[PROPOSAL] Cluster 53 (RECENT-04) - 43 candidates
The following cluster contains 43 candidates, all of which were
announced between 12/20/1999 and 1/1/2000.
If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.
Proposed: 1/10/00
Scheduled Interim Decision: 1/24/00
Scheduled Final Decision: 1/28/00
Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------
ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.
1) Please write your vote on the line that starts with "VOTE: ". If
you want to add comments or details, add them to lines after the
VOTE: line.
2) If you see any missing references, please mention them so that they
can be included. References help greatly during mapping.
3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
So if you don't have sufficient information for a candidate but you
don't want to NOOP, use a REVIEWING.
********** NOTE ********** NOTE ********** NOTE ********** NOTE **********
Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.
=================================
Candidate: CAN-2000-0001
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 RealMedia Server 5.0 Crasher (rmscrash.c)
RealMedia server allows remote attackers to cause a denial of service
via a long ramgen request.
VOTE:
=================================
Candidate: CAN-2000-0002
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: NTBUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Reference: BUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Buffer overflow in ZBServer Pro allows remote attackers to execute
commands via a long GET request.
VOTE:
=================================
Candidate: CAN-2000-0003
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 UnixWare rtpm exploit + discussion
Buffer overflow in UnixWare rtpm program allows local users to gain
privileges via a long environmental variable.
VOTE:
=================================
Candidate: CAN-2000-0004
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: NTBUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Reference: BUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
ZBServer Pro allows remote attackers to read source code for
executable files by inserting a . (dot) into the URL.
VOTE:
=================================
Candidate: CAN-2000-0005
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 aserver.sh
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108
HP-UX aserver program allows local users to gain privileges via a
symlink attack.
VOTE:
=================================
Candidate: CAN-2000-0006
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991225 strace can lie
strace allows local users to read arbitrary files via memory mapped
file names.
VOTE:
=================================
Candidate: CAN-2000-0007
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 PC-Cillin 6.x DoS Attack
Trend Micro PC-Cillin does not restrict access to its internal
proxy port, allowing remote attackers to conduct a denial of service.
VOTE:
=================================
Candidate: CAN-2000-0008
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:19991227 FTPPro insecuities
FTPPro allows local users to read sensitive information, which is
stored in plain text.
VOTE:
=================================
Candidate: CAN-2000-0009
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 bna,sh
Reference: BID:907
bna_pass program in Optivity NETarchitect allows local users to gain
privileges via a symlink attack.
VOTE:
=================================
Candidate: CAN-2000-0010
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991226 WebWho+ ADVISORY
WebWho+ whois.cgi program allows remote attackers to execute commands
via shell metacharacters in the TLD parameter.
VOTE:
=================================
Candidate: CAN-2000-0011
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991231 Local / Remote GET Buffer Overflow Vulnerability in AnalogX SimpleServer:WWW HTTP Server v1.1
Reference: BID:906
Buffer overflow in AnalogX SimpleServer:WWW allows remote attackers to
execute commands via a long GET request.
VOTE:
=================================
Candidate: CAN-2000-0012
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991227 remote buffer overflow in miniSQL
Reference: BID:898
Buffer overflow in w3-msql CGI program in miniSQL package allows
remote attackers to execute commands.
VOTE:
=================================
Candidate: CAN-2000-0013
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991231 irix-soundplayer.sh
Reference: BID:909
IRIX midikeys program allows local users to gain privileges via a
symlink attack.
VOTE:
=================================
Candidate: CAN-2000-0014
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991228 Local / Remote D.o.S Attack in Savant Web Server V2.0 WIN9X / NT / 2K
Reference: BID:897
Denial of service in Savant web server via a null character in the
requested URL.
VOTE:
=================================
Candidate: CAN-2000-0015
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991231 tftpserv.sh
Reference: BID:910
CascadeView TFTP server allows local users to gain privileges via a
symlink attack.
VOTE:
=================================
Candidate: CAN-2000-0016
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: NTBUGTRAQ:19991001 Vulnerabilities in the Internet Anywhere Mail Server
Reference: BUGTRAQ:19991227 Remote DoS/Access Attack in Internet Anywhere Mail Server(POP 3) v2.3.1
Reference: BID:730
Buffer overflow in Internet Anywhere POP3 Mail Server allows remote
attackers to cause a denial of service or execute commands via a long
username.
VOTE:
=================================
Candidate: CAN-2000-0017
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 (Possible) Linuxconf Remote Buffer Overflow Vulnerability
Buffer overflow in Linux linuxconf package allows remote attackers to
gain root privileges via a long parameter.
VOTE:
=================================
Candidate: CAN-2000-0018
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 Wmmon under FreeBSD
wmmon in FreeBSD allows local users to gain privileges via the
.wmmonrc configuration file.
VOTE:
=================================
Candidate: CAN-2000-0019
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 [w00giving '99 #11] IMail's password encryption scheme
IMail POP3 daemon uses weak encryption, which allows local users to
read files.
VOTE:
=================================
Candidate: CAN-2000-0020
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: NTBUGTRAQ:19991221 Remote D.o.S Attack in DNS PRO v5.7 WinNT From FBLI Software Vulnerability
Reference: BUGTRAQ:19991221 Remote D.o.S Attack in DNS PRO v5.7 WinNT From FBLI Software Vulnerability
DNS PRO allows remote attackers to conduct a denial of service via a
large number of connections.
VOTE:
=================================
Candidate: CAN-2000-0021
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack
Lotus Domino HTTP server allows remote attackers to determine the real
path of the server via a request to a non-existent script in
/cgi-bin.
VOTE:
=================================
Candidate: CAN-2000-0022
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack
Lotus Domino HTTP server does not properly disable anonymous access
for the cgi-bin directory.
VOTE:
=================================
Candidate: CAN-2000-0023
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991222 Lotus Notes HTTP cgi-bin vulnerability: possible workaround
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack
Buffer overflow in Lotus Domino HTTP server allows remote attackers to
cause a denial of service via a long URL.
VOTE:
=================================
Candidate: CAN-2000-0024
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: MS:MS99-061
Reference: BUGTRAQ:19991228 Third Party Software Affected by IIS "Escape Character Parsing" Vulnerability
Reference: BUGTRAQ:19991229 More info on MS99-061 (IIS escape character vulnerability)
IIS does not properly canonicalize URLs, potentially allowing remote
attackers to bypass access restrictions in third-party software via
escape characters, aka the "Escape Character Parsing" vulnerability.
VOTE:
=================================
Candidate: CAN-2000-0025
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: MS:MS99-058
IIS 4.0 and Site Server 3.0 allow remote attackers to read source code
for ASP files if the file is in a virtual directory whose name
includes extensions such as .com, .exe, .sh, .cgi, or .dll, aka the
"Virtual Directory Naming" vulnerability.
VOTE:
=================================
Candidate: CAN-2000-0026
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 UnixWare i2odialogd remote root exploit
Buffer overflow in UnixWare i2odialogd daemon allows remote attackers
to gain root access via a long username/password authorization
string.
VOTE:
=================================
Candidate: CAN-2000-0027
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991227 IBM NetStation/UnixWare local root exploit
Reference: BID:900
IBM Network Station Manager NetStation allows local users to gain
privileges via a symlink attack.
VOTE:
=================================
Candidate: CAN-2000-0028
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 IE 5.01 vulnerabilities in external.NavigateAndFind()
Internet Explorer 5.0 and 5.01 allow remote attackers to bypass the
cross frame security policy and read files via the
external.NavigateAndFind function.
VOTE:
=================================
Candidate: CAN-2000-0029
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991227 UnixWare local pis exploit
Reference: BID:901
UnixWare pis and mkpis commands allow local users to gain privileges
via a symlink attack.
VOTE:
=================================
Candidate: CAN-2000-0030
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 Solaris 2.7 dmispd local/remote problems
Solaris dmispd dmi_cmd allows local users to fill up restricted disk
space by adding files to the /var/dmi/db database.
VOTE:
=================================
Candidate: CAN-2000-0031
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: L0PHT:19991227 initscripts-4.48-1 RedHat Linux 6.1
Reference: REDHAT:RHSA-1999:052-04
The initscripts package in Red Hat Linux allows local users to gain
privileges via a symlink attack.
VOTE:
=================================
Candidate: CAN-2000-0032
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 Solaris 2.7 dmispd local/remote problems
Solaris dmi_cmd allows local users to crash the dmispd daemon by
adding a malformed file to the /var/dmi/db database.
VOTE:
=================================
Candidate: CAN-2000-0033
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991227 Trend Micro InterScan VirusWall SMTP bug
Reference: BID:899
InterScan VirusWall SMTP scanner does not properly scan messages with
malformed attachments.
VOTE:
=================================
Candidate: CAN-2000-0034
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 More Netscape Passwords Available.
Netscape 4.7 records user passwords in the preferences.js file during
an IMAP or POP session, even if the user has not enabled "remember
passwords."
VOTE:
=================================
Candidate: CAN-2000-0035
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991228 majordomo local exploit
Reference: BID:902
resend command in Majordomo allows local users to gain privileges via
shell metacharacters.
VOTE:
=================================
Candidate: CAN-2000-0036
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: MS:MS99-060
Reference: MSKB:Q249082
Outlook Express 5 for Macintosh downloads attachments to HTML mail
without prompting the user, aka the "HTML Mail Attachment"
vulnerability.
VOTE:
=================================
Candidate: CAN-2000-0037
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991228 majordomo local exploit
Reference: BID:903
Majordomo wrapper allows local users to gain privileges by specifying
an alternate configuration file.
VOTE:
=================================
Candidate: CAN-2000-0038
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: CF
Reference: BUGTRAQ:19991223 Multiple vulnerabilites in glFtpD (current versions)
glFtpD includes a default glftpd user account with a default password
and a UID of 0.
VOTE:
=================================
Candidate: CAN-2000-0039
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991229 AltaVista
Reference: BUGTRAQ:19991230 Follow UP AltaVista
Reference: BUGTRAQ:19991229 AltaVista followup and monitor script
Reference: BUGTRAQ:20000103 FW: Patch issued for AltaVista Search Engine Directory TraversalVulnerability
Reference: BID:896
AltaVista search engine allows remote attackers to read files above
the document root via a .. (dot dot) in the query program.
VOTE:
=================================
Candidate: CAN-2000-0040
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991223 Multiple vulnerabilites in glFtpD (current versions)
glFtpD allows local users to gain privileges via metacharacters in the
SITE ZIPCHK command.
VOTE:
=================================
Candidate: CAN-2000-0041
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991229 The "Mac DoS Attack," a Scheme for Blocking Internet Connections
Reference: BID:890
Macintosh systems generate large ICMP datagrams in response to
malformed datagrams, allowing them to be used as amplifiers in a flood
attack.
VOTE:
=================================
Candidate: CAN-2000-0042
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991229 Local / Remote D.o.S Attack in CSM Mail Server for Windows 95/NT v.2000.08.A
Reference: BID:895
Buffer overflow in CSM mail server allows remote attackers to cause a
denial of service or execute commands via a long HELO command.
VOTE:
=================================
Candidate: CAN-2000-0043
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 Local / Remote GET Buffer Overflow Vulnerability in CamShot WebCam HTTP Server v2.5 for Win9x/NT
Reference: BID:905
Buffer overflow in CamShot WebCam HTTP server allows remote attackers
to execute commands via a long GET request.
VOTE: