
[PROPOSAL] Cluster RECENT-06 - 24 candidates



The following cluster contains 24 candidates, all of which were
announced between 1/10/2000 and 1/18/2000.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve


Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

=================================
Candidate: CAN-2000-0044
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000105 SECURITY ALERT - WAR FTP DAEMON ALL VERSIONS
Reference: BID:919

Macros in War FTP 1.70 and 1.67b2 allow local or remote attackers to
read arbitrary files or execute commands.


VOTE:

=================================
Candidate: CAN-2000-0049
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BID:925
Reference: NTBUGTRAQ:20000107 Winamp buffer overflow advisory
Reference: BUGTRAQ:20000109 Buffer overflow with WinAmp 2.10

Buffer overflow in Winamp client allows remote attackers to execute
commands via a long entry in a .pls file.


VOTE:

=================================
Candidate: CAN-2000-0050
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BID:915
Reference: ALLAIRE:ASB00-01

The Allaire Spectra Webtop allows authenticated users to access other
Webtop sections by specifying explicit URLs.


VOTE:

=================================
Candidate: CAN-2000-0051
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BID:916
Reference: ALLAIRE:ASB00-02

The Allaire Spectra Configuration Wizard allows remote attackers to
cause a denial of service by repeatedly resubmitting data collections
for indexing via a URL.


VOTE:

=================================
Candidate: CAN-2000-0052
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BID:913
Reference: L0PHT:20000104 PamSlam
Reference: REDHAT:RHSA-2000:001-01

Red Hat userhelper program in the usermode package allows local users
to gain root access via PAM and a .. (dot dot) attack.


VOTE:

=================================
Candidate: CAN-2000-0053
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BID:912
Reference: MS:MS00-001
Reference: MSKB:Q246731

Microsoft Commercial Internet System (MCIS) IMAP server allows remote
attackers to cause a denial of service via a malformed IMAP request.


VOTE:

=================================
Candidate: CAN-2000-0054
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000104 Another search.cgi vulnerability
Reference: BID:921

search.cgi in the SolutionScripts Home Free package allows remote
attackers to view directories via a .. (dot dot) attack.


VOTE:

=================================
Candidate: CAN-2000-0055
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000106 [Hackerslab bug_paper] Solaris chkperm buffer overflow
Reference: BID:918

Buffer overflow in Solaris chkperm command allows local users to
gain root access via a long -n option.


VOTE:

=================================
Candidate: CAN-2000-0056
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000105 Local / Remote D.o.S Attack in IMail IMONITOR Server for WinNT Version 5.08
Reference: BID:914

IMail IMONITOR status.cgi CGI script allows remote attackers to cause
a denial of service with many calls to status.cgi.


VOTE:

=================================
Candidate: CAN-2000-0057
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BID:917
Reference: ALLAIRE:ASB00-03

Cold Fusion CFCACHE tag places temporary cache files within the web
document root, allowing remote attackers to obtain sensitive system
information.


VOTE:

=================================
Candidate: CAN-2000-0058
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: http://www.security-express.com/archives/bugtraq/2000-01/0085.html
Reference: BUGTRAQ:20000105 Handspring Visor Network HotSync Security Hole
Reference: BID:920

Network HotSync program in Handspring Visor does not have
authentication, which allows remote attackers to retrieve email and
files.


VOTE:

=================================
Candidate: CAN-2000-0059
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000103 PHP3 safe_mode and popen()
Reference: BID:911

PHP3 with safe_mode enabled does not properly filter shell
metacharacters from commands that are executed by popen, which could
allow remote attackers to execute commands.


VOTE:

=================================
Candidate: CAN-2000-0061
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000107 IE 5 security vulnerablity - circumventing Cross-frame security policy and accessing the DOM of "old" documents.
Reference: BID:923

Internet Explorer 5 does not modify the security zone for a document
that is being loaded into a window until after the document has been
loaded, which could allow remote attackers to execute Javascript in a
different security context while the document is loading.


VOTE:

=================================
Candidate: CAN-2000-0062
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BID:922
Reference: BUGTRAQ:20000104 [petrilli@digicool.com: [Zope] SECURITY ALERT]

The DTML implementation in the Z Object Publishing Environment (Zope)
allows remote attackers to conduct unauthorized activities.


VOTE:

=================================
Candidate: CAN-2000-0068
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000104 [rootshell] Security Bulletin #27

daynad program in Intel InBusiness E-mail Station does not require
authentication, which allows remote attackers to modify its
configuration, delete files, or read mail.


VOTE:

=================================
Candidate: CAN-2000-0069
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000104 Security problem with Solstice Backup/Legato Networker recover command

The recover program in Solstice Backup allows local users to restore
sensitive files.


VOTE:

=================================
Candidate: CAN-2000-0077
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108

The October 1998 version of the HP-UX aserver program allows local
users to gain privileges by specifying an alternate PATH which aserver
uses to find the ps and grep commands.


VOTE:

=================================
Candidate: CAN-2000-0078
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108

The June 1999 version of the HP-UX aserver program allows local users
to gain privileges by specifying an alternate PATH which aserver uses
to find the awk command.


VOTE:

=================================
Candidate: CAN-2000-0080
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000110 2nd attempt: AIX techlibss follows links
Reference: BID:931

AIX techlibss allows local users to overwrite files via a symlink
attack.


VOTE:

=================================
Candidate: CAN-2000-0081
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000110 Yet another Hotmail security hole - injecting JavaScript using "jAvascript:"

Hotmail does not properly filter JavaScript code from a user's
mailbox, which allows a remote attacker to execute the code by using
hexadecimal codes to specify the javascript: protocol,
e.g. jAvascript.


VOTE:

=================================
Candidate: CAN-2000-0082
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: http://net4tv.com/voice/story.cfm?StoryID=1823
Reference: MISC:http://www.wired.com/news/technology/0,1282,33420,00.html
Reference: BUGTRAQ:20000104 The WebTV Email Exploit

WebTV email client allows remote attackers to force the client to send
email without the user's knowledge via HTML.


VOTE:

=================================
Candidate: CAN-2000-0083
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: HP:HPSBUX0001-109

HP asecure creates the Audio Security File audio.sec with insecure
permissions, which allows local users to cause a denial of service or
gain additional privileges.


VOTE:

=================================
Candidate: CAN-2000-0084
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000105 CuteFTP saved password 'encryption' weakness

CuteFTP uses weak encryption to store password information in its
tree.dat file.


VOTE:

=================================
Candidate: CAN-2000-0085
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000103 Hotmail security hole - injecting JavaScript using <IMG LOWSRC="javascript:....">
Reference: BUGTRAQ:20000104 Yet another Hotmail security hole - injecting JavaScript in IE using <IMG DYNRC="javascript:....">

Hotmail does not properly filter JavaScript code from a user's
mailbox, which allows a remote attacker to execute code via the LOWSRC
or DYNRC parameters in the IMG tag.


VOTE:

Page Last Updated or Reviewed: May 22, 2007