[INTERIM] ACCEPT 350 candidates (Final April 2)
I have made an Interim Decision to ACCEPT the following 350
candidates.
I will make a Final Decision on April 2.
The following Editorial Board members voted on these candidates:
Ozancin ACCEPT(1)
Green ACCEPT(90) MODIFY(2) NOOP(1)
Magdych NOOP(1)
LeBlanc NOOP(2)
Cole ACCEPT(335) NOOP(14)
Jones ACCEPT(4) MODIFY(9) NOOP(2)
Balinsky ACCEPT(2) NOOP(2)
Foat ACCEPT(82) MODIFY(3) NOOP(263)
Cox ACCEPT(48) MODIFY(19) NOOP(239)
Christey NOOP(136)
Wall ACCEPT(118) NOOP(221)
Ziese ACCEPT(8) NOOP(3)
Levy ACCEPT(3)
Frech ACCEPT(110) MODIFY(104)
Alderson ACCEPT(31)
Stracener ACCEPT(1)
Baker ACCEPT(279)
Prosser ACCEPT(3)
Armstrong ACCEPT(159) NOOP(17)
======================================================
Candidate: CAN-1999-1337
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1337
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19990801 midnight commander vulnerability(?) (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93370073207984&w=2
Reference: XF:midnight-commander-data-disclosure(9873)
Reference: URL:http://www.iss.net/security_center/static/9873.php
FTP client in Midnight Commander (mc) before 4.5.11 stores usernames
and passwords for visited sites in plaintext in the world-readable
history file, which allows other local users to gain privileges.
Modifications:
ADDREF XF:midnight-commander-data-disclosure(9873)
Analysis
--------
Vendor Acknowledgement: yes followup
INFERRED ACTION: CAN-1999-1337 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Wall, Foat
Voter Comments:
Frech> (Task 1765)
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:midnight-commander-data-disclosure(9873)
======================================================
Candidate: CAN-1999-1468
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1468
Final-Decision:
Interim-Decision: 20030326
Modified: 20020218-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: MISC:http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-01.html
Reference: CERT:CA-91.20
Reference: URL:http://www.cert.org/advisories/CA-91.20.rdist.vulnerability
Reference: BID:31
Reference: URL:http://www.securityfocus.com/bid/31
Reference: XF:rdist-popen-gain-privileges(7160)
Reference: URL:http://www.iss.net/security_center/static/7160.php
rdist in various UNIX systems uses popen to execute sendmail, which
allows local users to gain root privileges by modifying the IFS
(Internal Field Separator) variable.
Modifications:
ADDREF XF:rdist-popen-gain-privileges(7160)
CHANGEREF MISC [change url]
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-1999-1468 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Foat, Cole, Stracener
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:rdist-popen-gain-privileges(7160)
MISC reference is dead. Alternative:
http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-01.html
Christey> It is unclear whether this is addressed by SUN:00115,
SUN:00110, both, or neither.
======================================================
Candidate: CAN-1999-1490
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1490
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19980528 ALERT: Tiresome security hole in "xosview", RedHat5.1?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926021&w=2
Reference: BUGTRAQ:19980529 Re: Tiresome security hole in "xosview" (xosexp.c)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926034&w=2
Reference: BID:362
Reference: URL:http://www.securityfocus.com/bid/362
Reference: XF:linux-xosview-bo(8787)
Reference: URL:http://www.iss.net/security_center/static/8787.php
xosview 1.5.1 in Red Hat 5.1 allows local users to gain root access
via a long HOME environmental variable.
Modifications:
ADDREF XF:linux-xosview-bo(8787)
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-1999-1490 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Wall, Foat
Voter Comments:
Frech> (ACCEPT; Task 2354)
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:linux-xosview-bo(8787)
======================================================
Candidate: CAN-2000-0502
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0502
Final-Decision:
Interim-Decision: 20030326
Modified: 20020222-01
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000607 Mcafee Alerting DOS vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0038.html
Reference: BID:1326
Reference: URL:http://www.securityfocus.com/bid/1326
Reference: XF:mcafee-alerting-dos(4641)
Reference: URL:http://xforce.iss.net/static/4641.php
Mcafee VirusScan 4.03 does not properly restrict access to the alert
text file before it is sent to the Central Alert Server, which allows
local users to modify alerts in an arbitrary fashion.
Modifications:
ADDREF XF:mcafee-alerting-dos(4641)
Analysis
--------
Vendor Acknowledgement: unknown
INFERRED ACTION: CAN-2000-0502 ACCEPT (4 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Ozancin, Levy, Wall
MODIFY(1) Frech
NOOP(1) LeBlanc
Voter Comments:
Frech> XF:mcafee-alerting-dos(4641)
CHANGE> [Wall changed vote from REVIEWING to ACCEPT]
======================================================
Candidate: CAN-2000-0590
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0590
Final-Decision:
Interim-Decision: 20030326
Modified: 20010910-01
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000706 Vulnerability in Poll_It cgi v2.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0076.html
Reference: BID:1431
Reference: URL:http://www.securityfocus.com/bid/1431
Reference: XF:http-cgi-pollit-variable-overwrite(4878)
Reference: URL:http://xforce.iss.net/static/4878.php
Poll It 2.0 CGI script allows remote attackers to read arbitrary files
by specifying the file name in the data_dir parameter.
Modifications:
ADDREF XF:http-cgi-pollit-variable-overwrite(4878)
Analysis
--------
Vendor Acknowledgement: yes via-email
ACKNOWLEDGEMENT: Inquiry sent to
http://www.cgi-world.com/cgi-bin/forms/forms.cgi on 2/22/2002.
Confirmed by vendor on 2/22/2002.
INFERRED ACTION: CAN-2000-0590 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Levy, Cole
MODIFY(1) Frech
NOOP(4) Magdych, LeBlanc, Wall, Christey
Voter Comments:
Frech> XF:http-cgi-pollit-variable-overwrite(4878)
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Christey> MISC:http://www.cgi-world.com/download/pollit.html
An item on October 24, 2000 says "Updated to Version 2.05 from
2.0 to Fix Security Issues" but it's not clear whether it's
related to *this* security issue; it's probably talking
about CVE-2000-1068/1069/1070.
Inquiry sent to http://www.cgi-world.com/cgi-bin/forms/forms.cgi
on 2/22/2002. Confirmed by vendor on 2/22/2002.
======================================================
Candidate: CAN-2000-1210
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1210
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20000322 Security bug in Apache project: Jakarta Tomcat
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95371672300045&w=2
Reference: XF:apache-tomcat-file-contents(4205)
Reference: URL:http://www.iss.net/security_center/static/4205.php
Directory traversal vulnerability in source.jsp of Apache Tomcat
before 3.1 allows remote attackers to read arbitrary files via a ..
(dot dot) in the argument to source.jsp.
Analysis
--------
Vendor Acknowledgement:
INFERRED ACTION: CAN-2000-1210 ACCEPT (6 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(6) Baker, Frech, Cox, Cole, Armstrong, Green
NOOP(2) Wall, Foat
Voter Comments:
Green> APPEARS TO BE ACKNOWLEDGED IN APACHE'S BUGZILLA (#93 SEEMS CLOSE)
======================================================
Candidate: CAN-2000-1211
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1211
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20001222 Zope DTML Role Issue
Reference: REDHAT:RHSA-2000:125
Reference: CONFIRM:http://www.zope.org/Products/Zope/Hotfix_2000-12-08/security_alert
Reference: MANDRAKE:MDKSA-2000:083
Reference: URL:http://www.linux-mandrake.com/en/security/2000/MDKSA-2000-083.php3
Reference: XF:zope-legacy-names(5824)
Reference: URL:http://www.iss.net/security_center/static/5824.php
Zope 2.2.0 through 2.2.4 does not properly perform security
registration for legacy names of object constructors such as DTML
method objects, which could allow attackers to perform unauthorized
activities.
Modifications:
ADDREF XF:zope-legacy-names(5824)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2000-1211 ACCEPT (6 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Cox, Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(2) Wall, Foat
Voter Comments:
Cox> ADDREF:REDHAT:RHSA-2000:125
Frech> XF:zope-legacy-names(5824)
======================================================
Candidate: CAN-2000-1212
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1212
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: MANDRAKE:MDKSA-2000:086
Reference: CONECTIVA:CLA-2000:365
Reference: DEBIAN:DSA-007
Reference: CONFIRM:http://www.zope.org/Products/Zope/Hotfix_2000-12-18/security_alert
Reference: REDHAT:RHSA-2000:135
Reference: XF:zope-image-file(5778)
Zope 2.2.0 through 2.2.4 does not properly protect a data updating
method on Image and File objects, which allows attackers with DTML
editing privileges to modify the raw data of these objects.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2000-1212 ACCEPT (6 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(6) Baker, Frech, Cox, Cole, Armstrong, Green
NOOP(2) Wall, Foat
======================================================
Candidate: CAN-2001-0724
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0724
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-02
Proposed: 20020131
Assigned: 20010927
Category: SF
Reference: MS:MS01-055
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-055.asp
Reference: XF:ie-incorrect-security-zone-variant(8471)
Internet Explorer 5.5 allows remote attackers to bypass security
restrictions via malformed URLs that contain dotless IP addresses,
which causes Internet Explorer to process the page in the Intranet
Zone, which may have fewer security restrictions, aka the "Zone
Spoofing Vulnerability variant" of CVE-2001-0664.
Modifications:
ADDREF XF:ie-incorrect-security-zone-variant(8471)
DESC Change "CAN" to "CVE" in description.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-0724 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Foat, Cole, Armstrong, Baker
MODIFY(1) Frech
Voter Comments:
Frech> (ACCEPT)
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:ie-incorrect-security-zone-variant(8471)
======================================================
Candidate: CAN-2001-0748
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0748
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20011012
Assigned: 20011012
Category: SF
Reference: BUGTRAQ:20010531 Acme.Server v1.7 of 13nov96 Directory Browsing
Reference: URL:http://www.securityfocus.com/archive/1/188141
Reference: XF:acme-serve-directory-traversal(6634)
Reference: URL:http://www.iss.net/security_center/static/6634.php
Reference: CISCO:20020702 Cisco Secure ACS Unix Acme.server Information Disclosure Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/acmeweb-acsunix-dirtravers-vuln-pub.shtml
Reference: BID:2809
Reference: URL:http://www.securityfocus.com/bid/2809
Acme.Serve 1.7, as used in Cisco Secure ACS Unix and possibly other
products, allows remote attackers to read arbitrary files by
prepending several / (slash) characters to the URI.
Modifications:
ADDREF XF:acme-serve-directory-traversal(6634)
ADDREF CISCO:20020702 Cisco Secure ACS Unix Acme.server Information Disclosure Vulnerability
DESC replace "." with "/"; change spelling
ADDREF BID:2809
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2001-0748 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Armstrong
MODIFY(1) Frech
NOOP(4) Wall, Foat, Cole, Christey
Voter Comments:
Frech> XF:acme-serve-directory-traversal(6634)
Christey> Change description to say "Acme.Serve". The original
discloser spelled it 2 different ways.
Christey> Description: Is it . or slash?
Christey> Acknowledged by Cisco (!):
CISCO:20020702 Cisco Secure ACS Unix Acme.server Information Disclosure Vulnerability
URL:http://www.cisco.com/warp/public/707/acmeweb-acsunix-dirtravers-vuln-pub.shtml
This affects Cisco Secure ACS Unix installation, and Cisco
reports that it's due to multiple / at the end.
======================================================
Candidate: CAN-2001-0763
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0763
Final-Decision:
Interim-Decision: 20030326
Modified: 20020821-03
Proposed: 20011012
Assigned: 20011012
Category: SF
Reference: BUGTRAQ:20010608 potential buffer overflow in xinetd-2.1.8.9pre11-1
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-06/0064.html
Reference: CONECTIVA:CLA-2001:404
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000404
Reference: DEBIAN:DSA-063
Reference: URL:http://www.debian.org/security/2001/dsa-063
Reference: SUSE:SA:2001:022
Reference: URL:http://lists.suse.com/archives/suse-security-announce/2001-Jun/0002.html
Reference: IMMUNIX:IMNX-2001-70-024-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-024-01
Reference: ENGARDE:ESA-20010621-01
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1469.html
Reference: CIAC:L-104
Reference: URL:http://www.ciac.org/ciac/bulletins/l-104.shtml
Reference: REDHAT:RHSA-2001:075
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-075.html
Reference: FREEBSD:FreeBSD-SA-01:47
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:47.xinetd.asc
Reference: XF:xinetd-identd-bo(6670)
Reference: URL:http://xforce.iss.net/static/6670.php
Reference: BID:2840
Reference: URL:http://www.securityfocus.com/bid/2840
Buffer overflow in Linux xinetd 2.1.8.9pre11-1 and earlier may allow
remote attackers to execute arbitrary code via a long ident response,
which is not properly handled by the svc_logprint function.
Modifications:
ADDREF XF:xinetd-identd-bo(6670)
ADDREF BID:2840
ADDREF IMMUNIX:IMNX-2001-70-029-01
ADDREF ENGARDE:ESA-20010621-01
ADDREF CIAC:L-104
ADDREF REDHAT:RHSA-2001:075
ADDREF FREEBSD:FreeBSD-SA-01:47
ADDREF CONECTIVA:CLA-2001:404
DELREF CONECTIVA:CLA-2001:406
CHANGEREF IMMUNIX:IMNX-2001-70-024-01
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-0763 ACCEPT (5 accept, 5 ack, 0 review)
Current Votes:
ACCEPT(4) Foat, Cole, Armstrong, Baker
MODIFY(1) Frech
NOOP(2) Wall, Christey
Voter Comments:
Frech> XF:xinetd-identd-bo(6670)
Christey> Need to sift through the references to make sure they're
correct and appropriately distinguish from CAN-2001-0825.
Christey> ADDREF CONECTIVA:CLA-2001:404
Christey> ADDREF FREEBSD:FreeBSD-SA-01:47
URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:47.xinetd.asc
DELREF CONECTIVA:CLA-2001:406 (that's for CAN-2001-0825)
ADDREF CONECTIVA:CLA-2001:404
DELREF IMMUNIX:IMNX-2001-70-029-01 (that's for CAN-2001-0825)
ADDREF IMMUNIX:IMNX-2001-70-024-01
======================================================
Candidate: CAN-2001-0873
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0873
Final-Decision:
Interim-Decision: 20030326
Modified: 20020818-01
Proposed: 20020131
Assigned: 20011206
Category: SF
Reference: BUGTRAQ:20010908 Multiple vendor 'Taylor UUCP' problems.
Reference: URL:http://www.securityfocus.com/archive/1/212892
Reference: BUGTRAQ:20011130 Redhat 7.0 local root (via uucp) (attempt 2)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100715446131820
Reference: CALDERA:CSSA-2001-033.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-033.0.txt
Reference: CONECTIVA:CLA-2001:425
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000425
Reference: SUSE:SuSE-SA:2001:38
Reference: URL:http://www.suse.de/de/support/security/2001_038_uucp_txt.txt
Reference: BID:3312
Reference: URL:http://www.securityfocus.com/bid/3312
Reference: XF:uucp-argument-gain-privileges(7099)
Reference: URL:http://xforce.iss.net/static/7099.php
Reference: REDHAT:RHSA-2001:165
Reference: URL:http://rhn.redhat.com/errata/RHSA-2001-165.html
uuxqt in Taylor UUCP package does not properly remove dangerous long
options, which allows local users to gain privileges by calling uux
and specifying an alternate configuration file with the --config
option.
Modifications:
ADDREF REDHAT:RHSA-2001:165
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-0873 ACCEPT (3 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Green, Baker
NOOP(3) Wall, Foat, Christey
Voter Comments:
Christey> ADDREF CONECTIVA:CLA-2002:463
Christey> No wait, scratch CONECTIVA:CLA-2002:463... It only mentions this
older vulnerability.
Christey> REDHAT:RHSA-2001:165 (per Mark Cox)
======================================================
Candidate: CAN-2001-0891
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0891
Final-Decision:
Interim-Decision: 20030326
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020116
Category: SF
Reference: BUGTRAQ:20011127 UNICOS LOCAL HOLE ALL VERSIONS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100695627423924&w=2
Reference: SGI:20020101-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020101-01-I
Reference: XF:unicos-nqsd-format-string(7618)
Format string vulnerability in NQS daemon (nqsdaemon) in NQE 3.3.0.16
for CRAY UNICOS and SGI IRIX allows a local user to gain root
privileges by using qsub to submit a batch job whose name contains
formatting characters.
Modifications:
ADDREF XF:unicos-nqsd-format-string(7618)
DESC Add SGI IRIX versions
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-0891 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Baker
MODIFY(1) Frech
NOOP(3) Wall, Foat, Christey
Voter Comments:
Frech> XF:unicos-nqsd-format-string(7618)
Christey> Change desc to include SGI versions
======================================================
Candidate: CAN-2001-0921
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0921
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011121 Mac Netscape password fields
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100638816318705&w=2
Reference: XF:macos-netscape-print-passwords(7593)
Reference: URL:http://xforce.iss.net/static/7593.php
Reference: BID:3565
Reference: URL:http://www.securityfocus.com/bid/3565
Netscape 4.79 and earlier for MacOS allows an attacker with access to
the browser to obtain passwords from form fields by printing the
document into which the password has been typed, which is printed in
cleartext.
Analysis
--------
Vendor Acknowledgement: unknown
INFERRED ACTION: CAN-2001-0921 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Foat, Cole, Frech
NOOP(2) Wall, Armstrong
======================================================
Candidate: CAN-2001-0959
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0959
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010915 ARCserve 6.61 Share Access Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0137.html
Reference: MISC:http://support.ca.com/Download/patches/asitnt/QO00945.html
Reference: BID:3342
Reference: URL:http://www.securityfocus.com/bid/3342
Reference: XF:arcserve-aremote-plaintext(7122)
Reference: URL:http://www.iss.net/security_center/static/7122.php
Computer Associates ARCserve for NT 6.61 SP2a and ARCserve 2000 7.0
creates a hidden share named ARCSERVE$, which allows remote attackers
to obtain sensitive information and overwrite critical files.
Modifications:
ADDREF XF:arcserve-aremote-plaintext(7122)
Analysis
--------
Vendor Acknowledgement: unknown vague
ACKNOWLEDGEMENT: document QO00945, dated September 14, states that it
"addresses a potential security vulnerability in ARCserve 2000 when
performing full backups," which may be a vague acknowledgement of the
problem. Followup posts to the original Bugtraq post do not say that
the patch does NOT fix the problem, so the combination of these
implicit or vague clues may be sufficient to determine that the vendor
has fixed the problem and, by extension, acknowledged it.
INFERRED ACTION: CAN-2001-0959 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(2) Green, Frech
NOOP(2) Wall, Foat
Voter Comments:
Green> VENDOR ACKNOWLEDGEMENT VAGUE
Frech> XF:arcserve-aremote-plaintext(7122)
======================================================
Candidate: CAN-2001-0960
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0960
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: BUGTRAQ:20010915 ARCserve 6.61 Share Access Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0137.html
Reference: MISC:http://support.ca.com/Download/patches/asitnt/QO00945.html
Reference: XF:arcserve-aremote-plaintext(7122)
Reference: URL:http://xforce.iss.net/static/7122.php
Reference: BID:3343
Reference: URL:http://www.securityfocus.com/bid/3343
Computer Associates ARCserve for NT 6.61 SP2a and ARCserve 2000 7.0
stores the backup agent user name and password in cleartext in the
aremote.dmp file in the ARCSERVE$ hidden share, which allows local and
remote attackers to gain privileges.
Analysis
--------
Vendor Acknowledgement: unknown vague
ACKNOWLEDGEMENT: document QO00945, dated September 14, states that it
"addresses a potential security vulnerability in ARCserve 2000 when
performing full backups," which may be a vague acknowledgement of the
problem. Followup posts to the original Bugtraq post do not say that
the patch does NOT fix the problem, so the combination of these
implicit or vague clues may be sufficient to determine that the vendor
has fixed the problem and, by extension, acknowledged it.
INFERRED ACTION: CAN-2001-0960 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Frech
MODIFY(1) Green
NOOP(2) Wall, Foat
Voter Comments:
Green> VENDOR ACKNOWLEDGEMENT MISSING
======================================================
Candidate: CAN-2001-0978
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0978
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: HPBUG:PHCO_17719
Reference: URL:http://archives.neohapsis.com/archives/hp/2001-q3/0052.html
Reference: HPBUG:PHCO_24454
Reference: BID:3289
Reference: URL:http://www.securityfocus.com/bid/3289
Reference: XF:hpux-login-btmp(8632)
Reference: URL:http://www.iss.net/security_center/static/8632.php
login in HP-UX 10.26 does not record failed login attempts in
/var/adm/btmp, which could allow attackers to conduct brute force
password guessing attacks without being detected or observed using the
lastb program.
Modifications:
ADDREF XF:hpux-login-btmp(8632)
Analysis
--------
Vendor Acknowledgement: yes patch
INFERRED ACTION: CAN-2001-0978 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Green, Baker
MODIFY(1) Frech
NOOP(2) Wall, Foat
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:hpux-login-btmp(8632)
======================================================
Candidate: CAN-2001-1008
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1008
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010824 Java Plugin 1.4 with JRE 1.3 -> Ignores certificates.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-08/0359.html
Reference: BID:3245
Reference: URL:http://www.securityfocus.com/bid/3245
Reference: XF:javaplugin-jre-expired-certificate(7048)
Reference: URL:http://www.iss.net/security_center/static/7048.php
Java Plugin 1.4 for JRE 1.3 executes signed applets even if the
certificate is expired, which could allow remote attackers to conduct
unauthorized activities via an applet that has been signed by an
expired certificate.
Modifications:
ADDREF XF:javaplugin-jre-expired-certificate(7048)
Analysis
--------
Vendor Acknowledgement:
INFERRED ACTION: CAN-2001-1008 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Green
MODIFY(1) Frech
NOOP(3) Wall, Foat, Armstrong
Voter Comments:
Frech> XF:javaplugin-jre-expired-certificate(7048)
======================================================
Candidate: CAN-2001-1028
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1028
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: REDHAT:RHSA-2001:072
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-072.html
Reference: XF:man-ultimate-source-bo(8622)
Reference: URL:http://www.iss.net/security_center/static/8622.php
Buffer overflow in ultimate_source function of man 1.5 and earlier
allows local users to gain privileges.
Modifications:
ADDREF XF:man-ultimate-source-bo(8622)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1028 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Green, Baker
MODIFY(1) Frech
NOOP(2) Wall, Foat
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:man-ultimate-source-bo(8622)
======================================================
Candidate: CAN-2001-1036
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1036
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010801 Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate
Reference: URL:http://www.securityfocus.com/archive/1/200991
Reference: XF:locate-command-execution(6932)
Reference: URL:http://xforce.iss.net/static/6932.php
Reference: BID:3127
Reference: URL:http://www.securityfocus.com/bid/3127
GNU locate in findutils 4.1 on Slackware 7.1 and 8.0 allows local
users to gain privileges via an old formatted filename database
(locatedb) that contains an entry with an out-of-range offset, which
causes locate to write to arbitrary process memory.
Analysis
--------
Vendor Acknowledgement:
INFERRED ACTION: CAN-2001-1036 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Green, Frech
NOOP(3) Wall, Foat, Armstrong
======================================================
Candidate: CAN-2001-1059
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1059
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: BUGTRAQ:20010730 vmware bug?
Reference: URL:http://www.securityfocus.com/archive/1/200455
Reference: BID:3119
Reference: URL:http://www.securityfocus.com/bid/3119
Reference: XF:vmware-obtain-license-info(6925)
Reference: URL:http://xforce.iss.net/static/6925.php
VMWare creates a temporary file vmware-log.USERNAME with insecure
permissions, which allows local users to read or modify license
information.
Analysis
--------
Vendor Acknowledgement:
INFERRED ACTION: CAN-2001-1059 ACCEPT (4 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(4) Foat, Cole, Green, Frech
NOOP(2) Wall, Armstrong
======================================================
Candidate: CAN-2001-1106
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1106
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010725 Sambar Server password decryption
Reference: URL:http://www.securityfocus.com/archive/1/199418
Reference: BID:3095
Reference: URL:http://www.securityfocus.com/bid/3095
Reference: XF:sambar-insecure-passwords(6909)
Reference: URL:http://xforce.iss.net/static/6909.php
The default configuration of Sambar Server 5 and earlier uses a
symmetric key that is compiled into the binary program for encrypting
passwords, which could allow local users to break all user passwords
by cracking the key or modifying a copy of the sambar program to call
the decryption procedure.
Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed
INFERRED ACTION: CAN-2001-1106 ACCEPT (4 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(4) Green, Baker, Frech, Ziese
NOOP(5) Wall, Foat, Cole, Armstrong, Christey
Voter Comments:
Green> There is vendor acknowledgement in http://www.security.nnov.ru/advisories/sambarpass.asp
Christey> For CVE's purposes, I do not count a vendor quote or excerpt
from a third party as acknowledgement.
======================================================
Candidate: CAN-2001-1145
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1145
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: NETBSD:NetBSD-SA2001-016
Reference: URL:http://archives.neohapsis.com/archives/netbsd/2001-q3/0204.html
Reference: FREEBSD:FreeBSD-SA-01:40
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:40.fts.v1.1.asc
Reference: OPENBSD:20010530 029: SECURITY FIX: May 30, 2001
Reference: URL:http://www.openbsd.org/errata28.html
Reference: BID:3205
Reference: URL:http://online.securityfocus.com/bid/3205
Reference: XF:bsd-fts-race-condition(8715)
Reference: URL:http://www.iss.net/security_center/static/8715.php
fts routines in FreeBSD 4.3 and earlier, NetBSD before 1.5.2, and
OpenBSD 2.9 and earlier can be forced to change (chdir) into a
different directory than intended when the directory above the current
directory is moved, which could cause scripts to perform dangerous
actions on the wrong directories.
Modifications:
ADDREF XF:bsd-fts-race-condition(8715)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1145 ACCEPT (6 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Armstrong, Green, Baker, Ziese
MODIFY(1) Frech
NOOP(2) Wall, Foat
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:bsd-fts-race-condition(8715)
======================================================
Candidate: CAN-2001-1251
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1251
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010629 4 New vulns. vWebServer and SmallHTTP
Reference: URL:http://online.securityfocus.com/archive/1/194418
Reference: BID:2980
Reference: URL:http://online.securityfocus.com/bid/2980
Reference: XF:vwebserver-long-url-dos(6771)
Reference: URL:http://www.iss.net/security_center/static/6771.php
SmallHTTP 1.204 through 3.00 beta 8 allows remote attackers to cause a
denial of service via multiple long URL requests.
Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed
Discloser claims "all versions vulnerable" but only lists 2.x and 3.x,
not 1.x. The lowest version listed (1.204) and the highest
version up to the post date (3.00 beta 8) were chosen.
INFERRED ACTION: CAN-2001-1251 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Green, Frech
NOOP(3) Wall, Foat, Cox
======================================================
Candidate: CAN-2001-1291
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1291
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010712 3Com TelnetD
Reference: URL:http://www.securityfocus.com/archive/1/196957
Reference: XF:3com-telnetd-brute-force(6855)
Reference: URL:http://xforce.iss.net/static/6855.php
Reference: BID:3034
Reference: URL:http://www.securityfocus.com/bid/3034
The telnet server for 3Com hardware such as PS40 SuperStack II does
not delay or disconnect remote attackers who provide an incorrect
username or password, which makes it easier to break into the server
via brute force password guessing.
Analysis
--------
Vendor Acknowledgement:
INFERRED ACTION: CAN-2001-1291 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Green, Frech
NOOP(3) Wall, Foat, Cox
======================================================
Candidate: CAN-2001-1296
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1296
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: MISC:http://www.moregroupware.org/index.php?action=detail&news_id=24
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://www.iss.net/security_center/static/7215.php
Reference: BID:3383
Reference: URL:http://www.securityfocus.com/bid/3383
More.groupware PHP script allows remote attackers to include arbitrary
files from remote web sites via an HTTP request that sets the
includedir variable.
Analysis
--------
Vendor Acknowledgement: unknown vague
ACKNOWLEDGEMENT: the release notes dated October 31, 2001 say that the
new release includes "some neat security fixes," but it is unclear
whether the vendor is fixing *this* issue.
INFERRED ACTION: CAN-2001-1296 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Green, Frech
NOOP(3) Wall, Foat, Cox
======================================================
Candidate: CAN-2001-1301
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1301
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010807 rcs2log
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-08/0093.html
Reference: CONFIRM:http://savannah.gnu.org/cgi-bin/viewcvs/emacs/emacs/lib-src/rcs2log?only_with_tag=EMACS_PRETEST_21_0_95
Reference: XF:rcs2log-tmp-symlink(11210)
Reference: URL:http://www.iss.net/security_center/static/11210.php
rcs2log, as used in Emacs 20.4, xemacs 21.1.10 and other versions
before 21.4, and possibly other packages, allows local users to modify
files of other users via a symlink attack on a temporary file.
Modifications:
ADDREF CONFIRM:http://savannah.gnu.org/cgi-bin/viewcvs/emacs/emacs/lib-src/rcs2log?only_with_tag=EMACS_PRETEST_21_0_95
ADDREF XF:rcs2log-tmp-symlink(11210)
DESC change versions
Analysis
--------
Vendor Acknowledgement: yes cve-vote
INFERRED ACTION: CAN-2001-1301 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Green
MODIFY(2) Frech, Cox
NOOP(3) Wall, Foat, Cole
Voter Comments:
Frech> Task xxxx.
CHANGE> [Cox changed vote from REVIEWING to MODIFY]
Cox> Addref:
http://savannah.gnu.org/cgi-bin/viewcvs/emacs/emacs/lib-src/rcs2log?only_with_tag=EMACS_PRETEST_21_0_95
This was public at least as far back as 28 September 1998; this is the
date that the Red Hat emacs package was given a patch for this issue.
Cox> Description currently says "xemacs 21.1.10" and it would be
more correct to say "xemacs before version 21.4"
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:rcs2log-tmp-symlink(11210)
======================================================
Candidate: CAN-2001-1303
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1303
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: CF
Reference: BUGTRAQ:20010718 Firewall-1 Information leak
Reference: URL:http://www.securityfocus.com/archive/1/197566
Reference: BID:3058
Reference: URL:http://online.securityfocus.com/bid/3058
Reference: XF:fw1-securemote-gain-information(6857)
Reference: URL:http://xforce.iss.net/static/6857.php
The default configuration of SecuRemote for Check Point Firewall-1
allows remote attackers to obtain sensitive configuration information
for the protected network without authentication.
Analysis
--------
Vendor Acknowledgement:
INFERRED ACTION: CAN-2001-1303 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Green, Frech
NOOP(3) Wall, Foat, Cox
======================================================
Candidate: CAN-2001-1327
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1327
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: TURBO:TLSA2001024
Reference: URL:http://www.turbolinux.com/pipermail/tl-security-announce/2001-May/000313.html
Reference: XF:pmake-binary-gain-privileges(9988)
Reference: URL:http://www.iss.net/security_center/static/9988.php
pmake before 2.1.35 in Turbolinux 6.05 and earlier is installed with
setuid root privileges, which could allow local users to gain
privileges by exploiting vulnerabilities in pmake or programs that are
used by pmake.
Modifications:
ADDREF XF:pmake-binary-gain-privileges(9988)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1327 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Green
MODIFY(1) Frech
NOOP(3) Wall, Foat, Cox
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:pmake-binary-gain-privileges(9988)
======================================================
Candidate: CAN-2001-1334
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1334
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010515 PHPSlash : potential vulnerability in URL blocks
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0126.html
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=phpslash&m=99029398904419&w=2
Reference: BID:2724
Reference: URL:http://online.securityfocus.com/bid/2724
Reference: XF:phpslash-block-read-files(9990)
Reference: URL:http://www.iss.net/security_center/static/9990.php
Block_render_url.class in PHPSlash 0.6.1 allows remote attackers with
PHPSlash administrator privileges to read arbitrary files by creating
a block and specifying the target file as the source URL.
Modifications:
ADDREF XF:phpslash-block-read-files(9990)
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2001-1334 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Green
MODIFY(1) Frech
NOOP(3) Wall, Foat, Cox
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:phpslash-block-read-files(9990)
======================================================
Candidate: CAN-2001-1349
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1349
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BINDVIEW:20010528 Unsafe Signal Handling in Sendmail
Reference: URL:http://razor.bindview.com/publish/advisories/adv_sm8120.html
Reference: BUGTRAQ:20010529 sendmail 8.11.4 and 8.12.0.Beta10 available (fwd)
Reference: URL:http://www.securityfocus.com/archive/1/187127
Reference: REDHAT:RHSA-2001:106
Reference: URL:http://rhn.redhat.com/errata/RHSA-2001-106.html
Reference: CONFIRM:http://archives.neohapsis.com/archives/sendmail/2001-q2/0001.html
Reference: BID:2794
Reference: URL:http://www.securityfocus.com/bid/2794
Reference: XF:sendmail-signal-handling(6633)
Reference: URL:http://www.iss.net/security_center/static/6633.php
Sendmail before 8.11.4, and 8.12.0 before 8.12.0.Beta10, allows local
users to cause a denial of service and possibly corrupt the heap and
gain privileges via race conditions in signal handlers.
Modifications:
ADDREF REDHAT:RHSA-2001:106
ADDREF XF:sendmail-signal-handling(6633)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1349 ACCEPT (5 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(4) Wall, Cole, Green, Cox
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
Cox> ADDREF: RHSA-2001:106
Frech> XF:sendmail-signal-handling(6633)
======================================================
Candidate: CAN-2001-1359
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1359
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: CF
Reference: CALDERA:CSSA-2001-021.0
Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2001-021.0.txt
Reference: BID:2850
Reference: URL:http://www.securityfocus.com/bid/2850
Reference: XF:volution-authentication-failure-access(6672)
Reference: URL:http://xforce.iss.net/static/6672.php
Volution clients 1.0.7 and earlier attempt to contact the computer
creation daemon (CCD) when an LDAP authentication failure occurs,
which allows remote attackers to fully control clients via a Trojan
horse Volution server.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1359 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Cole, Alderson, Green, Frech
NOOP(2) Foat, Cox
======================================================
Candidate: CAN-2001-1369
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1369
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:14
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:14.pam-pgsql.asc
Reference: BID:3319
Reference: URL:http://online.securityfocus.com/bid/3319
Reference: XF:postgresql-pam-authentication-module(7110)
Reference: URL:http://www.iss.net/security_center/static/7110.php
Leon J Breedt pam-pgsql before 0.5.2 allows remote attackers to
execute arbitrary SQL code and bypass authentication or modify user
account records by injecting SQL statements into user or password
fields.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1369 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Alderson, Green, Frech
NOOP(3) Wall, Foat, Cox
======================================================
Candidate: CAN-2001-1370
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1370
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20010722 [SEC] Hole in PHPLib 7.2 prepend.php3
Reference: URL:http://www.securityfocus.com/archive/1/198768
Reference: BUGTRAQ:20010726 TSLSA-2001-0014 - PHPLib
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99616122712122&w=2
Reference: BUGTRAQ:20010721 IMP 2.2.6 (SECURITY) released
Reference: URL:http://online.securityfocus.com/archive/1/198495
Reference: CONECTIVA:CLA-2001:410
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000410
Reference: CALDERA:CSSA-2001-027.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-027.0.txt
Reference: DEBIAN:DSA-073
Reference: URL:http://www.debian.org/security/2001/dsa-073
Reference: BID:3079
Reference: URL:http://www.securityfocus.com/bid/3079
Reference: XF:phplib-script-execution(6892)
Reference: URL:http://www.iss.net/security_center/static/6892.php
prepend.php3 in PHPLib before 7.2d, when register_globals is enabled
for PHP, allows remote attackers to execute arbitrary scripts via an
HTTP request that modifies $_PHPLIB[libdir] to point to malicious code
on another server, as seen in Horde 1.2.5 and earlier, IMP before
2.2.6, and other packages that use PHPLib.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1370 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Alderson, Green, Frech
NOOP(3) Wall, Foat, Cox
======================================================
Candidate: CAN-2001-1371
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1371
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: CERT-VN:VU#736923
Reference: URL:http://www.kb.cert.org/vuls/id/736923
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CONFIRM:http://technet.oracle.com/deploy/security/pdf/ias_soap_alert.pdf
Reference: BID:4289
Reference: URL:http://www.securityfocus.com/bid/4289
Reference: XF:oracle-appserver-soap-components(8449)
Reference: URL:http://www.iss.net/security_center/static/8449.php
The default configuration of Oracle Application Server 9iAS 1.0.2.2
enables SOAP and allows anonymous users to deploy applications by
default via urn:soap-service-manager and urn:soap-provider-manager.
Modifications:
ADDREF XF:oracle-appserver-soap-components(8449)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1371 ACCEPT (6 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Foat, Cole, Alderson, Green
MODIFY(1) Frech
NOOP(1) Cox
Voter Comments:
Frech> XF:oracle-appserver-soap-components(8449)
======================================================
Candidate: CAN-2001-1372
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1372
Final-Decision:
Interim-Decision: 20030326
Modified: 20021116-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20010917 Yet another path disclosure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100074087824021&w=2
Reference: BUGTRAQ:20010921 Response to "Path disclosure vulnerability in Oracle 9i and 8i
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100119633925473&w=2
Reference: MISC:http://www.nii.co.in/research.html
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CERT-VN:VU#278971
Reference: URL:http://www.kb.cert.org/vuls/id/278971
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/jspexecute_alert.pdf
Reference: BID:3341
Reference: URL:http://www.securityfocus.com/bid/3341
Reference: XF:oracle-jsp-reveal-path(7135)
Reference: URL:http://xforce.iss.net/static/7135.php
Oracle 9i Application Server 1.0.2 allows remote attackers to obtain
the physical path of a file under the server root via a request for a
non-existent .JSP file, which leaks the pathname in an error message.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1372 ACCEPT (5 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Cole, Alderson, Green, Frech
NOOP(3) Foat, Christey, Cox
Voter Comments:
Christey> ADDREF MISC:http://www.nii.co.in/research.html
======================================================
Candidate: CAN-2001-1373
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1373
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20010718 ZoneAlarm Pro
Reference: URL:http://www.securityfocus.com/archive/1/197681
Reference: CONFIRM:http://www.zonelabs.com/products/zap/rel_history.html#2.6.362
Reference: XF:zonealarm-bypass-mailsafe(6877)
Reference: URL:http://xforce.iss.net/static/6877.php
Reference: BID:3055
Reference: URL:http://www.securityfocus.com/bid/3055
MailSafe in Zone Labs ZoneAlarm 2.6 and earlier and ZoneAlarm Pro 2.6
and 2.4 does not block prohibited file types with long file names,
which allows remote attackers to send potentially dangerous
attachments.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the product's release history includes a heading
titled "New and improved features in ZoneAlarm Pro version 2.6.231,"
which states: "MailSafe improvements to better handle attachments of
long file names"
INFERRED ACTION: CAN-2001-1373 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Cole, Alderson, Green, Frech
NOOP(2) Foat, Cox
======================================================
Candidate: CAN-2001-1374
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1374
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-02
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=22187
Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=28224
Reference: CONECTIVA:CLA-2001:409
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000409
Reference: XF:expect-insecure-library-search(6870)
Reference: URL:http://xforce.iss.net/static/6870.php
Reference: BID:3074
Reference: URL:http://www.securityfocus.com/bid/3074
Reference: REDHAT:RHSA-2002:148
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-148.html
Reference: MANDRAKE:MDKSA-2002:060
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:060
expect before 5.32 searches for its libraries in /var/tmp before other
directories, which could allow local users to gain root privileges via
a Trojan horse library that is accessed by mkpasswd.
Modifications:
ADDREF REDHAT:RHSA-2002:148
ADDREF MANDRAKE:MDKSA-2002:060
Analysis
--------
Vendor Acknowledgement: yes changelog
INFERRED ACTION: CAN-2001-1374 ACCEPT (6 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(6) Wall, Cole, Alderson, Green, Frech, Cox
NOOP(2) Foat, Christey
Voter Comments:
CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
Christey> REDHAT:RHSA-2002:148
Christey> MANDRAKE:MDKSA-2002:060
======================================================
Candidate: CAN-2001-1375
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1375
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-02
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=28226
Reference: CONECTIVA:CLA-2001:409
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000409
Reference: XF:tcltk-insecure-library-search(6869)
Reference: URL:http://www.iss.net/security_center/static/6869.php
Reference: BID:3073
Reference: URL:http://www.securityfocus.com/bid/3073
Reference: REDHAT:RHSA-2002:148
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-148.html
Reference: MANDRAKE:MDKSA-2002:060
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:060
tcl/tk package (tcltk) 8.3.1 searches for its libraries in the current
working directory before other directories, which could allow local
users to execute arbitrary code via a Trojan horse library that is
under a user-controlled directory.
Modifications:
ADDREF REDHAT:RHSA-2002:148
ADDREF MANDRAKE:MDKSA-2002:060
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1375 ACCEPT (6 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(6) Foat, Cole, Alderson, Green, Frech, Cox
NOOP(2) Wall, Christey
Voter Comments:
CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
Christey> REDHAT:RHSA-2002:148
Christey> MANDRAKE:MDKSA-2002:060
======================================================
Candidate: CAN-2001-1378
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1378
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020715
Category: SF
Reference: MISC:http://lists.ccil.org/pipermail/fetchmail-announce/2001-March/000015.html
Reference: REDHAT:RHSA-2001:103
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-103.html
fetchmailconf in fetchmail before 5.7.4 allows local users to
overwrite files of other users via a symlink attack on temporary
files.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1378 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Armstrong, Baker, Cox
NOOP(2) Wall, Foat
======================================================
Candidate: CAN-2001-1380
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1380
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20011018 Immunix OS update for OpenSSH
Reference: BUGTRAQ:20011017 TSLSA-2001-0023 - OpenSSH
Reference: BUGTRAQ:20010926 OpenSSH Security Advisory (adv.option)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100154541809940&w=2
Reference: BUGTRAQ:20011019 TSLSA-2001-0026 - OpenSSH
Reference: REDHAT:RHSA-2001:114
Reference: URL:http://rhn.redhat.com/errata/RHSA-2001-114.html
Reference: MANDRAKE:MDKSA-2001:081
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-081.php
OpenSSH before 2.9.9, while using keypairs and multiple keys of
different types in the ~/.ssh/authorized_keys2 file, may not properly
handle the "from" option associated with a key, which could allow
remote attackers to log in from unauthorized IP addresses.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1380 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Armstrong, Baker, Cox
NOOP(2) Wall, Foat
======================================================
Candidate: CAN-2001-1382
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1382
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: CONFIRM:http://www.openwall.com/Owl/CHANGES-stable.shtml
The "echo simulation" traffic analysis countermeasure in OpenSSH
before 2.9.9p2 sends an additional echo packet after the password and
carriage return is entered, which could allow remote attackers to
determine that the countermeasure is being used.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1382 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Armstrong, Baker, Cox
NOOP(2) Wall, Foat
======================================================
Candidate: CAN-2001-1383
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1383
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: REDHAT:RHSA-2001:110
Reference: URL:http://rhn.redhat.com/errata/RHSA-2001-110.html
Reference: XF:linux-setserial-initscript-symlink(7177)
Reference: URL:http://www.iss.net/security_center/static/7177.php
Reference: BID:3367
Reference: URL:http://online.securityfocus.com/bid/3367
initscript in setserial 2.17-4 and earlier uses predictable temporary
file names, which could allow local users to conduct unauthorized
operations on files.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1383 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Cole, Armstrong, Baker, Cox
NOOP(1) Foat
======================================================
Candidate: CAN-2001-1385
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1385
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: BUGTRAQ:20010112 PHP Security Advisory - Apache Module bugs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97957961212852
Reference: REDHAT:RHSA-2000:136
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-136.html
Reference: MANDRAKE:MDKSA-2001:013
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-013.php3
Reference: CONECTIVA:CLA-2001:373
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000373
Reference: DEBIAN:DSA-020
Reference: URL:http://www.debian.org/security/2001/dsa-020
Reference: BID:2205
Reference: URL:http://online.securityfocus.com/bid/2205
Reference: XF:php-view-source-code(5939)
Reference: URL:http://www.iss.net/security_center/static/5939.php
The Apache module for PHP 4.0.0 through PHP 4.0.4, when disabled with
the 'engine = off' option for a virtual host, may disable PHP for
other virtual hosts, which could cause Apache to serve the source code
of PHP scripts.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1385 ACCEPT (7 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(7) Wall, Cole, Armstrong, Green, Baker, Frech, Cox
NOOP(1) Foat
======================================================
Candidate: CAN-2001-1406
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1406
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20010829 Security Advisory for Bugzilla v2.13 and older
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99912899900567
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=66235
Reference: REDHAT:RHSA-2001:107
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-107.html
Reference: XF:bugzilla-processbug-old-restrictions(10478)
Reference: URL:http://www.iss.net/security_center/static/10478.php
process_bug.cgi in Bugzilla before 2.14 does not set the "groupset"
bit when a bug is moved between product groups, which will cause the
bug to have the old group's restrictions, which might not be as
stringent.
Modifications:
ADDREF XF:bugzilla-processbug-old-restrictions(10478)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1406 ACCEPT (6 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Armstrong, Green, Baker, Cox
MODIFY(1) Frech
NOOP(2) Wall, Foat
Voter Comments:
Frech> XF:bugzilla-processbug-old-restrictions(10478)
======================================================
Candidate: CAN-2001-1407
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1407
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20010829 Security Advisory for Bugzilla v2.13 and older
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99912899900567
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=96085
Reference: REDHAT:RHSA-2001:107
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-107.html
Reference: XF:bugzilla-duplicate-view-restricted(10479)
Reference: URL:http://www.iss.net/security_center/static/10479.php
Bugzilla before 2.14 allows Bugzilla users to bypass group security
checks by marking a bug as the duplicate of a restricted bug, which
adds the user to the CC list of the restricted bug and allows the user
to view the bug.
Modifications:
ADDREF XF:bugzilla-duplicate-view-restricted(10479)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2001-1407 ACCEPT (6 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Armstrong, Green, Baker, Cox
MODIFY(1) Frech
NOOP(2) Wall, Foat
Voter Comments:
Frech> XF:bugzilla-duplicate-view-restricted(10479)
======================================================
Candidate: CAN-2002-0006
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0006
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020108
Category: SF
Reference: BUGTRAQ:20020109 xchat IRC session hijacking vulnerability (versions 1.4.1, 1.4.2)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101060676210255&w=2
Reference: DEBIAN:DSA-099
Reference: URL:http://www.debian.org/security/2002/dsa-099
Reference: REDHAT:RHSA-2002:005
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-005.html
Reference: HP:HPSBTL0201-016
Reference: URL:http://online.securityfocus.com/advisories/3806
Reference: CONECTIVA:CLA-2002:453
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000453
Reference: XF:xchat-ctcp-ping-command(7856)
Reference: URL:http://xforce.iss.net/static/7856.php
Reference: BID:3830
Reference: URL:http://www.securityfocus.com/bid/3830
XChat 1.8.7 and earlier, including default configurations of 1.4.2 and
1.4.3, allows remote attackers to execute arbitrary IRC commands as
other clients via encoded characters in a PRIVMSG command that calls
CTCP PING, which expands the characters in the client response when
the percascii variable is set.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0006 ACCEPT (6 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(6) Baker, Frech, Cox, Wall, Cole, Alderson
NOOP(2) Foat, Christey
Voter Comments:
Christey> Consider adding BID:3830
======================================================
Candidate: CAN-2002-0009
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0009
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020131
Assigned: 20020109
Category: SF
Reference: BUGTRAQ:20020105 Security Advisory for Bugzilla v2.15 (cvs20020103) and older
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html
Reference: CONFIRM:http://www.bugzilla.org/security2_14_1.html
Reference: MISC:http://bugzilla.mozilla.org/show_bug.cgi?id=102141
Reference: XF:bugzilla-showbug-reveal-bugs(7802)
Reference: URL:http://www.iss.net/security_center/static/7802.php
Reference: BID:3798
Reference: URL:http://www.securityfocus.com/bid/3798
show_bug.cgi in Bugzilla before 2.14.1 allows a user with "Bugs
Access" privileges to see other products that are not accessible to
the user, by submitting a bug and reading the resulting Product
pulldown menu.
Modifications:
ADDREF XF:bugzilla-showbug-reveal-bugs(7802)
ADDREF BID:3798
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0009 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Green
MODIFY(1) Frech
NOOP(2) Wall, Foat
Voter Comments:
Frech> XF:bugzilla-showbug-reveal-bugs(7802)
======================================================
Candidate: CAN-2002-0011
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0011
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020131
Assigned: 20020109
Category: SF
Reference: BUGTRAQ:20020105 Security Advisory for Bugzilla v2.15 (cvs20020103) and older
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html
Reference: CONFIRM:http://www.bugzilla.org/security2_14_1.html
Reference: MISC:http://bugzilla.mozilla.org/show_bug.cgi?id=98146
Reference: XF:bugzilla-doeditvotes-login-information(7803)
Reference: URL:http://www.iss.net/security_center/static/7803.php
Reference: BID:3800
Reference: URL:http://www.securityfocus.com/bid/3800
Information leak in doeditvotes.cgi in Bugzilla before 2.14.1 may
allow remote attackers to more easily conduct attacks on the login.
Modifications:
ADDREF XF:bugzilla-doeditvotes-login-information(7803)
ADDREF BID:3800
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0011 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Green
MODIFY(1) Frech
NOOP(2) Wall, Foat
Voter Comments:
Frech> XF:bugzilla-doeditvotes-login-information(7803)
======================================================
Candidate: CAN-2002-0014
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0014
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020110
Category: SF
Reference: BUGTRAQ:20020105 Pine 4.33 (at least) URL handler allows embedded commands.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101027841605918&w=2
Reference: REDHAT:RHSA-2002:009
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-009.html
Reference: ENGARDE:ESA-20020114-002
Reference: CONECTIVA:CLA-2002:460
Reference: FREEBSD:FreeBSD-SA-02:05
Reference: HP:HPSBTL0201-015
Reference: BID:3815
Reference: URL:http://online.securityfocus.com/bid/3815
URL-handling code in Pine 4.43 and earlier allows remote attackers to
execute arbitrary commands via a URL enclosed in single quotes and
containing shell metacharacters (&).
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0014 ACCEPT (5 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
NOOP(2) Foat, Christey
Voter Comments:
Christey> Consider adding BID:3815
======================================================
Candidate: CAN-2002-0017
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0017
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020502
Assigned: 20020111
Category: SF
Reference: ISS:20020403 Remote Buffer Overflow Vulnerability in IRIX SNMP Daemon
Reference: URL:http://www.iss.net/security_center/alerts/advise113.php
Reference: SGI:20020201-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020201-01-P
Reference: BID:4421
Reference: URL:http://www.securityfocus.com/bid/4421
Reference: XF:irix-snmp-bo(7846)
Reference: URL:http://www.iss.net/security_center/static/7846.php
Buffer overflow in SNMP daemon (snmpd) on SGI IRIX 6.5 through 6.5.15m
allows remote attackers to execute arbitrary code via an SNMP request.
Modifications:
ADDREF BID:4421
ADDREF XF:irix-snmp-bo(7846)
Analysis
--------
Vendor Acknowledgement: yes advisory
ABSTRACTION: while this issue may appear to be the same as
CAN-2002-0012 or CAN-2002-0013, it is addressed by a different patch,
so CD:SF-LOC suggests keeping this SPLIT.
INFERRED ACTION: CAN-2002-0017 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Levy, Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(4) Cox, Wall, Foat, Christey
Voter Comments:
Christey> Consider adding BID:4421
Levy> BID 4421
Frech> XF:irix-snmp-bo(7846)
======================================================
Candidate: CAN-2002-0024
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0024
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: MS:MS02-005
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp
Reference: BID:4087
Reference: URL:http://www.securityfocus.com/bid/4087
File Download box in Internet Explorer 5.01, 5.5 and 6.0 allows an
attacker to use the Content-Disposition and Content-Type HTML header
fields to modify how the name of the file is displayed, which could
trick a user into believing that a file is safe to download.
Modifications:
ADDREF BID:4087
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0024 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Ziese, Wall, Foat, Cole, Green
NOOP(1) Christey
Voter Comments:
Christey> Consider adding BID:4087
======================================================
Candidate: CAN-2002-0032
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0032
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020611
Assigned: 20020116
Category: SF
Reference: BUGTRAQ:20020527 Yahoo Messenger - Multiple Vulnerabilities
Reference: URL:http://online.securityfocus.com/archive/1/274223
Reference: CERT:CA-2002-16
Reference: URL:http://www.cert.org/advisories/CA-2002-16.html
Reference: CERT-VN:VU#172315
Reference: URL:http://www.kb.cert.org/vuls/id/172315
Reference: BID:4838
Reference: URL:http://www.securityfocus.com/bid/4838
Reference: XF:yahoo-messenger-script-injection(9184)
Reference: URL:http://www.iss.net/security_center/static/9184.php
Yahoo! Messenger 5,0,0,1064 and earlier allows remote attackers to
execute arbitrary script as other users via the addview parameter of a
ymsgr URI.
Modifications:
ADDREF XF:yahoo-messenger-script-injection(9184)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0032 ACCEPT (5 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Cole, Armstrong
MODIFY(1) Frech
NOOP(3) Cox, Foat, Christey
Voter Comments:
Christey> XF:yahoo-messenger-script-injection(9184)
URL:http://www.iss.net/security_center/static/9184.php
Frech> XF:yahoo-messenger-script-injection(9184)
======================================================
Candidate: CAN-2002-0033
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020611
Assigned: 20020116
Category: SF
Reference: BUGTRAQ:20020505 [LSD] Solaris cachefsd remote buffer overflow vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html
Reference: CERT:CA-2002-11
Reference: URL:http://www.cert.org/advisories/CA-2002-11.html
Reference: CONFIRM:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309
Reference: CERT-VN:VU#635811
Reference: URL:http://www.kb.cert.org/vuls/id/635811
Reference: BID:4674
Reference: URL:http://www.securityfocus.com/bid/4674
Reference: XF:solaris-cachefsd-name-bo(8999)
Reference: URL:http://www.iss.net/security_center/static/8999.php
Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd
allows remote attackers to execute arbitrary code via a request with a
long directory and cache name.
Modifications:
ADDREF XF:solaris-cachefsd-name-bo(8999)
DESC change "heap overflow" to "heap-based buffer overflow"
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0033 ACCEPT (6 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
MODIFY(1) Frech
NOOP(2) Cox, Christey
Voter Comments:
Christey> Note: this is a different vulnerability than CAN-2002-0084.
However, if there are different patches for the 2 issues, then
they may need to be merged per CD:SF-LOC.
Frech> XF:solaris-cachefsd-name-bo(8999)
======================================================
Candidate: CAN-2002-0042
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0042
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020116
Category: SF
Reference: SGI:20020402-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020402-01-P
Reference: XF:irix-xfs-dos(8839)
Reference: URL:http://www.iss.net/security_center/static/8839.php
Reference: BID:4511
Reference: URL:http://www.securityfocus.com/bid/4511
Vulnerability in the XFS file system for SGI IRIX before 6.5.12 allows
local users to cause a denial of service (hang) by creating a file
that is not properly processed by XFS.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0042 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0054
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0054
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020315
Assigned: 20020202
Category: SF
Reference: MS:MS02-011
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-011.asp
Reference: BID:4205
Reference: URL:http://www.securityfocus.com/bid/4205
Reference: BUGTRAQ:20020301 IIS SMTP component allows mail relaying via Null Session
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101501580409373&w=2
SMTP service in (1) Microsoft Windows 2000 and (2) Internet Mail
Connector (IMC) in Exchange Server 5.5 does not properly handle
responses to NTLM authentication, which allows remote attackers to
perform mail relaying via an SMTP AUTH command using null session
credentials.
Modifications:
ADDREF BID:4205
ADDREF BUGTRAQ:20020301 IIS SMTP component allows mail relaying via Null Session
DESC add "SMTP AUTH" and null session info to desc
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0054 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Ziese, Wall, Foat, Cole, Green
NOOP(1) Christey
Voter Comments:
Christey> Consider adding BID:4205
Christey> BUGTRAQ:20020301 IIS SMTP component allows mail relaying via Null Session
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101501580409373&w=2
Add details to desc, specifically that the issue is related
to null sessions and SMTP AUTH.
======================================================
Candidate: CAN-2002-0061
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0061
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020611
Assigned: 20020213
Category: SF
Reference: BUGTRAQ:20020321 Vulnerability in Apache for Win32 batch file processing - Remote command execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101674082427358&w=2
Reference: BUGTRAQ:20020325 Apache 1.3.24 Released! (fwd)
Reference: URL:http://online.securityfocus.com/archive/1/263927
Reference: XF:apache-dos-batch-command-execution(8589)
Reference: URL:http://www.iss.net/security_center/static/8589.php
Reference: BID:4335
Reference: URL:http://www.securityfocus.com/bid/4335
Reference: CONFIRM:http://www.apacheweek.com/issues/02-03-29#apache1324
Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows
remote attackers to execute arbitrary commands via shell
metacharacters (a | pipe character) provided as arguments to batch
(.bat) or .cmd scripts, which are sent unfiltered to the shell
interpreter, typically cmd.exe.
Modifications:
ADDREF CONFIRM:http://www.apacheweek.com/issues/02-03-29#apache1324
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0061 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Green
MODIFY(1) Cox
NOOP(1) Christey
Voter Comments:
Christey> Consider adding BID:4335
Christey> XF:apache-dos-batch-command-execution(8589)
URL:http://www.iss.net/security_center/static/8589.php
Cox> ADDREF: http://www.apacheweek.com/issues/02-03-29#apache1324
======================================================
Candidate: CAN-2002-0062
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0062
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-02
Proposed: 20020315
Assigned: 20020213
Category: SF
Reference: REDHAT:RHSA-2002:020
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-020.html
Reference: DEBIAN:DSA-113
Reference: URL:http://www.debian.org/security/2002/dsa-113
Reference: BID:2116
Reference: URL:http://online.securityfocus.com/bid/2116
Reference: XF:gnu-ncurses-window-bo(8222)
Reference: URL:http://www.iss.net/security_center/static/8222.php
Buffer overflow in ncurses 5.0, and the ncurses4 compatibility package
as used in Red Hat Linux, allows local users to gain privileges,
related to "routines for moving the physical cursor and scrolling."
Modifications:
ADDREF BID:2116
DESC clarify ncurses4 package
ADDREF XF:gnu-ncurses-window-bo(8222)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0062 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Ziese, Wall, Cole, Green
NOOP(3) Jones, Foat, Christey
Voter Comments:
Christey> BID:2116
URL:http://online.securityfocus.com/bid/2116
Also need to add other vendor advisories.
Christey> Consider adding BID:2116
Christey> Specifically state that the ncurses4 compatibility package
is Red Hat's. Also say that the problem is in the
"routines for moving the physical cursor and scrolling"
as stated by Daniel Jacobowitz.
======================================================
Candidate: CAN-2002-0067
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0067
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020315
Assigned: 20020219
Category: SF
Reference: BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101431040422095&w=2
Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.4/bugs/
Reference: REDHAT:RHSA-2002:029
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-029.html
Reference: BUGTRAQ:20020222 TSLSA-2002-0031 - squid
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101443252627021&w=2
Reference: MANDRAKE:MDKSA-2002:016
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-016.php
Reference: CALDERA:CSSA-2002-SCO.7
Reference: URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0014.html
Reference: CONECTIVA:CLA-2002:464
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464
Reference: FREEBSD:FreeBSD-SA-02:12
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:12.squid.asc
Reference: XF:squid-htcp-enabled(8261)
Reference: URL:http://www.iss.net/security_center/static/8261.php
Reference: BID:4150
Reference: URL:http://www.securityfocus.com/bid/4150
Squid 2.4 STABLE3 and earlier does not properly disable HTCP, even
when "htcp_port 0" is specified in squid.conf, which could allow
remote attackers to bypass intended access restrictions.
Modifications:
ADDREF BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
ADDREF BUGTRAQ:20020222 TSLSA-2002-0031 - squid
ADDREF MANDRAKE:MDKSA-2002:016
CHANGEREF REDHAT [normalize]
ADDREF CALDERA:CSSA-2002-SCO.7
ADDREF CONECTIVA:CLA-2002:464
ADDREF FREEBSD:FreeBSD-SA-02:12
ADDREF XF:squid-htcp-enabled(8261)
ADDREF BID:4150
DESC change version from STABLE2 to STABLE3
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0067 ACCEPT (6 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(4) Ziese, Wall, Cole, Green
MODIFY(2) Cox, Jones
NOOP(2) Foat, Christey
Voter Comments:
Christey> BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101431040422095&w=2
Christey> BUGTRAQ:20020222 TSLSA-2002-0031 - squid
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101443252627021&w=2
Christey> MANDRAKE:MDKSA-2002:016
Christey> Fix ref: REDHAT:REDHAT:RHSA-2002:029
Jones> Change description to "Squid 2.4 STABLE3 and earlier" (vice
STABLE2). Change description from "...which could allow
remote attackers to bypass intended access restrictions" to
"...which could allow remote attackers to access and/or modify
cached data".
Christey> CALDERA:CSSA-2002-SCO.7
URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0014.html
CONECTIVA:CLA-2002:464
URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464
BUGTRAQ:20020222 TSLSA-2002-0031 - squid
URL:http://archives.neohapsis.com/archives/bugtraq/2002-02/0257.html
MANDRAKE:MDKSA-2002:016
URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-016.php3
FREEBSD:FreeBSD-SA-02:12
URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:12.squid.asc
XF:squid-htcp-enabled(8261)
URL:http://www.iss.net/security_center/static/8261.php
BID:4150
URL:http://www.securityfocus.com/bid/4150
Cox> This references REDHAT:REDHAT:RHSA-2002:029 instead of
REDHAT:RHSA-2002:029
======================================================
Candidate: CAN-2002-0068
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0068
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-02
Proposed: 20020315
Assigned: 20020219
Category: SF
Reference: BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101431040422095&w=2
Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.4/bugs/
Reference: BUGTRAQ:20020222 Squid buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101440163111826&w=2
Reference: REDHAT:RHSA-2002:029
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-029.html
Reference: BUGTRAQ:20020222 TSLSA-2002-0031 - squid
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101443252627021&w=2
Reference: MANDRAKE:MDKSA-2002:016
Reference: CALDERA:CSSA-2002-010.0
Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2002-010.0.txt
Reference: CALDERA:CSSA-2002-SCO.7
Reference: URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0014.html
Reference: CONECTIVA:CLA-2002:464
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464
Reference: SUSE:SuSE-SA:2002:008
Reference: URL:http://www.suse.com/de/support/security/2002_008_squid_txt.html
Reference: FREEBSD:FreeBSD-SA-02:12
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:12.squid.asc
Reference: BID:4148
Reference: URL:http://www.securityfocus.com/bid/4148
Reference: XF:squid-ftpbuildtitleurl-bo(8258)
Reference: URL:http://www.iss.net/security_center/static/8258.php
Squid 2.4 STABLE3 and earlier allows remote attackers to cause a
denial of service (core dump) and possibly execute arbitrary code with
an ftp:// URL with a larger number of special characters, which exceed
the buffer when Squid URL-escapes the characters.
Modifications:
ADDREF BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
ADDREF BUGTRAQ:20020222 TSLSA-2002-0031 - squid
ADDREF MANDRAKE:MDKSA-2002:016
CHANGEREF REDHAT [normalize]
ADDREF CALDERA:CSSA-2002-010.0
ADDREF CALDERA:CSSA-2002-SCO.7
ADDREF CONECTIVA:CLA-2002:464
ADDREF SUSE:SuSE-SA:2002:008
ADDREF BUGTRAQ:20020222 Squid buffer overflow
ADDREF FREEBSD:FreeBSD-SA-02:12
ADDREF BID:4148
ADDREF XF:squid-ftpbuildtitleurl-bo(8258)
DESC add that the problem occurs during escape processing
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0068 ACCEPT (6 accept, 5 ack, 0 review)
Current Votes:
ACCEPT(4) Ziese, Wall, Cole, Green
MODIFY(2) Cox, Jones
NOOP(2) Foat, Christey
Voter Comments:
Christey> BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101431040422095&w=2
Christey> BUGTRAQ:20020222 TSLSA-2002-0031 - squid
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101443252627021&w=2
Christey> MANDRAKE:MDKSA-2002:016
Christey> Fix ref: REDHAT:REDHAT:RHSA-2002:029
Jones> Drop "malformed" from description; legitimate FTP URL with
reasonable userid and password may cause crash. Add enough detail
to distinguish this vulnerability (i.e., the flaw is in
authenticated FTP URL handling).
Reference: BUGTRAQ:20020222 - Squid buffer overflow.
Suggest: "Squid 2.4 STABLE3 and earlier contains a flaw in
handling authenticated FTP URLs (FTP URLs with userID and
passwords) which allows remote attackers to cause a denial of
service (core dump) and possibly execute arbitrary code via
ftp:// URLs."
Christey> fix typo: "possible" should be "possibly"
CALDERA:CSSA-2002-010.0
URL:http://www.caldera.com/support/security/advisories/CSSA-2002-010.0.txt
CALDERA:CSSA-2002-SCO.7
URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0014.html
CONECTIVA:CLA-2002:464
URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464
SUSE:SuSE-SA:2002:008
URL:http://www.suse.com/de/support/security/2002_008_squid_txt.html
BUGTRAQ:20020222 TSLSA-2002-0031 - squid
URL:http://archives.neohapsis.com/archives/bugtraq/2002-02/0257.html
MANDRAKE:MDKSA-2002:016
URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-016.php3
BUGTRAQ:20020222 Squid buffer overflow
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101440163111826&w=2
FREEBSD:FreeBSD-SA-02:12
URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:12.squid.asc
BID:4148
URL:http://www.securityfocus.com/bid/4148
XF:squid-ftpbuildtitleurl-bo(8258)
URL:http://www.iss.net/security_center/static/8258.php
Cox> This references REDHAT:REDHAT:RHSA-2002:029 instead of
REDHAT:RHSA-2002:029
Christey> See Bugtraq post for more information... the problem isn't
a malformed URL, it's that the string exceeds the buffer
size when it is URL-escaped.
======================================================
Candidate: CAN-2002-0069
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0069
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020315
Assigned: 20020219
Category: SF
Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.4/bugs/
Reference: REDHAT:RHSA-2002:029
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-029.html
Reference: BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101431040422095&w=2
Reference: BUGTRAQ:20020222 TSLSA-2002-0031 - squid
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101443252627021&w=2
Reference: MANDRAKE:MDKSA-2002:016
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-016.php
Reference: CALDERA:CSSA-2002-SCO.7
Reference: URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0014.html
Reference: CONECTIVA:CLA-2002:464
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464
Reference: FREEBSD:FreeBSD-SA-02:12
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:12.squid.asc
Reference: XF:squid-snmp-dos(8260)
Reference: URL:http://www.iss.net/security_center/static/8260.php
Reference: BID:4146
Reference: URL:http://www.securityfocus.com/bid/4146
Memory leak in SNMP in Squid 2.4 STABLE3 and earlier allows remote
attackers to cause a denial of service.
Modifications:
DESC change STABLE2 to STABLE3
ADDREF BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
ADDREF BUGTRAQ:20020222 TSLSA-2002-0031 - squid
ADDREF MANDRAKE:MDKSA-2002:016
CHANGEREF REDHAT [normalize]
ADDREF CALDERA:CSSA-2002-SCO.7
ADDREF CONECTIVA:CLA-2002:464
ADDREF FREEBSD:FreeBSD-SA-02:12
ADDREF XF:squid-snmp-dos(8260)
ADDREF BID:4146
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0069 ACCEPT (6 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(4) Ziese, Wall, Cole, Green
MODIFY(2) Cox, Jones
NOOP(2) Foat, Christey
Voter Comments:
Christey> BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101431040422095&w=2
Need to add version number to description (2.4)
Christey> BUGTRAQ:20020222 TSLSA-2002-0031 - squid
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101443252627021&w=2
Christey> MANDRAKE:MDKSA-2002:016
Christey> Fix ref: REDHAT:REDHAT:RHSA-2002:029
Jones> Add version info to description (like 2002-0068): Squid 2.4
STABLE3 and earlier.
Christey> CALDERA:CSSA-2002-SCO.7
URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0014.html
CONECTIVA:CLA-2002:464
URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464
BUGTRAQ:20020222 TSLSA-2002-0031 - squid
URL:http://archives.neohapsis.com/archives/bugtraq/2002-02/0257.html
MANDRAKE:MDKSA-2002:016
URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-016.php3
FREEBSD:FreeBSD-SA-02:12
URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:12.squid.asc
XF:squid-snmp-dos(8260)
URL:http://www.iss.net/security_center/static/8260.php
BID:4146
URL:http://www.securityfocus.com/bid/4146
Cox> This references REDHAT:REDHAT:RHSA-2002:029 instead of
REDHAT:RHSA-2002:029
======================================================
Candidate: CAN-2002-0071
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0071
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-03
Proposed: 20020502
Assigned: 20020221
Category: SF
Reference: ATSTAKE:A041002-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a041002-1.txt
Reference: BUGTRAQ:20020411 KPMG-2002010: Microsoft IIS .htr ISAPI buffer overrun
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101854087828265&w=2
Reference: VULNWATCH:20020411 [VulnWatch] KPMG-2002010: Microsoft IIS .htr ISAPI buffer overrun
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: CERT-VN:VU#363715
Reference: URL:http://www.kb.cert.org/vuls/id/363715
Reference: XF:iis-htr-isapi-bo(8799)
Reference: URL:http://www.iss.net/security_center/static/8799.php
Reference: BID:4474
Reference: URL:http://www.securityfocus.com/bid/4474
Buffer overflow in the ism.dll ISAPI extension that implements HTR
scripting in Internet Information Server (IIS) 4.0 and 5.0 allows
attackers to cause a denial of service or execute arbitrary code via
HTR requests with long variable names.
Modifications:
ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
ADDREF XF:iis-htr-isapi-bo(8799)
ADDREF BID:4474
ADDREF CERT-VN:VU#363715
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0071 ACCEPT (6 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(2) Cox, Christey
Voter Comments:
Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Frech> XF:iis-htr-isapi-bo(8799)
======================================================
Candidate: CAN-2002-0072
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0072
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020502
Assigned: 20020221
Category: SF
Reference: BUGTRAQ:20020411 KPMG-2002009: Microsoft IIS W3SVC Denial of Service
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101853851025208&w=2
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CERT-VN:VU#521059
Reference: URL:http://www.kb.cert.org/vuls/id/521059
Reference: XF:iis-isapi-filter-error-dos(8800)
Reference: URL:http://www.iss.net/security_center/static/8800.php
Reference: BID:4479
Reference: URL:http://www.securityfocus.com/bid/4479
The w3svc.dll ISAPI filter in Front Page Server Extensions and ASP.NET
for Internet Information Server (IIS) 4.0, 5.0, and 5.1 does not
properly handle the error condition when a long URL is provided, which
allows remote attackers to cause a denial of service (crash) when the
URL parser accesses a null pointer.
Modifications:
ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
ADDREF CERT-VN:VU#521059
ADDREF XF:iis-isapi-filter-error-dos(8800)
ADDREF BID:4479
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0072 ACCEPT (6 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(2) Cox, Christey
Voter Comments:
Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Christey> CERT-VN:VU#521059
URL:http://www.kb.cert.org/vuls/id/521059
XF:iis-isapi-filter-error-dos(8800)
URL:http://www.iss.net/security_center/static/8800.php
BID:4479
URL:http://www.securityfocus.com/bid/4479
Frech> XF:iis-isapi-filter-error-dos(8800)
======================================================
Candidate: CAN-2002-0073
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0073
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-02
Proposed: 20020502
Assigned: 20020221
Category: SF
Reference: VULNWATCH:20020416 [VulnWatch] Microsoft FTP Service STAT Globbing DoS
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0023.html
Reference: BUGTRAQ:20020417 Microsoft FTP Service STAT Globbing DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101901273810598&w=2
Reference: MISC:http://www.digitaloffense.net/msftpd/advisory.txt
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: XF:iis-ftp-session-status-dos(8801)
Reference: URL:http://www.iss.net/security_center/static/8801.php
The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1
allows attackers who have established an FTP session to cause a denial
of service via a specially crafted status request containing glob
characters.
Modifications:
ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
ADDREF VULNWATCH:20020416 [VulnWatch] Microsoft FTP Service STAT Globbing DoS
ADDREF XF:iis-ftp-session-status-dos(8801)
DESC add details as given in Vulnwatch post
ADDREF BUGTRAQ:20020417 Microsoft FTP Service STAT Globbing DoS
ADDREF MISC:http://www.digitaloffense.net/msftpd/advisory.txt
Analysis
--------
Vendor Acknowledgement: yes advisory
ACCURACY: Microsoft confirmed via e-mail that this is the issue
described in the VulnWatch post of April 16, 2002.
INFERRED ACTION: CAN-2002-0073 ACCEPT (6 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(2) Cox, Christey
Voter Comments:
Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Christey> Looks like this might be related to:
VULNWATCH:20020416 [VulnWatch] Microsoft FTP Service STAT Globbing DoS
URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0023.html
Christey> Yep, confirmed by MS.
Frech> XF:iis-ftp-session-status-dos(8801)
======================================================
Candidate: CAN-2002-0074
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0074
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020221
Category: SF
Reference: BUGTRAQ:20020410 Cgisecurity Advisory #9: Novell Websearch, and Microsoft IIS XSS Issues
Reference: URL:http://online.securityfocus.com/archive/1/266888
Reference: MISC:http://www.cgisecurity.com/advisory/9.txt
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CERT-VN:VU#883091
Reference: URL:http://www.kb.cert.org/vuls/id/883091
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: XF:iis-help-file-css(8802)
Reference: URL:http://www.iss.net/security_center/static/8802.php
Reference: BID:4483
Reference: URL:http://www.securityfocus.com/bid/4483
Cross-site scripting vulnerability in Help File search facility for
Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote
attackers to embed scripts into another user's session.
Modifications:
ADDREF MISC:http://www.cgisecurity.com/advisory/9.txt
ADDREF BUGTRAQ:20020410 Cgisecurity Advisory #9: Novell Websearch, and Microsoft IIS XSS Issues
ADDREF CERT-VN:VU#883091
ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
ADDREF XF:iis-help-file-css(8802)
ADDREF BID:4483
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0074 ACCEPT (6 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(2) Cox, Christey
Voter Comments:
Christey> MISC:http://www.cgisecurity.com/advisory/9.txt
BUGTRAQ:20020410 Cgisecurity Advisory #9: Novell Websearch, and Microsoft IIS XSS Issues
URL:http://online.securityfocus.com/archive/1/266888
CERT-VN:VU#883091
URL:http://www.kb.cert.org/vuls/id/883091
Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Frech> XF:iis-help-file-css(8802)
======================================================
Candidate: CAN-2002-0075
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0075
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020221
Category: SF
Reference: BUGTRAQ:20020411 [SNS Advisory No.49] A Possibility of Internet Information Server/Services Cross Site Scripting
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101854677802990&w=2
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: CERT-VN:VU#520707
Reference: URL:http://www.kb.cert.org/vuls/id/520707
Reference: XF:iis-redirected-url-error-css(8804)
Reference: URL:http://www.iss.net/security_center/static/8804.php
Reference: BID:4487
Reference: URL:http://www.securityfocus.com/bid/4487
Cross-site scripting vulnerability for Internet Information Server
(IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary
script as other web users via the error message used in a URL redirect
("302 Object Moved") message.
Modifications:
ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
ADDREF XF:iis-redirected-url-error-css(8804)
ADDREF CERT-VN:VU#520707
ADDREF BID:4487
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0075 ACCEPT (6 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(2) Cox, Christey
Voter Comments:
Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Frech> XF:iis-redirected-url-error-css(8804)
======================================================
Candidate: CAN-2002-0076
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0076
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020221
Category: SF
Reference: MS:MS02-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-013.asp
Reference: SUN:00218
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/218
Reference: COMPAQ:SSRT0822
Reference: BID:4313
Reference: XF:java-vm-verifier-variant(8480)
Reference: URL:http://www.iss.net/security_center/static/8480.php
Java Runtime Environment (JRE) Bytecode Verifier allows remote
attackers to escape the Java sandbox and execute commands via an
applet containing an illegal cast operation, as seen in (1) Microsoft
VM build 3802 and earlier as used in Internet Explorer 4.x and 5.x,
(2) Netscape 6.2.1 and earlier, and possibly other implementations
that use vulnerable versions of SDK or JDK, aka a variant of the
"Virtual Machine Verifier" vulnerability.
Modifications:
ADDREF BID:4313
ADDREF COMPAQ:SSRT0822
ADDREF XF:java-vm-verifier-variant(8480)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0076 ACCEPT (5 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(4) Wall, Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(3) Cox, Foat, Christey
Voter Comments:
Christey> Consider adding BID:4313
Christey> ADDREF COMPAQ:SSRT0822
Christey> COMPAQ:SSRT0822
Frech> XF:java-vm-verifier-variant(8480)
======================================================
Candidate: CAN-2002-0079
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0079
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020221
Category: SF
Reference: BUGTRAQ:20020410 Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101846993304518&w=2
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: CERT-VN:VU#610291
Reference: URL:http://www.kb.cert.org/vuls/id/610291
Reference: XF:iis-asp-chunked-encoding-bo(8795)
Reference: URL:http://www.iss.net/security_center/static/8795.php
Reference: BID:4485
Reference: URL:http://www.securityfocus.com/bid/4485
Buffer overflow in the chunked encoding transfer mechanism in Internet
Information Server (IIS) 4.0 and 5.0 Active Server Pages allows
attackers to cause a denial of service or execute arbitrary code.
Modifications:
ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
ADDREF CERT-VN:VU#610291
ADDREF BID:4485
ADDREF XF:iis-asp-chunked-encoding-bo(8795)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0079 ACCEPT (6 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(2) Cox, Christey
Voter Comments:
Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Christey> XF:iis-asp-chunked-encoding-bo(8795)
URL:http://www.iss.net/security_center/static/8795.php
BID:4485
URL:http://www.securityfocus.com/bid/4485
CERT-VN:VU#610291
URL:http://www.kb.cert.org/vuls/id/610291
Frech> XF:iis-asp-chunked-encoding-bo(8795)
======================================================
Candidate: CAN-2002-0094
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0094
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020102 BSCW: Vulnerabilities and Problems
Reference: URL:http://www.securityfocus.com/archive/1/248000
Reference: MISC:http://bscw.gmd.de/WhatsNew.html
Reference: BID:3776
Reference: URL:http://www.securityfocus.com/bid/3776
Reference: XF:bscw-remote-shell-execution(7774)
Reference: URL:http://www.iss.net/security_center/static/7774.php
config_converters.py in BSCW (Basic Support for Cooperative Work) 3.x
and versions before 4.06 allows remote attackers to execute arbitrary
commands via shell metacharacters in the file name during filename
conversion.
Analysis
--------
Vendor Acknowledgement: unknown vague
ACKNOWLEDGEMENT: The entry dated December 21, 2001 on the vendor's
"What's New" page states "The new release fixes a number of bugs and
security issues," but this is too vague to be certain that the vendor
has fixed *this* problem.
INFERRED ACTION: CAN-2002-0094 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Frech, Cole, Green
NOOP(3) Ziese, Wall, Foat
======================================================
Candidate: CAN-2002-0095
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0095
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020102 BSCW: Vulnerabilities and Problems
Reference: URL:http://www.securityfocus.com/archive/1/248000
Reference: BID:3777
Reference: URL:http://www.securityfocus.com/bid/3777
Reference: XF:bscw-default-installation-registration(7775)
Reference: URL:http://www.iss.net/security_center/static/7775.php
The default configuration of BSCW (Basic Support for Cooperative Work)
3.x and possibly version 4 enables user self registration, which could
allow remote attackers to upload files and possibly join a user
community that was intended to be closed.
Analysis
--------
Vendor Acknowledgement: unknown vague
ACKNOWLEDGEMENT: The entry dated December 21, 2001 on the vendor's
"What's New" page states "The new release fixes a number of bugs and
security issues," but this is too vague to be certain that the vendor
has fixed *this* problem.
INFERRED ACTION: CAN-2002-0095 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Frech, Cole, Green
NOOP(3) Ziese, Wall, Foat
======================================================
Candidate: CAN-2002-0120
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0120
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020112 Palm Desktop 4.0b76-77 for Mac OS X
Reference: URL:http://online.securityfocus.com/archive/1/250093
Reference: BID:3863
Reference: URL:http://online.securityfocus.com/bid/3863
Reference: XF:palm-macos-backup-permissions(7937)
Reference: URL:http://www.iss.net/security_center/static/7937.php
Apple Palm Desktop 4.0b76 and 4.0b77 creates world-readable backup
files and folders when a hotsync is performed, which could allow a
local user to obtain sensitive information.
Analysis
--------
Vendor Acknowledgement: unknown
INFERRED ACTION: CAN-2002-0120 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Frech, Foat, Green
NOOP(2) Wall, Cole
======================================================
Candidate: CAN-2002-0123
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0123
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020114 Web Server 4D/eCommerce 3.5.3 DoS Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/250242
Reference: BID:3874
Reference: URL:http://online.securityfocus.com/bid/3874
Reference: XF:ws4d-long-url-dos(7879)
Reference: URL:http://www.iss.net/security_center/static/7879.php
MDG Computer Services Web Server 4D WS4D/eCommerce 3.0 and earlier,
and possibly 3.5.3, allows remote attackers to cause a denial of
service and possibly execute arbitrary commands via a long HTTP
request.
Analysis
--------
Vendor Acknowledgement: yes via-email
ACKNOWLEDGEMENT: inquiry sent to support@mdg.com on 3/11/2002.
Response received on 3/12/2002 states "This vulnerability was not in
3.5.3, but rather version 3.0 or earlier. It was from some time ago."
So, it is not entirely clear whether the discloser correctly reported
the version, or if the problem was re-introduced, or appears in a
slightly different distribution.
INFERRED ACTION: CAN-2002-0123 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Frech, Cole, Green
NOOP(4) Ziese, Balinsky, Wall, Foat
Voter Comments:
Green> website is very vague regarding vulnerabilities, but the upgrade message is clear enough.
======================================================
Candidate: CAN-2002-0146
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0146
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020611
Assigned: 20020318
Category: SF
Reference: REDHAT:RHSA-2002:047
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-047.html
Reference: CALDERA:CSSA-2002-027.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-027.0.txt
Reference: HP:HPSBTL0205-042
Reference: URL:http://online.securityfocus.com/advisories/4145
Reference: MANDRAKE:MDKSA-2002:036
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-036.php
Reference: BID:4788
Reference: URL:http://www.securityfocus.com/bid/4788
Reference: XF:fetchmail-imap-msgnum-bo(9133)
Reference: URL:http://www.iss.net/security_center/static/9133.php
fetchmail email client before 5.9.10 does not properly limit the
maximum number of messages available, which allows a remote IMAP
server to overwrite memory via a message count that exceeds the
boundaries of an array.
Modifications:
ADDREF CALDERA:CSSA-2002-027.0
ADDREF HP:HPSBTL0205-042
ADDREF MANDRAKE:MDKSA-2002:036
ADDREF BID:4788
ADDREF XF:fetchmail-imap-msgnum-bo(9133)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0146 ACCEPT (6 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
MODIFY(1) Frech
NOOP(2) Christey, Foat
Voter Comments:
Christey> CALDERA:CSSA-2002-027.0
URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-027.0.txt
HP:HPSBTL0205-042
URL:http://online.securityfocus.com/advisories/4145
MANDRAKE:MDKSA-2002:036
URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-036.php
BID:4788
URL:http://www.securityfocus.com/bid/4788
XF:fetchmail-imap-msgnum-bo(9133)
URL:http://www.iss.net/security_center/static/9133.php
Frech> XF:fetchmail-imap-msgnum-bo(9133)
======================================================
Candidate: CAN-2002-0147
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0147
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020319
Category: SF
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: CERT-VN:VU#669779
Reference: URL:http://www.kb.cert.org/vuls/id/669779
Reference: BID:4490
Reference: URL:http://www.securityfocus.com/bid/4490
Reference: XF:iis-asp-data-transfer-bo(8796)
Reference: URL:http://www.iss.net/security_center/static/8796.php
Buffer overflow in the ASP data transfer mechanism in Internet
Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to
cause a denial of service or execute code, aka "Microsoft-discovered
variant of Chunked Encoding buffer overrun."
Modifications:
ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
ADDREF CERT-VN:VU#669779
ADDREF BID:4490
ADDREF XF:iis-asp-data-transfer-bo(8796)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0147 ACCEPT (6 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(2) Christey, Cox
Voter Comments:
Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Christey> CERT-VN:VU#669779
URL:http://www.kb.cert.org/vuls/id/669779
BID:4490
URL:http://www.securityfocus.com/bid/4490
Frech> XF:iis-asp-data-transfer-bo(8796)
======================================================
Candidate: CAN-2002-0148
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0148
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020319
Category: SF
Reference: BUGTRAQ:20020410 IIS allows universal CrossSiteScripting
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: XF:iis-http-error-page-css(8803)
Reference: URL:http://www.iss.net/security_center/static/8803.php
Reference: CERT-VN:VU#886699
Reference: URL:http://www.kb.cert.org/vuls/id/886699
Reference: BID:4486
Reference: URL:http://www.securityfocus.com/bid/4486
Cross-site scripting vulnerability in Internet Information Server
(IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary
script as other users via an HTTP error page.
Modifications:
ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
ADDREF XF:iis-http-error-page-css(8803)
ADDREF CERT-VN:VU#886699
ADDREF BID:4486
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0148 ACCEPT (6 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(2) Christey, Cox
Voter Comments:
Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Frech> XF:iis-http-error-page-css(8803)
======================================================
Candidate: CAN-2002-0149
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0149
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020319
Category: SF
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: CERT-VN:VU#721963
Reference: URL:http://www.kb.cert.org/vuls/id/721963
Reference: XF:iis-ssi-safety-check-bo(8798)
Reference: URL:http://www.iss.net/security_center/static/8798.php
Reference: BID:4478
Reference: URL:http://www.securityfocus.com/bid/4478
Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0
and 5.1 allows remote attackers to cause a denial of service and
possibly execute arbitrary code via long file names.
Modifications:
ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
ADDREF XF:iis-ssi-safety-check-bo(8798)
ADDREF CERT-VN:VU#721963
ADDREF BID:4478
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0149 ACCEPT (6 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(2) Christey, Cox
Voter Comments:
Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Frech> XF:iis-ssi-safety-check-bo(8798)
======================================================
Candidate: CAN-2002-0150
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0150
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020319
Category: SF
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: CERT-VN:VU#454091
Reference: URL:http://www.kb.cert.org/vuls/id/454091
Reference: XF:iis-asp-http-header-bo(8797)
Reference: URL:http://www.iss.net/security_center/static/8797.php
Reference: BID:4476
Reference: URL:http://www.securityfocus.com/bid/4476
Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1
allows remote attackers to spoof the safety check for HTTP headers and
cause a denial of service or execute arbitrary code via HTTP header
field values.
Modifications:
ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
ADDREF XF:iis-asp-http-header-bo(8797)
ADDREF CERT-VN:VU#454091
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0150 ACCEPT (6 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(2) Christey, Cox
Voter Comments:
Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Frech> XF:iis-asp-http-header-bo(8797)
======================================================
Candidate: CAN-2002-0155
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0155
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020319
Category: SF
Reference: BUGTRAQ:20020508 ADVISORY: MSN Messenger OCX Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102089960531919&w=2
Reference: VULNWATCH:20020508 [VulnWatch] ADVISORY: MSN Messenger OCX Buffer Overflow
Reference: MS:MS02-022
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-022.asp
Reference: CERT:CA-2002-13
Reference: URL:http://www.cert.org/advisories/CA-2002-13.html
Reference: XF:msn-chatcontrol-resdll-bo(9041)
Reference: URL:http://www.iss.net/security_center/static/9041.php
Reference: BID:4707
Reference: URL:http://www.securityfocus.com/bid/4707
Buffer overflow in Microsoft MSN Chat ActiveX Control, as used in MSN
Messenger 4.5 and 4.6, and Exchange Instant Messenger 4.5 and 4.6,
allows remote attackers to execute arbitrary code via a long ResDLL
parameter in the MSNChat OCX.
Modifications:
ADDREF XF:msn-chatcontrol-resdll-bo(9041)
ADDREF BID:4707
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0155 ACCEPT (6 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
MODIFY(1) Frech
NOOP(2) Christey, Cox
Voter Comments:
Christey> XF:msn-chatcontrol-resdll-bo(9041)
URL:http://www.iss.net/security_center/static/9041.php
BID:4707
URL:http://www.securityfocus.com/bid/4707
Frech> XF:msn-chatcontrol-resdll-bo(9041)
======================================================
Candidate: CAN-2002-0157
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0157
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020325
Category: SF
Reference: BUGTRAQ:20020502 R7-0003: Nautilus Symlink Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/270691/2002-04-29/2002-05-05/0
Reference: REDHAT:RHSA-2002:064
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-064.html
Reference: XF:nautilus-metafile-xml-symlink(8995)
Reference: URL:http://www.iss.net/security_center/static/8995.php
Reference: BID:4373
Reference: URL:http://www.securityfocus.com/bid/4373
Nautilus 1.0.4 and earlier allows local users to overwrite arbitrary
files via a symlink attack on the .nautilus-metafile.xml metadata
file.
Modifications:
ADDREF XF:nautilus-metafile-xml-symlink(8995)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0157 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> XF:nautilus-metafile-xml-symlink(8995)
======================================================
Candidate: CAN-2002-0163
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0163
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020328
Category: SF
Reference: CONFIRM:http://www.squid-cache.org/Advisories/SQUID-2002_2.txt
Reference: FREEBSD:FreeBSD-SA-02:19
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:19.squid.asc
Reference: MANDRAKE:MDKSA-2002:027
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-027.php
Reference: BUGTRAQ:20020326 updated squid advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101716495023226&w=2
Reference: CALDERA:CSSA-2002-017.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-017.1.txt
Reference: CALDERA:CSSA-2002-SCO.26
Reference: REDHAT:RHSA-2002:051
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-051.html
Reference: BID:4363
Reference: URL:http://www.securityfocus.com/bid/4363
Reference: XF:squid-dns-reply-dos(8628)
Reference: URL:http://www.iss.net/security_center/static/8628.php
Heap-based buffer overflow in Squid before 2.4 STABLE4, and Squid 2.5
and 2.6 until March 12, 2002 distributions, allows remote attackers to
cause a denial of service, and possibly execute arbitrary code, via
compressed DNS responses.
Modifications:
ADDREF BID:4363
ADDREF XF:squid-dns-reply-dos(8628)
ADDREF BUGTRAQ:20020326 updated squid advisory
ADDREF CALDERA:CSSA-2002-017.0
ADDREF FREEBSD:FreeBSD-SA-02:19
ADDREF CALDERA:CSSA-2002-SCO.26
ADDREF REDHAT:RHSA-2002:051
DESC change "heap overflow" to "heap-based buffer overflow"
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0163 ACCEPT (5 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(4) Cox, Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(3) Christey, Wall, Foat
Voter Comments:
Christey> BID:4363
URL:http://www.securityfocus.com/bid/4363
XF:squid-dns-reply-dos(8628)
URL:http://www.iss.net/security_center/static/8628.php
BUGTRAQ:20020326 updated squid advisory
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101716495023226&w=2
CALDERA:CSSA-2002-017.0
MANDRAKE:MDKSA-2002:027
FREEBSD:FreeBSD-SA-02:19
Christey> CALDERA:CSSA-2002-017.1
URL:http://www.caldera.com/support/security/advisories/CSSA-2002-017.1.txt
BID:4363
URL:http://www.securityfocus.com/bid/4363
Christey> CALDERA:CSSA-2002-SCO.26
Christey> REDHAT:RHSA-2002:051 (per Mark Cox)
Frech> XF:squid-dns-reply-dos(8628)
======================================================
Candidate: CAN-2002-0169
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0169
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020611
Assigned: 20020411
Category: CF
Reference: REDHAT:RHSA-2002:062
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-062.html
Reference: HP:HPSBTL0205-038
Reference: URL:http://online.securityfocus.com/advisories/4095
Reference: XF:linux-docbook-stylesheet-insecure(8983)
Reference: URL:http://www.iss.net/security_center/static/8983.php
Reference: BID:4654
Reference: URL:http://online.securityfocus.com/bid/4654
The default stylesheet for DocBook on Red Hat Linux 6.2 through 7.2 is
installed with an insecure option enabled, which could allow users to
overwrite files outside of the current directory from an untrusted
document by using a full pathname as an element identifier.
Modifications:
ADDREF HP:HPSBTL0205-038
ADDREF XF:linux-docbook-stylesheet-insecure(8983)
ADDREF BID:4654
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0169 ACCEPT (6 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> XF:linux-docbook-stylesheet-insecure(8983)
======================================================
Candidate: CAN-2002-0170
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0170
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020411
Category: SF
Reference: BUGTRAQ:20020301 [matt@zope.com: [Zope-Annce] Zope Hotfix 2002-03-01 (Ownership Roles Enforcement)]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101503023511996&w=2
Reference: CONFIRM:http://www.zope.org/Products/Zope/hotfixes/
Reference: REDHAT:RHSA-2002:060
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-060.html
Reference: XF:zope-proxy-role-privileges(8334)
Reference: URL:http://www.iss.net/security_center/static/8334.php
Reference: BID:4229
Reference: URL:http://www.securityfocus.com/bid/4229
Zope 2.2.0 through 2.5.1 does not properly verify the access for
objects with proxy roles, which could allow some users to access
documents in violation of the intended configuration.
Modifications:
ADDREF REDHAT:RHSA-2002:060
ADDREF XF:zope-proxy-role-privileges(8334)
ADDREF BID:4229
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0170 ACCEPT (5 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Cox, Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(3) Christey, Wall, Foat
Voter Comments:
Frech> XF:zope-proxy-role-privileges(8334)
Christey> REDHAT:RHSA-2002:060
URL:http://www.redhat.com/support/errata/RHSA-2002-060.html
======================================================
Candidate: CAN-2002-0171
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0171
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020411
Category: SF
Reference: SGI:20020406-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020406-01-P
Reference: XF:irix-irisconsole-icadmin-access(8933)
Reference: URL:http://www.iss.net/security_center/static/8933.php
Reference: BID:4588
Reference: URL:http://www.securityfocus.com/bid/4588
IRISconsole 2.0 may allow users to log into the icadmin account with
an incorrect password in some circumstances, which could allow users
to gain privileges.
Modifications:
ADDREF XF:irix-irisconsole-icadmin-access(8933)
ADDREF BID:4588
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0171 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(3) Cox, Wall, Foat
Voter Comments:
Frech> XF:irix-irisconsole-icadmin-access(8933)
======================================================
Candidate: CAN-2002-0172
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0172
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020411
Category: CF
Reference: SGI:20020408-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020408-01-I
Reference: XF:irix-ipfilter-dos(8960)
Reference: URL:http://www.iss.net/security_center/static/8960.php
Reference: BID:4648
Reference: URL:http://online.securityfocus.com/bid/4648
/dev/ipfilter on SGI IRIX 6.5 is installed by /dev/MAKEDEV with
insecure default permissions (644), which could allow a local user to
cause a denial of service (traffic disruption).
Modifications:
ADDREF XF:irix-ipfilter-dos(8960)
ADDREF BID:4648
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0172 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> BID:4648
URL:http://online.securityfocus.com/bid/4648
Frech> XF:irix-ipfilter-dos(8960)
======================================================
Candidate: CAN-2002-0173
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0173
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020411
Category: SF
Reference: SGI:20020409-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020409-01-I
Reference: BID:4644
Reference: URL:http://www.securityfocus.com/bid/4644
Reference: XF:irix-cpr-bo(8959)
Reference: URL:http://www.iss.net/security_center/static/8959.php
Buffer overflow in cpr for the eoe.sw.cpr SGI Checkpoint-Restart
Software package on SGI IRIX 6.5.10 and earlier may allow local users
to gain root privileges.
Modifications:
ADDREF BID:4644
ADDREF XF:irix-cpr-bo(8959)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0173 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> BID:4644
URL:http://www.securityfocus.com/bid/4644
Frech> XF:irix-cpr-bo(8959)
======================================================
Candidate: CAN-2002-0174
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0174
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020411
Category: SF
Reference: SGI:20020501-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020501-01-I
Reference: XF:irix-nsd-symlink(8981)
Reference: URL:http://www.iss.net/security_center/static/8981.php
Reference: BID:4655
Reference: URL:http://www.securityfocus.com/bid/4655
nsd on SGI IRIX before 6.5.11 allows local users to overwrite
arbitrary files and gain root privileges via a symlink attack on the
nsd.dump file.
Modifications:
ADDREF XF:irix-nsd-symlink(8981)
ADDREF BID:4655
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0174 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
MODIFY(1) Frech
NOOP(3) Cox, Wall, Foat
Voter Comments:
Frech> XF:irix-nsd-symlink(8981)
======================================================
Candidate: CAN-2002-0178
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0178
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020611
Assigned: 20020417
Category: SF
Reference: MISC:http://www.aerasec.de/security/index.html?id=ae-200204-033&lang=en
Reference: REDHAT:RHSA-2002:065
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-065.html
Reference: HP:HPSBTL0205-040
Reference: URL:http://online.securityfocus.com/advisories/4132
Reference: MANDRAKE:MDKSA-2002:052
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-052.php
Reference: XF:sharutils-uudecode-symlink(9075)
Reference: URL:http://www.iss.net/security_center/static/9075.php
Reference: BID:4742
Reference: URL:http://www.securityfocus.com/bid/4742
Reference: BUGTRAQ:20021030 GLSA: sharutils
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103599320902432&w=2
Reference: CERT-VN:VU#336083
Reference: URL:http://www.kb.cert.org/vuls/id/336083
Reference: CALDERA:CSSA-2002-040.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-040.0.txt
Reference: COMPAQ:SSRT2301
uudecode, as available in the sharutils package before 4.2.1, does not
check whether the filename of the uudecoded file is a pipe or symbolic
link, which could allow attackers to overwrite files or execute
commands.
Modifications:
ADDREF HP:HPSBTL0205-040
ADDREF MANDRAKE:MDKSA-2002:052
ADDREF XF:sharutils-uudecode-symlink(9075)
ADDREF BID:4742
ADDREF MISC:http://www.aerasec.de/security/index.html?id=ae-200204-033&lang=en
ADDREF BUGTRAQ:20021030 GLSA: sharutils
ADDREF CERT-VN:VU#336083
ADDREF CALDERA:CSSA-2002-040.0
ADDREF COMPAQ:SSRT2301
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0178 ACCEPT (6 accept, 5 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Green
MODIFY(1) Cox
NOOP(1) Christey
Voter Comments:
Cox> ADDREF: http://www.aerasec.de/security/index.html?id=ae-200204-033&lang=en
Christey> HP:HPSBTL0205-040
URL:http://online.securityfocus.com/advisories/4132
XF:sharutils-uudecode-symlink(9075)
URL:http://www.iss.net/security_center/static/9075.php
BID:4742
URL:http://www.securityfocus.com/bid/4742
Christey> MANDRAKE:MDKSA-2002:052
Christey> BUGTRAQ:20021030 GLSA: sharutils
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103599320902432&w=2
CERT-VN:VU#336083
URL:http://www.kb.cert.org/vuls/id/336083
Christey> CALDERA:CSSA-2002-040.0
Christey> COMPAQ:SSRT2301
CERT-VN:VU#336083
URL:http://www.kb.cert.org/vuls/id/336083
======================================================
Candidate: CAN-2002-0181
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0181
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020502
Assigned: 20020417
Category: SF
Reference: BUGTRAQ:20020406 IMP 2.2.8 (SECURITY) released
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101828033830744&w=2
Reference: DEBIAN:DSA-126
Reference: URL:http://www.debian.org/security/2002/dsa-126
Reference: CALDERA:CSSA-2002-016.1
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-016.1.txt
Reference: CONECTIVA:CLA-2001:473
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000473
Reference: MISC:http://bugs.horde.org/show_bug.cgi?id=916
Reference: XF:imp-status-php3-css(8769)
Reference: URL:http://www.iss.net/security_center/static/8769.php
Reference: BID:4444
Reference: URL:http://www.securityfocus.com/bid/4444
Cross-site scripting vulnerability in status.php3 for IMP 2.2.8 and
HORDE 1.2.7 allows remote attackers to execute arbitrary web script
and steal cookies of other IMP/HORDE users via the script parameter.
Modifications:
DESC rephrase
CHANGEREF CALDERA [new version number]
ADDREF CONECTIVA:CLA-2001:473
ADDREF MISC:http://bugs.horde.org/show_bug.cgi?id=916
ADDREF XF:imp-status-php3-css(8769)
ADDREF BID:4444
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0181 ACCEPT (5 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Green
MODIFY(2) Frech, Cox
NOOP(3) Christey, Wall, Foat
Voter Comments:
Cox> "execute script" sounds like local execution - it's just cross
site scripting
Christey> Try this desc: "Cross-site scripting vulnerability in
status.php3 for IMP 2.2.8 and HORDE 1.2.7 allows remote attackers to
execute arbitrary script and steal cookies of other IMP/HORDE users
via the script parameter."
CONECTIVA:CLA-2001:473
URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000473
MISC:http://bugs.horde.org/show_bug.cgi?id=916
XF:imp-status-php3-css(8769)
URL:http://www.iss.net/security_center/static/8769.php
BID:4444
URL:http://www.securityfocus.com/bid/4444
CHANGEREF CALDERA:CSSA-2002-016.1 (new version #)
Frech> XF:imp-status-php3-css(8769)
======================================================
Candidate: CAN-2002-0184
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0184
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020419
Category: SF
Reference: BUGTRAQ:20020425 [Global InterSec 2002041701] Sudo Password Prompt
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101974610509912&w=2
Reference: BUGTRAQ:20020425 Sudo version 1.6.6 now available (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101975443619600&w=2
Reference: MANDRAKE:MDKSA-2002:028
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-028.php3
Reference: DEBIAN:DSA-128
Reference: URL:http://www.debian.org/security/2002/dsa-128
Reference: REDHAT:RHSA-2002:071
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-071.html
Reference: REDHAT:RHSA-2002:072
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-072.html
Reference: ENGARDE:ESA-20020429-010
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-2040.html
Reference: BUGTRAQ:20020425 [slackware-security] sudo upgrade fixes a potential vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101979472822196&w=2
Reference: CONECTIVA:CLA-2002:475
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000475
Reference: TRUSTIX:TSLSA-2002-0046
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102010164413135&w=2
Reference: BUGTRAQ:20020429 TSLSA-2002-0046 - sudo
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102010164413135&w=2
Reference: SUSE:SuSE-SA:2002:014
Reference: URL:http://www.suse.de/de/security/2002_014_sudo_txt.html
Reference: CERT-VN:VU#820083
Reference: URL:http://www.kb.cert.org/vuls/id/820083
Reference: XF:sudo-password-expansion-overflow(8936)
Reference: URL:http://www.iss.net/security_center/static/8936.php
Reference: BID:4593
Reference: URL:http://www.securityfocus.com/bid/4593
Heap-based buffer overflow in sudo before 1.6.6 may allow local users
to gain root privileges via special characters in the -p (prompt)
argument, which are not properly expanded.
Modifications:
ADDREF BUGTRAQ:20020429 TSLSA-2002-0046 - sudo
ADDREF SUSE:SuSE-SA:2002:014
ADDREF XF:sudo-password-expansion-overflow(8936)
DESC change terms to "heap-based buffer overflow"
ADDREF BID:4593
ADDREF CERT-VN:VU#820083
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0184 ACCEPT (7 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(6) Cox, Wall, Foat, Cole, Armstrong, Green
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Christey> BUGTRAQ:20020429 TSLSA-2002-0046 - sudo
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102010164413135&w=2
SUSE:SuSE-SA:2002:014
Frech> XF:sudo-password-expansion-overflow(8936)
======================================================
Candidate: CAN-2002-0185
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0185
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020419
Category: SF
Reference: MISC:http://www.modpython.org/pipermail/mod_python/2002-April/001991.html
Reference: MISC:http://www.modpython.org/pipermail/mod_python/2002-April/002003.html
Reference: REDHAT:RHSA-2002:070
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-070.html
Reference: CONECTIVA:CLA-2002:477
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000477
Reference: XF:modpython-imported-module-access(8997)
Reference: URL:http://www.iss.net/security_center/static/8997.php
Reference: BID:4656
Reference: URL:http://www.securityfocus.com/bid/4656
mod_python version 2.7.6 and earlier allows a module indirectly
imported by a published module to then be accessed via the publisher,
which allows remote attackers to call possibly dangerous functions
from the imported module.
Modifications:
ADDREF REDHAT:RHSA-2002:070
ADDREF CONECTIVA:CLA-2002:477
ADDREF XF:modpython-imported-module-access(8997)
ADDREF BID:4656
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0185 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cox
MODIFY(1) Frech
NOOP(6) Christey, Wall, Foat, Cole, Armstrong, Green
Voter Comments:
Cox> ADDREF: RHSA-2002:070
Christey> ADDREF REDHAT:RHSA-2002:070
Christey> CONECTIVA:CLA-2002:477
URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000477
Frech> XF:modpython-imported-module-access(8997)
======================================================
Candidate: CAN-2002-0186
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0186
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020726
Assigned: 20020420
Category: SF
Reference: BUGTRAQ:20020613 wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102397345410856&w=2
Reference: VULNWATCH:20020613 [VulnWatch] wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0100.html
Reference: MS:MS02-030
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-030.asp
Reference: CERT-VN:VU#811371
Reference: URL:http://www.kb.cert.org/vuls/id/811371
Reference: BID:5004
Reference: URL:http://www.securityfocus.com/bid/5004
Reference: XF:mssql-sqlxml-isapi-bo(9328)
Reference: URL:http://www.iss.net/security_center/static/9328.php
Buffer overflow in the SQLXML ISAPI extension of Microsoft SQL Server
2000 allows remote attackers to execute arbitrary code via data
queries with a long content-type parameter, aka "Unchecked Buffer in
SQLXML ISAPI Extension."
Modifications:
ADDREF CERT-VN:VU#811371
ADDREF BID:5004
ADDREF XF:mssql-sqlxml-isapi-bo(9328)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0186 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Foat, Cole
NOOP(2) Christey, Cox
Voter Comments:
Christey> CERT-VN:VU#811371
URL:http://www.kb.cert.org/vuls/id/811371
BID:5004
URL:http://www.securityfocus.com/bid/5004
XF:mssql-sqlxml-isapi-bo(9328)
URL:http://www.iss.net/security_center/static/9328.php
======================================================
Candidate: CAN-2002-0187
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0187
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020420
Category: SF
Reference: BUGTRAQ:20020613 wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102397345410856&w=2
Reference: VULNWATCH:20020613 [VulnWatch] wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0100.html
Reference: MS:MS02-030
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-030.asp
Cross-site scripting vulnerability in the SQLXML component of
Microsoft SQL Server 2000 allows an attacker to execute arbitrary
script via the root parameter as part of an XML SQL query, aka "Script
Injection via XML Tag."
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0187 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Foat, Cole
NOOP(2) Christey, Cox
Voter Comments:
Christey> CERT-VN:VU#139931
URL:http://www.kb.cert.org/vuls/id/139931
XF:mssql-sqlxml-script-injection(9329)
URL:http://www.iss.net/security_center/static/9329.php
BID:5005
URL:http://www.securityfocus.com/bid/5005
======================================================
Candidate: CAN-2002-0190
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0190
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020420
Category: SF
Reference: MS:MS02-023
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-023.asp
Reference: CERT-VN:VU#242891
Reference: URL:http://www.kb.cert.org/vuls/id/242891
Reference: XF:ie-netbios-incorrect-security-zone(9084)
Reference: URL:http://www.iss.net/security_center/static/9084.php
Reference: BID:4753
Reference: URL:http://www.securityfocus.com/bid/4753
Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers
to execute arbitrary code under fewer security restrictions via a
malformed web page that requires NetBIOS connectivity, aka "Zone
Spoofing through Malformed Web Page" vulnerability.
Modifications:
ADDREF XF:ie-netbios-incorrect-security-zone(9084)
ADDREF BID:4753
ADDREF CERT-VN:VU#242891
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0190 ACCEPT (6 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
MODIFY(1) Frech
NOOP(1) Cox
Voter Comments:
Frech> XF:ie-netbios-incorrect-security-zone(9084)
======================================================
Candidate: CAN-2002-0191
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0191
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020420
Category: SF
Reference: BUGTRAQ:20020402 Reading portions of local files in IE, depending on structure (GM#004-IE)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101778302030981&w=2
Reference: MS:MS02-023
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-023.asp
Reference: XF:ie-css-read-files (8740)
Reference: URL:http://www.iss.net/security_center/static/8740.php
Reference: BID:4411
Reference: URL:http://online.securityfocus.com/bid/4411
Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers
to view arbitrary files that contain the "{" character via script
containing the cssText property of the stylesheet object, aka "Local
Information Disclosure through HTML Object" vulnerability.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0191 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(6) Baker, Frech, Wall, Foat, Cole, Armstrong
NOOP(1) Cox
======================================================
Candidate: CAN-2002-0213
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0213
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: CF
Reference: BUGTRAQ:20020128 [ Hackerslab bug_paper ] Xkas application vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101223525118717&w=2
Reference: SGI:20020604-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020604-01-I
Reference: BID:3969
Reference: URL:http://online.securityfocus.com/bid/3969
Reference: XF:kashare-xkas-icon-symlink(8002)
Reference: URL:http://www.iss.net/security_center/static/8002.php
xkas in Xinet K-AShare 0.011.01 for IRIX allows local users to read
arbitrary files via a symlink attack on the VOLICON file, which is copied
to the .HSicon file in a shared directory.
Modifications:
ADDREF SGI:20020604-01-I
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0213 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Green
NOOP(4) Christey, Wall, Foat, Cole
Voter Comments:
Christey> SGI:20020604-01-I
======================================================
Candidate: CAN-2002-0241
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0241
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: CISCO:20020207 Cisco Secure Access Control Server Novell Directory Service Expired/Disabled User Authentication Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/ciscosecure-acs-nds-authentication-vuln-pub.shtml
Reference: XF:ciscosecure-nds-authentication(8106)
Reference: URL:http://www.iss.net/security_center/static/8106.php
Reference: BID:4048
Reference: URL:http://www.securityfocus.com/bid/4048
NDSAuth.DLL in Cisco Secure Authentication Control Server (ACS) 3.0.1
does not check the Expired or Disabled state of users in the Novell
Directory Services (NDS), which could allow those users to
authenticate to the server.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0241 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Frech, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0246
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0246
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020210 Unixware Message catalog exploit code
Reference: URL:http://online.securityfocus.com/archive/1/255414
Reference: CALDERA:CSSA-2002-SCO.3
Reference: URL:ftp://stage.caldera.com/pub/security/unixware/CSSA-2002-SCO.3/CSSA-2002-SCO.3.txt
Reference: BID:4060
Reference: URL:http://online.securityfocus.com/bid/4060
Reference: XF:unixware-msg-catalog-format-string(8113)
Reference: URL:http://www.iss.net/security_center/static/8113.php
Format string vulnerability in the message catalog library functions
in UnixWare 7.1.1 allows local users to gain privileges by modifying
the LC_MESSAGE environment variable to read other message catalogs
containing format strings from setuid programs such as vxprint.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0246 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Frech, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0250
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0250
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020208 Hewlett Packard AdvanceStack Switch Managment Authentication Bypass Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101318469216213&w=2
Reference: HP:HPSBUX0202-185
Reference: URL:http://online.securityfocus.com/advisories/3870
Reference: BID:4062
Reference: URL:http://www.securityfocus.com/bid/4062
Reference: XF:hp-advancestack-bypass-auth(8124)
Reference: URL:http://www.iss.net/security_center/static/8124.php
Web configuration utility in HP AdvanceStack hubs J3200A through
J3210A with firmware version A.03.07 and earlier, allows unauthorized
users to bypass authentication via a direct HTTP request to the
web_access.html file, which allows the user to change the switch's
configuration and modify the administrator password.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0250 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Frech, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0267
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0267
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020212 SIPS - vulnerable to anyone gaining admin access.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101363233905645&w=2
Reference: CONFIRM:http://sips.sourceforge.net/adminvul.html
Reference: BID:4097
Reference: URL:http://online.securityfocus.com/bid/4097
Reference: XF:sips-theme-admin-access(8193)
Reference: URL:http://www.iss.net/security_center/static/8193.php
preferences.php in Simple Internet Publishing System (SIPS) before
0.3.1 allows remote attackers to gain administrative privileges via a
linebreak in the "theme" field followed by the Status::admin command,
which causes the Status line to be entered into the password file.
Modifications:
ADDREF XF:sips-theme-admin-access(8193)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0267 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Armstrong
MODIFY(1) Frech
NOOP(3) Cox, Wall, Foat
Voter Comments:
Frech> XF:sips-theme-admin-access(8193)
======================================================
Candidate: CAN-2002-0274
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0274
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020213 Exim 3.34 and lower (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101362618118598&w=2
Reference: CONFIRM:http://www.exim.org/pipermail/exim-announce/2002q1/000053.html
Reference: XF:exim-config-arg-bo(8194)
Reference: URL:http://www.iss.net/security_center/static/8194.php
Reference: BID:4096
Reference: URL:http://www.securityfocus.com/bid/4096
Exim 3.34 and earlier may allow local users to gain privileges via a
buffer overflow in long -C (configuration file) and other command line
arguments.
Modifications:
ADDREF XF:exim-config-arg-bo(8194)
Analysis
--------
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: A post to the Exim-announce mailing list on February
19th refers to problems "raised by the bugtraq posting last week."
INFERRED ACTION: CAN-2002-0274 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Cox, Cole
MODIFY(1) Frech
NOOP(3) Wall, Foat, Armstrong
Voter Comments:
Frech> XF:exim-config-arg-bo(8194)
CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
======================================================
Candidate: CAN-2002-0276
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0276
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020213 [NGSEC-2002-1] Ettercap, remote root compromise
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101370874219511&w=2
Reference: CONFIRM:http://ettercap.sourceforge.net/index.php?s=history
Reference: BID:4104
Reference: URL:http://online.securityfocus.com/bid/4104
Reference: XF:ettercap-memcpy-bo(8200)
Reference: URL:http://www.iss.net/security_center/static/8200.php
Buffer overflow in various decoders in Ettercap 0.6.3.1 and earlier,
when running on networks with an MTU greater than 2000, allows remote
attackers to execute arbitrary code via large packets.
Modifications:
ADDREF XF:ettercap-memcpy-bo(8200)
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the entry for version 0.6.4 in the vendor's history
file states "Fixed the possibility of remote exploitation on interface
with MTU > 1500"
INFERRED ACTION: CAN-2002-0276 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Armstrong
MODIFY(1) Frech
NOOP(3) Cox, Wall, Foat
Voter Comments:
Frech> XF:ettercap-memcpy-bo(8200)
======================================================
Candidate: CAN-2002-0287
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0287
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: CF
Reference: BUGTRAQ:20020216 pforum: mysql-injection-bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101389284625019&w=2
Reference: CONFIRM:http://www.powie.de/news/index.php
Reference: BID:4114
Reference: URL:http://online.securityfocus.com/bid/4114
Reference: XF:pforum-quotes-sql-injection(8203)
Reference: URL:http://www.iss.net/security_center/static/8203.php
pforum 1.14 and earlier does not explicitly enable PHP magic quotes,
which allows remote attackers to bypass authentication and gain
administrator privileges via an SQL injection attack when the PHP
server is not configured to use magic quotes by default.
Modifications:
ADDREF XF:pforum-quotes-sql-injection(8203)
Analysis
--------
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: While the comment on the News page is in German, it
is clear that the vendor's statement on 20020214 constitutes
sufficient acknowledgement, even when viewed using basic translation
software: "Hiermit möchte ich alle User des PFORUM auf eine schwere
Sicherheitslücke aufmerksam machen... Diese Sicherheitslücke tritt nur
auf, wenn auf den entsprechenden Webserver in der PHP.INI
magic_quotes_gpc = Off sind."
INFERRED ACTION: CAN-2002-0287 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Armstrong
MODIFY(1) Frech
NOOP(3) Cox, Wall, Foat
Voter Comments:
Frech> XF:pforum-quotes-sql-injection(8203)
======================================================
Candidate: CAN-2002-0290
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0290
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020218 Netwin Webnews Buffer Overflow Vulnerability (#NISR18022002)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101413521417638&w=2
Reference: CONFIRM:ftp://netwinsite.com/pub/webnews/beta/webnews11m_solaris.tar.Z
Reference: BID:4124
Reference: URL:http://online.securityfocus.com/bid/4124
Reference: XF:webnews-cgi-group-bo(8220)
Reference: URL:http://www.iss.net/security_center/static/8220.php
Buffer overflow in Netwin WebNews CGI program 1.1, Webnews.exe, allows
remote attackers to execute arbitrary code via a long group argument.
Modifications:
ADDREF XF:webnews-cgi-group-bo(8220)
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the "webnews/manuals/update.htm" file in the WebNews
distribution has an entry dated February 21, which states: "Fixed:
Buffer Overflow Vulnerability reported by NGSSoftware Insight Security
Research."
INFERRED ACTION: CAN-2002-0290 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Armstrong
MODIFY(1) Frech
NOOP(3) Cox, Wall, Foat
Voter Comments:
Frech> XF:webnews-cgi-group-bo(8220)
======================================================
Candidate: CAN-2002-0292
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0292
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020219 [SA-2002:01] Slashcode login vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101414005501708&w=2
Reference: BID:4116
Reference: URL:http://online.securityfocus.com/bid/4116
Reference: XF:slashcode-site-xss(8221)
Reference: URL:http://www.iss.net/security_center/static/8221.php
Cross-site scripting vulnerability in Slash before 2.2.5, as used in
Slashcode and elsewhere, allows remote attackers to steal cookies and
authentication information from other users via Javascript in a URL,
possibly in the formkey field.
Modifications:
ADDREF XF:slashcode-site-xss(8221)
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0292 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(3) Cox, Wall, Foat
Voter Comments:
Frech> XF:slashcode-site-xss(8221)
======================================================
Candidate: CAN-2002-0299
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0299
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020220 CNet CatchUp arbitrary code execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101438631921749&w=2
Reference: BID:3975
Reference: URL:http://online.securityfocus.com/bid/3975
Reference: XF:cnet-catchup-gain-privileges(8035)
Reference: URL:http://www.iss.net/security_center/static/8035.php
CNet CatchUp before 1.3.1 allows attackers to execute arbitrary code
via a .RVP file that creates a file with an arbitrary extension (such
as .BAT), which is executed during a scan.
Modifications:
ADDREF XF:cnet-catchup-gain-privileges(8035)
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0299 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(3) Cox, Wall, Foat
Voter Comments:
Frech> XF:cnet-catchup-gain-privileges(8035)
======================================================
Candidate: CAN-2002-0300
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0300
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020219 gnujsp: dir- and script-disclosure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101415804625292&w=2
Reference: BUGTRAQ:20020220 Re: gnujsp: dir- and script-disclosure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101422432123898&w=2
Reference: DEBIAN:DSA-114
Reference: URL:http://www.debian.org/security/2002/dsa-114
Reference: BID:4125
Reference: URL:http://online.securityfocus.com/bid/4125
Reference: XF:gnujsp-jserv-information-disclosure(8240)
Reference: URL:http://www.iss.net/security_center/static/8240.php
gnujsp 1.0.0 and 1.0.1 allows remote attackers to list directories,
read source code of certain scripts, and bypass access restrictions by
directly requesting the target file from the gnujsp servlet, which
does not work around a limitation of JServ and does not process the
requested file.
Modifications:
ADDREF XF:gnujsp-jserv-information-disclosure(8240)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0300 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(3) Cox, Wall, Foat
Voter Comments:
Frech> XF:gnujsp-jserv-information-disclosure(8240)
======================================================
Candidate: CAN-2002-0302
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0302
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020220 Symantec Enterprise Firewall (SEF) Notify Daemon data loss via SN MP
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101424225814604&w=2
Reference: CONFIRM:http://securityresponse.symantec.com/avcenter/security/Content/2002.02.20a.html
Reference: BID:4139
Reference: URL:http://online.securityfocus.com/bid/4139
Reference: XF:sef-smtp-proxy-information(8251)
Reference: URL:http://www.iss.net/security_center/static/8251.php
The Notify daemon for Symantec Enterprise Firewall (SEF) 6.5.x drops
large alerts when SNMP is used as the transport, which could prevent
some alerts from being sent in the event of an attack.
Modifications:
ADDREF XF:sef-smtp-proxy-information(8251)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0302 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Prosser, Baker, Cole
MODIFY(1) Frech
NOOP(3) Cox, Wall, Foat
Voter Comments:
Frech> XF:sef-smtp-proxy-information(8251)
Prosser> http://securityresponse.symantec.com/avcenter/security/Content/2002.02.20a.html
======================================================
Candidate: CAN-2002-0309
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0309
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020221 Symantec Enterprise Firewall (SEF) SMTP proxy inconsistencies
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101430810813853&w=2
Reference: BUGTRAQ:20020220 Symantec Enterprise Firewall (SEF) SMTP proxy inconsistencies
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101424307617060&w=2
Reference: CONFIRM:http://securityresponse.symantec.com/avcenter/security/Content/2002.02.20.html
Reference: BID:4141
Reference: URL:http://online.securityfocus.com/bid/4141
Reference: XF:sef-smtp-proxy-information(8251)
Reference: URL:http://www.iss.net/security_center/static/8251.php
SMTP proxy in Symantec Enterprise Firewall (SEF) 6.5.x includes the
firewall's physical interface name and address in an SMTP protocol
exchange when NAT translation is made to an address other than the
firewall, which could allow remote attackers to determine certain
firewall configuration information.
Modifications:
ADDREF CONFIRM:http://securityresponse.symantec.com/avcenter/security/Content/2002.02.20.html
ADDREF XF:sef-smtp-proxy-information(8251)
Analysis
--------
Vendor Acknowledgement: yes followup
INFERRED ACTION: CAN-2002-0309 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Prosser, Baker, Cole
MODIFY(1) Frech
NOOP(3) Cox, Wall, Foat
Voter Comments:
Frech> XF:sef-smtp-proxy-information(8251)
Prosser> http://securityresponse.symantec.com/avcenter/security/Content/2002.02.20.html
======================================================
Candidate: CAN-2002-0318
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0318
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020221 DoS Attack against many RADIUS servers
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101440113410083&w=2
Reference: XF:freeradius-access-request-dos(9968)
Reference: URL:http://www.iss.net/security_center/static/9968.php
FreeRADIUS RADIUS server allows remote attackers to cause a denial of
service (CPU consumption) via a flood of Access-Request packets.
Modifications:
ADDREF XF:freeradius-access-request-dos(9968)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0318 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(3) Cox, Wall, Foat
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:freeradius-access-request-dos(9968)
http://www.freeradius.org/radiusd/doc/ChangeLog
Possibly: Fix a bug which would hang the server when many SQL
connections were open.
======================================================
Candidate: CAN-2002-0329
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0329
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020227 RE: Open Bulletin Board javascript bug.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101485184605149&w=2
Reference: BUGTRAQ:20020227 Snitz 2000 Code Patch (was RE: Open Bulletin Board javascript bug.)
Reference: URL:http://online.securityfocus.com/archive/1/258981
Reference: CONFIRM:http://forum.snitz.com/forum/link.asp?TOPIC_ID=23660
Reference: BID:4192
Reference: URL:http://www.securityfocus.com/bid/4192
Reference: XF:snitz-img-css(8309)
Reference: URL:http://www.iss.net/security_center/static/8309.php
Cross-site scripting vulnerability in Snitz Forums 2000 3.3.03 and
earlier allows remote attackers to execute arbitrary script as other
Forums 2000 users via Javascript in an IMG tag.
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0329 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> DELREF one BID:4192 (mentioned twice)
======================================================
Candidate: CAN-2002-0330
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0330
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020225 Open Bulletin Board javascript bug.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101466092601554&w=2
Reference: CONFIRM:http://community.iansoft.net/read.php?TID=5159
Reference: BID:4171
Reference: URL:http://online.securityfocus.com/bid/4171
Reference: XF:openbb-img-css(8278)
Reference: URL:http://www.iss.net/security_center/static/8278.php
Cross-site scripting vulnerability in codeparse.php of Open Bulletin
Board (OpenBB) 1.0.0 allows remote attackers to execute arbitrary
script and steal cookies via Javascript in the IMG tag.
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0330 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0339
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0339
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: CISCO:20020227 Cisco Security Advisory: Data Leak with Cisco Express Forwarding
Reference: URL:http://www.cisco.com/warp/public/707/IOS-CEF-pub.shtml
Reference: XF:ios-cef-information-leak(8296)
Reference: URL:http://www.iss.net/security_center/static/8296.php
Reference: BID:4191
Reference: URL:http://www.securityfocus.com/bid/4191
Cisco IOS 11.1CC through 12.2 with Cisco Express Forwarding (CEF)
enabled includes portions of previous packets in the padding of a MAC
level packet when the MAC packet's length is less than the IP level
packet length.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0339 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0355
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0355
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020502
Category: SF
Reference: SGI:20020503-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020503-01-I
Reference: BID:4682
Reference: URL:http://www.securityfocus.com/bid/4682
Reference: XF:irix-netstat-file-existence(9023)
Reference: URL:http://www.iss.net/security_center/static/9023.php
netstat in SGI IRIX before 6.5.12 allows local users to determine the
existence of files on the system, even if the users do not have the
appropriate permissions.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0355 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0356
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0356
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020502
Category: SF
Reference: SGI:20020504-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020504-01-I
Reference: XF:irix-fsrxfs-gain-privileges(9042)
Reference: URL:http://www.iss.net/security_center/static/9042.php
Reference: BID:4706
Reference: URL:http://www.securityfocus.com/bid/4706
Vulnerability in XFS filesystem reorganizer (fsr_xfs) in SGI IRIX
6.5.10 and earlier allows local users to gain root privileges by
overwriting critical system files.
Modifications:
ADDREF XF:irix-fsrxfs-gain-privileges(9042)
ADDREF BID:4706
Analysis
--------
Vendor Acknowledgement: yes advisory
NOTE: CAN-2002-0356 was incorrectly used in a report for the sgdynamo
product. The correct identifier for the sgdynamo vulnerability is
CAN-2002-0375.
INFERRED ACTION: CAN-2002-0356 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
MODIFY(1) Frech
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> NOTE: CAN-2002-0356 was mistakenly referenced in a report
for the sgdynamo product. The correct identifier for the
sgdynamo vulnerability is CAN-2002-0375.
Christey> XF:irix-fsrxfs-gain-privileges(9042)
URL:http://www.iss.net/security_center/static/9042.php
BID:4706
URL:http://www.securityfocus.com/bid/4706
Frech> XF:irix-fsrxfs-gain-privileges(9042)
======================================================
Candidate: CAN-2002-0358
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0358
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020502
Category: SF
Reference: SGI:20020602-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020602-01-I
Reference: XF:irix-mediamail-core-dump(9292)
Reference: URL:http://www.iss.net/security_center/static/9292.php
Reference: BID:4959
Reference: URL:http://www.securityfocus.com/bid/4959
MediaMail and MediaMail Pro in SGI IRIX 6.5.16 and earlier allow
local users to force the program to dump core via certain arguments,
which could allow the users to read sensitive data or gain privileges.
Modifications:
DESC Fix typo: "Medial" Mail
ADDREF BID:4959
ADDREF XF:irix-mediamail-core-dump(9292)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0358 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
MODIFY(1) Frech
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> Fix typo: "Medial" Mail
XF:irix-mediamail-core-dump(9292)
URL:http://www.iss.net/security_center/static/9292.php
BID:4959
URL:http://www.securityfocus.com/bid/4959
Frech> XF:irix-mediamail-core-dump(9292)
======================================================
Candidate: CAN-2002-0359
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0359
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020726
Assigned: 20020502
Category: SF
Reference: BUGTRAQ:20020620 [LSD] IRIX rpc.xfsmd multiple remote root vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102459162909825&w=2
Reference: SGI:20020606-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020606-01-I
Reference: CERT-VN:VU#521147
Reference: URL:http://www.kb.cert.org/vuls/id/521147
Reference: XF:irix-xfsmd-bypass-authentication(9401)
Reference: URL:http://www.iss.net/security_center/static/9401.php
Reference: BID:5072
Reference: URL:http://www.securityfocus.com/bid/5072
xfsmd for IRIX 6.5 through 6.5.16 uses weak authentication, which
allows remote attackers to call dangerous RPC functions, including
those that can mount or unmount xfs file systems, to gain root
privileges.
Modifications:
ADDREF XF:irix-xfsmd-bypass-authentication(9401)
ADDREF BID:5072
ADDREF CERT-VN:VU#521147
DELREF SGI:20020605-01-I
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0359 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> XF:irix-xfsmd-bypass-authentication(9401)
URL:http://www.iss.net/security_center/static/9401.php
BID:5072
URL:http://www.securityfocus.com/bid/5072
Christey> DELREF SGI:20020605-01-I (that one is for CAN-2003-0392)
======================================================
Candidate: CAN-2002-0363
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0363
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020611
Assigned: 20020507
Category: SF
Reference: MISC:http://www.ghostscript.com/pipermail/gs-code-review/2002-January/001801.html
Reference: MISC:http://www.ghostscript.com/pipermail/gs-code-review/2002-February/001900.html
Reference: REDHAT:RHSA-2002:083
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-083.html
Reference: CALDERA:CSSA-2002-026.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-026.0.txt
Reference: XF:ghostscript-postscript-command-execution(9254)
Reference: URL:http://www.iss.net/security_center/static/9254.php
Reference: BID:4937
Reference: URL:http://www.securityfocus.com/bid/4937
ghostscript before 6.53 allows attackers to execute arbitrary commands
by using .locksafe or .setsafe to reset the current pagedevice.
Modifications:
ADDREF CALDERA:CSSA-2002-026.0
ADDREF XF:ghostscript-postscript-command-execution(9254)
ADDREF BID:4937
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0363 ACCEPT (5 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Cox, Cole, Alderson
MODIFY(1) Frech
NOOP(3) Christey, Wall, Foat
Voter Comments:
Christey> CALDERA:CSSA-2002-026.0
Christey> XF:ghostscript-postscript-command-execution(9254)
URL:http://www.iss.net/security_center/static/9254.php
BID:4937
URL:http://www.securityfocus.com/bid/4937
Frech> XF:ghostscript-postscript-command-execution(9254)
======================================================
Candidate: CAN-2002-0364
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0364
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020726
Assigned: 20020508
Category: SF
Reference: BUGTRAQ:20020612 ADVISORY: Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow [AD20020612]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102392069305962&w=2
Reference: NTBUGTRAQ:20020612 ADVISORY: Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=102392308608100&w=2
Reference: VULNWATCH:20020612 ADVISORY: Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow [AD20020612]
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0099.html
Reference: BUGTRAQ:20020613 VNA - .HTR HEAP OVERFLOW
Reference: URL:http://online.securityfocus.com/archive/1/276767
Reference: CERT-VN:VU#313819
Reference: URL:http://www.kb.cert.org/vuls/id/313819
Reference: MS:MS02-028
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-028.asp
Reference: BID:4855
Reference: URL:http://www.securityfocus.com/bid/4855
Reference: XF:iis-htr-chunked-encoding-bo(9327)
Reference: URL:http://www.iss.net/security_center/static/9327.php
Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0
and 5.0 allows attackers to execute arbitrary code via the processing
of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding
Could Enable Web Server Compromise."
Modifications:
ADDREF BID:4855
ADDREF BUGTRAQ:20020613 VNA - .HTR HEAP OVERFLOW
ADDREF CERT-VN:VU#313819
ADDREF XF:iis-htr-chunked-encoding-bo(9327)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0364 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Foat, Cole
NOOP(2) Christey, Cox
Voter Comments:
Christey> BID:4855
URL:http://www.securityfocus.com/bid/4855
BUGTRAQ:20020613 VNA - .HTR HEAP OVERFLOW
URL:http://online.securityfocus.com/archive/1/276767
CERT-VN:VU#313819
URL:http://www.kb.cert.org/vuls/id/313819
XF:iis-htr-chunked-encoding-bo(9327)
URL:http://www.iss.net/security_center/static/9327.php
======================================================
Candidate: CAN-2002-0366
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0366
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020726
Assigned: 20020508
Category: SF
Reference: BUGTRAQ:20020613 Microsoft RASAPI32.DLL
Reference: URL:http://online.securityfocus.com/archive/1/276776
Reference: BUGTRAQ:20020620 VPN and Q318138
Reference: URL:http://online.securityfocus.com/archive/1/278145
Reference: MISC:http://www.nextgenss.com/vna/ms-ras.txt
Reference: MS:MS02-029
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-029.asp
Reference: BID:4852
Reference: URL:http://www.securityfocus.com/bid/4852
Buffer overflow in Remote Access Service (RAS) phonebook for Windows
NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows
local users to execute arbitrary code by modifying the rasphone.pbk
file to use a long dial-up entry.
Modifications:
ADDREF BUGTRAQ:20020613 Microsoft RASAPI32.DLL
ADDREF BUGTRAQ:20020620 VPN and Q318138
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0366 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Foat, Cole
NOOP(2) Christey, Cox
Voter Comments:
Christey> Add: a long script name is the issue.
BUGTRAQ:20020613 Microsoft RASAPI32.DLL
URL:http://online.securityfocus.com/archive/1/276776
BUGTRAQ:20020620 VPN and Q318138
URL:http://online.securityfocus.com/archive/1/278145
======================================================
Candidate: CAN-2002-0367
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0367
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020508
Category: SF
Reference: BUGTRAQ:20020314 Fwd: DebPloit (exploit)
Reference: URL:http://www.securityfocus.com/archive/1/262074
Reference: BUGTRAQ:20020326 Re: DebPloit (exploit)
Reference: URL:http://www.securityfocus.com/archive/1/264441
Reference: BUGTRAQ:20020327 Local Security Vulnerability in Windows NT and Windows 2000
Reference: URL:http://www.securityfocus.com/archive/1/264927
Reference: NTBUGTRAQ:20020314 DebPloit (exploit)
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101614320402695&w=2
Reference: BID:4287
Reference: URL:http://www.securityfocus.com/bid/4287
Reference: XF:win-debug-duplicate-handles(8462)
Reference: URL:http://www.iss.net/security_center/static/8462.php
Reference: MS:MS02-024
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-024.asp
smss.exe debugging subsystem in Windows NT and Windows 2000 does not
properly authenticate programs that connect to other programs, which
allows local users to gain administrator or SYSTEM privileges by
duplicating a handle to a privileged process, as demonstrated by
DebPloit.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0367 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Green
NOOP(1) Cox
======================================================
Candidate: CAN-2002-0368
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0368
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020508
Category: SF
Reference: MS:MS02-025
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-025.asp
Reference: XF:exchange-msg-attribute-dos(9195)
Reference: URL:http://www.iss.net/security_center/static/9195.php
Reference: BID:4881
Reference: URL:http://www.securityfocus.com/bid/4881
The Store Service in Microsoft Exchange 2000 allows remote attackers
to cause a denial of service (CPU consumption) via a mail message with
a malformed RFC message attribute, aka "Malformed Mail Attribute can
Cause Exchange 2000 to Exhaust CPU Resources."
Modifications:
ADDREF XF:exchange-msg-attribute-dos(9195)
ADDREF BID:4881
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0368 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Cole, Armstrong
MODIFY(1) Frech
NOOP(3) Christey, Cox, Foat
Voter Comments:
Christey> XF:exchange-msg-attribute-dos(9195)
URL:http://www.iss.net/security_center/static/9195.php
BID:4881
URL:http://www.securityfocus.com/bid/4881
Frech> XF:exchange-msg-attribute-dos(9195)
======================================================
Candidate: CAN-2002-0369
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0369
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020508
Category: SF
Reference: MS:MS02-026
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-026.asp
Reference: XF:ms-aspdotnet-stateserver-bo(9276)
Reference: URL:http://www.iss.net/security_center/static/9276.php
Reference: BID:4958
Reference: URL:http://www.securityfocus.com/bid/4958
Buffer overflow in ASP.NET Worker Process allows remote attackers to
cause a denial of service (restart) and possibly execute arbitrary
code via a routine that processes cookies while in StateServer mode.
Modifications:
ADDREF XF:ms-aspdotnet-stateserver-bo(9276)
ADDREF BID:4958
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0369 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Cole, Armstrong
MODIFY(1) Frech
NOOP(3) Christey, Cox, Foat
Voter Comments:
Christey> XF:ms-aspdotnet-stateserver-bo(9276)
http://www.iss.net/security_center/static/9276.php
BID:4958
URL:http://www.securityfocus.com/bid/4958
Frech> XF:ms-aspdotnet-stateserver-bo(9276)
======================================================
Candidate: CAN-2002-0372
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0372
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020726
Assigned: 20020508
Category: SF
Reference: MS:MS02-032
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-032.asp
Reference: XF:mediaplayer-cache-code-execution(9420)
Reference: URL:http://www.iss.net/security_center/static/9420.php
Reference: BID:5107
Reference: URL:http://www.securityfocus.com/bid/5107
Microsoft Windows Media Player versions 6.4 and 7.1 and Media Player
for Windows XP allow remote attackers to bypass Internet Explorer's
(IE) security mechanisms and run code via an executable .wma media
file with a license installation requirement stored in the IE cache,
aka the "Cache Path Disclosure via Windows Media Player".
Modifications:
ADDREF XF:mediaplayer-cache-code-execution(9420)
ADDREF BID:5107
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0372 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Foat, Cole
NOOP(2) Christey, Cox
Voter Comments:
Christey> XF:mediaplayer-cache-code-execution(9420)
URL:http://www.iss.net/security_center/static/9420.php
BID:5107
URL:http://www.securityfocus.com/bid/5107
======================================================
Candidate: CAN-2002-0373
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0373
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020726
Assigned: 20020508
Category: SF
Reference: MS:MS02-032
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-032.asp
Reference: XF:mediaplayer-wmdm-privilege-elevation(9421)
Reference: URL:http://www.iss.net/security_center/static/9421.php
Reference: BID:5109
Reference: URL:http://www.securityfocus.com/bid/5109
The Windows Media Device Manager (WMDM) Service in Microsoft Windows
Media Player 7.1 on Windows 2000 systems allows local users to obtain
LocalSystem rights via a program that calls the WMDM service to
connect to an invalid local storage device, aka "Privilege Elevation
through Windows Media Device Manager Service".
Modifications:
ADDREF XF:mediaplayer-wmdm-privilege-elevation(9421)
ADDREF BID:5109
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0373 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Wall, Cole
NOOP(3) Christey, Cox, Foat
Voter Comments:
Christey> XF:mediaplayer-wmdm-privilege-elevation(9421)
URL:http://www.iss.net/security_center/static/9421.php
BID:5109
URL:http://www.securityfocus.com/bid/5109
======================================================
Candidate: CAN-2002-0374
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0374
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020611
Assigned: 20020508
Category: SF
Reference: BUGTRAQ:20020506 ldap vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102070762606525&w=2
Reference: VULNWATCH:20020506 ldap vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0053.html
Reference: CALDERA:CSSA-2002-041.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-041.0.txt
Reference: MANDRAKE:MDKSA-2002:075
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:075
Reference: REDHAT:RHSA-2002:084
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-084.html
Reference: REDHAT:RHSA-2002:175
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-175.html
Reference: BUGTRAQ:20021030 GLSA: pam_ldap
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103601912505261&w=2
Reference: XF:pamldap-config-format-string(9018)
Reference: URL:http://www.iss.net/security_center/static/9018.php
Reference: BID:4679
Reference: URL:http://online.securityfocus.com/bid/4679
Format string vulnerability in the logging function for the pam_ldap
PAM LDAP module before version 144 allows attackers to execute
arbitrary code via format strings in the configuration file name.
Modifications:
ADDREF XF:pamldap-config-format-string(9018)
ADDREF BID:4679
ADDREF BUGTRAQ:20021030 GLSA: pam_ldap
ADDREF CALDERA:CSSA-2002-041.0
ADDREF MANDRAKE:MDKSA-2002:075
ADDREF REDHAT:RHSA-2002:175
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0374 ACCEPT (6 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
MODIFY(1) Frech
NOOP(2) Christey, Foat
Voter Comments:
Christey> XF:pamldap-config-format-string(9018)
URL:http://www.iss.net/security_center/static/9018.php
BID:4679
URL:http://online.securityfocus.com/bid/4679
Frech> XF:pamldap-config-format-string(9018)
Christey> REDHAT:RHSA-2002:084
Christey> BUGTRAQ:20021030 GLSA: pam_ldap
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103601912505261&w=2
CALDERA:CSSA-2002-041.0
Christey> MANDRAKE:MDKSA-2002:075
Christey> REDHAT:RHSA-2002:175
URL:http://www.redhat.com/support/errata/RHSA-2002-175.html
CALDERA:CSSA-2002-041.0
URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-041.0.txt
======================================================
Candidate: CAN-2002-0377
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0377
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020514
Category: SF
Reference: BUGTRAQ:20020512 Gaim abritary Email Reading
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102130733815285&w=2
Reference: VULN-DEV:20020511 Gaim abritary Email Reading
Reference: URL:http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0584.html
Reference: CONFIRM:http://gaim.sourceforge.net/ChangeLog
Reference: XF:gaim-email-access(9061)
Reference: URL:http://www.iss.net/security_center/static/9061.php
Reference: BID:4730
Reference: URL:http://www.securityfocus.com/bid/4730
Gaim 0.57 stores sensitive information in world-readable and
group-writable files in the /tmp directory, which allows local users
to access MSN web email accounts of other users who run Gaim by
reading authentication information from the files.
Modifications:
ADDREF VULN-DEV:20020511 Gaim abritary Email Reading
ADDREF XF:gaim-email-access(9061)
ADDREF BID:4730
Analysis
--------
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: The Change Log for Gaim version 0.58, dated May 13,
says "Tempfiles used for secure MSN/HotMail login (added in 0.57) are
now themselves created securely." In addition to a statement on the
vendor's News page, dated May 14, regarding "the fix to the recent
BugTraq posting about Gaim," this is sufficient acknowledgement.
INFERRED ACTION: CAN-2002-0377 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Cox, Cole, Armstrong
MODIFY(1) Frech
NOOP(3) Christey, Wall, Foat
Voter Comments:
Christey> VULN-DEV:20020511 Gaim abritary Email Reading
URL:http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0584.html
Frech> XF:gaim-email-access(9061)
Christey> XF:gaim-email-access(9061)
URL:http://www.iss.net/security_center/static/9061.php
BID:4730
URL:http://www.securityfocus.com/bid/4730
======================================================
Candidate: CAN-2002-0379
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0379
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020611
Assigned: 20020517
Category: SF
Reference: BUGTRAQ:20020510 wu-imap buffer overflow condition
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102107222100529&w=2
Reference: REDHAT:RHSA-2002:092
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-092.html
Reference: CONECTIVA:CLA-2002:487
Reference: URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000487
Reference: HP:HPSBTL0205-043
Reference: URL:http://online.securityfocus.com/advisories/4167
Reference: CALDERA:CSSA-2002-021.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-021.0.txt
Reference: MANDRAKE:MDKSA-2002:034
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-034.php
Reference: ENGARDE:ESA-20020607-013
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-2120.html
Reference: BID:4713
Reference: URL:http://www.securityfocus.com/bid/4713
Reference: XF:wuimapd-partial-mailbox-bo(9055)
Reference: URL:http://www.iss.net/security_center/static/9055.php
Buffer overflow in University of Washington imap server (uw-imapd)
imap-2001 (imapd 2001.315) and imap-2001a (imapd 2001.315) with legacy
RFC 1730 support, and imapd 2000.287 and earlier, allows remote
authenticated users to execute arbitrary code via a long BODY request.
Modifications:
ADDREF CONECTIVA:CLA-2002:487
ADDREF HP:HPSBTL0205-043
ADDREF CALDERA:CSSA-2002-021.0
ADDREF MANDRAKE:MDKSA-2002:034
ADDREF ENGARDE:ESA-20020607-013
ADDREF BID:4713
ADDREF XF:wuimapd-partial-mailbox-bo(9055)
Analysis
--------
Vendor Acknowledgement: yes followup
INFERRED ACTION: CAN-2002-0379 ACCEPT (6 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
MODIFY(1) Frech
NOOP(2) Christey, Foat
Voter Comments:
Christey> Add "long BODY request" to desc.
CONECTIVA:CLA-2002:487
URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000487
HP:HPSBTL0205-043
URL:http://online.securityfocus.com/advisories/4167
CALDERA:CSSA-2002-021.0
URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-021.0.txt
MANDRAKE:MDKSA-2002:034
URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-034.php
ENGARDE:ESA-20020607-013
URL:http://www.linuxsecurity.com/advisories/other_advisory-2120.html
BID:4713
URL:http://www.securityfocus.com/bid/4713
XF:wuimapd-partial-mailbox-bo(9055)
URL:http://www.iss.net/security_center/static/9055.php
Frech> XF:wuimapd-partial-mailbox-bo(9055)
======================================================
Candidate: CAN-2002-0381
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0381
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020517
Category: SF
Reference: MISC:http://www.FreeBSD.org/cgi/query-pr.cgi?pr=35022
Reference: BUGTRAQ:20020317 TCP Connections to a Broadcast Address on BSD-Based Systems
Reference: URL:http://online.securityfocus.com/archive/1/262733
Reference: CONFIRM:http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/tcp_input.c.diff?r1=1.109&r2=1.110
Reference: CONFIRM:http://cvsweb.netbsd.org/bsdweb.cgi/syssrc/sys/netinet/tcp_input.c.diff?r1=1.136&r2=1.137
Reference: BID:4309
Reference: URL:http://online.securityfocus.com/bid/4309
Reference: XF:bsd-broadcast-address(8485)
Reference: URL:http://www.iss.net/security_center/static/8485.php
The TCP implementation in various BSD operating systems (tcp_input.c)
does not properly block connections to broadcast addresses, which
could allow remote attackers to bypass intended filters via packets
with a unicast link layer address and an IP broadcast address.
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0381 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Green
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0382
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0382
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020611
Assigned: 20020521
Category: SF
Reference: BUGTRAQ:20020327 Xchat /dns command execution vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101725430425490&w=2
Reference: REDHAT:RHSA-2002:097
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-097.html
Reference: MANDRAKE:MDKSA-2002:051
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-051.php
Reference: CONECTIVA:CLA-2002:526
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000526
Reference: XF:xchat-dns-execute-commands(8704)
Reference: URL:http://www.iss.net/security_center/static/8704.php
Reference: BID:4376
Reference: URL:http://www.securityfocus.com/bid/4376
XChat IRC client allows remote attackers to execute arbitrary commands
via a /dns command on a host whose DNS reverse lookup contains shell
metacharacters.
Modifications:
DESC capitalize XChat properly
ADDREF MANDRAKE:MDKSA-2002:051
ADDREF CONECTIVA:CLA-2002:526
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0382 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Armstrong
MODIFY(2) Cox, Foat
NOOP(3) Christey, Wall, Cole
Voter Comments:
Cox> Xchat should be XChat
Foat> Agree with Cox modification
Christey> MANDRAKE:MDKSA-2002:051
Christey> CONECTIVA:CLA-2002:526
======================================================
Candidate: CAN-2002-0389
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0389
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020611
Assigned: 20020523
Category: SF
Reference: BUGTRAQ:20020417 Mailman/Pipermail private mailing list/local user vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101902003314968&w=2
Reference: MISC:http://sourceforge.net/tracker/?func=detail&atid=100103&aid=474616&group_id=103
Reference: XF:pipermail-view-archives(8874)
Reference: URL:http://www.iss.net/security_center/static/8874.php
Reference: BID:4538
Reference: URL:http://www.securityfocus.com/bid/4538
Pipermail in Mailman stores private mail messages with predictable
filenames in a world-executable directory, which allows local users to
read private mailing list archives.
Modifications:
DESC fix typo
ADDREF XF:pipermail-view-archives(8874)
ADDREF BID:4538
Analysis
--------
Vendor Acknowledgement: no disputed
INCLUSION: In a response to the bug report, the vendor says "I'm not
inclined to fix this, since this arrangement is crucial to the web
security of private archives."
INFERRED ACTION: CAN-2002-0389 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cox
MODIFY(1) Frech
NOOP(4) Christey, Wall, Foat, Cole
Voter Comments:
Frech> XF: pipermail-view-archives(8874)
Christey> Add period to the end of the description.
======================================================
Candidate: CAN-2002-0391
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020830
Assigned: 20020528
Category: SF
Reference: ISS:20020731 Remote Buffer Overflow Vulnerability in Sun RPC
Reference: URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
Reference: BUGTRAQ:20020731 Remote Buffer Overflow Vulnerability in Sun RPC
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102813809232532&w=2
Reference: BUGTRAQ:20020801 RPC analysis
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102821785316087&w=2
Reference: BUGTRAQ:20020802 MITKRB5-SA-2002-001: Remote root vulnerability in MIT krb5 admin
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102831443208382&w=2
Reference: CERT:CA-2002-25
Reference: URL:http://www.cert.org/advisories/CA-2002-25.html
Reference: CERT-VN:VU#192995
Reference: URL:http://www.kb.cert.org/vuls/id/192995
Reference: AIXAPAR:IY34194
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q4/0002.html
Reference: CALDERA:CSSA-2002-055.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-055.0.txt
Reference: CONECTIVA:CLA-2002:515
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000515
Reference: CONECTIVA:CLA-2002:535
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000535
Reference: DEBIAN:DSA-142
Reference: URL:http://www.debian.org/security/2002/dsa-142
Reference: DEBIAN:DSA-143
Reference: URL:http://www.debian.org/security/2002/dsa-143
Reference: DEBIAN:DSA-146
Reference: URL:http://www.debian.org/security/2002/dsa-146
Reference: DEBIAN:DSA-149
Reference: URL:http://www.debian.org/security/2002/dsa-149
Reference: ENGARDE:ESA-20021003-021
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-2399.html
Reference: FREEBSD:FreeBSD-SA-02:34.rpc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102821928418261&w=2
Reference: HP:HPSBTL0208-061
Reference: URL:http://online.securityfocus.com/advisories/4402
Reference: HP:HPSBUX0209-215
Reference: URL:http://archives.neohapsis.com/archives/hp/2002-q3/0077.html
Reference: MANDRAKE:MDKSA-2002:057
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:057
Reference: MS:MS02-057
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-057.asp
Reference: NETBSD:NetBSD-SA2002-011
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc
Reference: REDHAT:RHSA-2002:166
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-166.html
Reference: REDHAT:RHSA-2002:172
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-172.html
Reference: REDHAT:RHSA-2002:167
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-167.html
Reference: SGI:20020801-01-A
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020801-01-A
Reference: SGI:20020801-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020801-01-A
Reference: SUSE:SuSE-SA:2002:031
Reference: BUGTRAQ:20020803 OpenAFS Security Advisory 2002-001: Remote root vulnerability in OpenAFS servers
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0514.html
Reference: BUGTRAQ:20020802 kerberos rpc xdr_array
Reference: URL:http://online.securityfocus.com/archive/1/285740
Reference: BUGTRAQ:20020909 GLSA: glibc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103158632831416&w=2
Reference: XF:sunrpc-xdr-array-bo(9170)
Reference: URL:http://www.iss.net/security_center/static/9170.php
Reference: BID:5356
Reference: URL:http://www.securityfocus.com/bid/5356
Integer overflow in xdr_array function in RPC servers for operating
systems that use libc, glibc, or other code based on SunRPC including
dietlibc, allows remote attackers to execute arbitrary code by passing
a large number of arguments to xdr_array through RPC services such as
rpc.cmsd and dmispd.
Modifications:
ADDREF REDHAT:RHSA-2002:167
ADDREF XF:sunrpc-xdr-array-bo(9170)
ADDREF BID:5356
ADDREF BUGTRAQ:20020803 OpenAFS Security Advisory 2002-001: Remote root vulnerability in OpenAFS servers
ADDREF CONECTIVA:CLA-2002:515
ADDREF HP:HPSBTL0208-061
ADDREF BUGTRAQ:20020802 kerberos rpc xdr_array
ADDREF BUGTRAQ:20020909 GLSA: glibc
ADDREF SUSE:SuSE-SA:2002:031
ADDREF MS:MS02-057
ADDREF HP:HPSBUX0209-215
ADDREF MANDRAKE:MDKSA-2002:057
ADDREF ENGARDE:ESA-20021003-021
ADDREF CALDERA:CSSA-2002-055.0
ADDREF AIXAPAR:IY34194
ADDREF CONECTIVA:CLA-2002:535
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0391 ACCEPT (4 accept, 13 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Wall, Cole
MODIFY(1) Cox
NOOP(2) Christey, Foat
Voter Comments:
Cox> ADDREF: RHSA-2002:167
Christey> XF:sunrpc-xdr-array-bo(9170)
URL:http://www.iss.net/security_center/static/9170.php
BID:5356
URL:http://www.securityfocus.com/bid/5356
BUGTRAQ:20020803 OpenAFS Security Advisory 2002-001: Remote root vulnerability in OpenAFS servers
URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0514.html
CONECTIVA:CLA-2002:515
URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000515
HP:HPSBTL0208-061
URL:http://online.securityfocus.com/advisories/4402
BUGTRAQ:20020802 kerberos rpc xdr_array
URL:http://online.securityfocus.com/archive/1/285740
Christey> BUGTRAQ:20020909 GLSA: glibc
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103158632831416&w=2
Christey> SUSE:SuSE-SA:2002:031
Christey> MS:MS02-057
Christey> HP:HPSBUX0209-215
URL:http://archives.neohapsis.com/archives/hp/2002-q3/0077.html
MANDRAKE:MDKSA-2002:057
ENGARDE:ESA-20021003-021
Christey> CALDERA:CSSA-2002-055.0
Christey> AIXAPAR:IY34194
URL:http://archives.neohapsis.com/archives/aix/2002-q4/0002.html
CONECTIVA:CLA-2002:535
URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000535
======================================================
Candidate: CAN-2002-0392
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020726
Assigned: 20020530
Category: SF
Reference: CONFIRM:http://httpd.apache.org/info/security_bulletin_20020617.txt
Reference: VULNWATCH:20020617 [VulnWatch] Apache httpd: vulnerability with chunked encoding
Reference: ISS:20020617 Remote Compromise Vulnerability in Apache HTTP Server
Reference: BUGTRAQ:20020617 Re: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server
Reference: BUGTRAQ:20020617 Re: Remote Compromise Vulnerability in Apache HTTP Server
Reference: BUGTRAQ:20020618 Fixed version of Apache 1.3 available
Reference: BUGTRAQ:20020619 Implications of Apache vuln for Oracle
Reference: BUGTRAQ:20020619 Remote Apache 1.3.x Exploit
Reference: BUGTRAQ:20020620 Apache Exploit
Reference: BUGTRAQ:20020620 TSLSA-2002-0056 - apache
Reference: BUGTRAQ:20020621 [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
Reference: URL:http://online.securityfocus.com/archive/1/278149
Reference: BUGTRAQ:20020622 Ending a few arguments with one simple attachment.
Reference: BUGTRAQ:20020622 blowchunks - protecting existing apache servers until upgrades arrive
Reference: CERT:CA-2002-17
Reference: URL:http://www.cert.org/advisories/CA-2002-17.html
Reference: SGI:20020605-01-A
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020605-01-A
Reference: SGI:20020605-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020605-01-I
Reference: REDHAT:RHSA-2002:103
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-103.html
Reference: MANDRAKE:MDKSA-2002:039
Reference: CALDERA:CSSA-2002-029.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-029.0.txt
Reference: CALDERA:CSSA-2002-SCO.31
Reference: URL:ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.31
Reference: CALDERA:CSSA-2002-SCO.32
Reference: URL:ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.32
Reference: COMPAQ:SSRT2253
Reference: CONECTIVA:CLSA-2002:498
Reference: URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000498
Reference: DEBIAN:DSA-131
Reference: URL:http://www.debian.org/security/2002/dsa-131
Reference: DEBIAN:DSA-132
Reference: URL:http://www.debian.org/security/2002/dsa-132
Reference: DEBIAN:DSA-133
Reference: URL:http://www.debian.org/security/2002/dsa-133
Reference: ENGARDE:ESA-20020619-014
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-2137.html
Reference: REDHAT:RHSA-2002:118
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-118.html
Reference: REDHAT:RHSA-2002:117
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-117.html
Reference: BUGTRAQ:20020619 [OpenPKG-SA-2002.004] OpenPKG Security Advisory (apache)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0235.html
Reference: BUGTRAQ:20020621 [slackware-security] new apache/mod_ssl packages available
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0266.html
Reference: SUSE:SuSE-SA:2002:022
Reference: URL:http://www.suse.com/de/security/2002_22_apache.html
Reference: CERT-VN:VU#944335
Reference: URL:http://www.kb.cert.org/vuls/id/944335
Reference: HP:HPSBTL0206-049
Reference: URL:http://online.securityfocus.com/advisories/4240
Reference: HP:HPSBUX0207-197
Reference: URL:http://online.securityfocus.com/advisories/4257
Reference: BID:5033
Reference: URL:http://online.securityfocus.com/bid/5033
Reference: XF:apache-chunked-encoding-bo(9249)
Reference: URL:http://www.iss.net/security_center/static/9249.php
Apache 1.3 through 1.3.24, and Apache 2.0 through 2.0.36, allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via a chunk-encoded HTTP request that causes Apache to use an
incorrect size.
Modifications:
ADDREF CALDERA:CSSA-2002-029.0
ADDREF CALDERA:CSSA-2002-SCO.31
ADDREF CALDERA:CSSA-2002-SCO.32
ADDREF COMPAQ:SSRT2253
ADDREF CONECTIVA:CLSA-2002:498
ADDREF DEBIAN:DSA-131
ADDREF DEBIAN:DSA-132
ADDREF DEBIAN:DSA-133
ADDREF ENGARDE:ESA-20020619-014
ADDREF REDHAT:RHSA-2002:118
ADDREF REDHAT:RHSA-2002:117
ADDREF BUGTRAQ:20020619 [OpenPKG-SA-2002.004] OpenPKG Security Advisory (apache)
ADDREF BUGTRAQ:20020621 [slackware-security] new apache/mod_ssl packages available
ADDREF SUSE:SuSE-SA:2002:022
ADDREF CERT-VN:VU#944335
ADDREF HP:HPSBTL0206-049
ADDREF HP:HPSBUX0207-197
ADDREF BID:5033
ADDREF XF:apache-chunked-encoding-bo(9249)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0392 ACCEPT (5 accept, 11 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Cox, Wall, Foat, Cole
NOOP(1) Christey
Voter Comments:
Christey> CALDERA:CSSA-2002-029.0
URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-029.0.txt
CALDERA:CSSA-2002-SCO.31
URL:ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.31
CALDERA:CSSA-2002-SCO.32
URL:ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.32
COMPAQ:SSRT2253
CONECTIVA:CLSA-2002:498
URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000498
DEBIAN:DSA-131
URL:http://www.debian.org/security/2002/dsa-131
DEBIAN:DSA-132
URL:http://www.debian.org/security/2002/dsa-132
DEBIAN:DSA-133
URL:http://www.debian.org/security/2002/dsa-133
ENGARDE:ESA-20020619-014
URL:http://www.linuxsecurity.com/advisories/other_advisory-2137.html
REDHAT:RHSA-2002:118
URL:http://rhn.redhat.com/errata/RHSA-2002-118.html
REDHAT:RHSA-2002:117
URL:http://rhn.redhat.com/errata/RHSA-2002-117.html
BUGTRAQ:20020619 [OpenPKG-SA-2002.004] OpenPKG Security Advisory (apache)
URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0235.html
BUGTRAQ:20020621 [slackware-security] new apache/mod_ssl packages available
URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0266.html
SUSE:SuSE-SA:2002:022
URL:http://www.suse.com/de/security/2002_22_apache.html
CERT-VN:VU#944335
URL:http://www.kb.cert.org/vuls/id/944335
BID:5033
URL:http://online.securityfocus.com/bid/5033
XF:apache-chunked-encoding-bo(9249)
URL:http://www.iss.net/security_center/static/9249.php
HP:HPSBTL0206-049
URL:http://online.securityfocus.com/advisories/4240
HP:HPSBUX0207-197
URL:http://online.securityfocus.com/advisories/4257
======================================================
Candidate: CAN-2002-0394
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0394
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020611
Assigned: 20020530
Category: SF
Reference: ATSTAKE:A060502-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a060502-1.txt
Reference: XF:redm-1050ap-insecure-passwords(9263)
Reference: URL:http://www.iss.net/security_center/static/9263.php
Red-M 1050 (Bluetooth Access Point) uses case insensitive passwords,
which makes it easier for attackers to conduct a brute force guessing
attack due to the smaller space of possible passwords.
Modifications:
ADDREF XF:redm-1050ap-insecure-passwords(9263)
Analysis
--------
Vendor Acknowledgement:
INFERRED ACTION: CAN-2002-0394 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Foat
MODIFY(1) Frech
NOOP(4) Cox, Wall, Cole, Armstrong
Voter Comments:
Frech> XF:redm-1050ap-insecure-passwords(9263)
Baker> The vendor response does not dispute any of the issues, stating the remaining issues will be resolved in a future firmware update. Sounds like confirmation to me.
======================================================
Candidate: CAN-2002-0401
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0401
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-02
Proposed: 20020611
Assigned: 20020603
Category: SF
Reference: BUGTRAQ:20020529 Potential security issues in Ethereal
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102268626526119&w=2
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00004.html
Reference: DEBIAN:DSA-130
Reference: URL:http://www.debian.org/security/2002/dsa-130
Reference: REDHAT:RHSA-2002:088
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-088.html
Reference: CONECTIVA:CLSA-2002:505
Reference: URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000505
Reference: CALDERA:CSSA-2002-037.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-037.0.txt
Reference: BID:4806
Reference: URL:http://online.securityfocus.com/bid/4806
Reference: XF:ethereal-smb-dissector-dos(9204)
Reference: URL:http://www.iss.net/security_center/static/9204.php
SMB dissector in Ethereal 0.9.3 and earlier allows remote attackers to
cause a denial of service (crash) or execute arbitrary code via
malformed packets that cause Ethereal to dereference a NULL pointer.
Modifications:
ADDREF REDHAT:RHSA-2002:088
ADDREF XF:ethereal-smb-dissector-dos(9204)
ADDREF CONECTIVA:CLSA-2002:505
ADDREF CALDERA:CSSA-2002-037.0
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0401 ACCEPT (6 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Foat, Cole, Armstrong
MODIFY(2) Frech, Cox
NOOP(2) Christey, Wall
Voter Comments:
Cox> ADDREF: RHSA-2002:088
Christey> Fix version: 0.9.3 is also affected (thanks to Mark Cox for
noticing this)
Christey> XF:ethereal-smb-dissector-dos(9204)
URL:http://www.iss.net/security_center/static/9204.php
CONECTIVA:CLSA-2002:505
URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000505
Frech> XF:ethereal-smb-dissector-dos(9204)
Christey> CALDERA:CSSA-2002-037.0
URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-037.0.txt
======================================================
Candidate: CAN-2002-0402
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0402
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-02
Proposed: 20020611
Assigned: 20020603
Category: SF
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00004.html
Reference: DEBIAN:DSA-130
Reference: URL:http://www.debian.org/security/2002/dsa-130
Reference: BUGTRAQ:20020529 Potential security issues in Ethereal
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102268626526119&w=2
Reference: REDHAT:RHSA-2002:088
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-088.html
Reference: CONECTIVA:CLSA-2002:505
Reference: URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000505
Reference: CALDERA:CSSA-2002-037.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-037.0.txt
Reference: XF:ethereal-x11-dissector-bo(9203)
Reference: URL:http://www.iss.net/security_center/static/9203.php
Reference: BID:4805
Reference: URL:http://online.securityfocus.com/bid/4805
Buffer overflow in X11 dissector in Ethereal 0.9.3 and earlier allows
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code while Ethereal is parsing keysyms.
Modifications:
ADDREF REDHAT:RHSA-2002:088
ADDREF CONECTIVA:CLSA-2002:505
ADDREF XF:ethereal-x11-dissector-bo(9203)
ADDREF CALDERA:CSSA-2002-037.0
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0402 ACCEPT (6 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Foat, Cole, Armstrong
MODIFY(2) Frech, Cox
NOOP(2) Christey, Wall
Voter Comments:
Cox> ADDREF: RHSA-2002:088
Christey> Fix version: 0.9.3 is also affected (thanks to Mark Cox for
noticing this)
Christey> XF:ethereal-x11-dissector-bo(9203)
URL:http://www.iss.net/security_center/static/9203.php
CONECTIVA:CLSA-2002:505
URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000505
Frech> XF:ethereal-x11-dissector-bo(9203)
Christey> CALDERA:CSSA-2002-037.0
URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-037.0.txt
======================================================
Candidate: CAN-2002-0403
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0403
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-02
Proposed: 20020611
Assigned: 20020603
Category: SF
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00004.html
Reference: DEBIAN:DSA-130
Reference: URL:http://www.debian.org/security/2002/dsa-130
Reference: BUGTRAQ:20020529 Potential security issues in Ethereal
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102268626526119&w=2
Reference: REDHAT:RHSA-2002:088
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-088.html
Reference: CONECTIVA:CLSA-2002:505
Reference: URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000505
Reference: CALDERA:CSSA-2002-037.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-037.0.txt
Reference: BID:4807
Reference: URL:http://online.securityfocus.com/bid/4807
Reference: XF:ethereal-dns-dissector-dos(9205)
Reference: URL:http://www.iss.net/security_center/static/9205.php
DNS dissector in Ethereal before 0.9.3 allows remote attackers to
cause a denial of service (CPU consumption) via a malformed packet
that causes Ethereal to enter an infinite loop.
Modifications:
ADDREF REDHAT:RHSA-2002:088
ADDREF CONECTIVA:CLSA-2002:505
ADDREF XF:ethereal-dns-dissector-dos(9205)
ADDREF CALDERA:CSSA-2002-037.0
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0403 ACCEPT (6 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Foat, Cole, Armstrong
MODIFY(2) Frech, Cox
NOOP(2) Christey, Wall
Voter Comments:
Cox> ADDREF: RHSA-2002:088
Christey> Fix version: 0.9.3 is also affected (thanks to Mark Cox for
noticing this)
Christey> XF:ethereal-dns-dissector-dos(9205)
URL:http://www.iss.net/security_center/static/9205.php
CONECTIVA:CLSA-2002:505
URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000505
Frech> XF:ethereal-dns-dissector-dos(9205)
Christey> CALDERA:CSSA-2002-037.0
URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-037.0.txt
======================================================
Candidate: CAN-2002-0404
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0404
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-02
Proposed: 20020611
Assigned: 20020603
Category: SF
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00004.html
Reference: DEBIAN:DSA-130
Reference: URL:http://www.debian.org/security/2002/dsa-130
Reference: BUGTRAQ:20020529 Potential security issues in Ethereal
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102268626526119&w=2
Reference: REDHAT:RHSA-2002:088
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-088.html
Reference: CONECTIVA:CLSA-2002:505
Reference: URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000505
Reference: CALDERA:CSSA-2002-037.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-037.0.txt
Reference: BID:4808
Reference: URL:http://online.securityfocus.com/bid/4808
Reference: XF:ethereal-giop-dissector-dos(9206)
Reference: URL:http://www.iss.net/security_center/static/9206.php
Vulnerability in GIOP dissector in Ethereal before 0.9.3 allows remote
attackers to cause a denial of service (memory consumption).
Modifications:
ADDREF REDHAT:RHSA-2002:088
ADDREF CONECTIVA:CLSA-2002:505
ADDREF XF:ethereal-giop-dissector-dos(9206)
ADDREF CALDERA:CSSA-2002-037.0
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0404 ACCEPT (6 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Foat, Cole, Armstrong
MODIFY(2) Frech, Cox
NOOP(2) Christey, Wall
Voter Comments:
Cox> ADDREF: RHSA-2002:088
Christey> Fix version: 0.9.3 is also affected (thanks to Mark Cox for
noticing this)
Christey> XF:ethereal-giop-dissector-dos(9206)
URL:http://www.iss.net/security_center/static/9206.php
Frech> XF:ethereal-giop-dissector-dos(9206)
Christey> CALDERA:CSSA-2002-037.0
URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-037.0.txt
======================================================
Candidate: CAN-2002-0406
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0406
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020302 Denial of Service in Sphereserver
Reference: URL:http://online.securityfocus.com/archive/1/259334
Reference: XF:sphereserver-connections-dos(8338)
Reference: URL:http://www.iss.net/security_center/static/8338.php
Reference: BID:4258
Reference: URL:http://www.securityfocus.com/bid/4258
Menasoft SPHERE server 0.99x and 0.5x allows remote attackers to cause
a denial of service by establishing a large number of connections to
the server without providing login credentials, which prevents other
users from being able to log in.
Analysis
--------
Vendor Acknowledgement:
INFERRED ACTION: CAN-2002-0406 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Frech, Cole, Alderson
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0412
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0412
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020304 [H20020304]: Remotely exploitable format string vulnerability in ntop
Reference: URL:http://online.securityfocus.com/archive/1/259642
Reference: BUGTRAQ:20020411 ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101854261030453&w=2
Reference: BUGTRAQ:20020411 re: gobbles ntop alert
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101856541322245&w=2
Reference: BUGTRAQ:20020417 segfault in ntop
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101908224609740&w=2
Reference: VULNWATCH:20020304 [VulnWatch] [H20020304]: Remotely exploitable format string vulnerability in ntop
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0056.html
Reference: CONFIRM:http://snapshot.ntop.org/
Reference: MISC:http://listmanager.unipi.it/pipermail/ntop-dev/2002-February/000489.html
Reference: XF:ntop-traceevent-format-string(8347)
Reference: URL:http://www.iss.net/security_center/static/8347.php
Reference: BID:4225
Reference: URL:http://www.securityfocus.com/bid/4225
Format string vulnerability in TraceEvent function for ntop before 2.1
allows remote attackers to execute arbitrary code by causing format
strings to be injected into calls to the syslog function, via (1) an
HTTP GET request, (2) a user name in HTTP authentication, or (3) a
password in HTTP authentication.
Analysis
--------
Vendor Acknowledgement: yes advisory
ACKNOWLEDGEMENT: On the front page, the vendor has an item dated March
5, 2002, which states "A security exposure (remote code execution) in
ntop was reported to bugtraq (bugtraq@securityfocus.com) by
'hologram'" - the original discloser to Bugtraq.
INFERRED ACTION: CAN-2002-0412 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Frech, Wall, Cole, Alderson
MODIFY(1) Cox
NOOP(1) Foat
Voter Comments:
Cox> I believe this only applies to ntop version 2 not version 1
======================================================
Candidate: CAN-2002-0414
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0414
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020304 BSD: IPv4 forwarding doesn't consult inbound SPD in KAME-derived IPsec
Reference: URL:http://www.securityfocus.com/archive/1/259598
Reference: CONFIRM:http://orange.kame.net/dev/cvsweb.cgi/kame/CHANGELOG
Reference: BID:4224
Reference: URL:http://www.securityfocus.com/bid/4224
Reference: XF:kame-forged-packet-forwarding(8416)
Reference: URL:http://www.iss.net/security_center/static/8416.php
Reference: VULNWATCH:20020304 [VulnWatch] BSD: IPv4 forwarding doesn't consult inbound SPD in KAME-derived IPsec
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0057.html
KAME-derived implementations of IPsec on NetBSD 1.5.2, FreeBSD 4.5,
and other operating systems do not properly consult the Security
Policy Database (SPD), which could cause a Security Gateway (SG) that
does not use Encapsulating Security Payload (ESP) to forward forged
IPv4 packets.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: In a changelog item dated "Mon Feb 25 2:00:06 2002,"
the vendor says "enforce ipsec policy checking on forwarding case" and
credits the Bugtraq poster.
INFERRED ACTION: CAN-2002-0414 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Cole, Alderson
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0423
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0423
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 efingerd remote buffer overflow and a dangerous feature
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0050.html
Reference: CONFIRM:http://melkor.dnp.fmph.uniba.sk/~garabik/efingerd/efingerd_1.5.tar.gz
Reference: BID:4239
Reference: URL:http://www.securityfocus.com/bid/4239
Reference: XF:efingerd-reverse-lookup-bo(8380)
Reference: URL:http://www.iss.net/security_center/static/8380.php
Buffer overflow in efingerd 1.5 and earlier, and possibly up to 1.61,
allows remote attackers to cause a denial of service and possibly
execute arbitrary code via a finger request from an IP address with a
long hostname that is obtained via a reverse DNS lookup.
Analysis
--------
Vendor Acknowledgement: yes patch
ACKNOWLEDGEMENT: the source code for 1.6.2 has a
child.c file, dated several weeks after initial disclosure, whose only
change was to terminate the string that is copied. But the source code
shows a strncpy call, as opposed to a strcpy as claimed by the
discloser. Looking back at the source code for older versions, it
appears that the first attempt to fix the overflow was made in version
1.5, where the strcpy was replaced by strncpy. However, since the
string was not null terminated until 1.6.2, the discloser may have
believed that the overflow still existed since they were probably
still able to at least trigger a crash. It is unclear whether the
unterminated string in versions 1.5 through 1.6.2 is actually
exploitable.
INFERRED ACTION: CAN-2002-0423 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Cole, Alderson
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0424
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0424
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 efingerd remote buffer overflow and a dangerous feature
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0050.html
Reference: CONFIRM:http://melkor.dnp.fmph.uniba.sk/~garabik/efingerd/efingerd_1.6.2.tar.gz
Reference: BID:4240
Reference: URL:http://www.securityfocus.com/bid/4240
Reference: XF:efingerd-file-execution(8381)
Reference: URL:http://www.iss.net/security_center/static/8381.php
efingerd 1.61 and earlier, when configured without the -u option,
executes .efingerd files as the efingerd user (typically "nobody"),
which allows local users to gain privileges as the efingerd user by
modifying their own .efingerd file and running finger.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the vendor acknowledges but does not fix the problem
in 1.6.2. The README file for efingerd 1.6.2 includes a new "Security
Notes" section that states: "unless run with option -u, efingerd
executes ... [the .efingerd file] under the same UID as the efingerd
daemon... This means that users could gain access to this UID very
easily." For the purposes of CVE, vendor acknowledgement is all that
is necessary.
INFERRED ACTION: CAN-2002-0424 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Cole, Alderson
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0425
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0425
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 mIRC DCC Server Security Flaw
Reference: URL:http://online.securityfocus.com/archive/1/260244
Reference: XF:mirc-dcc-reveal-info(8393)
Reference: URL:http://www.iss.net/security_center/static/8393.php
Reference: BID:4247
Reference: URL:http://www.securityfocus.com/bid/4247
mIRC DCC server protocol allows remote attackers to gain sensitive
information such as alternate IRC nicknames via a "100 testing"
message in a DCC connection request that cannot be ignored or canceled
by the user, which may leak the alternate nickname in a response
message.
Analysis
--------
Vendor Acknowledgement:
INFERRED ACTION: CAN-2002-0425 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Frech, Cole, Alderson
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0429
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0429
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020308 linux <=2.4.18 x86 traps.c problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101561298818888&w=2
Reference: CONFIRM:http://www.openwall.com/linux/
Reference: REDHAT:RHSA-2002:158
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-158.html
Reference: BID:4259
Reference: URL:http://online.securityfocus.com/bid/4259
Reference: XF:linux-ibcs-lcall-process(8420)
Reference: URL:http://www.iss.net/security_center/static/8420.php
The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18
and earlier on x86 systems allow local users to kill arbitrary
processes via a binary compatibility interface (lcall).
Modifications:
ADDREF REDHAT:RHSA-2002:158
ADDREF XF:linux-ibcs-lcall-process(8420)
Analysis
--------
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: the Openwall home page has an item dated March 3,
2002, which states "Linux 2.2.20-ow2 fixes an x86-specific
vulnerability in the Linux kernel discovered by Stephan Springl where
local users could abuse a binary compatibility interface (lcall) to
kill processes not belonging to them."
INFERRED ACTION: CAN-2002-0429 ACCEPT (5 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Cox, Cole, Alderson
MODIFY(1) Frech
NOOP(2) Wall, Foat
Voter Comments:
Frech> XF:linux-ibcs-lcall-process(8420)
CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
Cox> Addref: RHSA-2002:158
======================================================
Candidate: CAN-2002-0431
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0431
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020309 xtux server DoS.
Reference: URL:http://online.securityfocus.com/archive/1/260912
Reference: MISC:https://sourceforge.net/tracker/index.php?func=detail&aid=529046&group_id=206&atid=100206
Reference: BID:4260
Reference: URL:http://www.securityfocus.com/bid/4260
Reference: XF:xtux-server-dos(8422)
Reference: URL:http://www.iss.net/security_center/static/8422.php
XTux allows remote attackers to cause a denial of service (CPU
consumption) via random inputs in the initial connection.
Analysis
--------
Vendor Acknowledgement:
ACKNOWLEDGEMENT: as of this writing (20020514), a bug report was filed
on 20020319, but the vendor had not responded.
INFERRED ACTION: CAN-2002-0431 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Frech, Cole, Alderson
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0435
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0435
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-02
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020310 GNU fileutils - recursive directory removal race condition
Reference: URL:http://www.securityfocus.com/archive/1/260936
Reference: CONFIRM:http://mail.gnu.org/archive/html/bug-fileutils/2002-03/msg00028.html
Reference: CALDERA:CSSA-2002-018.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-018.1.txt
Reference: XF:gnu-fileutils-race-condition(8432)
Reference: URL:http://www.iss.net/security_center/static/8432.php
Reference: BID:4266
Reference: URL:http://www.securityfocus.com/bid/4266
Reference: MANDRAKE:MDKSA-2002:031
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-031.php
Race condition in the recursive (1) directory deletion and (2)
directory move in GNU File Utilities (fileutils) 4.1 and earlier
allows local users to delete directories as the user running fileutils
by moving a low-level directory to a higher level as it is being
deleted, which causes fileutils to chdir to a ".." directory that is
higher than expected, possibly up to the root file system.
Modifications:
ADDREF MANDRAKE:MDKSA-2002:032
CHANGEREF CONFIRM [URL changed]
CHANGEREF MANDRAKE [wrong number]
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0435 ACCEPT (5 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(5) Green, Baker, Cox, Foat, Cole
NOOP(2) Christey, Wall
Voter Comments:
Christey> MANDRAKE:MDKSA-2002:032
CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
Cox> CONFIRM:http://mail.gnu.org/pipermail/bug-fileutils/2002-March/002440.html
is a dead link, I traced the message to the new live link here
http://mail.gnu.org/archive/html/bug-fileutils/2002-03/msg00028.html
Christey> Mandrake reference should be MANDRAKE:MDKSA-2002:031 (032
is for tcpdump)
======================================================
Candidate: CAN-2002-0437
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0437
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020311 SMStools vulnerabilities in release before 1.4.8
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0103.html
Reference: CONFIRM:http://www.isis.de/members/~s.frings/smstools/history.html
Reference: BID:4268
Reference: URL:http://www.securityfocus.com/bid/4268
Reference: XF:sms-tools-format-string(8433)
Reference: URL:http://www.iss.net/security_center/static/8433.php
Smsd in SMS Server Tools (SMStools) before 1.4.8 allows remote
attackers to execute arbitrary commands via shell metacharacters
(backquotes) in message text, as described with the term "string
format vulnerability" by some sources.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACCURACY: The original discloser (probably a non-native English
speaker) says the problem is due to "string format vulnerabilities,"
which makes it sound like format string vulnerabilities; but the
impact is described as "arbitrary command injection," and the vendor's
change log says "disable execution of programs by using backquotes in
the message text," which makes it sound like a shell metacharacter
problem. In addition, a source code review of 1.4.9 indicates that the
problem is with shell metacharacters. getSMSdata() in smsd.c removes
the quote from a text field, which is then provided to sendsms(),
which is then fed into my_system(), which then calls system(). A
followup email to the discloser confirms that the discloser was
dealing with a metacharacter issue.
ACKNOWLEDGEMENT: In a "thanks" page, the vendor credits the
researcher, and in the change log, describes security issues that
match the dates and affected versions from the initial disclosure.
INFERRED ACTION: CAN-2002-0437 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Green, Baker, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0441
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0441
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020311 Directory traversal vulnerability in phpimglist
Reference: URL:http://www.securityfocus.com/archive/1/261221
Reference: CONFIRM:http://www.liquidpulse.net/get.lp?id=17
Reference: XF:phpimglist-dot-directory-traversal(8441)
Reference: URL:http://www.iss.net/security_center/static/8441.php
Reference: BID:4276
Reference: URL:http://www.securityfocus.com/bid/4276
Directory traversal vulnerability in imlist.php for Php Imglist allows
remote attackers to read arbitrary code via a .. (dot dot) in the cwd
parameter.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: The CHANGELOG for version 1.2.2 identifies a bug fix
that "stops people from browsing outside of your specified directory."
INFERRED ACTION: CAN-2002-0441 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Green, Baker, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0442
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0442
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category:
Reference: CALDERA:CSSA-2002-SCO.8
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.8/CSSA-2002-SCO.8.txt
Reference: XF:openserver-dlvraudit-bo(8442)
Reference: URL:http://www.iss.net/security_center/static/8442.php
Reference: BID:4273
Reference: URL:http://www.securityfocus.com/bid/4273
Buffer overflow in dlvr_audit for Caldera OpenServer 5.0.5 and 5.0.6
allows local users to gain root privileges.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0442 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Green, Baker, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0451
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0451
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020313 Command execution in phprojekt.
Reference: URL:http://www.securityfocus.com/archive/1/261676
Reference: CONFIRM:http://www.phprojekt.com/modules.php?op=modload&name=News&file=article&sid=19&mode=&order=
Reference: BID:4284
Reference: URL:http://www.securityfocus.com/bid/4284
Reference: XF:phpprojekt-filemanager-include-files(8448)
Reference: URL:http://www.iss.net/security_center/static/8448.php
filemanager_forms.php in PHProjekt 3.1 and 3.1a allows remote
attackers to execute arbitrary PHP code by specifying the URL to the
code in the lib_path parameter.
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0451 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Green, Baker, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0454
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0454
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020315 Bug in QPopper (All Versions?)
Reference: URL:http://www.securityfocus.com/archive/1/262213
Reference: CONFIRM:ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper4.0.4.tar.gz
Reference: XF:qpopper-qpopper-dos(8458)
Reference: URL:http://www.iss.net/security_center/static/8458.php
Reference: BID:4295
Reference: URL:http://www.securityfocus.com/bid/4295
Reference: CALDERA:CSSA-2002-SCO.20
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.20
Qpopper (aka in.qpopper or popper) 4.0.3 and earlier allows remote
attackers to cause a denial of service (CPU consumption) via a very
large string, which causes an infinite loop.
Modifications:
ADDREF CALDERA:CSSA-2002-SCO.20
Analysis
--------
Vendor Acknowledgement: yes patch
ACKNOWLEDGEMENT: the change log for version 4.0.4 says "Fixed DOS
attack seen on some systems," but the description itself is too vague
to be certain that the vendor has fixed *this* issue. However, a diff
of popper/popper.c in versions 4.0.4 and 4.0.3 reveals a new comment:
"getline() now clears out storage buffer when giving up after
discarding bytes. Fixes looping DOS attack seen on some systems." That
would be consistent with the behavior that was originally reported.
INFERRED ACTION: CAN-2002-0454 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Green, Baker, Wall, Cole
NOOP(3) Christey, Cox, Foat
Voter Comments:
Christey> CALDERA:CSSA-2002-SCO.20
======================================================
Candidate: CAN-2002-0462
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0462
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020318 [ARL02-A11] Big Sam (Built-In Guestbook Stand-Alone Module) Multiple Vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/262735
Reference: CONFIRM:http://www.gezzed.net/bigsam/bigsam.1_1_12.php.txt
Reference: XF:bigsam-displaybegin-dos(8478)
Reference: URL:http://www.iss.net/security_center/static/8478.php
Reference: XF:bigsam-safemode-path-disclosure(8479)
Reference: URL:http://www.iss.net/security_center/static/8479.php
Reference: BID:4312
Reference: URL:http://www.securityfocus.com/bid/4312
bigsam_guestbook.php for Big Sam (Built-In Guestbook Stand-Alone
Module) 1.1.08 and earlier allows remote attackers to cause a denial
of service (CPU consumption) or obtain the absolute path of the web
server via a displayBegin parameter with a very large number, which
leaks the web path in an error message when PHP safe_mode is enabled,
or consumes resources when safe_mode is not enabled.
Modifications:
DESC rephrase to clarify
Analysis
--------
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: in the source code for the program, the vendor has a
comment that states "Checks if $displayBegin is not too large," and
credits the discloser.
INFERRED ACTION: CAN-2002-0462 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Green, Baker, Foat, Cole
NOOP(2) Cox, Wall
======================================================
Candidate: CAN-2002-0463
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0463
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020319 Re: [ARL02-A07] ARSC Really Simple Chat System Information Path Disclosure Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/262802
Reference: BUGTRAQ:20020316 [ARL02-A07] ARSC Really Simple Chat System Information Path Disclosure Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/262652
Reference: BID:4307
Reference: URL:http://www.securityfocus.com/bid/4307
Reference: XF:arsc-language-path-disclosure(8472)
Reference: URL:http://www.iss.net/security_center/static/8472.php
home.php in ARSC (Really Simple Chat) 1.0.1 and earlier allows remote
attackers to determine the full pathname of the web server via an
invalid language in the arsc_language parameter, which leaks the
pathname in an error message.
Analysis
--------
Vendor Acknowledgement: yes followup
INFERRED ACTION: CAN-2002-0463 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Green, Baker, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0464
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0464
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020318 Hosting Directory Traversal madness...
Reference: URL:http://www.securityfocus.com/archive/1/262734
Reference: CONFIRM:http://www.hostingcontroller.com/english/patches/ForAll/download/dot-slash.zip
Reference: BID:4311
Reference: URL:http://www.securityfocus.com/bid/4311
Directory traversal vulnerability in Hosting Controller 1.4.1 and
earlier allows remote attackers to read and modify arbitrary files and
directories via a .. (dot dot) in arguments to (1) file_editor.asp,
(2) folderactions.asp, or (3) editoractions.asp.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the readme.txt file in a patch labeled "Infamous
Dot-Slash Bug Fix," dated March 22, 2002, states: "Folder Manager was
vulnerable to infamous ../ bug, if an alternate path was sent using
the query string variables, the altered path could be deleted or
renamed."
ABSTRACTION: Although another directory traversal vulnerability was
discovered shortly before this one (January 2002), CD:SF-LOC suggests
keeping separate CVE items for them because separate patches were
produced.
INFERRED ACTION: CAN-2002-0464 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Green, Baker, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0473
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0473
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: VULN-DEV:20020318 phpBB2 remote execution command
Reference: URL:http://online.securityfocus.com/archive/82/262600
Reference: BUGTRAQ:20020318 Re: phpBB2 remote execution command (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0221.html
Reference: BUGTRAQ:20020318 phpBB2 remote execution command
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0229.html
Reference: CONFIRM:http://prdownloads.sourceforge.net/phpbb/phpBB-2.0.1.zip
Reference: MISC:http://phpbb.sourceforge.net/phpBB2/viewtopic.php?t=9483
Reference: BID:4380
Reference: URL:http://www.securityfocus.com/bid/4380
Reference: XF:phpbb-db-command-execution(8476)
Reference: URL:http://www.iss.net/security_center/static/8476.php
db.php in phpBB 2.0 (aka phpBB2) RC-3 and earlier allows remote
attackers to execute arbitrary code from remote servers via the
phpbb_root_path parameter.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: a followup post to Bugtraq points to a URL that could
contain acknowledgement, but no longer exists. A post from the
developer to a web forum, dated March 23, 2002, is titled "Security
vulnerability in phpBB 2.0" and implies that any "CVS version dated
before March 19th 2002" is vulnerable. The comments in the changelog
in docs/README.html say that version RC4 "Addressed serious security
issue with included files," which would be consistent with the
slightly vague Bugtraq post, which says "some backdoor server [is]
needed to launch the attack," which implies that the problem is in PHP
include files or the rough equivalent. A "diff" between 2.0.1 and
2.0.0 RC3 indicates that the only change to db.php was a check for the
IN_PHPBB variable, which (a) does not exist in RC3, (b) is defined in
all top-level PHP programs in 2.0.1, and (c) dies with the phrase
"Hacking attempt" if IN_PHPBB is not defined.
INFERRED ACTION: CAN-2002-0473 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Green, Baker, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0484
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0484
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020321 Re: move_uploaded_file breaks safe_mode restrictions in PHP
Reference: URL:http://online.securityfocus.com/archive/1/263259
Reference: BUGTRAQ:20020317 move_uploaded_file breaks safe_mode restrictions in PHP
Reference: URL:http://online.securityfocus.com/archive/1/262999
Reference: BUGTRAQ:20020322 Re: move_uploaded_file breaks safe_mode restrictions in PHP
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101683938806677&w=2
Reference: CONFIRM:http://bugs.php.net/bug.php?id=16128
Reference: XF:php-moveuploadedfile-create-files(8591)
Reference: URL:http://www.iss.net/security_center/static/8591.php
Reference: BID:4325
Reference: URL:http://www.securityfocus.com/bid/4325
move_uploaded_file in PHP does not check for the base
directory (open_basedir), which could allow remote attackers to upload
files to unintended locations on the system.
Analysis
--------
Vendor Acknowledgement: yes followup
INFERRED ACTION: CAN-2002-0484 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Green, Baker, Cox, Cole
NOOP(2) Wall, Foat
Voter Comments:
CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
======================================================
Candidate: CAN-2002-0488
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0488
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020321 PHP script: Penguin Traceroute, Remote Command Execution
Reference: URL:http://www.securityfocus.com/archive/1/263285
Reference: CONFIRM:http://www.linux-directory.com/scripts/traceroute.pl
Reference: XF:penguin-traceroute-command-execution(8600)
Reference: URL:http://www.iss.net/security_center/static/8600.php
Reference: BID:4332
Reference: URL:http://www.securityfocus.com/bid/4332
Linux Directory Penguin traceroute.pl CGI script 1.0 allows remote
attackers to execute arbitrary code via shell metacharacters in the
host parameter.
Analysis
--------
Vendor Acknowledgement: yes patch
ACKNOWLEDGEMENT: in the source code, the vendor cleanses the host
parameter, adding a comment dated 20020321 that says the line was
added.
INFERRED ACTION: CAN-2002-0488 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Green, Baker, Wall, Foat, Cole
NOOP(1) Cox
======================================================
Candidate: CAN-2002-0490
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0490
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020323 Instant Web Mail additional POP3 commands and mail headers
Reference: URL:http://www.securityfocus.com/archive/1/264041
Reference: CONFIRM:http://instantwebmail.sourceforge.net/#changeLog
Reference: XF:instant-webmail-pop-commands(8650)
Reference: URL:http://www.iss.net/security_center/static/8650.php
Reference: BID:4361
Reference: URL:http://www.securityfocus.com/bid/4361
Instant Web Mail before 0.60 does not properly filter CR/LF sequences,
which allows remote attackers to (1) execute arbitrary POP commands
via the id parameter in message.php, or (2) modify certain mail
message headers via numerous parameters in write.php.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the change log for version 0.60, dated March 17,
2002, says "For security reasons it is no longer possible to write
extra headers besides the normal ones when composing messages."
INFERRED ACTION: CAN-2002-0490 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0493
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0493
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020325 re: Tomcat Security Exposure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101709002410365&w=2
Reference: MISC:http://www.apachelabs.org/tomcat-dev/200108.mbox/%3C20010810000819.6350.qmail@icarus.apache.org%3E
Reference: XF:tomcat-xml-bypass-restrictions(9863)
Reference: URL:http://www.iss.net/security_center/static/9863.php
Apache Tomcat may be started without proper security settings if
errors are encountered while reading the web.xml file, which could
allow attackers to bypass intended restrictions.
Modifications:
ADDREF XF:tomcat-xml-bypass-restrictions(9863)
Analysis
--------
Vendor Acknowledgement:
INFERRED ACTION: CAN-2002-0493 ACCEPT (4 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
MODIFY(1) Frech
NOOP(3) Cox, Wall, Foat
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:tomcat-xml-bypass-restrictions(9863)
======================================================
Candidate: CAN-2002-0494
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0494
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020325 WebSight Directory System: cross-site-scripting bug
Reference: URL:http://www.securityfocus.com/archive/1/263914
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=163389
Reference: BID:4357
Reference: URL:http://www.securityfocus.com/bid/4357
Reference: XF:websight-directory-system-css(8624)
Reference: URL:http://www.iss.net/security_center/static/8624.php
Cross-site scripting vulnerability in WebSight Directory System 0.1
allows remote attackers to execute arbitrary Javascript and gain
access to the WebSight administrator via a new link submission
containing the script in a website name.
Analysis
--------
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: A news item posted by the vendor titled "Important
security fix!", dated 20020325, says "the problem was that in the
administration area, there was no prevention from javascripts etc to
being executed," and credits the poster.
INFERRED ACTION: CAN-2002-0494 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0495
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0495
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020325 CGIscript.net - csSearch.cgi - Remote Code Execution (up to 17,000 sites vulnerable)
Reference: URL:http://www.securityfocus.com/archive/1/264169
Reference: MISC:http://www.cgiscript.net/cgi-script/csNews/csNews.cgi?database=cgi.db&command=viewone&id=7
Reference: BID:4368
Reference: URL:http://www.securityfocus.com/bid/4368
Reference: XF:cssearch-url-execute-commands(8636)
Reference: URL:http://www.iss.net/security_center/static/8636.php
csSearch.cgi in csSearch 2.3 and earlier allows remote attackers to
execute arbitrary Perl code via the savesetup command and the setup
parameter, which overwrites the setup.cgi configuration file that is
loaded by csSearch.cgi.
Analysis
--------
Vendor Acknowledgement: unknown vague
ACKNOWLEDGEMENT: On the csSearch Pro web page, the vendor states
"Security Alert: We recently discovered vulnerabilities in csSearch
versions 2.3 and below. Please download and install csSearch 2.5 to
correct the problem." This is not enough detail to be certain that the
vendor is addressing this particular vulnerability.
INFERRED ACTION: CAN-2002-0495 ACCEPT (4 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Foat, Cole
NOOP(3) Cox, Wall, Armstrong
Voter Comments:
Frech> http://online.securityfocus.com/archive/1/266432
======================================================
Candidate: CAN-2002-0497
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0497
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 mtr 0.45, 0.46
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0048.html
Reference: DEBIAN:DSA-124
Reference: URL:http://www.debian.org/security/2002/dsa-124
Reference: BID:4217
Reference: URL:http://www.securityfocus.com/bid/4217
Reference: XF:mtr-options-bo(8367)
Reference: URL:http://www.iss.net/security_center/static/8367.php
Buffer overflow in mtr 0.46 and earlier, when installed setuid root,
allows local users to access a raw socket via a long MTR_OPTIONS
environment variable.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0497 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Cox, Cole
NOOP(2) Wall, Foat
======================================================
Candidate: CAN-2002-0501
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0501
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020327 Format String Bug in Posadis DNS Server
Reference: URL:http://online.securityfocus.com/archive/1/264450
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=165094
Reference: XF:posadis-logging-format-string(8653)
Reference: URL:http://www.iss.net/security_center/static/8653.php
Reference: BID:4378
Reference: URL:http://www.securityfocus.com/bid/4378
Format string vulnerability in log_print() function of Posadis DNS
server before version m5pre2 allows local users and possibly remote
attackers to execute arbitrary code via format strings that are
inserted into logging messages.
Modifications:
DESC fix typo
Analysis
--------
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: a vendor announcement fixes the vulnerability "As
reported on Bugtraq March 27 2002."
INFERRED ACTION: CAN-2002-0501 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Frech, Foat, Cole, Armstrong
NOOP(2) Cox, Wall
======================================================
Candidate: CAN-2002-0505
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0505
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CISCO:20020327 LDAP Connection Leak in CTI when User Authentication Fails
Reference: URL:http://www.cisco.com/warp/public/707/callmanager-ctifw-leak-pub.shtml
Reference: XF:cisco-cti-memory-leak(8655)
Reference: URL:http://www.iss.net/security_center/static/8655.php
Reference: BID:4370
Reference: URL:http://www.securityfocus.com/bid/4370
Memory leak in the Call Telephony Integration (CTI) Framework
authentication for Cisco CallManager 3.0 and 3.1 before 3.1(3) allows
remote attackers to cause a denial of service (crash and reload) via a
series of authentication failures, e.g. via incorrect passwords.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0505 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0506
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0506
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020328 A possible buffer overflow in libnewt
Reference: URL:http://online.securityfocus.com/archive/1/264699
Reference: XF:libnewt-bo(8700)
Reference: URL:http://www.iss.net/security_center/static/8700.php
Reference: BID:4393
Reference: URL:http://www.securityfocus.com/bid/4393
Buffer overflow in newt.c of newt windowing library (libnewt) 0.50.33
and earlier may allow attackers to cause a denial of service or
execute arbitrary code in setuid programs that use libnewt.
Modifications:
DESC emphasize setuid programs only
Analysis
--------
Vendor Acknowledgement: yes cve-vote
INFERRED ACTION: CAN-2002-0506 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Frech, Cox, Cole
NOOP(3) Wall, Foat, Armstrong
Voter Comments:
Cox> (although only really a problem if you have setuid programs
that use libnewt)
======================================================
Candidate: CAN-2002-0511
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0511
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CALDERA:CSSA-2002-013.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-013.0.txt
Reference: XF:nscd-dns-ptr-validation(8745)
Reference: URL:http://www.iss.net/security_center/static/8745.php
Reference: BID:4399
Reference: URL:http://www.securityfocus.com/bid/4399
The default configuration of Name Service Cache Daemon (nscd) in
Caldera OpenLinux 3.1 and 3.1.1 uses cached PTR records instead of
consulting the authoritative DNS server for the A record, which could
make it easier for remote attackers to bypass applications that
restrict access based on host names.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0511 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Frech, Foat, Cole, Armstrong
NOOP(2) Cox, Wall
======================================================
Candidate: CAN-2002-0512
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0512
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CALDERA:CSSA-2002-005.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-005.0.txt
Reference: BID:4400
Reference: URL:http://www.securityfocus.com/bid/4400
Reference: XF:kde-startkde-search-directory(8737)
Reference: URL:http://www.iss.net/security_center/static/8737.php
startkde in KDE for Caldera OpenLinux 2.3 through 3.1.1 sets the
LD_LIBRARY_PATH environment variable to include the current working
directory, which could allow local users to gain privileges of other
users running startkde via Trojan horse libraries.
Modifications:
ADDREF XF:kde-startkde-search-directory(8737)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0512 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
MODIFY(1) Frech
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Frech> XF:kde-startkde-search-directory(8737)
Christey> There's a long history of overflows via long -xrm arguments.
Need to make sure there's no overlap with other separate
vulnerability reports.
======================================================
Candidate: CAN-2002-0513
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0513
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020330 popper_mod 1.2.1 and previous accounts compromise
Reference: URL:http://online.securityfocus.com/archive/1/265438
Reference: CONFIRM:http://www.symatec-computer.com/forums/viewtopic.php?t=14
Reference: XF:symatec-popper-admin-access(8746)
Reference: URL:http://www.iss.net/security_center/static/8746.php
Reference: BID:4412
Reference: URL:http://www.securityfocus.com/bid/4412
The PHP administration script in popper_mod 1.2.1 and earlier relies
on Apache .htaccess authentication, which allows remote attackers to
gain privileges if the script is not appropriately configured by the
administrator.
Analysis
--------
Vendor Acknowledgement: yes
INCLUSION: Whether this dependency on .htaccess is a design problem or
a configuration problem, this issue meets the definition of
vulnerability and should be included in CVE.
INFERRED ACTION: CAN-2002-0513 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0516
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0516
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020327 squirrelmail 1.2.5 email user can execute command
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0350.html
Reference: BUGTRAQ:20020331 Re: squirrelmail 1.2.5 email user can execute command
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0386.html
Reference: BID:4385
Reference: URL:http://www.securityfocus.com/bid/4385
Reference: XF:squirrelmail-theme-command-execution(8671)
Reference: URL:http://www.iss.net/security_center/static/8671.php
SquirrelMail 1.2.5 and earlier allows authenticated SquirrelMail users
to execute arbitrary commands by modifying the THEME variable in a
cookie.
Analysis
--------
Vendor Acknowledgement: yes followup
INFERRED ACTION: CAN-2002-0516 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0531
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0531
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020403 emumail.cgi
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0066.html
Reference: CONFIRM:http://www.emumail.com/downloads/download_unix.html/
Reference: XF:emumail-cgi-view-files(8766)
Reference: URL:http://www.iss.net/security_center/static/8766.php
Reference: BID:4435
Reference: URL:http://www.securityfocus.com/bid/4435
Directory traversal vulnerability in emumail.cgi in EMU Webmail 4.5.x
and 5.1.0 allows remote attackers to read arbitrary files or list
arbitrary directories via a .. (dot dot) in the type parameter.
Analysis
--------
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: the download page for Webmail includes a statement
dated April 11, 2002, which says "This patch corrects a security flaw
in EMU Webmail which may allow remote users to exploit emumail.cgi
under certain conditions to read files on the remote system."
INFERRED ACTION: CAN-2002-0531 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0532
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0532
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020410 Re: emumail.cgi, one more local vulnerability (not verified)
Reference: URL:http://online.securityfocus.com/archive/1/266930
Reference: XF:emumail-http-host-execute(8836)
Reference: URL:http://www.iss.net/security_center/static/8836.php
Reference: BID:4488
Reference: URL:http://www.securityfocus.com/bid/4488
EMU Webmail allows local users to execute arbitrary programs via a ..
(dot dot) in the HTTP Host header that points to a Trojan horse
configuration file that contains a pageroot specifier that contains
shell metacharacters.
Analysis
--------
Vendor Acknowledgement: yes via-email
ACKNOWLEDGEMENT: an inquiry was posted to
http://www.emumail.com/support/tech_inquiry.html on June 3, 2002.
Within 24 hours, techprod@emumail.com confirmed the vulnerability:
"Yes this has been fixed...there is an update patch for 4.5 and 5.1 on
our website. Known versions that are affected are 4.5 and 5.x, 4.0
and earlier version may be affected."
INFERRED ACTION: CAN-2002-0532 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0536
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0536
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020403 SQL injection in PHPGroupware
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0036.html
Reference: BUGTRAQ:20020411 Re: SQL injection in PHPGroupware
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0143.html
Reference: XF:phpgroupware-sql-injection(8755)
Reference: URL:http://www.iss.net/security_center/static/8755.php
Reference: BID:4424
Reference: URL:http://www.securityfocus.com/bid/4424
PHPGroupware 0.9.12 and earlier, when running with the
magic_quotes_gpc feature disabled, allows remote attackers to
compromise the database via a SQL injection attack.
Analysis
--------
Vendor Acknowledgement: yes followup
INCLUSION: a followup from the vendor indicates that the issue is due
to a non-default configuration of magic_quotes_gpc in phpGroupWare's
configuration file. While this could be attributed to an apparent
limitation of PHP itself (since the quotes apparently can't be cleanly
enabled within the PHP programs themselves?), this vendor did not work
around this issue, so the problem should be included in CVE.
INFERRED ACTION: CAN-2002-0536 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(4) Cox, Wall, Foat, Armstrong
======================================================
Candidate: CAN-2002-0538
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0538
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020415 Raptor Firewall FTP Bounce vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0166.html
Reference: BUGTRAQ:20020417 Re: Raptor Firewall FTP Bounce vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0224.html
Reference: CONFIRM:http://securityresponse.symantec.com/avcenter/security/Content/2002.04.17.html
Reference: XF:raptor-firewall-ftp-bounce(8847)
Reference: URL:http://www.iss.net/security_center/static/8847.php
Reference: BID:4522
Reference: URL:http://www.securityfocus.com/bid/4522
FTP proxy in Symantec Raptor Firewall 6.5.3 and Enterprise 7.0
rewrites an FTP server's "FTP PORT" responses in a way that allows
remote attackers to redirect FTP data connections to arbitrary ports,
a variant of the "FTP bounce" vulnerability.
Analysis
--------
Vendor Acknowledgement: yes followup
INFERRED ACTION: CAN-2002-0538 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0539
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0539
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020415 Demarc PureSecure 1.05 may be other (user can bypass login)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0168.html
Reference: BUGTRAQ:20020417 Demarc Security Update Advisory
Reference: URL:http://online.securityfocus.com/archive/1/267941
Reference: XF:puresecure-sql-injection(8854)
Reference: URL:http://www.iss.net/security_center/static/8854.php
Reference: BID:4520
Reference: URL:http://www.securityfocus.com/bid/4520
Demarc PureSecure 1.05 allows remote attackers to gain administrative
privileges via a SQL injection attack in a session ID that is stored
in the s_key cookie.
Analysis
--------
Vendor Acknowledgement: yes followup
INFERRED ACTION: CAN-2002-0539 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0542
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0542
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020411 local root compromise in openbsd 3.0 and below
Reference: URL:http://online.securityfocus.com/archive/1/267089
Reference: BUGTRAQ:20020411 OpenBSD Local Root Compromise
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101855467811695&w=2
Reference: CONFIRM:http://www.openbsd.org/errata30.html#mail
Reference: XF:openbsd-mail-root-privileges(8818)
Reference: URL:http://www.iss.net/security_center/static/8818.php
Reference: BID:4495
Reference: URL:http://www.securityfocus.com/bid/4495
mail in OpenBSD 2.9 and 3.0 processes a tilde (~) escape character in
a message even when it is not in interactive mode, which could allow
local users to gain root privileges via calls to mail in cron.
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0542 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0543
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0543
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020409 Abyss Webserver 1.0 Administration password file retrieval exploit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0110.html
Reference: CONFIRM:http://www.aprelium.com/forum/viewtopic.php?t=24
Reference: BID:4466
Reference: URL:http://www.securityfocus.com/bid/4466
Reference: XF:abyss-unicode-directory-traversal(8805)
Reference: URL:http://www.iss.net/security_center/static/8805.php
Directory traversal vulnerability in Aprelium Abyss Web Server
(abyssws) before 1.0.0.2 allows remote attackers to read files outside
the web root, including the abyss.conf file, via URL-encoded .. (dot
dot) sequences in the HTTP request.
Analysis
--------
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: a posting to a vendor forum titled "Patched release
1.0.0.2" and dated 20020408 says that the patch is "against some form
of dot-dot URLs referring to an aliased directory and that can allow
people to read abyss.conf file."
INFERRED ACTION: CAN-2002-0543 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0545
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0545
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CISCO:20020409 Aironet Telnet Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/Aironet-Telnet.shtml
Reference: BID:4461
Reference: URL:http://www.securityfocus.com/bid/4461
Reference: XF:cisco-aironet-telnet-dos(8788)
Reference: URL:http://www.iss.net/security_center/static/8788.php
Cisco Aironet before 11.21 with Telnet enabled allows remote attackers
to cause a denial of service (reboot) via a series of login attempts
with invalid usernames and passwords.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0545 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0553
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0553
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020413 SunSop: cross-site-scripting bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0154.html
Reference: XF:sunshop-new-cust-css(8840)
Reference: URL:http://www.iss.net/security_center/static/8840.php
Reference: BID:4506
Reference: URL:http://www.securityfocus.com/bid/4506
Cross-site scripting vulnerability in SunShop 2.5 and earlier allows
remote attackers to gain administrative privileges to SunShop by
injecting the script into fields during new customer registration.
Analysis
--------
Vendor Acknowledgement: yes via-email
ACKNOWLEDGEMENT: An e-mail inquiry was sent to support@turnkeywebtools.com
on June 3, 2002. A response was sent within an hour, saying "a patch
was released before that vulnerability was released. If you upgrade
to 2.6 you will have no worries."
INFERRED ACTION: CAN-2002-0553 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0567
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0567
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Remote Compromise in Oracle 9i Database Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301332402079&w=2
Reference: CERT-VN:VU#180147
Reference: URL:http://www.kb.cert.org/vuls/id/180147
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf
Reference: BID:4033
Reference: URL:http://www.securityfocus.com/bid/4033
Reference: XF:oracle-plsql-remote-access(8089)
Reference: URL:http://xforce.iss.net/static/8089.php
Oracle 8i and 9i with PL/SQL package for External Procedures (EXTPROC)
allows remote attackers to bypass authentication and execute arbitrary
functions by using the TNS Listener to directly connect to the EXTPROC
process.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0567 ACCEPT (5 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Frech, Wall, Cole, Alderson
NOOP(2) Cox, Foat
======================================================
Candidate: CAN-2002-0569
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0569
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: CERT-VN:VU#977251
Reference: URL:http://www.kb.cert.org/vuls/id/977251
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: BID:4298
Reference: URL:http://www.securityfocus.com/bid/4298
Reference: XF:oracle-appserver-config-file-access(8453)
Reference: URL:http://www.iss.net/security_center/static/8453.php
Oracle 9i Application Server allows remote attackers to bypass access
restrictions for configuration files via a direct request to the XSQL
Servlet (XSQLServlet).
Modifications:
ADDREF XF:oracle-appserver-config-file-access(8453)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0569 ACCEPT (5 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Cole, Alderson
MODIFY(1) Frech
NOOP(2) Cox, Foat
Voter Comments:
Frech> XF:oracle-appserver-config-file-access(8453)
======================================================
Candidate: CAN-2002-0571
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0571
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020416 ansi outer join syntax in Oracle allows access to any data
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0175.html
Reference: CIAC:M-071
Reference: URL:http://www.ciac.org/ciac/bulletins/m-071.shtml
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/sql_joins_alert.pdf
Reference: XF:oracle-ansi-sql-bypass-acl(8855)
Reference: URL:http://www.iss.net/security_center/static/8855.php
Reference: BID:4523
Reference: URL:http://www.securityfocus.com/bid/4523
Oracle Oracle9i database server 9.0.1.x allows local users to access
restricted data via a SQL query using ANSI outer join syntax.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0571 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Wall, Cole
NOOP(2) Cox, Foat
======================================================
Candidate: CAN-2002-0573
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0573
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020430 Adivosry + Exploit for Remote Root Hole in Default Installation of Popular Commercial Operating System
Reference: URL:http://online.securityfocus.com/archive/1/270268
Reference: VULNWATCH:20020430 [VulnWatch] Adivosry + Exploit for Remote Root Hole in Default Installation of Popular Commercial Operating System
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0049.html
Reference: CERT:CA-2002-10
Reference: URL:http://www.cert.org/advisories/CA-2002-10.html
Reference: CERT-VN:VU#638099
Reference: URL:http://www.kb.cert.org/vuls/id/638099
Reference: XF:solaris-rwall-format-string(8971)
Reference: URL:http://www.iss.net/security_center/static/8971.php
Reference: BID:4639
Reference: URL:http://www.securityfocus.com/bid/4639
Format string vulnerability in RPC wall daemon (rpc.rwalld) for
Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary
code via format strings in a message that is not properly provided to
the syslog function when the wall command cannot be executed.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0573 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Foat, Cole
NOOP(2) Cox, Wall
======================================================
Candidate: CAN-2002-0574
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0574
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:21
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:21.tcpip.asc
Reference: BID:4539
Reference: URL:http://www.securityfocus.com/bid/4539
Reference: XF:freebsd-icmp-echo-reply-dos(8893)
Reference: URL:http://www.iss.net/security_center/static/8893.php
Memory leak in FreeBSD 4.5 and earlier allows remote attackers to
cause a denial of service (memory exhaustion) via ICMP echo packets
that trigger a bug in ip_output() in which the reference count for a
routing table entry is not decremented, which prevents the entry from
being removed.
Modifications:
ADDREF XF:freebsd-icmp-echo-reply-dos(8893)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0574 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(3) Cox, Wall, Foat
Voter Comments:
Frech> XF:freebsd-icmp-echo-reply-dos(8893)
======================================================
Candidate: CAN-2002-0575
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0575
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020426 Revised OpenSSH Security Advisory (adv.token)
Reference: URL:http://online.securityfocus.com/archive/1/269701
Reference: BUGTRAQ:20020419 OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
Reference: URL:http://online.securityfocus.com/archive/1/268718
Reference: VULN-DEV:20020419 OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101924296115863&w=2
Reference: BUGTRAQ:20020517 OpenSSH 3.2.2 released (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102167972421837&w=2
Reference: BUGTRAQ:20020429 TSLSA-2002-0047 - openssh
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0394.html
Reference: BUGTRAQ:20020420 OpenSSH Security Advisory (adv.token)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0298.html
Reference: CALDERA:CSSA-2002-022.2
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-022.2.txt
Reference: BID:4560
Reference: URL:http://www.securityfocus.com/bid/4560
Reference: XF:openssh-sshd-kerberos-bo(8896)
Reference: URL:http://www.iss.net/security_center/static/8896.php
Buffer overflow in OpenSSH before 2.9.9, and 3.x before 3.2.1, with
Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
enabled, allows remote and local authenticated users to gain
privileges.
Modifications:
ADDREF BUGTRAQ:20020419 OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
ADDREF VULN-DEV:20020419 OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
ADDREF BUGTRAQ:20020517 OpenSSH 3.2.2 released (fwd)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0575 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Cox, Cole
NOOP(3) Christey, Wall, Foat
Voter Comments:
Christey> BUGTRAQ:20020419 OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
URL:http://online.securityfocus.com/archive/1/268718
VULN-DEV:20020419 OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101924296115863&w=2
BUGTRAQ:20020517 OpenSSH 3.2.2 released (fwd)
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102167972421837&w=2
======================================================
Candidate: CAN-2002-0576
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0576
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020418 KPMG-2002013: Coldfusion Path Disclosure
Reference: URL:http://online.securityfocus.com/archive/1/268263
Reference: VULNWATCH:20020418 [VulnWatch] KPMG-2002013: Coldfusion Path Disclosure
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0028.html
Reference: CONFIRM:http://www.macromedia.com/v1/handlers/index.cfm?ID=22906
Reference: BID:4542
Reference: URL:http://www.securityfocus.com/bid/4542
Reference: XF:coldfusion-dos-device-path-disclosure(8866)
Reference: URL:http://www.iss.net/security_center/static/8866.php
ColdFusion 5.0 and earlier on Windows systems allows remote attackers
to determine the absolute pathname of .cfm or .dbm files via an HTTP
request that contains an MS-DOS device name such as NUL, which leaks
the pathname in an error message.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0576 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Wall, Cole
NOOP(2) Cox, Foat
======================================================
Candidate: CAN-2002-0594
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0594
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020430 RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
Reference: URL:http://online.securityfocus.com/archive/1/270249
Reference: CONECTIVA:CLA-2002:490
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000490
Reference: BID:4640
Reference: URL:http://www.securityfocus.com/bid/4640
Reference: XF:mozilla-css-files-exist(8977)
Reference: URL:http://www.iss.net/security_center/static/8977.php
Netscape 6 and Mozilla 1.0 RC1 and earlier allows remote attackers to
determine the existence of files on the client system via a LINK
element in a Cascading Style Sheet (CSS) page that causes an HTTP
redirect.
Modifications:
ADDREF XF:mozilla-css-files-exist(8977)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0594 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cox, Cole
MODIFY(1) Frech
NOOP(2) Wall, Foat
Voter Comments:
Frech> XF:mozilla-css-files-exist(8977)
CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
======================================================
Candidate: CAN-2002-0597
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0597
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020417 KPMG-2002011: Windows 2000 microsoft-ds Denial of Service
Reference: URL:http://online.securityfocus.com/archive/1/268066
Reference: VULNWATCH:20020417 [VulnWatch] KPMG-2002011: Windows 2000 microsoft-ds Denial of Service
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0025.html
Reference: MSKB:Q320751
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q320751
Reference: XF:win2k-lanman-dos(8867)
Reference: URL:http://www.iss.net/security_center/static/8867.php
Reference: BID:4532
Reference: URL:http://www.securityfocus.com/bid/4532
LANMAN service on Microsoft Windows 2000 allows remote attackers to
cause a denial of service (CPU/memory exhaustion) via a stream of
malformed data to microsoft-ds port 445.
Modifications:
ADDREF MSKB:Q320751
Analysis
--------
Vendor Acknowledgement: yes patch
ACKNOWLEDGEMENT: a number of data sources suggest that KB article
Q320751 addresses this issue, and Q320751 specifically credits KPMG
for the discovery.
INFERRED ACTION: CAN-2002-0597 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Foat, Cole
NOOP(2) Cox, Wall
======================================================
Candidate: CAN-2002-0598
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0598
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020419 KPMG-2002014: Foundstone Fscan Format String Bug
Reference: URL:http://online.securityfocus.com/archive/1/268581
Reference: VULNWATCH:20020419 [VulnWatch] KPMG-2002014: Foundstone Fscan Format String Bug
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0030.html
Reference: CONFIRM:http://www.foundstone.com/knowledge/fscan112_advisory.html
Reference: XF:fscan-banner-format-string(8895)
Reference: URL:http://www.iss.net/security_center/static/8895.php
Reference: BID:4549
Reference: URL:http://www.securityfocus.com/bid/4549
Format string vulnerability in Foundstone FScan 1.12 with banner
grabbing enabled allows remote attackers to execute arbitrary code on
the scanning system via format string specifiers in the server banner.
Analysis
--------
Vendor Acknowledgement: yes advisory
ACKNOWLEDGEMENT: in an advisory dated April 24, 2002, Foundstone
states "Using FScan with banner selected via the -b command line
switch could cause a problem if the banner received from the remote
host contained C-style printf format specifiers e.g. percent symbols
that matched string or numeric format specifiers."
INFERRED ACTION: CAN-2002-0598 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Foat, Cole
NOOP(2) Cox, Wall
======================================================
Candidate: CAN-2002-0599
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0599
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020428 Blahz-DNS: Authentication bypass vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0395.html
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=87004
Reference: BID:4618
Reference: URL:http://www.securityfocus.com/bid/4618
Reference: XF:blahzdns-auth-bypass(8951)
Reference: URL:http://www.iss.net/security_center/static/8951.php
Blahz-DNS 0.2 and earlier allows remote attackers to bypass
authentication and modify configuration by directly requesting CGI
programs such as dostuff.php instead of going through the login
screen.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the fix for 0.25 says "Fixed the ability to bypass
login security by sending commands directly to the backend php files."
INFERRED ACTION: CAN-2002-0599 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Foat, Cole
NOOP(2) Cox, Wall
======================================================
Candidate: CAN-2002-0601
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0601
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: ISS:20020430 Remote Denial of Service Vulnerability in RealSecure Network Sensor
Reference: URL:http://www.iss.net/security_center/alerts/advise116.php
Reference: BUGTRAQ:20020430 ISS Advisory: Remote Denial of Service Vulnerability in RealSecure Network Sensor
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0420.html
Reference: XF:rs-ns-dhcp-dos(8961)
Reference: URL:http://www.iss.net/security_center/static/8961.php
Reference: BID:4649
Reference: URL:http://www.securityfocus.com/bid/4649
ISS RealSecure Network Sensor 5.x through 6.5 allows remote attackers
to cause a denial of service (crash) via malformed DHCP packets that
cause RealSecure to dereference a null pointer.
Modifications:
ADDREF XF:rs-ns-dhcp-dos(8961)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0601 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Wall, Cole
MODIFY(1) Frech
NOOP(2) Cox, Foat
Voter Comments:
Frech> XF:rs-ns-dhcp-dos(8961)
======================================================
Candidate: CAN-2002-0605
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0605
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020503 Macromedia Flash Activex Buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102039374017185&w=2
Reference: VULN-DEV:20020503 Macromedia Flash Activex Buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102038919414726&w=2
Reference: VULNWATCH:20020502 [VulnWatch] Macromedia Flash Activex Buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0051.html
Reference: NTBUGTRAQ:20020503 Macromedia Flash Activex Buffer overflow
Reference: CONFIRM:http://www.macromedia.com/support/flash/ts/documents/buf_ovflow_623.htm
Reference: XF:flash-activex-movie-bo(8993)
Reference: URL:http://www.iss.net/security_center/static/8993.php
Reference: BID:4664
Reference: URL:http://online.securityfocus.com/bid/4664
Buffer overflow in Flash OCX for Macromedia Flash 6 revision 23
(6,0,23,0) allows remote attackers to execute arbitrary code via a
long movie parameter.
Analysis
--------
Vendor Acknowledgement: yes advisory
ACKNOWLEDGEMENT: in an online advisory dated May 6, 2002, Macromedia
states "Macromedia has verified a vulnerability in the parameter
handling of the Macromedia Flash Player ActiveX control, version
6,0,23,0" and includes a reference to the discloser's original
advisory.
INFERRED ACTION: CAN-2002-0605 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Frech, Wall, Cole, Armstrong
NOOP(2) Cox, Foat
======================================================
Candidate: CAN-2002-0613
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0613
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020428 dnstools: authentication bypass vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0390.html
Reference: CONFIRM:http://www.dnstools.com/dnstools_2.0.1.tar.gz
Reference: BID:4617
Reference: URL:http://www.securityfocus.com/bid/4617
Reference: XF:dnstools-auth-bypass(8948)
Reference: URL:http://www.iss.net/security_center/static/8948.php
dnstools.php for DNSTools 2.0 beta 4 and earlier allows remote
attackers to bypass authentication and gain privileges by setting the
user_logged_in or user_dnstools_administrator parameters.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the changelog.txt for Release 2.0 Beta 5 includes an
entry dated 2002-04-27 which states: "Fixed major security hole in URL
spoofing. No longer trusts the variables $is_logged_in or
$user_dnstools_administrator."
INFERRED ACTION: CAN-2002-0613 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Foat, Cole
NOOP(2) Cox, Wall
======================================================
Candidate: CAN-2002-0616
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0616
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020612
Category: SF
Reference: MS:MS02-031
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-031.asp
Reference: XF:excel-inline-macro-execution(9397)
Reference: URL:http://www.iss.net/security_center/static/9397.php
Reference: BID:5063
Reference: URL:http://www.securityfocus.com/bid/5063
The Macro Security Model in Microsoft Excel 2000 and 2002 for Windows
allows remote attackers to execute code by attaching an inline macro
to an object within an Excel workbook, aka the "Excel Inline Macros
Vulnerability."
Modifications:
ADDREF XF:excel-inline-macro-execution(9397)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0616 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Foat, Cole
NOOP(1) Cox
======================================================
Candidate: CAN-2002-0617
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0617
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020612
Category: SF
Reference: MS:MS02-031
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-031.asp
The Macro Security Model in Microsoft Excel 2000 and 2002 for Windows
allows remote attackers to execute code by creating a hyperlink on a
drawing shape in a source workbook that points to a destination
workbook containing an autoexecute macro, aka "Hyperlinked Excel
Workbook Macro Bypass."
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0617 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Foat, Cole
NOOP(1) Cox
======================================================
Candidate: CAN-2002-0618
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0618
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020612
Category: SF
Reference: NTBUGTRAQ:20020524 Excel XP xml stylesheet problems
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=102256054320377&w=2
Reference: MISC:http://www.guninski.com/ex$el2.html
Reference: MS:MS02-031
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-031.asp
Reference: BID:4821
Reference: URL:http://online.securityfocus.com/bid/4821
Reference: XF:excel-xsl-script-execution(9399)
Reference: URL:http://www.iss.net/security_center/static/9399.php
The Macro Security Model in Microsoft Excel 2000 and 2002 for Windows
allows remote attackers to execute code in the Local Computer zone by
embedding HTML scripts within an Excel workbook that contains an XSL
stylesheet, aka "Excel XSL Stylesheet Script Execution".
Modifications:
ADDREF XF:excel-xsl-script-execution(9399)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0618 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Foat, Cole
NOOP(1) Cox
======================================================
Candidate: CAN-2002-0619
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0619
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020612
Category: SF
Reference: BUGTRAQ:20020514 dH team & SECURITY.NNOV: A variant of "Word Mail Merge" vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102139136019862&w=2
Reference: MS:MS02-031
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-031.asp
Reference: XF:word-mail-merge-variant(9077)
Reference: URL:http://www.iss.net/security_center/static/9077.php
Reference: BID:5066
Reference: URL:http://www.securityfocus.com/bid/5066
The Mail Merge Tool in Microsoft Word 2002 for Windows, when Microsoft
Access is present on a system, allows remote attackers to execute
Visual Basic (VBA) scripts within a mail merge document that is saved
in HTML format, aka a "Variant of MS00-071, Word Mail Merge
Vulnerability" (CVE-2000-0788).
Modifications:
DESC rephrase
ADDREF XF:word-mail-merge-variant(9077)
ADDREF BID:5066
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0619 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Wall, Cole
MODIFY(1) Foat
NOOP(2) Christey, Cox
Voter Comments:
Foat> The candidate is technically correct, but the wording is not
grammatically correct. Suggest the following: An attacker's macro code can be
run automatically if the user has Microsoft Access present on the system and
chooses to open a mail merge document that had been saved in HTML format, aka a
"Variant of MS00-071, Word Mail Merge Vulnerability" (CVE-2000-0788).
Christey> desc: missing "*WHEN* access is present..."
======================================================
Candidate: CAN-2002-0621
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0621
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020612
Category: SF
Reference: BUGTRAQ:20020703 Remotely Exploitable Buffer Overruns in Microsoft's Commerce Server 2000/2 (#NISRNISR03062002)
Reference: MS:MS02-033
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-033.asp
Reference: XF:mscs-owc-installer-bo(9424)
Reference: URL:http://www.iss.net/security_center/static/9424.php
Reference: BID:5108
Reference: URL:http://www.securityfocus.com/bid/5108
Buffer overflow in the Office Web Components (OWC) package installer
used by Microsoft Commerce Server 2000 allows remote attackers to
cause the process to fail or run arbitrary code in the LocalSystem
security context via certain input to the OWC package installer.
Modifications:
DESC fix typos
ADDREF XF:mscs-owc-installer-bo(9424)
ADDREF BID:5108
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0621 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Foat, Cole
NOOP(2) Christey, Cox
Voter Comments:
Christey> XF:mscs-owc-installer-bo(9424)
URL:http://www.iss.net/security_center/static/9424.php
BID:5108
URL:http://www.securityfocus.com/bid/5108
Christey> "arbitray"? "by via"?
======================================================
Candidate: CAN-2002-0622
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0622
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020612
Category: SF
Reference: BUGTRAQ:20020703 Remotely Exploitable Buffer Overruns in Microsoft's Commerce Server 2000/2 (#NISRNISR03062002)
Reference: MS:MS02-033
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-033.asp
Reference: XF:mscs-owc-installer-permissions(9425)
Reference: URL:http://www.iss.net/security_center/static/9425.php
Reference: BID:5111
Reference: URL:http://www.securityfocus.com/bid/5111
The Office Web Components (OWC) package installer for Microsoft
Commerce Server 2000 allows remote attackers to execute commands by
passing the commands as input to the OWC package installer, aka "OWC
Package Command Execution".
Modifications:
ADDREF XF:mscs-owc-installer-permissions(9425)
ADDREF BID:5111
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0622 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Foat, Cole
NOOP(2) Christey, Cox
Voter Comments:
Christey> XF:mscs-owc-installer-permissions(9425)
URL:http://www.iss.net/security_center/static/9425.php
BID:5111
URL:http://www.securityfocus.com/bid/5111
======================================================
Candidate: CAN-2002-0623
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0623
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020612
Category: SF
Reference: MS:MS02-033
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-033.asp
Reference: BID:5112
Reference: URL:http://www.securityfocus.com/bid/5112
Reference: XF:mscs-authfilter-isapi-bo-variant(9426)
Reference: URL:http://www.iss.net/security_center/static/9426.php
Buffer overflow in AuthFilter ISAPI filter on Microsoft Commerce
Server 2000 and 2002 allows remote attackers to execute arbitrary code
via long authentication data, aka "New Variant of the ISAPI Filter
Buffer Overrun".
Modifications:
ADDREF BID:5112
ADDREF XF:mscs-authfilter-isapi-bo-variant(9426)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0623 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Foat, Cole
NOOP(2) Christey, Cox
Voter Comments:
Christey> BID:5112
URL:http://www.securityfocus.com/bid/5112
XF:mscs-authfilter-isapi-bo-variant(9426)
URL:http://www.iss.net/security_center/static/9426.php
======================================================
Candidate: CAN-2002-0631
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0631
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020621
Category: SF
Reference: SGI:20020607-02-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020607-02-I
Reference: BID:5092
Reference: URL:http://www.securityfocus.com/bid/5092
Reference: XF:irix-nveventd-file-write(9418)
Reference: URL:http://www.iss.net/security_center/static/9418.php
Unknown vulnerability in nveventd in NetVisualyzer on SGI IRIX 6.5
through 6.5.16 allows local users to write arbitrary files and gain
root privileges.
Modifications:
DESC fix typo
ADDREF BID:5092
ADDREF XF:irix-nveventd-file-write(9418)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0631 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> fix typo: "root root"
BID:5092
URL:http://www.securityfocus.com/bid/5092
XF:irix-nveventd-file-write(9418)
URL:http://www.iss.net/security_center/static/9418.php
======================================================
Candidate: CAN-2002-0638
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0638
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020830
Assigned: 20020627
Category: SF
Reference: VULNWATCH:20020729 [VulnWatch] RAZOR advisory: Linux util-linux chfn local root vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0357.html
Reference: BUGTRAQ:20020729 RAZOR advisory: Linux util-linux chfn local root vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102795787713996&w=2
Reference: CERT-VN:VU#405955
Reference: URL:http://www.kb.cert.org/vuls/id/405955
Reference: REDHAT:RHSA-2002:132
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-132.html
Reference: REDHAT:RHSA-2002:137
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-137.html
Reference: CONECTIVA:CLA-2002:523
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000523
Reference: CALDERA:CSSA-2002-043.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-043.0.txt
Reference: MANDRAKE:MDKSA-2002:047
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-047.php
Reference: BUGTRAQ:20020730 TSLSA-2002-0064 - util-linux
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0396.html
Reference: HP:HPSBTL0207-054
Reference: URL:http://online.securityfocus.com/advisories/4320
Reference: XF:utillinux-chfn-race-condition(9709)
Reference: URL:http://www.iss.net/security_center/static/9709.php
Reference: BID:5344
Reference: URL:http://www.securityfocus.com/bid/5344
setpwnam.c in the util-linux package, as included in Red Hat Linux 7.3
and earlier, and other operating systems, does not properly lock a
temporary file when modifying /etc/passwd, which may allow local users
to gain privileges via a complex race condition that uses an open file
descriptor in utility programs such as chfn and chsh.
Modifications:
ADDREF REDHAT:RHSA-2002:137
ADDREF CONECTIVA:CLA-2002:523
ADDREF CALDERA:CSSA-2002-043.0
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0638 ACCEPT (5 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Foat, Cole
MODIFY(1) Cox
NOOP(1) Christey
Voter Comments:
Cox> ADDREF:RHSA-2002:137
Christey> CONECTIVA:CLA-2002:523
Christey> CALDERA:CSSA-2002-043.0
======================================================
Candidate: CAN-2002-0639
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0639
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-02
Proposed: 20020726
Assigned: 20020628
Category: SF
Reference: ISS:20020626 OpenSSH Remote Challenge Vulnerability
Reference: BUGTRAQ:20020626 OpenSSH Security Advisory (adv.iss)
Reference: BUGTRAQ:20020626 Revised OpenSSH Security Advisory (adv.iss)
Reference: BUGTRAQ:20020627 How to reproduce OpenSSH Overflow.
Reference: NETBSD:2002-005
Reference: CERT-VN:VU#369347
Reference: CERT:CA-2002-18
Reference: HP:HPSBUX0206-195
Reference: CALDERA:CSSA-2002-030.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txt
Reference: BUGTRAQ:20020626 [OpenPKG-SA-2002.005] OpenPKG Security Advisory (openssh)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0335.html
Reference: CONECTIVA:CLA-2002:502
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502
Reference: ENGARDE:ESA-20020702-016
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-2177.html
Reference: MANDRAKE:MDKSA-2002:040
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:040
Reference: BID:5093
Reference: XF:openssh-challenge-response-bo(9169)
Reference: URL:http://www.iss.net/security_center/static/9169.php
Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote
attackers to execute arbitrary code during challenge response
authentication (ChallengeResponseAuthentication) when OpenSSH is using
SKEY or BSD_AUTH authentication.
Modifications:
ADDREF CALDERA:CSSA-2002-030.0
ADDREF BUGTRAQ:20020626 [OpenPKG-SA-2002.005] OpenPKG Security Advisory (openssh)
ADDREF CONECTIVA:CLA-2002:502
ADDREF ENGARDE:ESA-20020702-016
ADDREF MANDRAKE:MDKSA-2002:040
ADDREF XF:openssh-challenge-response-bo(9169)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0639 ACCEPT (4 accept, 6 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Cox, Foat, Cole
NOOP(2) Christey, Wall
Voter Comments:
Christey> CALDERA:CSSA-2002-030.0
URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txt
BUGTRAQ:20020626 [OpenPKG-SA-2002.005] OpenPKG Security Advisory (openssh)
URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0335.html
CONECTIVA:CLA-2002:502
URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502
ENGARDE:ESA-20020702-016
URL:http://www.linuxsecurity.com/advisories/other_advisory-2177.html
Christey> MANDRAKE:MDKSA-2002:040
======================================================
Candidate: CAN-2002-0640
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0640
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-02
Proposed: 20020726
Assigned: 20020628
Category: SF
Reference: BUGTRAQ:20020626 Revised OpenSSH Security Advisory (adv.iss)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102514631524575&w=2
Reference: BUGTRAQ:20020626 OpenSSH Security Advisory (adv.iss)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102514371522793&w=2
Reference: BUGTRAQ:20020627 How to reproduce OpenSSH Overflow.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102521542826833&w=2
Reference: BUGTRAQ:20020628 Sun statement on the OpenSSH Remote Challenge Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102532054613894&w=2
Reference: CERT-VN:VU#369347
Reference: URL:http://www.kb.cert.org/vuls/id/369347
Reference: CERT:CA-2002-18
Reference: URL:http://www.cert.org/advisories/CA-2002-18.html
Reference: DEBIAN:DSA-134
Reference: URL:http://www.debian.org/security/2002/dsa-134
Reference: HP:HPSBUX0206-195
Reference: BID:5093
Reference: URL:http://www.securityfocus.com/bid/5093
Reference: REDHAT:RHSA-2002:131
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-131.html
Reference: CALDERA:CSSA-2002-030.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txt
Reference: CONECTIVA:CLA-2002:502
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502
Reference: ENGARDE:ESA-20020702-016
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-2177.html
Reference: MANDRAKE:MDKSA-2002:040
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:040
Reference: SUSE:SuSE-SA:2002:024
Reference: URL:http://www.suse.de/de/security/2002_024_openssh_txt.html
Reference: REDHAT:RHSA-2002:127
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-127.html
Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote
attackers to execute arbitrary code via a large number of responses
during challenge response authentication when OpenBSD is using PAM
modules with interactive keyboard authentication
(PAMAuthenticationViaKbdInt).
Modifications:
ADDREF REDHAT:RHSA-2002:131
ADDREF CALDERA:CSSA-2002-030.0
ADDREF CONECTIVA:CLA-2002:502
ADDREF ENGARDE:ESA-20020702-016
ADDREF SUSE:SuSE-SA:2002:024
ADDREF REDHAT:RHSA-2002:127
ADDREF MANDRAKE:MDKSA-2002:040
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0640 ACCEPT (4 accept, 7 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Foat, Cole
MODIFY(1) Cox
NOOP(2) Christey, Wall
Voter Comments:
Cox> ADDREF:RHSA-2002:131
Christey> CALDERA:CSSA-2002-030.0
URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txt
CONECTIVA:CLA-2002:502
URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502
ENGARDE:ESA-20020702-016
URL:http://www.linuxsecurity.com/advisories/other_advisory-2177.html
SUSE:SuSE-SA:2002:024
URL:http://www.suse.de/de/security/2002_024_openssh_txt.html
REDHAT:RHSA-2002:127
URL:http://www.redhat.com/support/errata/RHSA-2002-127.html
Christey> MANDRAKE:MDKSA-2002:040
======================================================
Candidate: CAN-2002-0642
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0642
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020628
Category: CF
Reference: MS:MS02-034
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-034.asp
Reference: CERT:CA-2002-22
Reference: URL:http://www.cert.org/advisories/CA-2002-22.html
Reference: CERT-VN:VU#796313
Reference: URL:http://www.kb.cert.org/vuls/id/796313
Reference: XF:mssql-registry-insecure-permissions(9523)
Reference: URL:http://www.iss.net/security_center/static/9523.php
Reference: BID:5205
Reference: URL:http://www.securityfocus.com/bid/5205
The registry key containing the SQL Server service account information
in Microsoft SQL Server 2000, including Microsoft SQL Server Desktop
Engine (MSDE) 2000, has insecure permissions, which allows local users
to gain privileges, aka "Incorrect Permission on SQL Server Service
Account Registry Key."
Modifications:
ADDREF XF:mssql-registry-insecure-permissions(9523)
ADDREF BID:5205
ADDREF CERT:CA-2002-22
ADDREF CERT-VN:VU#796313
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0642 ACCEPT (6 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
MODIFY(1) Frech
NOOP(2) Christey, Cox
Voter Comments:
Christey> XF:mssql-registry-insecure-permissions(9523)
URL:http://www.iss.net/security_center/static/9523.php
BID:5205
URL:http://www.securityfocus.com/bid/5205
CERT:CA-2002-22
CERT-VN:VU#796313
Frech> XF:mssql-registry-insecure-permissions(9523)
======================================================
Candidate: CAN-2002-0647
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0647
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020830
Assigned: 20020628
Category: SF
Reference: MS:MS02-047
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-047.asp
Reference: XF:ms-legacytext-activex-bo(9935)
Reference: URL:http://www.iss.net/security_center/static/9935.php
Reference: BID:5558
Reference: URL:http://www.securityfocus.com/bid/5558
Buffer overflow in a legacy ActiveX control used to display specially
formatted text in Microsoft Internet Explorer 5.01, 5.5, and 6.0
allows remote attackers to execute arbitrary code, aka "Buffer Overrun
in Legacy Text Formatting ActiveX Control".
Modifications:
ADDREF XF:ms-legacytext-activex-bo(9935)
ADDREF BID:5558
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0647 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
NOOP(1) Cox
======================================================
Candidate: CAN-2002-0648
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0648
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020830
Assigned: 20020628
Category: SF
Reference: BUGTRAQ:20020823 Accessing remote/local content in IE (GM#009-IE)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103011639524314&w=2
Reference: MS:MS02-047
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-047.asp
Reference: XF:ie-xml-redirect-read-files(9936)
Reference: URL:http://www.iss.net/security_center/static/9936.php
Reference: BID:5560
Reference: URL:http://www.securityfocus.com/bid/5560
The legacy <script> data-island capability for XML in Microsoft
Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read
arbitrary XML files, and portions of other files, via a URL whose
"src" attribute redirects to a local file.
Modifications:
ADDREF XF:ie-xml-redirect-read-files(9936)
ADDREF BID:5560
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0648 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Cole, Armstrong
MODIFY(1) Foat
NOOP(1) Cox
Voter Comments:
Foat> The description varies somewhat from the detailed references provided.
The description indicates that this could lead to compromise of local files,
while the other references (including Microsoft) indicate the problem is broader
in scope. Suggest modifying the description to replace "redirects to a local
file" with "redirects to another domain".
======================================================
Candidate: CAN-2002-0650
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0650
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020628
Category: SF
Reference: BUGTRAQ:20020725 Microsoft SQL Server 2000 Unauthenticated System Compromise (#NISR25072002)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102760196931518&w=2
Reference: NTBUGTRAQ:20020725 Microsoft SQL Server 2000 Unauthenticated System Compromise (#NISR25072002)
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=102760479902411&w=2
Reference: MS:MS02-039
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-039.asp
Reference: XF:mssql-resolution-keepalive-dos(9662)
Reference: URL:http://www.iss.net/security_center/static/9662.php
Reference: BID:5312
Reference: URL:http://www.securityfocus.com/bid/5312
The keep-alive mechanism for Microsoft SQL Server 2000 allows remote
attackers to cause a denial of service (bandwidth consumption) via a
"ping" style packet to the Resolution Service (UDP port 1434) with a
spoofed IP address of another SQL Server system, which causes the two
servers to exchange packets in an infinite loop.
Modifications:
ADDREF XF:mssql-resolution-keepalive-dos(9662)
ADDREF BID:5312
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0650 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
MODIFY(1) Frech
NOOP(2) Christey, Cox
Voter Comments:
Christey> XF:mssql-resolution-keepalive-dos(9662)
URL:http://www.iss.net/security_center/static/9662.php
BID:5312
URL:http://www.securityfocus.com/bid/5312
Frech> XF:mssql-resolution-keepalive-dos(9662)
======================================================
Candidate: CAN-2002-0653
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020726
Assigned: 20020702
Category: SF
Reference: VULN-DEV:20020622 Another flaw in Apache?
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102477330617604&w=2
Reference: BUGTRAQ:20020624 Apache mod_ssl off-by-one vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102513970919836&w=2
Reference: REDHAT:RHSA-2002:134
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-134.html
Reference: CALDERA:CSSA-2002-031.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-031.0.txt
Reference: MANDRAKE:MDKSA-2002:048
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-048.php
Reference: DEBIAN:DSA-135
Reference: URL:http://www.debian.org/security/2002/dsa-135
Reference: ENGARDE:ESA-20020702-017
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102563469326072&w=2
Reference: SUSE:SuSE-SA:2002:028
Reference: URL:http://www.suse.de/de/security/2002_028_mod_ssl.html
Reference: CONECTIVA:CLA-2002:504
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000504
Reference: BUGTRAQ:20020628 TSL-2002-0058 - apache/mod_ssl
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0350.html
Reference: HP:HPSBTL0207-052
Reference: URL:http://archives.neohapsis.com/archives/hp/2002-q3/0018.html
Reference: BID:5084
Reference: URL:http://online.securityfocus.com/bid/5084
Reference: XF:apache-modssl-htaccess-bo(9415)
Reference: URL:http://www.iss.net/security_center/static/9415.php
Off-by-one buffer overflow in rewrite_command hook for mod_ssl Apache
module 2.8.9 and earlier allows local users to execute arbitrary code
as the Apache server user via .htaccess files with long entries.
Modifications:
ADDREF MANDRAKE:MDKSA-2002:048
ADDREF DEBIAN:DSA-135
ADDREF ENGARDE:ESA-20020702-017
ADDREF SUSE:SuSE-SA:2002:028
ADDREF CONECTIVA:CLA-2002:504
ADDREF BID:5084
ADDREF VULN-DEV:20020622 Another flaw in Apache?
ADDREF BUGTRAQ:20020628 TSL-2002-0058 - apache/mod_ssl
ADDREF XF:apache-modssl-htaccess-bo(9415)
ADDREF HP:HPSBTL0207-052
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0653 ACCEPT (3 accept, 5 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Wall, Cole
NOOP(3) Christey, Cox, Foat
Voter Comments:
Christey> MANDRAKE:MDKSA-2002:048
Christey> ADDREF DEBIAN:DSA-135
ADDREF ENGARDE:ESA-20020702-017
ADDREF SUSE:SuSE-SA:2002:028
Add details to desc.
ADDREF CONECTIVA:CLA-2002:504
ADDREF BID:5084
ADDREF VULN-DEV:20020622 Another flaw in Apache?
BUGTRAQ:20020628 TSL-2002-0058 - apache/mod_ssl
HP:HPSBTL0207-052
======================================================
Candidate: CAN-2002-0658
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0658
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020830
Assigned: 20020702
Category: SF
Reference: MANDRAKE:MDKSA-2002:045
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-045.php
Reference: REDHAT:RHSA-2002:153
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-153.html
Reference: REDHAT:RHSA-2002:154
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-154.html
Reference: REDHAT:RHSA-2002:156
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-156.html
Reference: REDHAT:RHSA-2002:164
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-164.html
Reference: CALDERA:CSSA-2002-032.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-032.0.txt
Reference: DEBIAN:DSA-137
Reference: URL:http://www.debian.org/security/2002/dsa-137
Reference: BUGTRAQ:20020730 [OpenPKG-SA-2002.007] OpenPKG Security Advisory (mm)
Reference: HP:HPSBTL0208-056
Reference: URL:http://online.securityfocus.com/advisories/4392
Reference: FREEBSD:FreeBSD-SN-02:05
Reference: URL:http://online.securityfocus.com/advisories/4431
Reference: SUSE:SuSE-SA:2002:028
Reference: URL:http://www.suse.com/de/security/2002_028_mod_ssl.html
Reference: XF:mm-tmpfile-symlink(9719)
Reference: URL:http://www.iss.net/security_center/static/9719.php
Reference: BID:5352
Reference: URL:http://online.securityfocus.com/bid/5352
OSSP mm library (libmm) before 1.2.0 allows the local Apache user to
gain privileges via temporary files, possibly via a symbolic link attack.
Modifications:
ADDREF REDHAT:RHSA-2002:156
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0658 ACCEPT (4 accept, 6 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Wall, Cole
MODIFY(1) Cox
NOOP(1) Foat
Voter Comments:
Cox> ADDREF:RHSA-2002:163 RHSA-2002:156 RHSA-2002:154
======================================================
Candidate: CAN-2002-0663
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0663
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020702
Category: SF
Reference: ATSTAKE:A071502-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a071502-1.txt
Reference: VULNWATCH:20020715 Re: [VulnWatch] Advisory Name: Norton Personal Internet Firewall HTTP Proxy Vulnerability
Reference: CONFIRM:http://securityresponse.symantec.com/avcenter/security/Content/2002.07.15.html
Reference: XF:norton-fw-http-bo(9579)
Reference: URL:http://www.iss.net/security_center/static/9579.php
Reference: BID:5237
Reference: URL:http://www.securityfocus.com/bid/5237
Buffer overflow in HTTP Proxy for Symantec Norton Personal Internet
Firewall 3.0.4.91 and Norton Internet Security 2001 allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via a large outgoing HTTP request.
Modifications:
ADDREF XF:norton-fw-http-bo(9579)
ADDREF BID:5237
ADDREF CONFIRM:http://securityresponse.symantec.com/avcenter/security/Content/2002.07.15.html
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0663 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Prosser, Baker, Cole, Armstrong
MODIFY(1) Frech
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> XF:norton-fw-http-bo(9579)
URL:http://www.iss.net/security_center/static/9579.php
BID:5237
URL:http://www.securityfocus.com/bid/5237
Baker> http://securityresponse.symantec.com/avcenter/security/Content/2002.07.15.html
Prosser> Validated with discovered and fixed by Symantec
http://securityresponse.symantec.com/avcenter/security/Content/2002.07.15.html
Frech> XF:norton-fw-http-bo(9579)
======================================================
Candidate: CAN-2002-0665
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0665
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020704
Category: SF
Reference: BUGTRAQ:20020628 wp-02-0009: Macromedia JRun Admin Server Authentication Bypass
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102529402127195&w=2
Reference: VULNWATCH:20020628 [VulnWatch] wp-02-0009: Macromedia JRun Admin Server Authentication Bypass
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0133.html
Reference: CONFIRM:http://www.macromedia.com/v1/handlers/index.cfm?ID=23164
Reference: XF:jrun-forwardslash-auth-bypass(9450)
Reference: URL:http://www.iss.net/security_center/static/9450.php
Reference: BID:5118
Reference: URL:http://www.securityfocus.com/bid/5118
Macromedia JRun Administration Server allows remote attackers to
bypass authentication on the login form via an extra slash (/) in the
URL.
Modifications:
ADDREF XF:jrun-forwardslash-auth-bypass(9450)
ADDREF BID:5118
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0665 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Wall, Cole
NOOP(3) Christey, Cox, Foat
Voter Comments:
Christey> XF:jrun-forwardslash-auth-bypass(9450)
URL:http://www.iss.net/security_center/static/9450.php
BID:5118
URL:http://www.securityfocus.com/bid/5118
======================================================
Candidate: CAN-2002-0671
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0671
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020709
Category: SF
Reference: ATSTAKE:A071202-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a071202-1.txt
Reference: CONFIRM:http://www.pingtel.com/PingtelAtStakeAdvisoryResponse.jsp
Reference: XF:pingtel-xpressa-dns-spoofing(9566)
Reference: URL:http://www.iss.net/security_center/static/9566.php
Reference: BID:5224
Reference: URL:http://www.securityfocus.com/bid/5224
Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4
downloads phone applications from a web site but cannot verify the
integrity of the applications, which could allow remote attackers to
install Trojan horse applications via DNS spoofing.
Modifications:
ADDREF XF:pingtel-xpressa-dns-spoofing(9566)
ADDREF BID:5224
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0671 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(5) Cox, Balinsky, Wall, Foat, Armstrong
Voter Comments:
Frech> XF:pingtel-xpressa-dns-spoofing(9566)
======================================================
Candidate: CAN-2002-0676
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0676
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020709
Category: SF
Reference: BUGTRAQ:20020706 MacOS X SoftwareUpdate Vulnerability
Reference: MISC:http://www.cunap.com/~hardingr/projects/osx/exploit.html
Reference: XF:macos-softwareupdate-no-auth(9502)
Reference: URL:http://www.iss.net/security_center/static/9502.php
Reference: BID:5176
Reference: URL:http://www.securityfocus.com/bid/5176
SoftwareUpdate for MacOS 10.1.x does not use authentication when
downloading a software update, which could allow remote attackers to
execute arbitrary code by posing as the Apple update server via
techniques such as DNS spoofing or cache poisoning, and supplying
Trojan Horse updates.
Modifications:
ADDREF XF:macos-softwareupdate-no-auth(9502)
ADDREF BID:5176
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0676 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Balinsky, Cole, Armstrong
MODIFY(1) Frech
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> XF:macos-softwareupdate-no-auth(9502)
URL:http://www.iss.net/security_center/static/9502.php
BID:5176
URL:http://www.securityfocus.com/bid/5176
Balinsky> Vendor addressed the vulnerable application. It isn't clear that this is the same problem, but it is likely.
http://docs.info.apple.com/article.html?artnum=75304
Frech> XF:macos-softwareupdate-no-auth(9502)
Christey> Since this CAN was reserved by Apple, I think we can safely
say that they've acknowledged the bug ;-)
======================================================
Candidate: CAN-2002-0678
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0678
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020709
Category: SF
Reference: BUGTRAQ:20020710 [CORE-20020528] Multiple vulnerabilities in ToolTalk Database server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102635906423617&w=2
Reference: CERT:CA-2002-20
Reference: URL:http://www.cert.org/advisories/CA-2002-20.html
Reference: CERT-VN:VU#299816
Reference: URL:http://www.kb.cert.org/vuls/id/299816
Reference: HP:HPSBUX0207-199
Reference: URL:http://archives.neohapsis.com/archives/hp/2002-q3/0011.html
Reference: AIXAPAR:IY32368
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q3/0002.html
Reference: AIXAPAR:IY32370
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q3/0002.html
Reference: CALDERA:CSSA-2002-SCO.28
Reference: URL:ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.28/CSSA-2002-SCO.28.txt
Reference: SGI:20021101-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20021101-01-P
Reference: XF:tooltalk-ttdbserverd-tttransaction-symlink(9527)
Reference: URL:http://www.iss.net/security_center/static/9527.php
Reference: BID:5083
Reference: URL:http://www.securityfocus.com/bid/5083
CDE ToolTalk database server (ttdbserver) allows local users to
overwrite arbitrary files via a symlink attack on the transaction log
file used by the _TT_TRANSACTION RPC procedure.
Modifications:
ADDREF XF:tooltalk-ttdbserverd-tttransaction-symlink(9527)
ADDREF BID:5083
ADDREF AIXAPAR:IY32368
ADDREF AIXAPAR:IY32370
ADDREF HP:HPSBUX0207-199
ADDREF SGI:20021101-01-P
Analysis
--------
Vendor Acknowledgement: yes advisory
MAPPING: while the HP advisory discusses "buffer overflows," it
specifically mentions CA-2002-20, and the text of the advisory is
included in vendor statements for the CERT-VU's for both ToolTalk
issues covered by CA-2002-20.
INFERRED ACTION: CAN-2002-0678 ACCEPT (5 accept, 6 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Cole, Armstrong
MODIFY(1) Frech
NOOP(3) Christey, Cox, Foat
Voter Comments:
Christey> XF:tooltalk-ttdbserverd-tttransaction-symlink(9527)
URL:http://www.iss.net/security_center/static/9527.php
BID:5083
URL:http://www.securityfocus.com/bid/5083
HP:HPSBUX0207-199
URL:http://archives.neohapsis.com/archives/hp/2002-q3/0011.html
Note: while the HP advisory discusses "buffer overflows,"
it specifically mentions CA-2002-20, and the text of the
advisory is included in vendor statements for the CERT-VU's for both
ToolTalk issues covered by CA-2002-20.
AIXAPAR:IY32368
URL:http://archives.neohapsis.com/archives/aix/2002-q3/0002.html
AIXAPAR:IY32370
URL:http://archives.neohapsis.com/archives/aix/2002-q3/0002.html
Christey> HP:HPSBUX0207-199
URL:http://online.securityfocus.com/advisories/4290
Christey> SGI:20021101-01-P
Frech> XF:tooltalk-ttdbserverd-tttransaction-symlink(9527)
======================================================
Candidate: CAN-2002-0679
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0679
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020709
Category: SF
Reference: BUGTRAQ:20020812 ENTERCEPT RICOCHET ADVISORY: Multi-Vendor CDE ToolTalk Database
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102917002523536&w=2
Reference: CERT:CA-2002-26
Reference: URL:http://www.cert.org/advisories/CA-2002-26.html
Reference: CERT-VN:VU#387387
Reference: URL:http://www.kb.cert.org/vuls/id/387387
Reference: CALDERA:CSSA-2002-SCO.28.1
Reference: COMPAQ:SSRT2274
Reference: AIXAPAR:IY32792
Reference: AIXAPAR:IY32793
Reference: HP:HPSBUX0207-199
Reference: URL:http://online.securityfocus.com/advisories/4290
Reference: CONFIRM:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F46366&zone_32=category%3Asecurity
Reference: XF:tooltalk-ttdbserverd-ttcreatefile-bo(9822)
Reference: URL:http://www.iss.net/security_center/static/9822.php
Reference: BID:5444
Reference: URL:http://www.securityfocus.com/bid/5444
Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC
database server (rpc.ttdbserverd) allows remote attackers to execute
arbitrary code via an argument to the _TT_CREATE_FILE procedure.
Modifications:
ADDREF XF:tooltalk-ttdbserverd-ttcreatefile-bo(9822)
ADDREF BID:5444
ADDREF HP:HPSBUX0207-199
ADDREF CONFIRM:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F46366&zone_32=category%3Asecurity
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0679 ACCEPT (3 accept, 7 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> XF:tooltalk-ttdbserverd-ttcreatefile-bo(9822)
URL:http://www.iss.net/security_center/static/9822.php
BID:5444
URL:http://www.securityfocus.com/bid/5444
HP:HPSBUX0207-199
URL:http://online.securityfocus.com/advisories/4290
CONFIRM:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F46366&zone_32=category%3Asecurity
======================================================
Candidate: CAN-2002-0685
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0685
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020711
Category: SF
Reference: BUGTRAQ:20020710 EEYE: Remote PGP Outlook Encryption Plug-in Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102634756815773&w=2
Reference: NTBUGTRAQ:20020710 EEYE: Remote PGP Outlook Encryption Plug-in Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=102639521518942&w=2
Reference: CONFIRM:http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.04/hotfix/ReadMe.txt
Reference: XF:pgp-outlook-heap-overflow(9525)
Reference: URL:http://www.iss.net/security_center/static/9525.php
Reference: BID:5202
Reference: URL:http://www.securityfocus.com/bid/5202
Heap-based buffer overflow in the message decoding functionality for
PGP Outlook Encryption Plug-In, as used in NAI PGP Desktop Security
7.0.4, Personal Security 7.0.3, and Freeware 7.0.3, allows remote
attackers to modify the heap and gain privileges via a large,
malformed mail message.
Modifications:
ADDREF XF:pgp-outlook-heap-overflow(9525)
ADDREF BID:5202
DESC Add "heap-based" to overflow term
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0685 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Cole, Armstrong
MODIFY(1) Frech
NOOP(3) Christey, Cox, Foat
Voter Comments:
Christey> XF:pgp-outlook-heap-overflow(9525)
URL:http://www.iss.net/security_center/static/9525.php
BID:5202
URL:http://www.securityfocus.com/bid/5202
Frech> XF:pgp-outlook-heap-overflow(9525)
======================================================
Candidate: CAN-2002-0687
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0687
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020712
Category: SF
Reference: CONFIRM:http://www.zope.org/Products/Zope/Hotfix_2002-04-15/security_alert
Reference: REDHAT:RHSA-2002:060
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-060.html
Reference: BID:5813
Reference: URL:http://www.securityfocus.com/bid/5813
Reference: XF:zope-inject-headers-dos(9621)
Reference: URL:http://www.iss.net/security_center/static/9621.php
The "through the web code" capability for Zope 2.0 through 2.5.1 b1
allows untrusted users to shut down the Zope server via certain
headers.
Modifications:
ADDREF REDHAT:RHSA-2002:060
ADDREF BID:5813
ADDREF XF:zope-inject-headers-dos(9621)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0687 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Cox, Cole, Armstrong
NOOP(3) Christey, Wall, Foat
Voter Comments:
Christey> REDHAT:RHSA-2002:060
URL:http://www.redhat.com/support/errata/RHSA-2002-060.html
BID:5813
URL:http://www.securityfocus.com/bid/5813
======================================================
Candidate: CAN-2002-0688
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0688
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020712
Category: SF
Reference: CONFIRM:http://www.zope.org/Products/Zope/Hotfix_2002-06-14/security_alert
Reference: REDHAT:RHSA-2002:060
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-060.html
Reference: BID:5812
Reference: URL:http://www.securityfocus.com/bid/5812
Reference: XF:zope-zcatalog-index-bypass(9610)
Reference: URL:http://www.iss.net/security_center/static/9610.php
ZCatalog plug-in index support capability for Zope 2.4.0 through 2.5.1
allows anonymous users and untrusted code to bypass access
restrictions and call arbitrary methods of catalog indexes.
Modifications:
ADDREF REDHAT:RHSA-2002:060
ADDREF BID:5812
ADDREF XF:zope-zcatalog-index-bypass(9610)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0688 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> REDHAT:RHSA-2002:060
URL:http://www.redhat.com/support/errata/RHSA-2002-060.html
BID:5812
URL:http://www.securityfocus.com/bid/5812
======================================================
Candidate: CAN-2002-0691
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0691
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020712
Category: SF
Reference: MS:MS02-047
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-047.asp
Reference: XF:ie-local-resource-xss(9938)
Reference: URL:http://www.iss.net/security_center/static/9938.php
Reference: BID:5561
Reference: URL:http://www.securityfocus.com/bid/5561
Microsoft Internet Explorer 5.01 and 5.5 allows remote attackers to
execute scripts in the Local Computer zone via a URL that references a
local HTML resource file, a variant of "Cross-Site Scripting in Local
HTML Resource" as identified by CAN-2002-0189.
Modifications:
ADDREF XF:ie-local-resource-xss(9938)
ADDREF BID:5561
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0691 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
NOOP(2) Christey, Cox
Voter Comments:
Christey> XF:ie-local-resource-xss(9938)
URL:http://www.iss.net/security_center/static/9938.php
BID:5561
URL:http://www.securityfocus.com/bid/5561
======================================================
Candidate: CAN-2002-0695
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0695
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020712
Category: SF
Reference: MS:MS02-040
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-040.asp
Reference: MISC:http://www.nextgenss.com/advisories/mssql-ors.txt
Reference: XF:mssql-mdac-openrowset-bo(9734)
Reference: URL:http://www.iss.net/security_center/static/9734.php
Reference: BID:5372
Reference: URL:http://online.securityfocus.com/bid/5372
Buffer overflow in the Transact-SQL (T-SQL) OpenRowSet component of
Microsoft Data Access Components (MDAC) 2.5 through 2.7 for SQL Server
7.0 or 2000 allows remote attackers to execute arbitrary code via a
query that calls the OpenRowSet command.
Modifications:
ADDREF XF:mssql-mdac-openrowset-bo(9734)
ADDREF MISC:http://www.nextgenss.com/advisories/mssql-ors.txt
ADDREF BID:5372
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0695 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Foat, Cole
NOOP(2) Christey, Cox
Voter Comments:
Christey> XF:mssql-mdac-openrowset-bo(9734)
URL:http://www.iss.net/security_center/static/9734.php
MISC:http://www.nextgenss.com/advisories/mssql-ors.txt
BID:5372
URL:http://online.securityfocus.com/bid/5372
======================================================
Candidate: CAN-2002-0697
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0697
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020712
Category: SF
Reference: MS:MS02-036
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-036.asp
Reference: XF:mms-data-repository-access(9657)
Reference: URL:http://www.iss.net/security_center/static/9657.php
Reference: BID:5308
Reference: URL:http://www.securityfocus.com/bid/5308
Microsoft Metadirectory Services (MMS) 2.2 allows remote attackers to
bypass authentication and modify sensitive data by using an LDAP
client to directly connect to MMS and bypass the checks for MMS
credentials.
Modifications:
ADDREF XF:mms-data-repository-access(9657)
ADDREF BID:5308
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0697 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Cole, Armstrong
MODIFY(1) Frech
NOOP(3) Christey, Cox, Foat
Voter Comments:
Christey> XF:mms-data-repository-access(9657)
URL:http://www.iss.net/security_center/static/9657.php
BID:5308
URL:http://www.securityfocus.com/bid/5308
CHANGE> [Armstrong changed vote from NOOP to ACCEPT]
Frech> XF:mms-data-repository-access(9657)
======================================================
Candidate: CAN-2002-0698
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0698
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020712
Category: SF
Reference: ISS:20020724 Remote Buffer Overflow Vulnerability in Microsoft Exchange Server
Reference: URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20759
Reference: MSKB:Q326322
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q326322
Reference: MS:MS02-037
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-037.asp
Reference: XF:exchange-imc-ehlo-bo(9658)
Reference: URL:http://www.iss.net/security_center/static/9658.php
Reference: BID:5306
Reference: URL:http://www.securityfocus.com/bid/5306
Buffer overflow in Internet Mail Connector (IMC) for Microsoft
Exchange Server 5.5 allows remote attackers to execute arbitrary code
via an EHLO request from a system with a long name as obtained through
a reverse DNS lookup, which triggers the overflow in IMC's hello
response.
Modifications:
ADDREF XF:exchange-imc-ehlo-bo(9658)
ADDREF BID:5306
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0698 ACCEPT (5 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
MODIFY(1) Frech
NOOP(2) Christey, Cox
Voter Comments:
Christey> XF:exchange-imc-ehlo-bo(9658)
URL:http://www.iss.net/security_center/static/9658.php
BID:5306
URL:http://www.securityfocus.com/bid/5306
Frech> XF:exchange-imc-ehlo-bo(9658)
======================================================
Candidate: CAN-2002-0700
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0700
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020712
Category: SF
Reference: MS:MS02-041
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-041.asp
Reference: XF:mcms-authentication-bo(9783)
Reference: URL:http://www.iss.net/security_center/static/9783.php
Reference: BID:5420
Reference: URL:http://www.securityfocus.com/bid/5420
Buffer overflow in a system function that performs user authentication
for Microsoft Content Management Server (MCMS) 2001 allows attackers
to execute code in the Local System context by authenticating to a web
page that calls the function, aka "Unchecked Buffer in MDAC Function
Could Enable SQL Server Compromise."
Modifications:
ADDREF XF:mcms-authentication-bo(9783)
ADDREF BID:5420
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0700 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
NOOP(2) Christey, Cox
Voter Comments:
Christey> XF:mcms-authentication-bo(9783)
URL:http://www.iss.net/security_center/static/9783.php
BID:5420
URL:http://www.securityfocus.com/bid/5420
======================================================
Candidate: CAN-2002-0701
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0701
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020712
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:30
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102650797504351&w=2
Reference: OPENBSD:20020627 009: SECURITY FIX: June 27, 2002
Reference: URL:http://www.openbsd.org/errata.html#ktrace
Reference: XF:openbsd-ktrace-gain-privileges(9474)
Reference: URL:http://www.iss.net/security_center/static/9474.php
Reference: BID:5133
Reference: URL:http://www.securityfocus.com/bid/5133
ktrace in BSD-based operating systems allows the owner of a process
with special privileges to trace the process after its privileges have
been lowered, which may allow the owner to obtain sensitive
information that the process obtained while it was running with the
extra privileges.
Modifications:
ADDREF XF:openbsd-ktrace-gain-privileges(9474)
ADDREF BID:5133
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0701 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> XF:openbsd-ktrace-gain-privileges(9474)
URL:http://www.iss.net/security_center/static/9474.php
BID:5133
URL:http://www.securityfocus.com/bid/5133
======================================================
Candidate: CAN-2002-0703
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0703
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020716
Category: SF
Reference: REDHAT:RHSA-2002:081
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-081.html
Reference: MANDRAKE:MDKSA-2002:035
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-035.php
Reference: XF:linux-utf8-incorrect-md5(9051)
Reference: URL:http://www.iss.net/security_center/static/9051.php
Reference: BID:4716
Reference: URL:http://www.securityfocus.com/bid/4716
An interaction between the Perl MD5 module (perl-Digest-MD5) and Perl
could produce incorrect MD5 checksums for UTF-8 data, which could
prevent a system from properly verifying the integrity of the data.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0703 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
NOOP(1) Foat
======================================================
Candidate: CAN-2002-0704
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0704
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020716
Category: SF
Reference: BUGTRAQ:20020508 [CARTSA-20020402] Linux Netfilter NAT/ICMP code information leak
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102088521517722&w=2
Reference: REDHAT:RHSA-2002:086
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-086.html
Reference: MANDRAKE:MDKSA-2002:030
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-030.php
Reference: HP:HPSBTL0205-039
Reference: URL:http://online.securityfocus.com/advisories/4116
Reference: XF:linux-netfilter-information-leak(9043)
Reference: URL:http://www.iss.net/security_center/static/9043.php
Reference: BID:4699
Reference: URL:http://www.securityfocus.com/bid/4699
The Network Address Translation (NAT) capability for Netfilter
("iptables") 1.2.6a and earlier leaks translated IP addresses in ICMP
error messages.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0704 ACCEPT (5 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
NOOP(1) Foat
======================================================
Candidate: CAN-2002-0710
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0710
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020718
Category: SF
Reference: BUGTRAQ:20020730 Directory traversal vulnerability in sendform.cgi
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102809084218422&w=2
Reference: VULNWATCH:20020731 [VulnWatch] Directory traversal vulnerability in sendform.cgi
Reference: CONFIRM:http://www.scn.org/~bb615/scripts/sendform.html
Reference: XF:sendform-blurbfile-directory-traversal(9725)
Reference: URL:http://www.iss.net/security_center/static/9725.php
Reference: BID:5286
Reference: URL:http://www.securityfocus.com/bid/5286
Directory traversal vulnerability in sendform.cgi 1.44 and earlier
allows remote attackers to read arbitrary files by specifying the
desired files in the BlurbFilePath parameter.
Modifications:
ADDREF XF:sendform-blurbfile-directory-traversal(9725)
ADDREF BID:5286
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: On the vendor's home page, an item dated July 22,
2002, says "New: security fix: This limits reading world-readable
'blurb' files (that can be used with HTML forms with this script) to
certain directories defined in the script by the Web administrator."
INFERRED ACTION: CAN-2002-0710 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> XF:sendform-blurbfile-directory-traversal(9725)
URL:http://www.iss.net/security_center/static/9725.php
======================================================
Candidate: CAN-2002-0714
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0714
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020720
Category: SF
Reference: CONFIRM:http://www.squid-cache.org/Advisories/SQUID-2002_3.txt
Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.4/bugs/
Reference: REDHAT:RHSA-2002:051
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-051.html
Reference: REDHAT:RHSA-2002:130
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-130.html
Reference: SUSE:SuSE-SA:2002:025
Reference: CALDERA:CSSA-2002-046.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-046.0.txt
Reference: CONECTIVA:CLA-2002:506
Reference: MANDRAKE:MDKSA-2002:044
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-044.php
Reference: BUGTRAQ:20020715 TSLSA-2002-0062 - squid
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102674543407606&w=2
Reference: XF:squid-ftp-data-injection(9479)
Reference: URL:http://www.iss.net/security_center/static/9479.php
Reference: BID:5158
Reference: URL:http://www.securityfocus.com/bid/5158
FTP proxy in Squid before 2.4.STABLE6 does not compare the IP
addresses of control and data connections with the FTP server, which
allows remote attackers to bypass firewall rules or spoof FTP server
responses.
Modifications:
ADDREF XF:squid-ftp-data-injection(9479)
ADDREF CALDERA:CSSA-2002-046.0
ADDREF REDHAT:RHSA-2002:051
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0714 ACCEPT (6 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
MODIFY(1) Frech
NOOP(2) Christey, Foat
Voter Comments:
Frech> XF:squid-ftp-data-injection(9479)
Christey> REDHAT:RHSA-2002:051
URL:http://rhn.redhat.com/errata/RHSA-2002-051.html
======================================================
Candidate: CAN-2002-0716
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0716
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020722
Category: SF
Reference: BUGTRAQ:20020604 SRT Security Advisory (SRT2002-06-04-1711): SCO crontab
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102323070305101&w=2
Reference: VULN-DEV:20020604 SRT Security Advisory (SRT2002-06-04-1711): SCO crontab
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102323386107641&w=2
Reference: CALDERA:CSSA-2002-SCO.35
Reference: BID:4938
Reference: URL:http://www.securityfocus.com/bid/4938
Reference: XF:openserver-crontab-format-string(9271)
Reference: URL:http://www.iss.net/security_center/static/9271.php
Format string vulnerability in crontab for SCO OpenServer 5.0.5 and
5.0.6 allows local users to gain privileges via format string
specifiers in the file name argument.
Modifications:
ADDREF BID:4938
ADDREF XF:openserver-crontab-format-string(9271)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0716 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> BID:4938
URL:http://www.securityfocus.com/bid/4938
XF:openserver-crontab-format-string(9271)
URL:http://www.iss.net/security_center/static/9271.php
======================================================
Candidate: CAN-2002-0718
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0718
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020722
Category: SF
Reference: MS:MS02-041
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-041.asp
Reference: BID:5421
Reference: URL:http://www.securityfocus.com/bid/5421
Reference: XF:mcms-authoring-file-execution(9784)
Reference: URL:http://www.iss.net/security_center/static/9784.php
Web authoring command in Microsoft Content Management Server (MCMS)
2001 allows attackers to authenticate and upload executable content,
by modifying the upload location, aka "Program Execution via MCMS
Authoring Function."
Modifications:
ADDREF BID:5421
ADDREF XF:mcms-authoring-file-execution(9784)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0718 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
NOOP(2) Christey, Cox
Voter Comments:
Christey> BID:5421
URL:http://www.securityfocus.com/bid/5421
XF:mcms-authoring-file-execution(9784)
URL:http://www.iss.net/security_center/static/9784.php
======================================================
Candidate: CAN-2002-0719
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0719
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020722
Category: SF
Reference: MS:MS02-041
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-041.asp
Reference: BID:5422
Reference: URL:http://www.securityfocus.com/bid/5422
Reference: XF:mcms-resource-sql-injection(9785)
Reference: URL:http://www.iss.net/security_center/static/9785.php
SQL injection vulnerability in the function that services for
Microsoft Content Management Server (MCMS) 2001 allows remote
attackers to execute arbitrary commands via an MCMS resource request
for image files or other files.
Modifications:
ADDREF BID:5422
ADDREF XF:mcms-resource-sql-injection(9785)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0719 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
NOOP(2) Christey, Cox
Voter Comments:
Christey> BID:5422
URL:http://www.securityfocus.com/bid/5422
XF:mcms-resource-sql-injection(9785)
URL:http://www.iss.net/security_center/static/9785.php
======================================================
Candidate: CAN-2002-0720
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0720
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020722
Category: SF
Reference: MS:MS02-042
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-042.asp
Reference: XF:win2k-ncm-gain-privileges(9856)
Reference: URL:http://www.iss.net/security_center/static/9856.php
Reference: BID:5480
Reference: URL:http://www.securityfocus.com/bid/5480
A handler routine for the Network Connection Manager (NCM) in Windows
2000 allows local users to gain privileges via a complex attack that
causes the handler to run in the LocalSystem context with
user-specified code.
Modifications:
ADDREF XF:win2k-ncm-gain-privileges(9856)
ADDREF BID:5480
DESC add OS
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0720 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
NOOP(2) Christey, Cox
Voter Comments:
Christey> XF:win2k-ncm-gain-privileges(9856)
URL:http://www.iss.net/security_center/static/9856.php
BID:5480
URL:http://www.securityfocus.com/bid/5480
======================================================
Candidate: CAN-2002-0722
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0722
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020722
Category: SF
Reference: BUGTRAQ:20020828 Origin of downloaded files can be spoofed in MSIE
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103054692223380&w=2
Reference: MS:MS02-047
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-047.asp
Reference: XF:ie-file-origin-spoofing(9937)
Reference: URL:http://www.iss.net/security_center/static/9937.php
Reference: BID:5559
Reference: URL:http://www.securityfocus.com/bid/5559
Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers
to misrepresent the source of a file in the File Download dialogue box
to trick users into thinking that the file type is safe to download,
aka "File Origin Spoofing."
Modifications:
ADDREF XF:ie-file-origin-spoofing(9937)
ADDREF BID:5559
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0722 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
NOOP(2) Christey, Cox
Voter Comments:
Christey> XF:ie-file-origin-spoofing(9937)
URL:http://www.iss.net/security_center/static/9937.php
BID:5559
URL:http://www.securityfocus.com/bid/5559
======================================================
Candidate: CAN-2002-0726
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0726
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020722
Category: SF
Reference: ATSTAKE:A082802-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a082802-1.txt
Reference: MS:MS02-046
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-046.asp
Reference: XF:ms-tsac-activex-bo(9934)
Reference: URL:http://www.iss.net/security_center/static/9934.php
Reference: BID:5554
Reference: URL:http://www.securityfocus.com/bid/5554
Buffer overflow in Microsoft Terminal Services Advanced Client (TSAC)
ActiveX control allows remote attackers to execute arbitrary code via
a long server name field.
Modifications:
ADDREF XF:ms-tsac-activex-bo(9934)
ADDREF BID:5554
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0726 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
NOOP(2) Christey, Cox
Voter Comments:
Christey> XF:ms-tsac-activex-bo(9934)
URL:http://www.iss.net/security_center/static/9934.php
BID:5554
URL:http://www.securityfocus.com/bid/5554
======================================================
Candidate: CAN-2002-0727
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0727
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020722
Category: SF
Reference: MS:MS02-044
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-044.asp
Reference: BUGTRAQ:20020408 Scripting for the scriptless with OWC in IE (GM#005-IE)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101829645415486&w=2
Reference: XF:owc-spreadsheet-host-script-execution(8777)
Reference: URL:http://www.iss.net/security_center/static/8777.php
Reference: BID:4449
Reference: URL:http://online.securityfocus.com/bid/4449
The Host function in Microsoft Office Web Components (OWC) 2000 and
2002 is exposed in components that are marked as safe for scripting,
which allows remote attackers to execute arbitrary commands via the
setTimeout method.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0727 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Cole, Armstrong
NOOP(2) Cox, Foat
======================================================
Candidate: CAN-2002-0733
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0733
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: VULNWATCH:20020417 Smalls holes on 5 products #1
Reference: URL:http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0155.html
Reference: CONFIRM:http://www.acme.com/software/thttpd/#releasenotes
Reference: MISC:http://www.ifrance.com/kitetoua/tuto/5holes1.txt
Reference: XF:thttpd-error-page-css(9029)
Reference: URL:http://www.iss.net/security_center/static/9029.php
Reference: BID:4601
Reference: URL:http://www.securityfocus.com/bid/4601
Cross-site scripting vulnerability in thttpd 2.20 and earlier allows
remote attackers to execute arbitrary script via a URL to a
nonexistent page, which causes thttpd to insert the script into a 404
error message.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: In the release notes for 2.21, the vendor states
"Fixed cross-site scripting bug relating to the built-in error pages."
INFERRED ACTION: CAN-2002-0733 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0734
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0734
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020506 b2 php remote command execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0027.html
Reference: CONFIRM:http://cafelog.com/
Reference: BID:4673
Reference: URL:http://www.securityfocus.com/bid/4673
Reference: XF:b2-b2inc-command-execution(9013)
Reference: URL:http://www.iss.net/security_center/static/9013.php
b2edit.showposts.php in B2 2.0.6pre2 and earlier does not properly
load the b2config.php file in some configurations, which allows remote
attackers to execute arbitrary PHP code via a URL that sets the $b2inc
variable to point to a malicious program stored on a remote server.
Modifications:
DESC remove "Trojan horse" terminology
Analysis
--------
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: On the vendor's home page, an item dated "04.05.02"
(May 4, 2002) states "Someone recently told me about a security hole
in b2... The fix for the security hole is very simple: create a file
named b2config.php and upload it in your b2-include folder." While
this in itself doesn't include enough details to be certain that the
vendor is fixing *this* problem, it would fix the problem, and later
comments on the vendor's page would line up with the date of public
announcement of this problem.
INFERRED ACTION: CAN-2002-0734 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0736
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0736
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020416 Back Office Web Administrator Authentication Bypass (#NISR17042002A)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0208.html
Reference: MSKB:Q316838
Reference: URL:http://support.microsoft.com/support/kb/articles/q316/8/38.asp
Reference: BID:4528
Reference: URL:http://www.securityfocus.com/bid/4528
Reference: XF:backoffice-bypass-authentication(8862)
Reference: URL:http://www.iss.net/security_center/static/8862.php
Microsoft BackOffice 4.0 and 4.5, when configured to be accessible by
other systems, allows remote attackers to bypass authentication and
access the administrative ASP pages via an HTTP request with an
authorization type (auth_type) that is not blank.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0736 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
NOOP(1) Cox
======================================================
Candidate: CAN-2002-0737
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0737
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020417 KPMG-2002012: Sambar Webserver Serverside Fileparse Bypass
Reference: URL:http://online.securityfocus.com/archive/1/268121
Reference: VULNWATCH:20020417 [VulnWatch] KPMG-2002012: Sambar Webserver Serverside Fileparse Bypass
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0026.html
Reference: CONFIRM:http://www.sambar.com/security.htm
Reference: XF:sambar-script-source-disclosure(8876)
Reference: URL:http://www.iss.net/security_center/static/8876.php
Reference: BID:4533
Reference: URL:http://www.securityfocus.com/bid/4533
Sambar web server before 5.2 beta 1 allows remote attackers to obtain
source code of server-side scripts, or cause a denial of service
(resource exhaustion) via DOS devices, using a URL that ends with a
space and a null character.
Analysis
--------
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: on the security page, last updated the day after the
initial disclosure, the vendor states that "All releases prior to the
5.2 beta 1 release are vulnerable to having the source code associated
with CGI scripts and JSP files exposed via an URL sequence."
INFERRED ACTION: CAN-2002-0737 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0738
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0738
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020418 MHonArc v2.5.2 Script Filtering Bypass Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0260.html
Reference: CONFIRM:http://www.mhonarc.org/MHonArc/CHANGES
Reference: DEBIAN:DSA-163
Reference: URL:http://www.debian.org/security/2002/dsa-163
Reference: XF:mhonarc-script-filtering-bypass(8894)
Reference: URL:http://www.iss.net/security_center/static/8894.php
Reference: BID:4546
Reference: URL:http://www.securityfocus.com/bid/4546
MHonArc 2.5.2 and earlier does not properly filter Javascript from
archived e-mail messages, which could allow remote attackers to
execute script in web clients by (1) splitting the SCRIPT tag into
smaller pieces, (2) including the script in a SRC argument to an IMG
tag, or (3) using "&={script}" syntax.
Modifications:
ADDREF DEBIAN:DSA-163
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: In the changelog for 2002/04/18 (version 2.5.3), the
vendor states "Beefed up HTML filtering in mhtxthtml.pl to eliminate
some security exploits" and credits the Bugtraq researchers.
INFERRED ACTION: CAN-2002-0738 ACCEPT (3 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> DEBIAN:DSA-163
======================================================
Candidate: CAN-2002-0741
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0741
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020423 PsyBNC Remote Dos POC
Reference: URL:http://online.securityfocus.com/archive/1/269131
Reference: BUGTRAQ:20020422 Re: psyBNC 2.3 DoS / Bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0322.html
Reference: BID:4570
Reference: URL:http://www.securityfocus.com/bid/4570
Reference: XF:psybnc-long-password-dos(8912)
Reference: URL:http://www.iss.net/security_center/static/8912.php
psyBNC 2.3 allows remote attackers to cause a denial of service (CPU
consumption and resource exhaustion) by sending a PASS command with a
long password argument and quickly killing the connection, which is
not properly terminated by psyBNC.
Analysis
--------
Vendor Acknowledgement: yes followup
INFERRED ACTION: CAN-2002-0741 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
NOOP(4) Cox, Wall, Foat, Armstrong
======================================================
Candidate: CAN-2002-0748
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0748
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020423 LabVIEW Web Server DoS Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0323.html
Reference: CONFIRM:http://digital.ni.com/public.nsf/websearch/4C3F86E655E5389886256BA00064B22F?OpenDocument
Reference: XF:labview-http-get-dos(8919)
Reference: URL:http://www.iss.net/security_center/static/8919.php
Reference: BID:4577
Reference: URL:http://www.securityfocus.com/bid/4577
LabVIEW Web Server 5.1.1 through 6.1 allows remote attackers to cause
a denial of service (crash) via an HTTP GET request that ends in two
newline characters, instead of the expected carriage return/newline
combinations.
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0748 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0754
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0754
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:07
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:07.k5su.asc
Reference: BID:3919
Reference: URL:http://www.securityfocus.com/bid/3919
Reference: XF:kerberos5-k5su-elevate-privileges(7956)
Reference: URL:http://www.iss.net/security_center/static/7956.php
Kerberos 5 su (k5su) in FreeBSD 4.4 and earlier relies on the getlogin
system call to determine if the user running k5su is root, which could
allow a root-initiated process to regain its privileges after it has
dropped them.
Modifications:
DESC clarify
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0754 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> need to rewrite desc to make a little more clear.
======================================================
Candidate: CAN-2002-0755
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0755
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:24
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:24.k5su.asc
Reference: BID:4777
Reference: URL:http://www.securityfocus.com/bid/4777
Reference: XF:freebsd-k5su-gain-privileges(9125)
Reference: URL:http://www.iss.net/security_center/static/9125.php
Kerberos 5 su (k5su) in FreeBSD 4.5 and earlier does not verify that a
user is a member of the wheel group before granting superuser
privileges, which could allow unauthorized users to execute commands
as root.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0755 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0758
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0758
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: SUSE:SuSE-SA:2002:016
Reference: URL:http://www.suse.de/de/support/security/2002_016_sysconfig_txt.html
Reference: BID:4695
Reference: URL:http://www.securityfocus.com/bid/4695
Reference: XF:suse-sysconfig-command-execution(9040)
Reference: URL:http://www.iss.net/security_center/static/9040.php
ifup-dhcp script in the sysconfig package for SuSE 8.0 allows remote
attackers to execute arbitrary commands via spoofed DHCP responses,
which are stored and executed in a file.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0758 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0759
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0759
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:25
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:25.bzip2.asc
Reference: CALDERA:CSSA-2002-039.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-039.0.txt
Reference: XF:bzip2-decompression-file-overwrite(9126)
Reference: URL:http://www.iss.net/security_center/static/9126.php
Reference: BID:4774
Reference: URL:http://www.securityfocus.com/bid/4774
bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and
3.1.1, and possibly other operating systems, does not use the O_EXCL
flag to create files during decompression and does not warn the user
if an existing file would be overwritten, which could allow attackers
to overwrite files via a bzip2 archive.
Modifications:
ADDREF CALDERA:CSSA-2002-039.0
DESC add OpenLinux to desc
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0759 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Cox, Cole, Armstrong
NOOP(3) Christey, Wall, Foat
Voter Comments:
Christey> CALDERA:CSSA-2002-039.0
======================================================
Candidate: CAN-2002-0760
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0760
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:25
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:25.bzip2.asc
Reference: CALDERA:CSSA-2002-039.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-039.0.txt
Reference: BID:4775
Reference: URL:http://www.securityfocus.com/bid/4775
Reference: XF:bzip2-decompression-race-condition(9127)
Reference: URL:http://www.iss.net/security_center/static/9127.php
Race condition in bzip2 before 1.0.2 in FreeBSD 4.5 and earlier,
OpenLinux 3.1 and 3.1.1, and possibly other operating systems,
decompresses files with world-readable permissions before setting the
permissions to what is specified in the bzip2 archive, which could
allow local users to read the files as they are being decompressed.
Modifications:
DESC add OpenLinux
ADDREF CALDERA:CSSA-2002-039.0
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0760 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Cox, Cole, Armstrong
NOOP(3) Christey, Wall, Foat
Voter Comments:
Christey> CALDERA:CSSA-2002-039.0
======================================================
Candidate: CAN-2002-0761
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0761
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:25
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:25.bzip2.asc
Reference: CALDERA:CSSA-2002-039.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-039.0.txt
Reference: XF:bzip2-compression-symlink(9128)
Reference: URL:http://www.iss.net/security_center/static/9128.php
Reference: BID:4776
Reference: URL:http://www.securityfocus.com/bid/4776
bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and
3.1.1, and possibly other operating systems, uses the permissions of
symbolic links instead of the actual files when creating an archive,
which could cause the files to be extracted with less restrictive
permissions than intended.
Modifications:
DESC add OpenLinux
ADDREF CALDERA:CSSA-2002-039.0
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0761 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Cox, Cole, Armstrong
NOOP(3) Christey, Wall, Foat
Voter Comments:
Christey> CALDERA:CSSA-2002-039.0
======================================================
Candidate: CAN-2002-0762
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0762
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: SUSE:SuSE-SA:2002:017
Reference: URL:http://www.suse.de/de/support/security/2002_17_shadow.html
Reference: XF:suse-shadow-filesize-limits(9102)
Reference: URL:http://www.iss.net/security_center/static/9102.php
Reference: BID:4757
Reference: URL:http://www.securityfocus.com/bid/4757
shadow package in SuSE 8.0 allows local users to destroy the
/etc/passwd and /etc/shadow files or assign extra group privileges to
some users by changing filesize limits before calling programs that
modify the files.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0762 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0765
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0765
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020527 OpenSSH 3.2.3 released (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0235.html
Reference: OPENBSD:20020522 004: SECURITY FIX: May 22, 2002
Reference: URL:http://www.openbsd.org/errata.html#sshbsdauth
Reference: BID:4803
Reference: URL:http://www.securityfocus.com/bid/4803
Reference: XF:bsd-sshd-authentication-error(9215)
Reference: URL:http://www.iss.net/security_center/static/9215.php
sshd in OpenSSH 3.2.2, when using YP with netgroups and under certain
conditions, may allow users to successfully authenticate and log in
with another user's password.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0765 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Foat, Cole, Armstrong
NOOP(2) Cox, Wall
======================================================
Candidate: CAN-2002-0766
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0766
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: VULNWATCH:20020509 [VulnWatch] OpenBSD local DoS and root exploit
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0066.html
Reference: BUGTRAQ:20020509 OpenBSD local DoS and root exploit
Reference: URL:http://online.securityfocus.com/archive/1/271702
Reference: OPENBSD:20020508 003: SECURITY FIX: May 8, 2002
Reference: URL:http://www.openbsd.org/errata.html#fdalloc2
Reference: XF:openbsd-file-descriptor-dos(9048)
Reference: URL:http://www.iss.net/security_center/static/9048.php
OpenBSD 2.9 through 3.1 allows local users to cause a denial of
service (resource exhaustion) and gain root privileges by filling the
kernel's file descriptor table and closing file descriptors 0, 1, or 2
before executing a privileged process, which is not properly handled
when OpenBSD fails to open an alternate descriptor.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0766 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0768
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0768
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category:
Reference: SUSE:SuSE-SA:2002:018
Reference: URL:http://www.suse.com/de/support/security/2002_18_lukemftp.html
Reference: XF:lukemftp-pasv-bo(9130)
Reference: URL:http://www.iss.net/security_center/static/9130.php
Buffer overflow in lukemftp FTP client in SuSE 6.4 through 8.0, and
possibly other operating systems, allows a malicious FTP server to
execute arbitrary code via a long PASV command.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0768 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0776
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0776
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020713 Hosting Controller Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/282129
Reference: CONFIRM:http://hostingcontroller.com/english/logs/sp2log.html
Reference: XF:hosting-controller-password-modification(9554)
Reference: URL:http://www.iss.net/security_center/static/9554.php
Reference: BID:5229
Reference: URL:http://www.securityfocus.com/bid/5229
getuserdesc.asp in Hosting Controller 2002 allows remote attackers to
change the passwords of arbitrary users and gain privileges by
modifying the username parameter, as addressed by the "UpdateUser" hot
fix.
Modifications:
ADDREF XF:hosting-controller-password-modification(9554)
ADDREF BID:5229
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0776 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Balinsky, Cole
MODIFY(1) Frech
NOOP(4) Cox, Wall, Foat, Armstrong
Voter Comments:
Frech> XF:hosting-controller-password-modification(9554)
======================================================
Candidate: CAN-2002-0777
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0777
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020520 Foundstone Advisory - Buffer Overflow in Ipswitch Imail 7.1 and prior (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0172.html
Reference: XF:imail-ldap-bo(9116)
Reference: URL:http://www.iss.net/security_center/static/9116.php
Reference: BID:4780
Reference: URL:http://www.securityfocus.com/bid/4780
Buffer overflow in the LDAP component of Ipswitch IMail 7.1 and
earlier allows remote attackers to execute arbitrary code via a long
"bind DN" parameter.
Analysis
--------
Vendor Acknowledgement: yes via-email
ACKNOWLEDGEMENT: the only apparent information by the vendor that MAY
be related to this issue is at
http://support.ipswitch.com/kb/IM-20020703-DM01.htm; there are two
comments related to overflows: "Removed a buffer overflow error in Web
Calendaring" and "ILDAP: Fixed a buffer overflow which could be used
for a DOS attack." While the latter phrase might be related to the
LDAP issue, it is in direct conflict with Foundstone's claim that the
problem is exploitable, which may indicate that this is not really the
same vulnerability. Inquiry posted to
http://www.ipswitch.com/cgi/askatech.pl?action=build on July 17, 2002.
Tracking number: T200207180016. Vendor confirmed the issue via an
E-mail reply from evalhelp@ipswitch.com on July 18: "Yes, this has
been repaired... The conclusive evidence is in the knowledge base
article."
INFERRED ACTION: CAN-2002-0777 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0778
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0778
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: CF
Reference: CISCO:20020528 Transparent Cache Engine and Content Engine TCP Relay Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/transparentcache-tcp-relay-vuln-pub.shtml
Reference: XF:cisco-cache-content-tcp-forward(9082)
Reference: URL:http://www.iss.net/security_center/static/9082.php
Reference: BID:4751
Reference: URL:http://www.securityfocus.com/bid/4751
The default configuration of the proxy for Cisco Cache Engine and
Content Engine allows remote attackers to use HTTPS to make TCP
connections to allowed IP addresses while hiding the actual source IP.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0778 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Foat, Cole, Armstrong
NOOP(2) Cox, Wall
======================================================
Candidate: CAN-2002-0785
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0785
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020508 Hole in AOL Instant Messenger
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0086.html
Reference: XF:aim-addbuddy-bo(9058)
Reference: URL:http://www.iss.net/security_center/static/9058.php
Reference: BID:4709
Reference: URL:http://www.securityfocus.com/bid/4709
AOL Instant Messenger (AIM) allows remote attackers to cause a denial
of service (crash) via an "AddBuddy" link with the ScreenName
parameter set to a large number of comma-separated values, possibly
triggering a buffer overflow.
Analysis
--------
Vendor Acknowledgement:
INFERRED ACTION: CAN-2002-0785 ACCEPT (4 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Wall, Cole, Armstrong
NOOP(2) Cox, Foat
======================================================
Candidate: CAN-2002-0788
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0788
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020508 NTFS and PGP interact to expose EFS encrypted data
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0052.html
Reference: CONFIRM:http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1/hotfix/ReadMe.txt
Reference: XF:pgp-ntfs-reveal-data(9044)
Reference: URL:http://www.iss.net/security_center/static/9044.php
Reference: BID:4702
Reference: URL:http://www.securityfocus.com/bid/4702
An interaction between PGP 7.0.3 with the "wipe deleted files" option,
when used on Windows Encrypted File System (EFS), creates cleartext
temporary files that cannot be wiped or deleted due to strong
permissions, which could allow certain local users or attackers with
physical access to obtain cleartext information.
Analysis
--------
Vendor Acknowledgement: yes advisory
ACKNOWLEDGEMENT: In the release notes for the hotfix, the vendor
states "There is a conflict between Microsoft's Encrypted File System
(EFS) on Windows 2000 and PGP's file wiping feature. When you encrypt
a file using EFS, Windows 2000 creates a temporary file that contains
the cleartext of the encrypted file."
INFERRED ACTION: CAN-2002-0788 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0789
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0789
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020511 Bug in mnogosearch-3.1.19
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0092.html
Reference: CONFIRM:http://www.mnogosearch.org/Download/mnogosearch-3.1.20.tar.gz
Reference: MISC:http://www.mnogosearch.org/history.html#log31
Reference: BID:4724
Reference: URL:http://www.securityfocus.com/bid/4724
Reference: XF:mnogosearch-search-cgi-bo(9060)
Reference: URL:http://www.iss.net/security_center/static/9060.php
Buffer overflow in search.cgi in mnoGoSearch 3.1.19 and earlier allows
remote attackers to execute arbitrary code via a long query (q)
parameter.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: a vague comment in the product history page includes
an item for version 3.1.20 dated "27 Jun 2002," which states "Security
bug has been fixed." This is not sufficient proof that the vendor has
fixed *this* issue. HOWEVER, the ChangeLog in the source code for
3.1.20 includes an item dated 27 Jun 2002, which says "A security bug
(trap on too long queries) fixed," which *does* qualify as sufficient
proof.
INFERRED ACTION: CAN-2002-0789 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0790
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0790
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: AIXAPAR:IY24556
Reference: URL:http://techsupport.services.ibm.com/server/aix.uhuic_getrec?args=DVsteamboat.boulder.ibm.com+DBAIX2+DA6854+STIY24556+USbin
clchkspuser and clpasswdremote in AIX expose an encrypted password in
the cspoc.log file, which could allow local users to gain privileges.
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0790 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
NOOP(4) Cox, Wall, Foat, Armstrong
======================================================
Candidate: CAN-2002-0794
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0794
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:26
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2002-05/0349.html
Reference: BID:4879
Reference: URL:http://www.securityfocus.com/bid/4879
Reference: XF:freebsd-accept-filter-dos(9209)
Reference: URL:http://www.iss.net/security_center/static/9209.php
The accept_filter mechanism in FreeBSD 4 through 4.5 does not properly
remove entries from the incomplete listen queue when adding a
syncache, which allows remote attackers to cause a denial of service
(network service availability) via a large number of connection
attempts, which fills the queue.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0794 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0795
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0795
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:27
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:27.rc.asc
Reference: XF:freebsd-rc-delete-directories(9217)
Reference: URL:http://www.iss.net/security_center/static/9217.php
Reference: BID:4880
Reference: URL:http://www.securityfocus.com/bid/4880
The rc system startup script for FreeBSD 4 through 4.5 allows local
users to delete arbitrary files via a symlink attack on X Windows lock
files.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0795 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0801
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0801
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: VULNWATCH:20020529 [VulnWatch] FW: Macromedia JRUN Buffer overflow vulnerability (#NISR29052002)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0085.html
Reference: BUGTRAQ:20020529 Addendum to advisory #NISR29052002 (JRun buffer overflow)
Reference: URL:http://online.securityfocus.com/archive/1/274601
Reference: BUGTRAQ:20020529 Macromedia JRUN Buffer overflow vulnerability (#NISR29052002)
Reference: URL:http://online.securityfocus.com/archive/1/274528
Reference: CERT-VN:VU#703835
Reference: URL:http://www.kb.cert.org/vuls/id/703835
Reference: CERT:CA-2002-14
Reference: URL:http://www.cert.org/advisories/CA-2002-14.html
Reference: XF:jrun-isapi-host-bo(9194)
Reference: URL:http://www.iss.net/security_center/static/9194.php
Reference: BID:4873
Reference: URL:http://www.securityfocus.com/bid/4873
Buffer overflow in the ISAPI DLL filter for Macromedia JRun 3.1 allows
remote attackers to execute arbitrary code via a direct request to the
filter with a long HTTP host header field in a URL for a .jsp file.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0801 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Armstrong, Baker, Wall
NOOP(2) Cox, Foat
======================================================
Candidate: CAN-2002-0802
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0802
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: MISC:http://marc.theaimsgroup.com/?l=postgresql-general&m=102032794322362
Reference: REDHAT:RHSA-2002:149
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-149.html
Reference: XF:postgresql-sqlascii-sql-injection(10328)
Reference: URL:http://www.iss.net/security_center/static/10328.php
The multibyte support in PostgreSQL 6.5.x with SQL_ASCII encoding
consumes an extra character when processing a character that cannot be
converted, which could remove an escape character from the query and
make the application subject to SQL injection attacks.
Modifications:
ADDREF REDHAT:RHSA-2002:149
ADDREF XF:postgresql-sqlascii-sql-injection(10328)
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0802 ACCEPT (7 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Armstrong, Alderson, Baker, Jones
MODIFY(2) Frech, Cox
NOOP(1) Foat
Voter Comments:
Cox> ADDREF:REDHAT:RHSA-2002:149
Frech> XF:postgresql-sqlascii-sql-injection(10328)
======================================================
Candidate: CAN-2002-0804
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0804
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: BUGTRAQ:20020608 [BUGZILLA] Security Advisory For Versions of Bugzilla 2.14 Prior To 2.14.2, 2.16 Prior To 2.16rc2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=129466
Reference: REDHAT:RHSA-2002:109
Reference: BID:4964
Reference: URL:http://online.securityfocus.com/bid/4964
Reference: XF:bugzilla-reversedns-hostname-spoof(9301)
Reference: URL:http://www.iss.net/security_center/static/9301.php
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, when configured
to perform reverse DNS lookups, allows remote attackers to bypass IP
restrictions by connecting from a system with a spoofed reverse DNS
hostname.
Modifications:
ADDREF XF:bugzilla-reversedns-hostname-spoof(9301)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0804 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Wall
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> XF:bugzilla-reversedns-hostname-spoof(9301)
======================================================
Candidate: CAN-2002-0805
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0805
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: BUGTRAQ:20020608 [BUGZILLA] Security Advisory For Versions of Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=134575
Reference: REDHAT:RHSA-2002:109
Reference: BID:4964
Reference: URL:http://online.securityfocus.com/bid/4964
Reference: XF:bugzilla-world-writable-dir(9302)
Reference: URL:http://www.iss.net/security_center/static/9302.php
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, (1) creates new
directories with world-writable permissions, and (2) creates the
params file with world-writable permissions, which allows local users
to modify the files and execute code.
Modifications:
ADDREF XF:bugzilla-world-writable-dir(9302)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0805 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Wall
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> XF:bugzilla-world-writable-dir(9302)
======================================================
Candidate: CAN-2002-0806
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0806
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: BUGTRAQ:20020608 [BUGZILLA] Security Advisory For Versions of Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=141557
Reference: REDHAT:RHSA-2002:109
Reference: BID:4964
Reference: URL:http://online.securityfocus.com/bid/4964
Reference: XF:bugzilla-edituser-user-delete(9303)
Reference: URL:http://www.iss.net/security_center/static/9303.php
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows
authenticated users with editing privileges to delete other users by
directly calling the editusers.cgi script with the "del" option.
Modifications:
ADDREF XF:bugzilla-edituser-user-delete(9303)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0806 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Wall
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> XF:bugzilla-edituser-user-delete(9303)
======================================================
Candidate: CAN-2002-0808
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0808
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: BUGTRAQ:20020608 [BUGZILLA] Security Advisory For Versions of Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=107718
Reference: REDHAT:RHSA-2002:109
Reference: BID:4964
Reference: URL:http://online.securityfocus.com/bid/4964
Reference: XF:bugzilla-masschange-change-groupset(9305)
Reference: URL:http://www.iss.net/security_center/static/9305.php
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, when performing
a mass change, sets the groupset of all bugs to the groupset of the
first bug, which could inadvertently cause insecure groupset
permissions to be assigned to some bugs.
Modifications:
ADDREF XF:bugzilla-masschange-change-groupset(9305)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0808 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Wall
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> XF:bugzilla-masschange-change-groupset(9305)
======================================================
Candidate: CAN-2002-0809
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0809
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: BUGTRAQ:20020608 [BUGZILLA] Security Advisory For Versions of Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=148674
Reference: REDHAT:RHSA-2002:109
Reference: BID:4964
Reference: URL:http://online.securityfocus.com/bid/4964
Reference: XF:bugzilla-group-permissions-removal(10141)
Reference: URL:http://www.iss.net/security_center/static/10141.php
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, does not
properly handle URL-encoded field names that are generated by some
browsers, which could cause certain fields to appear to be unset,
which has the effect of removing group permissions on bugs when
buglist.cgi is provided with the encoded field names.
Modifications:
ADDREF XF:bugzilla-group-permissions-removal(10141)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0809 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Wall
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> XF:bugzilla-group-permissions-removal(10141)
======================================================
Candidate: CAN-2002-0810
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0810
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: BUGTRAQ:20020608 [BUGZILLA] Security Advisory For Versions of Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=92263
Reference: REDHAT:RHSA-2002:109
Reference: BID:4964
Reference: URL:http://online.securityfocus.com/bid/4964
Reference: XF:bugzilla-shadow-database-information(9306)
Reference: URL:http://www.iss.net/security_center/static/9306.php
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, directs error
messages from the syncshadowdb command to the HTML output, which could
leak sensitive information, including plaintext passwords, if
syncshadowdb fails.
Modifications:
ADDREF XF:bugzilla-shadow-database-information(9306)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0810 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Wall
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> XF:bugzilla-shadow-database-information(9306)
======================================================
Candidate: CAN-2002-0813
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0813
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020730
Category: SF
Reference: BUGTRAQ:20020727 Phenoelit Advisory, 0815 ++ * - Cisco_tftp
Reference: URL:http://online.securityfocus.com/archive/1/284634
Reference: CISCO:20020730 TFTP Long Filename Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/ios-tftp-long-filename-pub.shtml
Reference: BUGTRAQ:20020822 Cisco IOS exploit PoC
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103002169829669&w=2
Reference: XF:cisco-tftp-filename-bo(9700)
Reference: URL:http://www.iss.net/security_center/static/9700.php
Reference: BID:5328
Reference: URL:http://www.securityfocus.com/bid/5328
Heap-based buffer overflow in the TFTP server capability in Cisco IOS
11.1, 11.2, and 11.3 allows remote attackers to cause a denial of
service (reset) or modify configuration via a long filename.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0813 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Wall
NOOP(2) Cox, Foat
======================================================
Candidate: CAN-2002-0814
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0814
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020730
Category: SF
Reference: BUGTRAQ:20020724 VMware GSX Server Remote Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102752511030425&w=2
Reference: BUGTRAQ:20020726 Re: VMware GSX Server Remote Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102765223418716&w=2
Reference: NTBUGTRAQ:20020805 VMware GSX Server 2.0.1 Release and Security Alert
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0057.html
Reference: CONFIRM:http://www.vmware.com/download/gsx_security.html
Reference: XF:vmware-gsx-auth-bo(9663)
Reference: URL:http://www.iss.net/security_center/static/9663.php
Reference: BID:5294
Reference: URL:http://www.securityfocus.com/bid/5294
Buffer overflow in VMware Authorization Service for VMware GSX Server
2.0.0 build-2050 allows remote authenticated users to execute
arbitrary code via a long GLOBAL argument.
Analysis
--------
Vendor Acknowledgement: yes followup
INFERRED ACTION: CAN-2002-0814 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Foat
NOOP(2) Cox, Wall
======================================================
Candidate: CAN-2002-0816
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0816
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020731
Category: SF
Reference: BUGTRAQ:20020719 tru64 proof of concept /bin/su non-exec bypass
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102709593117171&w=2
Reference: COMPAQ:SSRT2257
Reference: URL:http://archives.neohapsis.com/archives/tru64/2002-q3/0019.html
Reference: BID:5272
Reference: URL:http://online.securityfocus.com/bid/5272
Reference: XF:tru64-su-bo(9640)
Reference: URL:http://www.iss.net/security_center/static/9640.php
Buffer overflow in su in Tru64 Unix 5.x allows local users to gain
root privileges via a long username and argument.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0816 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Baker
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0817
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0817
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020801
Category: SF
Reference: BUGTRAQ:20020731 The SUPER Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102812622416695&w=2
Reference: VULNWATCH:20020730 The SUPER Bug
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0045.html
Reference: DEBIAN:DSA-139
Reference: URL:http://www.debian.org/security/2002/dsa-139
Reference: XF:super-syslog-format-string(9741)
Reference: URL:http://www.iss.net/security_center/static/9741.php
Reference: BID:5367
Reference: URL:http://www.securityfocus.com/bid/5367
Format string vulnerability in super for Linux allows local users to
gain root privileges via a long command line argument.
Modifications:
ADDREF VULNWATCH:20020730 [VulnWatch] The SUPER Bug
ADDREF XF:super-syslog-format-string(9741)
ADDREF BID:5367
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0817 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Wall
NOOP(3) Christey, Cox, Foat
Voter Comments:
Christey> XF:super-syslog-format-string(9741)
URL:http://www.iss.net/security_center/static/9741.php
VULNWATCH:20020730 [VulnWatch] The SUPER Bug
URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0045.html
BID:5367
URL:http://www.securityfocus.com/bid/5367
======================================================
Candidate: CAN-2002-0818
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0818
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020801
Category: SF
Reference: BUGTRAQ:20020718 wwwoffle-2.7b and prior segfaults with negative Content-Length value
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0194.html
Reference: SUSE:SuSE-SA:2002:029
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102821890317683&w=2
Reference: DEBIAN:DSA-144
Reference: URL:http://www.debian.org/security/2002/dsa-144
Reference: CALDERA:CSSA-2002-048.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-048.0.txt
Reference: XF:wwwoffle-neg-length-bo(9619)
Reference: URL:http://www.iss.net/security_center/static/9619.php
Reference: BID:5260
Reference: URL:http://www.securityfocus.com/bid/5260
wwwoffled in World Wide Web Offline Explorer (WWWOFFLE) allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via a negative Content-Length value.
Modifications:
ADDREF CALDERA:CSSA-2002-048.0
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0818 ACCEPT (3 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Baker
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> CALDERA:CSSA-2002-048.0
======================================================
Candidate: CAN-2002-0823
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0823
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020802
Category: SF
Reference: BUGTRAQ:20020801 Winhelp32 Remote Buffer Overrun
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102822806329440&w=2
Reference: NTBUGTRAQ:20020801 Winhlp32.exe Remote BufferOverrun
Reference: MSKB:Q293338
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;en-us;q293338
Reference: XF:htmlhelp-item-bo(9746)
Reference: URL:http://www.iss.net/security_center/static/9746.php
Reference: BID:4857
Reference: URL:http://www.securityfocus.com/bid/4857
Buffer overflow in Winhlp32.exe allows remote attackers to execute
arbitrary code via an HTML document that calls the HTML Help ActiveX
control (HHCtrl.ocx) with a long pathname in the Item parameter.
Modifications:
ADDREF XF:htmlhelp-item-bo(9746)
ADDREF BID:4857
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0823 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Armstrong, Baker, Wall
NOOP(3) Christey, Cox, Foat
Voter Comments:
Christey> XF:htmlhelp-item-bo(9746)
URL:http://www.iss.net/security_center/static/9746.php
BID:4857
URL:http://www.securityfocus.com/bid/4857
MSKB:Q293338
URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q293338
======================================================
Candidate: CAN-2002-0824
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0824
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020803
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:32.pppd
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102812546815606&w=2
Reference: NETBSD:NetBSD-SA2002-010
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-010.txt.asc
Reference: OPENBSD:20020729 011: SECURITY FIX: July 29, 2002
Reference: URL:http://www.openbsd.org/errata31.html
Reference: XF:pppd-race-condition(9738)
Reference: URL:http://www.iss.net/security_center/static/9738.php
Reference: BID:5355
Reference: URL:http://www.securityfocus.com/bid/5355
BSD pppd allows local users to change the permissions of arbitrary
files via a symlink attack on a file that is specified as a tty
device.
Modifications:
DESC Add "BSD"
ADDREF XF:pppd-race-condition(9738)
ADDREF BID:5355
ADDREF OPENBSD:20020729 011: SECURITY FIX: July 29, 2002
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0824 ACCEPT (3 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Baker
MODIFY(1) Cox
NOOP(3) Christey, Wall, Foat
Voter Comments:
Cox> change to "BSD pppd"
Christey> XF:pppd-race-condition(9738)
URL:http://www.iss.net/security_center/static/9738.php
BID:5355
URL:http://www.securityfocus.com/bid/5355
======================================================
Candidate: CAN-2002-0826
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0826
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020806
Category: SF
Reference: ATSTAKE:A080802-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a080802-1.txt
Reference: CONFIRM:http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html
Reference: XF:wsftp-site-cpwd-bo(9794)
Reference: URL:http://www.iss.net/security_center/static/9794.php
Reference: BID:5427
Reference: URL:http://www.securityfocus.com/bid/5427
Buffer overflow in WS_FTP FTP Server 3.1.1 allows remote authenticated
users to execute arbitrary code via a long SITE CPWD command.
Modifications:
ADDREF XF:wsftp-site-cpwd-bo(9794)
ADDREF BID:5427
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the vendor's patches/upgrades page includes an item
for 3.1.2 that "corrects a security issue relating to the processing
of the SITE CPWD command... Fixed buffer overrun in CPWD command"
INFERRED ACTION: CAN-2002-0826 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Armstrong, Baker, Wall
NOOP(3) Christey, Cox, Foat
Voter Comments:
Christey> XF:wsftp-site-cpwd-bo(9794)
URL:http://www.iss.net/security_center/static/9794.php
BID:5427
URL:http://www.securityfocus.com/bid/5427
======================================================
Candidate: CAN-2002-0829
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0829
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020806
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:35.ffs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102865404413458&w=2
Reference: XF:freebsd-ffs-integer-overflow(9771)
Reference: URL:http://www.iss.net/security_center/static/9771.php
Reference: BID:5399
Reference: URL:http://www.securityfocus.com/bid/5399
Integer overflow in the Berkeley Fast File System (FFS) in FreeBSD
4.6.1 RELEASE-p4 and earlier allows local users to access arbitrary
file contents within FFS to gain privileges by creating a file that is
larger than allowed by the virtual memory system.
Modifications:
ADDREF XF:freebsd-ffs-integer-overflow(9771)
ADDREF BID:5399
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0829 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Baker
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> XF:freebsd-ffs-integer-overflow(9771)
URL:http://www.iss.net/security_center/static/9771.php
BID:5399
URL:http://www.securityfocus.com/bid/5399
======================================================
Candidate: CAN-2002-0830
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0830
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020806
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:36.nfs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102865517214722&w=2
Reference: CONFIRM:http://www.info.apple.com/usen/security/security_updates.html
Reference: NETBSD:NetBSD-SA2002-013
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-013.txt.asc
Network File System (NFS) in FreeBSD 4.6.1 RELEASE-p7 and earlier,
NetBSD 1.5.3 and earlier, and possibly other operating systems, allows
remote attackers to cause a denial of service (hang) via an RPC
message with a zero length payload, which causes NFS to reference a
previous payload and enter an infinite loop.
Modifications:
ADDREF CONFIRM:http://www.info.apple.com/usen/security/security_updates.html
ADDREF NETBSD:NetBSD-SA2002-013
DESC include other OSes
Analysis
--------
Vendor Acknowledgement: yes advisory
ACKNOWLEDGEMENT: Apple acknowledges this in its security update dated
2002-11-21 (a direct reference could not be found).
INFERRED ACTION: CAN-2002-0830 ACCEPT (3 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Baker
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> CONFIRM:http://www.info.apple.com/usen/security/security_updates.html
(Apple says "This is FreeBSD-SA-02:36.nfs")
Christey> NETBSD:NetBSD-SA2002-013
URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-013.txt.asc
======================================================
Candidate: CAN-2002-0831
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0831
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020806
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:37.kqueue
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102865142610126&w=2
Reference: XF:freebsd-kqueue-dos(9774)
Reference: URL:http://www.iss.net/security_center/static/9774.php
Reference: BID:5405
Reference: URL:http://www.securityfocus.com/bid/5405
The kqueue mechanism in FreeBSD 4.3 through 4.6 STABLE allows local
users to cause a denial of service (kernel panic) via a pipe call in
which one end is terminated and an EVFILT_WRITE filter is registered
for the other end.
Modifications:
ADDREF XF:freebsd-kqueue-dos(9774)
ADDREF BID:5405
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0831 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Baker
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> XF:freebsd-kqueue-dos(9774)
URL:http://www.iss.net/security_center/static/9774.php
BID:5405
URL:http://www.securityfocus.com/bid/5405
======================================================
Candidate: CAN-2002-0845
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0845
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020809
Category: SF
Reference: BUGTRAQ:20020808 EEYE: Sun(TM) ONE / iPlanet Web Server 4.1 and 6.0 Remote Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102890933623192&w=2
Reference: CONFIRM:http://www.sun.com/service/support/software/iplanet/alerts/transferencodingalert-23july2002.html
Reference: XF:iplanet-chunked-encoding-bo(9799)
Reference: URL:http://www.iss.net/security_center/static/9799.php
Reference: BID:5433
Reference: URL:http://www.securityfocus.com/bid/5433
Buffer overflow in Sun ONE / iPlanet Web Server 4.1 and 6.0 allows
remote attackers to execute arbitrary code via an HTTP request using
chunked transfer encoding.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0845 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Armstrong, Baker, Wall, Foat
NOOP(1) Cox
======================================================
Candidate: CAN-2002-0846
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0846
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020809
Category: SF
Reference: BUGTRAQ:20020808 EEYE: Macromedia Shockwave Flash Malformed Header Overflow
Reference: BUGTRAQ:20020830 RE: Macromedia Shockwave Flash Malformed Header Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103072708329280&w=2
Reference: CONFIRM:http://www.macromedia.com/v1/handlers/index.cfm?ID=23293
Reference: XF:flash-swf-header-bo(9798)
Reference: URL:http://www.iss.net/security_center/static/9798.php
Reference: BID:5430
Reference: URL:http://www.securityfocus.com/bid/5430
The decoder for Macromedia Shockwave Flash allows remote attackers to
execute arbitrary code via a malformed SWF header that contains more
data than the specified length.
Modifications:
ADDREF BUGTRAQ:20020830 RE: Macromedia Shockwave Flash Malformed Header Overflow
ADDREF XF:flash-swf-header-bo(9798)
ADDREF BID:5430
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0846 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Armstrong, Baker, Cox, Wall
NOOP(2) Christey, Foat
Voter Comments:
Christey> BUGTRAQ:20020830 RE: Macromedia Shockwave Flash Malformed Header Overflow
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103072708329280&w=2
Christey> XF:flash-swf-header-bo(9798)
URL:http://www.iss.net/security_center/static/9798.php
BID:5430
URL:http://www.securityfocus.com/bid/5430
======================================================
Candidate: CAN-2002-0847
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0847
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020809
Category: SF
Reference: DEBIAN:DSA-145
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102874450402924&w=2
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=88790
Reference: XF:tinyproxy-memory-corruption(9079)
Reference: URL:http://www.iss.net/security_center/static/9079.php
Reference: BID:4731
Reference: URL:http://www.securityfocus.com/bid/4731
tinyproxy HTTP proxy 1.5.0, 1.4.3, and earlier allows remote attackers
to execute arbitrary code via memory that is freed twice
(double-free).
Analysis
--------
Vendor Acknowledgement: yes advisory
ACKNOWLEDGEMENT: the vendor's changelog for 1.5.0 states: "Fixed a
bunch of memory leaks, and situations where memory was being freed
twice (a potential security problem.)"
INFERRED ACTION: CAN-2002-0847 ACCEPT (3 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Baker
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-0848
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0848
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020809
Category: SF
Reference: CISCO:20020807 Cisco VPN 5000 Series Concentrator RADIUS PAP Authentication Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/vpn5k-radius-pap-vuln-pub.shtml
Reference: XF:cisco-vpn5000-plaintext-password(9781)
Reference: URL:http://www.iss.net/security_center/static/9781.php
Reference: BID:5417
Reference: URL:http://www.securityfocus.com/bid/5417
Cisco VPN 5000 series concentrator hardware 6.0.21.0002 and earlier,
and 5.2.23.0003 and earlier, when using RADIUS with a challenge type
of Password Authentication Protocol (PAP) or Challenge, sends the user
password in cleartext in a validation retry request, which could allow
remote attackers to steal passwords via sniffing.
Modifications:
ADDREF XF:cisco-vpn5000-plaintext-password(9781)
ADDREF BID:5417
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0848 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Armstrong, Baker, Wall, Foat
NOOP(2) Christey, Cox
Voter Comments:
Christey> XF:cisco-vpn5000-plaintext-password(9781)
URL:http://www.iss.net/security_center/static/9781.php
BID:5417
URL:http://www.securityfocus.com/bid/5417
======================================================
Candidate: CAN-2002-0851
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0851
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020810
Category: SF
Reference: VULNWATCH:20020809 Local Root Exploit
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0068.html
Reference: SUSE:SuSE-SA:2002:030
Reference: XF:isdn4linux-ipppd-format-string(9811)
Reference: URL:http://www.iss.net/security_center/static/9811.php
Reference: BID:5437
Reference: URL:http://www.securityfocus.com/bid/5437
Format string vulnerability in ISDN Point to Point Protocol (PPP)
daemon (ipppd) in the ISDN4Linux (i4l) package allows local users to
gain root privileges via format strings in the device name command
line argument, which is not properly handled in a call to syslog.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0851 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Armstrong, Baker, Wall
NOOP(2) Cox, Foat
======================================================
Candidate: CAN-2002-0853
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0853
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020812
Category: SF
Reference: CISCO:20020812 Cisco VPN Client Multiple Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/707/vpnclient-multiple-vuln-pub.shtml
Reference: CERT-VN:VU#287771
Reference: URL:http://www.kb.cert.org/vuls/id/287771
Reference: XF:cisco-vpn-zerolength-dos(9821)
Reference: URL:http://www.iss.net/security_center/static/9821.php
Reference: BID:5440
Reference: URL:http://www.securityfocus.com/bid/5440
Cisco Virtual Private Network (VPN) Client 3.5.4 and earlier allows
remote attackers to cause a denial of service (CPU consumption) via a
packet with a zero-length payload.
Modifications:
ADDREF CERT-VN:VU#287771
ADDREF XF:cisco-vpn-zerolength-dos(9821)
ADDREF BID:5440
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0853 ACCEPT (5 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Armstrong, Baker, Wall, Foat
NOOP(2) Christey, Cox
Voter Comments:
Christey> CERT-VN:VU#287771
URL:http://www.kb.cert.org/vuls/id/287771
XF:cisco-vpn-zerolength-dos(9821)
URL:http://www.iss.net/security_center/static/9821.php
BID:5440
URL:http://www.securityfocus.com/bid/5440
======================================================
Candidate: CAN-2002-0856
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0856
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020813
Category: SF
Reference: ISS:20020813 Remote Denial of Service Vulnerability in Oracle9i SQL*NET
Reference: URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20941
Reference: VULNWATCH:20020813 ISS Security Brief: Remote Denial of Service Vulnerability in Oracle9i SQL*NET
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0072.html
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/2002alert38rev1.pdf
Reference: XF:oracle-listener-debug-dos(9237)
Reference: URL:http://www.iss.net/security_center/static/9237.php
Reference: BID:5457
Reference: URL:http://www.securityfocus.com/bid/5457
SQL*NET listener for Oracle Net Oracle9i 9.0.x and 9.2 allows remote
attackers to cause a denial of service (crash) via certain debug
requests that are not properly handled by the debugging feature.
Modifications:
ADDREF BID:5457
ADDREF VULNWATCH:20020813 ISS Security Brief: Remote Denial of Service Vulnerability in Oracle9i SQL*NET
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0856 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Armstrong, Baker
NOOP(5) Cole, Christey, Cox, Wall, Foat
Voter Comments:
Christey> BID:5457
URL:http://www.securityfocus.com/bid/5457
VULNWATCH:20020813 ISS Security Brief: Remote Denial of Service Vulnerability in Oracle9i SQL*NET
URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0072.html
======================================================
Candidate: CAN-2002-0859
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0859
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020815
Category: SF
Reference: BUGTRAQ:20020619 Microsoft SQL Server 2000 OpenDataSource Buffer Overflow (#NISR19062002)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102450188620081&w=2
Reference: MISC:http://www.nextgenss.com/advisories/mssql-ods.txt
Reference: XF:mssql-jet-ods-bo(9375)
Reference: URL:http://www.iss.net/security_center/static/9375.php
Reference: BID:5057
Reference: URL:http://www.securityfocus.com/bid/5057
Reference: MSKB:Q282010
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q282010
Buffer overflow in the OpenDataSource function of the Jet engine on
Microsoft SQL Server 2000 allows remote attackers to execute arbitrary
code.
Modifications:
ADDREF XF:mssql-jet-ods-bo(9375)
ADDREF MSKB:Q282010
ADDREF BID:5057
ADDREF MISC:http://www.nextgenss.com/advisories/mssql-ods.txt
Analysis
--------
Vendor Acknowledgement: yes via-email
ACKNOWLEDGEMENT: the KB article referenced by NGSSoftware does not
explicitly acknowledge the issue; however, Microsoft did acknowledge
the issue via an email inquiry.
INFERRED ACTION: CAN-2002-0859 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Green, Baker, Wall
MODIFY(1) Frech
NOOP(2) Cox, Foat
Voter Comments:
Frech> XF:mssql-jet-ods-bo(9375)
======================================================
Candidate: CAN-2002-0860
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0860
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020815
Category: SF
Reference: MS:MS02-044
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-044.asp
Reference: BUGTRAQ:20020408 Reading local files with OWC in IE (GM#006-IE)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101829911018463&w=2
Reference: XF:owc-spreadsheet-loadtext-read-files(8778)
Reference: URL:http://www.iss.net/security_center/static/8778.php
Reference: BID:4453
Reference: URL:http://online.securityfocus.com/bid/4453
The LoadText method in the spreadsheet component in Microsoft Office
Web Components (OWC) 2000 and 2002 allows remote attackers to read
arbitrary files through Internet Explorer via a URL that redirects to
the target file.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0860 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Armstrong, Baker, Wall
NOOP(2) Cox, Foat
======================================================
Candidate: CAN-2002-0871
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0871
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: DEBIAN:DSA-151
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102927065426172&w=2
Reference: MANDRAKE:MDKSA-2002:053
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-053.php
Reference: REDHAT:RHSA-2002:196
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-196.html
Reference: BUGTRAQ:20020814 GLSA: xinetd
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102935383506155&w=2
Reference: XF:xinetd-signal-leak-dos(9844)
Reference: URL:http://www.iss.net/security_center/static/9844.php
Reference: BID:5458
Reference: URL:http://www.securityfocus.com/bid/5458
xinetd 2.3.4 leaks file descriptors for the signal pipe to services
that are launched by xinetd, which could allow those services to cause
a denial of service via the pipe.
Modifications:
DESC fix typo
ADDREF MANDRAKE:MDKSA-2002:053
ADDREF XF:xinetd-signal-leak-dos(9844)
ADDREF BID:5458
ADDREF REDHAT:RHSA-2002:196
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0871 ACCEPT (5 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Armstrong, Baker, Cox, Foat
NOOP(2) Christey, Wall
Voter Comments:
Christey> MANDRAKE:MDKSA-2002:053
URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-053.php
XF:xinetd-signal-leak-dos(9844)
URL:http://www.iss.net/security_center/static/9844.php
BID:5458
URL:http://www.securityfocus.com/bid/5458
Christey> typo: "allow those services cause"
Christey> REDHAT:RHSA-2002:196
fix typo: say "to cause"
======================================================
Candidate: CAN-2002-0872
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0872
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020813 New l2tpd release 0.68
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0102.html
Reference: DEBIAN:DSA-152
Reference: URL:http://www.debian.org/security/2002/dsa-152
Reference: BID:5451
Reference: URL:http://www.securityfocus.com/bid/5451
Reference: XF:l2tpd-rand-number-predictable(9845)
Reference: URL:http://www.iss.net/security_center/static/9845.php
l2tpd 0.67 does not initialize the random number generator, which
allows remote attackers to hijack sessions.
Modifications:
ADDREF BUGTRAQ:20020813 New l2tpd release 0.68
ADDREF BID:5451
ADDREF XF:l2tpd-rand-number-predictable(9845)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0872 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Baker
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> BUGTRAQ:20020813 New l2tpd release 0.68
URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0102.html
BID:5451
URL:http://www.securityfocus.com/bid/5451
XF:l2tpd-rand-number-predictable(9845)
URL:http://www.iss.net/security_center/static/9845.php
======================================================
Candidate: CAN-2002-0873
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0873
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020813 New l2tpd release 0.68
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102925612907148&w=2
Reference: DEBIAN:DSA-152
Reference: URL:http://www.debian.org/security/2002/dsa-152
Reference: XF:l2tpd-vendor-field-bo(10460)
Reference: URL:http://www.iss.net/security_center/static/10460.php
Vulnerability in l2tpd 0.67 allows remote attackers to overwrite the
vendor field via a long value in an attribute/value pair, possibly via
a buffer overflow.
Modifications:
ADDREF XF:l2tpd-vendor-field-bo(10460)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0873 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Baker
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> Consider deleting the Bugtraq reference, as it doesn't seem
to mention this issue, unless it's the one with the title
"Fix some off by 6 errors in avp handling"
======================================================
Candidate: CAN-2002-0875
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0875
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: DEBIAN:DSA-154
Reference: URL:http://www.debian.org/security/2002/dsa-154
Reference: SGI:20000301-03-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20000301-03-I
Reference: FREEBSD:FreeBSD-SN-02:05
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:05.asc
Reference: BID:5487
Reference: URL:http://online.securityfocus.com/bid/5487
Reference: XF:sgi-fam-insecure-permissions(9880)
Reference: URL:http://www.iss.net/security_center/static/9880.php
Vulnerability in FAM 2.6.8, 2.6.6, and other versions allows
unprivileged users to obtain the names of files whose access is
restricted to the root group.
Modifications:
ADDREF SGI:20000301-03-I
ADDREF FREEBSD:FreeBSD-SN-02:05
ADDREF BID:5487
ADDREF XF:sgi-fam-insecure-permissions(9880)
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0875 ACCEPT (3 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Baker
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> SGI:20000301-03-I
FREEBSD:FreeBSD-SN-02:05
URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:05.asc
BID:5487
URL:http://online.securityfocus.com/bid/5487
XF:sgi-fam-insecure-permissions(9880)
URL:http://www.iss.net/security_center/static/9880.php
======================================================
Candidate: CAN-2002-0887
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0887
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20010522 [SRT2001-10] - scoadmin /tmp issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99057164129869&w=2
Reference: CALDERA:CSSA-2002-SCO.22
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.22/CSSA-2002-SCO.22.txt
Reference: BID:4875
Reference: URL:http://www.securityfocus.com/bid/4875
Reference: XF:openserver-scoadmin-symlink(9210)
Reference: URL:http://www.iss.net/security_center/static/9210.php
scoadmin for Caldera/SCO OpenServer 5.0.5 and 5.0.6 allows local users
to overwrite arbitrary files via a symlink attack on temporary files,
as demonstrated using log files.
Modifications:
DESC clarify role of log files
Analysis
--------
Vendor Acknowledgement: yes advisory
ACKNOWLEDGEMENT: The Caldera advisory credits "Kevin Finisterre
(dotslash@snosoft.com)" with this issue, and he is credited by the
original poster to Bugtraq.
INFERRED ACTION: CAN-2002-0887 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Armstrong, Alderson, Baker, Frech
MODIFY(1) Jones
NOOP(2) Cox, Foat
Voter Comments:
Jones> Suggest removing "log" from CVE description (i.e., "... on
temporary files."). Caldera indicates "temporary files", which could be
other than log files; log file was used by discoverer as a proof-of-concept,
but problem is application's creation and use of temporary files in general.
======================================================
Candidate: CAN-2002-0889
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0889
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: VULN-DEV:20020428 QPopper 4.0.4 buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102003707432457&w=2
Reference: BUGTRAQ:20020428 QPopper 4.0.4 buffer overflow
Reference: URL:http://online.securityfocus.com/archive/1/269969
Reference: CALDERA:CSSA-2002-SCO.20
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.20/CSSA-2002-SCO.20.txt
Reference: XF:qpopper-bulldir-bo(8949)
Reference: URL:http://www.iss.net/security_center/static/8949.php
Reference: BID:4614
Reference: URL:http://www.securityfocus.com/bid/4614
Buffer overflow in Qpopper (popper) 4.0.4 and earlier allows local
users to cause a denial of service and possibly execute arbitrary code
via a long bulldir argument in the user's .qpopper-options
configuration file.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0889 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(6) Cole, Armstrong, Alderson, Baker, Frech, Jones
NOOP(2) Cox, Foat
======================================================
Candidate: CAN-2002-0891
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0891
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020527 Netscreen 25 unauthorised reboot issue
Reference: URL:http://online.securityfocus.com/archive/1/274240
Reference: CONFIRM:http://www.netscreen.com/support/ns25_reboot.html
Reference: XF:netscreen-screenos-username-dos(9186)
Reference: URL:http://www.iss.net/security_center/static/9186.php
Reference: BID:4842
Reference: URL:http://www.securityfocus.com/bid/4842
The web interface (WebUI) of NetScreen ScreenOS before 2.6.1r8, and
certain 2.8.x and 3.0.x versions before 3.0.3r1, allows remote
attackers to cause a denial of service (crash) via a long user name.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0891 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Armstrong, Alderson, Baker, Frech
MODIFY(1) Jones
NOOP(3) Christey, Cox, Foat
Voter Comments:
Jones> Per NetScreen Alert, vulnerable versions should be: "versions
prior to 2.6.1r8, 2.8.0r2, 2.8.1r1, 3.0.1r2, 3.0.2r3, and 3.0.3r1."
Christey> The NetScreen alert referenced in the CONFIRM URL, dated
June 3, 2002, says that the problem was "addressed in all
versions of ScreenOS released after April 23, 2002. This list
includes versions 2.6.1r8 and later, 2.8.0r2 and later, 2.8.1r1 and
later, 3.0.1r2 and later, 3.0.2r3 and later, 3.0.3r1 and
later"
I've modified the description to reflect these ranges, though
not to the level of detail covered by the advisory.
======================================================
Candidate: CAN-2002-0892
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0892
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: CF
Reference: BUGTRAQ:20020522 Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
Reference: URL:http://online.securityfocus.com/archive/1/273615
Reference: VULNWATCH:20020522 [VulnWatch] Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0077.html
Reference: CONFIRM:http://www.newatlanta.com/do/findFaq?faq_id=151
Reference: BID:4793
Reference: URL:http://www.securityfocus.com/bid/4793
Reference: XF:servletexec-jsp10servlet-path-disclosure(9139)
Reference: URL:http://www.iss.net/security_center/static/9139.php
The default configuration of NewAtlanta ServletExec ISAPI 4.1 allows
remote attackers to determine the path of the web root via a direct
request to com.newatlanta.servletexec.JSP10Servlet without a filename,
which leaks the pathname in an error message.
Analysis
--------
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: The ServletExec FAQ item 151 has the question "If I
request a JSP page that does not exist I receive a response in my
browser which discloses the absolute path to my web server's document
root or to the document root of my web application. Isn't this a
security risk?" The response is: "Use the errorPage init parameter
with the JSP10Servlet so that the JSP10Servlet will no longer use the
default response which discloses the path."
INFERRED ACTION: CAN-2002-0892 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Armstrong, Alderson, Baker, Frech
MODIFY(1) Jones
NOOP(2) Cox, Foat
Voter Comments:
Jones> CVE description should read "... via a direct request to
/servlet/com.newatlanta.servletexec.JSP10Servlet/ without ..."
======================================================
Candidate: CAN-2002-0897
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0897
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: VULNWATCH:20020524 [SecurityOffice] LocalWeb2000 Web Server Protected File Access Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0079.html
Reference: BUGTRAQ:20020524 [SecurityOffice] LocalWeb2000 Web Server Protected File Access Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/274020
Reference: BID:4820
Reference: URL:http://www.securityfocus.com/bid/4820
Reference: XF:localweb2k-protection-bypass(9165)
Reference: URL:http://www.iss.net/security_center/static/9165.php
LocalWEB2000 2.1.0 web server allows remote attackers to bypass access
restrictions for restricted files via a URL that contains the "/./"
directory.
Modifications:
CHANGEREF VULNWATCH [normalize]
Analysis
--------
Vendor Acknowledgement:
ACKNOWLEDGEMENT: email inquiry sent to bugalert@intranet-server.co.uk
on July 28, 2002.
INFERRED ACTION: CAN-2002-0897 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Alderson, Frech, Jones
NOOP(4) Cole, Armstrong, Cox, Foat
======================================================
Candidate: CAN-2002-0898
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0898
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: NTBUGTRAQ:20020527 Reading ANY local file in Opera (GM#001-OP)
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=102256058220402&w=2
Reference: BUGTRAQ:20020527 Reading ANY local file in Opera (GM#001-OP)
Reference: URL:http://online.securityfocus.com/archive/1/274202
Reference: CONFIRM:http://www.opera.com/windows/changelog/log603.html
Reference: BID:4834
Reference: URL:http://www.securityfocus.com/bid/4834
Reference: XF:opera-browser-file-retrieval(9188)
Reference: URL:http://www.iss.net/security_center/static/9188.php
Opera 6.0.1 and 6.0.2 allows a remote web site to upload arbitrary
files from the client system, without prompting the client, via an
input type=file tag whose value contains a newline.
Modifications:
DESC fix typo
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the change log for Opera 6.0.3 says "Fixed security
issue with file upload, as reported by GreyMagic Software," the
discoverers of the issue.
INFERRED ACTION: CAN-2002-0898 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Armstrong, Alderson, Baker, Frech
MODIFY(1) Jones
NOOP(2) Cox, Foat
Voter Comments:
Jones> "arbiotrary" should be "arbitrary".
======================================================
Candidate: CAN-2002-0900
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0900
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020524 pks public key server DOS and remote execution
Reference: URL:http://online.securityfocus.com/archive/1/274107
Reference: CONFIRM:http://www.rubin.ch/pgp/src/patch_buffoverflow20020525
Reference: BID:4828
Reference: URL:http://www.securityfocus.com/bid/4828
Reference: XF:pgp-pks-search-bo(9171)
Reference: URL:http://www.iss.net/security_center/static/9171.php
Buffer overflow in pks PGP public key web server before 0.9.5 allows
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via a long search argument to the lookup
capability.
Modifications:
ADDREF CONFIRM:http://www.rubin.ch/pgp/src/patch_buffoverflow20020525
Analysis
--------
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: The PKS developer, Richard Laager, sent an email
February 25, 2003, saying that a patch was available. He also said
that 0.9.5 and later versions were fixed.
INFERRED ACTION: CAN-2002-0900 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Alderson, Frech
NOOP(6) Foat, Cole, Armstrong, Christey, Cox, Jones
Voter Comments:
Jones> Unclear which versions are vulnerable.
Christey> The PKS developer, Richard Laager, sent an email February 25,
2003, saying that a patch was available.
CONFIRM:http://www.rubin.ch/pgp/src/patch_buffoverflow20020525
He also says that 0.9.5 and later versions were fixed.
======================================================
Candidate: CAN-2002-0904
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0904
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: VULN-DEV:20020529 New Kismet Packages available - SayText() and suid kismet_server issues
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102269718506080&w=2
Reference: BUGTRAQ:20020528 New Kismet Packages available - SayText() and suid kismet_server issues
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0259.html
Reference: CONFIRM:http://www.kismetwireless.net/CHANGELOG
Reference: BID:4883
Reference: URL:http://www.securityfocus.com/bid/4883
Reference: XF:kismet-saytext-command-execution(9213)
Reference: URL:http://www.iss.net/security_center/static/9213.php
SayText function in Kismet 2.2.1 and earlier allows remote attackers
to execute arbitrary commands via shell metacharacters (backtick or
pipe) in the essid argument.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: In the vendor changelog, an entry dated "May 27 2002"
says "Fixed remote-exploitable hole (ack!) with specially crafted
SSID's"
INFERRED ACTION: CAN-2002-0904 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(6) Cole, Armstrong, Alderson, Baker, Frech, Jones
NOOP(2) Foat, Cox
======================================================
Candidate: CAN-2002-0906
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0906
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: CERT-VN:VU#814627
Reference: URL:http://www.kb.cert.org/vuls/id/814627
Reference: CONFIRM:http://www.sendmail.org/8.12.5.html
Reference: BID:5122
Reference: URL:http://www.securityfocus.com/bid/5122
Reference: XF:sendmail-dns-txt-bo(9443)
Reference: URL:http://www.iss.net/security_center/static/9443.php
Buffer overflow in Sendmail before 8.12.5, when configured to use a
custom DNS map to query TXT records, allows remote attackers to cause
a denial of service and possibly execute arbitrary code via a
malicious DNS server.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0906 ACCEPT (7 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(7) Foat, Cole, Green, Baker, Frech, Cox, Wall
======================================================
Candidate: CAN-2002-0911
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0911
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: CALDERA:CSSA-2002-024.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-024.0.txt
Reference: BID:4923
Reference: URL:http://www.securityfocus.com/bid/4923
Reference: XF:volution-manager-plaintext-password(9240)
Reference: URL:http://www.iss.net/security_center/static/9240.php
Caldera Volution Manager 1.1 stores the Directory Administrator
password in cleartext in the slapd.conf file, which could allow local
users to gain privileges.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0911 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Frech
NOOP(2) Foat, Wall
======================================================
Candidate: CAN-2002-0914
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0914
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020601 SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0295.html
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=93065
Reference: BID:4908
Reference: URL:http://www.securityfocus.com/bid/4908
Reference: XF:courier-mta-year-dos(9228)
Reference: URL:http://www.iss.net/security_center/static/9228.php
Double Precision Courier e-mail MTA allows remote attackers to cause a
denial of service (CPU consumption) via a message with an extremely
large or negative value for the year, which causes a tight loop.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the changelog includes an item dated 2002-05-20 that
says "rfc822_parsedt.c (rfc822_parsedt): Ignore obviously invalid
years (someone else can worry about Y10K)."
INFERRED ACTION: CAN-2002-0914 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Frech
NOOP(2) Foat, Wall
======================================================
Candidate: CAN-2002-0916
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0916
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: VULNWATCH:20020603 [VulnWatch] [DER #11] - Remotey exploitable fmt string bug in squid
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0087.html
Reference: BUGTRAQ:20020604 [DER #11] - Remotey exploitable fmt string bug in squid
Reference: URL:http://online.securityfocus.com/archive/1/275347
Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.4/diff-2.4.STABLE6-2.4.STABLE7.gz
Reference: BID:4929
Reference: URL:http://www.securityfocus.com/bid/4929
Reference: XF:msntauth-squid-format-string(9248)
Reference: URL:http://www.iss.net/security_center/static/9248.php
Format string vulnerability in the allowuser code for the Stellar-X
msntauth authentication module, as distributed in Squid 2.4.STABLE6
and earlier, allows remote attackers to execute arbitrary code via
format strings in the user name, which are not properly handled in a
syslog call.
Analysis
--------
Vendor Acknowledgement: yes diff
ACKNOWLEDGEMENT: while there are no vendor advisories that explicitly
mention the format string issues, it is obvious from the diff (and via
e-mail confirmation) that major changes were made to the code, which
addressed the format string and buffer overflow issues as originally
reported. It should be noted that the Squid distribution is fixed, but
the original Stellar-X is not (as of July 29).
INFERRED ACTION: CAN-2002-0916 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Frech
NOOP(2) Foat, Wall
======================================================
Candidate: CAN-2002-0935
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0935
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: VULNWATCH:20020620 [VulnWatch] KPMG-2002025: Apache Tomcat Denial of Service
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0120.html
Reference: BUGTRAQ:20020620 KPMG-2002025: Apache Tomcat Denial of Service
Reference: URL:http://online.securityfocus.com/archive/1/277940
Reference: XF:tomcat-null-thread-dos(9396)
Reference: URL:http://www.iss.net/security_center/static/9396.php
Reference: BID:5067
Reference: URL:http://www.securityfocus.com/bid/5067
Apache Tomcat 4.0.3, and possibly other versions before 4.1.3 beta,
allows remote attackers to cause a denial of service (resource
exhaustion) via a large number of requests to the server with null
characters, which causes the working threads to hang.
Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed
INFERRED ACTION: CAN-2002-0935 ACCEPT (4 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Green, Baker, Frech
NOOP(3) Foat, Cox, Wall
Voter Comments:
Green> - SECURITYTRACKER REPORTS THAT THE ISSUE HAS BEEN ACKNOWLEDGED BY APACHE
======================================================
Candidate: CAN-2002-0938
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0938
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020614 XSS in CiscoSecure ACS v3.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0156.html
Reference: BUGTRAQ:20020621 Re: XSS in CiscoSecure ACS v3.0
Reference: URL:http://online.securityfocus.com/archive/1/278222
Reference: BID:5026
Reference: URL:http://www.securityfocus.com/bid/5026
Reference: XF:ciscosecure-web-css(9353)
Reference: URL:http://www.iss.net/security_center/static/9353.php
Cross-site scripting vulnerability in CiscoSecure ACS 3.0 allows
remote attackers to execute arbitrary script or HTML as other web
users via the action argument in a link to setup.exe.
Analysis
--------
Vendor Acknowledgement: yes followup
INFERRED ACTION: CAN-2002-0938 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Green, Baker, Frech, Wall
NOOP(2) Foat, Cox
======================================================
Candidate: CAN-2002-0941
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0941
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020617 nCipher Advisory #4: Console Java apps can leak passphrases on Windows
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0172.html
Reference: BID:5024
Reference: URL:http://www.securityfocus.com/bid/5024
Reference: XF:ncipher-consolecallback-passphrase-leak(9354)
Reference: URL:http://www.iss.net/security_center/static/9354.php
The ConsoleCallBack class for nCipher running under JRE 1.4.0 and
1.4.0_01, as used by the TrustedCodeTool and possibly other
applications, may leak a passphrase when the user aborts an
application that is prompting for the passphrase, which could allow
attackers to gain privileges.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0941 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Green, Baker, Frech
NOOP(3) Foat, Cox, Wall
======================================================
Candidate: CAN-2002-0945
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0945
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020608 SeaNox Devwex - Denial of Service and Directory traversal
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0056.html
Reference: CONFIRM:http://www.seanox.de/projects.devwex.php
Reference: XF:devwex-get-bo(9298)
Reference: URL:http://www.iss.net/security_center/static/9298.php
Reference: BID:4979
Reference: URL:http://www.securityfocus.com/bid/4979
Buffer overflow in SeaNox Devwex allows remote attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a
long HTTP GET request.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: The vendor's "Historie" page (accessible on the left
hand menu) has an item dated June 1, 2002, which states (based on a
Google translation): "the directory handling [was] revised around a
safe and errortolerant path processing. The ms Java could be brought
by ueberladene [long?] Requests to VM to [cause a] crash."
INFERRED ACTION: CAN-2002-0945 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Frech
NOOP(2) Foat, Wall
======================================================
Candidate: CAN-2002-0946
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0946
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020608 SeaNox Devwex - Denial of Service and Directory traversal
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0056.html
Reference: CONFIRM:http://www.seanox.de/projects.devwex.php
Reference: BID:4978
Reference: URL:http://www.securityfocus.com/bid/4978
Reference: XF:devwex-dotdot-directory-traversal(9299)
Reference: URL:http://www.iss.net/security_center/static/9299.php
Directory traversal vulnerability in SeaNox Devwex before 1.2002.0601
allows remote attackers to read arbitrary files via ..\ (dot dot)
sequences in an HTTP request.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: The vendor's "Historie" page (accessible on the left
hand menu) has an item dated June 1, 2002, which states (based on a
Google translation): "the directory handling [was] revised around a
safe and errortolerant path processing. The ms Java could be brought
by ueberladene [long?] Requests to VM to [cause a] crash."
INFERRED ACTION: CAN-2002-0946 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Frech
NOOP(2) Foat, Wall
======================================================
Candidate: CAN-2002-0947
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0947
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020612 Oracle Reports Server Buffer Overflow (#NISR12062002B)
Reference: URL:http://online.securityfocus.com/archive/1/276524
Reference: VULNWATCH:20020612 [VulnWatch] Oracle Reports Server Buffer Overflow (#NISR12062002B)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0097.html
Reference: CERT-VN:VU#997403
Reference: URL:http://www.kb.cert.org/vuls/id/997403
Reference: CONFIRM:http://technet.oracle.com/deploy/security/pdf/reports6i_alert.pdf
Reference: MISC:http://www.nextgenss.com/vna/ora-reports.txt
Reference: BID:4848
Reference: URL:http://www.securityfocus.com/bid/4848
Reference: XF:oracle-reports-server-bo(9289)
Reference: URL:http://www.iss.net/security_center/static/9289.php
Buffer overflow in rwcgi60 CGI program for Oracle Reports Server
6.0.8.18.0 and earlier, as used in Oracle9iAS and other products,
allows remote attackers to execute arbitrary code via a long database
name parameter.
Modifications:
DESC clarify role of Oracle9iAS
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0947 ACCEPT (6 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Armstrong, Alderson, Baker, Frech
MODIFY(1) Jones
NOOP(2) Foat, Cox
Voter Comments:
Jones> Suggest description read "...for Oracle Reports Server 6i Release
6.0.8.18.0 and earlier...", removing "9iAS" since Oracle advisory states
"any Oracle product" containing vulnerable version of the reports server.
======================================================
Candidate: CAN-2002-0952
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0952
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: CISCO:20020619 Cisco ONS15454 IP TOS Bit Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/ons-tos-vuln-pub.shtml
Reference: XF:cisco-ons-tcc-dos(9377)
Reference: URL:http://www.iss.net/security_center/static/9377.php
Reference: BID:5058
Reference: URL:http://www.securityfocus.com/bid/5058
Cisco ONS15454 optical transport platform running ONS 3.1.0 to 3.2.0
allows remote attackers to cause a denial of service (reset) by
sending IP packets with non-zero Type of Service (TOS) bits to the
Timing Control Card (TCC) LAN interface.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0952 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Green, Baker, Frech, Wall
NOOP(2) Foat, Cox
======================================================
Candidate: CAN-2002-0953
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0953
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020617 PHP source injection in PHPAddress
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0182.html
Reference: BUGTRAQ:20020619 Source Injection into PHPAddress
Reference: URL:http://online.securityfocus.com/archive/1/277987
Reference: XF:phpaddress-include-remote-files(9379)
Reference: URL:http://www.iss.net/security_center/static/9379.php
Reference: BID:5039
Reference: URL:http://www.securityfocus.com/bid/5039
globals.php in PHP Address before 0.2f, with the PHP allow_url_fopen
and register_globals variables enabled, allows remote attackers to
execute arbitrary PHP code via a URL to the code in the LangCookie
parameter.
Analysis
--------
Vendor Acknowledgement: yes followup
INFERRED ACTION: CAN-2002-0953 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Green, Baker, Frech
NOOP(3) Foat, Cox, Wall
======================================================
Candidate: CAN-2002-0958
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0958
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020606 [ARL02-A12] PHP(Reactor) Cross Site Scripting Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0034.html
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=91877
Reference: XF:phpreactor-browse-xss(9280)
Reference: URL:http://www.iss.net/security_center/static/9280.php
Reference: BID:4952
Reference: URL:http://www.securityfocus.com/bid/4952
Cross-site scripting vulnerability in browse.php for PHP(Reactor)
1.2.7 allows remote attackers to execute script as other users via the
go parameter in the comments section.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the vendor changelog for 1.2.7p1 says "fixed 2 XSS
errors." A source code diff of inc/global.inc.php in phpreactor-1.2.7
and phpreactor-1.2.7p1 shows that the only change was a call to
strip_tags() when setting the $go variable.
INFERRED ACTION: CAN-2002-0958 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Frech
NOOP(2) Foat, Wall
======================================================
Candidate: CAN-2002-0964
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0964
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020620 Half-life fake players bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0248.html
Reference: XF:halflife-mulitple-player-dos(9412)
Reference: URL:http://www.iss.net/security_center/static/9412.php
Reference: BID:5076
Reference: URL:http://www.securityfocus.com/bid/5076
Half-Life Server 1.1.1.0 and earlier allows remote attackers to cause
a denial of service (resource exhaustion) via multiple responses to
the initial challenge with different cd_key values, which reaches the
player limit and prevents other players from connecting until the
original responses have timed out.
Analysis
--------
Vendor Acknowledgement:
INFERRED ACTION: CAN-2002-0964 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Green, Baker, Frech
NOOP(4) Foat, Cole, Cox, Wall
======================================================
Candidate: CAN-2002-0965
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0965
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020612 Oracle TNS Listener Buffer Overflow (#NISR12062002A)
Reference: URL:http://online.securityfocus.com/archive/1/276526
Reference: VULNWATCH:20020612 [VulnWatch] Oracle TNS Listener Buffer Overflow (#NISR12062002A)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0096.html
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/net9_dos_alert.pdf
Reference: BID:4845
Reference: URL:http://www.securityfocus.com/bid/4845
Reference: XF:oracle-listener-servicename-bo(9288)
Reference: URL:http://www.iss.net/security_center/static/9288.php
Buffer overflow in TNS Listener for Oracle 9i Database Server on
Windows systems, and Oracle 8 on VM, allows local users to execute
arbitrary code via a long SERVICE_NAME parameter, which is not
properly handled when writing an error message to a log file.
Modifications:
DESC fix affected versions
ADDREF XF:oracle-listener-servicename-bo(9288)
Analysis
--------
Vendor Acknowledgement: yes advisory
ACKNOWLEDGEMENT: while the Oracle advisory itself does not explicitly
mention a buffer overflow, the link to this document on Oracle's
advisory page says "Buffer Overflow Vulnerability in Oracle Net
(Oracle9i Database Server)." This, combined with the acknowledgement
to the disclosers and correlated dates, provides sufficient
information to indicate acknowledgement.
INFERRED ACTION: CAN-2002-0965 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Armstrong, Alderson, Baker
MODIFY(2) Frech, Jones
NOOP(2) Foat, Cox
Voter Comments:
Jones> Oracle 9i Database Server on Windows systems and Oracle 8 on VM allows local
users to execute arbitrary code via a long SERVICE_NAME parameter, which is
not properly handled when forming an error message prior to writing to a log
file."
Frech> XF:oracle-listener-servicename-bo(9288)
======================================================
Candidate: CAN-2002-0967
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0967
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020606 eDonkey 2000 ed2k: URL Buffer Overflow
Reference: URL:http://online.securityfocus.com/archive/1/275708
Reference: CONFIRM:http://www.edonkey2000.com/
Reference: XF:edonkey2000-ed2k-filename-bo(9278)
Reference: URL:http://www.iss.net/security_center/static/9278.php
Reference: BID:4951
Reference: URL:http://www.securityfocus.com/bid/4951
Buffer overflow in eDonkey 2000 35.16.60 and earlier allows remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a long "ed2k:" URL.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: on the vendor's home page, an item dated 6.5.02
states "An security exploit in the windows GUI client has been
fixed... Thanks to Shane Hird [the notifier] for pointing it out to
us."
INFERRED ACTION: CAN-2002-0967 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Frech
NOOP(2) Foat, Wall
======================================================
Candidate: CAN-2002-0968
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0968
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020613 Remote DoS in AnalogX SimpleServer:www 1.16
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0106.html
Reference: BUGTRAQ:20020702 Re: Remote DoS in AnlaogX SimpleServer:www 1.16
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102563702928443&w=2
Reference: CONFIRM:http://www.analogx.com/contents/download/network/sswww.htm
Reference: BID:5006
Reference: URL:http://www.securityfocus.com/bid/5006
Reference: XF:analogx-simpleserver-at-dos(9338)
Reference: URL:http://www.iss.net/security_center/static/9338.php
Buffer overflow in AnalogX SimpleServer:WWW 1.16 and earlier allows
remote attackers to cause a denial of service (crash) and execute code
via a long HTTP request method name.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the change log for version 1.23 says "Fixed possible
exploit with large string commands."
INFERRED ACTION: CAN-2002-0968 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Green, Baker, Frech
NOOP(3) Foat, Cox, Wall
======================================================
Candidate: CAN-2002-0981
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0981
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020822
Category: SF
Reference: CALDERA:CSSA-2002-SCO.36
Reference: URL:ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.36/CSSA-2002-SCO.36.txt
Reference: XF:openunix-unixware-ndcfg-bo(9945)
Reference: URL:http://www.iss.net/security_center/static/9945.php
Reference: BID:5551
Reference: URL:http://www.securityfocus.com/bid/5551
Buffer overflow in ndcfg command for UnixWare 7.1.1 and Open UNIX
8.0.0 allows local users to execute arbitrary code via a long command
line.
Modifications:
ADDREF XF:openunix-unixware-ndcfg-bo(9945)
ADDREF BID:5551
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0981 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Baker
NOOP(4) Foat, Christey, Cox, Wall
Voter Comments:
Christey> XF:openunix-unixware-ndcfg-bo(9945)
URL:http://www.iss.net/security_center/static/9945.php
BID:5551
URL:http://www.securityfocus.com/bid/5551
======================================================
Candidate: CAN-2002-0984
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0984
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020823
Category: SF
Reference: BUGTRAQ:20020822 Light Security Advisory: Remotely-exploitable code execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0231.html
Reference: DEBIAN:DSA-156
Reference: URL:http://www.debian.org/security/2002/dsa-156
Reference: XF:light-channel-execute-script(9943)
Reference: URL:http://www.iss.net/security_center/static/9943.php
Reference: BID:5555
Reference: URL:http://www.securityfocus.com/bid/5555
The IRC script included in Light 2.7.x before 2.7.30p5, and 2.8.x
before 2.8pre10, running EPIC allows remote attackers to execute
arbitrary code if the user joins a channel whose topic includes EPIC4
code.
Modifications:
ADDREF BUGTRAQ:20020822 Light Security Advisory: Remotely-exploitable code execution
ADDREF XF:light-channel-execute-script(9943)
ADDREF BID:5555
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0984 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Baker
NOOP(4) Foat, Christey, Cox, Wall
Voter Comments:
Christey> XF:light-channel-execute-script(9943)
URL:http://www.iss.net/security_center/static/9943.php
BID:5555
URL:http://www.securityfocus.com/bid/5555
Christey> BUGTRAQ:20020822 Light Security Advisory: Remotely-exploitable code execution
URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0231.html
XF:light-channel-execute-script(9943)
URL:http://www.iss.net/security_center/static/9943.php
BID:5555
URL:http://www.securityfocus.com/bid/5555
======================================================
Candidate: CAN-2002-0987
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0987
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020826
Category: SF
Reference: CALDERA:CSSA-2002-SCO.38
Reference: URL:ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.38
Reference: XF:openunix-unixware-xsco-privileges(9976)
Reference: URL:http://www.iss.net/security_center/static/9976.php
Reference: BID:5575
Reference: URL:http://www.securityfocus.com/bid/5575
X server (Xsco) in OpenUNIX 8.0.0 and UnixWare 7.1.1 does not drop
privileges before calling programs such as xkbcomp using popen, which
could allow local users to gain privileges.
Modifications:
ADDREF XF:openunix-unixware-xsco-privileges(9976)
ADDREF BID:5575
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0987 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Baker
NOOP(3) Foat, Cox, Wall
======================================================
Candidate: CAN-2002-0988
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0988
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020826
Category: SF
Reference: CALDERA:CSSA-2002-SCO.38
Reference: URL:ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.38
Reference: XF:openunix-unixware-xsco-bo(9977)
Reference: URL:http://www.iss.net/security_center/static/9977.php
Reference: BID:5577
Reference: URL:http://www.securityfocus.com/bid/5577
Buffer overflow in X server (Xsco) in OpenUNIX 8.0.0 and UnixWare
7.1.1, possibly related to XBM/xkbcomp capabilities.
Modifications:
ADDREF XF:openunix-unixware-xsco-bo(9977)
ADDREF BID:5577
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-0988 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Baker
NOOP(3) Foat, Cox, Wall
======================================================
Candidate: CAN-2002-0989
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0989
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: CONFIRM:http://gaim.sourceforge.net/ChangeLog
Reference: DEBIAN:DSA-158
Reference: URL:http://www.debian.org/security/2002/dsa-158
Reference: CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=72728
Reference: MANDRAKE:MDKSA-2002:054
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:054
Reference: REDHAT:RHSA-2002:189
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-189.html
Reference: CONECTIVA:CLA-2002:521
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000521
Reference: HP:HPSBTL0209-067
Reference: URL:http://online.securityfocus.com/advisories/4471
Reference: FREEBSD:FreeBSD-SN-02:06
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:06.asc
Reference: BUGTRAQ:20020827 GLSA: gaim
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103046442403404&w=2
Reference: BID:5574
Reference: URL:http://www.securityfocus.com/bid/5574
Reference: XF:gaim-url-handler-command-execution(9978)
Reference: URL:http://www.iss.net/security_center/static/9978.php
The URL handler in the manual browser option for Gaim before 0.59.1
allows remote attackers to execute arbitrary script via shell
metacharacters in a link.
Modifications:
ADDREF MANDRAKE:MDKSA-2002:054
ADDREF REDHAT:RHSA-2002:189
ADDREF CONECTIVA:CLA-2002:521
ADDREF HP:HPSBTL0209-067
ADDREF FREEBSD:FreeBSD-SN-02:06
ADDREF XF:gaim-url-handler-command-execution(9978)
ADDREF BID:5574
Analysis
--------
Vendor Acknowledgement: yes
INFERRED ACTION: CAN-2002-0989 ACCEPT (4 accept, 5 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Armstrong, Baker, Cox
NOOP(3) Foat, Christey, Wall
Voter Comments:
Christey> ADDREF MANDRAKE:MDKSA-2002:054
Christey> REDHAT:RHSA-2002:189
URL:http://www.redhat.com/support/errata/RHSA-2002-189.html
Christey> CONECTIVA:CLA-2002:521
URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000521
BID:5574
URL:http://www.securityfocus.com/bid/5574
HP:HPSBTL0209-067
URL:http://online.securityfocus.com/advisories/4471
FREEBSD:FreeBSD-SN-02:06
URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:06.asc
XF:gaim-url-handler-command-execution(9978)
URL:http://www.iss.net/security_center/static/9978.php
======================================================
Candidate: CAN-2002-0995
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0995
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020702 PHPAuction bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0014.html
Reference: CONFIRM:http://www.phpauction.org/viewnew.php?id=5
Reference: XF:phpauction-admin-account-creation(9462)
Reference: URL:http://www.iss.net/security_center/static/9462.php
Reference: BID:5141
Reference: URL:http://www.securityfocus.com/bid/5141
login.php for PHPAuction allows remote attackers to gain privileges
via a direct call to login.php with the action parameter set to
"insert," which adds the provided username to the adminUsers table.
Analysis
--------
Vendor Acknowledgement: yes advisory
ACKNOWLEDGEMENT: the vendor's web site includes an advisory dated the
day after the initial Bugtraq post, which states "This fix addresses
the admin/login.php file and the possible security breach that could
occur without this change. It now has certain security checks added
for a safer admin back-end."
INFERRED ACTION: CAN-2002-0995 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Baker, Frech
NOOP(3) Foat, Cox, Wall
======================================================
Candidate: CAN-2002-1000
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1000
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020626 Foundstone Advisory - Buffer Overflow in AnalogX SimpleServer:Shout (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0338.html
Reference: CONFIRM:http://www.analogx.com/contents/download/network/ssshout.htm
Reference: BID:5104
Reference: URL:http://www.securityfocus.com/bid/5104
Reference: XF:analogx-simpleserver-shout-bo(9427)
Reference: URL:http://www.iss.net/security_center/static/9427.php
Buffer overflow in AnalogX SimpleServer:Shout 1.0 allows remote
attackers to cause a denial of service and execute arbitrary code via
a long request to TCP port 8001.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the changelog on the vendor web site includes an
entry for version 1.02 that "Fixed assert error found by Foundstone
[the discloser]."
INFERRED ACTION: CAN-2002-1000 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Green, Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-1002
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1002
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020812 NOVL-2002-2963081 - Novell iManager (eMFrame 1.2.1) DoS Attack
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0093.html
Reference: BUGTRAQ:20020627 Cluestick Advisory #001
Reference: URL:http://online.securityfocus.com/archive/1/279683
Reference: XF:netware-imanage-username-dos(9444)
Reference: URL:http://www.iss.net/security_center/static/9444.php
Reference: BID:5117
Reference: URL:http://www.securityfocus.com/bid/5117
Buffer overflow in Novell iManager (eMFrame 1.2.1) allows remote
attackers to cause a denial of service (crash) via a long user name.
Analysis
--------
Vendor Acknowledgement: yes followup
INFERRED ACTION: CAN-2002-1002 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Green, Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-1004
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1004
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020703 Argosoft Mail Server Plus/Pro Webmail Reverse Directory Traversal
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0029.html
Reference: CONFIRM:http://www.argosoft.com/applications/mailserver/changelist.asp
Reference: BID:5144
Reference: URL:http://www.securityfocus.com/bid/5144
Reference: XF:argosoft-dotdot-directory-traversal(9477)
Reference: URL:http://www.iss.net/security_center/static/9477.php
Directory traversal vulnerability in webmail feature of ArGoSoft Mail
Server Plus or Pro 1.8.1.5 and earlier allows remote attackers to read
arbitrary files via .. (dot dot) sequences in a URL.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the vendor's change log includes an entry for 1.8.1.6
dated July 03, 2002, which states "Fixed security problem with the
Webmail Reverse Directory Traversal, discovered by team n. finity [the
discloser]."
INFERRED ACTION: CAN-2002-1004 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-1006
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1006
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020701 PTL-2002-03 Betsie XSS Vuln
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0002.html
Reference: CONFIRM:http://www.bbc.co.uk/education/betsie/parser.pl.txt
Reference: BID:5135
Reference: URL:http://www.securityfocus.com/bid/5135
Reference: XF:betsie-parserl-xss(9468)
Reference: URL:http://www.iss.net/security_center/static/9468.php
Cross-site scripting (XSS) vulnerability in BBC Education Text to
Speech Internet Enhancer (Betsie) 1.5.11 and earlier allows remote
attackers to execute arbitrary web script via parserl.pl.
Modifications:
DESC add "XSS" acronym
Analysis
--------
Vendor Acknowledgement: yes patch
ACKNOWLEDGEMENT: the comments inside the parserl.pl script itself
(version 1.5.12 on August 18, 2002) include a statement to "Beat
cross-site scripting vulnerability," and the original Bugtraq poster
is thanked at the top of the page.
INFERRED ACTION: CAN-2002-1006 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-1013
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1013
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020702 CORE-20020620: Inktomi Traffic Server Buffer Overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0023.html
Reference: CONFIRM:http://support.inktomi.com/kb/070202-003.html
Reference: BID:5098
Reference: URL:http://www.securityfocus.com/bid/5098
Reference: XF:inktomi-trafficserver-manager-bo(9465)
Reference: URL:http://www.iss.net/security_center/static/9465.php
Buffer overflow in traffic_manager for Inktomi Traffic Server 4.0.18
through 5.2.2, Traffic Edge 1.1.2 and 1.5.0, and Media-IXT 3.0.4
allows local users to gain root privileges via a long -path argument.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-1013 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Frech> CONFIRM is now http://support.inktomi.com/kb/Private/070202-003.html,
and is only available to customers with a current support contract.
Christey> I will keep the original CONFIRM URL to indicate that, at
one point in time, the entire public could access a
confirmation note.
======================================================
Candidate: CAN-2002-1014
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1014
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020712 [SPSadvisory#48]RealONE Player Gold / RealJukebox2 Buffer Overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0127.html
Reference: CONFIRM:http://service.real.com/help/faq/security/bufferoverrun07092002.html
Reference: XF:realplayer-rjs-controlnimage-bo(9538)
Reference: URL:http://www.iss.net/security_center/static/9538.php
Reference: BID:5217
Reference: URL:http://www.securityfocus.com/bid/5217
Buffer overflow in RealJukebox 2 1.0.2.340 and 1.0.2.379, and RealOne
Player Gold 6.0.10.505, allows remote attackers to execute arbitrary
code via an RFS skin file whose skin.ini contains a long value in a
CONTROLnImage argument, such as CONTROL1Image.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-1014 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-1015
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1015
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020712 [SPSadvisory#47]RealONE Player Gold / RealJukebox2 skin file download vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0130.html
Reference: CONFIRM:http://service.real.com/help/faq/security/bufferoverrun07092002.html
Reference: XF:realplayer-rjs-file-download(9539)
Reference: URL:http://www.iss.net/security_center/static/9539.php
Reference: BID:5210
Reference: URL:http://www.securityfocus.com/bid/5210
RealJukebox 2 1.0.2.340 and 1.0.2.379, and RealOne Player Gold
6.0.10.505, allows remote attackers to execute arbitrary script in the
Local computer zone by inserting the script into the skin.ini file of
an RJS archive, then referencing skin.ini from a web page after it has
been extracted, which is parsed as HTML by Internet Explorer or other
Microsoft-based web readers.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-1015 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-1024
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1024
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: CERT-VN:VU#290140
Reference: URL:http://www.kb.cert.org/vuls/id/290140
Reference: CISCO:20020627 Scanning for SSH Can Cause a Crash
Reference: URL:http://www.cisco.com/warp/public/707/SSH-scanning.shtml
Reference: XF:cisco-ssh-scan-dos(9437)
Reference: URL:http://www.iss.net/security_center/static/9437.php
Reference: BID:5114
Reference: URL:http://www.securityfocus.com/bid/5114
Cisco IOS 12.0 through 12.2, when supporting SSH, allows remote
attackers to cause a denial of service (CPU consumption) via a large
packet that was designed to exploit the SSH CRC32 attack detection
overflow (CVE-2001-0144).
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-1024 ACCEPT (5 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(5) Green, Baker, Frech, Wall, Cole
NOOP(2) Cox, Foat
======================================================
Candidate: CAN-2002-1025
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1025
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: VULNWATCH:20020701 [VulnWatch] KPMG-2002026: Jrun sourcecode Disclosure
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0138.html
Reference: BUGTRAQ:20020701 KPMG-2002026: Jrun sourcecode Disclosure
Reference: URL:http://online.securityfocus.com/archive/1/280062
Reference: CONFIRM:http://www.macromedia.com/v1/handlers/index.cfm?ID=23164
Reference: BID:5134
Reference: URL:http://www.securityfocus.com/bid/5134
Reference: XF:jrun-null-view-source(9459)
Reference: URL:http://www.iss.net/security_center/static/9459.php
JRun 3.0 through 4.0 allows remote attackers to read JSP source code
via an encoded null byte in an HTTP GET request, which causes the
server to send the .JSP file unparsed.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-1025 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-1030
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1030
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: VULNWATCH:20020708 [VulnWatch] KPMG-2002029: Bea Weblogic Performance Pack Denial of Service
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0008.html
Reference: BUGTRAQ:20020708 KPMG-2002029: Bea Weblogic Performance Pack Denial of Service
Reference: URL:http://online.securityfocus.com/archive/1/281046
Reference: CONFIRM:http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2Fadvisory_BEA02-19.htm
Reference: BID:5159
Reference: URL:http://www.securityfocus.com/bid/5159
Reference: XF:weblogic-race-condition-dos(9486)
Reference: URL:http://www.iss.net/security_center/static/9486.php
Race condition in Performance Pack in BEA WebLogic Server and Express
5.1.x, 6.0.x, 6.1.x and 7.0 allows remote attackers to cause a denial
of service (crash) via a flood of data and connections.
Analysis
--------
Vendor Acknowledgement: yes advisory
ACKNOWLEDGEMENT: the advisory credits KPMG (the discloser) for
discovering the issue.
INFERRED ACTION: CAN-2002-1030 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-1031
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1031
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020707 KF Web Server version 1.0.2 shows file and directory content
Reference: URL:http://online.securityfocus.com/archive/1/281102
Reference: VULNWATCH:20020707 [VulnWatch] KF Web Server version 1.0.2 shows file and directory content
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0007.html
Reference: CONFIRM:http://www.keyfocus.net/kfws/support/
Reference: BID:5177
Reference: URL:http://www.securityfocus.com/bid/5177
Reference: XF:kfwebserver-null-view-dir(9500)
Reference: URL:http://www.iss.net/security_center/static/9500.php
KeyFocus (KF) web server 1.0.2 allows remote attackers to list
directories and read restricted files via an HTTP request containing a
%00 (null) character.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the vendor's change log for 1.0.3, dated July 4,
2002, states: "Security vulnerability - %00. If the requested URL
contains a %00 after a directory name, then the server used to
generate an index of the files in the directory."
INFERRED ACTION: CAN-2002-1031 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-1035
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1035
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020701 BufferOverflow in OmniHTTPd 2.09
Reference: URL:http://online.securityfocus.com/archive/1/280132
Reference: XF:omnihttpd-http-version-bo(9457)
Reference: URL:http://www.iss.net/security_center/static/9457.php
Reference: BID:5136
Reference: URL:http://www.securityfocus.com/bid/5136
Omnicron OmniHTTPd 2.09 allows remote attackers to cause a denial of
service (crash) via an HTTP request with a long, malformed HTTP
version number.
Analysis
--------
Vendor Acknowledgement: yes via-email
ACKNOWLEDGEMENT: an email inquiry was sent to support@omnicron.ca on
August 22, 2002, and the vendor replied on August 24 that the
vulnerability was fixed in version 2.10.
INFERRED ACTION: CAN-2002-1035 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-1039
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1039
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: VULNWATCH:20020714 [VulnWatch] Double Choco Latte multiple vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0022.html
Reference: BUGTRAQ:20020714 Double Choco Latte multiple vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102668783632589&w=2
Reference: CONFIRM:http://dcl.sourceforge.net/index.php
Reference: XF:dcl-dotdot-directory-traversal(9743)
Reference: URL:http://www.iss.net/security_center/static/9743.php
Directory traversal vulnerability in Double Choco Latte (DCL) before
20020706 allows remote attackers to read arbitrary files via .. (dot
dot) sequences when downloading files from the Projects: Attachments
feature.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the vendor's changelog, dated July 6, 2002, states:
"Fix to prevent file download spoofing."
INFERRED ACTION: CAN-2002-1039 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-1046
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1046
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: VULNWATCH:20020709 KPMG-2002030: Watchguard Firebox Dynamic VPN Configuration Protocol DoS
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0012.html
Reference: BID:5186
Reference: URL:http://www.securityfocus.com/bid/5186
Reference: XF:firebox-dvcp-dos(9509)
Reference: URL:http://www.iss.net/security_center/static/9509.php
Dynamic VPN Configuration Protocol service (DVCP) in Watchguard
Firebox firmware 5.x.x allows remote attackers to cause a denial of
service (crash) via a malformed packet containing tab characters to
TCP port 4110.
Modifications:
CHANGEREF VULNWATCH [normalize]
Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed
INFERRED ACTION: CAN-2002-1046 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Frech, Foat
NOOP(3) Cox, Wall, Cole
======================================================
Candidate: CAN-2002-1049
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1049
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020729 HylaFAX - Various Vulnerabilities Fixed
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0358.html
Reference: DEBIAN:DSA-148
Reference: URL:http://www.debian.org/security/2002/dsa-148
Reference: MANDRAKE:MDKSA-2002:055
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:055
Reference: SUSE:SuSE-SA:2002:035
Reference: URL:http://www.suse.de/de/security/2002_035_hylafax.html
Reference: CONFIRM:http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=300
Reference: BID:5348
Reference: URL:http://www.securityfocus.com/bid/5348
Reference: XF:hylafax-faxgetty-tsi-dos(9728)
Reference: URL:http://www.iss.net/security_center/static/9728.php
Format string vulnerability in HylaFAX faxgetty before 4.1.3 allows
remote attackers to cause a denial of service (crash) via the TSI data
element.
Modifications:
ADDREF MANDRAKE:MDKSA-2002:055
ADDREF SUSE:SuSE-SA:2002:035
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-1049 ACCEPT_ACK (2 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> MANDRAKE:MDKSA-2002:055
Christey> SUSE:SuSE-SA:2002:035
======================================================
Candidate: CAN-2002-1050
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1050
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020729 HylaFAX - Various Vulnerabilities Fixed
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0358.html
Reference: DEBIAN:DSA-148
Reference: URL:http://www.debian.org/security/2002/dsa-148
Reference: CONFIRM:http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=312
Reference: MANDRAKE:MDKSA-2002:055
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:055
Reference: SUSE:SuSE-SA:2002:035
Reference: URL:http://www.suse.de/de/security/2002_035_hylafax.html
Reference: BID:5349
Reference: URL:http://www.securityfocus.com/bid/5349
Reference: XF:hylafax-faxgetty-image-bo(9729)
Reference: URL:http://www.iss.net/security_center/static/9729.php
Buffer overflow in HylaFAX faxgetty before 4.1.3 allows remote
attackers to cause a denial of service, and possibly execute arbitrary
code, via a long line of image data.
Modifications:
ADDREF MANDRAKE:MDKSA-2002:055
ADDREF SUSE:SuSE-SA:2002:035
DESC fix typo
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-1050 ACCEPT_ACK (2 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> MANDRAKE:MDKSA-2002:055
Christey> SUSE:SuSE-SA:2002:035
Close off parenthesis in desc.
Christey> fix typo (extra parenthesis)
======================================================
Candidate: CAN-2002-1051
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1051
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020606 Format String bug in TrACESroute 6.0 GOLD
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0040.html
Reference: BUGTRAQ:20020721 Nanog traceroute format string exploit.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102737546927749&w=2
Reference: BUGTRAQ:20020723 Re: Nanog traceroute format string exploit.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0254.html
Reference: BUGTRAQ:20020724 Re: Nanog traceroute format string exploit.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102753136231920&w=2
Reference: SUSE:SuSE-SA:2000:041
Reference: URL:http://www.suse.de/de/security/2000_041_traceroute_txt.html
Reference: BID:4956
Reference: URL:http://www.securityfocus.com/bid/4956
Reference: XF:tracesroute-t-format-string(9291)
Reference: URL:http://www.iss.net/security_center/static/9291.php
Format string vulnerability in TrACESroute 6.0 GOLD (aka NANOG
traceroute) allows local users to execute arbitrary code via the -T
(terminator) command line argument.
Analysis
--------
Vendor Acknowledgement: yes followup
NOTE: Debian confirmed via email that it is not vulnerable.
INFERRED ACTION: CAN-2002-1051 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Baker, Frech, Foat, Cole
NOOP(1) Wall
======================================================
Candidate: CAN-2002-1053
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1053
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020817 W3C Jigsaw Proxy Server: Cross-Site Scripting Vulnerability (REPOST)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0190.html
Reference: CONFIRM:http://www.w3.org/Jigsaw/RelNotes.html#2.2.1
Reference: BID:5506
Reference: URL:http://www.securityfocus.com/bid/5506
Reference: XF:jigsaw-http-proxy-xss(9914)
Reference: URL:http://www.iss.net/security_center/static/9914.php
Cross-site scripting (XSS) vulnerability in W3C Jigsaw Proxy Server
before 2.2.1 allows remote attackers to execute arbitrary script via a
URL that contains a reference to a nonexistent host followed by the
script, which is included in the resulting error message.
Modifications:
DESC add "XSS" term
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the vendor's changelog for 2.2.1 says "Added a flag
to remove the URI from default error pages as well as the proxy module
(SECURITY FIX: avoiding cross scripting attacks)."
INFERRED ACTION: CAN-2002-1053 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-1054
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1054
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020722 Pablo Sofware Solutions FTP server Directory Traversal Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/283665
Reference: VULNWATCH:20020722 [VulnWatch] Pablo Sofware Solutions FTP server Directory Traversal Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0035.html
Reference: CONFIRM:http://www.pablovandermeer.nl/ftpserversrc.zip
Reference: BID:5283
Reference: URL:http://www.securityfocus.com/bid/5283
Reference: XF:pablo-ftp-directory-traversal(9647)
Reference: URL:http://www.iss.net/security_center/static/9647.php
Directory traversal vulnerability in Pablo FTP server 1.0 build 9 and
earlier allows remote authenticated users to list arbitrary
directories via "..\" (dot-dot backslash) sequences in a LIST command.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the Release/whatsnew.txt file in the source code
includes an item dated [07/21/2002], Version 1.10, which states "Fixed
security hole in GetDirectoryList (LIST \..\) (thanks to:
http://www.securiteinfo.com) [the discloser]"
INFERRED ACTION: CAN-2002-1054 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-1057
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1057
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020723 MailMax security advisory/exploit/patch
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0245.html
Reference: BID:5285
Reference: URL:http://www.securityfocus.com/bid/5285
Reference: XF:mailmax-pop3max-user-bo(9651)
Reference: URL:http://www.iss.net/security_center/static/9651.php
Buffer overflow in SmartMax MailMax POP3 daemon (popmax) 4.8 allows
remote attackers to execute arbitrary code via a long USER command.
Analysis
--------
Vendor Acknowledgement: yes via-email
ACKNOWLEDGEMENT: e-mail inquiry sent on August 28, 2002, via interface
at https://supportcenteronline.com/ics/support/default.asp?deptID=468.
Vendor acknowledged the issue on August 29: "This report is accurate
and we have a patch fixing the issue available for our customers."
INFERRED ACTION: CAN-2002-1057 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-1059
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1059
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020723 Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102744150718462&w=2
Reference: BUGTRAQ:20020723 Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102746007908689&w=2
Reference: CONFIRM:http://www.vandyke.com/products/securecrt/security07-25-02.html
Reference: XF:securecrt-ssh1-identifier-bo(9650)
Reference: URL:http://www.iss.net/security_center/static/9650.php
Reference: BID:5287
Reference: URL:http://www.securityfocus.com/bid/5287
Buffer overflow in Van Dyke SecureCRT SSH client before 3.4.6, and 4.x
before 4.0 beta 3, allows an SSH server to execute arbitrary code via
a long SSH1 protocol version string.
Analysis
--------
Vendor Acknowledgement: yes advisory
INFERRED ACTION: CAN-2002-1059 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-1060
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1060
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020724 CacheFlow CacheOS Cross-site Scripting Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0283.html
Reference: CONFIRM:http://download.cacheflow.com/release/CA/4.1.00-docs/CACacheOS41fixes.htm
Reference: BID:5305
Reference: URL:http://www.securityfocus.com/bid/5305
Reference: XF:cacheos-unresolved-error-xss(9674)
Reference: URL:http://www.iss.net/security_center/static/9674.php
Cross-site scripting (XSS) vulnerability in CacheFlow CacheOS 4.1.06
and earlier allows remote attackers to insert arbitrary HTML,
including script, via a URL to a nonexistent hostname that includes
the HTML, which is inserted into the resulting error message.
Modifications:
DESC add XSS term
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the changelog, dated 07/15/2002, includes the
following item for V4.1.07(build 18110): "Modified default
user-configurable error pages to eliminate cross-site scripting
attack."
INFERRED ACTION: CAN-2002-1060 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
NOOP(3) Cox, Wall, Foat
======================================================
Candidate: CAN-2002-1076
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1076
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020725 IPSwitch IMail ADVISORY/EXPLOIT/PATCH
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0326.html
Reference: BUGTRAQ:20020729 Hoax Exploit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0363.html
Reference: BUGTRAQ:20020729 Re: Hoax Exploit (2c79cbe14ac7d0b8472d3f129fa1df55 RETURNS)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0368.html
Reference: CONFIRM:http://support.ipswitch.com/kb/IM-20020731-DM02.htm
Reference: CONFIRM:http://support.ipswitch.com/kb/IM-20020729-DM01.htm
Reference: BID:5323
Reference: URL:http://www.securityfocus.com/bid/5323
Reference: XF:imail-web-messaging-bo(9679)
Reference: URL:http://www.iss.net/security_center/static/9679.php
Buffer overflow in the Web Messaging daemon for Ipswitch IMail before
7.12 allows remote attackers to execute arbitrary code via a long HTTP
GET request for HTTP/1.0.
Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: the release notes for version 7.12 say "Fixed a
buffer over-run which could result in a vulnerability (bugtraq id
5323)."
INFERRED ACTION: CAN-2002-1076 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Wall, Cole
NOOP(2) Cox, Foat
======================================================
Candidate: CAN-2002-1079
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1079
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020822 Abyss 1.0.3 directory traversal and administration bugs
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0229.html
Reference: CONFIRM:http://www.aprelium.com/news/patch1033.html
Reference: XF:abyss-get-directory-traversal(9941)
Reference: URL:http://www.iss.net/security_center/static/9941.php
Reference: XF:abyss-http-directory-traversal(9940)
Reference: URL:http://www.iss.net/security_center/static/9940.php
Reference: BID:5547
Reference: URL:http://www.securityfocus.com/bid/5547
Directory traversal vulnerability in Abyss Web Server 1.0.3 allows
remote attackers to read arbitrary files via ..\ (dot-dot backslash)
sequences in an HTTP GET request.
Modifications:
ADDREF BID:5547
Analysis
--------
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: the vendor includes a statement dated August 19,
2002, of a patch for 1.03 regarding "two bugs related to URLs decoding
(thanks to Auriemma Luigi)," the original discloser.
INFERRED ACTION: CAN-2002-1079 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> BID:5547
URL:http://www.securityfocus.com/bid/5547
======================================================
Candidate: CAN-2002-1081
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1081
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020822 Abyss 1.0.3 directory traversal and administration bugs
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0229.html
Reference: CONFIRM:http://www.aprelium.com/news/patch1033.html
Reference: XF:abyss-plus-file-disclosure(9956)
Reference: URL:http://www.iss.net/security_center/static/9956.php
Reference: BID:5549
Reference: URL:http://www.securityfocus.com/bid/5549
The Administration console for Abyss Web Server 1.0.3 allows remote
attackers to read files without providing login credentials via an
HTTP request to a target file that ends in a "+" character.
Modifications:
ADDREF BID:5549
Analysis
--------
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: the vendor includes a statement dated August 19,
2002, of a patch for 1.03 regarding "two bugs related to URLs decoding
(thanks to Auriemma Luigi)," the original discloser.
INFERRED ACTION: CAN-2002-1081 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Baker, Cole, Armstrong
NOOP(4) Christey, Cox, Wall, Foat
Voter Comments:
Christey> BID:5549
URL:http://www.securityfocus.com/bid/5549
======================================================
Candidate: CAN-2002-1088
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1088
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020725 Novell GroupWise 6.0.1 Support Pack 1 Bufferoverflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0296.html
Reference: CONFIRM:http://support.novell.com/servlet/tidfinder/2963273
Reference: BID:5313
Reference: URL:http://www.securityfocus.com/bid/5313
Reference: XF:groupwise-rcpt-bo(9671)
Reference: URL:http://www.iss.net/security_center/static/9671.php
Buffer overflow in Novell GroupWise 6.0.1 Support Pack 1 allows remote
attackers to execute arbitrary code via a long RCPT TO command.
Analysis
--------
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: while the Novell TID does not itself contain vendor
acknowledgement, the vendor's security advisory page has a link to the
TID with the phrase "Buffer overflow in Novell GroupWise 6.0.1 Support
Pack 1."
INFERRED ACTION: CAN-2002-1088 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
NOOP(3) Cox, Wall, Foat