IRIX
systems.
VOTES:
ACCEPT(2) Frech, Ozancin
=================================
Candidate: CAN-1999-0037
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.14.metamail
Reference: XF:metamail-header-commands
Arbitrary command execution via metamail package using message
headers, when user processes attacker's message using metamail.
Modifications:
ADDREF XF:metamail-header-commands
VOTES:
ACCEPT(4) Hill, Prosser, Landfield, Northcutt
MODIFY(1) Frech
COMMENTS:
Frech> XF:metamail-header-commands
=================================
Candidate: CAN-1999-0059
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: NAI:NAI-16
Reference: XF:irix-fam
IRIX fam service allows an attacker to obtain a list of all files
on the server.
VOTES:
ACCEPT(3) Hill, Northcutt, Prosser
MODIFY(1) Frech
COMMENTS:
Frech> XF:irix-fam
=================================
Candidate: CAN-1999-0068
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-php-mylog
Reference: BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts
CGI PHP mylog script allows an attacker to read any file on the
target server.
Modifications:
ADDREF BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts
VOTES:
ACCEPT(2) Frech, Northcutt
MODIFY(1) Prosser
COMMENTS:
Prosser> add source
Prosser> Bugtraq
Prosser> "Vulnerability in PHP Example Logging Scripts"
Prosser> http://www.securityfocus.com/bugtraq/1997_3/0560.html
=================================
Candidate: CAN-1999-0075
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990928-02
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19961016 Re: ftpd bug? Was: bin/1805: Bug in ftpd
Reference: XF:ftp-pasvcore
PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV
command after specifying a username and password.
Modifications:
ADDREF BUGTRAQ:19961016 Re: ftpd bug? Was: bin/1805: Bug in ftpd
DESC make more explicit to distinguish from CAN-1999-0076
CHANGEREF XF:pasvcore XF:ftp-pasvcore
VOTES:
MODIFY(2) Frech, Prosser
COMMENTS:
Frech> There is no pasvcore record; delete and add
Frech> XF:ftp-pasvcore
Prosser> additional sources
Prosser> Various BUGTRAQ messages
Prosser> http://www.securityfocus.com/
Prosser> http://oliver.efri.hr/~crv/security/bugs/SunOS/wuftpd7.html
Prosser> http://www.insecure.org/sploits
=================================
Candidate: CAN-1999-0084
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:nfs-mknod
NFS mknod bug
VOTES:
ACCEPT(5) Hill, Frech, Northcutt, Proctor, Balinsky
=================================
Candidate: CAN-1999-0087
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:ibm-telnetdos
Reference: ERS:ERS-SVA-E01-1998:003.1
Denial of service in AIX telnet can freeze a system and prevent
users from accessing the server.
Modifications:
ADDREF XF:ibm-telnetdos
VOTES:
ACCEPT(1) Hill
MODIFY(3) Meunier, Frech, Landfield
NOOP(2) Northcutt, Christey
COMMENTS:
Meunier> Add "STD0011: Incorrect or incomplete address field found and ignored" to
Meunier> distinguish from other vulnerabilities resulting in DOS on AIX telnet that
Meunier> might be discovered in the future.
Frech> XF:ibm-telnetdos
Christey> To keep the description as short and simple as possible, we
Christey> should avoid this specific detail until there is a second AIX
Christey> telnet DoS
=================================
Candidate: CAN-1999-0095
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: CF
Reference: CERT:CA-88.01
Reference: CERT:CA-93.14
Reference: XF:smtp-debug
The debug command in Sendmail is enabled, allowing attackers to
execute commands as root.
Modifications:
ADDREF CERT:CA-88.01
ADDREF CERT:CA-93.14
DESC change to reflect that it's a config problem
VOTES:
ACCEPT(7) Hill, Frech, Blake, Northcutt, Proctor, Balinsky, Ozancin
NOOP(1) Christey
RECAST(1) Prosser
COMMENTS:
Northcutt> (I swear I have voted for this before, this is how I got into
Northcutt> computer security, someone broke into my SUN WS doing this)
Prosser> There is a sendmail 8.6.7 debug vulnerability :source
Prosser> CERT Advisory CA-94.12
Prosser> http://www.cert.org
Prosser> as well as an older BSD sendmail 5.59 debug vulnerability
Prosser> CERT Advisory CA-88.01,96.20, 24 and 25
Prosser> which one are we talking about here
Christey> Some of Steve's votes got lost somehow. I found them and
Christey> re-entered them, using his latest votes where conflicts
Christey> occurred.
Christey>
Christey> With respect to CERT advisories, some of the advisories
Christey> mentioned by Mike are superseded by others, and not available
Christey> on the CERT web site. However, this entry is referencing
Christey> when Sendmail is configured with the Debug option enabled,
Christey> as referred to in CA-88.01 and CA-93.14.
=================================
Candidate: CAN-1999-0096
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: CF
Reference: CERT:CA-93.16
Reference: CERT:CA-95.05
Reference: CIAC:A-13
Reference: CIAC:A-14
Reference: SUN:00122
Reference: XF:smtp-dcod
Sendmail decode alias can be used to overwrite sensitive files
Modifications:
ADDREF CERT:CA-93.16
ADDREF CERT:CA-95.05
ADDREF CIAC:A-13
ADDREF CIAC:A-14
ADDREF SUN:00122
VOTES:
ACCEPT(7) Hill, Frech, Blake, Northcutt, Proctor, Balinsky, Ozancin
MODIFY(1) Prosser
COMMENTS:
Prosser> additional sources
Prosser> CERT Advisory CA-93:16, CA-95.05
Prosser> http://www.cert.org
Prosser> Sun Security Bulletin 00122
Prosser> http://www.sunsolve.sun.com
=================================
Candidate: CAN-1999-0126
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:VB-98.04.xterm.Xaw
Reference: CIAC:J-010
Reference: XF:xfree86-xterm-xaw
Reference: XF:xfree86-xaw
SGI IRIX buffer overflow in xterm and Xaw allows root access.
Modifications:
ADDREF XF:xfree86-xterm-xaw
ADDREF XF:xfree86-xaw
VOTES:
ACCEPT(3) Northcutt, Prosser, Ozancin
MODIFY(1) Frech
COMMENTS:
Frech> XF:xfree86-xterm-xaw
Frech> XF:xfree86-xaw
=================================
Candidate: CAN-1999-0138
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.12.suidperl_vul
Reference: XF:sperl-suid
The suidperl and sperl programs do not give up root privileges when
changing UIDs back to the original users, allowing root access.
Modifications:
ADDREF XF:sperl-suid
VOTES:
ACCEPT(1) Prosser
MODIFY(1) Frech
COMMENTS:
Frech> XF:sperl-suid
=================================
Candidate: CAN-1999-0150
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:perl-fingerd
The Perl fingerd program allows arbitrary command execution from
remote users.
Modifications:
ADDREF XF:perl-fingerd
VOTES:
ACCEPT(3) Hill, Northcutt, Proctor
MODIFY(1) Frech
COMMENTS:
Frech> XF:perl-fingerd
=================================
Candidate: CAN-1999-0152
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19970811 dgux in.fingerd vulnerability
Reference: XF:dgux-fingerd
The DG/UX finger daemon allows remote command execution through shell
metacharacters.
Modifications:
ADDREF BUGTRAQ:19970811 dgux in.fingerd vulnerability
VOTES:
ACCEPT(5) Hill, Frech, Northcutt, Proctor, Balinsky
MODIFY(1) Prosser
COMMENTS:
Prosser> additional resource
Prosser> Bugtraq
Prosser> "dgux in.fingerd vulnerability"
Prosser> http://www.securityfocus.com/
=================================
Candidate: CAN-1999-0167
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:nfs-guess
Reference: CERT:CA-91.21.SunOS.NFS.Jumbo.and.fsirand
In SunOS, NFS file handles could be guessed, giving unauthorized
access to the exported file system.
Modifications:
ADDREF CERT:CA-91.21.SunOS.NFS.Jumbo.and.fsirand
VOTES:
ACCEPT(6) Hill, Frech, Blake, Northcutt, Proctor, Balinsky
MODIFY(1) Prosser
COMMENTS:
Prosser> sort of an oldie source
Prosser> CERT Security Alert CA-91:21
Prosser> http://www.cert.org
=================================
Candidate: CAN-1999-0175
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:http-nov-convert
The convert.bas program in the Novell web server allows remote
attackers to read any file on the system that is internally accessible
by the web server.
VOTES:
ACCEPT(4) Hill, Frech, Blake, Northcutt
=================================
Candidate: CAN-1999-0183
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:linux-tftp
Linux implementations of TFTP would allow access to files outside the
restricted directory.
VOTES:
ACCEPT(3) Hill, Frech, Landfield
NOOP(1) Northcutt
=================================
Candidate: CAN-1999-0202
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:ftp-exectar
The GNU tar command, when used in FTP sessions, may allow an attacker
to execute arbitrary commands.
VOTES:
ACCEPT(4) Hill, Frech, Northcutt, Proctor
=================================
Candidate: CAN-1999-0204
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:ident-bo
Sendmail 8.6.9 allows remote attackers to execute root commands, using
ident.
Modifications:
ADDREF XF:ident-bo
VOTES:
ACCEPT(3) Hill, Balinsky, Landfield
NOOP(1) Northcutt
REVIEWING(1) Frech
COMMENTS:
Frech> probably XF:ident-bo
=================================
Candidate: CAN-1999-0245
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19950907 Linux NIS security problem hole and fix
Reference: XF:linux-plus
Some configurations of NIS+ in Linux allowed attackers
to log in as the user "+"
Modifications:
ADDREF BUGTRAQ:19950907 Linux NIS security problem hole and fix
VOTES:
ACCEPT(3) Hill, Frech, Northcutt
MODIFY(1) Prosser
COMMENTS:
Prosser> source
Prosser> BUGTRAQ
Prosser> "Linux NIS security problem hole and fix"
Prosser> http://www.securityfocus.com/
=================================
Candidate: CAN-1999-0260
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19961224 jj cgi
Reference: XF:http-cgi-jj
The jj CGI program allows command execution via shell metacharacters.
Modifications:
ADDREF XF:http-cgi-jj
ADDREF BUGTRAQ:19961224 jj cgi
VOTES:
ACCEPT(2) Hill, Ozancin
MODIFY(1) Frech
NOOP(2) Northcutt, Landfield
COMMENTS:
Frech> XF:http-cgi-jj
=================================
Candidate: CAN-1999-0273
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:sun-telnet-kill
Denial of service through Solaris 2.5.1 telnet by sending ^D characters.
Modifications:
ADDREF XF:sun-telnet-kill
VOTES:
ACCEPT(3) Hill, Blake, Northcutt
MODIFY(1) Frech
NOOP(1) Meunier
COMMENTS:
Frech> XF:sun-telnet-kill
=================================
Candidate: CAN-1999-0281
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:http-iis-longurl
Denial of service in IIS using long URLs.
Modifications:
ADDREF XF:http-iis-longurl
VOTES:
ACCEPT(6) Hill, Blake, Wall, Balinsky, Ozancin, Northcutt
MODIFY(1) Frech
COMMENTS:
Frech> XF:http-iis-longurl
=================================
Candidate: CAN-1999-0289
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
The Apache web server for Win32 may provide access to restricted
files when a . (dot) is appended to a requested URL.
VOTES:
ACCEPT(4) Hill, Blake, Landfield, Ozancin
NOOP(1) Northcutt
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0346
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990928-02
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts
Reference: XF:http-cgi-php-mlog
CGI PHP mlog script allows an attacker to read any file on the target
server.
Modifications:
ADDREF XF:http-cgi-php-mlog
ADDREF BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts
VOTES:
ACCEPT(2) Northcutt, Proctor
MODIFY(1) Frech
COMMENTS:
Frech> XF:http-cgi-php-mlog
=================================
Candidate: CAN-1999-0348
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NTBUGTRAQ:Jan27,1999
Reference: MSKB:Q197003
IIS ASP caching problem releases sensitive information when two
virtual servers share the same physical directory.
Modifications:
ADDREF MSKB:Q197003
VOTES:
ACCEPT(4) Northcutt, Prosser, Wall, Levy
REVIEWING(1) Frech
COMMENTS:
Prosser> additional source
Prosser> MS KnowledgeBase Article Q197003
Prosser> http://support.microsoft.com/support/kb/articles/q197/0/03.asp
=================================
Candidate: CAN-1999-0350
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: L0PHT:Feb8,1999
Reference: XF:clearcase-temp-race
Race condition in the db_loader program in ClearCase gives local
users root access by setting SUID bits.
Modifications:
ADDREF XF:clearcase-temp-race
VOTES:
ACCEPT(3) Hill, Prosser, Northcutt
MODIFY(1) Frech
COMMENTS:
Frech> XF:clearcase-temp-race
=================================
Candidate: CAN-1999-0362
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: EEYE:AD02021999
Reference: XF:wsftp-remote-dos
Reference: SF:217
WS_FTP server remote denial of service through cwd command.
VOTES:
ACCEPT(4) Ozancin, Frech, Northcutt, Levy
NOOP(1) Wall
=================================
Candidate: CAN-1999-0368
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NETECT:palmetto.ftpd
Reference: CERT:CA-99.03
Reference: XF:palmetto-ftpd-bo
Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to
remote root access, a.k.a. palmetto.
Modifications:
ADDREF XF:palmetto-ftpd-bo
VOTES:
ACCEPT(2) Northcutt, Prosser
MODIFY(1) Frech
COMMENTS:
Frech> XF:palmetto-ftpd-bo
=================================
Candidate: CAN-1999-0383
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb02,1999
Reference: XF:acc-tigris-login
ACC Tigris allows public access without a login.
Modifications:
DESC change allowed to allows for consistency
VOTES:
ACCEPT(1) Ozancin
MODIFY(1) Frech
NOOP(3) Wall, Northcutt, Landfield
COMMENTS:
Frech> Change allowed to allows.
=================================
Candidate: CAN-1999-0388
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:datalynx-suguard-relative-paths
Reference: L0PHT:Jan3,1999
DataLynx suGuard trusts the PATH environment variable to execute the
ps command, allowing local users to execute commands as root.
VOTES:
ACCEPT(4) Hill, Frech, Prosser, Northcutt
=================================
Candidate: CAN-1999-0391
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990928-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: L0PHT:Jan. 5, 1999
The cryptographic challenge of SMB authentication in Windows 95 and
Windows 98 can be reused, allowing an attacker to replay the response and
impersonate a user.
Modifications:
DESC Tiny changes, spelling corrections
VOTES:
ACCEPT(4) Hill, Northcutt, Landfield, Levy
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0412
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb19,1999
Reference: XF:iis-isapi-execute
Reference: SF:501
In IIS and other web servers, an attacker can attack commands as
SYSTEM if the server is running as SYSTEM and loading an ISAPI
extension.
VOTES:
ACCEPT(2) Frech, Wall
NOOP(1) Ozancin
=================================
Candidate: CAN-1999-0424
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: SUSE:Mar18,1999
Reference: XF:netscape-talkback-overwrite
talkback in Netscape 4.5 allows a local user to overwrite
arbitrary files of another user whose Netscape crashes.
VOTES:
ACCEPT(3) Ozancin, Frech, Prosser
REVIEWING(1) Wall
COMMENTS:
Prosser> source should be
Prosser> SuSE Security Announcements
Prosser> "Security hole in Netscape Communicator's 4.5 'talkback' function"
Prosser> http://www.suse.de/security
=================================
Candidate: CAN-1999-0425
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: SUSE:Mar18,1999
Reference: XF:netscape-talkback-kill
talkback in Netscape 4.5 allows a local user to kill an arbitrary
process of another user whose Netscape crashes.
VOTES:
ACCEPT(3) Ozancin, Frech, Prosser
REVIEWING(1) Wall
COMMENTS:
Prosser> again source should be
Prosser> SuSE Security Announcements
Prosser> "Security hole in Netscape Communicator's 4.5 'talkback' function"
Prosser> http://www.suse.de/security
=================================
Candidate: CAN-1999-0437
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: ISS:WebRamp Denial of Service Attacks
Reference: XF:webramp-device-crash
Remote attackers can perform a denial of service in WebRamp systems by
sending a malicious string to the HTTP port.
Modifications:
ADDREF XF:webramp-device-crash
VOTES:
ACCEPT(2) Hill, Meunier
MODIFY(1) Frech
NOOP(2) Northcutt, Landfield
COMMENTS:
Frech> XF:webramp-device-crash
Landfield> - really should specify versions
=================================
Candidate: CAN-1999-0438
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: ISS:WebRamp Denial of Service Attacks
Reference: XF:webramp-ipchange
Remote attackers can perform a denial of service in WebRamp systems by
sending a malicious UDP packet to port 5353, changing its IP address.
Modifications:
ADDREF XF:webramp-ipchange
VOTES:
ACCEPT(2) Hill, Meunier
MODIFY(1) Frech
NOOP(2) Northcutt, Landfield
COMMENTS:
Frech> XF:webramp-ipchange
Landfield> - really should specify versions
=================================
Candidate: CAN-1999-0448
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: XF:iis-http-request-logging
IIS 4.0 and Apache log HTTP request methods, regardless of how long
they are, allowing a remote attacker to hide the URL they really
request.
VOTES:
ACCEPT(3) Frech, Wall, Levy
NOOP(2) Ozancin, Landfield
=================================
Candidate: CAN-1999-0449
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan26,1999
Reference: XF:iis-exair-dos
Reference: SF:193
Denial of service in IIS 4 with scripts from the ExAir sample site.
VOTES:
ACCEPT(4) Wall, Frech, Northcutt, Levy
=================================
Candidate: CAN-1999-0458
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan6,1999
Reference: XF:l0phtcrack-temp-files
L0phtcrack 2.5 used temporary files in the system TEMP directory which
could contain password information.
Modifications:
ADDREF XF:l0phtcrack-temp-files
VOTES:
ACCEPT(3) Hill, Prosser, Northcutt
MODIFY(1) Frech
NOOP(2) Landfield, Levy
COMMENTS:
Frech> XF:l0phtcrack-temp-files
=================================
Candidate: CAN-1999-0494
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:wingate-pop3-user-bo
Denial of service in WinGate proxy through a buffer overflow in
POP3.
VOTES:
ACCEPT(5) Hill, Frech, Northcutt, Landfield, Ozancin
=================================
Candidate: CAN-1999-0514
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: CF
Reference: XF:fraggle
UDP messages to broadcast addresses are allowed, allowing for a
Fraggle attack that can cause a denial of service by flooding the
target.
Modifications:
ADDREF XF:fraggle
DESC clarified at Landfield's prompting
VOTES:
ACCEPT(2) Hill, Northcutt
MODIFY(1) Frech
REVIEWING(1) Landfield
COMMENTS:
Frech> XF:fraggle
Landfield> System ? General Stack issue ? This is not clear.
=================================
Candidate: CAN-1999-0526
Published:
Final-Decision: 19990928
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: CF
Reference: XF:xcheck-keystroke
An X server's access control is disabled (e.g. through an "xhost +"
command) and allows anyone to connect to the server.
Modifications:
ADDREF XF:xcheck-keystroke
DESC Rephrase per Northcutt's suggestion
VOTES:
ACCEPT(4) Hill, Blake, Proctor, Balinsky
MODIFY(2) Frech, Northcutt
COMMENTS:
Frech> XF:xcheck-keystroke
Northcutt> X does have some access control as long as a user (insider) doesn't type
Northcutt> "xhost +". I don't think an outsider can disable the access.
Northcutt> Suggested phrasing "An X server's access control can be disabled e.g.
Northcutt> through an "xhost +" command and allows anyone to connect to the server."