
[PROPOSAL] Cluster RECENT-05 - 20 candidates



The following cluster contains 20 candidates, most of which were
announced between 12/30/1999 and 1/10/2000.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve


Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

=================================
Candidate: CAN-2000-0045
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000111 Serious bug in MySQL password handling.
Reference: BUGTRAQ:20000113 New MySQL Available
Reference: BID:926

MySQL allows local users to modify passwords for arbitrary MySQL users
via the GRANT privilege.


VOTE:

=================================
Candidate: CAN-2000-0046
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BID:929
Reference: BUGTRAQ:20000111 ICQ Buffer Overflow Exploit

Buffer overflow in ICQ 99b 1.1.1.1 client allows remote attackers to
execute commands via a malformed URL within an ICQ message.


VOTE:

=================================
Candidate: CAN-2000-0047
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000117 Yahoo Pager/Messanger Buffer Overflow

Buffer overflow in Yahoo Pager/Messenger client allows remote
attackers to cause a denial of service via a long URL within a
message.


VOTE:

=================================
Candidate: CAN-2000-0048
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BID:928
Reference: BUGTRAQ:20000112 Serious Bug in Corel Linux.(Local root exploit)

get_it program in Corel Linux Update allows local users to gain root
access by specifying an alternate PATH for the cp program.


VOTE:
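
Added illustration of the bug class named in this candidate (example code written for this proposal, not Corel's get_it; the trusted PATH value, the fake cp and the directory it is planted in are constructed for the demonstration): a privileged helper that resolves cp through the PATH it inherits can be pointed at a user-controlled binary, while resolving against a fixed PATH or an absolute pathname ignores the caller's environment.

```python
import os
import shutil
import stat
import tempfile

# Assumed trusted locations for system tools; a privileged helper should
# use these (or absolute paths) rather than whatever PATH it inherits.
TRUSTED_PATH = "/bin:/usr/bin"

# Constructed stand-in for a trojan "cp" that a local user could plant.
FAKE_CP = "#!/bin/sh\necho pwned >&2\n"


def plant_fake_cp():
    """Create a user-writable directory containing an executable fake cp."""
    d = tempfile.mkdtemp(prefix="attacker-")
    fake = os.path.join(d, "cp")
    with open(fake, "w") as f:
        f.write(FAKE_CP)
    os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)
    return d, fake


def resolve_unsafe(cmd, env):
    """Vulnerable pattern: PATH lookup using the caller-supplied environment."""
    return shutil.which(cmd, path=env.get("PATH", ""))


def resolve_hardened(cmd, env):
    """Hardened pattern: the inherited PATH is ignored entirely."""
    return shutil.which(cmd, path=TRUSTED_PATH)


def path_hijack_demo():
    """Run both resolvers under an attacker-controlled PATH, then clean up.

    Returns (unsafe_hit, hardened_ok): unsafe_hit is True when the vulnerable
    resolver picked the fake cp; hardened_ok is True when the hardened
    resolver still found a cp outside the attacker's directory.
    """
    attacker_dir, fake = plant_fake_cp()
    try:
        # The local user prepends their own directory, as the advisory describes.
        env = {"PATH": attacker_dir + os.pathsep + TRUSTED_PATH}
        unsafe = resolve_unsafe("cp", env)
        hardened = resolve_hardened("cp", env)
    finally:
        shutil.rmtree(attacker_dir)
    unsafe_hit = unsafe == fake
    hardened_ok = hardened is not None and not hardened.startswith(attacker_dir)
    return unsafe_hit, hardened_ok


if __name__ == "__main__":
    print(path_hijack_demo())
```

The same reasoning applies to any setuid or root-run script that spawns tools by bare name: set PATH explicitly (or call the tool by absolute path) and scrub the rest of the inherited environment before the exec.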

=================================
Candidate: CAN-2000-0060
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt
Reference: BID:894

Buffer overflow in aVirt Rover POP3 server allows remote attackers to
cause a denial of service via a long user name.


VOTE:

=================================
Candidate: CAN-2000-0063
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000118 Nortel Contivity Vulnerability
Reference: BID:938

cgiproc CGI script in Nortel Contivity HTTP server allows remote
attackers to read arbitrary files by specifying the filename in a
parameter to the script.


VOTE:
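
Added example for this candidate and for CAN-2000-0064, which concerns the same cgiproc script (example code written for this proposal, not Nortel's; the document root and the allowed character set are assumptions): how a CGI should confine an attacker-supplied filename parameter to its document root, and how to refuse parameters carrying shell metacharacters before anything reaches a shell.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed document root; the real cgiproc layout is not known from the advisory.
DOCROOT = "/usr/local/www/htdocs"

# Allowlist for a filename parameter that a wrapper might pass to a shell.
SAFE_NAME = re.compile(r"[A-Za-z0-9._/-]+")


def resolve_under_root(root, param):
    """Map an untrusted filename parameter onto a path confined to root.

    Returns the absolute path to serve, or None when the request would
    escape root (directory traversal, NUL byte) once decoded and normalised.
    """
    root = posixpath.normpath(root)
    decoded = unquote(param)          # one decoding pass, as the server does
    if "\x00" in decoded:             # NUL would truncate the name in C code
        return None
    # Interpret the parameter relative to root, even if it begins with '/'.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Compare with the separator included so /htdocs2 does not pass for /htdocs.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def is_shell_safe(param):
    """True only when the parameter contains nothing a shell could interpret.

    The proper fix is to never pass the parameter through a shell at all;
    this check is the fallback for wrappers that do.
    """
    return SAFE_NAME.fullmatch(param) is not None


if __name__ == "__main__":
    for p in ("index.html", "../../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(p, "->", resolve_under_root(DOCROOT, p), is_shell_safe(p))
```

A prefix check on the normalised string does not see symbolic links inside the root; a server that must tolerate those should additionally compare os.path.realpath of the candidate against the real root.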

=================================
Candidate: CAN-2000-0064
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000118 Nortel Contivity Vulnerability
Reference: BID:938

cgiproc CGI script in Nortel Contivity HTTP server allows remote
attackers to cause a denial of service via a malformed URL that
includes shell metacharacters.


VOTE:

=================================
Candidate: CAN-2000-0065
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: NTBUGTRAQ:20000117 Remote Buffer Exploit - InetServ 3.0

Buffer overflow in InetServ allows remote attackers to execute
commands via a long GET request.


VOTE:

=================================
Candidate: CAN-2000-0066
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000112 WebSitePro/2.3.18  is revealing Webdirectories

WebSite Pro allows remote attackers to determine the real pathname of
webdirectories via a malformed URL request.


VOTE:

=================================
Candidate: CAN-2000-0067
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000112 CyberCash MCK 3.2.0.4: Large /tmp hole

CyberCash Merchant Connection Kit (MCK) allows local users to modify
files via a symlink attack.


VOTE:
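
Added example of the /tmp symlink attack this candidate describes (example code written for this proposal, not CyberCash's MCK; the file names and the private directory standing in for /tmp are constructed): a predictable temporary name opened without O_EXCL follows a link the attacker planted first, whereas O_EXCL plus O_NOFOLLOW refuses it, and an unpredictable name from mkstemp leaves nothing to plant.

```python
import os
import shutil
import tempfile


def write_unsafe(path, data):
    """Vulnerable pattern: fixed, predictable name opened with O_CREAT but
    without O_EXCL, so an existing symlink is silently followed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def write_hardened(path, data):
    """Hardened pattern: O_EXCL rejects an existing name (a symlink counts)
    and O_NOFOLLOW refuses to traverse one; the open raises instead of writing."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def write_unpredictable(directory, data):
    """Best pattern: mkstemp picks a random name and creates it with O_EXCL,
    so there is no path the attacker can pre-plant."""
    fd, path = tempfile.mkstemp(prefix="mck-", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def symlink_demo():
    """Stage the attack in a private directory that stands in for /tmp.

    Returns (hardened_refused, victim_after_safe_writes, victim_after_unsafe).
    """
    tmp = tempfile.mkdtemp(prefix="symlink-demo-")
    try:
        victim = os.path.join(tmp, "victim.conf")      # stands in for a root-owned file
        with open(victim, "w") as f:
            f.write("original\n")
        planted = os.path.join(tmp, "mck.tmp")          # the name the attacker guessed
        os.symlink(victim, planted)                      # attacker gets there first

        hardened_refused = False
        try:
            write_hardened(planted, "x\n")
        except OSError:                                  # EEXIST: name already exists
            hardened_refused = True
        write_unpredictable(tmp, "x\n")
        with open(victim) as f:
            after_safe = f.read()                        # still untouched

        write_unsafe(planted, "attacker content\n")      # follows the link
        with open(victim) as f:
            after_unsafe = f.read()                      # victim clobbered
    finally:
        shutil.rmtree(tmp)
    return hardened_refused, after_safe, after_unsafe


if __name__ == "__main__":
    print(symlink_demo())
```

When the writer runs as root, the unsafe variant overwrites whatever the link points at; when it is not root, the write fails only because of the target's permissions, which is luck rather than a defence.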

=================================
Candidate: CAN-2000-0070
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BINDVIEW:20000113 Local Promotion Vulnerability in Windows NT 4
Reference: MS:MS00-003
Reference: MSKB:Q247869

NtImpersonateClientOfPort local procedure call in Windows NT 4.0
allows local users to gain privileges, aka "Spoofed LPC Port Request."


VOTE:

=================================
Candidate: CAN-2000-0071
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000111 IIS still revealing paths for web directories
Reference: BUGTRAQ:20000113 SV: IIS still revealing paths for web directories

IIS 4.0 allows a remote attacker to obtain the real pathname of the
document root by requesting non-existent files with .ida or .idq
extensions.


VOTE:

=================================
Candidate: CAN-2000-0072
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000118 Warning: VCasel security hole.
Reference: BID:937

Visual Casel (Vcasel) does not properly prevent users from executing
files, which allows local users to use a relative pathname to specify
an alternate file which has an approved name and possibly gain
privileges.


VOTE:

=================================
Candidate: CAN-2000-0073
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: MS:MS00-005
Reference: MSKB:Q249973

Buffer overflow in Microsoft Rich Text Format (RTF) reader allows
attackers to cause a denial of service via a malformed control word.


VOTE:

=================================
Candidate: CAN-2000-0074
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000111 PowerScripts PlusMail Vulnerablity

PowerScripts PlusMail CGI program allows remote attackers to execute
commands via a password file with improper permissions.


VOTE:

=================================
Candidate: CAN-2000-0075
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: NTBUGTRAQ:20000113 Local / Remote D.o.S Attack in Super Mail Transfer Package (SMTP) Server for WinNT Version 1.9x
Reference: BUGTRAQ:20000113 Local / Remote D.o.S Attack in Super Mail Transfer Package (SMTP) Server for WinNT Version 1.9x
Reference: BID:930

Super Mail Transfer Package (SMTP), later called MsgCore, has a memory
leak which allows remote attackers to cause a denial of service by
repeating multiple HELO, MAIL FROM, RCPT TO, and DATA commands in the
same session.


VOTE:

=================================
Candidate: CAN-2000-0076
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:19991230 vibackup.sh
Reference: DEBIAN:20000109 nvi: incorrect file removal in boot script

nviboot boot script in the Debian nvi package allows local users to
delete files via malformed entries in vi.recover.


VOTE:

=================================
Candidate: CAN-2000-0079
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000118 Re: IIS still revealing paths for web directories
Reference: BID:936

The W3C CERN httpd HTTP server allows remote attackers to determine
the real pathnames of some commands via a request for a nonexistent
URL.


VOTE:
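
Added example covering the three path-disclosure candidates in this cluster (this one, CAN-2000-0066 and CAN-2000-0071), written for this proposal rather than taken from any of the affected servers: a small response-body scanner of the kind an assessment tool would run against error pages. The sample bodies are constructed for the test; the actual error text of the affected servers is not given in this proposal, and the list of Unix top-level directories is an assumption.

```python
import re

# Filesystem paths have no business appearing in an HTTP response body.
# Windows drive paths, and Unix absolute paths under common server roots
# (assumed list; extend it for the servers you assess).
WINDOWS_PATH = re.compile(r"\b[A-Za-z]:\\(?:[^\\\s<>\"']+\\)*[^\\\s<>\"']*")
UNIX_PATH = re.compile(r"(?<![\w/])/(?:usr|var|home|opt|etc|www|export|srv)(?:/[\w.-]+)+")


def find_leaked_paths(body):
    """Return the distinct filesystem paths disclosed in a response body, in order."""
    seen, out = set(), []
    for p in WINDOWS_PATH.findall(body) + UNIX_PATH.findall(body):
        if p not in seen:
            seen.add(p)
            out.append(p)
    return out


# Constructed sample bodies (not captured from real servers): one Windows-style
# and one Unix-style error page that leak a path, and one clean 404.
SAMPLES = {
    "windows_error": "<html>Cannot open file C:\\InetPub\\wwwroot\\scripts\\missing.idq</html>",
    "unix_error": "Error: /usr/local/httpd/cgi-bin/missing not found",
    "clean_404": "<html><body>404 Not Found</body></html>",
}


def scan_samples():
    """Run the scanner over every sample and map sample name to leaked paths."""
    return {name: find_leaked_paths(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, paths in scan_samples().items():
        print(name, "->", paths or "no path disclosed")
```

In practice the requests that trigger these leaks are for nonexistent resources, so the scanner is pointed at the server's 404 and script-error responses rather than at normal pages.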

=================================
Candidate: CAN-2000-0086
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000116 TB2 Pro sending NT passwords cleartext
Reference: BID:935

Netopia Timbuktu Pro sends user IDs and passwords in cleartext, which
allows remote attackers to obtain them via sniffing.


VOTE:

=================================
Candidate: CAN-2000-0087
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000113 Misleading sense of security in Netscape

Netscape Mail Notification (nsnotify) utility in Netscape Communicator
uses IMAP without SSL, even if the user has set a preference for
Communicator to use an SSL connection, allowing a remote attacker to
sniff usernames and passwords in plaintext.


VOTE:

Page Last Updated or Reviewed: May 22, 2007