
[PROPOSAL] Cluster 48 - WEB (35 candidates)



The following cluster contains 35 candidates which are related to WWW
servers or browsers.

- Steve


Proposed: 12/13
Scheduled Proposed: 12/13
Scheduled Interim Decision: 12/27
Scheduled Final Decision: 12/31



Summary of votes to use (in ascending order of "severity"):

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

=================================
Candidate: CAN-1999-0677
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: CF
Reference: BUGTRAQ:19990802 [LoWNOISE] Password hunting with webramp
Reference: BID:577

The WebRamp web administration utility has a default password.

VOTE:

=================================
Candidate: CAN-1999-0685
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19991209 Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow
Reference: BID:618

Buffer overflow in Netscape Communicator via EMBED tags.

VOTE:

=================================
Candidate: CAN-1999-0695
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ: [Sybase] software vendors do not think about old bugs
Reference: XF:http-powerdynamo-dotdotslash
Reference: BID:620

The Sybase PowerDynamo personal web server allows attackers to
read arbitrary files through a .. (dot dot) attack.

VOTE:

=================================
Candidate: CAN-1999-0699
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BID:623

The Bluestone Sapphire web server allows session hijacking via easily
guessable session IDs.

VOTE:

=================================
Candidate: CAN-1999-0744
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: ISS:Buffer Overflow in Netscape Enterprise and FastTrack Web Servers
Reference: BID:603

Buffer overflow in Netscape Enterprise Server and FastTrack Server via
a long HTTP GET request.

VOTE:

=================================
Candidate: CAN-1999-0751
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990913 Accept overflow on Netscape Enterprise Server 3.6 SP2
Reference: BID:631

Buffer overflow in Accept command in Netscape Enterprise Server 3.6
with the SSL Handshake Patch.

VOTE:

=================================
Candidate: CAN-1999-0752
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990706 Netscape Enterprise Server SSL Handshake Bug

Buffer overflow in Netscape Enterprise Server via SSL handshake.

VOTE:

=================================
Candidate: CAN-1999-0753
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: unknown
Reference: BUGTRAQ:19990817 Stupid bug in W3-msql
Reference: BID:591

The w3-msql CGI script provided with Mini SQL allows remote attackers
to view restricted directories.

VOTE:

=================================
Candidate: CAN-1999-0762
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: XF:netscape-title
Reference: BUGTRAQ:19990524 Netscape Communicator JavaScript in <TITLE> security vulnerability

When JavaScript is embedded within the TITLE tag, Netscape
Communicator allows a remote attacker to use the "about" protocol to
gain access to browser information.

VOTE:

=================================
Candidate: CAN-1999-0776
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: NTBUGTRAQ:19990506 ".."-hole in Alibaba 2.0
Reference: XF:http-alibaba-dotdot

Alibaba HTTP server allows remote attackers to read files via a
.. (dot dot) attack.

VOTE:

=================================
Candidate: CAN-1999-0790
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF

A remote attacker can read information from a Netscape user's cache
via JavaScript.

VOTE:

=================================
Candidate: CAN-1999-0807
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: XF:netscape-dirsvc-password

The Netscape Directory Server installation procedure leaves sensitive
information in a file that is accessible to local users.

VOTE:

=================================
Candidate: CAN-1999-0809
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990709 Communicator 4.[56]x, JavaScript used to bypass cookie settings

Netscape Communicator 4.x with JavaScript enabled does not warn a user
of cookie settings, even if they have selected the option to "Only
accept cookies originating from the same server as the page being
viewed".

VOTE:

=================================
Candidate: CAN-1999-0876
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: MSKB:Q185959
Reference: MSKB:Q176697

Buffer overflow in Internet Explorer 4.0 via EMBED tag.

VOTE:

=================================
Candidate: CAN-1999-0881
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991025 Falcon Web Server
Reference: BINDVIEW:Falcon Web Server

Falcon web server allows remote attackers to read arbitrary files via
a .. (dot dot) attack.

VOTE:

=================================
Candidate: CAN-1999-0882
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991025 Falcon Web Server
Reference: BINDVIEW:Falcon Web Server

Falcon web server allows remote attackers to determine the absolute
path of the web root via long file names.

VOTE:

=================================
Candidate: CAN-1999-0883
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991024 RFP9905: Zeus webserver remote root compromise
Reference: BID:742

Zeus web server allows remote attackers to read arbitrary files by
specifying the file name in an option to the search engine.

VOTE:

=================================
Candidate: CAN-1999-0884
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991024 RFP9905: Zeus webserver remote root compromise
Reference: BID:742

The Zeus web server administrative interface uses weak encryption for
its passwords.

VOTE:

=================================
Candidate: CAN-1999-0885
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991103 More Alibaba Web Server problems...
Reference: BID:770

Alibaba web server allows remote attackers to execute commands via a
pipe character in a malformed URL.

VOTE:

=================================
Candidate: CAN-1999-0887
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991104 FTGate Version 2.1 Web interface Server Directory Traversal Vulnerability
Reference: EEYE:AD05261999

FTGate web interface server allows remote attackers to read files via
a .. (dot dot) attack.

VOTE:

=================================
Candidate: CAN-1999-0892
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991018 Netscape 4.x buffer overflow

Buffer overflow in Netscape Communicator before 4.7 via a dynamic font
whose length field is less than the size of the font.

VOTE:

=================================
Candidate: CAN-1999-0897
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990908 bug in iChat 3.0 (maybe others)

iChat ROOMS Webserver allows remote attackers to read arbitrary files
via a .. (dot dot) attack.

VOTE:

=================================
Candidate: CAN-1999-0913
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990804 NSW Dragon Fire gets drowned
Reference: BID:564

dfire.cgi script in Dragon-Fire IDS allows remote users to execute
commands via shell metacharacters.

VOTE:

=================================
Candidate: CAN-1999-0915
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991028 URL Live! 1.0 WebServer
Reference: BID:746

URL Live! web server allows remote attackers to read arbitrary files
via a .. (dot dot) attack.

VOTE:

=================================
Candidate: CAN-1999-0929
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990616 Novell NetWare webservers DoS

Novell NetWare with Novell-HTTP-Server or YAWN web servers allows
remote attackers to conduct a denial of service via a large number of
HTTP GET requests.

VOTE:

=================================
Candidate: CAN-1999-0933
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991001 RFP9904: TeamTrack webserver vulnerability
Reference: BID:689

TeamTrack web server allows remote attackers to read arbitrary files
via a .. (dot dot) attack.

VOTE:

=================================
Candidate: CAN-1999-0934
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: EL8:19991215 Classifieds (classifieds.cgi)

classifieds.cgi allows remote attackers to read arbitrary files via
shell metacharacters.

VOTE:

=================================
Candidate: CAN-1999-0935
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: EL8:19991215 Classifieds (classifieds.cgi)

classifieds.cgi allows remote attackers to execute arbitrary commands
by specifying them in a hidden variable in a CGI form.

VOTE:

=================================
Candidate: CAN-1999-0936
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: EL8:19981203 BNBSurvey (survey.cgi)

BNBSurvey survey.cgi program allows remote attackers to execute
commands via shell metacharacters.

VOTE:

=================================
Candidate: CAN-1999-0937
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: EL8:19981203 BNBForm (bnbform.cgi)

BNBForm allows remote attackers to read arbitrary files via the
automessage hidden form variable.

VOTE:

=================================
Candidate: CAN-1999-0943
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991015 OpenLink 3.2 Advisory

Buffer overflow in OpenLink 3.2 allows remote attackers to gain
privileges via a long GET request to the web configurator.

VOTE:

=================================
Candidate: CAN-1999-0947
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares
Reference: BID:762

AN-HTTPd provides example CGI scripts test.bat, input.bat, input2.bat,
and envout.bat, which allow remote attackers to execute commands via
shell metacharacters.

VOTE:

=================================
Candidate: CAN-1999-0951
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991022 Imagemap CGI overflow exploit
Reference: BID:739

Buffer overflow in OmniHTTPd CGI program imagemap.cgi allows remote
attackers to execute commands.

VOTE:

=================================
Candidate: CAN-1999-0953
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: CF
Reference: BUGTRAQ:19980903 wwwboard.pl vulnerability
Reference: BUGTRAQ:19990916 More fun with WWWBoard

WWWBoard stores encrypted passwords in a password file that is
under the web root and thus accessible by remote attackers.

VOTE:

=================================
Candidate: CAN-1999-0967
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: L0PHT:19971101 Microsoft Internet Explorer 4.0 Suite

Buffer overflow in the HTML library used by Internet Explorer, Outlook
Express, and Windows Explorer via the res: local resource protocol.

VOTE:

Page Last Updated or Reviewed: May 22, 2007