ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets.CA-1998-135707Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.CA-98.12BID 121linux-mountd-bo(1411)19981006-01-IJ-006Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).CA-98.11BID 122aix-ttdbserver(813)tooltalk(1408)19981101-01-A19981101-01-PX122MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.CERT:CA-98.10.mime_buffer_overflowsoutlook-long-nameMS98-008Arbitrary command execution via IMAP buffer overflow in authenticate command.CA-98.09.imapdBID 13000177130Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command.qpopper-pass-overflow(1890)CA-98.08.qpopper_vulBID 13319980801-01-I133Information from SSL-encrypted sessions via PKCS #1.CA-98.07.PKCSBID 676MS98-002Buffer overflow in NIS+, in Sun's rpc.nisd program.CA-98.06.nisdnisd-bo-check(962)bugtraq id 10400170Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.CA-98.05.bind_problemsbind-bo(895)BID 13419980603-01-PXHPSBUX9808-08300180134Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages.CA-98.05.bind_problemsbind-dos(896)19980603-01-PXHPSBUX9808-083Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer.CA-98.05.bind_problemsbind-axfr-dos (2346)19980603-01-PXHPSBUX9808-08300180Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names.CA-98.04.Win32.WebServersnt-web8.3(709)Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user.CA-98.03.ssh-agentssh-agent(700)bugtraq id 138Unauthorized privileged access or denial of service via dtappgather program in CDE.CA-98.02.CDEHPSBUX9801-07500185Teardrop IP denial of service.CERT:CA-97.28 Denial of Service AttackLand IP denial of service.CA-97.28.Teardrop_LandFreeBSD-SA-98:01cisco-land(1246)land(288)http://www.cisco.com/warp/public/770/land-pub.shtmlHPSBUX9801-076FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.CA-97.27.FTP_bounceftp-bounce(199)ftp-privileged-port(892)Buffer overflow in statd allows root privileges.CA-97.26statd(696)127Delete or create a file via rpc.statd, due to invalid information.CA-96.09.rpc.statdrps-stat(109)00135** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program.CA-97.24.Count_cgihttp-cgi-count(586)bugtraq id 128128Local user gains root privileges via buffer overflow in rdist, via expstr() function.CA-97.23.rdistBID 129rdist-bo3(559)rdist-sept97(540)00179Local user gains root privileges via buffer overflow in rdist, via lookup() function.CA-96.14.rdist_vulrdist-bo(421)DNS cache poisoning via BIND, by predictable query IDs.CA-97.22.bindbind(485)BID 678root privileges via buffer overflow in df command on SGI IRIX systems.CA-97.21.sgi_buffer_overflowAUSCERT:AA-97.19.IRIX.df.buffer.overflow.vul,XF:df-boCA-1997-21VU#20851346df-bo(440)root privileges via buffer overflow in pset command on SGI IRIX systems.CA-97.21.sgi_buffer_overflowpset-bo(442)root privileges via buffer overflow in eject command on SGI IRIX systems.CERT:CA-97.21.sgi_buffer_overflowAUSCERT:AA-97.21.IRIX.eject.buffer.overflow.vul,XF:eject-boroot privileges via buffer overflow in login/scheme command on SGI IRIX systems.CA-97.21.sgi_buffer_overflowsgi-schemebo(443)root privileges via buffer overflow in ordist command on SGI IRIX systems.CA-97.21.sgi_buffer_overflowordist-bo(444)root privileges via buffer overflow in xlock command on SGI IRIX systems.CERT:CA-97.21.sgi_buffer_overflowJavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability.CA-97.20 JavaScript VulnerabilityHPSBUX9707-065Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.CA-97.19.bsdlpBID 707lpr-bo(843)bsd-lprbo(409)bsd-lprbo2(446)I-04219980402-01-PX707Command execution in Sun systems via buffer overflow in the at program.Vulnerability in the At(1) programsun-atbo(705)Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.CA-97.17.sperlperl-suid(448)bugtraq id 708Race condition in signal handling routine in ftpd, allowing read/write arbitrary files.CA-97.16.ftpdftp-ftpd(449)IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files.CA-97.15.sgi_loginbugtraq id 392sgi-lockout(557)H-10619970508-02-PX990sgi-lockout(557)Arbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail.CA-97.14.metamailmetamail-header-commands(1676)Buffer overflow in xlock program allows local users to execute commands as root.CA-97.13.xlockBID 224xlock-bo(483)webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter.CA-97.12.webdistBID 374http-sgi-webdist(333)CA-1997-1219970501-02-PX374235http-sgi-webdist(333)Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.CA-97.11.libXtBID 237libXt-bo(489)Buffer overflow in NLS (Natural Language Service).CA-97.10.nlsBID 711nls-bo(450)Buffer overflow in University of Washington's implementation of IMAP and POP servers.CA-97.09.imap_poppopimap-bo(96)Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others.CA-97.08.inndBID 687inn-controlmsg(184)fsdump command in IRIX allows local users to obtain root access by modifying sensitive files.BID 355sgi-fsdump(2106)19970301-01-PList of arbitrary files on Web host via nph-test-cgi script.CA-97.07.nph-test-cgi_scriptBID 686http-cgi-nph(289)Buffer overflow of rlogin program using TERM environmental variable.CA-97.06.rlogin-termBID 242rlogin-termbo(423)MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4.CA-97.05.sendmailbugtraq id 685sendmail-mime-bo2(1835)685Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges.CA-97.04.talkdtalkd-bo(453)netkit-talkd(413)00147Csetup under IRIX allows arbitrary file creation or overwriting.CA_97.04.csetupsgi-csetup(452)Buffer overflow in HP-UX newgrp program.CA-97.02.hp_newgrpBID 683hp-newgrpbo(451)Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.CA-97.01.flex_lmsgi-licensemanager(893)IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash.BID 120freebsd-ip-frag-dos(1389)908freebsd-ip-frag-dos(1389)TCP RST denial of service in FreeBSD.6094Sun's ftpd daemon can be subjected to a denial of service.BID 709sun-ftpd(1127)00171Buffer overflows in Sun libnsl allow root access.BID 148sun-libnsl(1024)00172IX80543Buffer overflow in Sun's ping program can give root access to local users.sun-ping(1365)00174Vacation program allows command execution by remote users through a sendmail command.vacation(569)HPSBUX9811-087Buffer overflow in PHP cgi program, php.cgi allows shell access.bugtraq id 712http-cgi-phpbo(293)712IRIX fam service allows an attacker to obtain a list of all files on the server.bugtraq id 353irix-fam(325)353164irix-fam(325)Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool.BID 714ascend-config-kill(889)http://www.ascend.com/2695.htmlFile creation and deletion, and remote execution, in the BSD line printer daemon (lpd).bsd-lpd(568)The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage.openbsd-chpass(1220)7559Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port.BID 675cisco-syslog-crash(1558)Buffer overflow in AIX lquerylv program gives root access to local users.BID 451lquerylv-bo(386)Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands.BID 175hp-dtmail(1367)00181AnyForm CGI remote execution.BID 719http-cgi-anyform(301)719phf CGI program allows remote command execution through shell metacharacters.bugtraq id 629CA-96.06.cgi_example_codehttp-cgi-phf(148)CA-1996-06629136CGI PHP mylog script allows an attacker to read any file on the target server.bugtraq id 713http-cgi-php-mylog(1468)7133396Solaris ufsrestore buffer overflow.sun-ufsrestore(966)001698158test-cgi program allows an attacker to list files on the server.http-cgi-test(149)Apache httpd cookie buffer overflow for versions 1.1.1 and earlier.http-apache-cookieBuffer overflow in AIX xdat gives root access to local users.bugtraq id 449ibm-xdat(585)Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.CA-95.14.Telnetd_Environment_VulnerabilityBID 459linkerbug(67)Listening TCP ports are sequentially allocated, allowing spoofing attacks.seqport(209)PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password.ftp-pasvcore(200)5742Buffer overflow in wu-ftp from PASV command causes a core dump.ftp-args(201)Predictable TCP sequence numbers allow spoofing.tcp-seq-predict(139)pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.Vulnerabilities in PCNFSDRemote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports.bugtraq id 271ftp-pasv-dos(563)ftp-pasvdos(202)Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the "site exec" command.CA-95.16.wu-ftpd.vulftp-execdotdot(618)wu-ftp allows files to be overwritten via the rnfr command.ftp-rnfr(324)CWD ~root command in ftpd allows root access.ftp-cwd(54)Improving the Security of Your Site by Breaking Into itgetcwd() file descriptor leak in FTP.cwdleak(335)Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0.nfs-mknod(78)Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname.rwhod-vuln(118)rwhod(119)rwhod-vuln(118)AIX routed allows remote users to modify sensitive files.IBM-routedDenial of service in AIX telnet can freeze a system and prevent users from accessing the server.ibm-telnetdos(706)7992IRIX and AIX automountd services (autofsd) allow remote users to execute root commands.Buffer overflow in AIX libDtSvc library can allow local users to gain root access.Buffer overflow in AIX rcp command allows local users to obtain root access.BID 400ibm-rcp(2296)Buffer overflow in AIX writesrv command allows local users to obtain root access.BID 399ibm-writesrv(2295)Various vulnerabilities in the AIX portmir command allows local users to obtain root access.IBM-portmirAIX nslookup command allows local users to obtain root access by not dropping privileges correctly.BID 377ibm-nslookup(604)AIX piodmgrsu command allows local users to gain additional group privileges.BID 386ibm-piodmgrsu(593)The debug command in Sendmail is enabled, allowing attackers to execute commands as root.CA-88.01CA-93.14BID 11195Sendmail decode alias can be used to overwrite sensitive files.CA-96.25.sendmail_groupssmtp-dcod(126)00122The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).BID 396ibm-ftp(605)Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities.smtp-helo-bo(886)Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.CA-95.13smtp-syslog(129)Remote access in AIX innd 1.5.1, using control messages.inn-controlmsg(184)Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names.IBM AIX(r) Security Vulnerabilities (gethostbyname,lquerypv)ghbn-bo(1751)Buffer overflow in SLmail 3.x allows attackers to execute commands using a large FROM line.bugtraq id 153slmail-fromheader-overflow(1595)Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.CA-96.01.UDP_service_denialA later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2.IP Denial of Serviceteardrop-modfinger allows recursive searches by using a long string of @ symbols.fingerbombFinger redirection allows finger bombs.fingerbombBuffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters.apache-dosThe printers program in IRIX has a buffer overflow that gives root access to local users.printers-bo(808)Buffer overflow in ffbconfig in Solaris 2.5.1.BID 202ffbconfig-bo(874)00140** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0315. Reason: This candidate's original description had a typo that delayed it from being detected as a duplicate of CVE-1999-0315. Notes: All CVE users should reference CVE-1999-0315 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.RIP v1 is susceptible to spoofing.ibm-routed(703)Buffer overflow in AIX dtterm program for the CDE.dtterm-bo(878)dtterm-bo(878)Some implementations of rlogin allow root access if given a -froot parameter.CA-94.09.bin.login.vulnerabilityrlogin-froot(104)BID 458458Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack.elm-filter2(711)AIX bugfiler program allows local users to gain root access.ibm-bugfiler(500)AIX bugfiler file creation vulnerabilityAIX bugfiler1800Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood.CA-96.21.tcp_syn.flooding19961202-01-PX00136AIX passwd allows local users to gain root access.CA-92.07.AIX.passwd.vulnerabilityibm-passwd(555)AIX infod allows local users to gain root access through an X display.aix-infod(1407)19981119 RSI.0011.11-09-98.AIX.INFODWindows NT 4.0 beta allows users to read and delete shares.Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root.CA-94.06.umtp.vulnerabilityutmp-write(506)00126Buffer overflow in dtaction command gives root access.Buffer overflow in AIX lchangelv gives root access.bugtraq id 389lchangelv-bo(845)Race condition in Linux mailx command allows local users to read user files.Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon.gopher-vuln(544)CA-93.11.UMN.UNIX.gopher.vulnerabilityBuffer overflow in SGI IRIX mailx program.BID 393sgi-mailx-bo(1371)19980605-01-PXSGI IRIX buffer overflow in xterm and Xaw allows root access.VN-98.01.XFree86xfree86-xterm-xaw(963)xfree86-xaw(2096)J-010swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access.Vulnerability in HP Software Installation ProgramsOversized ICMP ping packets can result in a denial of service, aka Ping o' Death.CA-96.26.pingping-death(95)Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.CA-96.25.sendmail_groupsBID 715Local users can start Sendmail in daemon mode and gain root privileges.CA-96.24.sendmail.daemon.modeBID 716sendmail-daemon-mode(1837)716Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users.CA-96.20.sendmal_vulsmtp-875bo(428)BID 717717Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access.CA-96.19.expreserveexpreserve(401)CA-1996-1911723expreserve(401)fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access.CA-96.18.fm_flsfmaker-logfile(403)vold in Solaris 2.x allows local users to gain root access.CA-96.17.Solaris_vold_vulsol-voldtmp(434)8159admintool in Solaris allows a local user to write to arbitrary files and gain root access.CA-96.16.Solaris_admintool_vulsun-admintool(394)bugtraq id 289Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access.CA-96.15.Solaris_KCMS_vulsol-KCMSvuln(482)The dip program on many Linux systems allows local users to gain root access via a buffer overflow.CA-96.13.dip_vullinux-dipbo(398)BID 86dip-bo(881)The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access.CA-96.12.suidperl_vulsperl-suid(429)Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access.sol-mkcookie(1429)8205Denial of service in RAS/PPTP on NT systems.Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet.CA-96.07.java_bytecode_verifierhttp-java-applet(490)00134The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts.http-java-appletsecmgr(492)CA-96.05.java_applet_security_mgrKerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.CA-96.03.kerberos_4_key_serverkerberos-bf(64)Denial of service in Qmail by specifying a large number of recipients with the RCPT command.qmail-rcpthttp://cr.yp.to/qmail/venema.htmlhttp://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html223719970612 qmail-dos-2.c, another denial of service attack19970612 Re: Denial of service (qmail-smtpd)Sendmail WIZ command enabled, allowing root access.Internet Security Scanner (ISS)smtp-wiz(131)CA-1990-11CA-1993-1419950206 sendmail wizard thing...Improving the Security of Your Site by Breaking Into itThe campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file.http-cgi-campas(298)1975http-cgi-campas(298)The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands.http-cgi-glimpse(297)The handler CGI program in IRIX allows arbitrary command execution.bugtraq id 380http-sgi-handler(340)19970501-02-PX380The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack.bugtraq id 373http-sgi-wrap(290)19970501-02-PX373247http-sgi-wrap(290)The Perl fingerd program allows arbitrary command execution from remote users.perl-fingerd(625)The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access.CA-95.07a.REVISED.satan.vulCA-95.06.satan.vulThe DG/UX finger daemon allows remote command execution through shell metacharacters.dgux-fingerd(302)Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke.win-oob(173)1666IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.http-iis-aspdot(336)The ghostscript command with the -dSAFER option allows remote attackers to execute commands.gscript-dsafer(404)CA-95.10.ghostscriptwu-ftpd FTP daemon allows any user and password combination.ftp-pwless(204)Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service.Cisco PIX and CBAC Fragmentation AttackBID 690cisco-fragmented-attacks(1584)1097Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known.cisco-pix-file-exposure(1583)BID 691685Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases.Cisco IOS Remote Router Crashcisco-ios-crash(1238)BID 692Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections.cisco-CHAP(570)bugtraq id 6931099In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering.cisco-acl-tacacs(1247)bugtraq id 703797The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering.cisco-acl-established(1248)bugtraq id 315In older versions of Sendmail, an attacker could use a pipe character to execute root commands.smtp-pipeA race condition in the Solaris ps command allows an attacker to overwrite critical files.CA-95.09.Solaris.ps.vulsol-pstmprace(420)8346NFS cache poisoning.nfs-cache(73)NFS allows users to use a "cd .." command to access other directories besides the exported file system.nfs-cd(75)In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system.CA-91.21.SunOS.NFS.Jumbo.and.fsirandnfs-guess(77)bugtraq id 32The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions.bugtraq id 46decod-portmap-call (673)nfs-portmap (80)NFS allows attackers to read and write any file on the system by specifying a false UID.nfs-uidRemote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list.nfs-ultrix(83)Denial of service in syslog by sending it a large number of superfluous messages.syslog-floodFormMail CGI program allows remote execution of commands.http-cgi-formmail-exe(299)FormMail CGI program can be used by web servers other than the host server that the program resides on.http-cgi-formmail-use(300)The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack.bugtraq id 303http-cgi-viewsrc(291)The convert.bas program in the Novell web server allows a remote attackers to read any file on the system that is internally accessible by the web server.http-nov-convert(339)The Webgais program allows a remote user to execute arbitrary commands.http-webgais-query(1467)The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs.http-website-uploader(294)Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string.http-website-winsample(295)19970106 Re: signal handling20788http-website-winsample(295)Windows NT crashes or locks up when a Samba client executes a "cd .." command on a file share.nt-samba-dotdot(397)Q140818in.rshd allows users to login with a NULL username and execute commands.rsh-null(112)The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands.walld(150)Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password.nt-samba-bo(337)VB-97.10.sambaH-110Linux implementations of TFTP would allow access to files outside the restricted directory.linux-tftp(308)When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records.dns-updates(196)nxt bugCA-99-14-bind.htmlIn SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution.sun-ftpd/logind(607)00156In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters.snmp-backdoor-access** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0022. Reason: This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users should reference CVE-1999-0022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.The passwd command in Solaris can be subjected to a denial of service.bugtraq id 174sun-passwd-dos(1442)00182Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111.#00142rpc-32771(330)00142Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.bugtraq id 67sun-rpcbind00167IIS newdsn.exe CGI script allows remote users to overwrite files.http-cgi-newdsn(1530)275Buffer overflow in telnet daemon tgetent routing allows remote attackers to gain root access via the TERMCAP environmental variable.BID 588bsd-tel-tgetent(610)Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option.ascend-killDenial of service in in.comsat allows attackers to generate messages.comsat(1884)Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.pmap-sset(2308)websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable).http-webgais-smail(296)2077237finger 0@host on some systems may print information on some user accounts.finger .@host on some systems may print information on some user accounts.Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password.A quote cwd command on FTP servers can reveal the full path of the home directory of the "ftp" user.ftp-home(203)The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands.ftp-exectar(619)In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program.CA-95.08.sendmail.v.5.vulnerabilitysmtp-sendmail-version5(518)Sendmail 8.6.9 allows remote attackers to execute root commands, using ident.ident-bo(627)Denial of service in Sendmail 8.6.11 and 8.6.12.19990708 SM 8.6.12MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access.sendmail-mime-bo(1836)Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command.CERT:CA-94.11.majordomo.vulnerabilitiesmajordomo-exe(510)rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.CA-95.17.rpc.ypupodated.vulrpc-update(110)The SunView (SunTools) selection_svc facility allows remote users to read files.CA-90.05.sunselection.vulnerabilityselsvc(122)bugtraq id 88Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters.bugtraq id 235CA-99-05-statd-automountd19971126 Solaris 2.5.1 automountd exploit (fwd)19990103 SUN almost has a clue! (automountd)HPSBUX9910-104235Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone.CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability24Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server.#00168sun-mountd(967)I-048libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind.sun-libnslDenial of service by sending forged ICMP unreachable packets.bugtraq id 50icmp-unreachable(1883)Routed allows attackers to append data to files.ripapp(320)19981004-01-PXJ-012Denial of service of inetd on Linux through SYN and RST packets.linux-inutid-doshp-inetdMalicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems.udp-bomb(143)Livingston portmaster machines could be rebooted via a series of commands.portmaster-reboot(1885)Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command.bugtraq id 269ftp-servu19990503 Buffer overflows in FTP Serv-U 2.519990504 Re: Buffer overflows in FTP Serv-U 2.5269ftp-servu(205)Attackers can do a denial of service of IRC by crashing the server.Denial of service of Ascend routers through port 150 (remote administration).ascend-150-kill(1881)Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL.cisco-web-crashSolaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry.sol-syslogd-crash(1887)Syslogd and Solaris 2.41878Denial of service in Windows NT messenger service through a long username.bugtraq id 465Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size.nt-logondos(342)Q180963Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service.Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service.nt-lsass-crash(1892)Q154087Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT.bugtraq id 688nt-rpc-ver(17)Q162567Denial of service in Windows NT IIS server using ..\..http-alibaba-dotdotBuffer overflow in Cisco 7xx routers through the telnet service.7xx Router Password Buffer Overflowbugtraq id 7041102Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access.Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.http-ncsa-longurlIIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files.http-iis-cmd(63)Q148188Q155056Bash treats any character with a value of 255 as a command separator.CA-96.22.bash_vulsBuffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.CERT:CA-95:04ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs.http-scriptalias(332)Remote execution of arbitrary commands through Guestbook CGI program.http-cgi-guestbook(321)VB-97.02.sol_questdayphp.cgi allows attackers to read any file on the system.http-cgi-phpfilereadNetscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET.bugtraq id 481fastrack-get-directory-list(1731)122Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy.Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.http-xguess-cookiesol-mkcookie(1429)Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords.linux-pop3dLinux cfingerd could be exploited to gain root access.Livingston RADIUS code has a buffer overflow which can allow remote execution of commands as root.radius-accounting-overflow(1891)Some configurations of NIS+ in Linux allowed attackers to log in as the user "+".linux-plus(307)HP Remote Watch allows a remote user to gain root access.hp-remoteBuffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands.1443inn-bo19970721 INN news server vulnerabilitiesA race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials.http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.htmlhttp://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1Windows NT RSHSVC program allows remote users to execute arbitrary commands.rsh-svcDenial of service in Qmail through long SMTP commands.qmail-lenghttp://cr.yp.to/qmail/venema.htmlhttp://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html19970612 qmail-dos-2.c, another denial of service attackDenial of service in talk program allows remote attackers to disrupt a user's display.talkd-flash(615)Buffer overflow in listserv allows arbitrary command execution.smtp-listserv(617)IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL.http-iis-2eA hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information.hpov-hidden-snmp-commBuffer overflow in ircd allows arbitrary command execution.Buffer overflow in War FTP allows remote execution of commands.war-ftpd(345)875Nestea variation of teardrop IP fragmentation denial of service.nestea-linux-dos(897)Bonk variation of teardrop IP fragmentation denial of service.teardrop-modDenial of Service attack (broad)Denial of Service Attacks (Broad)cfingerd lists all users on a system via search.**@target.cfinger-user-enumeration(1811)The jj CGI program allows command execution via shell metacharacters.http-cgi-jj(1808)Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.chameleon-smtp-dos(1987)http://www.insecure.org/sploits/netmanage.chameleon.overflows.htmlHylafax faxsurvey CGI script on Linux allows remote attackers to execute arbitrary commands via shell metacharacters in the query string.http-cgi-faxsurvey(1532)2056http-cgi-faxsurvey(1532)Solaris SUNWadmap can be exploited to obtain root access.bugtraq id 430sun-sunwadmap(1200)00173htmlscript CGI program allows remote read access to files.http-htmlscript-file-access(1466)ICMP redirect messages may crash or lock up a host.icmp-redirect(285)Q154174The info2www CGI script allows remote file access or remote command execution.http-cgi-info2www(1732)1995Buffer overflow in NCSA HTTP daemon v1.3 allows remote command execution.CA-95.04.NCSA.http.daemon.for.unix.vulnerabilityMetaInfo MetaWeb web server allows users to upload, execute, and read scripts.Security vulnerabilities in Metalinfo products1103969Netscape Enterprise servers may list files through the PageServices query.netscape-server-pageservices(1810)Directory traversal vulnerability in pfdispaly.cgi program (sometimes referred to as "pfdisplay") for SGI's Performer API Search Tool (performer_tools) allows remote attackers to read arbitrary files.Performer API Search Tool 2.2 pfdispaly.cgi Vulnerabilitysgi-pfdispaly(810)19980401-01-PI-04164134sgi-pfdispaly(810)Progressive Networks Real Video server (pnserver) can be crashed remotely.Denial of service in Slmail v2.5 through the POP3 port.BID 221slmail-username-bo(1662)Denial of service through Solaris 2.5.1 telnet by sending ^D characters.sun-telnet-kill(1464)Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made.nt-dns-dos(3106)Denial of service in Windows NT DNS servers by flooding port 53 with too many characters.nt-dnscrash(186)mSQL v2.0.1 and below allows remote execution through a buffer overflow.msql-debug-bo(2143)The WorkMan program can be used to overwrite any file to get root access.CA-96.23.workman_vulworkman(435)In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.BID 149iis-asp-data-check(1135)MS98-003oval:org.mitre.oval:def:913Excite for Web Servers (EWS) allows remote command execution via shell metacharacters.excite-cgi-search-vuln(1418)VB-98.01.excite-cgi-search-vulnRemote command execution in Microsoft Internet Explorer using .lnk and .url files.http-ie-lnkurl(463)Denial of service in IIS using long URLs.http-iis-longurl(531)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584, CVE-1999-1586. Reason: This candidate combined references from one issue with the description from another issue. Notes: Users should consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate name. All references and descriptions in this candidate have been removed to prevent accidental usage.The Java Web Server would allow remote users to obtain the source code for CGI programs.19970716 Viewable .jhtml source with JavaWebServerDenial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command.mdaemon-helo-bolotus-notes-helo-crashsmtp-exchangedos(344)Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection.In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages.Vulnerability in the Wguest CGI program.http-cgi-webcom-guestbook(2072)CGI Webcom guestbookThe WINS server in Microsoft Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service (process termination) via invalid UDP frames to port 137 (NETBIOS Name Service), as demonstrated via a flood of random packets.BID 298nt-winsupd-fix(1233)The Apache web server for Win32 may provide access to restricted files when a . (dot) is appended to a requested URL.The WinGate telnet proxy allows remote attackers to cause a denial of service via a large number of connections to localhost.wingate-dos(2003)The WinGate proxy is installed without a password, which allows remote attackers to redirect connections without authentication.wingate-unpassworded(1849)Denial of service through Winpopup using large user names.nt-winpopup(538)AAA authentication on Cisco systems allows attackers to execute commands without authorization.Cisco IOS 11.3(1.2) and 11.3(1.2)T AAA Failurecisco-ios-aaa-auth(1245)All records in a WINS database can be deleted through SNMP for a denial of service.nt-wins-snmp2(982)Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges.bugtraq id 241sun-sysdef(608)00157Solaris volrmmount program allows attackers to read any file.sun-volrmmount(708)00162Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable.vixie-cron(3124)ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack.BID 144119970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetmeBuffer overflow in FreeBSD lpd through long DNS hostnames.6093nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ servers.BID 239sun-niscache(606)00155Buffer overflow in SunOS/Solaris ps command.BID 220sun-ps2bo(484)00149SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server.sun-ftp-server(1370)00176Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.bnu-uucpd-bo(1395)mmap function in BSD allows local attackers in the kmem group to modify memory through devices.bsd-mmap(735)The system configuration control (sysctl) facility in BSD based operating systems OpenBSD 2.2 and earlier, and FreeBSD 2.2.5 and earlier, does not properly restrict source routed packets even when the (1) dosourceroute or (2) forwarding variables are set, which allows remote attackers to spoof TCP connections.bsd-sourceroute(736)11502bsd-sourceroute(736)buffer overflow in HP xlock program.hp-xlockVulnerability in xlockBuffer overflow in HP-UX cstm program allows local users to gain root privileges.hpux-cstm-boHP-UX gwind program allows users to modify arbitrary files.hpux-gwind-overwrite(1414)HPSBUX9410-018HP-UX vgdisplay program gives root access to local users.hpux-vgdisplay(1415)HPSBUX9702-056SSH 1.2.25 on HP-UX allows access to new user accounts.ssh-1225(1423)fpkg2swpk in HP-UX allows local users to gain root access.hpux-fpkg2swpk(1437)HPSBUX9612-042HP ypbind allows attackers with root privileges to modify NIS data.CA-93:01.REVISED.HP.NIS.ypbind.vulnerabilitynis-ypbind(519)bugtraq id 52disk_bandwidth on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames.bugtraq id 214sgi-disk-bandwidth(1441)19980701-01-P214936sgi-disk-bandwidth(1441)ioconfig on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames.sgi-ioconfig(1199)19980701-01-P2136788sgi-ioconfig(1199)Buffer overflow in Solaris fdformat command gives root access to local users.fdformat-bo(875)00138Buffer overflow in Linux splitvt command gives root access to local users.linux-splitvt(430)Buffer overflow in Linux su command gives root access to local users.su-bo(734)unixware-su-username-boBuffer overflow in xmcd 2.0p12 allows local users to gain access through an environmental variable.xmcd-envbo(436)Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting.xmcd-tiflestr(437)SunOS rpc.cmsd allows attackers to obtain root access by overwriting arbitrary files.BID 428sun-rpc.cmsd(818)Buffer overflow in Solaris kcms_configure command allows local users to gain root access.sun-kcms-configure-bo(1473)The open() function in FreeBSD allows local attackers to write to arbitrary files.freebsd-open(591)FreeBSD-SA-97:056092FreeBSD mmap function allows users to modify append-only or immutable files.bsd-mmap(735)1998-003ppl program in HP-UX allows local users to create root files through symlinks.hp-ppllog(419)HPSBUX9702-053vhe_u_mnt program in HP-UX allows local users to create root files through symlinks.hp-vhe(433)HPSBUX9406-013Vulnerability in HP-UX mediainit program.hp-mediainit(567)HPSBUX9710-071SGI syserr program allows local users to corrupt files.bugtraq id 85sgi-syserr19971103-01-PXSGI permissions program allows local users to gain root privileges.BID 417sgi-permtool(692)19971103-01-PXSGI mediad program allows local users to gain root access.BID 394sgi-mediad(1122)19980602-01-PXLinux bdash game has a buffer overflow that allows local users to gain root access.bdash-bo(821)Buffer overflow in Internet Explorer 4.0(1).iemk-bug(917)Buffer overflow in NetMeeting allows denial of service and remote command execution.BID 171nt-netmeeting(1222)Q184346HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack.omniback-remote(1396)In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access.CA-93.19.Solaris.Startup.vulnerabilitysol-startup(552)DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-1999-0032.CA-97.19.bsdlpbsd-lprbo(409)Buffer overflow in mstm in HP-UX allows local users to gain root access.hpux-mstm-bo(1439)AIX batch queue (bsh) allows local and remote users to gain additional privileges when network printing is enabled.CA-94.10.IBM.AIX.bsh.vulnerabilityibm-bsh(509)bugtraq id 349AIX Licensed Program Product performance tools allow local users to gain root access.CA-94.03.AIX.performance.toolsibm-perf-tools(504)Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access.bugtraq id 442sol-sun-libauth(1219)Buffer overflow in Linux Slackware crond program allows local users to gain root access.linux-crond(695)Buffer overflow in the Linux mail program "deliver" allows local users to gain root access.bugtraq id 226linux-deliver(702)Linux PAM modules allow local users to gain root access using temporary files.linux-pam-passwd-tmprace(1474)pamhttp://www.redhat.com/corp/support/errata/rh42-errata-general.html#pamA malicious Palace server can force a client to execute arbitrary programs.palace-malicious-servers-vuln(1631)NT users can gain debug-level access on a system process using the Sechole exploit.nt-priv-fix(1231)MS98-009Q190288Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems.ping-death(95)CA-96.26CGI PHP mlog script allows an attacker to read any file on the target server.http-cgi-php-mlog(1505)7133397Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a "%01" character in an "about:" Javascript URL, which causes Internet Explorer to use the domain specified after the character.19990126 Javascript ecurity bug in Internet Explorer19990126 Javascript ecurity bug in Internet ExplorerIIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory.bugtraq id 195Q197003930A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary commands.bugtraq id 192iis-remote-ftp(1654)IIS Remote FTP Exploit/DoS AttackMS99-003Q188348Race condition in the db_loader program in ClearCase gives local users root access by setting SUID bits.BID 538clearcase-temp-race(1718)FTP PASV "Pizza Thief" denial of service and unauthorized data access. Attackers can steal data by connecting to a port that was intended for use by a client.FTP PASV Pizza Thief denial of serviceControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption.controlit-passwd-encrypt(1651)rpc.pcnfsd in HP gives remote root access by changing the permissions on the main printer spool directory.pcnfsd-world-write(1699)HPSBUX9902-091J-026Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. Also applies to Outlook when the client views a malicious email message.word97-template-macro(3498)MS99-002Local or remote users can force ControlIT 4.5 to reboot or force a user to log out, resulting in a denial of service.controlit-reboot(1653)ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.controlit-bookfile-accessWindows 98 and other operating systems allows remote attackers to cause a denial of service via crafted "oshare" packets, possibly involving invalid fragmentation offsets.win98-oshare-dos(2228)Digital Unix 4.0 has a buffer overflow in the inc program of the mh package.du-inc(3137)19990125 Digital Unix 4.0 exploitable buffer overflowsJ-027ptylogin in Unix systems allows users to perform a denial of service by locking out modems, dial out with that modem, or obtain passwords.19990127 UNIX shell modem access vulnerabilitiesMS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely.IIS/MS Site ServerNetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging.WS_FTP server remote denial of service through cwd command.bugtraq id 217wsftp-remote-dos(1694)AD02021999217SuSE 5.2 PLP lpc program has a buffer overflow that leads to root compromise.plp-lpc-bo(1738)BID 328328Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data.19990204 Microsoft Access 97 Stores Database Password as PlaintextThe metamail package allows remote command execution using shell metacharacters that are not quoted in a mailcap entry.BID 110metamail-header-commands(1676)In some cases, Service Pack 4 for Windows NT 4.0 can allow access to network shares using a blank password, through a problem with a null NT hash value.BID 227nt-sp4-auth-error(1719)MS99-004Q214840NetBSD netstat command allows local users to access kernel memory.1999-0027571Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote root access, a.k.a. palmetto.CA-99-03-FTP-Buffer-Overflowspalmetto-ftpd-bo(1728)BID 113The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access.sun-sdtcm-convert-bo(1729)00183In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files.sun-manSolaris/SunOS man/catman Vulnerability165Lynx allows a local user to overwrite sensitive files through /tmp symlinks.lynx-temp-files-race(1665)The installer for BackOffice Server includes account names and passwords in a setup file (reboot.ini) which is not deleted.nt-backoffice-setup(1736)MS99-005MS99-005Q217004Buffer overflow in the "Super" utility in Debian GNU/Linux, and other operating systems, allows local users to execute commands as root.bugtraq id 341linux-super-bo(1723)linux-super-logging-bo(1832)Debian GNU/Linux cfengine package is susceptible to a symlink attack.bugtraq id 314linux-cfengine-symlinks(1802)Buffer overflow in webd in Network Flight Recorder (NFR) 2.0.2-Research allows remote attackers to execute commands.nfr-webd-overflow(1775)Local users in Windows NT can obtain administrator privileges by changing the KnownDLLs list to reference malicious programs.BID 234nt-knowndlls-list(1820)MS99-006MS99-006Process table attack in Unix systems allows a remote attacker to perform a denial of service by filling a machine's process tables through multiple connections to network services.unix-process-table-dosKernel process-table DoSInterScan VirusWall for Solaris doesn't scan files for viruses when a single HTTP request includes two GET commands.viruswall-http-request(3280)6167Microsoft Taskpads allows remote web sites to execute commands on the visiting user's machine via certain methods that are marked as Safe for Scripting.bugtraq id 498win-resourcekit-taskpads(1821)MS99-007MS99-0074981019SLMail 3.1 and 3.2 allows local users to access any file in the NTFS file system when the Remote Administration Service (RAS) is enabled by setting a user's Finger File to point to the target file, then running finger on the user.NT SLMail Remote Administration Service Vulnerability199902225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service19990225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration ServiceSLmail 3.2 Build 3113 (Web Administration Security Fix)497slmail-ras-ntfs-bypass(5392)super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access.linux-super-logging-bo(1832 )Debian Super Syslog Buffer Overflow Vulnerability19990225 SUPER buffer overflowThe screen saver in Windows NT does not verify that its security context has been changed properly, allowing attackers to run programs with elevated privileges.BID 474nt-screen-saver(1946)MS99-008MS99-008ACC Tigris allows public access without a login.BID 183acc-tigris-login(1571)183267The Forms 2.0 ActiveX control (included with Visual Basic for Applications 5.0) can be used to read text from a user's clipboard when the user accesses documents with ActiveX content.forms-vuln-patch(1659)MS99-001MS99-001The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of service or execute commands.bugtraq id 503ldap-mds-dos(1969)MS99-009MS99-009Microsoft Personal Web Server and FrontPage Personal Web Server in some Windows systems allows a remote attacker to read files on the server by using a nonstandard URL.pws-file-access(2036)MS99-010MS99-010111A legacy credential caching mechanism used in Windows 95 and Windows 98 systems allows attackers to read plaintext network passwords.MS99-052MS99-0529x-plaintext-pwd(3574)Bugtraq id 829Q168115829DataLynx suGuard trusts the PATH environment variable to execute the ps command, allowing local users to execute commands as root.bugtraq id 186datalynx-suguard-relative-paths(1543)3186Buffer overflow in the bootp server in the Debian Linux netstd package.Debian GNU/Linux netstd Vulnerabilitiesdebian-netstd-bo(4099)Buffer overflow in Dosemu Slang library in Linux.Bugtraq id 187CSSA-1999-006.1187The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused, allowing an attacker to replay the response and impersonate a user.BID 233Buffer overflow in Thomas Boutell's cgic library version up to 1.05.http-cgic-library-bo(1603)Remote attackers can cause a denial of service in Sendmail 8.8.x and 8.9.2 by sending messages with a large number of headers.sendmail-parsing-redirection(3477)19990121 Sendmail 8.8.x/8.9.x bugwareDPEC Online Courseware allows an attacker to change another user's password without knowing the original password.A race condition in the BackWeb Polite Agent Protocol allows an attacker to spoof a BackWeb server.backweb-polite-agent-protocol(1611)backweb-polite-agent-protocolA race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service.netbsd-tcp-race(1658)The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login.ssh-exp-account-access(3493)The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands.mirc-dcc-metachar-filenameDenial of service in Linux 2.2.0 running the ldd command on a core file.Linux ldd core VulnerabilityA race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files.linux-race-condition-proc(3497)wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself.wget-permissions(1805)A bug in Cyrix CPUs on Linux allows local users to perform a denial of service.cyrix-hang(1716)19990204 Cyrix bug: freeze in hell, badboyBuffer overflow in the Mail-Max SMTP server for Windows systems allows remote command execution.mailmax-bo(1773)A buffer overflow in lsof allows local users to obtain root privilege.bugtraq id 496lsof-bo(1791)3163Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege.digital-networker-bo(1807)digital-networker-bo(1807)By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system.19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS19990209 Re: IIS4 allows proxied password attacks over NetBIOSFiles created from interactive shell sessions in Cobalt RaQ microservers (e.g. .bash_history) are world readable, and thus are accessible from the web server.cobalt-raq-history-exposure(1831)bugtraq id 337337Buffer overflow in gnuplot in Linux version 3.5 allows local users to obtain root access.gnuplot-home-overflow(1888)BID 319319The cancel command in Solaris 2.6 (i386) has a buffer overflow that allows local users to obtain root access.bugtraq id 293sol-cancel(1900)293Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access.sco-startup-scripts(1930)sco-startup-scriptsIn IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension.bugtraq id 501iis-isapi-execute(1950)501A buffer overflow in the SGI X server allows local users to gain root access through the X server font path.irix-font-path-overflow(1929)19990301-01-PXIn Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection.bugtraq id 580linux-blind-spoof(1932)The HTTP server in Cisco 7xx series routers 3.2 through 4.2 is enabled by default, which allows remote attackers to change the router's configuration.cisco-router-commandscisco-router-commands(1951)19990311 Cisco 7xx TCP and HTTP VulnerabilitiesJ-034Vulnerability in Cisco 7xx series routers allows a remote attacker to cause a system reload via a TCP connection to the router's TELNET port.cisco-router-doscisco-web-crash(1886)19990311 Cisco 7xx TCP and HTTP VulnerabilitiesJ-03464 bit Solaris 7 procfs allows local users to perform a denial of service.solaris-psinfo-crash(1935)BID 4484481001Denial of service in SMTP applications such as Sendmail, when a remote attacker (e.g. spammer) uses many "RCPT TO" commands in the same connection.19990308 SMTP server account probingWhen the Microsoft SMTP service attempts to send a message to a server and receives a 4xx error code, it quickly and repeatedly attempts to redeliver the message, causing a denial of service.smtp-4xx-error-dosumapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program.During a reboot after an installation of Linux Slackware 3.6, a remote attacker can obtain root access by logging in to the root account without a password.BID 338linux-slackware-install(2040)981In some cases, NetBSD 1.3.3 mount allows local users to execute programs in some file systems that have the "noexec" flag set.Vulnerability in hpterm on HP-UX 10.20 allows local users to gain additional privileges.hp-hpterm-files(2182)HPSBUX9903-093talkback in Netscape 4.5 allows a local user to overwrite arbitrary files of another user whose Netscape crashes.netscape-talkback-overwrite(2006)talkback in Netscape 4.5 allows a local user to kill an arbitrary process of another user whose Netscape crashes.netscape-talkback-kill(2005)19.03.1999The default permissions of /dev/kmem in Linux versions before 2.0.36 allows IP spoofing.linux-dev-kmem-spoofEudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names.eudora-long-attachment-filename(4482)BID 1210OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.ssl-session-reuse(1991)OpenSSL and SSLeay Security Alert3936The Lotus Notes 4.5 client may send a copy of encrypted mail in the clear across the network if the user does not set the "Encrypt Saved Mail" preference.lotus-client-encryption(2047)1999032319990324 Re: LNotes encryption19990326 Lotus Notes Encryption Bug19990326 Re: Lotus Notes security advisoryCisco Catalyst LAN switches running Catalyst 5000 supervisor software allows remote attackers to perform a denial of service by forcing the supervisor module to reload.bugtraq id 705CI-99.03cisco-catalyst-crash(2019)1103Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service.This problem was fixed in Linux kernel 2.2.4 and later releases.linux-zerolength-fragment(2041)ftp on HP-UX 11.00 allows local users to gain privileges.hp-ftp(2009)HPSBUX9903-094HPSBUX9903-094XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.BID 326xfree86-temp-directories(2032)XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.Multiple Vendor xfs Symlink Vulnerabilityxfree86-xfs-symlink-dosMC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain privileges through SAM.hp-serviceguard(2046)hp-serviceguardDomain Enterprise Server Management System (DESMS) in HP-UX allows local users to gain privileges.hp-desms-servers(2045)HPSBUX9903-095HPSBUX9903-095Remote attackers can perform a denial of service in WebRamp systems by sending a malicious string to the HTTP port.webramp-device-crash(2050)Remote attackers can perform a denial of service in WebRamp systems by sending a malicious UDP packet to port 5353, changing its IP address.bugtraq id 577webramp-ipchange(2051)Buffer overflow in procmail before version 3.12 allows remote or local attackers to execute commands via expansions in the procmailrc configuration file.procmail-overflow(2082)The byte code verifier component of the Java Virtual Machine (JVM) allows remote execution through malicious web pages.java-unverified-code(2025)http://java.sun.com/pr/1999/03/pr990329-01.html19990405 Security Hole in Java 2 (and JDK 1.1.x)1939Remote attackers can perform a denial of service in WinGate machines using a buffer overflow in the Winsock Redirector Service.bugtraq id 509AD02221999wingate-redirector-dos(2066)AD02221999509Solaris ff.core allows local users to modify files.BID 327327Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password.bmc-patrol-replay(2078)19990409 Patrol security bugsRemote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files.windows-arp-dosIn Cisco routers under some versions of IOS 12.0 running NAT, some packets may not be filtered by input access list filters.BID 706cisco-natacl-leakage(2071)1104Local users can perform a denial of service in NetBSD 1.3.3 and earlier versions by creating an unusual symbolic link with the ln command, triggering a bug in VFS.netbsd-vfslocking-panic(2062)1999-0087051Local users can gain privileges using the debug utility in the MPE/iX operating system.mpeix-debug(2073)HPSBMP9904-006HPSBMP9904-006IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request.bugtraq id 191iis-http-request-logging(1656)The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (2) query.asp, or (3) search.asp scripts.bugtraq id 193iis-exair-dos(2229)193234In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe) .194Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port.Linux TCP port DoS VulnerabilityA service or application has a backdoor password that was placed there by the developer.An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP).A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly.coldfusion-expression-evaluator(1740)Allaire ColdFusion Remote File Display, Deletion, Upload and Execution VulnerabilityLinux ftpwatch program allows local users to gain root privileges.bugtraq id 317ftpwatch-vuln(1607)317L0phtcrack 2.5 used temporary files in the system TEMP directory which could contain password information.l0phtcrack-temp-files(1606)915Local users can perform a denial of service in Alpha Linux, using MILO to force a reboot.linux-milo-halt(1717)linux-milo-halt(1717)Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service.Linux autofs VulnerabilityVersions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source address.pmap-sset(2308)suidperl in Linux Perl does not check the nosuid mount option on file systems, allowing local users to gain root access by placing a setuid script in a mountable file system, e.g. a CD-ROM or floppy disk.Perl suidmount Vulnerabilityperl-suidperl-bo(3544)Remote attackers can perform a denial of service using IRIX fcagent.bugtraq id 144sgi-fcagent-dos(1443)19981201-01-PXLocal users can perform a denial of service in Tripwire 1.2 and earlier using long filenames.19990104 Tripwire mess..6609Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter.The SVR4 /dev/wabi special device file in NetBSD 1.3.3 and earlier allows a local user to read or write arbitrary files on the disk associated with that device.bugtraq id 114NetBSD-SA1999-009905The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter.http-cgi-webcom-guestbook(2072)Internet Explorer 5.0 allows a remote server to read arbitrary files on the client's file system using the Microsoft Scriptlet Component.ie-scriplet-fileread(2070)MS99-012MSHTMLInternet Explorer 5.0 allows window spoofing, allowing a remote attacker to spoof a legitimate web site and capture information from the client.ie-window-spoofA weak encryption algorithm is used for passwords in Novell Remote.NLM, allowing them to be easily decrypted.netware-remotenlm-passwords(2081)482The remote proxy server in Winroute allows a remote attacker to reconfigure the proxy without authentication through the "cancel" button.winroute-config(2079)The SNMP default community name "public" is not properly removed in NetApps C630 Netcache, even if the administrator tries to disable it.netcache-snmp(2080)The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred.rsync-permissions(2074)19990823145The ICQ Webserver allows remote attackers to use .. to access arbitrary files outside of the user's personal directory.icq-webserver-read(2085)A race condition in how procmail handles .procmailrc files allows a local user to read arbitrary files available to the user who is running procmail.procmail-race(2083)A weak encryption algorithm is used for passwords in SCO TermVision, allowing them to be easily decrypted by a local user.sco-termvision-password(2063)The Expression Evaluator in the ColdFusion Application Server allows a remote attacker to upload files to the server via openfile.cfm, which does not restrict access to the server properly.Allaire ColdFusion Remote File Display, Deletion, Upload and Execution VulnerabilityDenial of service in HP-UX sendmail 8.8.6 related to accepting connections.sendmail-headers-dos(2300)HPSBUX9904-097Denial of service Netscape Enterprise Server with VirtualVault on HP-UX VVOS systems.netscape-server-dos(1964)HPSBUX9903-092Local attackers can conduct a denial of service in Midnight Commander 4.x with a symlink attack.midnight-commander-symlink-dos(3505)Denial of service in "poll" in OpenBSD.7556OpenBSD kernel crash through TSS handling, as caused by the crashme program.7557OpenBSD crash using nlink value in FFS and EXT2FS filesystems.6129Buffer overflow in OpenBSD ping.6130Remote attackers can cause a system crash through ipintr() in ipq in OpenBSD.openbsd-ipintr-race(1829)7558Denial of service in AOL Instant Messenger when a remote attacker sends a malicious hyperlink to the receiving client, potentially causing a system crash.aolim-malformed-ascii-dos(4877)aol-im(819)The DHTML Edit ActiveX control in Internet Explorer allows remote attackers to read arbitrary files.bugtraq id 116MS99-011q226326ie-dhtml-control(2161)MS99-011Internet Explorer 4.0 and 5.0 allows a remote attacker to execute security scripts in a different security context using malicious URLs, a variant of the "cross frame" vulnerability.ie-mshtml-crossframe(2216)MS99-012MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste a file name into the file upload intrinsic control, a variant of "untrusted scripted paste" as described in MS:MS98-013.MS:MS99-015MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn information about a local user's files via an IMG SRC tag.ie-scriplet-filereadMS:MS99-012The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute.bugtraq id 119CSSA-1999:008.019990420 Bash Bug119The ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses.rpc.statd allows remote attackers to forward RPC calls to the local operating system via the SM_MON and SM_NOTIFY commands, which in turn could be used to remotely exploit other bugs such as in automountd.BID 450CA-99-05-statd-automountd00186J-04519990103 SUN almost has a clue! (automountd)450Denial of service in WinGate proxy through a buffer overflow in POP3.wingate-pop3-user-bo(1847)A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares.A Windows NT 4.0 user can gain administrative rights by forcing NtOpenProcessToken to succeed regardless of the user's permissions, aka GetAdmin.q146965Q146965Anonymous FTP is enabled.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.Anonymous FTP is an unsecured protocol for Internet facing systems and should only be used on a limited basis to provide a specific functional requirement, otherwise disabled. The software should be patched and configured properly.TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files.linux-tftp(308)CERT:CA-91.18.Active.Internet.tftp.AttacksNETBIOS share information may be published through SNMP registry keys in NT.snmp-netbiosA Unix account has a guessable password.default-unix-lp(1005)A Unix account has a default, null, blank, or missing password.passwd-blank(774)passwd-blank-lines(2941)A Windows NT local user or administrator account has a guessable password.nt-guess-admin(282)nt-guessed-powerwd(1328)A Windows NT local user or administrator account has a default, null, blank, or missing password.nt-guestblankpw(159)nt-guestnopwA Windows NT domain user or administrator account has a guessable password.nt-guessed-domain-userpwd(1329)win2k-certpub-usrpwd(3421)A Windows NT domain user or administrator account has a default, null, blank, or missing password.nt-domain-admin-blankpwd(1355)win2k-dhcpadm-blnkpwd(3422)An account on a router, firewall, or other network device has a guessable password.firewall-tisopen(388)An account on a router, firewall, or other network device has a default, null, blank, or missing password.default-netranger(980)motorola-cable-default-passcayman-gatorboxPerl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands.CERT:CA-96.11A router or firewall allows source routed packets from arbitrary hosts.source-routing(639)source-routing-disable(3577)IP forwarding is enabled on a machine which is not a router or firewall.ip-forwarding(193)A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers.ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.CA-98.01BID 147UDP messages to broadcast addresses are allowed, allowing for a Fraggle attack that can cause a denial of service by flooding the target.fraggle(815)An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv.An SNMP community name is guessable.snmp-get-guess(1241)An SNMP community name is the default (e.g. public), null, or missing.hpov-hidden-snmp-comm(1387)snmp-comm(133)A NETBIOS/SMB share password is guessable.nt-netbios-perm(182)A NETBIOS/SMB share password is the default, null, or missing.nt-netbios-everyoneaccess(1)nt-netbios-guestaccess(2)nt-netbios-write(19)nt-netbios-share(12)nt-netbios-shareguest(20)A system-critical NETBIOS/SMB share has inappropriate access control.An NIS domain name is easily guessable.nis-dom(85)The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate.NIS+ Configuration VulnerabilityICMP echo (ping) is allowed from arbitrary hosts.ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts.icmp-netmask(306)icmp-timestamp(322)