[INTERIM] ACCEPT 26 candidates from WEB (Final 1/3/2000)

To: cve-editorial-board-list@lists.mitre.org
Subject: [INTERIM] ACCEPT 26 candidates from WEB (Final 1/3/2000)
From: "Steven M. Christey" <coley@linus.mitre.org>
Date: Wed, 29 Dec 1999 02:02:52 -0500 (EST)
Delivery-Date: Wed Dec 29 02:05:32 1999
Sender: owner-cve-editorial-board-list@lists.mitre.org
I have made an Interim Decision to ACCEPT the following 26 candidates
from the WEB cluster.  I will make a Final Decision on January 3,
2000.

Voters:
  Cole ACCEPT(19) MODIFY(7)
  Stracener ACCEPT(26)
  Blake ACCEPT(26)


- Steve


=================================
Candidate: CAN-1999-0685
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19991209 Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow
Reference: BID:618

Buffer overflow in Netscape Communicator via EMBED tags in the
pluginspage option.

Modifications:
  DESC Add pluginspage option

INFERRED VOTE: CAN-1999-0685 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Blake, Stracener
   MODIFY(1) Cole

COMMENTS:
 Cole> This is located in the buffer is in the 'plugins page' option. This
 Cole> vulnerability can be exploited by a malicious webpage.


=================================
Candidate: CAN-1999-0695
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990904 [Sybase] software vendors do not think about old bugs
Reference: XF:http-powerdynamo-dotdotslash
Reference: BID:620

The Sybase PowerDynamo personal web server allows attackers to
read arbitrary files through a .. (dot dot) attack.

Modifications:
  CHANGEREF BUGTRAQ [add date]

INFERRED VOTE: CAN-1999-0695 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Blake, Stracener
   MODIFY(1) Cole

COMMENTS:
 Cole> It allows the entire drive to be read.


=================================
Candidate: CAN-1999-0699
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BID:623

The Bluestone Sapphire web server allows session hijacking via easily
guessable session IDs.

INFERRED VOTE: CAN-1999-0699 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0744
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: ISS:Buffer Overflow in Netscape Enterprise and FastTrack Web Servers
Reference: BID:603

Buffer overflow in Netscape Enterprise Server and FastTrask Server
allows remote attackers to gain privileges via a long HTTP GET
request.

Modifications:
  DESC Add remote compromise

INFERRED VOTE: CAN-1999-0744 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Blake, Stracener
   MODIFY(1) Cole

COMMENTS:
 Cole> This can lead to a remote system compromise.


=================================
Candidate: CAN-1999-0751
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990913 Accept overflow on Netscape Enterprise Server 3.6 SP2
Reference: BID:631

Buffer overflow in Accept command in Netscape Enterprise Server 3.6
with the SSL Handshake Patch.

INFERRED VOTE: CAN-1999-0751 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Blake, Stracener
   MODIFY(1) Cole

COMMENTS:
 Cole> This allows a DOS attack or arbitray commands to be executed.


=================================
Candidate: CAN-1999-0752
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990706 Netscape Enterprise Server SSL Handshake Bug

Denial of service in Netscape Enterprise Server via a buffer overflow
in the SSL handshake.

Modifications:
  DESC

INFERRED VOTE: CAN-1999-0752 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Blake, Stracener
   MODIFY(1) Cole

COMMENTS:
 Cole> I would be more specific.


=================================
Candidate: CAN-1999-0762
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: XF:netscape-title
Reference: BUGTRAQ:19990524 Netscape Communicator JavaScript in <TITLE> security vulnerability

When Javascript is embedded within the TITLE tag, Netscape
Communicator allows a remote attacker to use the "about" protocol to
gain access to browser information.

INFERRED VOTE: CAN-1999-0762 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0807
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: XF:netscape-dirsvc-password

The Netscape Directory Server installation procedure leaves sensitive
information in a file that is accessible to local users.

INFERRED VOTE: CAN-1999-0807 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0809
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990709 Communicator 4.[56]x, JavaScript used to bypass cookie settings

Netscape Communicator 4.x with Javascript enabled does not warn a user
of cookie settings, even if they have selected the option to "Only
accept cookies originating from the same server as the page being
viewed"

INFERRED VOTE: CAN-1999-0809 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0876
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: MSKB:Q185959
Reference: MSKB:Q176697

Buffer overflow in Internet Explorer 4.0 via EMBED tag.

INFERRED VOTE: CAN-1999-0876 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0883
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991024 RFP9905: Zeus webserver remote root compromise
Reference: BID:742

Zeus web server allows remote attackers to read arbitrary files by
specifying the file name in an option to the search engine.

INFERRED VOTE: CAN-1999-0883 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0884
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991024 RFP9905: Zeus webserver remote root compromise
Reference: BID:742

The Zeus web server administrative interface uses weak encryption for
its passwords.

INFERRED VOTE: CAN-1999-0884 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0887
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991104 FTGate Version 2.1 Web interface Server Directory Traversal Vulnerability
Reference: EEYE:AD05261999

FTGate web interface server allows remote attackers to read files via
a .. (dot dot) attack.

INFERRED VOTE: CAN-1999-0887 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0892
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991018 Netscape 4.x buffer overflow

Buffer overflow in Netscape Communicator before 4.7 via a dynamic font
whose length field is less than the size of the font.

INFERRED VOTE: CAN-1999-0892 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0915
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991028 URL Live! 1.0 WebServer
Reference: BID:746

URL Live! web server allows remote attackers to read arbitrary files
via a .. (dot dot) attack.

INFERRED VOTE: CAN-1999-0915 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0929
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990616 Novell NetWare webservers DoS

Novell NetWare with Novell-HTTP-Server or YAWN web servers allows
remote attackers to conduct a denial of service via a large number of
HTTP GET requests.

CONTENT-DECISIONS: SF-CODEBASE

INFERRED VOTE: CAN-1999-0929 ACCEPT (3 accept, 0 review) HAS_CDS

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0933
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991001 RFP9904: TeamTrack webserver vulnerability
Reference: BID:689

TeamTrack web server allows remote attackers to read arbitrary files
via a .. (dot dot) attack.

INFERRED VOTE: CAN-1999-0933 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0934
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: EL8:19991215 Classifieds (classifieds.cgi)

classifieds.cgi allows remote attackers to read arbitrary files via
shell metacharacters.

INFERRED VOTE: CAN-1999-0934 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0935
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: EL8:19991215 Classifieds (classifieds.cgi)

classifieds.cgi allows remote attackers to execute arbitrary commands
by specifying them in a hidden variable in a CGI form.

INFERRED VOTE: CAN-1999-0935 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0936
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: EL8:19981203 BNBSurvey (survey.cgi)

BNBSurvey survey.cgi program allows remote attackers to execute
commands via shell metacharacters.

INFERRED VOTE: CAN-1999-0936 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0937
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: EL8:19981203 BNBForm (bnbform.cgi)

BNBForm allows remote attackers to read arbitrary files via the
automessage hidden form variable.

INFERRED VOTE: CAN-1999-0937 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0943
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991015 OpenLink 3.2 Advisory

Buffer overflow in OpenLink 3.2 allows remote attackers to gain
privileges via a long GET request to the web configurator.

INFERRED VOTE: CAN-1999-0943 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0947
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares
Reference: BID:762

AN-HTTPd provides example CGI scripts test.bat, input.bat, input2.bat,
and envout.bat, which allow remote attackers to execute commands via
shell metacharacters.

INFERRED VOTE: CAN-1999-0947 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Blake, Stracener
   MODIFY(1) Cole

COMMENTS:
 Cole> This is due to poor error checking.


=================================
Candidate: CAN-1999-0951
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991022 Imagemap CGI overflow exploit
Reference: BID:739

Buffer overflow in OmniHTTPd CGI program imagemap.cgi allows remote
attackers to execute commands.

Modifications:
  DESC fix typo

INFERRED VOTE: CAN-1999-0951 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Blake, Stracener
   MODIFY(1) Cole

COMMENTS:
 Cole> Minor spelling error teo xecute..


=================================
Candidate: CAN-1999-0953
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: CF
Reference: BUGTRAQ:19980903 wwwboard.pl vulnerability
Reference: BUGTRAQ:19990916 More fun with WWWBoard

WWWBoard stores encrypted passwords in a password file that is
under the web root and thus accessible by remote attackers.

INFERRED VOTE: CAN-1999-0953 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0967
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: L0PHT:19971101 Microsoft Internet Explorer 4.0 Suite

Buffer overflow in the HTML library used by Internet Explorer, Outlook
Express, and Windows Explorer via the res: local resource protocol.

INFERRED VOTE: CAN-1999-0967 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener
Prev by Date: [INTERIM] ACCEPT 17 candidates from UNIX-VEN (Final 1/3/2000)
Next by Date: [INTERIM] ACCEPT 17 candidates from various clusters (Final 1/3/2000)
Prev by thread: [INTERIM] ACCEPT 17 candidates from UNIX-VEN (Final 1/3/2000)
Next by thread: [INTERIM] ACCEPT 17 candidates from various clusters (Final 1/3/2000)
Index(es):
- Date
- Thread