ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets.CA-1998-135707Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.CA-98.12BID 121linux-mountd-bo(1411)19981006-01-IJ-006Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).CA-98.11BID 122aix-ttdbserver(813)tooltalk(1408)19981101-01-A19981101-01-PX122MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.CERT:CA-98.10.mime_buffer_overflowsoutlook-long-nameMS98-008Arbitrary command execution via IMAP buffer overflow in authenticate command.CA-98.09.imapdBID 13000177130Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command.qpopper-pass-overflow(1890)CA-98.08.qpopper_vulBID 13319980801-01-I133Information from SSL-encrypted sessions via PKCS #1.CA-98.07.PKCSBID 676MS98-002Buffer overflow in NIS+, in Sun's rpc.nisd program.CA-98.06.nisdnisd-bo-check(962)bugtraq id 10400170Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.CA-98.05.bind_problemsbind-bo(895)BID 13419980603-01-PXHPSBUX9808-08300180134Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages.CA-98.05.bind_problemsbind-dos(896)19980603-01-PXHPSBUX9808-083Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer.CA-98.05.bind_problemsbind-axfr-dos (2346)19980603-01-PXHPSBUX9808-08300180Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names.CA-98.04.Win32.WebServersnt-web8.3(709)Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user.CA-98.03.ssh-agentssh-agent(700)bugtraq id 138Unauthorized privileged access or denial of service via dtappgather program in CDE.CA-98.02.CDEHPSBUX9801-07500185Teardrop IP denial of service.CERT:CA-97.28 Denial of Service AttackLand IP denial of service.CA-97.28.Teardrop_LandFreeBSD-SA-98:01cisco-land(1246)land(288)http://www.cisco.com/warp/public/770/land-pub.shtmlHPSBUX9801-076FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.CA-97.27.FTP_bounceftp-bounce(199)ftp-privileged-port(892)Buffer overflow in statd allows root privileges.CA-97.26statd(696)127Delete or create a file via rpc.statd, due to invalid information.CA-96.09.rpc.statdrps-stat(109)00135** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program.CA-97.24.Count_cgihttp-cgi-count(586)bugtraq id 128128Local user gains root privileges via buffer overflow in rdist, via expstr() function.CA-97.23.rdistBID 129rdist-bo3(559)rdist-sept97(540)00179Local user gains root privileges via buffer overflow in rdist, via lookup() function.CA-96.14.rdist_vulrdist-bo(421)DNS cache poisoning via BIND, by predictable query IDs.CA-97.22.bindbind(485)BID 678root privileges via buffer overflow in df command on SGI IRIX systems.CA-97.21.sgi_buffer_overflowAUSCERT:AA-97.19.IRIX.df.buffer.overflow.vul,XF:df-boCA-1997-21VU#20851346df-bo(440)root privileges via buffer overflow in pset command on SGI IRIX systems.CA-97.21.sgi_buffer_overflowpset-bo(442)root privileges via buffer overflow in eject command on SGI IRIX systems.CERT:CA-97.21.sgi_buffer_overflowAUSCERT:AA-97.21.IRIX.eject.buffer.overflow.vul,XF:eject-boroot privileges via buffer overflow in login/scheme command on SGI IRIX systems.CA-97.21.sgi_buffer_overflowsgi-schemebo(443)root privileges via buffer overflow in ordist command on SGI IRIX systems.CA-97.21.sgi_buffer_overflowordist-bo(444)root privileges via buffer overflow in xlock command on SGI IRIX systems.CERT:CA-97.21.sgi_buffer_overflowJavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability.CA-97.20 JavaScript VulnerabilityHPSBUX9707-065Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.CA-97.19.bsdlpBID 707lpr-bo(843)bsd-lprbo(409)bsd-lprbo2(446)I-04219980402-01-PX707Command execution in Sun systems via buffer overflow in the at program.Vulnerability in the At(1) programsun-atbo(705)Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.CA-97.17.sperlperl-suid(448)bugtraq id 708Race condition in signal handling routine in ftpd, allowing read/write arbitrary files.CA-97.16.ftpdftp-ftpd(449)IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files.CA-97.15.sgi_loginbugtraq id 392sgi-lockout(557)H-10619970508-02-PX990sgi-lockout(557)Arbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail.CA-97.14.metamailmetamail-header-commands(1676)Buffer overflow in xlock program allows local users to execute commands as root.CA-97.13.xlockBID 224xlock-bo(483)webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter.CA-97.12.webdistBID 374http-sgi-webdist(333)CA-1997-1219970501-02-PX374235http-sgi-webdist(333)Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.CA-97.11.libXtBID 237libXt-bo(489)Buffer overflow in NLS (Natural Language Service).CA-97.10.nlsBID 711nls-bo(450)Buffer overflow in University of Washington's implementation of IMAP and POP servers.CA-97.09.imap_poppopimap-bo(96)Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others.CA-97.08.inndBID 687inn-controlmsg(184)fsdump command in IRIX allows local users to obtain root access by modifying sensitive files.BID 355sgi-fsdump(2106)19970301-01-PList of arbitrary files on Web host via nph-test-cgi script.CA-97.07.nph-test-cgi_scriptBID 686http-cgi-nph(289)Buffer overflow of rlogin program using TERM environmental variable.CA-97.06.rlogin-termBID 242rlogin-termbo(423)MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4.CA-97.05.sendmailbugtraq id 685sendmail-mime-bo2(1835)685Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges.CA-97.04.talkdtalkd-bo(453)netkit-talkd(413)00147Csetup under IRIX allows arbitrary file creation or overwriting.CA_97.04.csetupsgi-csetup(452)Buffer overflow in HP-UX newgrp program.CA-97.02.hp_newgrpBID 683hp-newgrpbo(451)Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.CA-97.01.flex_lmsgi-licensemanager(893)IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash.BID 120freebsd-ip-frag-dos(1389)908freebsd-ip-frag-dos(1389)TCP RST denial of service in FreeBSD.6094Sun's ftpd daemon can be subjected to a denial of service.BID 709sun-ftpd(1127)00171Buffer overflows in Sun libnsl allow root access.BID 148sun-libnsl(1024)00172IX80543Buffer overflow in Sun's ping program can give root access to local users.sun-ping(1365)00174Vacation program allows command execution by remote users through a sendmail command.vacation(569)HPSBUX9811-087Buffer overflow in PHP cgi program, php.cgi allows shell access.bugtraq id 712http-cgi-phpbo(293)712IRIX fam service allows an attacker to obtain a list of all files on the server.bugtraq id 353irix-fam(325)353164irix-fam(325)Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool.BID 714ascend-config-kill(889)http://www.ascend.com/2695.htmlFile creation and deletion, and remote execution, in the BSD line printer daemon (lpd).bsd-lpd(568)The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage.openbsd-chpass(1220)7559Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port.BID 675cisco-syslog-crash(1558)Buffer overflow in AIX lquerylv program gives root access to local users.BID 451lquerylv-bo(386)Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands.BID 175hp-dtmail(1367)00181AnyForm CGI remote execution.BID 719http-cgi-anyform(301)719phf CGI program allows remote command execution through shell metacharacters.bugtraq id 629CA-96.06.cgi_example_codehttp-cgi-phf(148)CA-1996-06629136CGI PHP mylog script allows an attacker to read any file on the target server.bugtraq id 713http-cgi-php-mylog(1468)7133396Solaris ufsrestore buffer overflow.sun-ufsrestore(966)001698158test-cgi program allows an attacker to list files on the server.http-cgi-test(149)Apache httpd cookie buffer overflow for versions 1.1.1 and earlier.http-apache-cookieBuffer overflow in AIX xdat gives root access to local users.bugtraq id 449ibm-xdat(585)Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.CA-95.14.Telnetd_Environment_VulnerabilityBID 459linkerbug(67)Listening TCP ports are sequentially allocated, allowing spoofing attacks.seqport(209)PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password.ftp-pasvcore(200)5742Buffer overflow in wu-ftp from PASV command causes a core dump.ftp-args(201)Predictable TCP sequence numbers allow spoofing.tcp-seq-predict(139)pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.Vulnerabilities in PCNFSDRemote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports.bugtraq id 271ftp-pasv-dos(563)ftp-pasvdos(202)Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the "site exec" command.CA-95.16.wu-ftpd.vulftp-execdotdot(618)wu-ftp allows files to be overwritten via the rnfr command.ftp-rnfr(324)CWD ~root command in ftpd allows root access.ftp-cwd(54)Improving the Security of Your Site by Breaking Into itgetcwd() file descriptor leak in FTP.cwdleak(335)Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0.nfs-mknod(78)Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname.rwhod-vuln(118)rwhod(119)rwhod-vuln(118)AIX routed allows remote users to modify sensitive files.IBM-routedDenial of service in AIX telnet can freeze a system and prevent users from accessing the server.ibm-telnetdos(706)7992IRIX and AIX automountd services (autofsd) allow remote users to execute root commands.Buffer overflow in AIX libDtSvc library can allow local users to gain root access.Buffer overflow in AIX rcp command allows local users to obtain root access.BID 400ibm-rcp(2296)Buffer overflow in AIX writesrv command allows local users to obtain root access.BID 399ibm-writesrv(2295)Various vulnerabilities in the AIX portmir command allows local users to obtain root access.IBM-portmirAIX nslookup command allows local users to obtain root access by not dropping privileges correctly.BID 377ibm-nslookup(604)AIX piodmgrsu command allows local users to gain additional group privileges.BID 386ibm-piodmgrsu(593)The debug command in Sendmail is enabled, allowing attackers to execute commands as root.CA-88.01CA-93.14BID 11195Sendmail decode alias can be used to overwrite sensitive files.CA-96.25.sendmail_groupssmtp-dcod(126)00122The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).BID 396ibm-ftp(605)Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities.smtp-helo-bo(886)Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.CA-95.13smtp-syslog(129)Remote access in AIX innd 1.5.1, using control messages.inn-controlmsg(184)Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names.IBM AIX(r) Security Vulnerabilities (gethostbyname,lquerypv)ghbn-bo(1751)Buffer overflow in SLmail 3.x allows attackers to execute commands using a large FROM line.bugtraq id 153slmail-fromheader-overflow(1595)Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.CA-96.01.UDP_service_denialA later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2.IP Denial of Serviceteardrop-modfinger allows recursive searches by using a long string of @ symbols.fingerbombFinger redirection allows finger bombs.fingerbombBuffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters.apache-dosThe printers program in IRIX has a buffer overflow that gives root access to local users.printers-bo(808)Buffer overflow in ffbconfig in Solaris 2.5.1.BID 202ffbconfig-bo(874)00140** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0315. Reason: This candidate's original description had a typo that delayed it from being detected as a duplicate of CVE-1999-0315. Notes: All CVE users should reference CVE-1999-0315 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.RIP v1 is susceptible to spoofing.ibm-routed(703)Buffer overflow in AIX dtterm program for the CDE.dtterm-bo(878)dtterm-bo(878)Some implementations of rlogin allow root access if given a -froot parameter.CA-94.09.bin.login.vulnerabilityrlogin-froot(104)BID 458458Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack.elm-filter2(711)AIX bugfiler program allows local users to gain root access.ibm-bugfiler(500)AIX bugfiler file creation vulnerabilityAIX bugfiler1800Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood.CA-96.21.tcp_syn.flooding19961202-01-PX00136AIX passwd allows local users to gain root access.CA-92.07.AIX.passwd.vulnerabilityibm-passwd(555)AIX infod allows local users to gain root access through an X display.aix-infod(1407)19981119 RSI.0011.11-09-98.AIX.INFODWindows NT 4.0 beta allows users to read and delete shares.Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root.CA-94.06.umtp.vulnerabilityutmp-write(506)00126Buffer overflow in dtaction command gives root access.Buffer overflow in AIX lchangelv gives root access.bugtraq id 389lchangelv-bo(845)Race condition in Linux mailx command allows local users to read user files.Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon.gopher-vuln(544)CA-93.11.UMN.UNIX.gopher.vulnerabilityBuffer overflow in SGI IRIX mailx program.BID 393sgi-mailx-bo(1371)19980605-01-PXSGI IRIX buffer overflow in xterm and Xaw allows root access.VN-98.01.XFree86xfree86-xterm-xaw(963)xfree86-xaw(2096)J-010swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access.Vulnerability in HP Software Installation ProgramsOversized ICMP ping packets can result in a denial of service, aka Ping o' Death.CA-96.26.pingping-death(95)Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.CA-96.25.sendmail_groupsBID 715Local users can start Sendmail in daemon mode and gain root privileges.CA-96.24.sendmail.daemon.modeBID 716sendmail-daemon-mode(1837)716Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users.CA-96.20.sendmal_vulsmtp-875bo(428)BID 717717Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access.CA-96.19.expreserveexpreserve(401)CA-1996-1911723expreserve(401)fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access.CA-96.18.fm_flsfmaker-logfile(403)vold in Solaris 2.x allows local users to gain root access.CA-96.17.Solaris_vold_vulsol-voldtmp(434)8159admintool in Solaris allows a local user to write to arbitrary files and gain root access.CA-96.16.Solaris_admintool_vulsun-admintool(394)bugtraq id 289Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access.CA-96.15.Solaris_KCMS_vulsol-KCMSvuln(482)The dip program on many Linux systems allows local users to gain root access via a buffer overflow.CA-96.13.dip_vullinux-dipbo(398)BID 86dip-bo(881)The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access.CA-96.12.suidperl_vulsperl-suid(429)Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access.sol-mkcookie(1429)8205Denial of service in RAS/PPTP on NT systems.Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet.CA-96.07.java_bytecode_verifierhttp-java-applet(490)00134The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts.http-java-appletsecmgr(492)CA-96.05.java_applet_security_mgrKerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.CA-96.03.kerberos_4_key_serverkerberos-bf(64)Denial of service in Qmail by specifying a large number of recipients with the RCPT command.qmail-rcpthttp://cr.yp.to/qmail/venema.htmlhttp://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html223719970612 qmail-dos-2.c, another denial of service attack19970612 Re: Denial of service (qmail-smtpd)Sendmail WIZ command enabled, allowing root access.Internet Security Scanner (ISS)smtp-wiz(131)CA-1990-11CA-1993-1419950206 sendmail wizard thing...Improving the Security of Your Site by Breaking Into itThe campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file.http-cgi-campas(298)1975http-cgi-campas(298)The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands.http-cgi-glimpse(297)The handler CGI program in IRIX allows arbitrary command execution.bugtraq id 380http-sgi-handler(340)19970501-02-PX380The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack.bugtraq id 373http-sgi-wrap(290)19970501-02-PX373247http-sgi-wrap(290)The Perl fingerd program allows arbitrary command execution from remote users.perl-fingerd(625)The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access.CA-95.07a.REVISED.satan.vulCA-95.06.satan.vulThe DG/UX finger daemon allows remote command execution through shell metacharacters.dgux-fingerd(302)Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke.win-oob(173)1666IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.http-iis-aspdot(336)The ghostscript command with the -dSAFER option allows remote attackers to execute commands.gscript-dsafer(404)CA-95.10.ghostscriptwu-ftpd FTP daemon allows any user and password combination.ftp-pwless(204)Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service.Cisco PIX and CBAC Fragmentation AttackBID 690cisco-fragmented-attacks(1584)1097Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known.cisco-pix-file-exposure(1583)BID 691685Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases.Cisco IOS Remote Router Crashcisco-ios-crash(1238)BID 692Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections.cisco-CHAP(570)bugtraq id 6931099In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering.cisco-acl-tacacs(1247)bugtraq id 703797The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering.cisco-acl-established(1248)bugtraq id 315In older versions of Sendmail, an attacker could use a pipe character to execute root commands.smtp-pipeA race condition in the Solaris ps command allows an attacker to overwrite critical files.CA-95.09.Solaris.ps.vulsol-pstmprace(420)8346NFS cache poisoning.nfs-cache(73)NFS allows users to use a "cd .." command to access other directories besides the exported file system.nfs-cd(75)In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system.CA-91.21.SunOS.NFS.Jumbo.and.fsirandnfs-guess(77)bugtraq id 32The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions.bugtraq id 46decod-portmap-call (673)nfs-portmap (80)NFS allows attackers to read and write any file on the system by specifying a false UID.nfs-uidRemote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list.nfs-ultrix(83)Denial of service in syslog by sending it a large number of superfluous messages.syslog-floodFormMail CGI program allows remote execution of commands.http-cgi-formmail-exe(299)FormMail CGI program can be used by web servers other than the host server that the program resides on.http-cgi-formmail-use(300)The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack.bugtraq id 303http-cgi-viewsrc(291)The convert.bas program in the Novell web server allows a remote attackers to read any file on the system that is internally accessible by the web server.http-nov-convert(339)The Webgais program allows a remote user to execute arbitrary commands.http-webgais-query(1467)The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs.http-website-uploader(294)Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string.http-website-winsample(295)19970106 Re: signal handling20788http-website-winsample(295)Windows NT crashes or locks up when a Samba client executes a "cd .." command on a file share.nt-samba-dotdot(397)Q140818in.rshd allows users to login with a NULL username and execute commands.rsh-null(112)The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands.walld(150)Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password.nt-samba-bo(337)VB-97.10.sambaH-110Linux implementations of TFTP would allow access to files outside the restricted directory.linux-tftp(308)When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records.dns-updates(196)nxt bugCA-99-14-bind.htmlIn SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution.sun-ftpd/logind(607)00156In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters.snmp-backdoor-access** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0022. Reason: This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users should reference CVE-1999-0022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.The passwd command in Solaris can be subjected to a denial of service.bugtraq id 174sun-passwd-dos(1442)00182Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111.#00142rpc-32771(330)00142Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.bugtraq id 67sun-rpcbind00167IIS newdsn.exe CGI script allows remote users to overwrite files.http-cgi-newdsn(1530)275Buffer overflow in telnet daemon tgetent routing allows remote attackers to gain root access via the TERMCAP environmental variable.BID 588bsd-tel-tgetent(610)Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option.ascend-killDenial of service in in.comsat allows attackers to generate messages.comsat(1884)Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.pmap-sset(2308)websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable).http-webgais-smail(296)2077237finger 0@host on some systems may print information on some user accounts.finger .@host on some systems may print information on some user accounts.Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password.A quote cwd command on FTP servers can reveal the full path of the home directory of the "ftp" user.ftp-home(203)The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands.ftp-exectar(619)In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program.CA-95.08.sendmail.v.5.vulnerabilitysmtp-sendmail-version5(518)Sendmail 8.6.9 allows remote attackers to execute root commands, using ident.ident-bo(627)Denial of service in Sendmail 8.6.11 and 8.6.12.19990708 SM 8.6.12MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access.sendmail-mime-bo(1836)Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command.CERT:CA-94.11.majordomo.vulnerabilitiesmajordomo-exe(510)rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.CA-95.17.rpc.ypupodated.vulrpc-update(110)The SunView (SunTools) selection_svc facility allows remote users to read files.CA-90.05.sunselection.vulnerabilityselsvc(122)bugtraq id 88Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters.bugtraq id 235CA-99-05-statd-automountd19971126 Solaris 2.5.1 automountd exploit (fwd)19990103 SUN almost has a clue! (automountd)HPSBUX9910-104235Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone.CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability24Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server.#00168sun-mountd(967)I-048libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind.sun-libnslDenial of service by sending forged ICMP unreachable packets.bugtraq id 50icmp-unreachable(1883)Routed allows attackers to append data to files.ripapp(320)19981004-01-PXJ-012Denial of service of inetd on Linux through SYN and RST packets.linux-inutid-doshp-inetdMalicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems.udp-bomb(143)Livingston portmaster machines could be rebooted via a series of commands.portmaster-reboot(1885)Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command.bugtraq id 269ftp-servu19990503 Buffer overflows in FTP Serv-U 2.519990504 Re: Buffer overflows in FTP Serv-U 2.5269ftp-servu(205)Attackers can do a denial of service of IRC by crashing the server.Denial of service of Ascend routers through port 150 (remote administration).ascend-150-kill(1881)Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL.cisco-web-crashSolaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry.sol-syslogd-crash(1887)Syslogd and Solaris 2.41878Denial of service in Windows NT messenger service through a long username.bugtraq id 465Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size.nt-logondos(342)Q180963Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service.Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service.nt-lsass-crash(1892)Q154087Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT.bugtraq id 688nt-rpc-ver(17)Q162567Denial of service in Windows NT IIS server using ..\..http-alibaba-dotdotBuffer overflow in Cisco 7xx routers through the telnet service.7xx Router Password Buffer Overflowbugtraq id 7041102Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access.Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.http-ncsa-longurlIIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files.http-iis-cmd(63)Q148188Q155056Bash treats any character with a value of 255 as a command separator.CA-96.22.bash_vulsBuffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.CERT:CA-95:04ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs.http-scriptalias(332)Remote execution of arbitrary commands through Guestbook CGI program.http-cgi-guestbook(321)VB-97.02.sol_questdayphp.cgi allows attackers to read any file on the system.http-cgi-phpfilereadNetscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET.bugtraq id 481fastrack-get-directory-list(1731)122Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy.Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.http-xguess-cookiesol-mkcookie(1429)Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords.linux-pop3dLinux cfingerd could be exploited to gain root access.Livingston RADIUS code has a buffer overflow which can allow remote execution of commands as root.radius-accounting-overflow(1891)Some configurations of NIS+ in Linux allowed attackers to log in as the user "+".linux-plus(307)HP Remote Watch allows a remote user to gain root access.hp-remoteBuffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands.1443inn-bo19970721 INN news server vulnerabilitiesA race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials.http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.htmlhttp://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1Windows NT RSHSVC program allows remote users to execute arbitrary commands.rsh-svcDenial of service in Qmail through long SMTP commands.qmail-lenghttp://cr.yp.to/qmail/venema.htmlhttp://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html19970612 qmail-dos-2.c, another denial of service attackDenial of service in talk program allows remote attackers to disrupt a user's display.talkd-flash(615)Buffer overflow in listserv allows arbitrary command execution.smtp-listserv(617)IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL.http-iis-2eA hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information.hpov-hidden-snmp-commBuffer overflow in ircd allows arbitrary command execution.Buffer overflow in War FTP allows remote execution of commands.war-ftpd(345)875Nestea variation of teardrop IP fragmentation denial of service.nestea-linux-dos(897)Bonk variation of teardrop IP fragmentation denial of service.teardrop-modDenial of Service attack (broad)Denial of Service Attacks (Broad)cfingerd lists all users on a system via search.**@target.cfinger-user-enumeration(1811)The jj CGI program allows command execution via shell metacharacters.http-cgi-jj(1808)Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.chameleon-smtp-dos(1987)http://www.insecure.org/sploits/netmanage.chameleon.overflows.htmlHylafax faxsurvey CGI script on Linux allows remote attackers to execute arbitrary commands via shell metacharacters in the query string.http-cgi-faxsurvey(1532)2056http-cgi-faxsurvey(1532)Solaris SUNWadmap can be exploited to obtain root access.bugtraq id 430sun-sunwadmap(1200)00173htmlscript CGI program allows remote read access to files.http-htmlscript-file-access(1466)ICMP redirect messages may crash or lock up a host.icmp-redirect(285)Q154174The info2www CGI script allows remote file access or remote command execution.http-cgi-info2www(1732)1995Buffer overflow in NCSA HTTP daemon v1.3 allows remote command execution.CA-95.04.NCSA.http.daemon.for.unix.vulnerabilityMetaInfo MetaWeb web server allows users to upload, execute, and read scripts.Security vulnerabilities in Metalinfo products1103969Netscape Enterprise servers may list files through the PageServices query.netscape-server-pageservices(1810)Directory traversal vulnerability in pfdispaly.cgi program (sometimes referred to as "pfdisplay") for SGI's Performer API Search Tool (performer_tools) allows remote attackers to read arbitrary files.Performer API Search Tool 2.2 pfdispaly.cgi Vulnerabilitysgi-pfdispaly(810)19980401-01-PI-04164134sgi-pfdispaly(810)Progressive Networks Real Video server (pnserver) can be crashed remotely.Denial of service in Slmail v2.5 through the POP3 port.BID 221slmail-username-bo(1662)Denial of service through Solaris 2.5.1 telnet by sending ^D characters.sun-telnet-kill(1464)Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made.nt-dns-dos(3106)Denial of service in Windows NT DNS servers by flooding port 53 with too many characters.nt-dnscrash(186)mSQL v2.0.1 and below allows remote execution through a buffer overflow.msql-debug-bo(2143)The WorkMan program can be used to overwrite any file to get root access.CA-96.23.workman_vulworkman(435)In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.BID 149iis-asp-data-check(1135)MS98-003oval:org.mitre.oval:def:913Excite for Web Servers (EWS) allows remote command execution via shell metacharacters.excite-cgi-search-vuln(1418)VB-98.01.excite-cgi-search-vulnRemote command execution in Microsoft Internet Explorer using .lnk and .url files.http-ie-lnkurl(463)Denial of service in IIS using long URLs.http-iis-longurl(531)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584, CVE-1999-1586. Reason: This candidate combined references from one issue with the description from another issue. Notes: Users should consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate name. All references and descriptions in this candidate have been removed to prevent accidental usage.The Java Web Server would allow remote users to obtain the source code for CGI programs.19970716 Viewable .jhtml source with JavaWebServerDenial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command.mdaemon-helo-bolotus-notes-helo-crashsmtp-exchangedos(344)Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection.In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages.Vulnerability in the Wguest CGI program.http-cgi-webcom-guestbook(2072)CGI Webcom guestbookThe WINS server in Microsoft Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service (process termination) via invalid UDP frames to port 137 (NETBIOS Name Service), as demonstrated via a flood of random packets.BID 298nt-winsupd-fix(1233)The Apache web server for Win32 may provide access to restricted files when a . (dot) is appended to a requested URL.The WinGate telnet proxy allows remote attackers to cause a denial of service via a large number of connections to localhost.wingate-dos(2003)The WinGate proxy is installed without a password, which allows remote attackers to redirect connections without authentication.wingate-unpassworded(1849)Denial of service through Winpopup using large user names.nt-winpopup(538)AAA authentication on Cisco systems allows attackers to execute commands without authorization.Cisco IOS 11.3(1.2) and 11.3(1.2)T AAA Failurecisco-ios-aaa-auth(1245)All records in a WINS database can be deleted through SNMP for a denial of service.nt-wins-snmp2(982)Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges.bugtraq id 241sun-sysdef(608)00157Solaris volrmmount program allows attackers to read any file.sun-volrmmount(708)00162Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable.vixie-cron(3124)ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack.BID 144119970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetmeBuffer overflow in FreeBSD lpd through long DNS hostnames.6093nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ servers.BID 239sun-niscache(606)00155Buffer overflow in SunOS/Solaris ps command.BID 220sun-ps2bo(484)00149SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server.sun-ftp-server(1370)00176Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.bnu-uucpd-bo(1395)mmap function in BSD allows local attackers in the kmem group to modify memory through devices.bsd-mmap(735)The system configuration control (sysctl) facility in BSD based operating systems OpenBSD 2.2 and earlier, and FreeBSD 2.2.5 and earlier, does not properly restrict source routed packets even when the (1) dosourceroute or (2) forwarding variables are set, which allows remote attackers to spoof TCP connections.bsd-sourceroute(736)11502bsd-sourceroute(736)buffer overflow in HP xlock program.hp-xlockVulnerability in xlockBuffer overflow in HP-UX cstm program allows local users to gain root privileges.hpux-cstm-boHP-UX gwind program allows users to modify arbitrary files.hpux-gwind-overwrite(1414)HPSBUX9410-018HP-UX vgdisplay program gives root access to local users.hpux-vgdisplay(1415)HPSBUX9702-056SSH 1.2.25 on HP-UX allows access to new user accounts.ssh-1225(1423)fpkg2swpk in HP-UX allows local users to gain root access.hpux-fpkg2swpk(1437)HPSBUX9612-042HP ypbind allows attackers with root privileges to modify NIS data.CA-93:01.REVISED.HP.NIS.ypbind.vulnerabilitynis-ypbind(519)bugtraq id 52disk_bandwidth on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames.bugtraq id 214sgi-disk-bandwidth(1441)19980701-01-P214936sgi-disk-bandwidth(1441)ioconfig on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames.sgi-ioconfig(1199)19980701-01-P2136788sgi-ioconfig(1199)Buffer overflow in Solaris fdformat command gives root access to local users.fdformat-bo(875)00138Buffer overflow in Linux splitvt command gives root access to local users.linux-splitvt(430)Buffer overflow in Linux su command gives root access to local users.su-bo(734)unixware-su-username-boBuffer overflow in xmcd 2.0p12 allows local users to gain access through an environmental variable.xmcd-envbo(436)Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting.xmcd-tiflestr(437)SunOS rpc.cmsd allows attackers to obtain root access by overwriting arbitrary files.BID 428sun-rpc.cmsd(818)Buffer overflow in Solaris kcms_configure command allows local users to gain root access.sun-kcms-configure-bo(1473)The open() function in FreeBSD allows local attackers to write to arbitrary files.freebsd-open(591)FreeBSD-SA-97:056092FreeBSD mmap function allows users to modify append-only or immutable files.bsd-mmap(735)1998-003ppl program in HP-UX allows local users to create root files through symlinks.hp-ppllog(419)HPSBUX9702-053vhe_u_mnt program in HP-UX allows local users to create root files through symlinks.hp-vhe(433)HPSBUX9406-013Vulnerability in HP-UX mediainit program.hp-mediainit(567)HPSBUX9710-071SGI syserr program allows local users to corrupt files.bugtraq id 85sgi-syserr19971103-01-PXSGI permissions program allows local users to gain root privileges.BID 417sgi-permtool(692)19971103-01-PXSGI mediad program allows local users to gain root access.BID 394sgi-mediad(1122)19980602-01-PXLinux bdash game has a buffer overflow that allows local users to gain root access.bdash-bo(821)Buffer overflow in Internet Explorer 4.0(1).iemk-bug(917)Buffer overflow in NetMeeting allows denial of service and remote command execution.BID 171nt-netmeeting(1222)Q184346HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack.omniback-remote(1396)In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access.CA-93.19.Solaris.Startup.vulnerabilitysol-startup(552)DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-1999-0032.CA-97.19.bsdlpbsd-lprbo(409)Buffer overflow in mstm in HP-UX allows local users to gain root access.hpux-mstm-bo(1439)AIX batch queue (bsh) allows local and remote users to gain additional privileges when network printing is enabled.CA-94.10.IBM.AIX.bsh.vulnerabilityibm-bsh(509)bugtraq id 349AIX Licensed Program Product performance tools allow local users to gain root access.CA-94.03.AIX.performance.toolsibm-perf-tools(504)Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access.bugtraq id 442sol-sun-libauth(1219)Buffer overflow in Linux Slackware crond program allows local users to gain root access.linux-crond(695)Buffer overflow in the Linux mail program "deliver" allows local users to gain root access.bugtraq id 226linux-deliver(702)Linux PAM modules allow local users to gain root access using temporary files.linux-pam-passwd-tmprace(1474)pamhttp://www.redhat.com/corp/support/errata/rh42-errata-general.html#pamA malicious Palace server can force a client to execute arbitrary programs.palace-malicious-servers-vuln(1631)NT users can gain debug-level access on a system process using the Sechole exploit.nt-priv-fix(1231)MS98-009Q190288Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems.ping-death(95)CA-96.26CGI PHP mlog script allows an attacker to read any file on the target server.http-cgi-php-mlog(1505)7133397Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a "%01" character in an "about:" Javascript URL, which causes Internet Explorer to use the domain specified after the character.19990126 Javascript ecurity bug in Internet Explorer19990126 Javascript ecurity bug in Internet ExplorerIIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory.bugtraq id 195Q197003930A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary commands.bugtraq id 192iis-remote-ftp(1654)IIS Remote FTP Exploit/DoS AttackMS99-003Q188348Race condition in the db_loader program in ClearCase gives local users root access by setting SUID bits.BID 538clearcase-temp-race(1718)FTP PASV "Pizza Thief" denial of service and unauthorized data access. Attackers can steal data by connecting to a port that was intended for use by a client.FTP PASV Pizza Thief denial of serviceControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption.controlit-passwd-encrypt(1651)rpc.pcnfsd in HP gives remote root access by changing the permissions on the main printer spool directory.pcnfsd-world-write(1699)HPSBUX9902-091J-026Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. Also applies to Outlook when the client views a malicious email message.word97-template-macro(3498)MS99-002Local or remote users can force ControlIT 4.5 to reboot or force a user to log out, resulting in a denial of service.controlit-reboot(1653)ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.controlit-bookfile-accessWindows 98 and other operating systems allows remote attackers to cause a denial of service via crafted "oshare" packets, possibly involving invalid fragmentation offsets.win98-oshare-dos(2228)Digital Unix 4.0 has a buffer overflow in the inc program of the mh package.du-inc(3137)19990125 Digital Unix 4.0 exploitable buffer overflowsJ-027ptylogin in Unix systems allows users to perform a denial of service by locking out modems, dial out with that modem, or obtain passwords.19990127 UNIX shell modem access vulnerabilitiesMS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely.IIS/MS Site ServerNetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging.WS_FTP server remote denial of service through cwd command.bugtraq id 217wsftp-remote-dos(1694)AD02021999217SuSE 5.2 PLP lpc program has a buffer overflow that leads to root compromise.plp-lpc-bo(1738)BID 328328Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data.19990204 Microsoft Access 97 Stores Database Password as PlaintextThe metamail package allows remote command execution using shell metacharacters that are not quoted in a mailcap entry.BID 110metamail-header-commands(1676)In some cases, Service Pack 4 for Windows NT 4.0 can allow access to network shares using a blank password, through a problem with a null NT hash value.BID 227nt-sp4-auth-error(1719)MS99-004Q214840NetBSD netstat command allows local users to access kernel memory.1999-0027571Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote root access, a.k.a. palmetto.CA-99-03-FTP-Buffer-Overflowspalmetto-ftpd-bo(1728)BID 113The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access.sun-sdtcm-convert-bo(1729)00183In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files.sun-manSolaris/SunOS man/catman Vulnerability165Lynx allows a local user to overwrite sensitive files through /tmp symlinks.lynx-temp-files-race(1665)The installer for BackOffice Server includes account names and passwords in a setup file (reboot.ini) which is not deleted.nt-backoffice-setup(1736)MS99-005MS99-005Q217004Buffer overflow in the "Super" utility in Debian GNU/Linux, and other operating systems, allows local users to execute commands as root.bugtraq id 341linux-super-bo(1723)linux-super-logging-bo(1832)Debian GNU/Linux cfengine package is susceptible to a symlink attack.bugtraq id 314linux-cfengine-symlinks(1802)Buffer overflow in webd in Network Flight Recorder (NFR) 2.0.2-Research allows remote attackers to execute commands.nfr-webd-overflow(1775)Local users in Windows NT can obtain administrator privileges by changing the KnownDLLs list to reference malicious programs.BID 234nt-knowndlls-list(1820)MS99-006MS99-006Process table attack in Unix systems allows a remote attacker to perform a denial of service by filling a machine's process tables through multiple connections to network services.unix-process-table-dosKernel process-table DoSInterScan VirusWall for Solaris doesn't scan files for viruses when a single HTTP request includes two GET commands.viruswall-http-request(3280)6167Microsoft Taskpads allows remote web sites to execute commands on the visiting user's machine via certain methods that are marked as Safe for Scripting.bugtraq id 498win-resourcekit-taskpads(1821)MS99-007MS99-0074981019SLMail 3.1 and 3.2 allows local users to access any file in the NTFS file system when the Remote Administration Service (RAS) is enabled by setting a user's Finger File to point to the target file, then running finger on the user.NT SLMail Remote Administration Service Vulnerability199902225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service19990225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration ServiceSLmail 3.2 Build 3113 (Web Administration Security Fix)497slmail-ras-ntfs-bypass(5392)super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access.linux-super-logging-bo(1832 )Debian Super Syslog Buffer Overflow Vulnerability19990225 SUPER buffer overflowThe screen saver in Windows NT does not verify that its security context has been changed properly, allowing attackers to run programs with elevated privileges.BID 474nt-screen-saver(1946)MS99-008MS99-008ACC Tigris allows public access without a login.BID 183acc-tigris-login(1571)183267The Forms 2.0 ActiveX control (included with Visual Basic for Applications 5.0) can be used to read text from a user's clipboard when the user accesses documents with ActiveX content.forms-vuln-patch(1659)MS99-001MS99-001The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of service or execute commands.bugtraq id 503ldap-mds-dos(1969)MS99-009MS99-009Microsoft Personal Web Server and FrontPage Personal Web Server in some Windows systems allows a remote attacker to read files on the server by using a nonstandard URL.pws-file-access(2036)MS99-010MS99-010111A legacy credential caching mechanism used in Windows 95 and Windows 98 systems allows attackers to read plaintext network passwords.MS99-052MS99-0529x-plaintext-pwd(3574)Bugtraq id 829Q168115829DataLynx suGuard trusts the PATH environment variable to execute the ps command, allowing local users to execute commands as root.bugtraq id 186datalynx-suguard-relative-paths(1543)3186Buffer overflow in the bootp server in the Debian Linux netstd package.Debian GNU/Linux netstd Vulnerabilitiesdebian-netstd-bo(4099)Buffer overflow in Dosemu Slang library in Linux.Bugtraq id 187CSSA-1999-006.1187The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused, allowing an attacker to replay the response and impersonate a user.BID 233Buffer overflow in Thomas Boutell's cgic library version up to 1.05.http-cgic-library-bo(1603)Remote attackers can cause a denial of service in Sendmail 8.8.x and 8.9.2 by sending messages with a large number of headers.sendmail-parsing-redirection(3477)19990121 Sendmail 8.8.x/8.9.x bugwareDPEC Online Courseware allows an attacker to change another user's password without knowing the original password.A race condition in the BackWeb Polite Agent Protocol allows an attacker to spoof a BackWeb server.backweb-polite-agent-protocol(1611)backweb-polite-agent-protocolA race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service.netbsd-tcp-race(1658)The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login.ssh-exp-account-access(3493)The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands.mirc-dcc-metachar-filenameDenial of service in Linux 2.2.0 running the ldd command on a core file.Linux ldd core VulnerabilityA race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files.linux-race-condition-proc(3497)wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself.wget-permissions(1805)A bug in Cyrix CPUs on Linux allows local users to perform a denial of service.cyrix-hang(1716)19990204 Cyrix bug: freeze in hell, badboyBuffer overflow in the Mail-Max SMTP server for Windows systems allows remote command execution.mailmax-bo(1773)A buffer overflow in lsof allows local users to obtain root privilege.bugtraq id 496lsof-bo(1791)3163Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege.digital-networker-bo(1807)digital-networker-bo(1807)By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system.19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS19990209 Re: IIS4 allows proxied password attacks over NetBIOSFiles created from interactive shell sessions in Cobalt RaQ microservers (e.g. .bash_history) are world readable, and thus are accessible from the web server.cobalt-raq-history-exposure(1831)bugtraq id 337337Buffer overflow in gnuplot in Linux version 3.5 allows local users to obtain root access.gnuplot-home-overflow(1888)BID 319319The cancel command in Solaris 2.6 (i386) has a buffer overflow that allows local users to obtain root access.bugtraq id 293sol-cancel(1900)293Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access.sco-startup-scripts(1930)sco-startup-scriptsIn IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension.bugtraq id 501iis-isapi-execute(1950)501A buffer overflow in the SGI X server allows local users to gain root access through the X server font path.irix-font-path-overflow(1929)19990301-01-PXIn Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection.bugtraq id 580linux-blind-spoof(1932)The HTTP server in Cisco 7xx series routers 3.2 through 4.2 is enabled by default, which allows remote attackers to change the router's configuration.cisco-router-commandscisco-router-commands(1951)19990311 Cisco 7xx TCP and HTTP VulnerabilitiesJ-034Vulnerability in Cisco 7xx series routers allows a remote attacker to cause a system reload via a TCP connection to the router's TELNET port.cisco-router-doscisco-web-crash(1886)19990311 Cisco 7xx TCP and HTTP VulnerabilitiesJ-03464 bit Solaris 7 procfs allows local users to perform a denial of service.solaris-psinfo-crash(1935)BID 4484481001Denial of service in SMTP applications such as Sendmail, when a remote attacker (e.g. spammer) uses many "RCPT TO" commands in the same connection.19990308 SMTP server account probingWhen the Microsoft SMTP service attempts to send a message to a server and receives a 4xx error code, it quickly and repeatedly attempts to redeliver the message, causing a denial of service.smtp-4xx-error-dosumapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program.During a reboot after an installation of Linux Slackware 3.6, a remote attacker can obtain root access by logging in to the root account without a password.BID 338linux-slackware-install(2040)981In some cases, NetBSD 1.3.3 mount allows local users to execute programs in some file systems that have the "noexec" flag set.Vulnerability in hpterm on HP-UX 10.20 allows local users to gain additional privileges.hp-hpterm-files(2182)HPSBUX9903-093talkback in Netscape 4.5 allows a local user to overwrite arbitrary files of another user whose Netscape crashes.netscape-talkback-overwrite(2006)talkback in Netscape 4.5 allows a local user to kill an arbitrary process of another user whose Netscape crashes.netscape-talkback-kill(2005)19.03.1999The default permissions of /dev/kmem in Linux versions before 2.0.36 allows IP spoofing.linux-dev-kmem-spoofEudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names.eudora-long-attachment-filename(4482)BID 1210OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.ssl-session-reuse(1991)OpenSSL and SSLeay Security Alert3936The Lotus Notes 4.5 client may send a copy of encrypted mail in the clear across the network if the user does not set the "Encrypt Saved Mail" preference.lotus-client-encryption(2047)1999032319990324 Re: LNotes encryption19990326 Lotus Notes Encryption Bug19990326 Re: Lotus Notes security advisoryCisco Catalyst LAN switches running Catalyst 5000 supervisor software allows remote attackers to perform a denial of service by forcing the supervisor module to reload.bugtraq id 705CI-99.03cisco-catalyst-crash(2019)1103Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service.This problem was fixed in Linux kernel 2.2.4 and later releases.linux-zerolength-fragment(2041)ftp on HP-UX 11.00 allows local users to gain privileges.hp-ftp(2009)HPSBUX9903-094HPSBUX9903-094XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.BID 326xfree86-temp-directories(2032)XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.Multiple Vendor xfs Symlink Vulnerabilityxfree86-xfs-symlink-dosMC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain privileges through SAM.hp-serviceguard(2046)hp-serviceguardDomain Enterprise Server Management System (DESMS) in HP-UX allows local users to gain privileges.hp-desms-servers(2045)HPSBUX9903-095HPSBUX9903-095Remote attackers can perform a denial of service in WebRamp systems by sending a malicious string to the HTTP port.webramp-device-crash(2050)Remote attackers can perform a denial of service in WebRamp systems by sending a malicious UDP packet to port 5353, changing its IP address.bugtraq id 577webramp-ipchange(2051)Buffer overflow in procmail before version 3.12 allows remote or local attackers to execute commands via expansions in the procmailrc configuration file.procmail-overflow(2082)The byte code verifier component of the Java Virtual Machine (JVM) allows remote execution through malicious web pages.java-unverified-code(2025)http://java.sun.com/pr/1999/03/pr990329-01.html19990405 Security Hole in Java 2 (and JDK 1.1.x)1939Remote attackers can perform a denial of service in WinGate machines using a buffer overflow in the Winsock Redirector Service.bugtraq id 509AD02221999wingate-redirector-dos(2066)AD02221999509Solaris ff.core allows local users to modify files.BID 327327Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password.bmc-patrol-replay(2078)19990409 Patrol security bugsRemote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files.windows-arp-dosIn Cisco routers under some versions of IOS 12.0 running NAT, some packets may not be filtered by input access list filters.BID 706cisco-natacl-leakage(2071)1104Local users can perform a denial of service in NetBSD 1.3.3 and earlier versions by creating an unusual symbolic link with the ln command, triggering a bug in VFS.netbsd-vfslocking-panic(2062)1999-0087051Local users can gain privileges using the debug utility in the MPE/iX operating system.mpeix-debug(2073)HPSBMP9904-006HPSBMP9904-006IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request.bugtraq id 191iis-http-request-logging(1656)The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (2) query.asp, or (3) search.asp scripts.bugtraq id 193iis-exair-dos(2229)193234In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe) .194Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port.Linux TCP port DoS VulnerabilityA service or application has a backdoor password that was placed there by the developer.An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP).A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly.coldfusion-expression-evaluator(1740)Allaire ColdFusion Remote File Display, Deletion, Upload and Execution VulnerabilityLinux ftpwatch program allows local users to gain root privileges.bugtraq id 317ftpwatch-vuln(1607)317L0phtcrack 2.5 used temporary files in the system TEMP directory which could contain password information.l0phtcrack-temp-files(1606)915Local users can perform a denial of service in Alpha Linux, using MILO to force a reboot.linux-milo-halt(1717)linux-milo-halt(1717)Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service.Linux autofs VulnerabilityVersions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source address.pmap-sset(2308)suidperl in Linux Perl does not check the nosuid mount option on file systems, allowing local users to gain root access by placing a setuid script in a mountable file system, e.g. a CD-ROM or floppy disk.Perl suidmount Vulnerabilityperl-suidperl-bo(3544)Remote attackers can perform a denial of service using IRIX fcagent.bugtraq id 144sgi-fcagent-dos(1443)19981201-01-PXLocal users can perform a denial of service in Tripwire 1.2 and earlier using long filenames.19990104 Tripwire mess..6609Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter.The SVR4 /dev/wabi special device file in NetBSD 1.3.3 and earlier allows a local user to read or write arbitrary files on the disk associated with that device.bugtraq id 114NetBSD-SA1999-009905The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter.http-cgi-webcom-guestbook(2072)Internet Explorer 5.0 allows a remote server to read arbitrary files on the client's file system using the Microsoft Scriptlet Component.ie-scriplet-fileread(2070)MS99-012MSHTMLInternet Explorer 5.0 allows window spoofing, allowing a remote attacker to spoof a legitimate web site and capture information from the client.ie-window-spoofA weak encryption algorithm is used for passwords in Novell Remote.NLM, allowing them to be easily decrypted.netware-remotenlm-passwords(2081)482The remote proxy server in Winroute allows a remote attacker to reconfigure the proxy without authentication through the "cancel" button.winroute-config(2079)The SNMP default community name "public" is not properly removed in NetApps C630 Netcache, even if the administrator tries to disable it.netcache-snmp(2080)The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred.rsync-permissions(2074)19990823145The ICQ Webserver allows remote attackers to use .. to access arbitrary files outside of the user's personal directory.icq-webserver-read(2085)A race condition in how procmail handles .procmailrc files allows a local user to read arbitrary files available to the user who is running procmail.procmail-race(2083)A weak encryption algorithm is used for passwords in SCO TermVision, allowing them to be easily decrypted by a local user.sco-termvision-password(2063)The Expression Evaluator in the ColdFusion Application Server allows a remote attacker to upload files to the server via openfile.cfm, which does not restrict access to the server properly.Allaire ColdFusion Remote File Display, Deletion, Upload and Execution VulnerabilityDenial of service in HP-UX sendmail 8.8.6 related to accepting connections.sendmail-headers-dos(2300)HPSBUX9904-097Denial of service Netscape Enterprise Server with VirtualVault on HP-UX VVOS systems.netscape-server-dos(1964)HPSBUX9903-092Local attackers can conduct a denial of service in Midnight Commander 4.x with a symlink attack.midnight-commander-symlink-dos(3505)Denial of service in "poll" in OpenBSD.7556OpenBSD kernel crash through TSS handling, as caused by the crashme program.7557OpenBSD crash using nlink value in FFS and EXT2FS filesystems.6129Buffer overflow in OpenBSD ping.6130Remote attackers can cause a system crash through ipintr() in ipq in OpenBSD.openbsd-ipintr-race(1829)7558Denial of service in AOL Instant Messenger when a remote attacker sends a malicious hyperlink to the receiving client, potentially causing a system crash.aolim-malformed-ascii-dos(4877)aol-im(819)The DHTML Edit ActiveX control in Internet Explorer allows remote attackers to read arbitrary files.bugtraq id 116MS99-011q226326ie-dhtml-control(2161)MS99-011Internet Explorer 4.0 and 5.0 allows a remote attacker to execute security scripts in a different security context using malicious URLs, a variant of the "cross frame" vulnerability.ie-mshtml-crossframe(2216)MS99-012MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste a file name into the file upload intrinsic control, a variant of "untrusted scripted paste" as described in MS:MS98-013.MS:MS99-015MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn information about a local user's files via an IMG SRC tag.ie-scriplet-filereadMS:MS99-012The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute.bugtraq id 119CSSA-1999:008.019990420 Bash Bug119The ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses.rpc.statd allows remote attackers to forward RPC calls to the local operating system via the SM_MON and SM_NOTIFY commands, which in turn could be used to remotely exploit other bugs such as in automountd.BID 450CA-99-05-statd-automountd00186J-04519990103 SUN almost has a clue! (automountd)450Denial of service in WinGate proxy through a buffer overflow in POP3.wingate-pop3-user-bo(1847)A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares.A Windows NT 4.0 user can gain administrative rights by forcing NtOpenProcessToken to succeed regardless of the user's permissions, aka GetAdmin.q146965Q146965Anonymous FTP is enabled.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.Anonymous FTP is an unsecured protocol for Internet facing systems and should only be used on a limited basis to provide a specific functional requirement, otherwise disabled. The software should be patched and configured properly.TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files.linux-tftp(308)CERT:CA-91.18.Active.Internet.tftp.AttacksNETBIOS share information may be published through SNMP registry keys in NT.snmp-netbiosA Unix account has a guessable password.default-unix-lp(1005)A Unix account has a default, null, blank, or missing password.passwd-blank(774)passwd-blank-lines(2941)A Windows NT local user or administrator account has a guessable password.nt-guess-admin(282)nt-guessed-powerwd(1328)A Windows NT local user or administrator account has a default, null, blank, or missing password.nt-guestblankpw(159)nt-guestnopwA Windows NT domain user or administrator account has a guessable password.nt-guessed-domain-userpwd(1329)win2k-certpub-usrpwd(3421)A Windows NT domain user or administrator account has a default, null, blank, or missing password.nt-domain-admin-blankpwd(1355)win2k-dhcpadm-blnkpwd(3422)An account on a router, firewall, or other network device has a guessable password.firewall-tisopen(388)An account on a router, firewall, or other network device has a default, null, blank, or missing password.default-netranger(980)motorola-cable-default-passcayman-gatorboxPerl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands.CERT:CA-96.11A router or firewall allows source routed packets from arbitrary hosts.source-routing(639)source-routing-disable(3577)IP forwarding is enabled on a machine which is not a router or firewall.ip-forwarding(193)A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers.ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.CA-98.01BID 147UDP messages to broadcast addresses are allowed, allowing for a Fraggle attack that can cause a denial of service by flooding the target.fraggle(815)An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv.An SNMP community name is guessable.snmp-get-guess(1241)An SNMP community name is the default (e.g. public), null, or missing.hpov-hidden-snmp-comm(1387)snmp-comm(133)A NETBIOS/SMB share password is guessable.nt-netbios-perm(182)A NETBIOS/SMB share password is the default, null, or missing.nt-netbios-everyoneaccess(1)nt-netbios-guestaccess(2)nt-netbios-write(19)nt-netbios-share(12)nt-netbios-shareguest(20)A system-critical NETBIOS/SMB share has inappropriate access control.An NIS domain name is easily guessable.nis-dom(85)The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate.NIS+ Configuration VulnerabilityICMP echo (ping) is allowed from arbitrary hosts.ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts.icmp-netmask(306)icmp-timestamp(322)95icmp-netmask(306)icmp-timestamp(322)IP traceroute is allowed from arbitrary hosts.traceroute(142)An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server.xcheck-keystroke(155)VU#704969The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as "ls" can be overwritten.A router or firewall forwards external packets that claim to come from inside the network that the router/firewall is in front of.A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc.A system is operating in "promiscuous" mode which allows it to perform packet sniffing.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.This functionality should be disabled, because these commands can be used for attack reconnaissance.A DNS server allows zone transfers.dns-zonexfer(212)A DNS server allows inverse queries.dns-iquery(206)A Windows NT user has inappropriate rights or privileges, e.g. Act as System, Add Workstation, Backup, Change System Time, Create Pagefile, Create Permanent Object, Create Token Name, Debug, Generate Security Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory, Profile Single Process, Remote Shutdown, Replace Process Token, Restore, System Environment, Take Ownership, or Unsolicited Input.nt-lock-memory(235)nt-increase-quota(236)nt-unsol-input(237)A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. for password length, password age, or uniqueness.nt-pwlen(97)nt-maxage(220)nt-minage(221)A configuration in a web browser such as Internet Explorer or Netscape Navigator allows execution of active content such as ActiveX, Java, Javascript, etc.nav-java-enabled(365)A trust relationship exists between two Unix hosts.A password for accessing a WWW URL is guessable.http-password(59)The Windows NT guest account is enabled.nt-guest-account(1326)An SSH server allows authentication through the .rhosts file.A superfluous NFS server is running, but it is not importing or exporting any file systems.Windows NT automatically logs in an administrator upon rebooting.A router's routing tables can be obtained from arbitrary hosts.routed(107)rip(103)HP OpenMail can be misconfigured to allow users to run arbitrary commands using malicious print requests.bugtraq id 96#00078hp-openmail(965)HPSBUX9804-078NFS exports system-critical data to the world, e.g. / or a password file.A Unix account with a name other than "root" has UID 0, i.e. root privileges.Two or more Unix accounts have the same UID.A system-critical Unix file or directory has inappropriate permissions.A system-critical Windows NT file or directory has inappropriate permissions.IIS has the #exec function enabled for Server Side Include (SSI) files.The registry in Windows NT can be accessed remotely by users who are not administrators.nt-winreg-all(151)nt-winreg-net(152)OVAL1023oval:org.mitre.oval:def:1023An attacker can force a printer to print arbitrary documents (e.g. if the printer doesn't require a password) or to become disabled.A Sendmail alias allows input to be piped to a program.An attacker can write to syslog files from any location, causing a denial of service by filling up the logs, and hiding activities.ibm-syslogd(493)rpc.admind in Solaris is not running in a secure mode.A URL for a WWW directory allows auto-indexing, which provides a list of all files in that directory if it does not contain an index.html file.Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.A router's configuration service or management interface (such as a web server or telnet) is configured to allow connections from arbitrary hosts..reg files are associated with the Windows NT registry editor (regedit), making the registry susceptible to Trojan Horse attacks.nt-regfile(178)A Windows NT system's user audit policy does not log an event success or failure, e.g. for Logon and Logoff, File and Object Access, Use of User Rights, User and Group Management, Security Policy Changes, Restart, Shutdown, and System, and Process Tracking.nt-system-audit(226)nt-object-audit(228)nt-privil-audit(229)nt-process-audit(230)nt-policy-audit(231)A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories.nt-object-audit(228)A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories.A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys.A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys.The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate, system-critical permissions.The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate, system-critical permissions.A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g. lockout duration, lockout after bad logon attempts, etc.nt-thres-lockout(68)There is a one-way or two-way trust relationship between Windows NT domains.A Windows NT file system is not NTFS.A Windows NT administrator account has the default name of Administrator.nt-adminexists(28)A network service is running on a nonstandard port.A WWW server is not running in a restricted file system, e.g. through a chroot, thus allowing access to system-critical data.A filter in a router or firewall allows unusual fragmented packets.A system-critical Windows NT registry key has inappropriate permissions.A system does not present an appropriate legal message or warning to a user who is accessing it.J-043g: Creating Login BannersAn event log in Windows NT has inappropriate access permissions.The Logon box of a Windows NT system displays the name of the last user who logged in.The default setting for the Winlogon key entry ShutdownWithoutLogon in Windows NT allows users with physical access to shut down a Windows NT system without logging in.A Windows NT system does not restrict access to removable media drives such as a floppy disk drive or CDROM drive.A Windows NT system does not clear the system page file during shutdown, which might allow sensitive information to be recorded.A Windows NT log file has an inappropriate maximum size or retention period.A Windows NT account policy does not forcibly disconnect remote users from the server when their logon hours expire.A network intrusion detection system (IDS) does not properly handle packets that are sent out of order, allowing an attacker to escape detection.A network intrusion detection system (IDS) does not properly handle packets with improper sequence numbers.A network intrusion detection system (IDS) does not verify the checksum on a packet.A network intrusion detection system (IDS) does not properly handle data within TCP handshake packets.A network intrusion detection system (IDS) does not properly reassemble fragmented packets.In Windows NT, an inappropriate user is a member of a group, e.g. Administrator, Backup Operators, Domain Admins, Domain Guests, Power Users, Print Operators, Replicators, System Operators, etc.An incorrect configuration of the WebStore 1.0 shopping cart CGI program "web_store.cgi" could disclose private information.Shopping Carts exposing CC data19990420 Shopping Carts exposing CC dataAn incorrect configuration of the Order Form 1.0 shopping cart CGI program could disclose private information.Shopping Carts exposing CC data19990420 Shopping Carts exposing CC dataAn incorrect configuration of the EZMall 2000 shopping cart CGI program "mall2000.cgi" could disclose private information.Shopping Carts exposing CC data19990420 Shopping Carts exposing CC dataquikstore.cgi in QuikStore shopping cart stores quikstore.cfg under the web document root with insufficient access control, which allows remote attackers to obtain the cleartext administrator password and gain privileges.Shopping Carts exposing CC data19990420 Shopping Carts exposing CC dataAn incorrect configuration of the PDG Shopping Cart CGI program "shopper.cgi" could disclose private information.Shopping Carts exposing CC datahttp://www.pdgsoft.com/Security/security.html.19990420 Shopping Carts exposing CC datapdgsoftcart-misconfig(3857)An incorrect configuration of the SoftCart CGI program "SoftCart.exe" could disclose private information.Shopping Carts exposing CC data19990420 Shopping Carts exposing CC dataAn incorrect configuration of the Webcart CGI program could disclose private information.Shopping Carts exposing CC data19990420 Shopping Carts exposing CC dataA system-critical Windows NT registry key has an inappropriate value.A version of finger is running that exposes valid user information to any entity on the network.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The FTP Service should be disabled because it could reveal information about a host's users, which could be used as reconnaissance information for attacks. finger-running(46)The rpc.sprayd service is running.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.rpc.sprayd is an unsecured protocol for Internet facing systems and should only be used on a trusted network segment, otherwise disabled. The software should be patched and configured properly. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The FTP service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The FTP Service is an unsecured protocol for Internet facing systems and should only be used on a limited basis to provide a specific functional requirement, otherwise disabled. Secure alternatives that encrypt communications are available. The software should be patched and configured properly.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The SNMP service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.SNMPv3 is a secure protocol for management of networked systems, provided the cryptographic security mechanisms are used. SNMPv1 and SNMPv2 are unsecured protocols for Internet facing systems and should only be used on a trusted network segment. For all versions, the software should be patched and configured properly.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The TFTP service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The TFTP Service is an unsecured protocol and it should used only on a limited basis on rare occasion to provide a specific functional requirement, otherwise disabled. Secure alternatives are available. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The SMTP service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The SMTP Service is an unsecured protocol for Internet facing systems (e.g., user authentication not required, communications not encrypted) and should only be used on a limited basis to provide a specific functional requirement, otherwise disabled. The software should be patched and configured properly.The rexec service is running.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The Telnet service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The Telnet Service is an unsecured and obsolete protocol and it should be disabled. Secure alternatives such as SSH are available. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A component service related to NIS is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.These protocols, such as RPC ypbind, yppasswd, ypserv, ypupdated, and ypxfrd, are unsecured protocols for Internet facing systems and should only be used on a trusted network segment, otherwise disabled. The software should be patched and configured properly.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A component service related to NETBIOS is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.This component service should not be allowed to communicate over untrusted networks, such as the Internet, because it is an unsecured protocol (e.g., communications not encrypted). The software should be patched and configured properly.oval:org.mitre.oval:def:1024** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A component service related to DNS service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.DNS is a critical network service. It should be fully patched and properly configured for Internet facing servers to avoid common attacks such as DNS spoofing, poisoning, and unauthorized zone transfers.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The X Windows service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The XWindows service is an unsecured protocol for Internet facing system and should only be used on a trusted network segment, otherwise disabled. The software should be patched and configured properly.The rstat/rstatd service is running.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.These are unsecured and obsolete protocols and they should be disabled. The rpc.rquotad service is running.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.rpc.rquotad is an unsecured and obsolete protocol and it should be disabled. A version of rusers is running that exposes valid user information to any entity on the network.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.rusers is an unsecured and obsolete protocol and it should be disabled. ruser(183)The rexd service is running, which uses weak authentication that can allow an attacker to execute commands.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The rexd service is an unsecured protocol for Internet facing systems and should only be used on a trusted network segment, otherwise disabled. The software should be patched and configured properly.bugtraq id 37CA-92.05The rwho/rwhod service is running, which exposes machine status and user information.rwhod-vuln(118)The ident/identd service is running.The NT Alerter and Messenger services are running.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The NFS service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.NFS Service is an unsecured protocol for Internet facing systems (e.g., user authentication not required, communications not encrypted) and should only be used on a trusted managed network, otherwise disabled. The software should be patched and configured properly.The RPC portmapper service is running.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The RPC portmapper service is an unsecured protocol for Internet facing systems and should only be used on a trusted network segment, otherwise disabled. The software should be patched and configured properly. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The HTTP/WWW service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The software should be patched and configured properly. SSL/TLS should be used to protect transmissions of sensitive data. The presence of HTTP may be an indication that an web application server is running on the system.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The SSH service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.SSH is a secure protocol, provided it is fully patched, properly configured, and uses FIPS approved algorithms. SSH version 2 is preferred over SSH version 1 because of known flaws in version 1.The echo service is running.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The Echo Service is an unsecured and obsolete protocol and it should be disabled. Historically it has been used to perform denial of service attacks.20060116 ACT P202S VoIP wireless phone multiple undocumented ports/services18514The discard service is running.The systat service is running.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The systat service is an unsecured and obsolete protocol and it should be disabled because it can reveal information about a host's operations. The daytime service is running.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The daytime service is an unsecured and obsolete protocol and it should be disabled.The chargen service is running.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.chargen service is an unsecured and obsolete protocol and it should be disabled. Historically it has been used to perform denial of service attacks. Ping and traceroute can be used to provide the same functionality.The Gopher service is running.The UUCP service is running.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The UUCP Service is an unsecured and obsolete protocol and it should be disabled. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A POP service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.POP3 is an unsecured protocol for Internet facing systems that does not encrypt its transmissions. POP3 should be tunneled over SSL/TLS or another encrypted tunnel. The software should be patched and configured properly. Earlier versions of POP, such as POP2, are unsecured and obsolete, and should be disabled.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The IMAP service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.IMAP Service is an unsecured protocol for Internet facing systems that does not encrypt its transmissions. IMAP should be tunneled over SSL/TLS or another encrypted tunnel. The software should be patched and configured properly.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The NNTP news service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.NNTP news service is an unsecured protocol for Internet facing systems (e.g., user authentication not required, communications not encrypted). It could be tunneled over SSL/TLS. The software should be patched and configured properly.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The IRC service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.IRC Service is an unsecured protocol that typically does not authenticate the identity of users and does not encrypt its network communications. IRC is not commonly deployed on enterprise networks. If an organization decides to use it, it should be patched and configured properly, otherwise it should be disabled.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The LDAP service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The software should be patched and configured properly to prevent information disclosure. It can be tunneled over SSL/TLS.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The bootparam (bootparamd) service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The bootparam service is an unsecured protocol for Internet facing systems and should only be used on a trusted network segment, otherwise disabled. The software should be patched and configured properly. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The X25 service is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.X25 is an unsecured protocol for Internet facing systems and should only be used on a limited basis to provide a specific functional requirement, otherwise disabled. The software should be patched and configured properly.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The FSP service is running."The netstat service is running, which provides sensitive information to remote attackers.The rsh/rlogin service is running.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A database service is running, e.g. a SQL server, Oracle, or mySQL."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The software should be patched and configured properly to prevent information leakage and unauthorized access.A component service related to NIS+ is running.The OS/2 or POSIX subsystem in NT is enabled.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is not about any specific product, protocol, or design, so it is out of scope of CVE. Notes: the former description is: "A service may include useful information in its banner or help function (such as the name and version), making it useful for information gathering activities."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.The ugidd RPC interface, by design, allows remote attackers to enumerate valid usernames by specifying arbitrary UIDs that ugidd maps to local user and group names.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.linux-ugidd(348)WinGate is being used.This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "DCOM is running."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A Windows NT Primary Domain Controller (PDC) or Backup Domain Controller (BDC) is present."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is not about any specific product, protocol, or design, so it is out of scope of CVE. It might be more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc."This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration.A system is running a version of software that was replaced with a Trojan Horse at one of its distribution points, such as (1) TCP Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and 2.1f, (4) IRC client (ircII) ircII 2.2.9, (5) OpenSSH 3.4p1, or (6) Sendmail 8.12.6.CA-1994-07CA-1994-14CA-1999-01CA-1999-02CA-2002-2820021009 Re: CERT Advisory CA-2002-28 Trojan Horse Sendmail5921sendmail-backdoor(10313)20020801 trojan horse in recent openssh (version 3.4 portable 1)20020801 OpenSSH Security Advisory: Trojaned Distribution FilesA system-critical program or library does not have the appropriate patch, hotfix, or service pack installed, or is outdated or obsolete.A system-critical program, library, or file has a checksum or other integrity measurement that indicates that it has been modified.An application-critical Windows NT registry key has inappropriate permissions.An application-critical Windows NT registry key has an inappropriate value.The ARP protocol allows any host to spoof ARP replies and poison the ARP cache to conduct IP address spoofing or a denial of service.The scriptlet.typelib ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.ms-scriptlet-eyedog-unsafe(3244)BID 598MS99-032J-064598Q240308The Eyedog ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.Update Available for Scriptlet.Typelib and Eyedog Security Vulnerabilityms-scriptlet-eyedog-unsafe(3244)J-064Buffer overflow in the Eyedog ActiveX control allows a remote attacker to execute arbitrary commands.Update Available for Scriptlet.Typelib and Eyedog Security Vulnerabilityms-scriptlet-eyedog-unsafe(3244)MS99-032J-064Buffer overflow in ToxSoft NextFTP client through CWD command.ToxSoft NextFTP Buffer Overflow Vulnerabilitytoxsoft-nextftp-cwd-bo(4286)572Buffer overflow in Fujitsu Chocoa IRC client via IRC channel topics.fujitsu-topic-bo(4287)Fujitsu Chocoa "Topic" Buffer Overflow Vulnerability573Buffer overflow in ALMail32 POP3 client via From: or To: headers.CREAR ALMail32 Buffer Overflow Vulnerabilityalmail-bo(3541)574The BSD profil system call allows a local user to modify the internal data space of a program via profiling and execve.BID 5701999-011J-067Check Point FireWall-1 can be subjected to a denial of service via UDP packets that are sent through VPN-1 to port 0 of a host.Firewall-1 Port 0 Denial of Service Vulnerabilitycheckpoint-port(3233)19990809 FW1 UDP Port 0 DoS5761038sdtcm_convert in Solaris 2.6 allows a local user to overwrite sensitive files via a symlink attack.bugtraq id 575sun-sdtcm-convert(3116)19990808 sdtcm_convert575The WebRamp web administration utility has a default password.WebRamp Default Adminstrative Login Vulnerabilitywebramp-default-password(3830)Password hunting with webramp577A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server.apache-debian-usrdoc(2084)bugtraq id 318318Buffer overflow in hybrid-6 IRC server commonly used on EFnet allows remote attackers to execute commands via m_invite invite option.Ircd hybrid-6 Buffer Overflow Vulnerabilityhybrid-ircd-minvite-bo(4320)w00w00's efnet ircd advisoryhttp://www.efnet.org/archive/servers/hybrid/ChangeLog581Windows NT Terminal Server performs extra work when a client opens a new connection but before it is authenticated, allowing for a denial of service.BID 571nt-terminal-dos(3104)MS99-028MS99-028MS99-028Q238600J-057Buffer overflow in Microsoft FrontPage Server Extensions (PWS) 3.0.2.926 on Windows 95, and possibly other versions, allows remote attackers to cause a denial of service via a long URL.bid 568frontpage-pws-dos(3117)BUGTRAQ:19990807 Crash FrontPage RemotelyMicrosoft Exchange 5.5 allows a remote attacker to relay email (i.e. spam) using encapsulated SMTP addresses, even if the anti-relaying features are enabled.BID 567MS99-027MS99-027exchange-relay(3107)MS99-027Q237927567J-056Denial of service in Gauntlet Firewall via a malformed ICMP packet.bugtraq id 556gauntlet-dos(3108)1029Denial of service in Sendmail 8.8.6 in HPUX.hp-sendmail-connect-dosSecurity Vulnerability in sendmailHP-UX Security Vulnerability in sendmailBuffer overflow in Netscape Communicator via EMBED tags in the pluginspage option.bugtraq id 618618Denial of service in Netscape Enterprise Server (NES) in HP Virtual Vault (VVOS) via a long URL.hp-tgad-dos(2194)HPSBUX9906-098J-046The ToolTalk ttsession daemon uses weak RPC authentication, which allows a remote attacker to execute commands.bugtraq id 641cde-ttsession-rpc-auth(3693)CA-99-11-CDE00192HPSBUX9909-103K-001637Buffer overflows in HP Software Distributor (SD) for HPUX 10.x and 11.x.hp-sd-bo(3125)HPSBUX9907-101545The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack.CA-99-11-CDEcde-dtspcd-file-auth(3699)BID 63600192HPSBUX9909-103oval:org.mitre.oval:def:1880636HP CDE program includes the current directory in root's PATH variable.HP Current Directory Vulnerabilityhp-cde-directory(2342)HPSBUX9907-100Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name.CA-99-11-CDEcde-dtaction-username-bo(3241)BID 63500192HPSBUX9909-103635oval:org.mitre.oval:def:3078The default configuration of the Array Services daemon (arrayd) disables authentication, allowing remote users to gain root privileges.CA-99-09-arraydsgi-arrayd(2367)J-05219990701-01-PBuffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges.CA-99-11-CDEcde-dtsession-env-bo(3242)bugtraq id 64100192HPSBUX9909-103641oval:org.mitre.oval:def:4374Denial of service in AIX ptrace system call allows local users to crash the system.aix-ptrace-halt(3134)The Sybase PowerDynamo personal web server allows attackers to read arbitrary files through a .. (dot dot) attack.bugtraq id 620http-powerdynamo-dotdotslash6201064Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd).sun-cmsd-bo(2345)CA-99-08-cmsd00188HPSBUX9908-102J-051SCO Doctor allows local users to gain root privileges through a Tools option.sco-doctor-executeSCO 5.0.5 /bin/doctor nightmareSCO OpenServer Doctor Command Execution Vulnerability621Denial of service in IP protocol logger (ippl) on Red Hat and Debian Linux.The Bluestone Sapphire web server allows session hijacking via easily guessable session IDs.BID 623623Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed dialer entry in the dialer.ini file.nt-malformed-dialer(3109)MS99-026Q237185MS99-026After an unattended installation of Windows NT 4.0, an installation file could include sensitive information such as the local Administrator password.bugtraq id 626nt-install-unattend-file(3226)MS99-036MS99-036MS99-036Q173039626Internet Explorer 5.0 and 5.01 allows remote attackers to modify or execute files via the Import/Export Favorites feature, aka the "ImportExportFavorites" vulnerability.bugtraq id 627ie5-import-export-favorites(3229)MS99-037MS99-037MS99-037Q241361627OpenBSD, BSDI, and other Unix operating systems allow users to set chflags and fchflags on character and block devices.openbsd-chflags-fchflags-permitted(3344)J-066Buffer overflow in Berkeley automounter daemon (amd) logging facility provided in the Linux am-utils package and others.amd-bo(3171)bugtraq id 614614Buffer overflow in INN inews program.inn-inews-bo(3170)BID 616616Linux xmonisdn package allows local users to gain root privileges by modifying the IFS or PATH environmental variables.BID 616583The default FTP configuration in HP Visualize Conference allows conference users to send a file to other participants without authorization.HP-UX Visualize Conference Vulnerabilityhp-visualize-conference-ftp(2309)HPSBUX9906-099493Buffer overflow in cfingerd allows local users to gain root privileges via a long GECOS field.bugtraq id 651651The Squid package in Red Hat Linux 5.2 and 6.0, and other distributions, installs cachemgr.cgi in a public web directory, which allows remote attackers to use it as an intermediary to connect to other systems.DSA-576FEDORA-2005-373FLSA-2006:152809RHSA-1999:025RHSA-2005:4892059http-cgi-cachemgr(2385)The oratclsh interpreter in Oracle 8.x Intelligent Agent for Unix allows local users to execute Tcl commands as root.BID 159oracle-oratclsh(2177)19990430 *Huge* security hole in Oracle 8.0.5 with Intellegent agent installed19990506 Oracle Security Followup, patch and FAQ: setuid on oratclshA vulnerability in Caldera Open Administration System (COAS) allows the /etc/shadow password file to be made world-readable.CSSA-1999:009.0linux-coasThe dtlogin program in Compaq Tru64 UNIX allows local users to gain root privileges.cde-dtlogin(2191)J-044Vulnerability in Compaq Tru64 UNIX edauth command.du-edauth(2198)Buffer overflow in Remote Access Service (RAS) client allows an attacker to execute commands or cause a denial of service via a malformed phonebook entry.nt-ras-bo(2200)MS99-016MS99-016Q230677Buffer overflow in Windows NT 4.0 help file utility via a malformed help file.nt-helpfile-bo(2190)MS99-015Q231605A remote attacker can disable the virus warning mechanism in Microsoft Excel 97.excel-virus-warning(2186)MS99-014MS99-014Q231304IBM GINA, when used for OS/2 domain authentication of Windows NT users, allows local users to gain administrator privileges by changing the GroupMapping registry key.bid 608ibm-gina-group-add(3166)19990823 IBM Gina security warningThe Guile plugin for the Gnumeric spreadsheet package allows attackers to execute arbitrary code.gnu-guile-plugin-export(4288)bugtraq id 563563The pt_chown command in Linux allows local users to modify TTY terminal devices that belong to other users.bugtraq id 597linux-pt-chown(3167)19990823 [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x597Denial of service in Windows NT Local Security Authority (LSA) through a malformed LSA request.msrpc-lsa-lookupnames-dos(2291)MS99-020Q231457MS99-020J-049The default configuration of Cobalt RaQ2 servers allows remote users to install arbitrary software packages.CA-99-10-cobalt-raq2cobalt-raq2-default-config(3132)558The Windows NT Client Server Runtime Subsystem (CSRSS) can be subjected to a denial of service when all worker threads are waiting for user input.nt-csrss-dos(2299)MS99-021MS99-021Q233323J-049478Buffer overflow in OpenBSD procfs and fdescfs file systems via uio_offset in the readdir() function.openbsd-uio_offset-bo(3341)6128When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker to view the source code of certain files, a.k.a. "Double Byte Code Page".iis-double-byte-code-page(2302)MS99-022Q233335MS99-022477iis-double-byte-code-page(2302)An attacker can conduct a denial of service in Windows NT by executing a program with a malformed file image header.nt-malformed-image-header(2313)MS99-023MS99-023Q234557499A kernel leak in the OpenBSD kernel allows IPsec packets to be sent unencrypted.openbsd-ipsec-cleartext(3342)6127A Windows NT user can disable the keyboard or mouse by directly calling the IOCTLs which control them.nt-ioctl-dos(2340)MS99-024MS99-024Q236359Buffer overflow in Lotus Notes LDAP (NLDAP) allows an attacker to conduct a denial of service through the ldap_search request.bid 601lotus-ldap-bo19990823 Denial of Service Attack against Lotus Notes Domino Server 4.6J-0611057The zsoelim program in the Debian man-db package allows local users to overwrite files via a symlink attack.The KDE klock program allows local users to unlock a session using malformed input.BID 489489The logging facilitity of the Debian smtp-refuser package allows local users to delete arbitrary files using symbolic links.smtp-refuser-tmp(3146)smtp-refuserBuffer overflow in VMWare 1.0.1 for Linux via a long HOME environmental variable.vmware-bo(2301)490A default configuration of CiscoSecure Access Control Server (ACS) allows remote users to modify the server database without authentication.ciscosecure-read-write(3133)KDE K-Mail allows local users to gain privileges via a symlink attack in temporary user directories.KDE K-Mail File Creation VulnerabilityRHSA-1999:015-01The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.Microsoft Security Bulletin (MS99-013)iis-samples-showcode(2381)L0pht Security AdvisoryOVAL932oval:org.mitre.oval:def:932The viewcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.iis-samples-showcode(2381)L0pht Security AdvisoryMS99-013The code.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.iis-samples-showcode(2381)L0pht Security AdvisoryMS99-013The codebrws.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.iis-samples-showcode(2381)L0pht Security AdvisoryMS99-013Remote attackers can cause a denial of service on Linux in.telnetd telnet daemon through a malformed TERM environmental variable.linux-telnetd-term(3139)BID 594594QMS CrownNet Unix Utilities for 2060 allows root to log on without a password.qms-2060-no-root-passwordQMS 2060 Printer Passwordless Root VulnerabilityQMS 2060 printer security hole593The Debian mailman package uses weak authentication, which allows attackers to gain privileges.BID 480480Trn allows local users to overwrite other users' files via symlinks.trn-symlinks(3144)trn: /tmp file creation problemtrn-symlinks(3144)Buffer overflow in Netscape Enterprise Server and FastTrask Server allows remote attackers to gain privileges via a long HTTP GET request.603Buffer overflow in Source Code Browser Program Database Name Server Daemon (pdnsd) for the IBM AIX C Set ++ compiler.BID 590aix-pdnsd-bo(3135)J-059590A default configuration of in.identd in SuSE Linux waits 120 seconds between requests, allowing a remote attacker to conduct a denial of service.linux-identd-dos(3128)SUSE:19990824 Security hole in netcfgBID 587587Denial of service in BSDi Symmetric Multiprocessing (SMP) when an fstat call is made when the system has a high CPU load.BID 589bsdi-smp-dos(3145)19990816 Symmetric Multiprocessing (SMP) Vulnerbility in BSDi 4.0.1589Buffer overflows in Red Hat net-tools package.redhat-net-tool-bo(4095)Potential security problem in Red Hat 6.0 net-tools.Buffer overflow in Microsoft Telnet client in Windows 95 and Windows 98 via a malformed Telnet argument.BID 586win-ie5-telnet-heap-overflow(3129)MS99-033MS99-033MS99-033586Hotmail allows Javascript to be executed via the HTML STYLE tag, allowing remote attackers to execute commands on the user's Hotmail account.Hotmail Javascript STYLE VulnerabilityHotmail Security Vulnerability630Buffer overflow in Accept command in Netscape Enterprise Server 3.6 with the SSL Handshake Patch.BUGTRAQ:19990913 Accept overflow on Netscape Enterprise Server 3.6 SP2BID 631631netscape-accept-bo(3256)Denial of service in Netscape Enterprise Server via a buffer overflow in the SSL handshake.BUGTRAQ:19990706 Netscape Enterprise Server SSL Handshake BugThe w3-msql CGI script provided with Mini SQL allows remote attackers to view restricted directories.mini-sql-w3-msql-cgi(3245)BUGTRAQ:19990817 Stupid bug in W3-msql591The INN inndstart program allows local users to gain privileges by specifying an alternate configuration file using the INNCONF environmental variable.inn-innconf-env(2180)BID 255CSSA-1999-011.0255Windows NT RRAS and RAS clients cache a user's password even if the user has not selected the "Save password" option.nt-ras-pwcache(2243)MS99-017Q230681MS99-017ColdFusion Administrator with Advanced Security enabled allows remote users to stop the ColdFusion server via the Start/Stop utility.coldfusion-admin-dos(2207)ASB99-07The ColdFusion CFCRYPT program for encrypting CFML templates has weak encryption, allowing attackers to decrypt the templates.ASB99-08coldfusion-encryption(2208)Netscape Enterprise 3.5.1 and FastTrack 3.01 servers allow a remote attacker to view source code to scripts by appending a %20 to the script's URL.ASB00-06netscape-space-view(2206)Buffer overflow in FuseMAIL POP service via long USER and PASS commands.FuseWare FuseMail POP Mail Buffer Overflow Vulnerabilityfuseware-popmail-bo(3300)Many kind of POP3/SMTP server softwares for Windows have buffer overflow bughttp://www.crosswinds.net/~fuseware/faq.html#8634Undocumented ColdFusion Markup Language (CFML) tags and functions in the ColdFusion Administrator allow users to gain additional privileges.coldfusion-server-cfml-tags(3288)bid 550ASB99-10Buffer overflow in FreeBSD fts library routines allows local user to modify arbitrary files via the periodic program.BID 644freebsd-fts-lib-bo(3304)6441074When Javascript is embedded within the TITLE tag, Netscape Communicator allows a remote attacker to use the "about" protocol to gain access to browser information.BUGTRAQ:19990524 Netscape Communicator JavaScript in <TITLE> security vulnerabilityNetBSD on a multi-homed host allows ARP packets on one network to modify ARP entries on another connected network.NETBSD:1999-010,XF:netbsd-arp6540NetBSD allows ARP packets to overwrite static ARP entries.netbsd-arp(2202)6539SGI IRIX midikeys program allows local users to modify arbitrary files via a text editor.irix-midikeys(2195)19990501-01-A262The Microsoft Java Virtual Machine allows a malicious Java applet to execute arbitrary commands outside of the sandbox environment.msvm-verifier-java(3378)MS99-045BID 600MS99-031Q240346600Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES environmental variable.sun-libc-lcmessages(3235)LC_MESSAGESSunOS LC_MESSAGES Environment Variable VulnerabilityBuffer overflow in Vixie Cron on Red Hat systems via the MAILTO environmental variable.BID 602602Vixie Cron on Linux systems allows local users to set parameters of sendmail commands via the MAILTO environmental variable.BID 611611Firewall-1 sets a long timeout for connections that begin with ACK or other packets except SYN, allowing an attacker to conduct a denial of service via a large number of connection attempts to unresponsive systems.BUGTRAQ:19990729 Simple DOS attack on FW-1BID 5491027The web components of Compaq Management Agents and the Compaq Survey Utility allow a remote attacker to read arbitrary files via a .. (dot dot) attack.BUGTRAQ:19990526 Infosecmanagement-agent-file-read(2258)Denial of service in Compaq Management Agents and the Compaq Survey Utility via a long string sent to port 2301.management-agent-dos(2259)SSRT0612UBuffer overflow in Solaris lpset program allows local users to gain root access.BID 251sol-lpset-bo(2183)19990511 Solaris2.6 and 2.7 lpset overflowBuffer overflows in Mars NetWare Emulation (NWE, mars_nwe) package via long directory names.BUGTRAQ:19990830 Babcia Padlina Ltd. security advisory: mars_nwe buffer overfBID 617617Cisco Gigabit Switch routers running IOS allow remote attackers to forward unauthorized packets due to improper handling of the "established" keyword in an access list.cisco-gigaswitch(2267)Cisco IOS Software established Access List Keyword ErrorAlibaba HTTP server allows remote attackers to read files via a .. (dot dot) attack.http-alibaba-dotdot".."-hole in Alibaba 2.0IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions.BID 658MS99-039Q241407Q242559658Buffer overflow in Xi Graphics Accelerated-X server allows local users to gain root access via a long display or query parameter.KSRT:011,XF:accelx-display-boaccelx-display-bo(2306)488Denial of service in HP-UX SharedX recserv program.hp-sharedx(1393)HPSBUX9810-086KDE klock allows local users to kill arbitrary processes by specifying an arbitrary PID in the .kss.pid file.kde-klock-process-kill(1647)19981118 Multiple KDE security vulnerabilities (root compromise)KDE allows local users to execute arbitrary commands by setting the KDEDIR environmental variable to modify the search path that KDE uses to locate its executables.kde-klock-bindir-trojans(1648)19981118 Multiple KDE security vulnerabilities (root compromise)KDE kppp allows local users to create a directory in an arbitrary location via the HOME environmental variable.BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise),XF:kde-kppp-directory-createkde-kppp-directory-create(1649)19981118 Multiple KDE security vulnerabilities (root compromise)FreeBSD allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.freebsd-nfs-link-dos(3827)FreeBSD-SA-98:05I-0576090Denial of service in Oracle TNSLSNR SQL*Net Listener via a malformed string to the listener port, aka NERP.19990104 Re: Fw:19981228 Oracle8 TNSLSNR DoS19980827 NERP DoS attack possible in OracleThe INN inndstart program allows local users to gain root privileges via the "pathrun" parameter in the inn.conf file.BUGTRAQ:19990511 INN 2.0 and higher. Root compromise potentialBID 254inn-pathrun(2179)254The dynamic linker in Solaris allows a local user to create arbitrary files via the LD_PROFILE environmental variable and a symlink attack.BID 659BUGTRAQ:19990922 LD_PROFILE local root exploit for solaris 2.6659The SSH authentication agent follows symlinks via a UNIX domain socket.ssh-socket-auth-symlink-dosSSH Authentication Socket File Creation Vulnerability19990917 A few bugs...19990924 [Fwd: Truth about ssh 1.2.27 vulnerability]660Arkiea nlservd allows remote attackers to conduct a denial of service.arkiea-backup-nlserverd-remote-dos(3321)Arkiea Backup nlserverd Remote Denial of Service VulnerabilityMultiple vendor Knox Arkiea local root/remote DoS19990924 Multiple vendor Knox Arkiea local root/remote DoS662Buffer overflow in AIX ftpd in the libc library.aix-ftpd-bo(3758)BID 679J-072679A remote attacker can read information from a Netscape user's cache via JavaScript.netscape-javascript-cookies(4308)http://home.netscape.com/security/notes/jscachebrowsing.htmlHybrid Network cable modems do not include an authentication mechanism for administration, allowing remote attackers to compromise the system through the HSMP protocol.hybrid-anon-cable-modem-reconfigKSR[T] Advisories #012: Hybrid Network's Cable ModemsHybrid Network's Cable Modems695ROUTERmate has a default SNMP community name which allows remote attackers to modify its configuration.routermate-snmp-communityOsicom Technologies ROUTERmate Security Advisoryhttp://www2.merton.ox.ac.uk/~security/rootshell/0022.htmlInternet Explorer allows remote attackers to read files by redirecting data to a Javascript applet.ie-java-redirect(3327)MS99-043MS99-043Microsoft Excel does not warn a user when a macro is present in a Symbolic Link (SYLK) format file.excel-sylk-macro(3369)MS99-044Q241900Q241901Q241902The NIS+ rpc.nisd server allows remote attackers to execute certain RPC calls without authentication to obtain system information, disable logging, or modify caches.sun-nisplusFreeBSD T/TCP Extensions for Transactions can be subjected to spoofing attacks.freebsd-ttcp-spoof(3828)FreeBSD-SA-98:036089NIS finger allows an attacker to conduct a denial of service via a large number of finger requests, resulting in a large number of NIS queries.sun-nis-nisplus(1205)I-070Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux systems via a malformed header type.bootp-remote-bo(1608)SECURITY FIXbootpd remote vulnerabilityBuffer overflow in bootpd 2.4.3 and earlier via a long boot file location.bootpd-bo(4143)The GetFile.cfm file in Allaire Forums allows remote attackers to read files through a parameter to GetFile.cfm.ASB99-05NTBUGTRAQ:19990211 ACFUG List: Alert: Allaire Forums GetFile bugallaire-forums-file-read(1748)944BMC Patrol allows remote attackers to gain access to an agent by spoofing frames.bmc-patrol-framesPatrol security bugs19990409 Patrol security bugsbmc-patrol-frames(2075)Buffer overflow in Internet Explorer 5 allows remote attackers to execute commands via a malformed Favorites icon.ie-favicon(2244)MS99-018MS99-018Q231450The fwluser script in AIX eNetwork Firewall allows local users to write to arbitrary files via a symlink attack.BID 287ibm-enfirewall-tmpfiles(2249)19990525 IBM eNetwork Firewall for AIX962Denial of service in Linux 2.2.x kernels via malformed ICMP packets containing unusual types, codes, and IP header lengths.BID 302302Novell NetWare Transaction Tracking System (TTS) in Novell 4.11 and earlier allows remote attackers to cause a denial of service via a large number of requests.novell-tts-dos(2184)19990512 DoS with Netware 4.x's TTSBuffer overflow in Solaris dtprintinfo program.cde-dtprintinfo(2188)6552The Netscape Directory Server installation procedure leaves sensitive information in a file that is accessible to local users.netscape-dirsvc-password(2174)Multiple buffer overflows in ISC DHCP Distribution server (dhcpd) 1.0 and 2.0 allow a remote attacker to cause a denial of service (crash) and possibly execute arbitrary commands via long options.I-05319980518 DHCP 1.0 and 2.0 SECURITY ALERT! (fwd)Netscape Communicator 4.x with Javascript enabled does not warn a user of cookie settings, even if they have selected the option to "Only accept cookies originating from the same server as the page being viewed".BUGTRAQ:19990709 Communicator 4.[56]x, JavaScript used to bypass cookie settingsDenial of service in Samba NETBIOS name service daemon (nmbd).Buffer overflow in Samba smbd program via a malformed message command.samba-message-bo(3225)BID 536536Race condition in Samba smbmnt allows local users to mount file systems in arbitrary locations.Cfingerd with ALLOW_EXECUTION enabled does not properly drop privileges when it executes a program on behalf of the user, allowing local users to gain root privileges.BUGTRAQ:19990810 Severe bug in cfingerd before 1.4.0cfingerd-privileges(4112)Red Hat pump DHCP client allows remote attackers to gain root access in some configurations.REDHAT:RHSA-1999:027RHSA-1999:027Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries.nt-snmpagent-leak(1974)oval:org.mitre.oval:def:952The Motorola CableRouter allows any remote user to connect to and configure the router on port 1024.Security Vulnerability in Motorola CableRoutersmotorola-cable-default-pass(2002)Lynx WWW client allows a remote attacker to specify command-line parameters which Lynx uses when calling external programs to handle certain protocols, e.g. telnet.Buffer overflow in Solaris kcms_configure via a long NETPATH environmental variable.another hole of Solaris7 kcms_configureSolaris kcms_configuresol-kcms-conf-netpath-bo(3651)83119991130 another hole of Solaris7 kcms_configureNTMail does not disable the VRFY command, even if the administrator has explicitly disabled it.nt-mail-vrfy(3719)19991130 NTmail and VRFYFreeBSD seyon allows users to gain privileges via a modified PATH variable for finding the xterm and seyon-emu commands.BID 838freebsd-seyon-dir-add(3483)8385996FreeBSD seyon allows local users to gain privileges by providing a malicious program in the -emulator argument.FreeBSD Seyon setgid dialer Vulnerabilityfreebsd-seyon-dir-addFreeBSD 3.3's seyon vulnerability838Buffer overflow in Qpopper (qpop) 3.0 allows remote root access via AUTH command.qpopper-auth-boQualcomm qpopper Remote Buffer Overflow Vulnerabilityserious Qpopper 3.0 vulnerability830Buffer overflow in FreeBSD xmindpath allows local users to gain privileges via -f argument.FreeBSD xmindpath Buffer Overflow VulnerabilitySeveral FreeBSD-3.3 vulnerabilitiesfreebsd-xmindpath8391150A Windows NT user can use SUBST to map a drive letter to a folder, which is not unmapped after the user logs off, potentially allowing that user to modify the location of folders accessed by later users.BID 833833The default permissions for UnixWare /var/mail allow local users to read and modify other users' mail.sco-mail-permissions(3634)SCO UnixWare '/var/mail' permissions VulnerabilitySecurity holes in mail clientsUnixWare read/modify users' mail849Buffer overflow in FreeBSD angband allows local users to gain privileges.FreeBSD angband Buffer Overflow Vulnerabilityangband-boSeveral FreeBSD-3.3 vulnerabilities8401151By default, Internet Explorer 5.0 and other versions enables the "Navigate sub-frames across different domains" option, which allows frame spoofing.http-frame-spoof"Frame Spoof"fixThe Frame-Spoofing VulnerabilityUnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow local users to read arbitrary files via the dacread permission.sco-pkg-dacread-fileread(3633)Package Tool Security PatchUnixWare and the dacread permission UnixWare pkg* command exploits853HP Secure Web Console uses weak encryption. HP Secure Web Consolehp-secure-console(3725)Buffer overflow in SCO UnixWare Xsco command via a long argument.sco-unixware-xsco(3726)Multiple Vulnerabilities Found In SCO OpenServerSCO OpenServer Security StatusUnixWare 7's XscoDenial of service in Linux syslogd via a large number of connections.BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available)BID 809CSSA-1999-035.0809Buffer overflow in NFS server on Linux allows attackers to execute commands via a long pathname.S.u.S.E. Linux Redhat nfs-server < 2.2beta47 within nkitalinux-nfs-maxpath-bo(3501)BID 78219991109 undocumented bugs - nfsd19991111 buffer overflow in nfs server19991110 Security hole in nfs-server < 2.2beta47 within nkitaCSSA-1999-033.0RHSA-1999:053-01782Buffer overflow in BIND 8.2 via NXT records.CA-99-14-bindBID 788bind-nxt-bo(3476)CSSA-1999-034.1788Buffer overflow in RSAREF2 via the encryption and decryption functions in the RSAREF library.CA-99-15-RSAREF2BUGTRAQ:19991201 Security Advisory: Buffer overflow in RSAREF2ssh-rsaref-bo(3514)bugtraq id 843843Denial of service in BIND named via malformed SIG records.CA-99-14-bindBID 788bind-sigrecord-dos(3525)CSSA-1999-034.1788UnixWare uidadmin allows local users to modify arbitrary files via a symlink attack.unixware-uid-admin(3730)BID 84219991202 UnixWare 7 uidadmin exploit + discussionSB-99.22a842Denial of service in BIND by improperly closing TCP sessions via so_linger.CA-99-14-bindBID 788bind-solinger-dos(3511)CSSA-1999-034.100194788Buffer overflow in Serv-U FTP 2.5 allows remote users to conduct a denial of service via the SITE command.servu-ftp-site-bo(3647)859Windows NT Task Scheduler installed with Internet Explorer 5 allows a user to gain privileges by modifying the job after it has been scheduled.bugtraq id 828ie-task-scheduler-privs(3664)MS99-051MS99-051MS99-051Q246972828Buffer overflow in CDE dtmail and dtmailpr programs allows local users to gain privileges via a long -f option.Multiple Vendor CDE dtmail/mailtool Buffer Overflow VulnerabilitySolaris7 dtmail/dtmailpr/mailtool Buffer Overflowsolaris-dtmail-overflow83219991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflowhttp://www.securiteam.com/exploits/3J5QQPPQ0O.htmlsolaris-dtmail-overflow(3579)solaris-dtmailpr-overflow(3580)Buffer overflow in CDE mailtool allows local users to gain root privileges via a long MIME Content-Type.Multiple Vendor CDE dtmail/mailtool Buffer Overflow VulnerabilitySolaris7 dtmail/dtmailpr/mailtool Buffer Overflowsolaris-dtmail-overflow83219991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflowhttp://www.securiteam.com/exploits/3J5QQPPQ0O.htmlcde-mailtool-bo(3732)Symantec Mail-Gear 1.0 web interface server allows remote users to read arbitrary files via a .. (dot dot) attack.symantec-mail-dir-traversal(3649)BID 82719991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability8271144Denial of service in Cisco routers running NAT via a PORT command from an FTP client to a Telnet port.cisco-nat-dos(3733): Cisco NAT DoSDenial of service in MDaemon WorldClient and WebConfig services via a long URL.mdaemon-worldclient-dos(3555)Remote DoS Attack in WorldClient Server v2.0.0.0 VulnerabilityRecent DoS attack reported on Mdaemon823820Buffer overflow in SCO su program allows local users to gain root access via a long username.sco-su-username-bo(3584)su Security PatchUnixWare 7's suDenial of service in MDaemon 2.7 via a large number of connection attempts.Recent DoS attack reported on MdaemonMultiples Remotes DoS Attacks in MDaemonServer v2.8.5.0VulnerabilityBuffer overflow in free internet chess server (FICS) program, xboard.Denial of service in BIND named via consuming more than "fdmax" file descriptors.CA-99-14-bindBID 788bind-fdmax-dos(3512)CSSA-1999-034.100194788Denial of service in BIND named via maxdname.CA-99-14-bindbind-maxdname-bo(3529)maxdname bugCSSA-1999-034.100194788The default permissions for Endymion MailMan allow local users to read email or modify files.Insecure default permissions for MailMan Professional Edition, version 3.0.18endymion-mailman-perms(3736)845Denial of service in BIND named via naptr.CA-99-14-bindbind-naptr-dos(3527)CSSA-1999-034.100194788IBM WebSphere sets permissions that allow a local user to modify a deinstallation script or its data files stored in /usr/bin.IBM Websphere Installation Permissions Vulnerabilitywebsphere-protect(3737)WebSphere protections from installation844Buffer overflow in Netscape Enterprise Server and Netscape FastTrack Server allows remote attackers to gain privileges via the HTTP Basic Authentication procedure.netscape-fasttrack-auth-bo(3586)BID 847847Ultimate Bulletin Board stores data files in the cgi-bin directory, allowing remote attackers to view the data if an error occurs when the HTTP server attempts to execute the file.http-ultimate-bbs(3738)http://www.ultimatebb.com/home/versions.shtml20000225 FW: Important UBB News For Licensed UsersBuffer overflow in FreeBSD gdc program.FreeBSD gdc Buffer Overflow Vulnerabilityfreebsd-gdc-bo(3739)FreeBSD 3.3 gated-3.1.5 local exploit834login in Slackware 7.0 allows remote attackers to identify valid users on the system by reporting an encryption error when an account is locked or does not exist.slackware-remote-login(3740)FreeBSD gdc program allows local users to modify files via a symlink attack.freebsd-gdc(3741)FreeBSD 3.3 gated-3.1.5 local exploitFreeBSD gdc Symlink Vulnerability835Internet Explorer 5 allows a remote attacker to modify the IE client's proxy configuration via a malicious Web Proxy Auto-Discovery (WPAD) server.ie-wpad-proxy-settings(3666)BID 846MS99-054MS99-054MS99-054Q247333846Solaris arp allows local users to read files via the -f parameter, which lists lines in the file that do not parse properly.sol-arp-parse(3742)BID 8378376994Solaris chkperm allows local users to read files owned by bin via the VMSYS environmental variable and a symlink attack.sol-chkperm-vmsysSolaris arp VulnerabilitiesSolaris 2.x chkperm/arp vulnerabilities837Race condition in the SSL ISAPI filter in IIS and other servers may leak information in plaintext.MS99-053iis-ssl-isapi-filter(3646)MS99-053Q244613Insecure directory permissions in RPM distribution for PostgreSQL allows local users to gain privileges by reading a plaintext password file.postgresql-insecure-permsPostgreSQL RPM's permission problemsBuffer overflow in FreeBSD seyon via HOME environmental variable, -emulator argument, -modems argument, or the GUI.FreeBSD Seyon setgid dialer Vulnerabilityfreebsd-seyon-dir-addFreeBSD 3.3's seyon vulnerabilityUnixWare programs that dump core allow a local user to modify files via a symlink attack on the ./core.pid file.sco-coredump-symlink(3637)BID 85119991202 UnixWare coredumps follow symlinks19991215 Recent postings about SCO UnixWare 719991223 FYI, SCO Security patches available.19991220 SCO OpenServer Security Status851Buffer overflow in CommuniGatePro via a long string to the HTTP configuration port.communigate-pro-bo(3746)BID 86019991203 CommuniGatePro 3.1 for NT DoS19991203 CommuniGatePro 3.1 for NT Buffer Overflow860Buffer overflow in UnixWare xauto program allows local users to gain root privilege.sco-xauto-bo(3635)BID 84819991215 Recent postings about SCO UnixWare 719991223 FYI, SCO Security patches available.19991220 SCO OpenServer Security StatusSB-99.24a848Denial of service in IIS 4.0 via a flood of HTTP requests with malformed headers.http-iis-malformed-header(3115)BID 579MS99-029MS99-029MS99-029Q238349J-058579ucbmail allows remote attackers to execute commands via shell metacharacters that are passed to it from INN.CA-97.08.inndinn-ucbmail-shell-meta(3701)Internet Explorer 3.x to 4.01 allows a remote attacker to insert malicious content into a frame of another web site, aka frame spoofing.http-frame-spoof(1598)MS98-020MS98-020Internet Explorer 4.01 allows remote attackers to read arbitrary files by pasting a file name into the file upload control, aka untrusted scripted paste.ie-usp-cuartango(2213)MS98-015MS98-015Internet Explorer 4.0 and 4.01 allow a remote attacker to read files via IE's cross frame security, aka the "Cross Frame Navigate" vulnerability.ie-crossframe-file-read(3668)MS98-013MS98-0137837ie-crossframe-file-read(3668)Buffer overflow in Vixie cron allows local users to gain root access via a long MAILTO environment variable in a crontab file.Vixie Cron MAILTO Sendmail Vulnerabilitycron-sendmail-bo-root(4096)Buffer overflow in cron daemoncron-3.0.1-75 (Vixie Cron)cron: Root exploit in cron759611Buffer overflow in Skyfull mail server via MAIL FROM command.Skyfull Mail Server MAIL FROM Buffer Overflow Vulnerabilityskyfull-mail-from-bo(3430)759Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions.iis-htr-overflow(2281)CA-99-07-IIS-Buffer-OverflowMS99-019Q234905AD06081999J-048oval:org.mitre.oval:def:915DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow remote attackers to modify their default routes.irdp-gateway-spoof(3123)BID 578Q216141578Buffer overflow in Internet Explorer 4.0 via EMBED tag.Description of Internet Explorer 4.01 Service Pack 1Microsoft Internet Explorer EMBED VulnerabilityInternet Explorer Embed issueQ185959Q176697Internet Explorer 5 allows remote attackers to read files via an ExecCommand method called on an IFRAME.ie-iframe-exec(3313)MS99-042Q243638MS99-042Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via MAPPING_CHDIR.CA-99-13-wuftpdBID 599wu-ftpd-dir-name(3158)599Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via macro variables in a message file.CA-99-13-wuftpdwuftp-message-file-root(3375)Denial of service in WU-FTPD via the SITE NEWER command, which does not free memory properly.CA-99-13-wuftpdwuftp-site-newer-dos(3376)Falcon web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.falcon-path-parsing(3386)BID 7437431127Falcon web server allows remote attackers to determine the absolute path of the web root via long file names.falcon-server-long-filename(3832)Falcon Web ServerFalcon Web Server Technical AdvisoryZeus web server allows remote attackers to read arbitrary files by specifying the file name in an option to the search engine.BID 7427421126zeus-remote-root(3380)The Zeus web server administrative interface uses weak encryption for its passwords.BID 7427428186zeus-weak-password(3833)Alibaba web server allows remote attackers to execute commands via a pipe character in a malformed URL.More Alibaba Web Server problemsAlibaba Multiple CGI Vulnerabiltiesalibaba-url-file-manipulation77019991103 More Alibaba Web Server problems...The security descriptor for RASMAN allows users to point to an alternate location via the Windows NT Service Control Manager.BID 645MS99-041nt-rasman-pathname(3248)Q242294MS99-041645FTGate web interface server allows remote attackers to read files via a .. (dot dot) attack.BID 772AD052619991137dbsnmp in Oracle Intelligent Agent allows local users to gain privileges by setting the ORACLE_HOME environmental variable, which dbsnmp uses to find the nmiconf.tcl script.BID 585oracle-dbsnmp585Cisco 675 routers running CBOS allow remote attackers to establish telnet sessions if an exec or superuser password has not been set.cisco-cbos-telnet(4251)39iHTML Merchant allows remote attackers to obtain sensitive information or execute commands via a code parsing error.ihtml-merchant-file-access(3273)19990928 Team Asylum: iHTML Merchant Vulnerabilities694The "download behavior" in Internet Explorer 5 allows remote attackers to read arbitrary files via a server-side redirect.ie-download-behavior(3278)MS99-040MS99-040Q242542VU#37828K-00267411274Buffer overflow in Netscape Communicator before 4.7 via a dynamic font whose length field is less than the size of the font.BID 893userOsa in SCO OpenServer allows local users to corrupt files via a symlink attack.sco-openserver-userosa-script(3368)Red Hat Linux screen program does not use Unix98 ptys, allowing local users to write to other terminals.Firewall-1 does not properly restrict access to LDAP attributes.BID 725checkpoint-ldap-auth(3374)19991020 Checkpoint FireWall-1 V4.0: possible bug in LDAP authentication7251117Buffer overflow in RealNetworks RealServer administration utility allows remote attackers to execute arbitrary commands via a long username and password.realserver-g2-pw-bo(3448)BID 767http://service.real.com/help/faq/servg260.html767iChat ROOMS Webserver allows remote attackers to read arbitrary files via a .. (dot dot) attack.BUGTRAQ:19980908 bug in iChat 3.0 (maybe others)ichat-file-read-vuln(1623)19980908 bug in iChat 3.0 (maybe others)Buffer overflows in Windows NT 4.0 print spooler allow remote attackers to gain privileges or cause a denial of service via a malformed spooler request.MS99-047BID 768nt-printer-spooler-bo(3457)MS99-047Q243649768The Windows NT 4.0 print spooler allows a local user to execute arbitrary commands due to inappropriate permissions that allow the user to specify an alternate print provider.MS99-047BID 769nt-printer-spooler-bo(3457)MS99-047Q243649769Buffer overflow in rpc.yppasswdd allows a local user to gain privileges via MD5 hash generation.RHSA1999046-01ypserv allows a local user to modify the GECOS and login shells of other users.REDHAT:RHSA1999046-01ypserv allows local administrators to modify password tables.REDHAT:RHSA1999046-01genfilt in the AIX Packet Filtering Module does not properly filter traffic to destination ports greater than 32767.BID 744Buffer overflow in BFTelnet allows remote attackers to cause a denial of service via a long username.Byte Fusion BFTelnet Long Username DoS Vulnerabilitybftelnet-username-dos(3455)Remote DoS Attack in BFTelnet Server v1.1 for Windows NT771Denial of service in Axent Raptor firewall via malformed zero-length IP options.raptor-ipoptions-dos(3350)BID 7367361121Buffer overflow in sccw allows local users to gain root access via the HOME environmental variable.BID 656linux-sccw-bo(4114)656sccw allows local users to read arbitrary files.BUGTRAQ:19990916 SuSE 6.2 /usr/bin/sccw read any fileDenial of service in Solaris TCP streams driver via a malicious connection that causes the server to panic as a result of recursive calls to mutex_enter.19990921 solaris DoSsun-tcp-mutex-enter-dos(3307)BID 655Sun BugID 4178455655Multihomed Windows systems allow a remote attacker to bypass IP source routing restrictions via a malformed packet with IP options, aka the "Spoofed Route Pointer" vulnerability.BID 646nt-ip-source-route(3251)MS99-038MS99-038MS99-038Q238453646Microsoft Site Server and Commercial Internet System (MCIS) do not set an expiration for a cookie, which could then be cached by a proxy and inadvertently used by a different user.Patch Available for Microsoft Site Server and CIS Cookie Caching Vulnerabilitysiteserver-cis-cookie-cache(3228)625Buffer overflow in ProFTPD, wu-ftpd, and beroftpd allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories.ProFTPD Remote Buffer Overflowproftpd-long-dir-bo(3399)ProFTP-1.2.0pre4 buffer overflow -- once more19990210612FreeBSD VFS cache (vfs_cache) allows local users to cause a denial of service by opening a large number of files.FreeBSD vfs_cache Denial of Service Vulnerabilityfreebsd-vfscache-dos(3441)FreeBSD-specific denial of service6531079dfire.cgi script in Dragon-Fire IDS allows remote users to execute commands via shell metacharacters.Dragon-Fire IDS Vulnerabilitydragon-fire-ids-metachar(3834)NSW Dragon Fire gets drowned56419990804 NSW Dragon Fire gets drownedBuffer overflow in the FTP client in the Debian GNU/Linux netstd package.BID 324324URL Live! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.BID 7467461129WebTrends software stores account names and passwords in a file which does not have restricted access permissions.Bad Permissions on Passwords Stored by WebTrends SoftwareThe Preloader ActiveX control used by Internet Explorer allows remote attackers to read arbitrary files.legacy-activex-local-drive(3526)MS99-018MS99-018Q231452Denial of service in various Windows systems via malformed, fragmented IGMP packets.BUGTRAQ:19990703 IGMP fragmentation bug in Windows 98/2000BID 514igmp-dos(2341)Q238329MS99-034514A memory leak in a Motorola CableRouter allows remote attackers to conduct a denial of service via a large number of telnet connections.motorola-cable-crash(2004)Security Vulnerability in Motorola CableRoutersBuffer overflow in the pop-2d POP daemon in the IMAP package allows remote attackers to gain privileges via the FOLD command.pop2-fold-bo(3114)283BMC Patrol allows any remote attacker to flood its UDP port, causing a denial of service.bmc-patrol-udp-dos(4291)Patrol security bugs19990409 Patrol security bugsbmc-patrol-udp-dos(4291)1879An example application in ColdFusion Server 4.0 allows remote attackers to view source code via the sourcewindow.cfm file.coldfusion-sourcewindow(1744)ASB99-02Sample runnable code snippets in ColdFusion Server 4.0 allow remote attackers to read files, conduct a denial of service, or use the server as a proxy for other HTTP calls.ASB99-02The Syntax Checker in ColdFusion Server 4.0 allows remote attackers to conduct a denial of service.ASB99-02coldfusion-syntax-checker(1742)3236UnityMail allows remote attackers to conduct a denial of service via a large number of MIME headers.unitymail-web-dos(1630)Re: Web servers / possible DOS Attack / mime header flooding19980903 Web servers / possible DOS Attack / mime header floodingApache allows remote attackers to conduct a denial of service via a large number of MIME headers.NTMail allows remote attackers to read arbitrary files via a .. (dot dot) attack.ntmail-fileread(2242)Multiple Web Interface Security HolesAD05261999279Buffer overflow in SmartDesk WebSuite allows remote attackers to cause a denial of service via a long URL.websuite-dos(2280)Buffer overflow in SmartDesk WebSuite v2.1278Novell NetWare with Novell-HTTP-Server or YAWN web servers allows remote attackers to conduct a denial of service via a large number of HTTP GET requests.novell-webserver-dos(2287)Novell NetWare webservers DoSwwwboard allows a remote attacker to delete message board articles via a malformed argument.http-cgi-wwwboard-defaultwwwboard.pl vulnerabilityhttp://www.worldwidemart.com/scripts/faq/wwwboard/q5.shtmlhttp-cgi-wwwboard(2344)1795Buffer overflow in Mediahouse Statistics Server allows remote attackers to execute commands.BID 734mediahouse-stats-login-bo(3286)BUGTRAQ:19990930 Security flaw in Mediahouse Statistics Server v4.28 & 5.01734Mediahouse Statistics Server allows remote attackers to read the administrator password, which is stored in cleartext in the ss.cfg file.mediahouse-stats-adminpw-cleartextMediahouse Statistics Server 4.28 & 5.01Mediahouse Statistics Server Cleartext Password Vulnerability735TeamTrack web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.BID 689BUGTRAQ:19991001 RFP99046891096classifieds.cgi allows remote attackers to read arbitrary files via shell metacharacters.2020http-cgi-classifieds-read(3102)classifieds.cgi allows remote attackers to execute arbitrary commands by specifying them in a hidden variable in a CGI form.BNBSurvey survey.cgi program allows remote attackers to execute commands via shell metacharacters.BNBForm allows remote attackers to read arbitrary files via the automessage hidden form variable.MBone SDR Package allows remote attackers to execute commands via shell metacharacters in Sesion Initiation Protocol (SIP) messages.CERT:VN-99-03,XF:sdr-executesdr-execute(2338)Denial of service in Debian IRC Epic/epic4 client via a long string.BID 605605Buffer overflow in mutt mail client allows remote attackers to execute commands via malformed MIME messages.Mutt mail client allows a remote attacker to execute commands via shell metacharacters.mutt-1.0pre3 is out / security fixmutt-text-enriched-mime-bo(3315)mutt x.xUnixWare dos7utils allows a local user to gain root privileges by using the STATICMERGE environmental variable to find a script which it executes.sco-unixware-dos7utils-root-privs(3360)SCO UnixWare 7.1 local root exploitBuffer overflow in OpenLink 3.2 allows remote attackers to gain privileges via a long GET request to the web configurator.BUGTRAQ:19991015 OpenLink 3.2 Advisory720IBM WebSphere ikeyman tool uses weak encryption to store a password for a key database that is used for SSL connections.Buffer overflow in Internet Mail Service (IMS) for Microsoft Exchange 5.5 and 5.0 allows remote attackers to conduct a denial of service via AUTH or AUTHINFO commands.19980724 Denial of Service attacks against Microsoft Exchange 5.0 to 5.5I-080Q169174exchange-dos(1223)Buffer overflow in Yamaha MidiPlug via a Text variable in an EMBED tag.Microsoft IE Yamaha MidiPlug Buffer Overflow VulnerabilitySome holes for Win/UNIX softwares19991102 Some holes for Win/UNIX softwares760AN-HTTPd provides example CGI scripts test.bat, input.bat, input2.bat, and envout.bat, which allow remote attackers to execute commands via shell metacharacters.BID 76219991102 Some holes for Win/UNIX softwares762Buffer overflow in uum program for Canna input system allows local users to gain root privileges.Canna subsystem 'uum' Buffer Overflow Vulnerabilitycanna-uum-bo(3424)Some holes for Win/UNIX softwares757Buffer overflow in canuum program for Canna input system allows local users to gain root privileges.Canna subsystem 'uum' Buffer Overflow Vulnerabilitycanna-uum-bo(3424)Some holes for Win/UNIX softwares757Buffer overflow in WFTPD FTP server allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories.BID 747wftpd-mkd-bo(3417)747Buffer overflow in OmniHTTPd CGI program imagemap.exe allows remote attackers to execute commands.BID 7397393380Buffer overflow in Solaris lpstat via class argument allows local users to gain root access.Re: Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstatsolaris-lpstat-bo(4115)Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstatWWWBoard stores encrypted passwords in a password file that is under the web root and thus accessible by remote attackers.BUGTRAQ:19980903 wwwboard.pl vulnerability,BUGTRAQ:19990916 More fun with WWWBoardWWWBoard has a default username and default password.WWWBoard Password Disclosure Vulnerabilityhttp-cgi-wwwboard-defaultMore fun with WWWBoard649Race condition in wu-ftpd and BSDI ftpd allows remote attackers gain root access via the SITE EXEC command.CA-94:08.ftpd.vulnerabilitiesftp-exec(55)The NeXT NetInfo _writers property allows local users to gain root privileges or conduct a denial of service.CA-93.02a.NeXT.NetInfo._writers.vulnerabilitiesnext-netinfo(520)MajorCool mj_key_cache program allows local users to modify files via a symlink attack.majorcool-file-overwrite-vuln(1626)sudo 1.5.x allows local users to execute arbitrary commands via a .. (dot dot) attack.BUGTRAQ:19980112 Re: hole in sudo for MP-RASsudo-dot-dot-attack(4155)19980112 Re: hole in sudo for MP-RAS.IRIX startmidi program allows local users to modify arbitrary files via a symlink attack.irix-startmidi-file-creation(1634)19980301-01-PX4698447IRIX cdplayer allows local users to create directories in arbitrary locations via a command line option.AUSCERT:AA-96.11,SGI:19980301-01-PX,XFirix-cdplayer-directory-create(1632)19980301-01-PXHPUX sysdiag allows local users to gain root privileges via a symlink attack during log file creation.BUGTRAQ:19960921 Vunerability in HP sysdiag ?hp-sysdiag-symlink(4122)19960921 Vunerability in HP sysdiag ?Buffer overflow in HPUX passwd command allows local users to gain root privileges via a command line option.AUSCERT:AA-96.13,HP:HPSBUX9701-045,XFhp-password-cmd-bo(3704)HPSBUX9701-0456415FreeBSD mount_union command allows local users to gain root privileges via a symlink attack.VB-96.06.freebsdfreebsd-mount-union-root(3705)6088Buffer overflow in FreeBSD setlocale in the libc module allows attackers to execute arbitrary code via a long PATH_LOCALE environment variable.freebsd-setlocale-bo(3829)6086Race condition in xterm allows local users to modify arbitrary files via the logging option.CA-93.17.xterm.logging.vulnerabilityxterm(550)Buffer overflow in Solaris getopt in libc allows local users to gain root privileges via a long argv[0].L0PHT:19970127 Solaris libc - getopt(3)Solaris libc getopt(3) contains buffer overflowBuffer overflow in the HTML library used by Internet Explorer, Outlook Express, and Windows Explorer via the res: local resource protocol.L0PHT:19971101 Microsoft Internet Explorer 4.0 SuiteBuffer overflow in BNC IRC proxy allows remote attackers to gain privileges.bnc-proxy-bobnc exploit19981226 bnc exploitbnc-proxy-bo(1546)1927The Windows NT RPC service allows remote attackers to conduct a denial of service using spoofed malformed RPC packets which generate an error message that is sent to the spoofed host, potentially setting up a loop, aka Snork.snork-dos(1372)MS98-014MS98-014Q193233The OmniHTTPD visadmin.exe program allows a remote attacker to conduct a denial of service via a malformed URL which causes a large number of temporary files to be created.Remote Exploit (Bug) in OmniHTTPd Web Serveromnihttpd-dos(2271)19990605 Remote Exploit (Bug) in OmniHTTPd Web Server1808Buffer overflow in Exim allows local users to gain root privileges via a long :include: option in a .forward file.exim-include-overflow(1893)Security hole in exim 1.62: local root exploit19970722 Security hole in exim 1.62: local root exploitBuffer overflow in Xshipwars xsw program.BID 863863Buffer overflow in Solaris snoop program allows remote attackers to gain root privileges via a long domain name when snoop is running in verbose mode.BID 858858Buffer overflow in Solaris snoop allows remote attackers to gain root privileges via GETQUOTA requests to the rpc.rquotad service.BID 86400190864The Windows help system can allow a local user to execute commands as another user by editing a table of contents metafile with a .CNT extension and modifying the topic action to include the commands to be executed when the .hlp file is accessed.BID 868868Sendmail allows local users to reinitialize the aliases database via the newaliases command, then cause a denial of service by interrupting Sendmail.sendmail-bi-alias(3795)bugtraq id 857857Buffer overflow in Solaris sadmind allows remote attackers to gain root privileges using a NETMGT_PROC_SERVICE request.BID 866CA-99-16-sadmind0019186623542558htdig allows remote attackers to execute commands via filenames with shell metacharacters.BID 867867The SCO UnixWare privileged process system allows local users to gain root privileges by using a debugger such as gdb to insert traps into _init before the privileged process is executed.bugtraq id 86919991215 Recent postings about SCO UnixWare 7869Windows NT Service Control Manager (SCM) allows remote attackers to cause a denial of service via a malformed argument in a resource enumeration request.MS99-055MS99-055Q246045Internet Explorer 5.01 and earlier allows a remote attacker to create a reference to a client window and use a server-side redirect to access local files via that window, aka "Server-side Page Reference Redirect."MS99-050MS99-050Q246094The Sun Web-Based Enterprise Management (WBEM) installation script stores a password in plaintext in a world readable file.Whois Internic Lookup program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.http-cgi-whois-meta(3798)Whois.cgi - ADVISORY.Matt's Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.http-cgi-matts-whois-meta(3799)Whois.cgi - ADVISORY.CC Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.cc-whois-meta(3800)Whois.cgi - ADVISORY.The ping command in Linux 2.0.3x allows local users to cause a denial of service by sending large packets with the -R (record route) option.BID 870870Windows NT does not properly download a system policy if the domain user logs into the domain with a space at the end of the domain name.Q237923UnixWare pkgtrans allows local users to read arbitrary files via a symlink attack.unixware-pkgtrans-symlink(3802)Package Tool Security PatchUnixWare pkg* command exploitsBuffer overflow in Internet Explorer 5 directshow filter (MSDXM.OCX) allows remote attackers to execute commands via the vnd.ms.radio protocol.BID 861861Error messages generated by gdm with the VerboseAuth setting allows an attacker to identify valid users on a system.gdm thingverbose-auth-identify-user(3804)Buffer overflow in GoodTech Telnet Server NT allows remote users to cause a denial of service via a long login name.BID 862862HP VirtualVault with the PHSS_17692 patch allows unprivileged processes to bypass access restrictions via the Trusted Gateway Proxy (TGP).HPSBUX9912-107Modifications to ACLs (Access Control Lists) in Microsoft Exchange 5.5 do not take effect until the directory store cache is refreshed.exchange-acl-changes(3916)Changing ACL's in Exchange ServerWindows NT with SYSKEY reuses the keystream that is used for encrypting SAM password hashes, allowing an attacker to crack passwords.MS99-056BID 873MS99-056Q248183873Windows NT Local Security Authority (LSA) allows remote attackers to cause a denial of service via malformed arguments to the LsaLookupSids function which looks up the SID, aka "Malformed Security Identifier Request."MS99-057BID 875MS99-057Q248185875Buffer overflow in Infoseek Ultraseek search engine allows remote attackers to execute commands via a long GET request.AD19991215infoseek-ultraseek-bo(3951)AD199912156490wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress.DSA-377Cisco Cache Engine allows an attacker to replace content in the cache.CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilitiescisco-cache-engine-replace(3918)Microsoft SQL 7.0 server allows a remote attacker to cause a denial of service via a malformed TDS packet.MS99-059BID 817MS99-059Q248749817The web administration interface for Cisco Cache Engine allows remote attackers to view performance statistics.CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilitiescisco-cache-engine-performance(3919)Cisco Cache Engine allows a remote attacker to gain access via a null username and password.CISCO:19991216 Cisco Cache Engine Authentication VulnerabilitiesNetscape Navigator uses weak encryption for storing a user's Netscape mail password.Reliable Software Technologies Discovers Security Flaw in Netscape Navigatornetscape-mail-notify-plaintext(4385)Misleading sense of security in Netscape19991216 Reinventing the wheel (aka "Decoding Netscape Mail passwords")19991220 Netscape password scramblingWar FTP Daemon 1.70 allows remote attackers to cause a denial of service by flooding it with connections.warftp-connection-flood(3953)Local / Remote D.o.S Attack in War FTP Daemon 1.70 VulnerabilityStatement: Local / Remote D.o.S Attack in War FTP DaemonBuffer overflow in the POP server POProxy for the Norton Anti-Virus protection NAV2000 program via a large USER command.nav-pop-user(3807)NAV2000 Email Protection DoS[w00giving '99 #11] Norton Antivirus' POProxy19991217 NAV2000 Email Protection DoS19991220 Norton Email Protection Remote Overflow (Addendum)6267Groupwise web server GWWEB.EXE allows remote attackers to read arbitrary files with .htm extensions via a .. (dot dot) attack using the HELP parameter.bugtraq id 87919991219 Groupewise Web Interface8793413Groupwise web server GWWEB.EXE allows remote attackers to determine the real path of the web server via the HELP parameter.Groupewise Web Interfacegroupwise-web-read-files(3923)Groupewise Web InterfaceBuffer overflow in VDO Live Player allows remote attackers to execute commands on the VDO client via a malformed .vdo file.BID 872vdolive-bo-execute(3924)19991213 VDO Live Player 3.02 Buffer Overflow872xsoldier program allows local users to gain root access via a long argument.BID 871871The Disney Go Express Search allows remote attackers to access and modify search information for users by connecting to an HTTP server on the user's system.disney-search-info(3955)Privacy hole in Go Express SearchPrivacy hole in Go Express SearchAn SSH 1.2.27 server allows a client to use the "none" cipher, even if it is not allowed by the server policy.19991214 sshd1 allows unencrypted sessions regardless of server policyThe Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands.nt-iis-rds(1212)BID 529MS98-004MS99-025MS99-025J-054272SMTP component of Lotus Domino 4.6.1 on AS/400, and possibly other operating systems, allows a remote attacker to crash the mail server via a long string.bid173named-xfer in AIX 4.1.5 and 4.2.1 allows members of the system group to overwrite system files to gain root access via the -f parameter and a malformed zone file.bid673Buffer overflow in mail command in Solaris 2.7 and 2.7 allows local users to gain privileges via a long -m argument.sun-usrbinmail-local-bo(3297)bid672Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and earlier allows a remote attacker to cause a denial of service (crash) via a long HELO command.bid61Microsoft HTML control as used in (1) Internet Explorer 5.0, (2) FrontPage Express, (3) Outlook Express 5, and (4) Eudora, and possibly others, allows remote malicious web site or HTML emails to cause a denial of service (100% CPU consumption) via large HTML form fields such as text inputs in a table cell.bid606Seattle Labs Emurl 2.0, and possibly earlier versions, stores e-mail attachments in a specific directory with scripting enabled, which allows a malicious ASP file attachment to execute when the recipient opens the message.bid544IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP fragments before checking the header information, which allows a remote attacker to bypass the filtering rules using several fragments with 0 offsets.bid543SpectroSERVER in Cabletron Spectrum Enterprise Manager 5.0 installs a directory tree with insecure permissions, which allows local users to replace a privileged executable (processd) with a Trojan horse, facilitating a root or Administrator compromise.bid495The installation of Novell Netware NDS 5.99 provides an unauthenticated client with Read access for the tree, which allows remote attackers to access sensitive information such as users, groups, and readable objects via CX.EXE and NLIST.EXE.NMRC Advisory - Default NDS Rightsbid 484novell-nds(1364)NFS on SunOS 4.1 through 4.1.2 ignores the high order 16 bits in a 32 bit UID, which allows a local user to gain root access if the lower 16 bits are set to 0, as fixed by the NFS jumbo patch upgrade.CA-1992-15#00117bid47nfs-uid(82)serial_ports administrative program in IRIX 4.x and 5.x trusts the user's PATH environmental variable to find and execute the ls program, which allows local users to gain root privileges via a Trojan horse ls program.IRIX Race Conditionssgi-serialports (2111)bid464useradd in Solaris 7.0 does not properly interpret certain date formats as specified in the "-e" (expiration date) argument, which could allow users to login after their accounts have expired.bid426ip_print procedure in Tcpdump 3.4a allows remote attackers to cause a denial of service via a packet with a zero length header, which causes an infinite loop and core dump when tcpdump prints the packet.bid313CDE screen lock program (screenlock) on Solaris 2.6 does not properly lock an unprivileged user's console session when the host is an NIS+ client, which allows others with physical access to login with any string.106027-10bid29419981012 Annoying Solaris/CDE/NIS+ bugaspppd on Solaris 2.5 x86 allows local users to modify arbitrary files and gain root privileges via a symlink attack on the /tmp/.asppp.fifo file.Solaris 2.5 x86 aspppdbid292Solaris 2.6 HW3/98 installs admintool with world-writable permissions, which allows local users to gain privileges by replacing it with a Trojan horse program.bid290solaris-admintool-world-writable(7296)Symantec pcAnywhere 8.0 allows remote attackers to cause a denial of service (CPU utilization) via a large amount of data to port 5631.bid288pcanywhere-dos(2256)SSH server (sshd2) before 2.0.12 does not properly record login attempts if the connection is closed before the maximum number of tries, allowing a remote attacker to guess the password without showing up in the audit logs.bid277ssh2-bruteforce(2193)counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via an HTTP request that ends in %0A (newline), which causes a malformed entry in the counter log that produces an access violation.bid267counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via a long argument.Vulnerability in LAT/Telnet Gateway (lattelnet) on Ultrix 4.1 and 4.2 allows attackers to gain root privileges.CA-1991-11bid26B-36ultrix-telnet(584)Microsoft Outlook Express before 4.72.3612.1700 allows a malicious user to send a message that contains a .., which can inadvertently cause Outlook to re-enter POP3 command mode and cause the POP3 session to hang.bid25219990512 Outlook Express Win98 bug, addition.Vulnerability in login in AT&T System V Release 4 allows local users to gain privileges.CA-1991-08bid23B-28sysv-login(583)IIS 3.0 and 4.0 on x86 and Alpha allows remote attackers to cause a denial of service (hang) via a malformed GET request, aka the IIS "GET" vulnerability.MS98-019iis-get-dos(1823)COPS 1.04 allows local users to overwrite or create arbitrary files via a symlink attack on temporary files in (1) res_diff, (2) ca.src, and (3) mail.chk.19980626 vulnerability in satan, cops & tigerrex.satan in SATAN 1.1.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/rex.$$ file.vulnerability in satan, cops & tigerRe: vulnerability in satan v1.1.119980627 Re: vulnerability in satan, cops & tigersatan-rexsatan-symlink(7167)3147Tiger 2.2.3 allows local users to overwrite arbitrary files via a symlink attack on various temporary files in Tiger's default working directory, as defined by the WORKDIR variable.19980626 vulnerability in satan, cops & tigerVulnerability in (1) diskalign and (2) diskperf in IRIX 6.4 patches 2291 and 2848 allow a local user to create root-owned files leading to a root compromise.19980502-01-P3030sgi-diskperf (2103)Vulnerabilities in (1) ipxchk and (2) ipxlink in NetWare Client 1.0 on IRIX 6.3 and 6.4 allows local users to gain root access via a modified IFS environmental variable.19980501-01-P2869SGI IRIX Vulnerabilities (NetWare Client,diskperf/diskalign)19980408 SGI O2 ipx security issueBuffer overflow in mscreen on SCO OpenServer 5.0 and SCO UNIX 3.2v4 allows a local user to gain root access via (1) a long TERM environmental variable and (2) a long entry in the .mscreenrc file.SB-98.05a19980926 Root exploit for SCO OpenServer.Cisco Resource Manager (CRM) 1.0 and 1.1 creates world-readable log files and temporary files, which may expose sensitive information, to local users such as user IDs, passwords and SNMP community strings.Microsoft Exchange Server 5.5 and 5.0 does not properly handle (1) malformed NNTP data, or (2) malformed SMTP data, which allows remote attackers to cause a denial of service (application error).MS98-007Vulnerability in Advanced File System Utility (advfs) in Digital UNIX 4.0 through 4.0d allows local users to gain privileges.I-050dgux-advfs-softlinks (7431)dgux-advfs-softlinks(7431)pnserver in RealServer 5.0 and earlier allows remote attackers to cause a denial of service by sending a short, malformed request.http://service.real.com/help/faq/serv501.htmlrealserver-pnserver-remote-dos(7297)6979Buffer overflow in IMonitor in IMail 5.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 8181.19990302 Multiple IMail Vulnerabilites504imail-imonitor-overflow(1897)When BSDI patches for Gauntlet 5.0 BSDI are installed in a particular order, Gauntlet allows remote attackers to bypass firewall access restrictions, and does not log the activities.19991019 Re: Gauntlet 5.0 BSDI warninggauntlet-bsdi-bypass(3397)Buffer overflow in bash 2.0.0, 1.4.17, and other versions allows local attackers to gain privileges by creating an extremely large directory name, which is inserted into the password prompt via the \w option in the PS1 environmental variable when another user changes into that directory.BASH buffer overflow, LiNUX x86 exploitBuffer overflow in /bin/bashproblem with very long pathnameslinux-bash-bo (3414)8345ARCserve NT agents use weak encryption (XOR) for passwords, which allows remote attackers to sniff the authentication request to port 6050 and decrypt the password.19990222 Severe Security Hole in ARCserve NT agents (fwd)ARCserve 6.5 NT Client Agent Security Protocol EnhancementsDirectory traversal vulnerability in Matt Wright FormHandler.cgi script allows remote attackers to read arbitrary files via (1) a .. (dot dot) in the reply_message_attach attachment parameter, or (2) by specifying the filename as a template.bid798bid799formhandler-cgi-absolute-path(3550)19991112 FormHandler.cgiDefault configuration in Matt Wright FormHandler.cgi script allows arbitrary directories to be used for attachments, and only restricts access to the /etc/ directory, which allows remote attackers to read arbitrary files via the reply_message_attach attachment parameter.Microsoft FrontPage stores form results in a default location in /_private/form_results.txt, which is world-readable and accessible in the document root, which allows remote attackers to read possibly sensitive information submitted by other users.guestbook.pl cleanses user-inserted SSI commands by removing text between "<!--" and "-->" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "-->".bid776The default configuration of FLEXlm license manager 6.0d, and possibly other versions, allows remote attackers to shut down the server via the lmdown command.Globetrotter FlexLM 'Imdown' bogosityMicrosoft Excel 97 does not warn the user before executing worksheet functions, which could allow attackers to execute arbitrary commands by using the CALL function to execute a malicious DLL, aka the Excel "CALL Vulnerability."MS98-018bid179excel-call(1737)179** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1395. Reason: This candidate is a duplicate of CVE-1999-1395. Notes: All CVE users should reference CVE-1999-1395 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.VMS 4.0 through 5.3 allows local users to gain privileges via the ANALYZE/PROCESS_DUMP dcl command.CA-1990-0712vms-analyze-processdump-privileges(7137)Buffer overflow in Vermillion FTP Daemon VFTPD 1.23 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via several long CWD commands.vermillion-ftp-cwd-overflow(3543)bid81881819991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 VulnerabilityVulnerability in rexec daemon (rexecd) in AT&T TCP/IP 4.0 for various SVR4 systems allows remote attackers to execute arbitrary commands.CA-1992-0436att-rexecd(3159)Buffer overflow in Tetrix TetriNet daemon 1.13.16 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by connecting to port 31457 from a host with a long DNS hostname.19990217 Tetrix 1.13.16 is Vulnerable340HP Laserjet printers with JetDirect cards, when configured with TCP/IP, can be configured without a password, which allows remote attackers to connect to the printer and change its IP address or disable logging.HP Laserjet 4M Plus DirectJet Problemlaserjet-unpassworded (1876)HP Laserjet printers with JetDirect cards, when configured with TCP/IP, allow remote attackers to bypass print filters by directly sending PostScript documents to TCP ports 9099 and 9100.HP Laserjet 4M Plus DirectJet Problemlaserjet-unpassworded (1876)CDomain whois_raw.cgi whois CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the fqdn parameter.http-cgi-cdomain(2251)304Multiple buffer overflows in WindowMaker 0.52 through 0.60.0 allow attackers to cause a denial of service and possibly execute arbitrary commands by executing WindowMaker with a long program name (argv[0]).596Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 14238 while the manager is in network mode.Quake 1 server responds to an initial UDP game connection request with a large amount of traffic, which allows remote attackers to use the server as an amplifier in a "Smurf" style attack on another host, by spoofing the connection request.SGI MachineInfo CGI program, installed by default on some web servers, prints potentially sensitive system status information, which could be used by remote attackers for information gathering activities.sgi-machineinfo (1730)19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in webdist.cgiOracle Webserver 2.1, when serving PL/SQL stored procedures, allows remote attackers to cause a denial of service via a long HTTP GET request.DoS against Oracle Webserver 2.1 with PL/SQL stored proceduresDirectory traversal vulnerability in carbo.dll in iCat Carbo Server 3.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the icatcommand parameter.Security bug in iCat Suite version 3.0bid2126icat-carbo-server-vuln (1620)Buffer overflow in ping CGI program in Xylogics Annex terminal service allows remote attackers to cause a denial of service via a long query parameter.Annex DoSExcite for Web Servers (EWS) 1.1 installs the Architext.conf authentication file with world-writeable permissions, which allows local users to gain access to Excite accounts by modifying the file.Security bugs in Excite for Web Servers 1.1excite-world-write(1417)Excite for Web Servers (EWS) 1.1 allows local users to gain privileges by obtaining the encrypted password from the world-readable Architext.conf authentication file and replaying the encrypted password in an HTTP request to AT-generated.cgi or AT-admin.cgi.Security bugs in Excite for Web Servers 1.1Excite for Web Servers (EWS) 1.1 records the first two characters of a plaintext password in the beginning of the encrypted password, which makes it easier for an attacker to guess passwords via a brute force or dictionary attack.Security bugs in Excite for Web Servers 1.1Webmin before 0.5 does not restrict the number of invalid passwords that are entered for a valid username, which could allow remote attackers to gain privileges via brute force password cracking.bid9898inetd in AIX 4.1.5 dynamically assigns a port N when starting ttdbserver (ToolTalk server), but also inadvertently listens on port N-1 without passing control to ttdbserver, which allows remote attackers to cause a denial of service via a large number of connections to port N-1, which are not properly closed by inetd.Idle locking function in MacOS 9 allows local users to bypass the password protection of idled sessions by selecting the "Log Out" option and selecting a "Cancel" option in the dialog box for an application that attempts to verify that the user wants to log out, which returns the attacker into the locked session.bid745Idle locking function in MacOS 9 allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock.bid756WS_FTP Pro 6.0 uses weak encryption for passwords in its initialization files, which allows remote attackers to easily decrypt the passwords and gain privileges.547Vulnerability in ptrace in AIX 4.3 allows local users to gain privileges by attaching to a setgid program.bid43919990506 AIX Security Fixes Update19990825 AIX security summaryIX80470rmmount in SunOS 5.7 may mount file systems without the nosuid flag set, contrary to the documentation and its use in previous versions of SunOS, which could allow local users with physical access to gain root privileges by mounting a floppy or CD-ROM that contains a setuid program and running volcheck, when the file systems do not have the nosuid option specified in rmmount.conf.250solaris-rmmount-gain-root(8350)Vulnerability in files.pl script in Novell WebServer Examples Toolkit 2 allows remote attackers to read arbitrary files.http-nov-files (2054)http://www.w3.org/Security/Faq/wwwsf8.html#Q87http://www.roxanne.org/faqs/www-secure/wwwsf4.html#Q35Directory traversal vulnerability in Jana proxy web server 1.40 allows remote attackers to ready arbitrary files via a "......" (modified dot dot) attack.bid69919991008 Jana webserver exploitDirectory traversal vulnerability in Jana proxy web server 1.45 allows remote attackers to ready arbitrary files via a .. (dot dot) attack.20000502 Security Bug in Jana HTTP Server699The "AEDebug" registry key is installed with insecure permissions, which allows local users to modify the key to specify a Trojan Horse debugger which is automatically executed on a system crash.MS00-008K-029bid104419980622 Yet another SSH 1.2.25, 1.2.23, and other versions, when used in in CBC (Cipher Block Chaining) or CFB (Cipher Feedback 64 bits) modes, allows remote attackers to insert arbitrary data into an existing stream between an SSH client and server by using a known plaintext attack and computing a valid CRC-32 checksum for the packet, aka the "SSH insertion attack."CORE-SDI-04VU#13877ssh-insert(1126)Novell 5 and earlier, when running over IPX with a packet signature level less than 3, allows remote attackers to gain administrator privileges by spoofing the MAC address in IPC fragmented packets that make NetWare Core Protocol (NCP) calls.bid528Internet Explorer 4 treats a 32-bit number ("dotless IP address") in the a URL as the hostname instead of an IP address, which causes IE to apply Local Intranet Zone settings to the resulting web page, allowing remote malicious web servers to conduct unauthorized activities by using URLs that contain the dotless IP address for their server.MS98-016ie-dotless(2209)http://www.microsoft.com/Windows/Ie/security/dotless.asp7828Vulnerability in chsh command in HP-UX 9.X through 10.20 allows local users to gain privileges.H-21: HP Security Vulnerabilitieshp-chsh (2012)Buffer overflow in chfn command in HP-UX 9.X through 10.20 allows local users to gain privileges via a long command line argument.the HP Bug of the Week!H-21: HP Security VulnerabilitiesH-16: HP-UX Security Vulnerabilities (chfn, Remote Watch)The default configuration of NCSA Telnet package for Macintosh and PC enables FTP, even though it does not include an "ftp=yes" line, which allows remote attackers to read and modify arbitrary files.CA-1991-15ftp-ncsa(1844)UNIX news readers tin and rtin create the /tmp/.tin_log file with insecure permissions and follow symlinks, which allows attackers to modify the permissions of files writable by the user via a symlink attack.tin-tmpfile (431)19960903 [BUG] Vulnerability in TIN19960903 Re: BoS: [BUG] Vulnerability in TIN19970329 symlink bug in tin/rtintin 1.40 creates the .tin directory with insecure permissions, which allows local users to read passwords from the .inputhistory file.Buffer overflow in the Window.External function in the JScript Scripting Engine in Internet Explorer 4.01 SP1 and earlier allows remote attackers to execute arbitrary commands via a malicious web page.MS98-011Q191200java-script-patch(1276)Buffer overflow in Internet Explorer 4.01 and earlier allows remote attackers to execute arbitrary commands via a long URL with the "mk:" protocol, aka the "MK Overrun security issue."iemk-bug(917)sort creates temporary files and follows symbolic links, which allows local users to modify arbitrary files that are writable by the user running sort, as observed in updatedb and other programs that use sort.updatedb / crontabsupdatedb stuffoverwrite any file with updatedbBuffer overflow in kscreensaver in KDE klock allows local users to gain root privileges via a long HOME environmental variable.kde-klock-home-bo(1644)19980516 kde exploit19980517 simple kde exploit fixMicrosoft NetMeeting 2.1 allows one client to read the contents of another client's clipboard via a CTRL-C in the chat box when the box is empty.netmeeting-clipboard(2187)19990504 Microsoft Netmeeting HoleVulnerability in BSD Telnet client with encryption and Kerberos 4 authentication allows remote attackers to decrypt the session via sniffing.CA-1995-03bsd-telnet(516)4881Kerberos 4 allows remote attackers to obtain sensitive information via a malformed UDP packet that generates an error string that inadvertently includes the realm name and the last user.L0pht Kerberos Advisorykerberos-user-grab (65)Cisco PIX Private Link 4.1.6 and earlier does not properly process certain commands in the configuration file, which reduces the effective key length of the DES key to 48 bits instead of 56 bits, which makes it easier for an attacker to find the proper key via a brute force attack.cisco-pix-parse-error(1579)I-056Kabsoftware Lydia utility uses weak encryption to store user passwords in the lydia.ini file, which allows local users to easily decrypt the passwords and gain privileges.19990219 Yet Another password storing problem (was: Re: Possible Netscape Crypto Security Flaw)lydia-ini-passwords (7501) lpr on SunOS 4.1.1, BSD 4.3, A/UX 2.0.1, and other BSD-based operating systems allows local users to create or overwrite arbitrary files via a symlink attack that is triggered after invoking lpr 1000 times.E-25a: BSD lpr Vulnerability in SGI IRIX19940307 8lgm Advisory Releasesdxconsole in DEC OSF/1 3.2C and earlier allows local users to read arbitrary files by specifying the file with the -file parameter.G-18http://www.tao.ca/fire/bos/0209.htmlosf-dxconsole-gain-privileges(7138)Windows 95 uses weak encryption for the password list (.pwl) file used when password caching is enabled, which allows local users to gain privileges by decrypting the passwords.Q140557win95-nbsmbpwl(71)Windows 95, when Remote Administration and File Sharing for NetWare Networks is enabled, creates a share (C$) when an administrator logs in remotely, which allows remote attackers to read arbitrary files by mapping the network drive.win95-netware-hidden-share(7231)Buffer overflow in kppp in KDE allows local users to gain root access via a long -c (account_name) command line argument.kde-kppp-account-bo(1643)92Buffer overflow in kppp in KDE allows local users to gain root access via a long PATH environmental variable.Multiple KDE security vulnerabilities (root compromise)kde-kppp-path-bo(1650)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1107. Reason: This candidate is a duplicate of CVE-1999-1107. Notes: All CVE users should reference CVE-1999-1107 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Sendmail before 8.10.0 allows remote attackers to cause a denial of service by sending a series of ETRN commands then disconnecting from the server, while Sendmail continues to process the commands after the connection has been terminated.904sendmail-etrn-dos(7760)Windows Media Player ActiveX object as used in Internet Explorer 5.0 returns a specific error code when a file does not exist, which allows remote malicious web sites to determine the existence of files on the client.bid793Vulnerability in StackGuard before 1.21 allows remote attackers to bypass the Random and Terminator Canary security mechanisms by using a non-linear attack which directly modifies a pointer to a return address instead of using a buffer overflow to reach the return address entry itself.Immunix-1999:01immunix-stackguard-bo(3524)786Buffer overflow in IrfanView32 3.07 and earlier allows attackers to execute arbitrary commands via a long string after the "8BPS" image type in a Photo Shop image header.irfan-view32-bo(3549)bid781Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier on MacOS systems allows remote attackers to cause a denial of service via a long USER command to port 106.75Buffer overflow in Korn Shell (ksh) suid_exec program on IRIX 6.x and earlier, and possibly other operating systems, allows local users to gain root privileges.Korn Shell (ksh) suid_exec Vulnerabilitysuid_exec Buffer Overflowksh-suid_exec (2100)bid467AA-96.17Vulnerability in the /etc/suid_exec program in HP Apollo Domain/OS sr10.2 and sr10.3 beta, related to the Korn Shell (ksh).CA-1990-04A-307apollo-suidexec-unauthorized-access(6721)Vulnerability in runpriv in Indigo Magic System Administration subsystem of SGI IRIX 6.3 and 6.4 allows local users to gain root privileges.19970503-01-PXbid462sgi-runpriv (2108)1009lquerypv in AIX 4.1 and 4.2 allows local users to read arbitrary files by specifying the file in the -h command line parameter.H-13: IBM AIX(r) Security Vulnerabilities (gethostbyname,lquerypv)bid455ibm-lquerypv(1752)1996112419961125 lquerypv fix455ndd in Solaris 2.6 allows local users to cause a denial of service by modifying certain TCP/IP parameters.#00165bid433sun-ndd (817)FTP installation script anon.ftp in AIX insecurely configures anonymous FTP, which allows remote attackers to execute arbitrary commands.CA-1992-09aix-anon-ftp(3154)41netprint in SGI IRIX 6.4 and earlier trusts the PATH environmental variable for finding and executing the disable program, which allows local users to gain privileges.Irix: netprint story19961203-02-PXbid395sgi-netprint (2107)19961203-01-PX993The default configuration for UUCP in AIX before 3.2 allows local users to gain root privileges.CA-1992-06ibm-uucp(554)38891Vulnerability in restore in SunOS 4.0.3 and earlier allows local users to gain privileges.CA-1989-02CIAC-083sun-restore-gain-privileges(6695)sun-restore-gain-privileges(6695)The installation of Sun Source (sunsrc) tapes allows local users to gain root privileges via setuid root programs (1) makeinstall or (2) winstall.CA-1991-07#00107sun-sourcetapes(582)2122HTTP Client application in ColdFusion allows remote attackers to bypass access restrictions for web pages on other ports by providing the target page to the mainframeset.cfm application, which requests the page from the server, making it look like the request is coming from the local host.http://packetstorm.securify.com/mag/phrack/phrack54/P54-08Oracle Webserver 2.1 and earlier runs setuid root, but the configuration file is owned by the oracle account, which allows any local or remote attacker who obtains access to the oracle account to gain privileges or modify arbitrary files by modifying the configuration file.oracle-webserver-gain-root (7174)19970919 Instresting practises of Oracle [Oracle Webserver]Cisco Resource Manager (CRM) 1.1 and earlier creates certain files with insecure permissions that allow local users to obtain sensitive configuration information including usernames, passwords, and SNMP community strings, from (1) swim_swd.log, (2) swim_debug.log, (3) dbi_debug.log, and (4) temporary files whose names begin with "DPR_".cisco-crm-file-vuln(1575)Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which allows remote attackers to cause a denial of service (resource exhaustion) via a series of connections containing malformed data, aka the "Named Pipes Over RPC" vulnerability.MS98-017nt-spoolss(523)Internet Explorer 3.01 on Windows 95 allows remote malicious web sites to execute arbitrary commands via a .isp file, which is automatically downloaded and executed without prompting the user.http-ie-exec (462)http://oliver.efri.hr/~crv/security/bugs/NT/ie3.htmlhttp://members.tripod.com/~unibyte/iebug3.htmCisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers to inject 802.1q frames into another VLAN by forging the VLAN identifier in the trunking tag.cisco-catalyst-vlan-frames(3294)bid615Default configuration of the search engine in Netscape Enterprise Server 3.5.1, and possibly other versions, allows remote attackers to read the source of JHTML files by specifying a search command using the HTML-tocrec-demo1.pat pattern file.55919990730 Netscape Enterprise Server yeilds source of JHTMLBuffer overflow in OSF Distributed Computing Environment (DCE) security demon (secd) in IRIX 6.4 and earlier allows attackers to cause a denial of service via a long principal, group, or organization.VB-97.12I-06019980601-01-PXsgi-osf-dce-dos(1123)Windows NT 4.0 allows remote attackers to cause a denial of service (crash) via extra source routing data such as (1) a Routing Information Field (RIF) field with a hop count greater than 7, or (2) a list containing duplicate Token Ring IDs.19981002 NMRC Advisory - Lame NT Token Ring DoStoken-ring-dos(1399)HP-UX 9.x and 10.x running X windows may allow local attackers to gain privileges via (1) vuefile, (2) vuepad, (3) dtfile, or (4) dtpad, which do not authenticate users.ecurity Vulnerability in libXt for HP-UX 9.X & 10.Xhp-vue-dt (499)Vulnerability in Vue 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4038, PHSS_4055, and PHSS_4066.hp-vue (2284)E-23bHPSBUX9404-008hp-vue(2284)Vulnerability in VUE 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4994 and PHSS_5438.E-23bhp-vue (2284HPSBUX9504-027Vulnerability in Predictive on HP-UX 11.0 and earlier, and MPE/iX 5.5 and earlier, allows attackers to compromise data transfer for Predictive messages (using e-mail or modem) between customer and Response Center Predictive systems.HPSBUX9807-081HPSBMP9807-005HP-UX Predictive & Netscape SSL VulnerabilitiesI-081mpeix-predictive (1413)The permissions for the /dev/audio device on Solaris 2.2 and earlier, and SunOS 4.1.x, allow any local user to read from the device, which could be used by an attacker to monitor conversations happening near a machine that has a microphone.E-01#00122sun-audio (549)6436SCO UNIX System V/386 Release 3.2, and other SCO products, installs the home directories (1) /tmp for the dos user, and (2) /usr/tmp for the asg user, which allows other users to gain access to those accounts since /tmp and /usr/tmp are world-writable.CA-1993-13sco-homedir(546)Character-Terminal User Environment (CUE) in HP-UX 11.0 and earlier allows local users to overwrite arbitrary files and gain root privileges via a symlink attack on the IOERROR.mytty file.HPSBUX9801-074HP-UX CUE, CUD and LAND vulnerabilitiesHP UX BugI-027Bhp-cue(2007)Buffer overflow in CrackLib 2.5 may allow local users to gain root privileges via a long GECOS field.VB-97.16cracklib-bo(1539)Ascom Timeplex router allows remote attackers to obtain sensitive information or conduct unauthorized activities by entering debug mode through a sequence of CTRL-D characters.ascom-timeplex-debug (1824)19970515 MicroSolved finds hole in Ascom Timeplex Router SecuritySunOS 4.1.2 and earlier allows local users to gain privileges via "LD_*" environmental variables to certain dynamically linked setuid or setgid programs such as (1) login, (2) su, or (3) sendmail, that change the real and effective user ids to the same user.CA-1992-11sun-env(3152)00116Vulnerability in runtime linker program rld in SGI IRIX 6.x and earlier allows local users to gain privileges via setuid and setgid programs.H-65: SGI IRIX rld Security Vulnerabilitysgi-rld (210919970504-01-PXCertain files in MPower in HP-UX 10.x are installed with insecure permissions, which allows local users to gain privileges.HPSBUX9701-051hp-mpower (2056)Vulnerability in Glance programs in GlancePlus for HP-UX 10.20 and earlier allows local users to access arbitrary files and gain privileges.H-21: HP Security Vulnerabilitieshp-glanceplus (2059)HPSBUX9701-044Vulnerability in Glance and gpm programs in GlancePlus for HP-UX 9.x and earlier allows local users to access arbitrary files and gain privileges.Security Vulnerability in HP GlancePlushp-glanceplus-gpm (2060)Buffer overflow in Platinum Policy Compliance Manager (PCM) 7.0 allows remote attackers to execute arbitrary commands via a long string to the Agent port (1827), which is handled by smaxagent.exe.[SAFER-981204.DOS.1.3] Buffer Overflow in Platinum PCM 7.0pcm-dos-execute(1430)3164FTP service in IIS 4.0 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via many passive (PASV) connections at the same time.MS98-006iis-passive-ftp(1215)Buffer overflow in CSM Proxy 4.1 allows remote attackers to cause a denial of service (crash) via a long string to the FTP port.S.A.F.E.R. Security Bulletin 980708.DOS.1.1csm-proxy-dos(1422)Livingston Portmaster routers running ComOS use the same initial sequence number (ISN) for TCP connections, which allows remote attackers to conduct spoofing and hijack TCP sessions.portmaster-fixed-isn(1882)Compaq/Microcom 6000 Access Integrator does not cause a session timeout after prompting for a username or password, which allows remote attackers to cause a denial of service by connecting to the integrator without providing a username or password.microcom-dos(2089)Compaq/Microcom 6000 Access Integrator does not disconnect a client after a certain number of failed login attempts, which allows remote attackers to guess usernames or passwords via a brute force attack.HAMcards Postcard CGI script 1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address.cgi-perl-mail-programs(1400)LakeWeb Filemail CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address.Several new CGI vulnerabilitiescgi-perl-mail-programs(1400)LakeWeb Mail List CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address.Several new CGI vulnerabilitiescgi-perl-mail-programs(1400)BisonWare FTP Server 4.1 and earlier allows remote attackers to cause a denial of service via a malformed PORT command that contains a non-numeric character and a large number of carriage returns.bisonware-port-crash(2254)Tcpip.sys in Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service via an ICMP Subnet Mask Address Request packet, when certain multiple IP addresses are bound to the same network interface.tcpipsys-icmp-dos(3894)Buffer overflow in (1) pluggable authentication module (PAM) on Solaris 2.5.1 and 2.5 and (2) unix_scheme in Solaris 2.4 and 2.3 allows local users to gain root privileges via programs that use these modules such as passwd, yppasswd, and nispasswd.AA-97.09SSH 2.0.11 and earlier allows local users to request remote forwarding from privileged ports without being root.ssh2 security problem (and patch) (fwd)ssh-privileged-port-forward(1471)Vulnerability in ftpd/kftpd in HP-UX 10.x and 9.x allows local and possibly remote users to gain root privileges.HPSBUX9702-055H-33: HP-UX ftpd/kftpd Vulnerabilityhp-ftpd-kftpd(7437)Vulnerability in ppl in HP-UX 10.x and earlier allows local users to gain root privileges by forcing ppl to core dump.Untitledppl bugsHPSBUX9704-057H-32: HP-UX ppl Core Dump Vulnerabilityhp-ppl(7438)Vulnerability in passwd in SCO UNIX 4.0 and earlier allows attackers to cause a denial of service by preventing users from being able to log into the system.CA-1993-08 SCOsco-passwd-deny(542)Vulnerability in HP Series 800 S/X/V Class servers allows remote attackers to gain access to the S/X/V Class console via the Service Support Processor (SSP) Teststation.HPSBUX9911-105hp-ssp (7439)hp-ssp(7439)Microsoft Outlook client allows remote attackers to cause a denial of service by sending multiple email messages with the same X-UIDL headers, which causes Outlook to hang.GNU fingerd 1.37 does not properly drop privileges before accessing user information, which could allow local users to (1) gain root privileges via a malicious program in the .fingerrc file, or (2) read arbitrary files via symbolic links from .plan, .forward, or .project files.NU finger 1.37 executes ~/.fingerrc with gid rootbid53519990721 old gnu finger bugsLinux 2.0.37 does not properly encode the Custom segment limit, which allows local users to gain root privileges by accessing and modifying kernel memory.bid523Cross-site scripting vulnerability in Third Voice Web annotation utility allows remote users to read sensitive data and generate fake web pages for other Third Voice users by injecting malicious Javascript into an annotation.thirdvoice-cross-site-scripting(7252)install.iss installation script for Internet Security Scanner (ISS) for Linux, version 5.3, allows local users to change the permissions of arbitrary files via a symlink attack on a temporary file.19990220 ISS install.iss security holenobo 1.2 allows remote attackers to cause a denial of service (crash) via a series of large UDP packets.19990204 NOBO denial of serviceNOBO large UDP packet denial of serviceIPswitch IMail allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920.19990204 WS FTP Server Remote DoS Attack218IPswitch WS_FTP allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920.19990204 WS FTP Server Remote DoS Attack218 IMail Server and WS_FTP Server Privilege Escalation VulnerabilityBy design, Maximizer Enterprise 4 calendar and address book program allows arbitrary users to modify the calendar of other users when the calendar is being shared.19990114 security hole in MaximizerCorel Word Perfect 8 for Linux creates a temporary working directory with world-writable permissions, which allows local users to (1) modify Word Perfect behavior by modifying files in the working directory, or (2) modify files of other users via a symlink attack.wordperfect 8 for linux securityZIP drive for Iomega ZIP-100 disks allows attackers with physical access to the drive to bypass password protection by inserting a known disk with a known password, waiting for the ZIP drive to power down, manually replacing the known disk with the target disk, and using the known password to access the target disk.Iomega Zip Diskshttp://www.counterpane.com/crypto-gram-9812.html#doghouseWeb Cache Control Protocol (WCCP) in Cisco Cache Engine for Cisco IOS 11.2 and earlier does not use authentication, which allows remote attackers to redirect HTTP traffic to arbitrary hosts via WCCP packets to UDP port 2048.I-054: Cisco Web Cache Control Protocol Router Vulnerabilitycisco-wccp-vuln(1577)Buffer overflow in cidentd ident daemon allows local users to gain root privileges via a long line in the .authlie script.19980110 Cidentd19980911 Re: security problems with jidentdDirectory traversal vulnerability in nph-publish before 1.2 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the pathname for an upload operation.http-cgi-nphpublish(2055)Sambar Server 4.1 beta allows remote attackers to obtain sensitive information about the server via an HTTP request for the dumpenv.pl script.sambar-dump-env(3223)Vulnerability in man.sh CGI script, included in May 1998 issue of SysAdmin Magazine, allows remote attackers to execute arbitrary commands.O'Reilly WebSite 1.1e and Website Pro 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in an argument to (1) args.cmd or (2) args.bat.O'Reilly has corrected this issue in WebSite Professional 2.5, which is now available from: http://website.oreilly.comCOVERT-2000-08: OReilly WebSite Professional OverflowWebsite Pro v2.0 (NT) Configuration IssuesVulnerability in On-Line Customer Registration software for IRIX 6.2 through 6.4 allows local users to gain root privileges.J-003: SGI IRIX On-Line Customer Registration Vulnerabilities19980901-01-PXirix-register(7441)Buffer overflow in run-time linkers (1) ld.so or (2) ld-linux.so for Linux systems allows local users to gain privileges by calling a setuid program with a long program name (argv[0]) and forcing ld.so/ld-linux.so to report an error.KSR[T] Advisory #2: ld.sold.so vulnerabilityAn old ld-linux.so holeSystem Manager sysmgr GUI in SGI IRIX 6.4 and 6.3 allows remote attackers to execute commands by providing a trojan horse (1) runtask or (2) runexec descriptor file, which is used to execute a System Manager Task when the user's Mailcap entry supports the x-sgi-task or x-sgi-exec type.19980403-02-PX19980403-01-PXsgi-mailcap(809)8556Buffer overflow in Elm 2.4 and earlier allows local users to gain privileges via a long TERM environmental variable.Buffer overflow in SCO mscreen allows local users to gain root privileges via a long terminal entry (TERM) in the .mscreenrc file.98.05sco-openserver-mscreen-bo(1379)19980926 Root exploit for SCO OpenServer.rxvt, when compiled with the PRINT_PIPE option in various Linux operating systems including Linux Slackware 3.0 and RedHat 2.1, allows local users to gain root privileges by specifying a malicious program using the -print-pipe command line parameter.rxvt security holePine before version 3.94 allows local users to gain privileges via a symlink attack on a lockfile that is created when a user receives new mail.Vulnerability in PINEpine-tmpfile (416)mysqld in MySQL 3.21 creates log files with world-readable permissions, which allows local users to obtain passwords for users who are added to the user database.mysql: mysqld creates world readable logsmysql-readable-log-files(1568)Buffer overflow in Netscape Navigator/Communicator 4.7 for Windows 95 and Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long argument after the ? character in a URL that references an .asp, .cgi, .html, or .pl file.bid822Netscape Communicator long URL argument buffer overflowBuffer overflow in POP3 server of Admiral Systems EmailClub 1.05 allows remote attackers to execute arbitrary commands via a long "From" header in an e-mail message.bid801Buffer overflow in chkey in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.Finally, most of an exploit for Solaris 2.5.1's psAA-97.18#00144bid207solaris-chkey-bo(7442)Buffer overflow in eeprom in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.#00143bid206solaris-eeprom-bo(7444)The "me" user in NeXT NeXTstep 2.1 and earlier has wheel group privileges, which could allow the me user to use the su command to become root.CA-1991-06next-me(581)20chroot in Digital Ultrix 4.1 and 4.0 is insecurely installed, which allows local users to gain privileges.CA-1991-05dec-chroot(57717NAI VirusScan NT 4.0.2 does not properly modify the scan.dat virus definition file during an update via FTP, but it reports that the update was successful, which could cause a system administrator to believe that the definitions have been updated correctly.16919990505 NAI AntiVirus Update ProblemHummingbird Exceed X version 5 allows remote attackers to cause a denial of service via malformed data to port 6000.Upgrade to a non-vulnerable version of Exceed (Hummingbird Exceed 6.0.1 Hummingbird Exceed 6.0.2 Hummingbird Exceed 6.1)19990427 NT/Exceed D.O.S.158TIOCCONS in SunOS 4.1.1 does not properly check the permissions of a user who tries to redirect console output and input, which could allow a local user to gain privileges.CA-1990-1214sunos-tioccons-console-redirection(7140)BuildDisk program on NeXT systems before 2.0 does not prompt users for the root password, which allows local users to gain root privileges.CA-1990-0611nextstep-builddisk-root-access(7141)Apache WWW server 1.3.1 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via a large number of MIME headers with the same name, aka the "sioux" vulnerability.YA Apache DoS attackDebian Apache Security UpdateApache DoS AttackApache 'sioux' DOS fix for TurboLinuxhttp://www.redhat.com/support/errata/rh51-errata-general.html#apacheVintra SMTP MailServer allows remote attackers to cause a denial of service via a malformed "EXPN *@" command.DOS in Vintra systems Mailserver softwarevintra-mail-dos(1617)Windows 95 and Windows 98 systems, when configured with multiple TCP/IP stacks bound to the same MAC address, allow remote attackers to cause a denial of service (traffic amplification) via a certain ICMP echo (ping) packet, which causes all stacks to send a ping response, aka TCP Chorusing.Windows 9x TCP Chorusing VulnerabilityWindows 95 and 98 with multiple TCP/IP stacks ICMP packet denial of service19990206 New Windows 9x Bug: TCP Chorusing225StarTech (1) POP3 proxy server and (2) telnet server allows remote attackers to cause a denial of service via a long USER command.Windows95 Proxy DoS Vulnerabilitesstartech-pop3-overflow(2088)Multilink PPP for ISDN dialup users in Ascend before 4.6 allows remote attackers to cause a denial of service via a spoofed endpoint identifier.PPP/ISDN multilink security issue - summary19990210 Security problems in ISDN equipment authentication19990212 PPP/ISDN multilink security issue - summaryascend-ppp-isdn-dos(7498)Check Point Firewall-1 does not properly handle certain restricted keywords (e.g., Mail, auth, time) in user-defined objects, which could produce a rule with a default "ANY" address and result in access to more systems than intended by the administrator.http://www.checkpoint.com/techsupport/config/keywords.htmlfw1-user-defined-keywords-access(7293)4416nettune in HP-UX 10.01 and 10.00 is installed setuid root, which allows local users to cause a denial of service by modifying critical networking configuration information.HP-UX B.10.01 vulnerabilityERS-OAR-E01-1996:008.1hp-nettune(414)SystemSoft SystemWizard package in HP Pavilion PC with Windows 98, and possibly other platforms and operating systems, installs two ActiveX controls that are marked as safe for scripting, which allows remote attackers to execute arbitrary commands via a malicious web page that references (1) the Launch control, or (2) the RegObj control.bid555555Buffer overflow in web-admin tool in NetXRay 2.6 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP request.netxray-bo(907)http://www.efri.hr/~crv/security/bugs/NT/netxtray.htmlBuffer overflow in ping in AIX 4.2 and earlier allows local users to gain root privileges via a long command line argument.AIX ping, lchangelv, xlock fixesAIX ping (Exploit)ping-bo (803)Vulnerability in scoterm in SCO OpenServer 5.0 and SCO Open Desktop/Open Server 3.0 allows local users to gain root privileges.19971204 scoterm exploitsco-scoterm(690)xterm in Digital UNIX 4.0B *with* patch kit 5 allows local users to overwrite arbitrary files via a symlink attack on a core dump file, which is created when xterm is called with a DISPLAY environmental variable set to a display that xterm cannot access.Digital Unix Security Problemdec-xterm (613)Vulnerability in in.telnetd in SunOS 4.1.1 and earlier allows local users to gain root privileges.CA-1991-02sun-intelnetd(574)Vulnerability in in.rlogind in SunOS 4.0.3 and 4.0.3c allows local users to gain root privileges.CA-1991-02sun-intelnetd(574)Vulnerability in telnet service in HP-UX 10.30 allows attackers to cause a denial of service.Security Bulletin for telnet services in HP-UX rel. 10.30hp-telnetdos (571)The asynchronous I/O facility in 4.4 BSD kernel does not check user credentials when setting the recipient of I/O notification, which allows local users to cause a denial of service by using certain ioctl and fcntl calls to cause the signal to be sent to an arbitrary process ID.Vulnerability in I/O Signal Handlingopenbsd-iosig (55611062LOGIN.EXE program in Novell Netware 4.0 and 4.01 temporarily writes user name and password information to disk, which could allow local users to gain privileges.D-21CA-1993-12novell-login(545)Cisco routers 9.17 and earlier allow remote attackers to bypass security restrictions via certain IP source routed packets that should normally be denied using the "no ip source-route" command.CA-1993-07D-15cisco-sourceroute(541)The PATH in Windows NT includes the current working directory (.), which could allow local users to gain privileges by placing Trojan horse programs with the same name as commonly used system programs into certain directories.NT security - why bother?NT security - why bother?nt-path (526)Vulnerability in finger in Commodore Amiga UNIX 2.1p2a and earlier allows local users to read arbitrary files.CA-1993-04amiga-finger(522)Vulnerability in sgihelp in the SGI help system and print manager in IRIX 5.2 and earlier allows local users to gain root privileges, possibly through the clogin command.CA-1994-13E-33sgi-prn-mgr(511)bid468Majordomo 1.94.3 and earlier allows remote attackers to execute arbitrary commands when the advertise or noadvertise directive is used in a configuration file, via shell metacharacters in the Reply-To header.Vulnerability in Majordomomajordomo-advertise (502)dxchpwd in Digital Unix (OSF/1) 3.x allows local users to modify arbitrary files via a symlink attack on the dxchpwd.log file.dgux-chpwd (399)19961117 Digital Unix v3.x (v4.x?) security vulnerabilityNetbt.sys in Windows NT 4.0 allows remote malicious DNS servers to cause a denial of service (crash) by returning 0.0.0.0 as the IP address for a DNS host name lookup.dns-netbtsys-dos(3893)IIS 3.0 allows remote attackers to cause a denial of service via a request to an ASP page in which the URL contains a large number of / (forward slash) characters.url-asp-av(3892)IMAP 4.1 BETA, and possibly other versions, does not properly handle the SIGABRT (abort) signal, which allows local users to crash the server (imapd) via certain sequences of commands, which causes a core dump that may contain sensitive password information.IMAP4rev1 imapd serverimapd-core (349rpc.mountd on Linux, Ultrix, and possibly other operating systems, allows remote attackers to determine the existence of a file on the server by attempting to mount that file, which generates different error messages depending on whether the file exists or not.Serious security flaw in rpc.mountd on several operating systemsmountd-file-exists (347)19970824 Serious security flaw in rpc.mountd on several operating systems.Netscape Communicator 4.7 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long certificate key.Netscape 4.7 and earlier vulnerable to netscape-huge-key-dos(3436)Ethereal allows local users to overwrite arbitrary files via a symlink attack on the packet capture file.ethereal-dev-capturec-root(3334)Various modems that do not implement a guard time, or are configured with a guard time of 0, can allow remote attackers to execute arbitrary modem commands such as ATH, ATH0, etc., via a "+++" sequence that appears in ICMP packets, the subject of an e-mail message, IRC commands, and others.1+2=3, +++ATH0=Old school DoSglobal-village-modem-dos(3320)Quake 2 server 3.13 on Linux does not properly check file permissions for the config.cfg configuration file, which allows local users to read arbitrary files via a symlink from config.cfg to the target file.linux-quake2(733)Quake 2 server allows remote attackers to cause a denial of service via a spoofed UDP packet with a source address of 127.0.0.1, which causes the server to attempt to connect to itself.Quake II Remote Denial of Servicequake2-dos (698)ssh 2.0.12, and possibly other versions, allows valid user names to attempt to enter the correct password multiple times, but only prompts an invalid user name for a password once, which allows remote attackers to determine user account names on the server.ssh-leak(2276)Untrusted search path vulnerability in day5datacopier in SGI IRIX 6.2 allows local users to execute arbitrary commands via a modified PATH environment variable that points to a malicious cp program.Irix and WWWsgi-day5datacopier (3316)8559IIS 4.0 does not properly restrict access for the initial session request from a user's IP address if the address does not resolve to a DNS domain, aka the "Domain Resolution" vulnerability.MS99-039bid657iis-unresolved-domain-access(3306)LSA (LSASS.EXE) in Windows NT 4.0 allows remote attackers to cause a denial of service via a NULL policy handle in a call to (1) SamrOpenDomain, (2) SamrEnumDomainUsers, and (3) SamrQueryDomainInfo.msrpc-samr-open-dos(3293)Internet Explorer 5.0 records the username and password for FTP servers in the URL history, which could allow (1) local users to read the information from another user's index.dat, or (2) people who are physically observing ("shoulder surfing") another user to read the information from the status bar when the user moves the mouse over a link.nt-ie5-user-ftp-password(3289)Internet Anywhere Mail Server 2.3.1 stores passwords in plaintext in the msgboxes.dbf file, which could allow local users to gain privileges by extracting the passwords from msgboxes.dbf.bid731iams-passwords-plaintext(3285)Multiple buffer overflows in smbvalid/smbval SMB authentication library, as used in Apache::AuthenSmb and possibly other modules, allows remote attackers to execute arbitrary commands via (1) a long username, (2) a long password, and (3) other unspecified methods.smbvalid-bo(2272)Vulnerability in CORE-DIAG fileset in HP message catalog in HP-UX 9.05 and earlier allows local users to gain privileges.Security Vulnerability in CORE-DIAG filesethp-core-diag-fileset (2262HP-UX 9.x does not properly enable the Xauthority mechanism in certain conditions, which could allow local users to access the X display even when they have not explicitly been authorized to do so.Xauthority problemhp-xauthority (2261)Buffer overflow in cddbd CD database server allows remote attackers to execute arbitrary commands via a long log message.cddbd-bo (2203)Internet Explorer, with a security setting below Medium, allows remote attackers to execute arbitrary commands via a malicious web page that uses the FileSystemObject ActiveX object.ie-filesystemobject(2173)http://oliver.efri.hr/~crv/security/bugs/NT/activex4.htmlVulnerability in subnetconfig in HP-UX 9.01 and 9.0 allows local users to gain privileges.Security Vulnerability in Subnetconfighp-subnet-config (2162)SGI Desktop Permissions Tool in IRIX 6.0.1 and earlier allows local users to modify permissions for arbitrary files and gain privileges.SGI IRIX Desktop Permissions Tool Vulnerability19950301-01-P373sgi-permissions (2113)IPFilter 3.2.3 through 3.2.10 allows local users to modify arbitrary files via a symlink attack on the saved output file.19990415 FSA-99.04-IPFILTER-v3.2.10ipfilter-temp-file(2087)vacm ucd-snmp SNMP server, version 3.52, does not properly disable access to the public community string, which could allow remote attackers to obtain sensitive information.This vulnerability was fixed in version 3.6 of ucd-snmpd.ucd-snmpd-community(2086)Direct Mailer feature in Microsoft Site Server 3.0 saves user domain names and passwords in plaintext in the TMLBQueue network share, which has insecure default permissions, allowing remote attackers to read the passwords and gain privileges.siteserver-directmail-passwords(2068)Vulnerability in HP Camera component of HP DCE/9000 in HP-UX 9.x allows attackers to gain root privileges.Security Vulnerability in DCE/9000hp-dce9000 (2061)Vulnerability in Support Watch (aka SupportWatch) in HP-UX 8.0 through 9.0 allows local users to gain privileges.Security Vulnerability in HP SupportWatchhp-supportwatch (2058)movemail in HP-UX 10.20 has insecure permissions, which allows local users to gain privileges.HPSBUX9701-047hp-movemail (2057)8099Vulnerability in CGI program in the Lasso application by Blue World, as used on WebSTAR and other servers, allows remote attackers to read arbitrary files.Lasso CGI security holehttp-cgi-lasso (2044)Vulnerability in direct audio user space code on HP-UX 10.20 and 10.10 allows local users to cause a denial of service.Vulnerability with direct audio user space codehp-audio-panic (2010)Vulnerability in a certain system call in SCO UnixWare 2.0.x and 2.1.0 allows local users to access arbitrary files and gain root privileges.96:002sco-system-call(1966)96:002Vulnerability in a kernel error handling routine in SCO OpenServer 5.0.2 and earlier, and SCO Internet FastStart 1.0, allows local users to gain root privileges.96:001sco-kernel(1965)96:001Windows 95, 98, and NT 4.0 allow remote attackers to cause a denial of service by spoofing ICMP redirect messages from a router, which causes Windows to change its routing tables.win-redirects-freeze(1947)19990308 Winfreeze EXPLOIT Win9x/NTHyperseek allows remote attackers to modify the hyperseek configuration by directly calling the admin.cgi program with an edit_file action parameter.hyperseek-modify(1914)Oracle Database Assistant 1.0 in Oracle 8.0.3 Enterprise Edition stores the database master password in plaintext in the spoolmain.log file when a new database is created, which allows local users to obtain the password from that file.19990304 Oracle Plaintext Password19990304 Oracle Plaintext Passwordoracle-passwords(1902)Xyplex terminal server 6.0.1S1, and possibly other versions, allows remote attackers to bypass the password prompt by entering (1) a CTRL-Z character, or (2) a ? (question mark).Xyplex terminal server bugxyplex-controlz-login (1825xyplex-question-login (1826)rpc.pwdauthd in SunOS 4.1.1 and earlier does not properly prevent remote access to the daemon, which allows remote attackers to obtain sensitive system information. rpc.pwdauthd can be used to gain remote system knowledgesun-pwdauthd (1782)Microsoft Office 98, Macintosh Edition, does not properly initialize the disk space used by Office 98 files and effectively inserts data from previously deleted files into the Office file, which could allow attackers to obtain sensitive information.office-extraneous-data(1780)mSQL (Mini SQL) 2.0.6 allows remote attackers to obtain sensitive server information such as logged users, database names, and server version via the ServerStats query.19990215 KSR[T] Advisory #10: mSQL ServerStatsmsql-serverstats(1777)Buffer overflow in Rainbow Six Multiplayer allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long nickname (nick) command.Vulnerability in metamailmetamail-file-creation (167719990211 Rainbow Six Buffer Overflow.....rainbowsix-nick-bo(1772)Java in Netscape 4.5 does not properly restrict applets from connecting to other hosts besides the one from which the applet was loaded, which violates the Java security model and could allow remote attackers to conduct unauthorized activities.Java Redirect Bug - Netscpape 4.0[678] and 4.5Demo of Browser Security Hole19990202 Unsecured server in applets under Netscapejava-socket-open(1727)Metamail before 2.7-7.2 allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified, which is processed by uuencode in Metamail scripts such as sun-audio-file.SCO Security Advisory 19971024 Vulnerability in metamailmetamail-file-creation(1677)WebRamp M3 router does not disable remote telnet or HTTP access to itself, even when access has been expliticly disabled.19990121 WebRamp M3 remote network access bug19990203 WebRamp M3 Perceived Bugwebramp-remote-access(1670)SMTP server in SLmail 3.1 and earlier allows remote attackers to cause a denial of service via malformed commands whose arguments begin with a "(" (parenthesis) character, such as (1) SEND, (2) VRFY, (3) EXPN, (4) MAIL FROM, (5) RCPT TO.Re: WARNING! SMTP Denial of Service in SLmail ver 3.1WARNING! SMTP Denial of Service in SLmail ver 3.1slmail-parens-overload(1664)rsh daemon (rshd) generates different error messages when a valid username is provided versus an invalid name, which allows remote attackers to determine valid users on the system. rshd gives away usernamesrsh-username-leaks (1660)KDE file manager (kfm) uses a TCP server for certain file operations, which allows remote attackers to modify arbitrary files by sending a copy command to the server.Hole in the KDE desktopkde-flawed-ipc (1646)Vulnerability in KDE konsole allows local users to hijack or observe sessions of other users by accessing certain devices.http://lists.kde.org/?l=kde-devel&m=91560433413263&w=2kde-konsole-hijack(1645)Screen savers in KDE beta 3 allows local users to overwrite arbitrary files via a symlink attack on the .kss.pid file.kde-kss-file-clobber(1641)KMail in KDE 1.0 provides a PGP passphrase as a command line argument to other programs, which could allow local users to obtain the passphrase and compromise the PGP keys of other users by viewing the arguments via programs that list process information, such as ps.KMail/PGP security bugkde-kmail-passphrase-leak(1639)Macromedia Dreamweaver uses weak encryption to store FTP passwords, which could allow local users to easily decrypt the passwords of other users.dreamweaver-weak-passwords(1636)Buffer overflows in CDROM Confidence Test program (cdrom) allow local users to gain root privileges.19980301-01-PXirix-cdrom-confidence (1635)Squid Internet Object Cache 1.1.20 allows users to bypass access control lists (ACLs) by encoding the URL with hexadecimal escape sequences.squid-regexp-acl(1627)iPass RoamServer 3.1 creates temporary files with world-writable permissions.iPass RoamServer 3.1ipass-temporary-files (1625)Lotus cc:Mail release 8 stores the postoffice password in plaintext in a hidden file which has insecure permissions, which allows local users to gain privileges.Password unsecurity in cc:Mail release 8lotus-ccmail-passwords (1619fte-console in the fte package before 0.46b-4.1 does not drop root privileges, which allows local users to gain root access via the virtual console device.fte-console: does not drop its root priviligesfte-console-privileges (1609BackWeb client stores the username and password in cleartext for proxy authentication in the Communication registry key, which could allow other local users to gain privileges by reading the password.BackWeb - Password issue (used by NAI for Corporate customer notification)backweb-cleartext-passwords(1565)nlog CGI scripts do not properly filter shell metacharacters from the IP address argument, which could allow remote attackers to execute certain commands via (1) nlog-smb.pl or (2) rpc-nlog.pl.http-cgi-nlog-netbios(1550)19981225 Re: Nlog v1.0 Released - Nmap 2.x log management / analyzing tool19981226 Nlog 1.1b released - security holes fixedAn interaction between the AS/400 shared folders feature and Microsoft SNA Server 3.0 and earlier allows users to view each other's folders when the users share the same Local APPC LU.snaserver-shared-folders(1548)Hummingbird Exceed 6.0.1.0 inadvertently includes a DLL that was meant for development and testing, which logs user names and passwords in cleartext in the test.log file.Remote Tools w/Exceed v.6.0.1.0 fer 95exceed-cleartext-passwords(1547)Development version of Breeze Network Server allows remote attackers to cause the system to reboot by accessing the configbreeze CGI program.Breeze Network Server remote reboot and other bogositybreeze-remote-reboot(1544)RealSystem G2 server stores the administrator password in cleartext in a world-readable configuration file, which allows local users to gain privileges.RealSystem passwordsrealsystem-readable-conf-file(1542)Opera 3.2.1 allows remote attackers to cause a denial of service (application crash) via a URL that contains an extra / in the http:// tag.URL exploit to crash Opera Browseropera-slash-crash(1541)NukeNabber allows remote attackers to cause a denial of service by connecting to the NukeNabber port (1080) without sending any data, which causes the CPU usage to rise to 100% from the report.exe program that is executed upon the connection.various *lame* DoS attacksnukenabber-timeout-dos(1540)http://www.dynamsol.com/puppet/text/new.txt19981107 Re: various *lame* DoS attacksLinux 2.1.132 and earlier allows local users to cause a denial of service (resource exhaustion) by reading a large buffer from a random device (e.g. /dev/urandom), which cannot be interrupted until the read has completed.[patch] fix for urandom read(2) not interruptiblelinux-random-read-dos(1472)addnetpr in SGI IRIX 6.2 and earlier allows local users to modify arbitrary files and possibly gain root access via a symlink attack on a temporary file.Irix: miscirix-addnetpr (1433)3308560Vulnerability in Analog 3.0 and earlier allows remote attackers to read arbitrary files via the forms interface.analog-remote-file(1410)Samba 1.9.18 inadvertently includes a prototype application, wsmbconf, which is installed with incorrect permissions including the setgid bit, which allows local users to read and write files and possibly gain privileges via bugs in the program.Suid problem in sambasamba-wsmbconf (1406)19981119 Vulnerability in Samba on RedHat, Caldera and PHT TurboLinuxICQ 98 beta on Windows NT leaks the internal IP address of a client in the TCP data segment of an ICQ packet instead of the public address (e.g. through NAT), which provides remote attackers with potentially sensitive information about the client or the internal network configuration.WARNING: Another ICQ IP address vulnerabilityicq-ip-info(1398)Buffer overflow in nftp FTP client version 1.40 allows remote malicious FTP servers to cause a denial of service, and possibly execute arbitrary commands, via a long response string.nftp-bo(1397)TCP/IP implementation in Microsoft Windows 95, Windows NT 4.0, and possibly others, allows remote attackers to reset connections by forcing a reset (RST) via a PSH ACK or other means, obtaining the target's last sequence number from the resulting packet, then spoofing a reset to the target.New Windows Vulnerabilitynt-brkill(1383)Buffer overflow in web administration feature of Kolban Webcam32 4.8.3 and earlier allows remote attackers to execute arbitrary commands via a long URL.Remote Buffer Overflow in the Kolban Webcam32 Programwebcam32-buffer-overflow(1366)mod_proxy in Apache 1.2.5 and earlier allows remote attackers to cause a denial of service via malformed FTP commands, which causes Apache to dump core.Office Shortcut Bar (OSB) in Windows 3.51 enables backup and restore permissions, which are inherited by programs such as File Manager that are started from the Shortcut Bar, which could allow local users to read folders for which they do not have permission.nt-filemgr(562)Transarc DCE Distributed File System (DFS) 1.1 for Solaris 2.4 and 2.5 does not properly initialize the grouplist for users who belong to a large number of groups, which could allow those users to gain access to resources that are protected by DFS.VB-96.16dfs-login-groups(7154)Buffer overflow in Kerberos IV compatibility libraries as used in Kerberos V allows local users to gain root privileges via a long line in a kerberos configuration file, which can be specified via the KRB_CONF environmental variable.vulnerabilities in kerberoscmdtool in OpenWindows 3.0 and XView 3.0 in SunOS 4.1.4 and earlier allows attackers with physical access to the system to display unechoed characters (such as those from password prompts) via the L2/AGAIN key.100452-74sun-cmdtool-echo (7482)Sysinstall in FreeBSD 2.2.1 and earlier, when configuring anonymous FTP, creates the ftp user without a password and with /bin/date as the shell, which could allow attackers to gain access to certain system resources.FreeBSD-SA-97:03freebsd-sysinstall-ftp-password (7537)freebsd-sysinstall-ftp-password(7537)6087rcp on various Linux systems including Red Hat 4.0 allows a "nobody" user or other user with UID of 65535 to overwrite arbitrary files, since 65535 is interpreted as -1 by chown and other system calls, which causes the calls to fail to modify the ownership of the file.Linux rcp bugVulnerability in accton in Cray UNICOS 6.1 and 6.0 allows local users to read arbitrary files and modify system accounting configuration.A design flaw in the Z-Modem protocol allows the remote sender of a file to execute arbitrary programs on the client, as implemented in rz in the rzsz module of FreeBSD before 2.1.5, and possibly other programs.G-31: FreeBSD Security Vulnerabilities (ppp, rdist, rz)FreeBSD-SA-96:17rzsz-command-execution(7540)Unspecified vulnerability in pt_chmod in SCO UNIX 4.2 and earlier allows local users to gain root access.F-05: SCO Unix at, login, prwarn, sadc, and pt_chmod Patches Availablesco-pt_chmod (7586VB-94:018797sco-pt_chmod(7586)Vulnerability in prwarn in SCO UNIX 4.2 and earlier allows local users to gain root access.F-05: SCO Unix at, login, prwarn, sadc, and pt_chmod Patches Availablesco-prwarn (7587)Vulnerability in login in SCO UNIX 4.2 and earlier allows local users to gain root access.F-05: SCO Unix at, login, prwarn, sadc, and pt_chmod Patches Availablesco-login (7588)Vulnerability in "at" program in SCO UNIX 4.2 and earlier allows local users to gain root access.F-05: SCO Unix at, login, prwarn, sadc, and pt_chmod Patches Availablesco-at (7589)Cisco IOS 9.1 and earlier does not properly handle extended IP access lists when the IP route cache is enabled and the "established" keyword is set, which could allow attackers to bypass filters.CA-1992-20Vulnerability in urestore in Novell UnixWare 1.1 allows local users to gain root privileges.Certain programs in HP-UX 10.20 do not properly handle large user IDs (UID) or group IDs (GID) over 60000, which could allow local users to gain privileges.H-91: HP-UX Large UID's and GID's VulnerabilityH-09hp-large-uid-gid(7594)Sendmail before 8.6.7 allows local users to gain root access via a large value in the debug (-d) command line option.CA-94:1219940315 so...19940327 sendmail exploit script - resendsendmail-debug-gain-root(7155)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1022. Reason: This candidate is a duplicate of CVE-1999-1022. Notes: All CVE users should reference CVE-1999-1022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Vulnerability in dtlogin and dtsession in HP-UX 10.20 and 10.10 allows local users to bypass authentication and gain privileges.H-21: HP Security Vulnerabilitieshp-dt-bypass-auth (7668Vulnerability in DEC OpenVMS VAX 5.5-2 through 5.0, and OpenVMS AXP 1.0, allows local users to gain system privileges.CA-1993-05openvms-local-privilege-elevation(7142)Manual page reader (man) in FreeBSD 2.2 and earlier allows local users to gain privileges via a sequence of commands.G-24: FreeBSD Security VulnerabilitiesFreeBSD-SA-96:11bsd-man-command-sequence(7348)Vulnerability in union file system in FreeBSD 2.2 and earlier, and possibly other operating systems, allows local users to cause a denial of service (system reload) via a series of certain mount_union commands.unionfs-mount-ordering (7429)FreeBSD-SA-96:10G-24unionfs-mount-ordering(7429)Vulnerabilities in DECnet/OSI for OpenVMS before 5.8 on DEC Alpha AXP and VAX/VMS systems allow local users to gain privileges or cause a denial of service.F-04: Security Vulnerabilities in DECnet/OSI for OpenVMSPassfilt.dll in Windows NT SP2 allows users to create a password that contains the user's name, which could make it easier for an attacker to guess.passfilt-fullname(7391)Windows NT 4.0 SP4 and earlier allows local users to gain privileges by modifying the symbolic link table in the \?? object folder using a different case letter (upper or lower) to point to a different device.nt-symlink-case(7398)/usr/5bin/su in SunOS 4.1.3 and earlier uses a search path that includes the current working directory (.), which allows local users to gain privileges via Trojan horse programs.100630-02sun-su-path (7480)sun-su-path(7480)Vulnerability in object server program in SGI IRIX 5.2 through 6.1 allows remote attackers to gain root privileges in certain configurations.19960101-01-PXirix-object-server (7430)irix-object-server(7430)Vulnerability in Novell NetWare 3.x and earlier allows local users to gain privileges via packet spoofing.D-01: Novell NetWare Access Rights Vulnerabilitynetware-packet-spoofing-privileges(7213)Buffer overflow in ssh 1.2.26 client with Kerberos V enabled could allow remote attackers to cause a denial of service or execute arbitrary commands via a long DNS hostname that is not properly handled during TGT ticket passing.security patch for ssh-1.2.26 kerberos code4883The installation of 1ArcServe Backup and Inoculan AV client modules for Exchange create a log file, exchverify.log, which contains usernames and passwords in plaintext.19981112 exchverify.log19981117 Re: exchverify.log - update #1Norton AntiVirus for Internet Email Gateways (NAVIEG) 1.0.1.7 and earlier, and Norton AntiVirus for MS Exchange (NAVMSE) 1.5 and earlier, store the administrator password in cleartext in (1) the navieg.ini file for NAVIEG, and (2) the ModifyPassword registry key in NAVMSE.19990409 NAV for MS Exchange & Internet Email GatewaysVAXstations running Open VMS 5.3 through 5.5-2 with VMS DECwindows or MOTIF do not properly disable access to user accounts that exceed the break-in limit threshold for failed login attempts, which makes it easier for attackers to conduct brute force password guessing.openvms-sysgen-enabled(7225)SAS System 5.18 on VAX/VMS is installed with insecure permissions for its directories and startup file, which allows local users to gain privileges.vaxvms-sas-gain-privileges(7261)wu-ftpd 2.4 FTP server does not properly drop privileges when an ABOR (abort file transfer) command is executed during a file transfer, which causes a signal to be handled incorrectly and allows local and possibly remote attackers to read arbitrary files.serious security bug in wu-ftpd v2.4serious security bug in wu-ftpd v2.4 -- PATCHwuftpd-abor-gain-privileges(7169)Buffer overflow in linuxconf 1.11r11-rh2 on Red Hat Linux 5.1 allows local users to gain root privileges via a long LANG environmental variable.http://www.redhat.com/support/errata/rh51-errata-general.html#linuxconflinuxconf-lang-bo(7239)6065linuxconf before 1.11.r11-rh3 on Red Hat Linux 5.1 allows local users to overwrite arbitrary files and gain root access via a symlink attack.http://www.redhat.com/support/errata/rh51-errata-general.html#linuxconflinuxconf-symlink-gain-privileges(7232)6068Buffer overflow in SysVInit in Red Hat Linux 5.1 and earlier allows local users to gain privileges.http://www.redhat.com/support/errata/rh50-errata-general.html#SysVinitsysvinit-root-bo(7250)The snprintf function in the db library 1.85.4 ignores the size parameter, which could allow attackers to exploit buffer overflows that would be prevented by a properly implemented snprintf.Bug#11120http://www.redhat.com/support/errata/rh42-errata-general.html#dblinux-libdb-snprintf-bo(7244)netcfg 2.16-1 in Red Hat Linux 4.2 allows the Ethernet interface to be controlled by users on reboot when an option is set, which allows local users to cause a denial of service by shutting down the interface.http://www.redhat.com/support/errata/rh42-errata-general.html#netcfgnetcfg-ethernet-dos(7245)gzexe in the gzip package on Red Hat Linux 5.0 and earlier allows local users to overwrite files of other users via a symlink attack on a temporary file.http://www.redhat.com/support/errata/rh50-errata-general.html#gzipDSA-30878453812gzip-gzexe-tmp-symlink(7241)automatic download option in ncftp 2.4.2 FTP client in Red Hat Linux 5.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the names of files that are to be downloaded.http://www.redhat.com/support/errata/rh50-errata-general.html#ncftpncftp-autodownload-command-execution(7240)6111Multiple buffer overflows in filter command in Elm 2.4 allows attackers to execute arbitrary commands via (1) long From: headers, (2) long Reply-To: headers, or (3) via a long -f (filterfile) command line argument.ID #: filt-bof-007http://www.redhat.com/support/errata/rh50-errata-general.html#elmsnmpd server in cmu-snmp SNMP package before 3.3-1 in Red Hat Linux 4.0 is configured to allow remote attackers to read and write sensitive information.http://www.redhat.com/support/errata/rh40-errata-general.html#cmu-snmpcmusnmp-read-write(7251)3Com HiPer Access Router Card (HiperARC) 4.0 through 4.2.29 allows remote attackers to cause a denial of service (reboot) via a flood of IAC packets to the telnet port.6057FTP client in Midnight Commander (mc) before 4.5.11 stores usernames and passwords for visited sites in plaintext in the world-readable history file, which allows other local users to gain privileges.midnight-commander-data-disclosure(9873)5921Delegate proxy 5.9.3 and earlier creates files and directories in the DGROOT with world-writable permissions.19990721 Delegate creates directories writable for anyoneVulnerability when Network Address Translation (NAT) is enabled in Linux 2.2.10 and earlier with ipchains, or FreeBSD 3.2 with ipfw, allows remote attackers to cause a denial of service (kernel panic) via a ping -R (record route) command.ipchains-ping-route-dos(7257)6105Buffer overflow in faxalter in hylafax 4.0.2 allows local users to gain privileges via a long -m command line argument.bid765Linux kernel before 2.3.18 or 2.2.13pre15, with SLIP and PPP options, allows local unprivileged users to forge IP packets via the TIOCSETD option on tty devices.linux-tiocsetd-forge-packets(7858)ICQ ActiveList Server allows remote attackers to cause a denial of service (crash) via malformed packets to the server's UDP port.HTTP server for Xerox DocuColor 4 LP allows remote attackers to cause a denial of service (hang) via a long URL that contains a large number of . characters.Auto_FTP.pl script in Auto_FTP 0.2 stores usernames and passwords in plaintext in the auto_ftp.conf configuration file.19991005 Auto_FTP v0.02 AdvisoryAuto_FTP.pl script in Auto_FTP 0.2 uses the /tmp/ftp_tmp as a shared directory with insecure permissions, which allows local users to (1) send arbitrary files to the remote server by placing them in the directory, and (2) view files that are being transferred.19991005 Auto_FTP v0.02 AdvisoryPAM configuration file for rlogin in Red Hat Linux 6.1 and earlier includes a less restrictive rule before a more restrictive one, which allows users to access the host via rlogin even if rlogin has been explicitly disabled using the /etc/nologin file.Xsession in Red Hat Linux 6.1 and earlier can allow local users with restricted accounts to bypass execution of the .xsession file by starting kde, gnome or anotherlevel from kdm.Linuxconf on Red Hat Linux 6.0 and earlier does not properly disable PAM-based access to the shutdown command, which could allow local users to cause a denial of service.NFS daemon (nfsd.exe) for Omni-NFS/X 6.1 allows remote attackers to cause a denial of service (resource exhaustion) via certain packets, possibly with the Urgent (URG) flag set, to port 111.ARCAD Systemhaus 0.078-5 installs critical programs and files with world-writeable permissions, which could allow local users to gain privileges by replacing a program with a Trojan horse.Directory traversal vulnerability in KVIrc IRC client 0.9.0 with the "Listen to !nick <soundname> requests" option enabled allows remote attackers to read arbitrary files via a .. (dot dot) in a DCC GET request.19990924 Kvirc bugkvirc-dot-directory-traversal(7761)mknod in Linux 2.2 follows symbolic links, which could allow local users to overwrite files or gain privileges.Nosque MsgCore 2.14 stores passwords in cleartext: (1) the administrator password in the AdmPasswd registry key, and (2) user passwords in the Userbase.dbf data file, which could allow local users to gain privielges.E-mail client in Softarc FirstClass Internet Server 5.506 and earlier stores usernames and passwords in cleartext in the files (1) home.fc for version 5.506, (2) network.fc for version 3.5, or (3) FCCLIENT.LOG when logging is enabled.BMC Patrol component, when installed with Compaq Insight Management Agent 4.23 and earlier, or Management Agents for Servers 4.40 and earlier, creates a PFCUser account with a default password and potentially dangerous privileges.management-pfcuser(3231)19990915 (I) UPDATE - PFCUser Account,19991105 UPDATE: SSRT0620 Compaq Foundation Agents v4.40B PFCUser issuesCompaq Integration Maintenance Utility as used in Compaq Insight Manager agent before SmartStart 4.50 modifies the legal notice caption (LegalNoticeCaption) and text (LegalNoticeText) in Windows NT, which could produce a legal notice that is in violation of the security policy.19990902 Compaq CIM UG Overwrites Legal Noticecompaq-smartstart-legal-notice(7763)Netscape Communicator 4.04 through 4.7 (and possibly other versions) in various UNIX operating systems converts the 0x8b character to a "<" sign, and the 0x9b character to a ">" sign, which could allow remote attackers to attack other clients via cross-site scripting (CSS) in CGI programs that do not filter these characters.When an administrator in Windows NT or Windows 2000 changes a user policy, the policy is not properly updated if the local ntconfig.pol is not writable by the user, which could allow local users to bypass restrictions that would otherwise be enforced by the policy, possibly by changing the policy file to be read-only.nt-user-policy-update(7400)When the Ntconfig.pol file is used on a server whose name is longer than 13 characters, Windows NT does not properly enforce policies for global groups, which could allow users to bypass restrictions that were intended by those policies.nt-group-policy-longname(7401)Windows NT 4.0 allows local users to cause a denial of service via a user mode application that closes a handle that was opened in kernel mode, which causes a crash when the kernel attempts to close the handle.nt-kernel-handle-dos(7402)Windows NT 3.51 and 4.0 running WINS (Windows Internet Name Service) allows remote attackers to cause a denial of service (resource exhaustion) via a flood of malformed packets, which causes the server to slow down and fill the event logs with error messages.Win32k.sys in Windows NT 4.0 before SP2 allows local users to cause a denial of service (crash) by calling certain WIN32K functions with incorrect parameters.nt-win32k-dos(7403)Windows NT 3.51 and 4.0 allow local users to cause a denial of service (crash) by running a program that creates a large number of locks on a file, which exhausts the NonPagedPool.nt-nonpagedpool-dos(7405)Windows NT 4.0 allows local users to cause a denial of service (crash) via an illegal kernel mode address to the functions (1) GetThreadContext or (2) SetThreadContext.nt-threadcontext-dos(7421)Windows NT searches a user's home directory (%systemroot% by default) before other directories to find critical programs such as NDDEAGNT.EXE, EXPLORER.EXE, USERINIT.EXE or TASKMGR.EXE, which could allow local users to bypass access restrictions or gain privileges by placing a Trojan horse program into the root directory, which is writable by default.NT Login Default Folder VulnerabilityWindows NT login default folder allows a user to bypass policiesPegasus e-mail client 3.0 and earlier uses weak encryption to store POP3 passwords in the pmail.ini file, which allows local users to easily decrypt the passwords and read e-mail.19990515 Pegasus Mail weak encryptionInternet Explorer 5.0 does not properly reset the username/password cache for Web sites that do not use standard cache controls, which could allow users on the same system to access restricted web sites that were visited by other users.AV Option for MS Exchange Server option for InoculateIT 4.53, and possibly other versions, only scans the Inbox folder tree of a Microsoft Exchange server, which could allow viruses to escape detection if a user's rules cause the message to be moved to a different mailbox.Real Media RealServer (rmserver) 6.0.3.353 stores a password in plaintext in the world-readable rmserver.cfg file, which allows local users to gain privileges.RealServer stores password insecurely during installation19990414 Real Media Server stores passwords in plain textThe setup wizard (ie5setup.exe) for Internet Explorer 5.0 disables (1) the screen saver, which could leave the system open to users with physical access if a failure occurs during an unattended installation, and (2) the Task Scheduler Service, which might prevent the scheduled execution of security-critical programs.19990323 MSIE 5 installer disables screen saverBuffer overflow in /usr/bin/write in Solaris 2.6 and 7 allows local users to gain privileges via a long string in the terminal name argument.19990308 Solaris http://www.securiteam.com/exploits/5ZP0O1P35O.htmlsolaris-write-bo(7546)Triactive Remote Manager with Basic authentication enabled stores the username and password in cleartext in registry keys, which could allow local users to gain privileges.19990219 Plaintext Password in Tractives Remote Manager SoftwareTriActive Remote Management stores plaintext usernames and passwords in the registryFORE PowerHub before 5.0.1 allows remote attackers to cause a denial of service (hang) via a TCP SYN scan with TCP/IP OS fingerprinting, e.g. via nmap.19990105 Re: Network Scan Vulnerability [SUMMARY]perlshop.cgi shopping cart program stores sensitive customer information in directories and files that are under the web root, which allows remote attackers to obtain that information via an HTTP request.19990427 Re: Shopping Carts exposing CC dataperlshop.cgi could allow an attacker to obtain sensitive customer informationFileSystemObject (FSO) in the showfile.asp Active Server Page (ASP) allows remote attackers to read arbitrary files by specifying the name in the file parameter.19990211 Using FSO in ASP to view just about anything230Buffer overflow in fpcount.exe in IIS 4.0 with FrontPage Server Extensions allows remote attackers to execute arbitrary commands.MS IIS 4.0 Security Advisorybid 225219990114 MS IIS 4.0 Security AdvisoryMatt Wright's download.cgi 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the f parameter.dbmlparser.exe CGI guestbook program does not perform a chroot operation properly, which allows remote attackers to read arbitrary files.19990917 improper chroot in dbmlparser.exeDNS allows remote attackers to use DNS name servers as traffic amplifiers via a UDP DNS query with a spoofed source address, which produces more traffic to the victim than was sent by the attacker.SPJ-002-000AL-1999.004J-063: Domain Name System (DNS) Denial of Service (DoS) Attacksdns-udp-query-dos(7238)Symantec Norton Utilities 2.0 for Windows 95 marks the TUNEOCX.OCX ActiveX control as safe for scripting, which allows remote attackers to execute arbitrary commands via the run option through malicious web pages that are accessed by browsers such as Internet Explorer 3.0.http://www.net-security.sk/bugs/NT/nu20.htmlnu-tuneocx-activex-control(7188)Buffer overflow in dbadmin CGI program 1.0.1 on Linux allows remote attackers to execute arbitrary commands.19981008 buffer overflow in dbadminNetWare NFS mode 1 and 2 implements the "Read Only" flag in Unix by changing the ownership of a file to root, which allows local users to gain root privileges by creating a setuid program and setting it to "Read Only," which NetWare-NFS changes to a setuid root program.netware-nfs-file-ownership(7246)(1) bash before 1.14.7, and (2) tcsh 6.05 allow local users to gain privileges via directory names that contain shell metacharacters (` back-tick), which can cause the commands enclosed in the directory name to be executed when the shell expands filenames using the \w option in the PS1 variable.Vulnerability in expansion of PS1 in bash & tcsh19960913 tee see shell problemsIndigo Magic System Tour in the SGI system tour package (systour) for IRIX 5.x through 6.3 allows local users to gain root privileges via a Trojan horse .exitops program, which is called by the inst command that is executed by the RemoveSystemTour program.vulnerability in new SGIsAA-96.0819961101-01-Ibid470irix-systour(7456)Buffer overflow in ppp program in FreeBSD 2.1 and earlier allows local users to gain privileges via a long HOME environment variable.ppp-bo (7465)FreeBSD-SA-96:2019961219 Exploit for ppp bug (FreeBSD 2.1.0).ppp-bo(7465)6085Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file.http://www.redhat.com/support/errata/rh50-errata-general.html#perlperl-e-tmp-symlink(7243)Windows NT 4.0 SP2 allows remote attackers to cause a denial of service (crash), possibly via malformed inputs or packets, such as those generated by a Linux smbmount command that was compiled on the Linux 2.0.29 kernel but executed on Linux 2.0.25.Fatal bug in NT 4.0 serverFatal bug in NT 4.0 server (more comments)DUMP of NT system crashpasswd in SunOS 4.1.x allows local users to overwrite arbitrary files via a symlink attack and the -F command line argument.UNIX.passwd.11-May-1994UNIX.passwd.11-May-1994.NEWFIXSun Patch Id #102060-01US Robotics/3Com Total Control Chassis with Frame Relay between 3.6.22 and 3.7.24 does not properly enforce access filters when the "set host prompt" setting is made for a port, which allows attackers to bypass restrictions by providing the hostname twice at the "host: " prompt.bid99suidexec in suidmanager 0.18 on Debian 2.0 allows local users to gain root privileges by specifying a malicious program on the command line.94Vulnerability in NeXT 1.0a and 1.0 with publicly accessible printers allows local users to gain privileges via a combination of the npd program and weak directory permissions.CA-1990-0610nextstep-npd-root-access(7143)Vulnerability in restore0.9 installation script in NeXT 1.0a and 1.0 allows local users to gain root privileges.CA-1990-06bid9nextstep-restore09-root-access(7144)Control Panel "Password Security" option for Apple Powerbooks allows attackers with physical access to the machine to bypass the security by booting it with an emergency startup disk and using a disk editor to modify the on/off toggle or password in the aaaaaaaAPWD file, which is normally inaccessible.bid532BSD 4.4 based operating systems, when running at security level 1, allow the root user to clear the immutable and append-only flags for files by unmounting the file system and using a file system editor such as fsdb to directly modify the file through a device.510Vulnerability in Monitor utility (SYS$SHARE:SPISHR.EXE) in VMS 5.0 through 5.4-2 allows local users to gain privileges.CA-1992-18CA-92:1651vms-monitor-gain-privileges(7136)Vulnerability in integer multiplication emulation code on SPARC architectures for SunOS 4.1 through 4.1.2 allows local users to gain root access or cause a denial of service (crash).CA-1992-1549sun-integer-multiplication-access(7150)Index Server 2.0 on IIS 4.0 stores physical path information in the ContentIndex\Catalogs subkey of the AllowedPaths registry key, whose permissions allows local and remote users to obtain the physical paths of directories that are being indexed.Index Server 2.0 and the RegistryNT Index Server Remote Registry Vulnerability19990323 Index Server 2.0 and the Registry476iis-indexserver-reveal-path(7559)Vulnerability in xfsdump in SGI IRIX may allow local users to obtain root privileges via the bck.log log file, possibly via a symlink attack.Irix: miscbid472http://www.insecure.org/sploits/irix.xfsdump.htmlspaceball program in SpaceWare 7.3 v1.0 in IRIX 6.2 allows local users to gain root privileges by setting the HOSTNAME environmental variable to contain the commands to be executed.SpaceWare 7.3 v1.0bid471The Economist screen saver 1999 with the "Password Protected" option enabled allows users with physical access to the machine to bypass the screen saver and read files by running Internet Explorer while the screen is still locked.46619990604 Official response from The Economist re: 1999 Screen SaverVulnerability in Desktop searchbook program in IRIX 5.0.x through 6.2 sets insecure permissions for certain user files (iconbook and searchbook).19961201-01-PXbid463irix-searchbook-permissions(7575)8563The access permissions for a UNIX domain socket are ignored in Solaris 2.x and SunOS 4.x, and other BSD-based operating systems before 4.4, which could allow local users to connect to the socket and possibly disrupt or control the operations of the program using that socket.UNIX domain socket (Solarisx86 2.5)Solaris 2.6 and socketsbid456sun-domain-socket-permissions(7172)IBM/Tivoli OPC Tracker Agent version 2 release 1 creates files, directories, and IPC message queues with insecure permissions (world-readable and world-writable), which could allow local users to disrupt operations and possibly gain privileges by modifying or deleting files.Several potential security problems in IBM/Tivoli OPC Tracker Age ntbid 382382IBM/Tivoli OPC Tracker Agent version 2 release 1 allows remote attackers to cause a denial of service (resource exhaustion) via malformed data to the localtracker client port (5011), which prevents the connection from being closed properly.Several potential security problems in IBM/Tivoli OPC Tracker Age ntbid 382382snap command in AIX before 4.3.2 creates the /tmp/ibmsupt directory with world-readable permissions and does not remove or clear the directory when snap -a is executed, which could allow local users to access the shadowed password file by creating /tmp/ibmsupt/general/passwd before root runs snap -a.Fixed in AIX 4.3 and 4.3.2 AIX 4.3.x APAR: IX88263 AIX 4.2.x APAR: IX88261AIX snap Insecure Temporary File Creation Vulnerability19990217 snap utility for AIX.19990220 Re: snap utility for AIX.dumpreg in Red Hat Linux 5.1 opens /dev/mem with O_RDWR access, which allows local users to cause a denial of service (crash) by redirecting fd 1 (stdout) to the kernel.Crash a redhat 5.1 linux boxFD's 0..2 and suid/sgid procs (Was: Crash a redhat 5.1 linux box)bid 372372ifdhcpc-done script for configuring DHCP on Red Hat Linux 5 allows local users to append text to arbitrary files via a symlink attack on the dhcplog file.http://www.redhat.com/support/errata/rh50-errata-general.html#initscripts368initscripts-ifdhcpdone-dhcplog-symlink(7294)Vulnerability in AIX 4.1.4 and HP-UX 10.01 and 9.05 allows local users to cause a denial of service (crash) by using a socket to connect to a port on the localhost, calling shutdown to clear the socket, then using the same socket to connect to a different port on localhost.Bug in connect() for aix 4.1.4bid352The at program in IRIX 6.2 and NetBSD 1.3.2 and earlier allows local users to read portions of arbitrary files by submitting the file to at with the -f argument, which generates error messages that at sends to the user via e-mail.more about 'at'at-f-read-files (7577)bid33119980805 irix-6.2 "at -f" vulnerabilityNetBSD-SA1998-004at-f-read-files(7577)addnetpr in IRIX 5.3 and 6.2 allows local users to overwrite arbitrary files and possibly gain root privileges via a symlink attack on the printers temporary file.19961203-02-PXbid33019970509 Re: Irix: miscThe installation of the fsp package 2.71-10 in Debian GNU/Linux 2.0 adds the anonymous FTP user without notifying the administrator, which could automatically enable anonymous FTP on some servers such as wu-ftp.Security flaw in FSPbid31619981126 new version of fsp fixes security flaw19981130 Debian: Security flaw in FSP19990217 Debian GNU/Linux 2.0r5 released (fwd)fsp-anon-ftp-access(7574)A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service (crash) via a flood of HTTP GET requests to CGI programs, which generates a large number of processes.306Solaris 2.4 before kernel jumbo patch -35 allows set-gid programs to dump core even if the real user id is not in the set-gid group, which allows local users to overwrite or create files at higher privileges by causing a core dump, e.g. through dmesg.Exploiting Zolaris 2.4 ??bid296IBM Netfinity Remote Control allows local users to gain administrator privileges by starting programs from the process manager, which runs with system level privileges.284Vulnerability in /usr/bin/mail in DEC ULTRIX before 4.2 allows local users to gain privileges.CA-91:1327AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large content-length.Solaris ab2 web server is junkbid 253253Format string vulnerability in AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via encoded % characters in an HTTP request, which is improperly logged.19980823 Solaris ab2 web server is junkbid 253253ICQ99 ICQ web server build 1701 with "Active Homepage" enabled generates allows remote attackers to determine the existence of files on the server by comparing server responses when a file exists ("404 Forbidden") versus when a file does not exist ("404 not found").246Buffer overflow in nss_nisplus.so.1 library in NIS+ in Solaris 2.3 and 2.4 allows local users to gain root privileges.#00148bid219sun-nisplus-bo(7535)NBase switches NH2012, NH2012R, NH2015, and NH2048 have a back door password that cannot be disabled, which allows remote attackers to modify the switch's configuration.N-Base Vulnerability AdvisoryN-Base Vulnerability Advisory Followupbid 212212NBase switches NH208 and NH215 run a TFTP server which allows remote attackers to send software updates to modify the switch or cause a denial of service (crash) by guessing the target filenames, which have default names.N-Base Vulnerability AdvisoryN-Base Vulnerability Advisory Followupbid 212212The default configuration of Slackware 3.4, and possibly other versions, includes . (dot, the current directory) in the PATH environmental variable, which could allow local users to create Trojan horse programs that are inadvertently executed by other users.19990102 PATH variable in zip-slackware 2.0.35ping in Solaris 2.3 through 2.6 allows local users to cause a denial of service (crash) via a ping request to a multicast address through the loopback interface, e.g. via ping -i.Solaris Ping bug (DoS)SUMMARY: Solaris Ping bug (DoS)#00146Solaris Ping Bug and other [bc] odditiesbid20919970627 Solaris Ping bug(inetsvc)ping-multicast-loopback-dos(7492)Solaris Solstice AdminSuite (AdminSuite) 2.1 uses unsafe permissions when adding new users to the NIS+ password table, which allows local users to gain root access by modifying their password table entries.#00145bid208Solaris Solstice AdminSuite (AdminSuite) 2.1 incorrectly sets write permissions on source files for NIS maps, which could allow local users to gain privileges by modifying /etc/passwd.#00145bid20800145Solaris Solstice AdminSuite (AdminSuite) 2.1 follows symbolic links when updating an NIS database, which allows local users to overwrite arbitrary files.#00145bid208Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 create lock files insecurely, which allows local users to gain root privileges.#00145bid208Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 allows local users to gain privileges via the save option in the Database Manager, which is running with setgid bin privileges.#00145bid208DIT TransferPro installs devices with world-readable and world-writable permissions, which could allow local users to damage disks through the ff device driver.204PIM software for Royal daVinci does not properly password-protext access to data stored in the .mdb (Microsoft Access) file, which allows local users to read the data without a password by directly accessing the files with a different application, such as Access.19990102 security problem with Royal daVinciDa Vinci database access VulnerabilityZAK in Appstation mode allows users to bypass the "Run only allowed apps" policy by starting Explorer from Office 97 applications (such as Word), installing software into the TEMP directory, and changing the name to that for an allowed application, such as Winword.exe.19990107 WinNT, ZAK and Office 9719990109 WinNT, ZAK and Office 97181Power management (Powermanagement) on Solaris 2.4 through 2.6 does not start the xlock process until after the sys-suspend has completed, which allows an attacker with physical access to input characters to the last active application from the keyboard for a short period after the system is restoring, which could lead to increased privileges.Security risk with powermanagemnet on Solaris 2.6bid 160160HP JetAdmin D.01.09 on Solaris allows local users to change the permissions of arbitrary files via a symlink attack on the /tmp/jetadmin.log file.JetAdmin softwareRe: JetAdmin softwarebid 157157login in Slackware Linux 3.2 through 3.5 does not properly check for an error when the /etc/group file is missing, which prevents it from dropping privileges, causing it to assign root privileges to any local user who logs on to the server.Slackware Shadow Insecuritybid 155155Buffer overflow in libsocks5 library of Socks 5 (socks5) 1.0r5 allows local users to gain privileges via long environmental variables.socks5 1.0r5 buffer overflowbid 154154Ray Chan WWW Authorization Gateway 0.1 CGI program allows remote attackers to execute arbitrary commands via shell metacharacters in the "user" parameter.WWW Authorization Gatewaybid 152152ePerl 2.2.12 allows remote attackers to read arbitrary files and possibly execute certain commands by specifying a full pathname of the target file as an argument to bar.phtml.ePerl: bad handling of ISINDEX queriesePerl Security Update Availablebid 151151Vulnerability in /bin/mail in SunOS 4.1.1 and earlier allows local users to gain root privileges via certain command line arguments.CA-91:01a#0010515gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.146Win32 ICQ 98a 1.30, and possibly other versions, does not display the entire portion of long filenames, which could allow attackers to send an executable file with a long name that contains so many spaces that the .exe extension is not displayed, which could make the user believe that the file is safe to open from the client.19990101 Win32 ICQ 98a flawMirabilis ICQ 98a VulnerabilityLinux 2.0.34 does not properly prevent users from sending SIGIO signals to arbitrary processes, which allows local users to cause a denial of service by sending SIGIO to processes that do not catch it.111Bug in AMD K6 processor on Linux 2.0.x and 2.1.x kernels allows local users to cause a denial of service (crash) via a particular sequence of instructions, possibly related to accessing addresses outside of segments.105Micah Software Full Armor Network Configurator and Zero Administration allow local users with physical access to bypass the desktop protection by (1) using <CTRL><ALT><DEL> and kill the process using the task manager, (2) booting the system from a separate disk, or (3) interrupting certain processes that execute while the system is booting.103genkey utility in Alibaba 2.0 generates RSA key pairs with an exponent of 1, which results in transactions that are sent in cleartext.http://catless.ncl.ac.uk/Risks/20.41.html#subj4Vulnerability in imapd and ipop3d in Slackware 3.4 and 3.3 with shadowing enabled, and possibly other operating systems, allows remote attackers to cause a core dump via a short sequence of USER and PASS commands that do not provide valid usernames or passwords.Internet Explorer 3 records a history of all URL's that are visited by a user in DAT files located in the Temporary Internet Files and History folders, which are not cleared when the user selects the "Clear History" option, and are not visible when the user browses the folders because of tailored displays.Strange behavior regarding directoryStrange behavior regarding directoryInternet Explorer 4.0 allows remote attackers to cause a denial of service (crash) via HTML code that contains a long CLASSID parameter in an OBJECT tag.Object tag crashes Internet Explorer 4.019980730 Re: Object tag crashes Internet Explorer 4.0Eudora and Eudora Light before 3.05 allows remote attackers to cause a crash and corrupt the user's mailbox via an e-mail message with certain dates, such as (1) dates before 1970, which cause a Divide By Zero error, or (2) dates that are 100 years after the current date, which causes a segmentation fault.Eudora exploit (was Microsoft Security Bulletin (MS98-008))SunOS 4.1.4 on a Sparc 20 machine allows local users to cause a denial of service (kernel panic) by reading from the /dev/tcx0 TCX device./dev/tcx0 crashes SunOS 4.1.4 on Sparc 20'sSunOS 4.1.4 crashes when (l)users read /dev/tcx0Vulnerability in (1) rlogin daemon rshd and (2) scheme on SCO UNIX OpenServer 5.0.5 and earlier, and SCO UnixWare 7.0.1 and earlier, allows remote attackers to gain privileges.sco-rshd (7466)System Security Enhancement (SSE) 023System Security Enhancement (SSE) 020SB-99.03bSB-99.06bSSE020The Winmsdp.exe sample file in IIS 4.0 and Site Server 3.0 allows remote attackers to read arbitrary files.MS99-013iis-samples-winmsdp(3271)GINA in Windows NT 4.0 allows attackers with physical access to display a portion of the clipboard of the user who has locked the workstation by pasting (CTRL-V) the contents into the username prompt.bid19819990129 ole objects in a "secured" environment?nt-gina-clipboard(1975)Internet Explorer 4 allows remote attackers (malicious web site operators) to read the contents of the clipboard via the Internet WebBrowser ActiveX object.19990222 New IE4 vulnerability : the clipboard again.Microsoft IE4 Clipboard Paste VulnerabilityMacromedia "The Matrix" screen saver on Windows 95 with the "Password protected" option enabled allows attackers with physical access to the machine to bypass the password prompt by pressing the ESC (Escape) key.RSH service utility RSHSVC in Windows NT 3.5 through 4.0 does not properly restrict access as specified in the .Rhosts file when a user comes from an authorized host, which could allow unauthorized users to access the service by logging in from an authorized host.nt-rshsvc-ale-bypass(7422)thttpd HTTP server 2.03 and earlier allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename.thttpd-file-read(1809)http://www.acme.com/software/thttpd/thttpd.html#releasenotesBuffer overflow in thttpd HTTP server before 2.04-31 allows remote attackers to execute arbitrary commands via a long date string, which is not properly handled by the tdate_parse function.thttpd 1.90a - 2.04thttpd-ifmodifiedsince-header (4852)19991116 thttpdBuffer overflow in at program in Digital UNIX 4.0 allows local users to gain root privileges via a long command line argument.Digital Unix 4.0 exploitable buffer overflowsSSRT0583U du-at (3138)BMC PATROL Agent before 3.2.07 allows local users to gain root privileges via a symlink attack on a temporary file.BMC PATROL File Creation Vulnerabilitybmc-patrol-file-create(1388)bid 534BMC PATROL SNMP Agent before 3.2.07 allows local users to create arbitrary world-writeable files as root by specifying the target file as the second argument to the snmpmagt program.bid525inpview in InPerson on IRIX 5.3 through IRIX 6.5.10 trusts the PATH environmental variable to find and execute the ttsession program, which allows local users to obtain root access by modifying the PATH to point to a Trojan horse ttsession program.Irix: misc20001101-01-Ibid38119970507 Irix: miscVulnerability in bb-hist.sh CGI History module in Big Brother 1.09b and 1.09c allows remote attacker to read portions of arbitrary files.http-cgi-bigbrother-bbhist(3755)bid142http://bb4.com/README.CHANGESWindows NT 4.0 before SP3 allows remote attackers to bypass firewall restrictions or cause a denial of service (crash) by sending improperly fragmented IP packets without the first fragment, which the TCP/IP stack incorrectly reassembles into a valid session.A New Fragmentation Attacknt-frag (528)Vulnerability in Cisco IOS 11.1CC and 11.1CT with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled interface to an interface that does not have DFS enabled, as described by Cisco bug CSCdk35564.J-016: Cisco IOS DFS Access List Leakage Vulnerabilitiescisco-acl-leakage(1401)Vulnerability in Cisco IOS 11.1 through 11.3 with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled input interface to an output interface with a logical subinterface, as described by Cisco bug CSCdk43862.J-016: Cisco IOS DFS Access List Leakage Vulnerabilitiescisco-acl-leakage(1401)Vulnerability in Cisco routers versions 8.2 through 9.1 allows remote attackers to bypass access control lists when extended IP access lists are used on certain interfaces, the IP route cache is enabled, and the access list uses the "established" keyword.CA-1992-20bid53Vulnerability in rcp on SunOS 4.0.x allows remote attackers from trusted hosts to execute arbitrary commands as root, possibly related to the configuration of the nobody user.CA-1989-07bid5sun-rcp(3165)rdist in various UNIX systems uses popen to execute sendmail, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable.CA-91:20bid31http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-01.htmlrdist-popen-gain-privileges(7160)8106Buffer overflow in w3-auth CGI program in miniSQL package allows remote attackers to execute arbitrary commands via an HTTP request with (1) a long URL, or (2) a long User-Agent MIME header.Eastman Work Management 3.21 stores passwords in cleartext in the COMMON and LOCATOR registry keys, which could allow local users to gain privileges.eastman-cleartext-passwords(2303)bid485Buffer overflow in passwd in BSD based operating systems 4.3 and earlier allows local users to gain root privileges by specifying a long shell or GECOS field.CA-1989-01bid4bsd-passwd-bo(7152)Internet Explorer 4.0 allows remote attackers to read arbitrary text and HTML files on the user's machine via a small IFRAME that uses Dynamic HTML (DHTML) to send the data to the attacker, aka the Freiburg text-viewing issue.http-ie-spy(587)http://www.microsoft.com/Windows/ie/security/freiburg.asp19971017 Security Hole in Explorer 4.07819When a Web site redirects the browser to another site, Internet Explorer 3.02 and 4.0 automatically resends authentication information to the second site, aka the "Page Redirect Issue."ie-page-redirect(7426)7818PowerPoint 95 and 97 allows remote attackers to cause an application to be run automatically without prompting the user, possibly through the slide show, when the document is opened in browsers such as Internet Explorer.nt-ppt-patch(179)http://www.microsoft.com/windows/ie/security/powerpoint.aspProFTPd 1.2 compiled with the mod_sqlpw module records user passwords in the wtmp log file, which allows local users to obtain the passwords and gain privileges by reading wtmp, e.g. via the last command.bid812A bug in Intel Pentium processor (MMX and Overdrive) allows local users to cause a denial of service (hang) in Intel-based operating systems such as Windows NT and Windows 95, via an invalid instruction, aka the "Invalid Operand with Locked CMPXCHG8B Instruction" problem.pentium-crash(704)Buffer overflow in GNOME libraries 1.0.8 allows local user to gain root access via a long --espeaker argument in programs such as nethack.bid663gnome-espeaker-local-bo(3349)The Sun HotSpot Performance Engine VM allows a remote attacker to cause a denial of service on any server running HotSpot via a URL that includes the [ character.sun-hotspot-vm(2348)522The textcounter.pl by Matt Wright allows remote attackers to execute arbitrary commands via shell metacharacters.http-cgi-textcounter(2052)19980624 textcounter.pl SECURITY HOLE 2265(1) acledit and (2) aclput in AIX 4.3 allow local users to create or modify files via a symlink attack.bid429Squid 2.2.STABLE5 and below, when using external authentication, allows attackers to bypass access controls via a newline in the user/password pair.bid741squid-proxy-auth-access(3433)19991025 [squid] exploit for external authentication problemSVGAlib zgv 3.0-7 and earlier allows local users to gain root access via a privilege leak of the iopl(3) privileges to child processes.19990219 Security hole: Buffer overflow in zgv in svgalib 1.2.10 and earlier allows local users to execute arbitrary code via a long HOME environment variable.svgalib/zgvBuffer overflow in MSN Setup BBS 4.71.0.10 ActiveX control (setupbbs.ocx) allows a remote attacker to execute arbitrary commands via the methods (1) vAddNewsServer or (2) bIsNewsServerConfigured.msn-setup-bbs-activex-bo(3310)bid668nsd in IRIX 6.5 through 6.5.2 exports a virtual filesystem on a UDP port, which allows remote attackers to view files and cause a possible denial of service by mounting the nsd virtual file system.sgi-nsd-view(2246)sgi-nsd-create(2247)41219990531 IRIX 6.5 nsd virtual filesystem vulnerability8564sadc in IBM AIX 4.1 through 4.3, when called from programs such as timex that are setgid adm, allows local users to overwrite arbitrary files via a symlink attack.http://techsupport.services.ibm.com/aix/fixes/v4/os/bos.acct.4.3.1.0.infobid408aix-sadc-timex (7675)IX75554IX76853IX76330aix-sadc-timex(7675)Vulnerability in digest in AIX 4.3 allows printq users to gain root privileges by creating and/or modifing any file on the system.IX74599bid405aix-digest(7477)sdrd daemon in IBM SP2 System Data Repository (SDR) allows remote attackers to read files without authentication.bid371ibm-sdr-read-files(7217)Buffer overflow in TestChip function in XFree86 SuperProbe in Slackware Linux 3.1 allows local users to gain root privileges via a long -nopr argument.Linux SuperProbe exploitbid364xosview 1.5.1 in Red Hat 5.1 allows local users to gain root access via a long HOME environmental variable.bid36219980529 Re: Tiresome security hole in "xosview" (xosexp.c)linux-xosview-bo(8787)abuse.console in Red Hat 2.1 uses relative pathnames to find and execute the undrv program, which allows local users to execute arbitrary commands via a path that points to a Trojan horse program.abuse Red Hat 2.1 security holebid354Vulnerability in (1) diskperf and (2) diskalign in IRIX 6.4 allows local attacker to create arbitrary root owned files, leading to root privileges.19980502-01-P3030sgi-diskalign(2104)sgi-diskperf (2103)bid348Vulnerability in crp in Hewlett Packard Apollo Domain OS SR10 through SR10.3 allows remote attackers to gain root privileges via insecure system calls, (1) pad_$dm_cmd and (2) pad_$def_pfk().CA-1991-2334apollo-crp-root-access(7158)colorview in Silicon Graphics IRIX 5.1, 5.2, and 6.0 allows local attackers to read arbitrary files via the -text argument.IRIX 5.2 Security Advisoryanother Irix 5.2 holesgi-colorview (2112)19950209-00-Pbid336xtvscreen in SuSE Linux 6.0 allows local users to overwrite arbitrary files via a symlink attack on the pic000.pnm file.19990218 xtvscreen and suse 6 xtvscreen-overwrite(1792)325Sudo 1.5 in Debian Linux 2.1 and Red Hat 6.0 allows local users to determine the existence of arbitrary files by attempting to execute the target filename as a program, which generates a different error message when the file does not exist.bid321sudo-file-exists(2277)Ipswitch IMail 5.0 and 6.0 uses weak encryption to store passwords in registry keys, which allows local attackers to read passwords for e-mail accounts.bid880Slackware Linux 3.4 pkgtool allows local attacker to read and write to arbitrary files via a symlink attack on the reply file.82named in ISC BIND 4.9 and 8.1 allows local users to destroy files via a symlink attack on (1) named_dump.db when root kills the process with a SIGINT, or (2) named.stats when SIGIOT is used.bid80Internet Anywhere POP3 Mail Server 2.3.1 allows remote attackers to cause a denial of service (crash) via (1) LIST, (2) TOP, or (3) UIDL commands using letters as arguments.bid733(1) ipxchk and (2) ipxlink in SGI OS2 IRIX 6.3 does not properly clear the IFS environmental variable before executing system calls, which allows local users to execute arbitrary commands.bid70bid7119980408 SGI O2 ipx security issue19980408 SGI O2 ipx security issueBuffer overflows in Quake 1.9 client allows remote malicious servers to execute arbitrary commands via long (1) precache paths, (2) server name, (3) server address, or (4) argument to the map console command.bid68bid69Network Flight Recorder (NFR) 1.5 and 1.6 allows remote attackers to cause a denial of service in nfrd (crash) via a TCP packet with a null header and data field.bid63Stalker Internet Mail Server 1.6 allows a remote attacker to cause a denial of service (crash) via a long HELO command.bid62Buffer overflow in QuakeWorld 2.10 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary commands via a long initial connect packet.bid60Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3, allows remote attackers to access user bin.CA-90:01bid6Sun SunOS 4.1 through 4.1.3 allows local attackers to gain root access via insecure permissions on files and directories such as crash.CA-1993-03bid59sun-dir(521)Web server in Tektronix PhaserLink Printer 840.0 and earlier allows a remote attacker to gain administrator access by directly calling undocumented URLs such as ncl_items.html and ncl_subjects.html.bid806Directory traversal vulnerability in Etype Eserv 2.50 web server allows a remote attacker to read any file in the file system via a .. (dot dot) in a URL.bid77319991104 Eserv 2.50 Web interface Server Directory Traversal VulnerabilityBuffer overflows in Bisonware FTP server prior to 4.1 allow remote attackers to cause a denial of service, and possibly execute arbitrary commands, via long (1) USER, (2) LIST, or (3) CWD commands.bisonware-command-bo(3234)Buffer overflows in Xtramail 1.11 allow attackers to cause a denial of service (crash) and possibly execute arbitrary commands via (1) a long PASS command in the POP3 service, (2) a long HELO command in the SMTP service, or (3) a long user name in the Control Service.bid791xtramail-pass-dos(3488)The AMaViS virus scanner 0.2.0-pre4 and earlier allows remote attackers to execute arbitrary commands as root via an infected mail message with shell metacharacters in the reply-to field.bid527amavis-command-execute(2349)Management information base (MIB) for a 3Com SuperStack II hub running software version 2.10 contains an object identifier (.1.3.6.1.4.1.43.10.4.2) that is accessible by a read-only community string, but lists the entire table of community strings, which could allow attackers to conduct unauthorized activities.Buffer overflow in Celtech ExpressFS FTP server 2.x allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long USER command.bid749expressfs-command-bo(3401)19990729 ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerabilityA non-default configuration in TenFour TFS Gateway 4.0 allows an attacker to cause a denial of service via messages with incorrect sender and recipient addresses, which causes the gateway to continuously try to return the message every 10 seconds.bid613tfs-gateway-dos(3290)A buffer overflow in TenFour TFS Gateway SMTP mail server 3.2 allows an attacker to crash the mail server and possibly execute arbitrary code by offering more than 128 bytes in a MAIL FROM string.runtar in the Amanda backup system used in various UNIX operating systems executes tar with root privileges, which allows a user to overwrite or read arbitrary files by providing the target files to runtar.bid750Operating systems with shared memory implementations based on BSD 4.4 code allow a user to conduct a denial of service and bypass memory limits (e.g., as specified with rlimits) using mmap or shmget to allocate memory and cause page faults.bid526bsd-shared-memory-dos(2351)Gene6 G6 FTP Server 2.0 allows a remote attacker to cause a denial of service (resource exhaustion) via a long (1) user name or (2) password.bid805g6ftp-username-dos(3513)A configuration problem in the Ad Server Sample directory (AdSamples) in Microsoft Site Server 3.0 allows an attacker to obtain the SITE.CSC file, which exposes sensitive SQL database information.bid256siteserver-site-csc(2270)Computalynx CMail 2.4 and CMail 2.3 SP2 SMTP servers are vulnerable to a buffer overflow attack in the MAIL FROM command that may allow a remote attacker to execute arbitrary code on the server.bid633cmail-command-bo(2240)Vulnerability in htmlparse.pike in Roxen Web Server 1.3.11 and earlier, possibly related to recursive parsing and referer tags in RXML.Buffer overflow in Sambar Web Server 4.2.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP GET request.http://xforce.iss.net/static/1672.phpFlowPoint DSL router firmware versions prior to 3.0.8 allows a remote attacker to exploit a password recovery feature from the network and conduct brute force password guessing, instead of limiting the feature to the serial console port.Macromedia Shockwave before 6.0 allows a malicious webmaster to read a user's mail box and possibly access internal web servers via the GetNextText command on a Shockwave movie.Shockwave Security Alertshockwave-internal-access (1585shockwave-file-read-vuln (1586)http-ns-shockwave (460)Auto-update feature of Macromedia Shockwave 7 transmits a user's password and hard disk information back to Macromedia.Shockwave 7 Security Holeshockwave-updater (1931)Internal HTTP server in Sun Netbeans Java IDE in Netbeans Developer 3.0 Beta and Forte Community Edition 1.0 Beta does not properly restrict access to IP addresses as specified in its configuration, which allows arbitrary remote attackers to access the server.bid816ProSoft Netware Client 5.12 on Macintosh MacOS 9 does not automatically log a user out of the NDS tree when the user logs off the system, which allows other users of the same system access to the unprotected NDS session.bid794A buffer overflow exists in the HELO command in Trend Micro Interscan VirusWall SMTP gateway 3.23/3.3 for NT, which may allow an attacker to execute arbitrary code.bid787viruswall-helo-bo(3465)19991107 Interscan VirusWall NT 3.23/3.3 buffer overflow.19991108 Re: Interscan VirusWall NT 3.23/3.3 buffer overflow.19991108 Patch for VirusWall 3.23.cgiwrap as used on Cobalt RaQ 2.0 and RaQ 3i does not properly identify the user for running certain scripts, which allows a malicious site administrator to view or modify data located at another virtual site on the same system.bid777cobalt-cgiwrap-incorrect-permissions(7764)35Buffer overflow in IBM HomePagePrint 1.0.7 for Windows98J allows a malicious Web site to execute arbitrary code on a viewer's system via a long IMG_SRC HTML tag.bid763ibm-homepageprint-bo(7767)Netscape Messaging Server 3.54, 3.55, and 3.6 allows a remote attacker to cause a denial of service (memory exhaustion) via a series of long RCPT TO commands.bid748Eicon Technology Diva LAN ISDN modem allows a remote attacker to cause a denial of service (hang) via a long password argument to the login.htm file in its HTTP service.bid787viruswall-helo-bo(3465)665diva-lan-isdn-dos(3317)19990926 DoS Exploit in Eicon Diehl LAN ISDN ModemBuffer overflow in (1) nlservd and (2) rnavc in Knox Software Arkeia backup product allows local users to obtain root access via a long HOME environmental variable.bid661Buffer overflow in AspUpload.dll in Persits Software AspUpload before 1.4.0.2 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long argument in the HTTP request.bid592http-aspupload-bo(3291).sbstart startup script in AcuShop Salesbuilder is world writable, which allows local users to gain privileges by appending commands to the file.bid560 13557IIS 3.x and 4.x does not distinguish between pages requiring encryption and those that do not, which allows remote attackers to cause a denial of service (resource exhaustion) via SSL requests to the HTTPS port for normally unencrypted files, which will cause IIS to perform extra work to send the files over SSL.bid521ssl-iis-dos(2352)When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allows an unauthorized user to gain access to sensitive server information, including the Administrator's password.19990114 MS IIS 4.0 Security Advisory19990114 MS IIS 4.0 Security AdvisoryNT IIS4 Remote Web-Based Administration VulnerabilityBuffer overflow in FTP server in QPC Software's QVT/Term Plus versions 4.2d and 4.3 and QVT/Net 4.3 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long (1) user name or (2) password.bid796qvtterm-login-dos(3491)19991110 Remote DoS Attack in QVT/Term 'Plus' 4.2d FTP Server Vulnerabilityshell-lock in Cactus Software Shell Lock uses weak encryption (trivial encoding) which allows attackers to easily decrypt and obtain the source code.cactus-shell-lock-retrieve-shell-code(3356)shell-lock in Cactus Software Shell Lock allows local users to read or modify decoded shell files before they are executed, via a symlink attack on a temporary file.cactus-shell-lock-root-privs(3358)1999100419991005 Cactus Software's shell-lockRPMMail before 1.4 allows remote attackers to execute commands via an e-mail message with shell metacharacters in the "MAIL FROM" command.linux-rh-rpmmail(3353)19991004 RH6.0 local/remote command executionMacOS uses weak encryption for passwords that are stored in the Users & Groups Data File.bid519Buffer overflow in FTP server in Microsoft IIS 3.0 and 4.0 allows local and sometimes remote attackers to cause a denial of service via a long NLST (ls) command.19990124 Advisory: IIS FTP Exploit/DoS AttackJoe's Own Editor (joe) 2.8 sets the world-readable permission on its crash-save file, DEADJOE, which could allow local users to read files that were being edited by other users.19990714 netstation.navio-com.rte 1.1.0.1 configuration script for Navio NC on IBM AIX exports /tmp over NFS as world-readable and world-writable.19990129 TROJAN: netstation.navio-comm.rte 1.1.0.1navionc-config-script(1724)Oracle Web Listener 2.1 allows remote attackers to bypass access restrictions by replacing a character in the URL with its HTTP-encoded (hex) equivalent.bid84119991125 Oracle Web ListenerCabletron SmartSwitch Router (SSR) 8000 firmware 2.x can only handle 200 ARP requests per second allowing a denial of service attack to succeed with a flood of ARP requests exceeding that limit.821Lynx 2.x does not properly distinguish between internal and external HTML, which may allow a local attacker to read a "secure" hidden form value from a temporary file and craft a LYNXOPTIONS: URL that causes Lynx to modify the user's configuration file and execute commands.bid804bigconf.conf in F5 BIG/ip 2.1.2 and earlier allows remote attackers to read arbitrary files by specifying the target file in the "file" parameter.bid778bigip-bigconf-view-files(7771)Buffer overflow in Ipswitch IMail Service 5.0 allows an attacker to cause a denial of service (crash) and possibly execute arbitrary commands via a long URL.19990302 Multiple IMail Vulnerabilites505imail-websvc-overflow(1898)dpsexec (DPS Server) when running under XDM in IBM AIX 3.2.5 and earlier does not properly check privileges, which allows local users to overwrite arbitrary files and gain privileges.bid358aix-dpsexec-root (7208)19940720 xnews and XDMBuffer overflow in XCmail 0.99.6 with autoquote enabled allows remote attackers to execute arbitrary commands via a long subject line.The authors were notified of this problem and it was fixed in devel-release 0.99.7.19990301 [0z0n3] XCmail remotely exploitable vulnerability311xcmail-reply-overflow(1859)/usr/sbin/Mail on SGI IRIX 3.3 and 3.3.1 does not properly set the group ID to the group ID of the user who started Mail, which allows local users to read the mail of other users.CA-1990-08bid13sgi-irix-reset(3164)Cheyenne InocuLAN Anti-Virus Server in Inoculan 4.0 before Service Pack 2 creates an update directory with "EVERYONE FULL CONTROL" permissions, which allows local users to cause Inoculan's antivirus update feature to install a Trojan horse dll.inoculan-bad-permissions(1536)Microsoft SQL Server 6.5 uses weak encryption for the password for the SQLExecutiveCmdExec account and stores it in an accessible portion of the registry, which could allow local users to gain privileges by reading and decrypting the CmdExecAccount value.bid109Microsoft SQL Server 6.5 stores the SQLExecutiveCmdExec in registry using weak encryption algorithmBuffer overflow in the login functions in IMAP server (imapd) in Ipswitch IMail 5.0 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a long user name or (2) a long password.19990301 Multiple IMail Vulnerabilitesimail-imap-overflow(1895)Vulnerability in loginout in Digital OpenVMS 7.1 and earlier allows unauthorized access when external authentication is enabled.I-071Abid161openvms-loginout-unauth-access(7151)Xylan OmniSwitch before 3.2.6 allows remote attackers to bypass the login prompt via a CTRL-D (control d) character, which locks other users out of the switch because it only supports one session at a time.19990331 Xylan OmniSwitch xylan-omniswitch-login(2064)Vulnerability in a script in Texas A&M University (TAMU) Tiger allows local users to execute arbitrary commands as the Tiger user, usually root.tiger-script-execute(2369)Nullsoft SHOUTcast server stores the administrative password in plaintext in a configuration file (sc_serv.conf), which could allow a local user to gain administrative privileges on the server.gFTP FTP client 1.13, and other versions before 2.0.0, records a password in plaintext in (1) the log window, or (2) in a log file.DSA-0843446Nachuatec D435 and D445 printer allows remote attackers to cause a denial of service via ICMP redirect storm.FreeBSD 3.2 and possibly other versions allows a local user to cause a denial of service (panic) with a large number accesses of an NFS v3 mounted directory from a large number of processes.Man2html 2.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file.6291Buffer overflow in iParty server 1.2 and earlier allows remote attackers to cause a denial of service (crash) by connecting to default port 6004 and sending repeated extended characters.Seapine Software TestTrack server allows a remote attacker to cause a denial of service (high CPU) via (1) TestTrackWeb.exe and (2) ttcgi.exe by connecting to port 99 and disconnecting without sending any data.testtrack-dos(1948)Off-by-one error in NcFTPd FTP server before 2.4.1 allows a remote attacker to cause a denial of service (crash) via a long PORT command.CVE-1999-1568CAN-1999-156819990223 Comments on NcFTPd "theoretical root compromise"ncftpd-port-bo(1833)Quake 1 and NetQuake servers allow remote attackers to cause a denial of service (resource exhaustion or forced disconnection) via a flood of spoofed UDP connection packets, which exceeds the server's player limit.quake-spoofed-client-dos(6871)ID Software Quake Denial of Service Vulnerability20010716 Quake client and server denial-of-service19980502 NetQuake Protocol problem resulting in smurf like effect.Buffer overflow in sar for OpenServer 5.0.5 allows local users to gain root privileges via a long -o parameter.Multiple Vendor SNMP Request Handling Vulnerabilitiesopenserver-sar-bo(8989)CSSA-2002-SCO.1719990909 19 SCO 5.0.5+Skunware98 buffer overflows20020509 Sar -o exploitation process info.Buffer overflow in sar for SCO OpenServer 5.0.0 through 5.0.5 may allow local users to gain root privileges via a long -f parameter, a different vulnerability than CVE-1999-1570.Caldera OpenServer /usr/bin/sar buffer overflowMultiple vulnerabilities in OpenServer 5.0.0 through 5.0.519990909 19 SCO 5.0.5+Skunware98 buffer overflowsSB-99.17cftp://stage.caldera.com/pub/security/sse/sse037c/sse037c.ltr64364319991020 Re: recent SCO 5.0.x vulnerabilities19991105 SCO Security Bulletin 99.1720020509 Sar -o exploitation process info.cpio on FreeBSD 2.1.0, Debian GNU/Linux 3.0, and possibly other operating systems, uses a 0 umask when creating files using the -O (archive) or -F options, which creates the files with mode 0666 and allows local users to read or overwrite those files.Fixed in rev 1.3 of cpio/main.c.http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/1391DSA-664MDKSA-2005:032RHSA-2005:073RHSA-2005:0802005-0003cpio-o-archive-insecure-permissions(19167)RHSA-2005:80614357170631753220050204 [USN-75-1] cpio vulnerabilityMDKSA-2005:032Multiple unknown vulnerabilities in the "r-cmnds" (1) remshd, (2) rexecd, (3) rlogind, (4) rlogin, (5) remsh, (6) rcp, (7) rexec, and (8) rdist for HP-UX 10.00 through 11.00 allow attackers to gain privileges or access files.HPSBUX9812-090ESB-98.186VU#13217J-022hp-rcmnds-gain-privileges(7860)Buffer overflow in the lex routines of nslookup for AIX 4.3 may allow attackers to cause a core dump and possibly execute arbitrary code via "long input strings."IX79909VU#182777aix-nslookup-lex-bo(7867)The Kodak/Wang (1) Image Edit (imgedit.ocx), (2) Image Annotation (imgedit.ocx), (3) Image Scan (imgscan.ocx), (4) Thumbnail Image (imgthumb.ocx), (5) Image Admin (imgadmin.ocx), (6) HHOpen (hhopen.ocx), (7) Registration Wizard (regwizc.dll), and (8) IE Active Setup (setupctl.dll) ActiveX controls for Internet Explorer (IE) 4.01 and 5.0 are marked as "Safe for Scripting," which allows remote attackers to create and modify files and execute arbitrary commands.19990924 Several ActiveX Buffer OverrunsMS99-037VU#23412VU#24839VU#26924VU#41408VU#9162wang-kodak-activex-control(7097)Buffer overflow in Adobe Acrobat ActiveX control (pdf.ocx, PDF.PdfCtrl.1) 1.3.188 for Acrobat Reader 4.0 allows remote attackers to execute arbitrary code via the pdf.setview method.19990924 Several ActiveX Buffer OverrunsVU#25919666adobe-acrobat-pdf-bo(3318)Buffer overflow in HHOpen ActiveX control (hhopen.ocx) 1.0.0.1 for Internet Explorer 4.01 and 5 allows remote attackers to execute arbitrary commands via long arguments to the OpenHelp method.19990924 Several ActiveX Buffer OverrunsVU#29795Microsoft hhopen OLE Control Buffer Overflow Vulnerabilityie-hhopen-bo(3314)Buffer overflow in Registration Wizard ActiveX control (regwizc.dll, InvokeRegWizard) 3.0.0.0 for Internet Explorer 4.01 and 5 allows remote attackers to execute arbitrary commands.19990924 Several ActiveX Buffer OverrunsVU#37556671ie-registration-wiz-bo(3311)The Cenroll ActiveX control (xenroll.dll) for Terminal Server Editions of Windows NT 4.0 and Windows NT Server 4.0 before SP6 allows remote attackers to cause a denial of service (resource consumption) by creating a large number of arbitrary files on the target machine.Q242366VU#3062Windows NT Xenroll Library Storage Consumption Vulnerabilitywinnt-xenroll-dos(7107)SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding host argument, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable and passing crafted values to the -oR option.http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-21.htmlAA-95.09CA-1995-11VU#32787829Memory leak in Simple Network Management Protocol (SNMP) agent (snmp.exe) for Windows NT 4.0 before Service Pack 4 allows remote attackers to cause a denial of service (memory consumption) via a large number of SNMP packets with Object Identifiers (OIDs) that cannot be decoded.Q178381VU#4923winnt-snmp-oid-memory-leak(8231)By design, the "established" command on the Cisco PIX firewall allows connections from one host to arbitrary ports of a target host if an alternative conduit has already been allowed, which can cause administrators to configure less restrictive access controls than intended if they do not understand this functionality.19980715 PIX Firewall VU#6733cisco-pix-established-bypass(8052)Buffer overflow in nslookup for AIX 4.3 allows local users to execute arbitrary code via a long hostname command line argument.IY02120VU#872443aix-nslookup-hostname-bo(8031)Unknown vulnerability in (1) loadmodule, and (2) modload if modload is installed with setuid/setgid privileges, in SunOS 4.1.1 through 4.1.3c, and Open Windows 3.0, allows local users to gain root privileges via environment variables, a different vulnerability than CVE-1999-1586.00124CA-93.18The (1) rcS and (2) mountall programs in Sun Solaris 2.x, possibly before 2.4, start a privileged shell on the system console if fsck fails while the system is booting, which allows attackers with physical access to gain root privileges.00124loadmodule in SunOS 4.1.x, as used by xnews, does not properly sanitize its environment, which allows local users to gain privileges, a different vulnerability than CVE-1999-1584.CA-95.12G-02sun-loadmodule(498)/usr/ucb/ps in Sun Microsystems Solaris 8 and 9, and certain earlier releases, allows local users to view the environment variables and values of arbitrary processes via the -e option.102215ADV-2006-1123101583319426solaris-ps-information-disclosure(25460)2420019662oval:org.mitre.oval:def:1470Buffer overflow in nlps_server in Sun Solaris x86 2.4, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code as root via a long string beginning with "NLPS:002:002:" to the listen (aka System V listener) port, TCP port 2766.2319Unspecified vulnerability in crontab in IBM AIX 3.2 allows local users to gain root privileges via unknown attack vectors.CA-1992-10357Directory traversal vulnerability in Muhammad A. Muquit wwwcount (Count.cgi) 2.3 allows remote attackers to read arbitrary GIF files via ".." sequences in the image parameter, a different vulnerability than CVE-1999-0021.19971010 Security flaw in Count.cgi (wwwcount)Microsoft Internet Information Services (IIS) server 4.0 SP4, without certain hotfixes released for SP4, does not require authentication credentials under certain conditions, which allows remote attackers to bypass authentication requirements, as demonstrated by connecting via Microsoft Visual InterDev 6.0.19990118 IIS4.0 and Visual Interdev19990119 Re: IIS4.0 and Visual Interdev190Multiple unspecified vulnerabilities in sendmail 5, as installed on Sun SunOS 4.1.3_U1 and 4.1.4, have unspecified attack vectors and impact. NOTE: this might overlap CVE-1999-0129.00159243RealMedia server allows remote attackers to cause a denial of service via a long ramgen request.BID 888realserver-ramgen-dos(4296)888Buffer overflow in ZBServer Pro 1.50 allows remote attackers to execute commands via a long GET request.zbserver-get-bo(3809)Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NTLocal / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT20000128 ZBServer 1.50-r1x exploit (WinNT)889Buffer overflow in UnixWare rtpm program allows local users to gain privileges via a long environmental variable.local-buffer overflow20000127 New SCO patches...ZBServer Pro allows remote attackers to read source code for executable files by inserting a . (dot) into the URL.zbserver-url-dot(4319)19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT19991223 Re: Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NTHP-UX aserver program allows local users to gain privileges via a symlink attack.hp-aserverK-014: HP-UX Aserver Vulnerabilitystrace allows local users to read arbitrary files via memory mapped file names.linux-strace(4554)strace can lie19991225 strace can lieTrend Micro PC-Cillin does not restrict access to its internal proxy port, allowing remote attackers to conduct a denial of service.pccillin-proxy-remote-dos(4491)PC-Cillin 6.x DoS Attack1740FTPPro allows local users to read sensitive information, which is stored in plain text.ftppro-plaintext-information(4490)FTPPro insecuitiesThe bna_pass program in Optivity NETarchitect uses the PATH environmental variable for finding the "rm" program, which allows local users to execute arbitrary commands.netarchitect-path-vulnerability(4489)Optivity NETarchitect PATH Vulnerabilitybna,sh907WebWho+ whois.cgi program allows remote attackers to execute commands via shell metacharacters in the TLD parameter.BID 892http-cgi-webwhoplus(3748)Buffer overflow in AnalogX SimpleServer:WWW HTTP server allows remote attackers to execute commands via a long GET request.BID 906simpleserver-get-bo(4297)http://www.analogx.com/contents/download/network/sswww.htm9061184Buffer overflow in w3-msql CGI program in miniSQL package allows remote attackers to execute commands.w3-msql-scanf-bo(3766)BID 898898IRIX soundplayer program allows local users to gain privileges by including shell metacharacters in a .wav file, which is executed via the midikeys program.BID 909irix-soundplayer-symlink(4298) irix-soundplayer.sh909Denial of service in Savant web server via a null character in the requested URL.BID 897savant-server-null-dos(3762) Local / Remote D.o.S Attack in Savant Web Server V2.0 WIN9X / NT / 2K897CascadeView TFTP server allows local users to gain privileges via a symlink attack.BID 910cascadeview-tftp-symlink(4388) tftpserv.sh910Buffer overflow in Internet Anywhere POP3 Mail Server allows remote attackers to cause a denial of service or execute commands via a long username.iams-pop3-command-dosVulnerabilities in the Internet Anywhere Mail ServerInternet Anywhere Mail Server Multiple Buffer Overflow Vulnerabilities730Buffer overflow in Linux linuxconf package allows remote attackers to gain root privileges via a long parameter.(Possible) Linuxconf Remote Buffer Overflow Vulnerability(Possible) Linuxconf Remote Buffer Overflow Vulnerabilitywmmon in FreeBSD allows local users to gain privileges via the .wmmonrc configuration file.BID 885freebsd-wmmon-root-exploit(4382) Wmmon under FreeBSD8851169IMail POP3 daemon uses weak encryption, which allows local users to read files.imail-passwordsIMAIL password recovery is trivialDNS PRO allows remote attackers to conduct a denial of service via a large number of connections.Remote D.o.S Attack in DNS PRO v5.7 WinNT From FBLI Software Vulnerabilitydnspro-flood-dos(3811)USSR Advisory Code: 22Lotus Domino HTTP server allows remote attackers to determine the real path of the server via a request to a non-existent script in /cgi-bin.http-cgi-lotus-domino(4389)Re: Lotus Domino HTTP denial of service attackDomino Web Server Crashes When CGI Scripts are Being Accessed881Lotus Domino HTTP server does not properly disable anonymous access for the cgi-bin directory. serious Lotus Domino HTTP denial of servicelotus-domino-anonymous-access(4390)BID 885881Buffer overflow in Lotus Domino HTTP server allows remote attackers to cause a denial of service via a long URL. serious Lotus Domino HTTP denial of serviceBID 881lotus-domino-http-dos(4391)88151IIS does not properly canonicalize URLs, potentially allowing remote attackers to bypass access restrictions in third-party software via escape characters, aka the "Escape Character Parsing" vulnerability.BID 886MS99-06119991229 More info on MS99-061 (IIS escape character vulnerability)iis-badescapes(3731)MS99-061Q246401IIS 4.0 and Site Server 3.0 allow remote attackers to read source code for ASP files if the file is in a virtual directory whose name includes extensions such as .com, .exe, .sh, .cgi, or .dll, aka the "Virtual Directory Naming" vulnerability.MS99-058iis-virtual-directory-naming(4392)BID 882MS99-058Q2386068098Buffer overflow in UnixWare i2odialogd daemon allows remote attackers to gain root access via a long username/password authorization string.UnixWare i2odialogd remote root exploitsco-i2odialogd-bo(4062)BID 87619991223 FYI, SCO Security patches available.8766310IBM Network Station Manager NetStation allows local users to gain privileges via a symlink attack.IBM Network Station Manager Race Condition VulnerabilityIBM NetStation/UnixWare local root exploit19991227 IBM NetStation/UnixWare local root exploit900ibm-netstat-race-condition(5381)Internet Explorer 5.0 and 5.01 allows remote attackers to bypass the cross frame security policy and read files via the external.NavigateAndFind function.ie-navigateandfind(4456)Re: IE 5.01 vulnerabilities in external.NavigateAndFind()IE 5.01 vulnerabilities in external.NavigateAndFind()UnixWare pis and mkpis commands allow local users to gain privileges via a symlink attack.BID 90119991227 UnixWare local pis exploitsco-pis-symlink(4393)20000113 Info on some security holes reported against SCO Unixware.901Solaris dmispd dmi_cmd allows local users to fill up restricted disk space by adding files to the /var/dmi/db database.BID 878sol-dmispd-fill-disk(4394) Solaris 2.7 dmispd local/remote problems878The initscripts package in Red Hat Linux allows local users to gain privileges via a symlink attack.linux-initscripts-race(4159)initscriptsAdvisory Released 12.27.1999Solaris dmi_cmd allows local users to crash the dmispd daemon by adding a malformed file to the /var/dmi/db database.BID 878sol-dmispd-dos(4395) Solaris 2.7 dmispd local/remote problems8787582InterScan VirusWall SMTP scanner does not properly scan messages with malformed attachments.BID 899interscan-viruswall-bypass(3767)Trend Micro InterScan VirusWall SMTP bug899Netscape 4.7 records user passwords in the preferences.js file during an IMAP or POP session, even if the user has not enabled "remember passwords."netscape-password-preferences(4492)More Netscape Passwords availiableresend command in Majordomo allows local users to gain privileges via shell metacharacters.majordomo-local-resend(3764)majordomo local exploit90220000113 Info on some security holes reported against SCO Unixware.Outlook Express 5 for Macintosh downloads attachments to HTML mail without prompting the user, aka the "HTML Mail Attachment" vulnerability.MS99-060macos-outlook-file-download(3551)BID 883Q249082Majordomo wrapper allows local users to gain privileges by specifying an alternate configuration file.BID 903majordomo-local-c-parameter(3761)20000113 Info on some security holes reported against SCO Unixware.RHSA-2000:005903glFtpD includes a default glftpd user account with a default password and a UID of 0.glftpd-default-account(4457)Multiple vulnerabilites in glFtpD (current versions)Example attackglFtpD home pageAltaVista search engine allows remote attackers to read files above the document root via a .. (dot dot) in the query.cgi CGI program.BID 896Traversal Vulnerabilityhttp-cgi-avsearch(3754)89615glFtpD allows local users to gain privileges via metacharacters in the SITE ZIPCHK command.Multiple vulnerabilites in glFtpDglftpd-site-zipchk(4458)BID 891Macintosh systems generate large ICMP datagrams in response to malformed datagrams, allowing them to be used as amplifiers in a flood attack.19991229 The "Mac DoS Attack," a Scheme for Blocking Internet ConnectionsBID 890Asymmetric traffic from MacOS 9macos-opentransport-dos(3752)890Buffer overflow in CSM mail server allows remote attackers to cause a denial of service or execute commands via a long HELO command.BID 895csm-server-bo(3760)USSR-99027895Buffer overflow in CamShot WebCam HTTP server allows remote attackers to execute commands via a long GET request.BID 905Remote GET Buffer Overflow Vulnerability in CamShot WebCamcamshot-http-get-overflow(3806)905Macros in War FTP 1.70 and 1.67b2 allow local or remote attackers to read arbitrary files or execute commands.BID 919warftp-macro-access-files(3871) Re: SECURITY ALERT - WAR FTP DAEMON ALL VERSIONS919MySQL allows local users to modify passwords for arbitrary MySQL users via the GRANT privilege.BID 926mysql-pwd-grant(3848)Serious bug in MySQL password handling926Buffer overflow in ICQ 99b 1.1.1.1 client allows remote attackers to execute commands via a malformed URL within an ICQ message.ICQ URL Remote Buffer Overflow Vulnerabilityicq-url-boICQ Buffer Overflow Exploit929Buffer overflow in Yahoo Pager/Messenger client allows remote attackers to cause a denial of service via a long URL within a message.yahoo-messenger-dosTeam Asylum: Yahoo! Messenger DoSget_it program in Corel Linux Update allows local users to gain root access by specifying an alternate PATH for the cp program.Corel Linux get_it PATH Vulnerabilitylinux-corel-updateSerious Bug in Corel Linux.(Local root exploit)http://linux.corel.com/support/clos_patch1.htm928Buffer overflow in Winamp client allows remote attackers to execute commands via a long entry in a .pls file.winamp-playlist-boWinamp buffer overflowBuffer overflow with WinAmp 2.1092512022The Allaire Spectra Webtop allows authenticated users to access other Webtop sections by specifying explicit URLs.BID 915allaire-webtop-access(3897)Allaire Security Bulletin (ASB00-01)915The Allaire Spectra Configuration Wizard allows remote attackers to cause a denial of service by repeatedly resubmitting data collections for indexing via a URL.BID 916allaire-spectra-config-dos(3898)Addressing Potential Denial Of Service Problem With Installation Files In Allaire Spectra 1.0916Red Hat userhelper program in the usermode package allows local users to gain root access via PAM and a .. (dot dot) attack.BID 913linux-pam-userhelper(3886)RHSA-2000:001-0320000104 PamSlamRHSA-2000:001linux-pam-userhelper913Microsoft Commercial Internet System (MCIS) IMAP server allows remote attackers to cause a denial of service via a malformed IMAP request.BID 912MS00-001imail-imap-overflow(1895)Q246731912search.cgi in the SolutionScripts Home Free package allows remote attackers to view directories via a .. (dot dot) attack.SolutionScripts Home Free search.cgi Directory Traversal VulnerabilityAnother search.cgi vulnerabilityHome Page921Buffer overflow in Solaris chkperm command allows local users to gain root access via a long -n option.sol-chkperm-bo(3870)Solaris chkperm Buffer Overflow Vulnerability[Hackerslab bug_paper] Solaris chkperm buffer overflow918IMail IMONITOR status.cgi CGI script allows remote attackers to cause a denial of service with many calls to status.cgi.IMail IMonitor status.cgi DoS Vulnerabilityimail-imonitor-overflowMultiple IMail Vulnerabilites914Cold Fusion CFCACHE tag places temporary cache files within the web document root, allowing remote attackers to obtain sensitive system information.BID 917coldfusion-cfcache(3862)Allaire Security Bulletin (ASB00-03)917Network HotSync program in Handspring Visor does not have authentication, which allows remote attackers to retrieve email and files.Handspring Visor Network HotSync Vulnerabilityhandspring-visor-auth(3873)Handspring Visor Network HotSync Security Hole20000105 Handspring Visor Network HotSync Security Hole920PHP3 with safe_mode enabled does not properly filter shell metacharacters from commands that are executed by popen, which could allow remote attackers to execute commands.PHP3 'safe_mode' Failure Vulnerabilityphp3-popen-execute(3900)PHP3 safe_mode and popen()911Buffer overflow in aVirt Rover POP3 server 1.1 allows remote attackers to cause a denial of service via a long user name.aVirt Rover POP3 Server Buffer Overflow DoS VulnerabilityLocal / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirtRover POP3 Server V1.1 NT From aVirt and possibly others versions.19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt894avirt-rover-pop3-dos(3765)Internet Explorer 5 does not modify the security zone for a document that is being loaded into a window until after the document has been loaded, which could allow remote attackers to execute Javascript in a different security context while the document is loading.ie-crossframe-file-read(3668)BID 923MS00-009: Patch Available for "Image Source Redirect" Vulnerability923The DTML implementation in the Z Object Publishing Environment (Zope) allows remote attackers to conduct unauthorized activities.BID 922zope-dtml(3902)SECURITY ALERT20000104 [petrilli@digicool.com: [Zope] SECURITY ALERT]922cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to read arbitrary files by specifying the filename in a parameter to the script.Nortel Contivity Denial of Service and File Viewing Vulnerabilitieshttp-cgi-cgiproc-file-read(4316)Nortel Contivity Vulnerability938cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to cause a denial of service via a malformed URL that includes shell metacharacters.Nortel Contivity Denial of Service and File Viewing Vulnerabilitieshttp-cgi-cgiproc-dos(4317)Nortel Contivity Vulnerability9387583Buffer overflow in InetServ 3.0 allows remote attackers to execute commands via a long GET request.inetserv-get-bo(4318)InetServRemote Buffer Exploit - InetServ 3.0WebSite Pro allows remote attackers to determine the real pathname of webdirectories via a malformed URL request.website-pro-dir-path(3839)Re: WebSitePro/2.3.18 + 2.4.9 is revealing WebdirectoriesCyberCash Merchant Connection Kit (MCK) allows local users to modify files via a symlink attack.cybercash-mck-tmp(3823)CyberCash MCK 3.2.0.4: Large /tmp holedaynad program in Intel InBusiness E-mail Station does not require authentication, which allows remote attackers to modify its configuration, delete files, or read mail.intel-email-unauthenticate-users[rootshell] Security Bulletin #27InBusiness E-mail Station20000104 [rootshell] Security Bulletin #27The recover program in Solstice Backup allows local users to restore sensitive files.solstice-backup-restore-files(3904)Security problem with Solstice Backup/Legato Networker recover commandNtImpersonateClientOfPort local procedure call in Windows NT 4.0 allows local users to gain privileges, aka "Spoofed LPC Port Request."BID 93420000113 Local Promotion Vulnerability in Windows NT 4MS00-003nt-spoofed-lpc-port(3821)MS00-003Q247869nt-spoofed-lpc-port934IIS 4.0 allows a remote attacker to obtain the real pathname of the document root by requesting non-existent files with .ida or .idq extensions.iis-ida-idq-paths(4346)Security problem with Solstice Backup/Legato Networker recover command20000111 IIS still revealing paths for web directories20000113 SV: IIS still revealing paths for web directoriesVisual Casel (Vcasel) does not properly prevent users from executing files, which allows local users to use a relative pathname to specify an alternate file which has an approved name and possibly gain privileges.VCasel Filename Trusting Vulnerabilityvcasel-filename-trustingWarning: VCasel security hole20000118 Warning: VCasel security hole.937vcasel-filename-trusting(3867)Buffer overflow in Microsoft Rich Text Format (RTF) reader allows attackers to cause a denial of service via a malformed control word.Re: Microsoft Security Bulletin (MS00-005)win-malformed-rtf-control-word(3868)MS00-005Q249973win-malformed-rtf-control-wordPowerScripts PlusMail CGI program allows remote attackers to execute commands via a password file with improper permissions.plusmail-password-permissionsPowerScripts PlusMail VulnerablityPowerScripts PlusMail password vulnerability (password change)Super Mail Transfer Package (SMTP), later called MsgCore, has a memory leak which allows remote attackers to cause a denial of service by repeating multiple HELO, MAIL FROM, RCPT TO, and DATA commands in the same session.supermail-memleak-dosLocal / Remote D.o.S Attack in Super Mail Transfer Package (SMTP) Server for WinNT Version 1.9xUSSR-2000031930nviboot boot script in the Debian nvi package allows local users to delete files via malformed entries in vi.recover.Multiple Vendor nvi Root Directory File Removal Vulnerabilitynvi: incorrect file removal in boot scriptnvi-delete-files19991230 vibackup.sh1439The October 1998 version of the HP-UX aserver program allows local users to gain privileges by specifying an alternate PATH which aserver uses to find the ps and grep commands.hp-aserverHPUX Aserver revisited.K-014K-014: HP-UX Aserver VulnerabilityThe June 1999 version of the HP-UX aserver program allows local users to gain privileges by specifying an alternate PATH which aserver uses to find the awk command.hp-aserverHPUX Aserver revisited.K-014The W3C CERN httpd HTTP server allows remote attackers to determine the real pathnames of some commands via a request for a nonexistent URL.w3c-httpd-reveal-pathsW3C httpd (Formerly 'CERN httpd') Path Revealing VulnerabilityRe: IIS still revealing paths for web directories936AIX techlibss allows local users to overwrite files via a symlink attack.aix-techlibss-symbolic-linkAIX techlibss Symbolic Link Vulnerability2nd attempt: AIX techlibss follows links20000110 2nd attempt: AIX techlibss follows links931Hotmail does not properly filter JavaScript code from a user's mailbox, which allows a remote attacker to execute the code by using hexadecimal codes to specify the javascript: protocol, e.g. j&#x41;vascript.WebTV email client allows remote attackers to force the client to send email without the user's knowledge via HTML.HP asecure creates the Audio Security File audio.sec with insecure permissions, which allows local users to cause a denial of service or gain additional privileges.Security Bulletins DigestHP Security AdvisoryHPSBUX0001-109CuteFTP uses weak encryption to store password information in its tree.dat file.cuteftp-weak-encryptCuteFTP saved password 'encryption' weaknessHotmail does not properly filter JavaScript code from a user's mailbox, which allows a remote attacker to execute code via the LOWSRC or DYNRC parameters in the IMG tag.hotmail-java-executeYet another Hotmail security hole - injecting JavaScript in IENetopia Timbuktu Pro sends user IDs and passwords in cleartext, which allows remote attackers to obtain them via sniffing.timbuktu-password-cleartextNetopia Timbuktu Cleartext Username/Password VulnerabilityTB2 Pro sending NT passwords cleartext935Netscape Mail Notification (nsnotify) utility in Netscape Communicator uses IMAP without SSL, even if the user has set a preference for Communicator to use an SSL connection, allowing a remote attacker to sniff usernames and passwords in plaintext.netscape-mail-notify-plaintextMisleading sense of security in Netscape20000113 Misleading sense of security in Netscapenetscape-mail-notify-plaintext(4385)Buffer overflow in the conversion utilities for Japanese, Korean and Chinese Word 5 documents allows an attacker to execute commands, aka the "Malformed Conversion Data" vulnerability.MS00-002office-malformed-convert(946)BID 946MS00-002946The rdisk utility in Microsoft Terminal Server Edition and Windows NT 4.0 stores registry hive information in a temporary file with permissions that allow local users to read it, aka the "RDISK Registry Enumeration File" vulnerability.MS00-004MS00-004BID 947MS00-004Q249108947VMWare 1.1.2 allows local users to cause a denial of service via a symlink attack.linux-vmware-symlinkVMware Symlink VulnerabilityVMware 1.1.2 Symlink Vulnerability9431205Buffer overflow in vchkpw/vpopmail POP authentication package allows remote attackers to gain root privileges via a long username or password.BID 942inter7-vpopmail-bo(4572)remote root qmail-pop with vpopmail advisory and exploit with patchhttp://www.inter7.com/vpopmail/ChangeLoghttp://www.inter7.com/vpopmail/942The BSD make program allows local users to modify files via a symlink attack when the -j option is being used.BID 939gnu-makefile-tmp-root(3985)Insecure temporary file handling in make(1)939An installation of Red Hat uses DES password encryption with crypt() for the initial password, instead of md5.linux-initial-password-encryption(4578)NIS security advisory : password method downgradeRh 6.1 initial root password encryptionprocfs in BSD systems allows local users to gain root privileges by modifying the /proc/pid/mem interface via a modified file descriptor for stderr.netbsd-procfsNetBSD Security Advisory 2000-001procfs PatchNetBSD-SA2000-00194020760netbsd-procfs(3995)The PMTU discovery procedure used by HP-UX 10.30 and 11.00 for determining the optimum MTU generates large amounts of traffic in response to small packets, allowing remote attackers to cause the system to be used as a packet amplifier.BID 944HPSBUX0001-110hp-packet-amplifier-dos(4581)HPSBUX0001-110944Buffer overflow in qpopper 3.0 beta versions allows local users to gain privileges via a long LIST command.Qualcomm qpopper 'LIST' Buffer Overflow Vulnerabilityqpopper-list-bo(4573)Qpopper downloadQpopper security bug948The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to read arbitrary files, aka the "Malformed Hit-Highlighting Argument" vulnerability.MS00-006http-indexserver-asp-source(4227)BID 9509501210Microsoft Index Server allows remote attackers to determine the real path for a web directory via a request to an Internet Data Query file that does not exist.http-indexserver-view-files(4232)MS00-006Cerberus Information Security Advisory (CISADV000202)MS00-006Buffer overflow in UnixWare ppptalk command allows local users to gain privileges via a long prompt argument.Unixware ppptalksco-ppptalk-bo(4594)Unixware ppptalk overflow20000119 Unixware ppptalkThe SMS Remote Control program is installed with insecure permissions, which allows local users to gain privileges by modifying or replacing the program.BID 945MS00-012sms-remote-control-permissions(4196)20000115 Security Vulnerability with SMS 2.0 Remote ControlThe Make-a-Store OrderPage shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.shopping-cart-form-tampering(4621)Shopping Carts exposing CC dataISS E-Security AlertThe SalesCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.shopping-cart-form-tampering(4621)ISS E-Security AlertThe SmartCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.shopping-cart-form-tampering(4621)ISS E-Security AlertThe Shoptron shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.shopping-cart-form-tampering(4621)ISS E-Security AlertOutlook Express 5.01 and Internet Explorer 5.01 allow remote attackers to view a user's email messages via a script that accesses a variable that references subsequent email messages that are read by the client.MS Outlook Express 5 Javascript Email Access Vulnerabilityemail-active-script-html(4018)Outlook Express 5 vulnerability - Active Scripting may read email messagesMicrosoft Security Bulletin (MS00-045)962The EasyCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.shopping-cart-form-tampering(4621)ISS E-Security AlertLinux apcd program allows local attackers to modify arbitrary files via a symlink attack.BID 95820000201debian-apcd-symlink-root(4017)20000201958The Intellivend shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.shopping-cart-form-tampering(4621)ISS E-Security AlertThe mcsp Client Site Processor system (MultiCSP) in Standard and Poor's ComStock is installed with several accounts that have no passwords or easily guessable default passwords.comstock-multicsp-passwords(4639)Security issues with S&P ComStock multiCSP (Linux)The WebSiteTool shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.shopping-cart-form-tampering(4621)ISS E-Security AlertThe RightFax web client uses predictable session numbers, which allows remote attackers to hijack user sessions.BID 953BUGTRAQ:20000129 [LoWNOISE] Rightfax web client 5.2953The default installation of Debian GNU/Linux uses an insecure Master Boot Record (MBR) which allows a local user to boot from a floppy disk during the installation.BID 960debian-mbr-bypass-security(4013)Re: vulnerability in Linux Debian default boot configuration20000202 vulnerability in Linux Debian default boot configuration960The SyGate Remote Management program does not properly restrict access to its administration service, which allows remote attackers to cause a denial of service, or access network traffic statistics.BID 952sygate-remote-admin(3963)Undocumented back doorhttp://www.sybergen.com/support/fix.htm20000128 SyGate 3.11 Port 7323 / Remote Admin hole20000202 SV: SyGate 3.11 Port 7323 / Remote Admin hole20000203 UPDATE: Sygate 3.11 Port 7323 Telnet Hole952Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.iis-frontpage-infoAlert: IIS 4 / IS 2 IDQ Cerberus Information Security Advisory (CISADV000202)Microsoft Security Bulletin (MS00-006)IIS allows local users to cause a denial of service via invalid regular expressions in a Visual Basic script in an ASP page.Strange behaviour IIS and RegExpFirewall-1 does not properly filter script tags, which allows remote attackers to bypass the "Strip Script Tags" restriction by including an extra < in front of the SCRIPT tag.http-script-bypass(3905)"Strip Script Tags" in FW-1 can be circumventedRe: "Strip Script Tags" in FW-1 can be circumvented9541212The siteUserMod.cgi program in Cobalt RaQ2 servers allows any Site Administrator to modify passwords for other users, site administrators, and possibly admin (root).http-cgi-cobalt-passwords(4595)[ Cobalt ] Security Advisory -- 01.31.2000Cobalt RaQ2 - a user of mine changed my admin password951The Red Hat Linux su program does not log failed password guesses if the su process is killed before it times out, which allows local attackers to conduct brute force password guessing.su-brute(2278)Solaris 2.5 /bin/su [was: vulnerability in su/PAM in redhat]vulnerability in su/PAM in redhat20000130 RedHat 6.1 /and others/ PAMThe default configurations for McAfee Virus Scan and Norton Anti-Virus virus checkers do not check files in the RECYCLED folder that is used by the Windows Recycle Bin utility, which allows attackers to store malicious code without detection.win-trojan-detection-bypass(3810)Bypass Virus Checking under 95/98/NTRe: Bypass Virus Checking20000130 Bypass Virus CheckingThe Remote Access Service invoke.cfm template in Allaire Spectra 1.0 allows users to bypass authentication via the bAuthenticated parameter.Allaire Spectra 1.0 invoke.cfm Unauthenticated RAS Access Vulnerabilityallaire-spectra-ras-access(4025)Patch Available for Allaire Spectra 1.0 Security Authentication System955The Recycle Bin utility in Windows NT and Windows 2000 allows local users to read or modify files by creating a subdirectory with the victim's SID in the recycler directory, aka the "Recycle Bin Creation" vulnerability.MS00-007BID 963nt-recycle-bin-access(4016)MS00-007Q248399963Frontpage Server Extensions allows remote attackers to determine the physical path of a virtual directory via a GET request to the htimage.exe CGI program.ms-frontpage-get-htimage(4008)2 MS Frontpage issues Cerberus Information Security Advisory (CISADV000203)MS Frontpage htimage.exe Path Leak Vulnerability96420070603 CERN &#304;mage Map Dispatcherfrontpage-cern-information-disclosure(34719)The shopping cart application provided with Filemaker allows remote users to modify sensitive purchase information via hidden form fields.shopping-cart-form-tampering(4621)ISS E-Security AlertsurfCONTROL SuperScout does not properly asign a category to web sites with a . (dot) at the end, which may allow users to bypass web access restrictions.surfCONTROL SuperScout Content Filtering Bypass Vulnerabilitysurfcontrol-superscout-bypass-filter(4009)surfCONTROL SuperScout v2.6.1.6 flaw965wwwthreads does not properly cleanse numeric data or table names that are passed to SQL queries, which allows remote attackers to gain privileges for wwwthreads forums.wwwthreads-sql-command-privs(4011)Urgent updateRFP2K01 - 96720000203 RFP2K01 - Sample Internet Data Query (IDQ) scripts in IIS 3 and 4 allow remote attackers to read files via a .. (dot dot) attack.Alert: IIS 4 / IS 2 IDQ Cerberus Information Security Advisoryiis-dir-traversal-read(4014)Webhits.dll buffer truncationThe Webspeed configuration program does not properly disable access to the WSMadmin utility, which allows remote attackers to gain privileges via wsisa.dll.Progress WebSpeed Administration Utility Configuration Vulnerabilitywebspeed-adminutil-auth(4012)Webspeed security issue969The Finger Server 0.82 allows remote attackers to execute commands via shell metacharacters.finger-server-input(4006)"The Finger Server"Home pagehttp://www.glazed.org/finger/changelog.txt7610Buffer overflow in the SHGetPathFromIDList function of the Serv-U FTP server allows attackers to cause a denial of service by performing a LIST command on a malformed .lnk file.win-shortcut-api-bo(4049)Local / Remote D.o.S Attack in Serv-U FTP-Server v2.5b for Win9x/WinNT VulnerabilityWindows Api SHGetPathFromIDList Buffer OverflowBuffer overflow in SCO scohelp program allows remote attackers to execute commands.sco-help-bo(4272)New SCO patchesSB-00.02aBuffer overflow in War FTPd 1.6x allows users to cause a denial of service via long MKD and CWD commands.BID 966war-ftpd 1.6x DoSBuffer overflow problem in 1.6*20000201 war-ftpd 1.6x DoS9664677Microsoft Java Virtual Machine allows remote attackers to read files via the getSystemResourceAsStream function.virtual-machine-file-read(4577)Microsoft Java Virtual Machine getSystemResource Vulnerability[JavaHouse-Brewers:30411] Re: Warning: Yet Another Security Hole of `Microsoft VM for Java'Patch Available for 957Buffer overflows in Tiny FTPd 0.52 beta3 FTP server allows users to execute commands via the STOR, RNTO, MKD, XMKD, RMD, XRMD, APPE, SIZE, and RNFR commands.Tiny FTPd Multiple Buffer Overflow Vulnerabilitiestinyftp-command-overflow(4000)Tiny FTPd 0.52 beta3 Buffer Overflow961The Check It Out shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.shopping-cart-form-tampering(4621)ISS E-Security AlertThe @Retail shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.shopping-cart-form-tampering(4621)ISS E-Security AlertThe Cart32 shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.shopping-cart-form-tampering(4621)ISS E-Security AlertThe CartIt shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.shopping-cart-form-tampering(4621)ISS E-Security AlertA system has a distributed denial of service (DDOS) attack master, agent, or zombie installed, such as (1) Trinoo, (2) Tribe Flood Network (TFN), (3) Tribe Flood Network 2000 (TFN2K), (4) stacheldraht, (5) mstream, or (6) shaft. ISS:20000502 "mstream" Distributed Denial of Service ToolCERT:CA-2000-0120000502 "mstream" Distributed Denial of Service Tool20000429 Re: Source code to mstream, a DDoS tool20000429 Re: Source code to mstream, a DDoS toolInternet Anywhere POP3 Mail Server allows local users to cause a denial of service via a malformed RETR command.BID 98220000210 remote DoS on Internet Anywhere Mail Server Ver.3.1.3anywhere-mailserver-retr-dos(3988)20000210 remote DoS on Internet Anywhere Mail Server Ver.3.1.3982Internet Anywhere POP3 Mail Server allows remote attackers to cause a denial of service via a large number of connections.BID 980anywhere-mailserver-connect-dos(3989)remote DoS on Internet Anywhere Mail Server Ver.3.1.320000210 remote DoS on Internet Anywhere Mail Server Ver.3.1.3980Infopop Ultimate Bulletin Board (UBB) allows remote attackers to execute commands via shell metacharacters in the topic hidden field.perl-cgi hole in UltimateBB by Infopop Corp.http-cgi-ultimatebb(3964)Re: perl-cgi hole in UltimateBB by Infopop Corp.http://www.ultimatebb.com/home/versions.shtml20000211 perl-cgi hole in UltimateBB by Infopop Corp.20000225 FW: Important UBB News For Licensed Users991The authentication protocol in Timbuktu Pro 2.0b650 allows remote attackers to cause a denial of service via connections to port 407 and 1417.timbuktu-auth-dos(3962)Timbuktu Pro 2.0b650 DoSTimbuktu Pro Remote Control SoftwareThe SSH protocol server sshd allows local users without shell access to redirect a TCP connection through a service that uses the standard system password database for authentication, such as POP or FTP.ssh-redirect-tcp-connection(4683)20000211 sshd and pop/ftponly users incorrect configurationAxis 700 Network Scanner does not properly restrict access to administrator URLs, which allows users to bypass the password protection via a .. (dot dot) attack.BID 971Infosec.20000207.axis700.aaxis-bypass-authentication(4684)20000207 Infosec.20000207.axis700.a971The libguile.so library file used by gnucash in Debian GNU/Linux is installed with world-writable permissions.Debian (frozen): Perms on /usr/lib/libguile.so.6.0.0debian-libguile-world-writable(4791)debian-libguile-world-writableThe Java Server in the Novell GroupWise Web Access Enhancement Pack allows remote attackers to cause a denial of service via a long URL to the servlet.Novell GroupWise 5.5 Enhancement Pack DoS VulnerabilityNovell GroupWise 5.5 Enhancement Pack Web Access Denial of Servic eGroupWise Support20000207 Novell GroupWise 5.5 Enhancement Pack Web Access Denial of Servic esnmpd in SCO OpenServer has an SNMP community string that is writable by default, which allows local attackers to modify the host's configuration.SNMPD configuration Vulnerability in SCO OpenServerSCO OpenServer SNMPD vulnerability973MySQL 3.22 allows remote attackers to bypass password authentication and access a database via a short check string.mysql-remote-access(4228)BID 975mysql322-server20000208 Remote access vulnerability in all MySQL server versions975Zeus web server allows remote attackers to view the source code for CGI programs via a null character (%00) at the end of a URL.Zeus Web Server - obtaining source of CGI scriptsBID 977zeus-server-null-string(3982)20000208 Zeus Web Server: Null Terminated Strings977254zeus-server-null-string(3982)Check Point Firewall-1 allows remote attackers to bypass port access restrictions on an FTP server by forcing it to send malicious packets that Firewall-1 misinterprets as a valid 227 response to a client's PASV attempt.FireWall-1 FTP Server VulnerabilityPassive FTP VulnerabilityBID 979checkpoint-pasv-ftp(3983)VU#3288679794417GNU make follows symlinks when it reads a Makefile from stdin, which allows other local users to execute commands.gnu-makefile-tmp-root(3985)GNU make /tmp Vulnerabilitymake: symlink attack in makeRemote attackers can cause a denial of service in Novell BorderManager 3.5 by pressing the enter key in a telnet connection to port 2000.BorderManager csatpxy.nlm fix avalable.novell-audit-trail-dos(4007)BID 9769767468FrontPage Personal Web Server (PWS) allows remote attackers to read files via a .... (dot dot) attack.Doubledot bug in FrontPage FrontPage Personal Web Server.pws-file-accessPatch Available for File Access Vulnerability in Personal Web Server989The ARCserve agent in UnixWare allows local attackers to modify arbitrary files via a symlink attack.SCO Unixware ARCserver /tmp symlink Vulnerabilitysco-openserver-arc-symlinkARCserve symlink vulnerabilityhttp://www.sco.com/security/20000215 ARCserve symlink vulnerabilityWindows NT Autorun executes the autorun.inf file on non-removable media, which allows local attackers to specify an alternate program to execute when other users access a drive.nt-autorun-notdefault(1274)BID 993AUTORUN.INF VulnerabilityCD-ROM Does Not Run Automatically When Inserted20000218 AUTORUN.INF VulnerabilityInternet Explorer 4.x and 5.x allows remote web servers to access files on the client that are outside of its security domain, aka the "Image Source Redirect" vulnerability.MS00-009ie-source-redirect advisoryMS00-0097827ie-image-source-redirect(3996)NetBSD ptrace call on VAX allows local users to gain privileges by modifying the PSL contents in the debugging process.netbsd-ptrace(3994)BID 992NetBSD Security Advisory 1999-0121999-012992Buffer overflow in MMDF server allows remote attackers to gain privileges via a long MAIL FROM command to the SMTP daemon.Remote Vulnerability in the MMDF SMTP Daemonsco-mmdf-bo(4344)Buffer Overflow Vulnerabilities in OpenServer MMDF subsystem99720000218 MMDFHP Ignite-UX does not save /etc/passwd when it creates an image of a trusted system, which can set the password field to a blank and allow an attacker to gain privileges.BID 1027HPSBUX0002-111hp-ignite-blank-password(4782)HPSBUX0002-111The Microsoft Active Setup ActiveX component in Internet Explorer 4.x and 5.x allows a remote attacker to install software components without prompting the user by stating that the software's manufacturer is Microsoft.win-active-setupMicrosoft signed software can be install software without prompting users20000221 Microsoft signed software can be install software without prompting usersSample web sites on Microsoft Site Server 3.0 Commerce Edition do not validate an identification number, which allows remote attackers to execute SQL commands.siteserver-sitebuilder(3997)MS00-010bugtraq id 994MS00-010994The Microsoft virtual machine (VM) in Internet Explorer 4.x and 5.x allows a remote attacker to read files via a malicious Java applet that escapes the Java sandbox, aka the "VM File Reading" vulnerability.MS00-011msvm-java-file-read(4024)BID 600asmon and ascpu in FreeBSD allow local users to gain root privileges via a configuration file.asmon-ascpu-execute-commands(4182)FreeBSD-SA-00:03: Asmon/Ascpu ports fail to drop privilegesbugtraq id 996FreeBSD-SA-00:03996The installation of Sun Internet Mail Server (SIMS) creates a world-readable file that allows local users to obtain passwords.sims-temp-world-readable(4783)Sun Internet Mail Serverbugtraq id 100420000220 Sun Internet Mail ServerThe Delegate application proxy has several buffer overflows which allow a remote attacker to execute commands.BID 808FreeBSD-SA-00:04delegate-proxy-bo(4195)FreeBSD-SA-00:04K-023Buffer overflow in the InterAccess telnet server TelnetD allows remote attackers to execute commands via a long login name.interaccess-telnet-login-bo(4032)Local / Remote Exploiteable Buffer Overflow Vulnerability in InterAccess TelnetD Server 4.0 for Windows NTLocal / Remote Exploiteable Buffer Overflow Vulnerability in InterAccess TelnetD Server 4.0 for Windows NT20000221 Local / Remote Exploiteable Buffer Overflow Vulnerability in InterAccess TelnetD Server 4.0 for Windows NT995IIS Inetinfo.exe allows local users to cause a denial of service by creating a mail file with a long name and a .txt.eml extension in the pickup directory.iis-pickup-directory-dos(4790)20000215 Crashing Inetinfo.exe by using a longfilename in the \mailroot\pickup directoryMicrosoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the "DOS Device in Path Name" vulnerability.BID 1043win-dos-devicename-dos(4107)20000306 con\con is a old thing (anyway is cool)MS00-0171043Batch files in the Oracle web listener ows-bin directory allow remote attackers to execute commands via a malformed URL that includes '?&'.oracle-weblistener-remote-attack(4198)BID 1053 Oracle Web Listener 4.0.x20000314 Oracle Web Listener 4.0.x1053Buffer overflow in the man program in Linux allows local users to gain privileges via the MANPAGER environmental variable.BID 1011man bugs might lead to root compromiseman-bo(4043)1011atsadc in the atsar package for Linux does not properly check the permissions of an output file, which allows local users to gain root privileges.atsar-root-access(4208)BID 1048TESO advisory -- atsadc20000311 TESO advisory -- atsadc1048The mtr program only uses a seteuid call when attempting to drop privileges, which could allow local users to gain root privileges.BID 1038mtr-drop-privileges(4162)FreeBSD Port Exploits for mh/nmh, Lynx, and mtr1038Vulnerability in the EELS system in SCO UnixWare 7.1.x allows remote attackers to cause a denial of service.EELS security patchsco-eels-dos(4341)StarOffice StarScheduler web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.Bugtraq id 1040staroffice-scheduler-fileread(4076) [SAFER 000309.EXP.1.4] StarScheduler (StarOffice) vulnerabilities20000308 [SAFER 000309.EXP.1.4] StarScheduler (StarOffice) vulnerabilities1040Buffer overflow in StarOffice StarScheduler web server allows remote attackers to gain root access via a long GET command.BID 1039staroffice-scheduler-bo(4075)[SAFER 000309.EXP.1.4] StarScheduler (StarOffice) vulnerabilities20000308 [SAFER 000309.EXP.1.4] StarScheduler (StarOffice) vulnerabilities1039The default configuration of Serv-U 2.5d and earlier allows remote attackers to determine the real pathname of the server by requesting a URL for a directory or file that does not exist.BID 1016servu-ftp-server-path(4060)Re: Serv-U FTP-Server v2.4a showing real path20000228 Serv-U FTP-Server v2.4a showing real pathDNSTools CGI applications allow remote attackers to execute arbitrary commands via shell metacharacters.dnstools-invalid-input(4876)DNSTools v1.08 has no input validationDNSTools Software - Security Concernsbugtraq id 102820000302 DNSTools v1.08 has no input validation1028ServerIron switches by Foundry Networks have predictable TCP/IP sequence numbers, which allows remote attackers to spoof or hijack sessions.BID 101720000227 Advisory: Foundry Networks ServerIron TCP/IP sequence predictabilityfoundry-serveriron-tcp-seq(4054)1017HP OpenView OmniBack 2.55 allows remote attackers to cause a denial of service via a large number of connections to port 5555.omniback-connection-dos(4022)BID 1015HP Omniback remote DoS20000228 HP Omniback remote DoSHPSBUX0006-115Sojourn search engine allows remote attackers to read arbitrary files via a .. (dot dot) attack.BID 1052SOJOURN Search engine exposes filessojourn-file-read(4197)Firewall-1 3.0 and 4.0 leaks packets with private IP address information, which could allow remote attackers to determine the real IP address of the host that is making the connection.BID 105420000311 Our old friend Firewall-1checkpoint-exposes-internal-addresses(4207)20000311 Our old friend Firewall-110541256iPlanet Web Server 4.1 allows remote attackers to cause a denial of service via a large number of GET commands, which consumes memory and causes a kernel panic.DoS for the iPlanet Web Server, Enterprise Edition 4.1iplanet-get-dos(4293)Re: DoS for the iPlanet Web Server, Enterprise Edition 4.1Buffer overflow in ircII 4.4 IRC client allows remote attackers to execute commands via the DCC chat capability.BID 1046irc-dcc-bo(4184)Fwd: ircii-4.4 buffer overflow20000310 Fwd: ircii-4.4 buffer overflowRHSA-2000:0081046Linux printtool sets the permissions of printer configuration files to be world-readable, which allows local attackers to obtain printer share passwords.BID 1037printtool-world-readable(4212)[ Hackerslab bug_paper ] Linux printtool get printer password200003091037RealMedia RealServer reveals the real IP address of a Real Server, even if the address is supposed to be private.BID 1049realserver-exposes-addresses(4367)Re: RealServer exposes internal IP addresses20000308 RealServer exposes internal IP addresses1049Buffer overflow in the dump utility in the Linux ext2fs backup package allows local users to gain privileges via a long command line argument.BID 1020linux-dump-bo(4048)[ Hackerslab bug_paper ] Linux dump buffer overflowRHSA-2000:1001020EZShopper 3.0 loadpage.cgi CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack or execute commands via shell metacharacters.BID 1014ezshopper-loadpage-cgi(4044)EZ Shopper 3.0 shopping cart CGI remote command execution20000227 EZ Shopper 3.0 shopping cart CGI remote command executionEZShopper 3.0 search.cgi CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack or execute commands via shell metacharacters.ezshopper-loadpage-cgi(4044)EZ Shopper 3.0 shopping cart CGI remote command execution20000227 EZ Shopper 3.0 shopping cart CGI remote command execution1014ColdFusion Server 4.x allows remote attackers to determine the real pathname of the server via an HTTP request to the application.cfm or onrequestend.cfm files.BID 102120000301 ColdFusions application.cfm shows full pathcoldfusion-reveal-pathname(4021)1021AOL Instant Messenger (AIM) client allows remote attackers to cause a denial of service via a message with a malformed ASCII value.aolim-malformed-ascii-dos(4877)Aol Instant Messenger DoS vulnerability20000303 Aol Instant Messenger DoS vulnerabilityAxis StorPoint CD allows remote attackers to access administrator URLs without authentication via a .. (dot dot) attack.axis-storpoint-auth(4078)bugtraq id 1025Infosec.20000229.axisstorpointcd.a19The default installation of Caldera OpenLinux 2.3 includes the CGI program rpm_query, which allows remote attackers to determine what packages are installed on the system.BID 1036linux-rpm-query(4168) OpenLinux 2.3: rpm_query20000304 OpenLinux 2.3: rpm_query1036The default configuration of Dosemu in Corel Linux 1.0 allows local users to execute the system.com program and gain privileges.linux-dosemu-config(4066)bugtraq id 1030Corel Linux 1.0 dosemu default configuration: Local root vuln20000302 Corel Linux 1.0 dosemu default configuration: Local root vulnbuildxconf in Corel Linux allows local users to modify or create arbitrary files via the -x or -f parameters.BID 1007Corel Linux 1.0 local root compromisecorel-linux-create-file(4031)20000224 Corel Linux 1.0 local root compromise1007setxconf in Corel Linux allows local users to gain root access via the -T parameter, which executes the user's .xserverrc file.BID 1008corel-linux-setxconf-root(4027)Corel Linux 1.0 local root compromise20000224 Corel Linux 1.0 local root compromise1008Buffer overflow in mhshow in the Linux nmh package allows remote attackers to execute commands via malformed MIME headers in an email message.BID 1018nmh: remote exploit in nmhnmh-execute-code(4051)emote exploit in nmhRHSA-2000:0061018The Windows NT scheduler uses the drive mapping of the interactive user who is currently logged onto the system, which allows the local user to gain privileges by providing a Trojan horse batch file in place of the original batch file.nt-at-drive-mappjngs(4221)bugtraq id 1050FW: [NTBUGTRAQ] AT Jobs - Denial of serice/Privilege Elevation20000313 AT Jobs - Denial of serice/Privilege ElevationBuffer overflow in POP3 and IMAP servers in the MERCUR mail server suite allows remote attackers to cause a denial of service.Local / Remote Multiples DoS Attacks in MERCUR v3.2* Vulnerabilitymercur-login-dos(4365)Product support20000314 Local / Remote Multiples Remote DoS Attacks in MERCUR v3.2* for Windows 98/NT Vulnerability20000314 Local / Remote Multiples Remote DoS Attacks in MERCUR v3.2* for Windows 98/NT Vulnerability1051When a new SQL Server is registered in Enterprise Manager for Microsoft SQL Server 7.0 and the "Always prompt for login name and password" option is not set, then the Enterprise Manager uses weak encryption to store the login ID and password.Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Storebugtraq id 1055K-026: Microsoft SQL Server Admin Login Encryption VulnerabilityBuffer overflow in Microsoft Clip Art Gallery allows remote attackers to cause a denial of service or execute commands via a malformed CIL (clip art library) file, aka the "Clip Art Buffer Overrun" vulnerability.BID 1034MS00-015clipart-cil-bo(4109)03/06/00MS00-0151034The window.showHelp() method in Internet Explorer 5.x does not restrict HTML help files (.chm) to be executed from the local host, which allows remote attackers to execute arbitrary commands via Microsoft Networking.BID 1033E 5.x allows executing arbitrary programs using .chm filesie-html-helpfile-execute(4601)UNC Path Can Be Used to Start Programs by Using .chm Files1033Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 allow remote attackers to gain privileges via a malformed Select statement in an SQL query.BID 1041MS00-014Microsoft SQL Query Abuse Vulnerabilitymssql-query-abuse(4110)MS00-0141041The Trend Micro OfficeScan client tmlisten.exe allows remote attackers to cause a denial of service via malformed data to port 12345.Re: TrendMicro OfficeScan tmlisten.exe DoStrendmicro-tmlisten-dos(4039)Trend Security Bulletin - OfficeScan DoS & Command Replay Vulnerabilities101320000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabiliesThe Trend Micro OfficeScan client allows remote attackers to cause a denial of service by making 5 connections to port 12345, which raises CPU utilization to 100%.Re: TrendMicro OfficeScan tmlisten.exe DoStrendmicro-tmlisten-dos(4039)20000226 DOS in Trendmicro OfficeScan20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabilies1013Trend Micro OfficeScan allows remote attackers to replay administrative commands and modify the configuration of OfficeScan clients.TrendMicro OfficeScan, numerous security holes, remote files modification.trendmicro-admin-command(4041)Trend Security Bulletin - OfficeScan DoS & Command Replay Vulnerabilities101320000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabiliesThe installation of Oracle 8.1.5.x on Linux follows symlinks and creates the orainstRoot.sh file with world-writeable permissions, which allows local users to gain privileges.BID 1035Oracle installer problemoracle-installer(4163)20000305 Oracle installer problem1035SGI InfoSearch CGI program infosrch.cgi allows remote attackers to execute commands via shell metacharacters.BID 103120000301 infosrch.cgi vulnerability (IRIX 6.5)20000501-01-P20000501-01-P1031The htdig (ht://Dig) CGI program htsearch allows remote attackers to read arbitrary files by enclosing the file name with backticks (`) in parameters to htsearch.BID 1026htdig-remote-read(4052)ht://Dig remote information exposure1026Buffer overflow in Lynx 2.x allows remote attackers to crash Lynx and possibly execute commands via a long URL in a malicious web page.BID 1012lynxproxy-long-url-bo(4046)lynx - someone is deaf and blind1012The lit program in Sun Flex License Manager (FlexLM) follows symlinks, which allows local users to modify arbitrary files.BID 998sol-licensemanager-symlink(4294)998The Windows Media server allows remote attackers to cause a denial of service via a series of client handshake packets that are sent in an improper sequence, aka the "Misordered Windows Media Services Handshake" vulnerability.BID 1000win-media-dos(4034)MS00-013MS00-0131000InterAccess TelnetID Server 4.0 allows remote attackers to conduct a denial of service via malformed terminal client configuration information.BID 1001USSR-2000034interaccess-telnet-dos(4033)1001interaccess-telnet-dos(4033)The Sambar server includes batch files ECHO.BAT and HELLO.BAT in the CGI directory, which allow remote attackers to execute commands via shell metacharacters.Sambar Server alert!Release Historysambar-batfilesBID 1002FTP Explorer uses weak encryption for storing the username, password, and profile of FTP sites.How the password could be recover using FTP Explorer's registry!Login Security DLLftp-explorer-weak-pwd(4038)1003Vulnerability in SCO cu program in UnixWare 7.x allows local users to gain privileges.BID 1019sco-cu-patch(4275)SCO Security Bulletin 2000.051019Microsoft email clients in Outlook, Exchange, and Windows Messaging automatically respond to Read Receipt and Delivery Receipt tags, which could allow an attacker to flood a mail system with responses by forging a Read Receipt request that is redirected to a large distribution list.mailbombing DoS easily exploitable against mail systems using MS mail clients.microsoft-mail-client-dos(4893)The default configuration of SSH allows X forwarding, which could allow a remote attacker to control a client's X sessions via a malicious xauth program.BID 1006SSH & xauthssh-xauth-client(4037)1006Buffer overflow in Linux mount and umount allows local users to gain root privileges via a long relative pathname.CSSA-2000-002.0Security hole in util < 2.10flinux-mount(411)CSSA-2000-002.069807004Red Hat 6.0 allows local users to gain root access by booting single user and hitting ^C at the password prompt.BID 1005redhat-single-user-auth(4026) redhat 6.0: single user boot security holeZoneAlarm sends sensitive system and network information in cleartext to the Zone Labs server if a user requests more information about an event.zonealarm-exposes-info(4295) Zonealarm exports sensitive dataThe Nautica Marlin bridge allows remote attackers to cause a denial of service via a zero length UDP packet to the SNMP port.BID 1009Scorpion Marlinnautica-marlin-router-dos(4200)1009The installation for Windows 2000 does not activate the Administrator password until the system has rebooted, which allows remote attackers to connect to the ADMIN$ share without a password until the reboot occurs.BID 990Windows 2000 installation process weakness990Buffer overflow in the wmcdplay CD player program for the WindowMaker desktop allows local users to gain root privileges via a long parameter.BID 104720000311 TESO advisory -- wmcdplaywmcdplaywmcdplay-bo(4185)20000311 TESO advisory -- wmcdplay1047ARCserve agent in SCO UnixWare 7.x allows local attackers to gain root privileges via a symlink attack.BID 988sco-openserver-arc-symlink(3991)SCO Security Bulletin 2000.0720000215 ARCserve symlink vulnerabilityThe Pocsag POC32 program does not properly prevent remote users from accessing its server port, even if the option has been disabled.bugtraq id 1032Pocsag remote access to client can't be disabled20000303 Pocsag remote access to client can't be disabled.259IIS 4.0 allows attackers to cause a denial of service by requesting a large buffer in a POST or PUT command which consumes memory, aka the "Chunked Transfer Encoding Buffer Overflow Vulnerability."iis-chunked-encoding-dos(4117)BID 1066MS00-0181066The Linux 2.2.x kernel does not restrict the number of Unix domain sockets as defined by the wmem_max paremeter, which allows local users to cause a denial of service by requesting a large number of sockets. Local Denial-of-Service attack against Linux20000323 Local Denial-of-Service attack against Linux1072linux-domain-socket-dos(4186)20000328 Re: Local Denial-of-Service attack against LinuxMicrosoft Windows Media License Manager allows remote attackers to cause a denial of service by sending a malformed request that causes the manager to halt, aka the "Malformed Media License Request" Vulnerability.mwmt-malformed-media-license(4108)BID 1058MS00-0161058gpm-root in the gpm package does not properly drop privileges, which allows local users to gain privileges by starting a utility from gpm-root.linux-gpm-root(4151)BID 1069gpm-root,SUSERHSA-2000:009-02RHSA-2000:009-0220000322 gpm-root20000405 Security hole in gpm < 1.18.1RHSA-2000:009RHSA-2000:0451069Buffer overflow in imwheel allows local users to gain root privileges via the imwheel-solo script and a long HOME environmental variable.linux-imwheel-bo(4201)BID 1060TESO & C-Skills development advisoryRHSA-2000:016-0220000316 TESO & C-Skills development advisory -- imwheelRHSA-2000:0161060Linux kreatecd trusts a user-supplied path that is used to find the cdrecord program, allowing local users to gain root privileges.linux-kreatecd-path(4124)BID 1061Security hole in kreatec20000316 "TESO & C-Skills development advisory -- kreatecd" at:1061Microsoft TCP/IP Printing Services, aka Print Services for Unix, allows an attacker to cause a denial of service via a malformed TCP/IP print request.win-tcpip-printing-dos(4203)BID 1082MS00-02120000330 Remote DoS Attack in Windows 2000/NT 4.0 TCP/IP Print Request Server Vulnerability1082SuSE Linux IMAP server allows remote attackers to bypass IMAP authentication and gain privileges.SuSE Linux IMAP Serverlinux-imap-remote-unauthorized-access(4166)BID 127720000327 Security hole in SuSE Linux IMAP ServerThe default configuration of Cobalt RaQ2 and RaQ3 as specified in access.conf allows remote attackers to view sensitive contents of a .htaccess file.cobalt-raq-remote-access(4239)BID 1083Cobalt-00-006: .htaccesshttp://www.securityfocus.com/templates/advisory.html?id=215020000330 Cobalt apache configuration exposes .htaccess1083Buffer overflow in the huh program in the orville-write package allows local users to gain root privileges.freebsd-orvillewrite-bo(4242)BID 1070FreeBSD-SA-00:110701263Netscape Enterprise Server with Directory Indexing enabled allows remote attackers to list server directories via web publishing tags such as ?wp-ver-info and ?wp-cs-dump.BID 1063netscape-server-directory-indexing(4116)[SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags20000317 [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags1063Netscape Enterprise Server with Web Publishing enabled allows remote attackers to list arbitrary directories via a GET request for the /publisher directory, which provides a Java applet that allows the attacker to browse the directories.netscape-webpublisher-invalid-access(4202)bugtraq id 1075 [zsh] Advisory : Netscape WebPublisher Allows Directory Listing and Accesshttp://zsh.stupidphat.com/advisory.cgi?000311-1Buffer overflow in the web server for Norton AntiVirus for Internet Email Gateways allows remote attackers to cause a denial of service via a long URL.bugtraq id 1064DoS with NAVIEGnav-email-gateway-dos20000317 DoS with NAVIEGBuffer overflow in the MERCUR WebView WebMail server allows remote attackers to cause a denial of service via a long mail_user parameter in the GET request.Local / Remote Multiples DoS Attacks in MERCUR v3.2* Vulnerabilitymercur-login-dos(4365)Product support20000315 Local / Remote DoS Attack in MERCUR WebView WebMail-Client 1.020000315 Local / Remote DoS Attack in MERCUR WebView WebMail-Client 1.01056vqSoft vqServer program allows remote attackers to read arbitrary files via a /........../ in the URL, a variation of a .. (dot dot) attack.bugtraq id 1067Product sitevqserver-dir-traversevqserver /........../http://www.vqsoft.com/vq/server/faqs/dotdotbug.html20000321 vqserver /........../270vqSoft vqServer stores sensitive information such as passwords in cleartext in the server.cfg file, which allows attackers to gain privileges.bugtraq id 1068vqserver /........../vqserver-passwd-plaintextWindMail allows remote attackers to read arbitrary files or execute commands via shell metacharacters.windmail-filereadWindmail allow web user get any fileBID 107320000325 Windmail allow web user get any fileAnalogX SimpleServer:WWW HTTP server 1.03 allows remote attackers to cause a denial of service via a short GET request to cgi-bin.bugtraq id 1076simpleserver-exception-dos AnalogX SimpleServer 1.03 Remote Crashhttp://www.analogx.com/contents/download/network/sswww.htm20000324 AnalogX SimpleServer 1.03 Remote Crash" at: simpleserver-exception-dos(4189)1265The Citrix ICA (Independent Computing Architecture) protocol uses weak encryption (XOR) for user authentication.citrix-encryption(4216)bugtraq id 1077Citrix ICA Basic Encryption20000328 Citrix ICA Basic EncryptionVulnerability in SGI IRIX objectserver daemon allows remote attackers to create user accounts.irix-objectserver-create-accounts(4206)BID 1079Objectserver vulnerability20000303-01-PXK-03010791267irix-objectserver-create-accounts(4206)IIS 4.0 and 5.0 does not properly perform ISAPI extension processing if a virtual directory is mapped to a UNC share, which allows remote attackers to read the source code of ASP and other files, aka the "Virtualized UNC Share" vulnerability.iis-virtual-unc-shareBID 1081MS00-019Q2495991081Unknown vulnerability in Generic-NQS (GNQS) allows local users to gain root privileges.http://ftp.gnqs.org/pub/gnqs/source/by-version-number/v3.50/Generic-NQS-3.50.8-ChangeLog.txtLocal root compromise in GNQS 3.50.6 and 3.50.7Generic NQS local rootGNQS Root Access VulnerabilityFreeBSD-SA-00:13The web GUI for the Linux Virtual Server (LVS) software in the Red Hat Linux Piranha package has a backdoor password that allows remote attackers to execute arbitrary commands.Backdoor Password in Red Hat Linux Virtual Server PackageBID1148piranha default password/exploitThe AIX Fast Response Cache Accelerator (FRCA) allows local users to modify arbitrary files via the configuration capability in the frcactrl program.BID 1152aix-frcactrl(3926)Insecure file handling in IBM AIX frcactrl program20000426 Insecure file handling in IBM AIX frcactrl program1152The crypt function in QNX uses weak encryption, which allows local users to decrypt passwords.BID 1114qnx crypt comprimisedqnx-weak-encryption(4866)HP-UX 11.04 VirtualVault (VVOS) sends data to unprivileged processes via an interface that has multiple aliased IP addresses.BID 1090hp-virtual-vault(4237)RE: [fw-wiz] Re: Anti-Defacement Products...HPSBUX0004-1121090The dansie shopping cart application cart.pl allows remote attackers to execute commands via a shell metacharacters in a form variable.BID 1115 more problems with that POS dansie cart software!Back Door in Commercial Shopping Cartdansie-shell-metacharactersThe dansie shopping cart application cart.pl allows remote attackers to modify sensitive purchase information via hidden form fields.shopping-cart-form-tampering(4621)BID 1115Form Tampering Vulnerabilities in Several Web-Based Shopping Cart ApplicationsThe dansie shopping cart application cart.pl allows remote attackers to obtain the shopping cart database and configuration information via a URL that references either the env, db, or vars form variables.BID 1115dansie-form-variables(4954)Re: more problems with that POS dansie cart software!The Nbase-Xyplex EdgeBlaster router allows remote attackers to cause a denial of service via a scan for the FormMail CGI program.BID 1091SilverBack Security Advisory: Nbase-Xyplex DoSnbase-xyplex-router(4236)Buffer overflows in htimage.exe and Imagemap.exe in FrontPage 97 and 98 Server Extensions allow a user to conduct activities that are not otherwise available through the web site, aka the "Server-Side Image Map Components" vulnerability.BID 1117Microsoft Security Bulletin (MS00-028)frontpage-ext-image-map(4484)20070603 CERN &#304;mage Map Dispatcherfrontpage-cern-bo(34720)Buffer overflow in the NetWare remote web administration utility allows remote attackers to cause a denial of service or execute commands via a long URL.BID 1118Novell Netware 5.1 (server 5.00h, Dec 11, 1999)netware-remote-admin-overflow(4310)IIS 4.0 and 5.0 allows remote attackers to cause a denial of service by sending many URLs with a large number of escaped characters, aka the "Myriad Escaped Characters" Vulnerability.MS00-023BID 1101iis-myriad-escape-chars(4279)1101The default permissions for the Cryptography\Offload registry key used by the OffloadModExpo in Windows NT 4.0 allows local users to obtain compromise the cryptographic keys of other users.winnt-cryptkeys-compromise(4332)BID 1105Microsoft Security Bulletin (MS00-024)Buffer overflow in the dvwssr.dll DLL in Microsoft Visual Interdev 1.0 allows users to cause a denial of service or execute commands, aka the "Link View Server-Side Component" vulnerability.BID 1109MS00-025frontpage-ext-dvwssr-bo(4333)1109282The AVM KEN! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.BID 1103ken-download-files(4303)AVM's Statement20000415 (no subject)20000418 AVM's Statement11031282The AVM KEN! ISDN Proxy server allows remote attackers to cause a denial of service via a malformed request.BID 1103ken-dos(4301)AVM's Statement20000415 (no subject)20000418 AVM's Statement1103The X font server xfs in Red Hat Linux 6.x allows an attacker to cause a denial of service via a malformed request.BID 1111xfsredhat-fontserver-dos(4305)Panda Security 3.0 with registry editing disabled allows users to edit the registry and gain privileges by directly executing a .reg file or using other methods.BID 1119panda-admin-privileges(4334)bugs in Panda Security 3.0http://updates.pandasoftware.com/docs/us/Avoidvulnerability.zip20000417 bugs in Panda Security 3.01119Panda Security 3.0 allows users to uninstall the Panda software via its Add/Remove Programs applet.panda-uninstall-program(4865)BID 1119bugs in Panda Security 3.0http://updates.pandasoftware.com/docs/us/Avoidvulnerability.zipInternet Explorer 5.01 allows remote attackers to bypass the cross frame security policy via a malicious applet that interacts with the Java JSObject to modify the DOM properties to set the IFRAME to an arbitrary Javascript URL.ie-java-crossframe-security(4387) IE 5 security vulnerablity - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy) Re: IE 5 security vulnerablity - circumventing Cross-framesecurity policy using Java/JavaScript (and disabling ActiveScripting is not that easy)112120000418 IE 5 security vulnerablity - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy)Cisco Catalyst 5.4.x allows a user to gain access to the "enable" mode without a password.BID 1122cisco-catalyst-password-bypass(4313)Cisco Catalyst Enable Password Bypass Vulnerability11221288Cisco IOS 11.x and 12.x allows remote attackers to cause a denial of service by sending the ENVIRON option to the Telnet daemon before it is ready to accept it, which causes the system to reboot.BID 1123Cisco IOS Software TELNET Option Handling Vulnerabilitycisco-ios-option-handling(4312)11231289Emacs 20 does not properly set permissions for a slave PTY device when starting a new subprocess, which allows local users to read or modify communications between Emacs and the subprocess.emacs-local-eavesdropRUS-CERT Advisory 200004-01: GNU Emacs 2020000418 RUS-CERT Advisory 200004-01: GNU Emacs 20BID 1125The make-temp-name Lisp function in Emacs 20 creates temporary files with predictable names, which allows attackers to conduct a symlink attack.BID 1126emacs-tempfile-creationRUS-CERT Advisory 200004-01: GNU Emacs 2020000418 RUS-CERT Advisory 200004-01: GNU Emacs 20read-passwd and other Lisp functions in Emacs 20 do not properly clear the history of recently typed keys, which allows an attacker to read unencrypted passwords.BID 1125emacs-password-historyRUS-CERT Advisory 200004-01: GNU Emacs 2020000418 RUS-CERT Advisory 200004-01: GNU Emacs 20RealNetworks RealServer allows remote attackers to cause a denial of service by sending malformed input to the server at port 7070.realserver-remote-dos(4400)bugtraq id 1128Remote DoS attack in Real Networks Real Server Vulnerabilityhttp://service.real.com/help/faq/servg270.htmlPCAnywhere allows remote attackers to cause a denial of service by terminating the connection before PCAnywhere provides a login prompt.BID 1095pcanywhere-login-dosA funny way to DOS pcANYWHERE8.0 and 9.0The Linux trustees kernel patch allows attackers to cause a denial of service by accessing a file or directory with a long name.BID 1096linux-trustees-patch-dos(4243)linux trustees 1.5 long path name vulnerabilityhttp://www.braysystems.com/linux/trustees.html20000410 linux trustees 1.5 long path name vulnerability1096CRYPTOCard CryptoAdmin for PalmOS uses weak encryption to store a user's PIN number, which allows an attacker with access to the .PDB file to generate valid PT-1 tokens after cracking the PIN.cryptoadmin-weak-encryption(4300)CRYPTOCard PalmToken PIN Extraction20000410 CRYPTOAdmin 4.1 server with PalmPilot PT-1 token 1.04 PIN Extract ion1097BeOS 4.5 and 5.0 allow local users to cause a denial of service via malformed direct system calls using interrupt 37.bugtraq id 1098BeOS syscall bugbeos-syscall-dos20000410 BeOS syscall bugMicrosoft Excel 97 and 2000 does not warn the user when executing Excel Macro Language (XLM) macros in external text files, which could allow an attacker to execute a macro virus, aka the "XLM Text Macro" vulnerability.BID 1087MS00-022excel-xlm(4224)10871272The SalesLogix Eviewer allows remote attackers to cause a denial of service by accessing the URL for the slxweb.dll administration program, which does not authenticate the user.BID 1089 SalesLogix Eviewer Web App Bug: URL request crashes eviewer web applicationeviewer-admin-request-dos(4217)20000331 SalesLogix Eviewer Web App Bug: URL request crashes eviewer web applicationBeOS allows remote attackers to cause a denial of service via malformed packets whose length field is less than the length of the headers.BID 1100beos-networking-dos(4277)BeOS Networking DOS20000407 BeOS Networking DOS1100Buffer overflow in the RealNetworks RealPlayer client versions 6 and 7 allows remote attackers to cause a denial of service via a long Location URL.Win32 RealPlayer 6/7 Buffer OverflowBID 1088Buffer overflow in the Napster client beta 5 allows remote attackers to cause a denial of service via a long message.Napster, Inc. response to Colten Edwardsneat little napster bugTalentSoft webpsvr daemon in the Web+ shopping cart application allows remote attackers to read arbitrary files via a .. (dot dot) attack on the webplus CGI program.bugtraq id 1102TalentSoft Web+ Input Validation Bug VulnerabilitySecurity updatetalentsoft-web-input(4282)ftp://ftp.talentsoft.com/Download/Webplus/Unix/Patches/Webplus46p%20Read%20me.htmlThe default installation of IRIX Performance Copilot allows remote attackers to access sensitive system information via the pmcd daemon.irix-pmcd-info(4283)bugtraq id 1106Performance Copilot for IRIX 6.5Buffer overflow in University of Washington imapd version 4.7 allows users with a valid account to execute commands via LIST or other commands.bugtraq id 1110imap-mailserver-bo(4338)imapd4r1 v12.26420000416 imapd4r1 v12.264Buffer overflow in XFree86 3.3.x allows local users to execute arbitrary commands via a long -xkbmap parameter.xfree86-xkbmap-parameter-bo(4867)XFree86 server overflow1306X fontserver xfs allows local users to cause a denial of service via malformed input to the server.bugtraq id 1111redhat-fontserver-dos(4305) xfs20000416 xfsThe BizDB CGI script bizdb-search.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the dbname parameter.http-cgi-bizdb(4246)bugtraq id 1104BizDB Search Script Enables Shell Command Execution at the Server20000412 BizDB Search Script Enables Shell Command Execution at the ServerInfonautics getdoc.cgi allows remote attackers to bypass the payment phase for accessing documents via a modified form variable.http-cgi-infonautics-getdoc(4289)Infonautic's getdoc.cgi may allow unauthorized access to documentsIP masquerading in Linux 2.2.x allows remote attackers to route UDP packets through the internal interface by modifying the external source IP address and port number to match those of an established connection.BID 1078linux-ip-masquerading(4233)Security Problems with Linux 2.2.x IP Masquerading20000520 Security hole in kernel < 2.2.15Buffer overflow in Webstar HTTP server allows remote attackers to cause a denial of service via a long GET request.Webstar 4.0 Buffer overflow vulnerabilitymacos-webstar-get-bo(4792)1822Buffer overflow in Star Office 5.1 allows attackers to cause a denial of service by embedding a long URL within a document.bugtraq id 1112staroffice-long-url-bo(4304)StarOffice 5.1The Adtran MX2800 M13 Multiplexer allows remote attackers to cause a denial of service via a ping flood to the Ethernet interface, which causes the device to crash.adtran-ping-dosbugtraq id 1129Adtran DoSaaa_base in SuSE Linux 6.3, and cron.daily in earlier versions, allow local users to delete arbitrary files by creating files whose names include spaces, which are then incorrectly interpreted by aaa_base when it deletes expired files from the /tmp directory.BID 1130aaabase-file-deletionSuSE Security AnnouncementBuffer overflow in healthd for FreeBSD allows local users to gain root privileges.BID 1107freebsd-healthd(4281)FreeBSD-SA-00:12FreeBSD-SA-00:121107606Buffer overflow in LCDproc allows remote attackers to gain root privileges via the screen_add command.bugtraq id 1131lcdproc-remote-overflow(4315) Remote vulnerability in LCDproc 0.4GLSA-200301-077829lcdproc-remote-overflow(4315)fcheck allows local users to gain privileges by embedding shell metacharacters into file names that are processed by fcheck.bugtraq id 1086 fcheck v.2.7.45 and insecure use of Perl's system()20000331 fcheck v.2.7.45 and insecure use of Perl's system()Allaire Forums 2.0.5 allows remote attackers to bypass access restrictions to secure conferences via the rightAccessAllForums or rightModerateAllForums variables.BID 1085allaire-forums-allaccess(4226)Allaire Security Bulletin (ASB00-06)ASB00-0610851270The unattended installation of Windows 2000 with the OEMPreinstall option sets insecure permissions for the All Users and Default Users directories.win2k-unattended-installAll Users startup folder left open if unattended install and OEMP reinstall=120000407 All Users startup folder left open if unattended install and OEMP reinstall=1win2k-unattended-install(4278)1758Buffer overflow in WebObjects.exe in the WebObjects Developer 4.5 package allows remote attackers to cause a denial of service via an HTTP request with long headers such as Accept.webobjects-post-dosWebObjects DoS20000404 WebObjects DoSThe default encryption method of PcAnywhere 9.x uses weak encryption, which allows remote attackers to sniff and decrypt PcAnywhere or NT domain accounts.bugtraq id 1093PcAnywhere weak password encryptionpcanywhere-weak-encryption(4234)Ipswitch IMAIL server 6.02 and earlier allows remote attackers to cause a denial of service via the AUTH CRAM-MD5 command.bugtraq id 1094ipswitch-imail-dos(4238)Re: IMAIL (Ipswitch) DoS with Eudora (Qualcomm)IMail - SMTP login problem for EudoraMicrosoft Index Server allows remote attackers to view the source code of ASP files by appending a %20 to the filename in the CiWebHitsFile argument to the null.htw URL.MS:MS00-006Alert: MS Index Server (CISADV000330)BID 1084271Quake3 Arena allows malicious server operators to read or modify files on a client via a dot dot (..) attack.Vulnerability in Quake3Arena Auto-DownloadBID 1169quake3-auto-download20000503 Vulnerability in Quake3Arena Auto-Download Feature11697531Microsoft IIS 4.0 and 5.0 with the IISADMPWD virtual directory installed allows a remote attacker to cause a denial of service via a malformed request to the inetinfo.exe program, aka the "Undelimited .HTR Request" vulnerability.BID 1191MS00-03120000511 Microsoft IIS Remote Denial of Service Attack20000511 Microsoft IIS Remote Denial of Service AttackMS00-0311191Windows 95, Windows 98, Windows 2000, Windows NT 4.0, and Terminal Server systems allow a remote attacker to cause a denial of service by sending a large number of identical fragmented IP packets, aka jolt2 or the "IP Fragment Reassembly" vulnerability.BID 1236ip-fragment-reassembly-dos(4518)MS00-02920000519 jolt2 - Remote DoS against NT, W2K, 9x1236Buffer overflow in calserver in SCO OpenServer allows remote attackers to gain root access via a long message.BUGTRAQ:19981229 Local/remote exploit for SCO UNIX.SB-99.02Vulnerability in xserver in SCO UnixWare 2.1.x and OpenServer 5.05 and earlier allows an attacker to cause a denial of service which prevents access to reserved port numbers below 1024.Security Bulletin 99.07Insecure file permissions for Netscape FastTrack Server 2.x, Enterprise Server 2.0, and Proxy Server 2.5 in SCO UnixWare 7.0.x and 2.1.3 allow an attacker to gain root privileges.The i386 trace-trap handling in OpenBSD 2.4 with DDB enabled allows a local user to cause a denial of service.19990212 i386 trace-trap handling when DDB was configured could cause a system crash.19990212 i386 trace-trap handling when DDB was configured could cause a system crash.6126IP fragment assembly in OpenBSD 2.4 allows a remote attacker to cause a denial of service by sending a large number of fragmented packets.19990217 IP fragment assembly can bog the machine excessively and cause problems.19990217 IP fragment assembly can bog the machine excessively and cause problems.7539The Windows 2000 domain controller allows a malicious user to modify Active Directory information by modifying an unprotected attribute, aka the "Mixed Object Access" vulnerability.ms-mixed-object(4336)BID 1145MS00-0261145cron in OpenBSD 2.5 allows local users to gain root privileges via an argv[] that is not NULL terminated, which is passed to cron's fake popen function.19990830 In cron(8), make sure argv[] is NULL terminated in the fake popen() and run sendmail as the user, not as root.Vulnerability in OpenBSD 2.6 allows a local user to change interface media configurations.19991109 Any user can change interface media configurations.7540traceroute in NetBSD 1.3.3 and Linux systems allows local users to flood other systems by providing traceroute with a large waittime (-w) option, which is not parsed properly and sets the time delay for sending packets to zero.BUGTRAQ:19990213 traceroute as a flooderNetBSD-SA1999-0047574traceroute in NetBSD 1.3.3 and Linux systems allows local unprivileged users to modify the source address of the packets, which could be used in spoofing attacks.BUGTRAQ:19990213 traceroute as a flooderNetBSD-SA1999-0047575Buffer overflow in Solaris 7 lp allows local users to gain root privileges via a long -d option.solaris-lp-bo(4361)BID 1143Re: Solaris 7 x86 lp exploit20000424 Solaris 7 x86 lp exploit1143Buffer overflow in Solaris 7 lpset allows local users to gain root privileges via a long -r option.Solaris 7 x86 lpset exploitRe: Solaris Sparc 2.6 & 7 lp/lpset/lpstat root compromise exploitbugtraaq id 1138solaris-lpset-bo20000427 Re: Solaris/SPARC 2.7 lpset exploit (well not likely !)Atrium Mercur Mail Server 3.2 allows local attackers to read other user's email and create arbitrary files via a dot dot (..) attack.mercur-remote-dot-attack(4368)Security problems with Atrium Mercur Mailserver 3.20BID 114420000413 Security problems with Atrium Mercur Mailserver 3.20mail.local in Sendmail 8.10.x does not properly identify the .\n string which identifies the end of message text, which allows a remote attacker to cause a denial of service or corrupt mailboxes via a message line that is 2047 characters long and ends in .\n.Re: [TL-Security-Announce] Linux Kernel TLSA2000013-1BID 1146sendmail-maillocal-dos(4556)20000424 unsafe fgets() in sendmail's mail.localQpopper 2.53 and 3.0 does not properly identify the \n string which identifies the end of message text, which allows a remote attacker to cause a denial of service or corrupt mailboxes via a message line that is 1023 characters long and ends in \n.BID 1133unsafe fgets() in qpopperqpopper-fgets-spoofingBuffer overflow in IC Radius package allows a remote attacker to cause a denial of service via a long user name.BID 1147Buffer Overflow in version .14icradius-username-boThe passwd.php3 CGI script in the Red Hat Piranha Virtual Server Package allows local users to execure arbitrary commands via shell metacharacters.bugtraq id 1149piranha-passwd-executepiranha default password/exploit20000424 piranha default password/exploitRHSA-2000:014The Microsoft Jet database engine allows an attacker to modify text files via a database query, aka the "Text I-ISAM" vulnerability. Alert : MS Office 97jet-text-isam(3156)BID 59519990728 Alert : MS Office 97 VulnerabilityMS99-030595pcAnywhere 8.x and 9.0 allows remote attackers to cause a denial of service via a TCP SYN scan, e.g. by nmap.20010212 Re: Symantec pcAnywhere 9.0 DoS / Buffer Overflow pcanywhere-tcpsyn-dos(4347)1301BID 1150Denial of Service Against pcAnywhere.pcanywhere-tcpsyn-dos20010211 Symantec pcAnywhere 9.0 DoS / Buffer OverflowThe Microsoft Jet database engine allows an attacker to execute commands via a database query, aka the "VBA Shell" vulnerability.Microsoft Security Program: Microsoft Security Bulletin (MS99-030)jet-vba-shell(3155)548Meeting Maker uses weak encryption (a polyalphabetic substitution cipher) for passwords, which allows remote attackers to sniff and decrypt passwords for Meeting Maker accounts.BID 1151MEETING MAKER TECH NOTEfinding Meeting Maker passwords using tcpdumpmeetingmaker-weak-encryptionMicrosoft Virtual Machine (VM) allows remote attackers to escape the Java sandbox and execute commands via an applet containing an illegal cast operation, aka the "Virtual Machine Verifier" vulnerability.msvm-verifier-java(3378)MS99-045BID 74019991014 Another Microsoft Java Flaw DisoveredWindows NT 4.0 generates predictable random TCP initial sequence numbers (ISN), which allows remote attackers to perform spoofing and session hijacking.tcp-seq-predict(139)BID 604MS99-04619990824 NT Predictable Initial TCP Sequence numbers - changes observed with SP4604A Microsoft ActiveX control allows a remote attacker to execute a malicious cabinet file via an attachment and an embedded script in an HTML mail, aka the "Active Setup Control" vulnerability.ie-active-setup-control(3494)MS99-048BID 775The networking software in Windows 95 and Windows 98 allows remote attackers to execute commands via a long file name string, aka the "File Access URL" vulnerability.win-fileurl-overflow(3492)MS99-049Patch Available for "File Access URL" VulnerabilityBuffer overflow in Microsoft command processor (CMD.EXE) for Windows NT and Windows 2000 allows a local user to cause a denial of service via a long environment variable, aka the "Malformed Environment Variable" vulnerability.nt-cmd-overflow(4337)BID 1135MS00-02720000421 CMD.EXE overflow (CISADV000420)UltraBoard.pl or UltraBoard.cgi CGI scripts in UltraBoard 1.6 allows remote attackers to read arbitrary files via a pathname string that includes a dot dot (..) and ends with a null byte.BID 1164Fun with UltraBoard V1.6Xultraboard-printabletopic-fileread20000502 Fun with UltraBoard V1.6X13094065tcpdump, Ethereal, and other sniffer packages allow remote attackers to cause a denial of service via malformed DNS packets in which a jump offset refers to itself, which causes tcpdump to enter an infinite loop while decompressing the packet.bugtraq id 1165sniffer-dns-decode-dosDenial of service attack against tcpdumpThe Allaire Spectra container editor preview tool does not properly enforce object security, which allows an attacker to conduct unauthorized activities via an object-method that is added to the container object with a publishing rule.allaire-spectra-container-editor-preview(4555)Bugtraq id 1181Allaire Security Bulletin (ASB00-10)1181The resolver in glibc 2.1.3 uses predictable IDs, which allows a local attacker to spoof DNS query results.BID 1166glibc-resolver-id-predictableglibc resolver weaknessLinux OpenLDAP server allows local users to modify arbitrary files via a symlink attack.openldap-symlink-attack(4369)BID 1232misconfigured OpenLDAPRHSA-2000:012TLSA2000010-11232Buffer overflow in Xsun X server in Solaris 7 allows local users to gain root privileges via a long -dev parameter.BID 1140solaris-xsun-bo(4360)Solaris x86 Xsun overflow.20000424 Solaris x86 Xsun overflow.1140Concurrent Versions Software (CVS) uses predictable temporary file names for locking, which allows local users to cause a denial of service by creating the lock directory before it is created for use by a legitimate CVS user.BID 1136cvs-tempfile-dosCVS DoS20000423 CVS DoSZoneAlarm 2.1.10 and earlier does not filter UDP packets with a source port of 67, which allows remote attackers to bypass the firewall rules.zonealarm-portscan(4356)BID 1137ZoneAlarm20000420 ZoneAlarm11371294Buffer overflow in Gnomelib in SuSE Linux 6.3 allows local users to execute arbitrary commands via the DISPLAY environmental variable.BID 1155linux-gnomelib-boSuSE 6.3 Gnomelib buffer overflowhttp://www.suse.com/us/support/download/updates/axp_63.htmlATRIUM Cassandra NNTP Server 1.10 allows remote attackers to cause a denial of service via a long login name.bugtraq id 1156Remote DoS attack in CASSANDRA NNTPServer v1.10 from ATRIUMEudora 4.x allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment."eudora-warning-message(4383)BID 1157Qualcomm warns of Eudora security holehttp://www.peacefire.org/security/stealthattach/explanation.html1157Buffer overflow in Sniffit 0.3.x with the -L logging option enabled allows remote attackers to execute arbitrary commands via a long MAIL FROM mail header.BID 1158sniffit-lmail-bospj-003-000 - S0ftPj Advisory'sniffit -L mail' vulnerabilities20000502 spj-003-000 - S0ftPj AdvisoryThe knfsd NFS server in Linux kernel 2.2.x allows remote attackers to cause a denial of service via a negative size value.BID 1160linux-knfsd-dosLinux knfsd DoS issueUpdated kernel available for Red Hat LinuxThe on-line help system options in Cisco routers allows non-privileged users without "enabled" access to obtain sensitive information via the show command.BID 1161cisco-online-helpPossible issue with Cisco on-line help?20000502 Possible issue with Cisco on-line help?AppleShare IP 6.1 and later allows a remote attacker to read potentially sensitive information via an invalid range request to the web server.BID 1162macos-appleshare-invalid-range(4429)INFO:AppleShare IP 6.3.2 squashes security bughttp://asu.info.apple.com/swupdates.nsf/artnum/n1167020000502 INFO:AppleShare IP 6.3.2 squashes security bug1162Windows 95 and Windows 98 allow a remote attacker to cause a denial of service via a NetBIOS session request packet with a NULL source name.win-netbios-source-null(4397)BID 116320000501 el8.org advisory - Win 95/98 DoS (RFParalyze.c)1163A vulnerability in the Sendmail configuration file sendmail.cf as installed in SCO UnixWare 7.1.0 and earlier allows an attacker to gain root privileges.SB-99.10Vulnerability in the passthru driver in SCO UnixWare 7.1.0 allows an attacker to cause a denial of service.SB-99.13A debugging feature in NetworkICE ICEcap 2.0.23 and earlier is enabled, which allows a remote attacker to bypass the weak authentication and post unencrypted events.BID 1216Grinding passwords on ICEcapnetice-icecap-default(4476)http://www.securityfocus.com/templates/advisory.html?id=2220http://advice.networkice.com/advice/Support/KB/q000166/1216312Some packaging commands in SCO UnixWare 7.1.0 have insecure privileges, which allows local users to add or remove software packages.SB-99.09SB-99.09Pine before version 4.21 does not properly filter shell metacharacters from URLs, which allows remote attackers to execute arbitrary commands via a malformed URL.BID 810pine-remote-exe(1695) Pine: expanding env vars in URLs (seems to be fixed as of 4.21)19991117 Pine: expanding env vars in URLs (seems to be fixed as of 4.21)CSSA-1999-036.019991227 Security hole in Pine < 4.21810Pine 4.x allows a remote attacker to execute arbitrary commands via an index.html file which executes lynx and obtains a uudecoded file from a malicious web server, which is then executed by Pine.HHP-Pine_remote_exploitBID 1247pine-lynx-execute-commands(4851)19990628 Execution of commands in Pine 4.x19990911 Update for Pine (fixed IMAP support)1247mirror 2.8.x in Linux systems allows remote attackers to create files one level above the local target directory.mirror-perl-remote-file-creation(3319)BID 681mirror 2.9 hole19990928 mirror 2.9 hole19991018 Incorrect directory name handling in mirror19991001 Security hole in mirror681pg and pb in SuSE pbpg 1.x package allows an attacker to read arbitrary files.linux-pg-fileread(3237)linux-pb-fileread(3239)BID 127119990920 Security hole in pbpgPluggable Authentication Modules (PAM) in Red Hat Linux 6.1 does not properly lock access to disabled NIS accounts.BID 697linux-pam-nis-login(3330)nis: various security problems in nisRHSA-1999:040697ORBit and esound in Red Hat Linux 6.1 do not use sufficiently random numbers, which allows local users to guess the authentication keys.linux-orbit-esound-authentication-keys(4157)RedHat Linux 6.1 ORBit and esound Weak Authentication VulnerabilityRHSA-1999:058-01ORBit and gnome-session in Red Hat Linux 6.1 allows remote attackers to crash a program.RedHat Linux 6.1 ORBit and gnome-session Remote DoS VulnerabilityRHSA-1999:058-01Buffer overflow in Trivial HTTP (THTTPd) allows remote attackers to cause a denial of service or execute arbitrary commands via a long If-Modified-Since header.BID 1248thttpd-ifmodifiedsince-header(4852)thttpd 2.04 stack overflow (VD#6)19991113 thttpd 2.04 stack overflow (VD#6)19991116 Security hole in thttpd 1.90a - 2.041248Buffer overflow in INN 2.2.1 and earlier allows remote attackers to cause a denial of service via a maliciously formatted article.inn-remote-dos(4176)BID 1249DoS attack on inn19991124 Security hole in inn <= 2.2.11249The PPP wvdial.lxdialog script in wvdial 1.4 and earlier creates a .config file with world readable permissions, which allows a local attacker in the dialout group to access login and password information.wvdial-gain-dialup-info(4172)Security hole in wvdiaSuSE Security Announcement wvdial <= 1.419991214 Security hole in wvdial <= 1.4Buffer overflows in Linux cdwtools 093 and earlier allows local users to gain root privileges.linux-cdda2cdr(3282)Bugtraq id 73819991019 Security hole in cdwtools < 093738Linux cdwtools 093 and earlier allows local users to gain root privileges via the /tmp directory.linux-cdda2cdr(3282)Bugtraq id 738Linux cdda2cdr local exploit19991019 Security hole in cdwtools < 093738screen and rxvt in Red Hat Linux 6.0 do not properly set the modes of tty devices, which allows local users to write to other ttys.linux-tty-improper-mode(4857)RHSA1999014_0130919990606 RedHat 6.0, /dev/pts permissions bug when using xterm19990606 RedHat 6.0, /dev/pts permissions bug when using xtermRed Hat Linux 6.0 installs the /dev/pts file system with insecure modes, which allows local users to write to other tty devices.linux-dev-insecure-mode(4858)RHSA1999014_0130819990606 RedHat 6.0, /dev/pts permissions bug when using xterm19990606 RedHat 6.0, /dev/pts permissions bug when using xtermdump in Debian GNU/Linux 2.1 does not properly restore symlinks, which allows a local user to modify the ownership of arbitrary files.Debian Linux 2.1 dump Symlink Restore Vulnerability19991202 problem restoring symlinks1442Vulnerability in eterm 0.8.8 in Debian GNU/Linux allows an attacker to gain root privileges.linux-eterm(1804)19990218 Root exploit in etermClassic Cisco IOS 9.1 and later allows attackers with access to the loging prompt to obtain portions of the command history of previous users, which may allow the attacker to access sensitive data.J-009Cisco IOS Command History Release at Login PromptThe IDENT server in Caldera Linux 2.3 creates multiple threads for each IDENT request, which allows remote attackers to cause a denial of service.caldera-ident-server-dos(4860)Caldera IDENT daemon Denial of Service VulnerabilityCSSA-1999-029.11266The debug option in Caldera Linux smail allows remote attackers to execute commands via shell metacharacters in the -D option for the rmail command.Bugtraq id 1268caldera-smail-rmail-command(4854)rmail problem in smail1268The libmediatool library used for the KDE mediatool allows local users to create arbitrary files via a symlink attack.kde-mediatool(2160)BID 1269KDE mediatool(multimedia) lib1269Vulnerability in Caldera rmt command in the dump package 0.4b4 allows a local user to gain root privileges.linux-rmt(2268)CSSA-1999-014.0/sbin/rmt with suid allows superuser privileges7940Vulnerabilities in the KDE kvt terminal program allow local users to gain root privileges.kde-kvt(2266)CSSA-1999:015.0RHSA-1999:015-01CSSA-1999-015.0The default configuration of kdm in Caldera and Mandrake Linux, and possibly other distributions, allows XDMCP connections from any host, which allows remote attackers to obtain sensitive information or bypass additional access restrictions.Caldera kdm XDMCP Access Control Vulnerabilitycaldera-kdm-default-configuration(4856)CSSA-1999-021.0MDKSA-2002:0251446xdmcp-kdm-default-configuration(4856)The kernel in FreeBSD 3.2 follows symbolic links when it creates core dump files, which allows local attackers to modify arbitrary files.6084Buffer overflow in the HTTP proxy server for the i-drive Filo software allows remote attackers to execute arbitrary commands via a long HTTP GET request.BID 1324idrive-filo-bo(4613) Internet Security Systems Security Advisory: Buffer Overflow in i-drive Filo (tm) software1324The Remote Registry server in Windows NT 4.0 allows local authenticated users to cause a denial of service via a malformed request, which causes the winlogon process to fail, aka the "Remote Registry Access Authentication" vulnerability.BID 1331nt-registry-request-dos(4648)MS00-040Q2646841331oval:org.mitre.oval:def:1021The pam_console PAM module in Linux systems performs a chown on various devices upon a user login, but an open file descriptor for those devices can be maintained after the user logs out, which allows that user to sniff activity on these devices when subsequent users log in.linux-pam-sniff-activities(4869)Multiple Linux Vendor pam_console Vulnerability20000502 pam_console bug1176The Netopia R9100 router does not prevent authenticated users from modifying SNMP tables, even if the administrator has configured it to do so.BID 1177netopia-snmp-comm-strings(4428)Advisory: Netopia R9100 router vulnerabilityhttp://www.netopia.com/equipment/purchase/fmw_update.html1177The IOS HTTP service in Cisco routers and switches running IOS 11.1 through 12.1 allows remote attackers to cause a denial of service by requesting a URL that contains a %% string.BID 1154cisco-ios-http-dos(4357)Re: Cisco HTTP possible bug:20000426 Cisco HTTP possible bug:20000514 Cisco IOS HTTP Server Vulnerability11541302The Gossamer Threads DBMan db.cgi CGI script allows remote attackers to view environmental variables and setup information by referencing a non-existing database in the db parameter.BID 1178http-cgi-dbman-db(4494)Black Watch Labs Vulnerability Alerthttp://www.perfectotech.com/blackwatchlabs/vul5_05.html20000505 Black Watch Labs Vulnerability Alert1178ColdFusion ClusterCATS appends stale query string arguments to a URL during HTML redirection, which may provide sensitive information to the redirected site.BID 1179allaire-clustercats-url-redirect(4436)Allaire Security Bulletin (ASB00-12)1179The file transfer component of AOL Instant Messenger (AIM) reveals the physical path of the transferred file to the remote recipient.AOL Instant Messenger Path Disclosure Vulnerabilityaolim-file-path(4427)118020000507 AOL Instant MessengerNetStructure 7110 and 7180 have undocumented accounts (servnow, root, and wizard) whose passwords are easily guessable from the NetStructure's MAC address, which could allow remote attackers to gain root access.20000508 NetStructure 7180 remote backdoor vulnerability20000508 NetStructure 7110 console backdoorBID 1182BID 1183http://216.188.41.136/FileMaker Pro 5 Web Companion allows remote attackers to bypass Field-Level database security restrictions via the XML publishing or email capabilities.macos-filemaker-xml(4431)macos-filemaker-email(4432)FileMaker Pro 5.0 Web Companion Software Multiple Vulnerabilitieshttp://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.htmlhttp://www.filemaker.com/support/webcompanion.htmlFileMaker Pro 5 Web Companion allows remote attackers to send anonymous or forged email.macos-filemaker-anonymous-email(4433)FileMaker Pro 5.0 Web Companion Software Multiple Vulnerabilitieshttp://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.htmlhttp://www.filemaker.com/support/webcompanion.htmlThe makelev program in the golddig game from the FreeBSD ports collection allows local users to overwrite arbitrary files.BID 1184golddig-overwrite-files(4424)FreeBSD Security Advisory: FreeBSD-SA-00:16.golddigFreeBSD-SA-00:161184Buffer overflow in FreeBSD libmytinfo library allows local users to execute commands via a long TERMCAP environmental variable.BID 1185libmytinfo-bo(4422)FreeBSD Security Advisory: FreeBSD-SA-00:17.libmytinfoFreeBSD-SA-00:171185Buffer overflow in krb_rd_req function in Kerberos 4 and 5 allows remote attackers to gain root privileges.BID 1220kerberos-krb-rd-req-bo(4519)CA-2000-0620000516 BUFFER OVERRUN VULNERABILITIES IN KERBEROSFreeBSD-SA-00:20RHSA-2000:0251220Buffer overflow in krb425_conv_principal function in Kerberos 5 allows remote attackers to gain root privileges.BID 1220kerberos-krb425-conv-principal-bo(4520)CA-2000-0620000516 BUFFER OVERRUN VULNERABILITIES IN KERBEROSFreeBSD-SA-00:20RHSA-2000:02512204884Buffer overflow in krshd in Kerberos 5 allows remote attackers to gain root privileges.BID 1220kerberos-krshd-bo(4521)CA-2000-0620000516 BUFFER OVERRUN VULNERABILITIES IN KERBEROSFreeBSD-SA-00:20RHSA-2000:02512204876Buffer overflow in ksu in Kerberos 5 allows local users to gain root privileges.BID 1220kerberos-ksu-bo(4522)CA-2000-0620000516 BUFFER OVERRUN VULNERABILITIES IN KERBEROSFreeBSD-SA-00:20RHSA-2000:0251220The KDE kscd program does not drop privileges when executing a program specified in a user's SHELL environmental variable, which allows the user to gain privileges by specifying an alternate program to execute.bugtraq id 1206kscd-shell-env-variable(4468)kscd vulnerability20000516 kscd vulnerability20000529 kmulti <= 1.1.21206NetProwler 3.0 allows remote attackers to cause a denial of service by sending malformed IP packets that trigger NetProwler's Man-in-the-Middle signature.BID 1225axent-netprowler-ipfrag-dos(4493) RFP2K05: NetProwler vs. RFProwler20000519 RFP2K05: NetProwler vs. RFProwler20000522 RFP2K05 - NetProwler "Fragmentation" Issue 1225Buffer overflow in CProxy 3.3 allows remote users to cause a denial of service via a long HTTP request.BID 1213cproxy-http-dos(4460)CProxy v3.3 SP 2 DoS20000516 CProxy v3.3 SP 2 DoS1213The add.exe program in the Carello shopping cart software allows remote attackers to duplicate files on the server, which could allow the attacker to read source code for web scripts such as .ASP files.BID 1245carello-file-duplication(4542)Cerberus Information Security Advisory (CISADV000524b)20000524 Alert: Carello File Creation flaw1245The EMURL web-based email account software encodes predictable identifiers in user session URLs, which allows a remote attacker to access a user's email account.BID 1203http://xforce.iss.net/static/4454.phpBuffer Overflow Vulnerabilities in OpenServer pkg* tools20000515 Vulnerability in EMURL-based e-mail providers1203Buffer overflow in wconsole.dll in Rockliffe MailSite Management Agent allows remote attackers to execute arbitrary commands via a long query_string parameter in the HTTP GET request.BID 1244mailsite-get-overflow(4537)Cerberus Information Security Advisory (CISADV000524a)20000524 Alert: Buffer overflow in Rockliffe's MailSite1244Buffer overflow in MDaemon POP server allows remote attackers to cause a denial of service via a long user name.BID 1250deerfield-mdaemon-dos(4539)Deerfield Communications MDaemon Mail Server DoS20000524 Deerfield Communications MDaemon Mail Server DoS1250The Microsoft Active Movie ActiveX Control in Internet Explorer 5 does not restrict which file types can be downloaded, which allows an attacker to download any type of file to a user's system by encoding it within an email message or news post.Microsoft Active Movie Control Filetype Vulnerabilityie-active-movie-control(4513)122120000516 MICROSOFT SECURITY FLAW?Buffer overflows in redirect.exe and changepw.exe in PDGSoft shopping cart allow remote attackers to execute arbitrary commands via a long query string.pdgsoft-changepw-bo(4546)pdgsoft-redirect-bo(4545)http://www.pdgsoft.com/Security/security2.html125620000525 Alert: PDG Cart Overflows20000525 Alert: PDG Cart OverflowsThe Mixed Mode authentication capability in Microsoft SQL Server 7.0 stores the System Administrator (sa) account in plaintext in a log file which is readable by any user, aka the "SQL Server 7.0 Service Pack Password" vulnerability.BID 1281mssql-sa-pw-in-sqlsplog(4584)MS00-035Q2639681281The CIFS Computer Browser service on Windows NT 4.0 allows a remote attacker to cause a denial of service by sending a large number of host announcement requests to the master browse tables, aka the "HostAnnouncement Flooding" or "HostAnnouncement Frame" vulnerability.BID 1261win-browser-hostannouncement(4547)ms00-036Q2633071261The CIFS Computer Browser service allows remote attackers to cause a denial of service by sending a ResetBrowser frame to the Master Browser, aka the "ResetBrowser Frame" vulnerability.BID 1262win-browser-reset-frame(4552)MS00-036Q2626941262Buffer overflow in L0pht AntiSniff allows remote attackers to execute arbitrary commands via a malformed DNS response packet.BID 1207antisniff-dns-overflow(4459)AntiSniff version 1.0112073179Netscape Communicator before version 4.73 and Navigator 4.07 do not properly validate SSL certificates, which allows remote attackers to steal information by redirecting traffic from a legitimate web server to their own malicious server, aka the "Acros-Suencksen SSL" vulnerability.BID 1188CA-2000-05netscape-invalid-ssl-sessions(4474)RHSA-2000:0281188Buffer overflow in Solaris netpr program allows local users to execute arbitrary commands via a long -p option.BID 1200sol-netpr-bo(4451)New Solaris root exploit for /usr/lib/lp/bin/netpr20000512 New Solaris root exploit for /usr/lib/lp/bin/netpr1200IIS 4.05 and 5.0 allow remote attackers to cause a denial of service via a long, complex URL that appears to contain a large number of file extensions, aka the "Malformed Extension Data in URL" vulnerability.BID 1190iis-url-extension-data-dos(4430)ms00-030http://www.ussrback.com/labs40.htmlQ2602051190Netscape 4.73 and earlier follows symlinks when it imports a new certificate, which allows local users to overwrite files of the user importing the certificate.BID 1201netscape-import-certificate-symlink(4478)Possible symlink problems with Netscape 4.7320000510 Possible symlink problems with Netscape 4.731201ColdFusion Server 4.5.1 allows remote attackers to cause a denial of service by making repeated requests to a CFCACHE tagged cache file that is not stored in memory.bugtraq id 1192coldfusion-cfcache-dos(4435)Cold Fusion Server 4.5.1 DoS Vulnerability.1192Matt Wright's FormMail CGI script allows remote attackers to obtain environmental variables via the env_report parameter.BID 1187http-cgi-formmail-environment(4480)issues with free Perl CGI's (Re: Black Watch Labs...)http://www.perfectotech.com/blackwatchlabs/vul5_10.html20000510 Black Watch Labs Vulnerability Alert1187The gnapster and knapster clients for Napster do not properly restrict access only to MP3 files, which allows remote attackers to read arbitrary files from the client by specifying the full pathname for the file.knapster-view-files(4462)20000510 KNapster Vulnerability Compromises User-readable Files20000510 Gnapster Vulnerability Compromises User-readable FilesFreeBSD-SA-00:181186The shtml.exe program in the FrontPage extensions package of IIS 4.0 and 5.0 allows remote attackers to determine the physical path of HTML, HTM, ASP, and SHTML files by requesting a file that does not exist, which generates an error message that reveals the path.iis-shtml-reveal-path(4439)Microsoft Frontpage Server Extensions Path Disclosure Vulnerability20000506 shtml.exe reveal local path of IIS web directory1174Vulnerability in shutdown command for HP-UX 11.X and 10.X allows allows local users to gain privileges via malformed input variables.BID 1214hp-shutdown-privileges(4418)HPSBUX0005-1131214Buffer overflow in Outlook Express 4.x allows attackers to cause a denial of service via a mail or news message that has a .jpg or .bmp attachment with a long file name.BID 119520000512 Overflow in Outlook Express 4.* - too long filenames with graphic format extensionNTMail 5.x allows network users to bypass the NTMail proxy restrictions by redirecting their requests to NTMail's web configuration server.BID 1196ntmail-bypass-proxy(4815)NTMail Proxy Exploithttp://www.gordano.com/support/archives/ntmail/2000-05/00001114.htm20000511 NTMail Proxy Exploit1196The HTTP administration interface to the Cayman 3220-H DSL router allows remote attackers to cause a denial of service via a long username or password.BID 1219cayman-router-dos(4479)Cayman 3220-H DSL Router DOS20000505 Cayman 3220-H DSL Router DOS20000523 Cayman 3220H DSL Router Software Update and New Bonus Attack1219The Cayman 3220-H DSL router allows remote attackers to cause a denial of service via oversized ICMP echo (ping) requests.BID 1240cayman-dsl-dos(4532)Cayman 3220H DSL Router Software Update and New Bonus Attack20000523 Cayman 3220H DSL Router Software Update and New Bonus Attack1240The Office 2000 UA ActiveX Control is marked as "safe for scripting," which allows remote attackers to conduct unauthorized activities via the "Show Me" function in Office Help, aka the "Office 2000 UA Control" vulnerability.BID 1197MS00-034office-ua-control(4445)Q262767CA-2000-071197The default configuration of SYSKEY in Windows 2000 stores the startup key in the registry, which could allow an attacker tor ecover it and use it to decrypt Encrypted File System (EFS) data.win2k-syskey-default-configuration(4819)Microsoft Windows 2000 Default SYSKEY Configuration Vulnerability20000511 ISS SAVANT Advisory 00/261198The process_bug.cgi script in Bugzilla allows remote attackers to execute arbitrary commands via shell metacharacters.BID 1199bugzilla-unchecked-system-call(4816)Advisory: Unchecked system(blaat $var blaat) call in Bugzilla 2.820000510 Advisory: Unchecked system(blaat $var blaat) call in Bugzilla 2.81199Buffer overflow in Netwin DMailWeb CGI program allows remote attackers to execute arbitrary commands via a long utoken parameter.Netwin Dmailweb Server utoken Buffer Overflow Vulnerabilityhttp-cgi-dmailweb-bo(4420)117120000504 Alert: DMailWeb buffer overflowBuffer overflow in Netwin DNEWSWEB CGI program allows remote attackers to execute arbitrary commands via long parameters such as group, cmd, and utag.BID 1172http-cgi-dnews-bo(4421)117220000505 Alert: DNewsWeb buffer overflowThe CGI counter 4.0.7 by George Burgyan allows remote attackers to execute arbitrary commands via shell metacharacters.BID 1202http-cgi-textcounter(2052)Vulnerability in CGI counter 4.0.7 by George Burgyan20000514 Vulnerability in CGI counter 4.0.7 by George Burgyan1202Buffer overflow in the Web Archives component of L-Soft LISTSERV 1.8 allows remote attackers to execute arbitrary commands.BID 1167http-cgi-listserv-wa-bo(4419)http://www.lsoft.com/news/default.asp?item=Advisory020000505 Alert: Listserv Web Archives (wa) buffer overflow1167UltraBoard 1.6 and other versions allow remote attackers to cause a denial of service by referencing UltraBoard in the Session parameter, which causes UltraBoard to fork copies of itself.BID 1175ultraboard-cgi-dos(4438)20000505 Re: Fun with UltraBoard V1.6X1175The Aladdin Knowledge Systems eToken device allows attackers with physical access to the device to obtain sensitive information without knowing the PIN of the owner by resetting the PIN in the EEPROM.BID 1170aladdin-etoken-pin-reset(4434)eToken Private Information Extraction and Physical Attack20000504 eToken Private Information Extraction and Physical Attack11703266Buffer overflow in the SMTP gateway for InterScan Virus Wall 3.32 and earlier allows a remote attacker to execute arbitrary commands via a long filename for a uuencoded attachment.BID 1168interscan-viruswall-bypass(3767)BlackHats Advisory -- InterScan VirusWall20000503 Trend Micro InterScan VirusWall Remote Overflow1168A backdoor password in Cart32 3.0 and earlier allows remote attackers to execute arbitrary commands.BID 1153cart32-admin-password(4351)http://www.cart32.com/kbshow.asp?article=c04820000427 Alert: Cart32 secret password backdoor (CISADV000427)Cart32 allows remote attackers to access sensitive debugging information by appending /expdate to the URL request.BID 1358cart32-expdate(4398)20000503 Another interesting Cart32 command1358Cobalt RaQ2 and RaQ3 does not properly set the access permissions and ownership for files that are uploaded via FrontPage, which allows attackers to bypass cgiwrap and modify files.Problem with FrontPage on Cobalt RaQ2/RaQ3BID 1238cobalt-cgiwrap-bypass(4531)http://archives.neohapsis.com/archives/bugtraq/2000-05/0305.html20000522 Problem with FrontPage on Cobalt RaQ2/RaQ31346The calender.pl and the calendar_admin.pl calendar scripts by Matt Kruse allow remote attackers to execute arbitrary commands via shell metacharacters.BID 1215Vuln in calender.pl (Matt Kruse calender script)20000516 Vuln in calender.pl (Matt Kruse calender script)1215The SuSE aaa_base package installs some system accounts with home directories set to /tmp, which allows local users to gain privileges to those accounts by creating standard user startup scripts such as profiles.SuSE Linux aaabase User Account with /tmp Home Vulnerabilityaaabase-execute-dot-files(4403)20000502 aaabase < 2000.5.2The administrative password for the Allmanage web site administration software is stored in plaintext in a file which could be accessed by remote attackers.Allmanage Administrator Password Retrieval Vulnerabilityhttp-cgi-allmanage-plaintext-admin(4466)20000516 Allmanage.pl Vulnerabilities1217The allmanageup.pl file upload CGI script in the Allmanage Website administration software 2.6 can be called directly by remote attackers, which allows them to modify user accounts or web pages.BID 1217Allmanage.pl Vulnerabilitieshttp-cgi-allmanage-account-access(4465)20000516 Allmanage.pl Vulnerabilities12171337MetaProducts Offline Explorer 1.2 and earlier allows remote attackers to access arbitrary files via a .. (dot dot) attack.BID 1231MetaProducts Offline Explorer Directory Traversal VulnerabilityOffline Explorer Development History20000522 MetaProducts Offline Explorer Directory Traversal Vulnerability1231Buffer overflow in the CyberPatrol daemon "cyberdaemon" used in gauntlet and WebShield allows remote attackers to cause a denial of service or execute arbitrary commands.BID 1234gauntlet-cyberdaemon-bo(4503)ISN] Security Hole found in NAI Firewallhttp://www.tis.com/support/cyberadvisory.htmlhttp://www.pgp.com/jump/gauntlet_advisory.asp20000522 Gauntlet CyberPatrol Buffer Overflow1234322Buffer overflow in fdmount on Linux systems allows local users in the "floppy" group to execute arbitrary commands via a long mountpoint parameter.BID 1239linux-fdmount-bo(4534)Re: fdmount buffer overflow20000522 fdmount buffer overflow1239Internet Explorer 4.0 and 5.0 allows a malicious web site to obtain client cookies from another domain by including that domain name and escaped characters in a URL, aka the "Unauthorized Cookie Access" vulnerability.BID 1194ie-cookie-disclosure(4447)ms00-3320000510 IE Domain Confusion Vulnerability20000511 IE Domain Confusion Vulnerability is an Email problem also11941326ie-cookie-disclosure(4447)NetBSD 1.4.2 and earlier allows remote attackers to cause a denial of service by sending a packet with an unaligned IP timestamp option.netbsd-unaligned-ip-options(4868)NetBSD-SA2000-00220000506 [NHC20000504a.0: NetBSD Panics when sent unaligned IP options]1173Vulnerability in AIX 3.2.x and 4.x allows local users to gain write access to files on locally or remotely mounted AIX filesystems.BID 1241aix-local-filesystem(4533)Filesystem vulnerability in AIXERS-OAR-E01-2000:087.11241Qpopper 2.53 and earlier allows local users to gain privileges via a formatting string in the From: header, which is processed by the euidl command.BID 1242qualcomm-qpopper-euidl(4548)popper port contains remote vulnerability [REVISED]20000523 Qpopper 2.53 remote problem, user can gain gid=mail20000608 pop <= 2000.3.41242The web interface server in HP Web JetAdmin 5.6 allows remote attackers to read arbitrary files via a .. (dot dot) attack.HP Web JetAdmin Directory Traversal Vulnerabilityhp-jetadmin-directory-traversal(4525)20000524 HP Web JetAdmin Version 5.6 Web interface Server Directory Traversal Vulnerability12431350HP Web JetAdmin 6.0 allows remote attackers to cause a denial of service via a malformed URL to port 8000.HP Web JetAdmin 6.0 Printing DoS Vulnerabilityhp-jetadmin-malformed-url-dos(4524)20000524 HP Web JetAdmin Version 6.0 Remote DoS attack Vulnerability1246The pgpk command in PGP 5.x on Unix systems uses an insufficiently random data source for non-interactive key pair generation, which may produce predictable keys.Multiple Vendor PGP5 Automatic Key Generation Routine Vulnerabilitypgp-key-predictable(4570)20000523 Key Generation Security Flaw in PGP 5.0CA-2000-0912511355Buffer overflow in MDBMS database server allows remote attackers to execute arbitrary commands via a long string.MDBMS Buffer Overflow Vulnerability20000524 Remote xploit for MDBMS1252Buffer overflow in WebShield SMTP 4.5.44 allows remote attackers to execute arbitrary commands via a long configuration parameter to the WebShield remote management service.nai-webshield-bo(4540)20000525 DST2K0003 : Buffer Overrun in NAI WebShield SMTP v4.5.44 Managem ent Tool 1254327The WebShield SMTP Management Tool version 4.5.44 does not properly restrict access to the management port when an IP address does not resolve to a hostname, which allows remote attackers to access the configuration via the GET_CONFIG command.nai-webshield(4540)20000525 DST2K0003 : Buffer Overrun in NAI WebShield SMTP v4.5.44 Managem ent Tool 1253326Omnis Studio 2.4 uses weak encryption (trivial encoding) for encrypting database fields.omnis-studio-weak-encryption(4543)20000525 Omnis Weak Encryption - Many products affected1255Vulnerability in bbd server in Big Brother System and Network Monitor allows an attacker to execute arbitrary commands.Big Brother bbd.c Buffer Overflow Vulnerabilitybig-brother-bbd-bo(4817)20000518 FW: Security Notice: Big Brother System and Network Monitor1257The Intel express 8100 ISDN router allows remote attackers to cause a denial of service via oversized or fragmented ICMP packets.Intel Express 8100 ISDN Router Fragmented ICMP Vulnerabilityintel-8100-remote-dos(4818)20000518 Remote Dos attack against Intel express 8100 router1228Buffer overflow in the ESMTP service of Lotus Domino Server 5.0.1 allows remote attackers to cause a denial of service via a long MAIL FROM command.BID 1229lotus-domino-esmtp-bo(4499)Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl))20000518 Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl))1229321XFree86 3.3.x and 4.0 allows a user to cause a denial of service via a negative counter value in a malformed TCP packet that is sent to port 6000.BID 1235CSSA-2000-012.0Nasty XFree Xserver DoS20000518 Nasty XFree Xserver DoSCSSA-2000-012.01235Buffer overflow in Linux cdrecord allows local users to gain privileges via the dev parameter.bugtraq id 1265linux-cdrecord-execute(4559)Conectiva Linux Security Announcement - cdrecord20000527 Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2)20000603 [Gael Duval ] [Security Announce] cdrecord20000607 Conectiva Linux Security Announcement - cdrecord1265Buffer overflow in xlockmore xlock program version 4.16 and earlier allows local users to read sensitive data from memory via a long -mode option.BID 1267xlock-bo-read-passwd(4561)NetBSD-SA2000-00320000529 Initialized Data Overflow in XlockNetBSD-SA2000-003TLSA2000012-11267NetBSD 1.4.2 and earlier allows local users to cause a denial of service by repeatedly running certain system calls in the kernel which do not yield the CPU, aka "cpu-hog".BID 1272bsd-syscall-cpu-dos(4562)NetBSD-SA2000-005NetBSD-SA2000-00512721365ISM.DLL in IIS 4.0 and 5.0 allows remote attackers to read file contents by requesting the file and appending a large number of encoded spaces (%20) and terminated with a .htr extension, aka the ".HTR File Fragment Reading" or "File Fragment Reading via .HTR" vulnerability.Microsoft IIS 4.0/5.0 Malformed Filename Request Vulnerabilityiis-ism-file-access(4448)20000511 Alert: IIS ism.dll exposes file contentsMS00-0311193The MSWordView application in IMP creates world-readable files in the /tmp directory, which allows other local users to read potentially sensitive information.imp-tmpfile-view(4330)IMP/MSWordView /tmp File Permission Vulnerability20000424 Two Problems in IMP 21360IMP does not remove files properly if the MSWordView application quits, which allows local users to cause a denial of service by filling up the disk space by requesting a large number of documents and prematurely stopping the request.imp-wordfile-dos(4331)IMP/MSWordView /tmp File Deletion Denial of Service Vulnerability20000424 Two Problems in IMP 21361Buffer overflow in KDE kdesud on Linux allows local uses to gain privileges via a long DISPLAY environmental variable.BID 1274kde-display-environment-overflow(4557)KDE: /usr/bin/kdesud, gid = 0 exploit1274The undocumented semconfig system call in BSD freezes the state of semaphores, which allows local users to cause a denial of service of the semaphore system by using the semconfig call.BID 1270NetBSD-SA2000-004bsd-semaphore-dos(4560)20000526NetBSD-SA2000-004FreeBSD-SA-00:191270ftpd in NetBSD 1.4.2 does not properly parse entries in /etc/ftpchroot and does not chroot the specified users, which allows those users to access other files outside of their home directory.BID 1273NetBSD-SA2000-006netbsd-ftpchroot-parsing(4358)NetBSD-SA2000-00612731366BeOS 5.0 allows remote attackers to cause a denial of service via fragmented TCP packets.BID 1222beos-tcp-frag-dos(4483)AUX Security Advisory on Be/OS 5.0 (DoS)20000517 AUX Security Advisory on Be/OS 5.0 (DoS)1222Internet Explorer 4.x and 5.x allows remote attackers to execute arbitrary commands via a buffer overflow in the ActiveX parameter parsing capability, aka the "Malformed Component Attribute" vulnerability.BID 1223ie-malformed-component-attribute(4502)MS00-033Q2612571223Internet Explorer 4.x and 5.x does properly verify the domain of a frame within a browser window, which allows a remote attacker to read client files via the frame, aka the "Frame Domain Verification" vulnerability.BID 1224ie-frame-domain-verification(4500)MS00-033Q251108Q2556761224AIX cdmount allows local users to gain root privileges via shell metacharacters.bugtraq id 1384Buffer overflow in Linux splitvt 1.6.3 and earlier allows local users to gain root privileges via a long password in the screen locking function.bugtraq id 134620000605 root exploit in splitvt20000614 Splitvt exploit1346man in HP-UX 10.20 and 11 allows local attackers to overwrite files via a symlink attack.BID 1302HP Securtity vulnerability in man commandHP man-file-overwrite20000601 HP Security vulnerability in the man commandSelena Sol WebBanner 4.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack.Malicious HTML Tags Embedded in Client Web RequestsCGI: Selena Sol's WebBanner ( Random Banner Generator ) VulnerabilityWebBanner input validation error20000620 Re: CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability1347Allegro RomPager HTTP server allows remote attackers to cause a denial of service via a malformed authentication request.Hardware Exploit - Gets network Downrompager-malformed-dosAllegro rompager20000601 Hardware Exploit - Gets network Down1290Buffer overflow in ufsrestore in Solaris 8 and earlier allows local users to gain root privileges via a long pathname.BID 1348Solaris ufsrestore buffer overflow20000614 Vulnerability in Solaris ufsrestore00210VU#368661398Buffer overflow in innd 2.2.2 allows remote attackers to execute arbitrary commands via a cancel request containing a long message ID.CERT* Advisory CA-97.08innd-cancel-overflowinnd 2.2.2 remote buffer overflow20000106 innd 2.2.2 remote buffer overflowCSSA-2000-016.020000707 inn update20000721 [ANNOUNCE] INN 2.2.3 available20000722 MDKSA-2000:023 inn update1316Buffer overflow in AnalogX SimpleServer 1.05 allows a remote attacker to cause a denial of service via a long GET request for a program in the cgi-bin directory.BID 1349Product home pagesimpleserver-get-bo(4297)Real Networks RealServer 7.x allows remote attackers to cause a denial of service via a malformed request for a page in the viewsource directory.realserver-remote-dos(4400)BID 1288realserver-malformed-remote-dos(4587)20000601 Remote DoS attack in Real Networks Real Server (Strike #2) Vulnerability20000601 Remote DoS attack in RealServer: USSR-2000043Windows 2000 allows a local user process to access another user's desktop within the same windows station, aka the "Desktop Separation" vulnerability.Desktop SeparationBID 1350win2k-desktop-separation(4714)xterm, Eterm, and rxvt allow an attacker to cause a denial of service by embedding certain escape characters which force the window to be resized.[rootshell.com] Xterm DoS AttackBID 1298xterm-control-characters-dos(4987)20000601 [rootshell.com] Xterm DoS AttackBuffer overflow in Norton Antivirus for Exchange (NavExchange) allows remote attackers to cause a denial of service via a .zip file that contains long file names.BID 1351Vulnerabilities in Norton Antivirus for Exchangeantivirus-nav-zip-bo20000614 Vulnerabilities in Norton Antivirus for Exchangeantivirus-nav-zip-boIn some cases, Norton Antivirus for Exchange (NavExchange) enters a "fail-open" state which allows viruses to pass through the server.Vulnerabilities in Norton Antivirus for Exchangeantivirus-nav-fail-openBID 135120000614 Vulnerabilities in Norton Antivirus for Exchangeantivirus-nav-fail-open6266Dragon FTP server allows remote attackers to cause a denial of service via a long USER command.dragon-ftp-dos(4691)BID 1352Multiples Remotes DoS Attacks in Dragon Server v1.00 and v2.00 Vulnerability20000616 Multiples Remotes DoS Attacks in Dragon Server v1.00 and v2.00Dragon telnet server allows remote attackers to cause a denial of service via a long username.bugtraq id 1352Multiples Remotes DoS Attacks in Dragon Server v1.00 and v2.00 Vulnerabilitydragon-telnet-dos(4690)20000616 Multiples Remotes DoS Attacks in Dragon Server v1.00 and v2.00Buffer overflow in KDE Kmail allows a remote attacker to cause a denial of service via an attachment with a long file name.BID 1380kde-kmail(2265)KDE Heap Overflowkde-kmail-attachment-dosCheck Point Firewall-1 allows remote attackers to cause a denial of service by sending a large number of malformed fragmented IP packets.bugtraq id 1312IP Fragment-driven Denial of Service VulnerabilityFW-1 IP Fragmentation Vulnerabilityhttp://www.checkpoint.com/techsupport/alerts/list_vun.html#IP_Fragmentation20000605 FW-1 IP Fragmentation Vulnerabilityfw1-packet-fragment-dos1379The DocumentTemplate package in Zope 2.2 and earlier allows a remote attacker to modify DTMLDocuments or DTMLMethods without authorization.zope-dtml-remote-modifyZope security alert and 2.1.7 updateZope security alert and hotfix productRHSA-2000:038FreeBSD-SA-00:3820000728 MDKSA-2000:026 Zope update2000615 Conectiva Linux Security Announcement - ZOPE1354Buffer overflow in Small HTTP Server allows remote attackers to cause a denial of service via a long GET request.small-http-get-overflow-dos(4692)Remote DoS Attack in Small HTTP Server ver. 1.212 VulnerabilitySmall HTTP Server20000616 Remote DoS Attack in Small HTTP Server ver. 1.212 Vulnerability20000616 Remote DoS Attack in Small HTTP Server ver. 1.212 Vulnerability1355Microsoft SQL Server allows local users to obtain database passwords via the Data Transformation Service (DTS) package Properties dialog, aka the "DTS Password" vulnerability.bugtraq id 1292mssql-dts-reveal-passwords(4582)Microsoft Security Bulletin (MS00-041)20000530 Fw: Steal Passwords Using SQL Server EM1292Buffer overflow in Cisco TACACS+ tac_plus server allows remote attackers to cause a denial of service via a malformed packet with a long length field.bugtraq id 1293tacacsplus-replay(4598)An Analysis of the TACACS+ Protocol and its Implementationshttp://archives.neohapsis.com/archives/bugtraq/2000-05/0370.html1293tacacsplus-packet-length-dosThe Protected Store in Windows 2000 does not properly select the strongest encryption when available, which causes it to use a default of 40-bit encryption instead of 56-bit DES encryption, aka the "Protected Store Key Length" vulnerability.BID 1295ms-protected-store(4589)Microsoft Security Bulletin (MS00-032)Buffer overflow in ITHouse mail server 1.04 allows remote attackers to execute arbitrary commands via a long RCPT TO mail command.BID 1285ithouse-rcpt-overflow(4580)Buffer Overrun in ITHouse Mail Server v1.041285FreeBSD, NetBSD, and OpenBSD allow an attacker to cause a denial of service by creating a large number of socket pairs using the socketpair function, setting a large buffer size via setsockopt, then writing large buffers.bsd-setsockopt-dos(3298)Local DoS in FreeBSD19990826 Local DoS in FreeBSD20000601 Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability - Mac OS X affected622Buffer overflow in the NetWin DSMTP 2.7q in the NetWin dmail package allows remote attackers to execute arbitrary commands via a long ETRN request.BID 1297dmail-etrn-dos(4579)Gain root remotelyhttp://netwinsite.com/dmail/security.htm20000601 Netwin's Dmail packageBuffer overflow in the XDMCP parsing code of GNOME gdm, KDE kdm, and wdm allows remote attackers to execute arbitrary commands or cause a denial of service via a long FORWARD_QUERY request.gnome-gdm-bo(4530)SuSE Security Announcement20000521 "gdm" remote hole20000524 Security hole in gdm <= 2.0beta4-2520000607 Conectiva Linux Security Announcement - gdmCSSA-2000-013.0123312791370PassWD 1.2 uses weak encryption (trivial encoding) to store passwords, which allows an attacker who can read the password file to easliy decrypt the passwords.BID 1300passwd-weak-encryption(4596)Insecure encryption in PassWD v1.21300Buffer overflow in Simple Network Time Sync (SMTS) daemon allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long string.BID 1289timesync-bo-execute(4602Vulnerability in SNTS1289Veritas Volume Manager creates a world writable .server_pids file, which allows local users to add arbitrary commands into the file, which is then executed by the vmsa_server script.BID 1356Veritas Volume Manager security holeVeritas Volume Manager 3.0.x holehttp://seer.support.veritas.com/tnotes/volumeman/230053.htmMicrosoft Windows Media Encoder allows remote attackers to cause a denial of service via a malformed request, aka the "Malformed Windows Media Encoder Request" vulnerability.ms-malformed-media-dos(4585bugtraq id 1282Microsoft Security Bulletin (MS00-038)1282IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.BID 1328websphere-jsp-source-read(4697)IBM WebSphere JSP showcode vulnerabilityhttp://www-4.ibm.com/software/webservers/appserv/efix.html1328Unify eWave ServletExec allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.BID 1328Potential vulnerability in Unify eWave ServletExecFromewave-servletexec-jsp-source-read(4649)1328The default configuration of BEA WebLogic 3.1.8 through 4.5.1 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.BID 1328BEA WebLogic JSP showcode vulnerabilityweblogic-file-source-read(4775)http://developer.bea.com/alerts/security_000612.html20000612 BEA WebLogic JSP showcode vulnerabilityweblogic-jsp-source-readThe default configuration of BEA WebLogic 5.1.0 allows a remote attacker to view source code of programs by requesting a URL beginning with /file/, which causes the default servlet to display the file without further processing.BID 1378weblogic-file-source-read(4775)Using the WebLogic Server as a webserverhttp://www.weblogic.com/docs51/admindocs/http.html#file20000621 BEA WebLogic /file/ showcode vulnerabilityRace condition in MDaemon 2.8.5.0 POP server allows local users to cause a denial of service by entering a UIDL command and quickly exiting the server.mdaemon-pass-dos(4745)BID 1366mdaemon 2.8.5.0 WinNT and Win9x remote DoS1366Mcafee VirusScan 4.03 does not properly restrict access to the alert text file before it is sent to the Central Alert Server, which allows local users to modify alerts in an arbitrary fashion.BID 1326Mcafee Alerting DOS vulnerabilitymcafee-alerting-dos(4641)6287The IFRAME of the WebBrowser control in Internet Explorer 5.01 allows a remote attacker to violate the cross frame security policy via the NavigateComplete2 event.BID 1311IE 5 Cross-frame security vulnerability using IFRAME and WebBrowser controlie-frame-domain-verification(4500)CERT Advisory CA-97.20 JavaScript Vulnerability1311libICE in XFree86 allows remote attackers to cause a denial of service by specifying a large value which is not properly checked by the SKIP_STRING macro.BID 1369linux-libice-dos(4761)XFree86: libICE DoShttp://www.xfree86.org/security/The Apache 1.3.x HTTP server for Windows platforms allows remote attackers to list directory contents by requesting a URL containing a large number of / characters.BID 1284 Apache for Windows vulnerable to root directory revealingIBM HTTP SERVER / APACHEibm-http-file-retrieveThe "capabilities" feature in Linux before 2.2.16 allows local users to cause a denial of service or gain privileges by setting the capabilities to prevent a setuid program from dropping privileges, aka the "Linux kernel setuid/setcap vulnerability."Sendmail & procmail local root exploits on Linux kernel up to 2.2.16pre5RHSA-2000:03720000802-01-P20000609 Trustix Security Advisory20000608 CONECTIVA LINUX SECURITY ANNOUNCEMENT - kernel1322Imate Webmail Server 2.5 allows remote attackers to cause a denial of service via a long HELO command.BID 1286nt-webmail-dos(4586)Denial of Service Possibilityrpc.lockd in Red Hat Linux 6.1 and 6.2 allows remote attackers to cause a denial of service via a malformed request.BID 1372Remote DOS in linux rpc.lockdlinux-lockd-remote-dosBuffer overflows in the finger and whois demonstration scripts in Sambar Server 4.3 allow remote attackers to execute arbitrary commands via a long hostname.BID 1287sambar-dll-bo(4592)20000601 DST2K0008: Buffer Overrun in Sambar Server 4.3CUPS (Common Unix Printing System) 1.04 and earlier allows remote attackers to cause a denial of service via a malformed IPP request.BID 1373debian-cups-malformed-ipp (4736)CUPS 1.0.5 Denial of Service Patch Set #120000620 CUPS DoS Bugsdebian-cups-malformed-ippCUPS (Common Unix Printing System) 1.04 and earlier allows remote attackers to cause a denial of service via a CGI POST request.BID 1373debian-cups-malformed-ipp (4736)CUPS 1.0.5 Denial of Service Patch Set #1ftp://ftp.easysw.com/pub/cups/1.0.5/cups-DoS.patch20000620 CUPS DoS Bugsdebian-cups-postsCUPS (Common Unix Printing System) 1.04 and earlier does not properly delete request files, which allows a remote attacker to cause a denial of service.BID 1373debian-cups-malformed-ipp (4736)CUPS 1.0.5 Denial of Service Patch Set #120000620 CUPS DoS Bugsdebian-cups-postsCUPS (Common Unix Printing System) 1.04 and earlier allows remote attackers to cause a denial of service by authenticating with a user name that does not exist or does not have a shadow password.BID 1373debian-cups-malformed-ipp (4736)CUPS 1.0.5 Denial of Service20000620 CUPS DoS Bugs1373debian-cups-postsGSSFTP FTP daemon in Kerberos 5 1.1.x does not properly restrict access to some FTP commands, which allows remote attackers to cause a denial of service, and local users to gain root privileges.REMOTE ROOT VULNERABILITY IN GSSFTP DAEMONkerberos-gssftpd-dos(4734)REMOTE ROOT VULNERABILITY IN GSSFTP DAEMON20000614 Security Advisory: REMOTE ROOT VULNERABILITY IN GSSFTP DAEMON13744885The snmpd.conf configuration file for the SNMP daemon (snmpd) in HP-UX 11.0 is world writable, which allows local users to modify SNMP configuration or gain privileges.HP-UX SNMP daemon vulnerabilityhpux-snmp-daemonBID 128220000607 [ Hackerslab bug_paper ] HP-UX SNMP daemon vulnerability20000608 Re: HP-UX SNMP daemon vulnerability1327When configured to store configuration information in an LDAP directory, Shiva Access Manager 5.0.0 stores the root DN (Distinguished Name) name and password in cleartext in a file that is world readable, which allows local users to compromise the LDAP server.BID 1329Shiva Access Manager 5.0.0 Plaintext LDAP root passwordshiva-plaintext-ldap-password(4612)1329Netscape 4.73 and earlier does not properly warn users about a potentially invalid certificate if the user has previously accepted the certificate for a different web site, which could allow remote attackers to spoof a legitimate web site by compromising that site's DNS information.CERT Advisory CA-2000-08 Inconsistent Warning Messages in Netscape NavigatorBID 1260netscape-ssl-certificate(4550)Internet Explorer 4.x and 5.x does not properly verify all contents of an SSL certificate if a connection is made to the server via an image or a frame, aka one of two different "SSL Certificate Validation" vulnerabilities.BID 1309Patch Available for SSL Certificate Validation Vulnerabilitiesie-revalidate-certificate(4627)CERT Advisory CA-2000-10 Inconsistent Warning Messages in Internet ExplorerInternet Explorer 4.x and 5.x does not properly re-validate an SSL certificate if the user establishes a new SSL session with the same server during the same Internet Explorer session, aka one of two different "SSL Certificate Validation" vulnerabilities.BID 1309Patch Available for SSL Certificate Validationie-revalidate-certificate(4627)CERT Advisory CA-2000-10 Inconsistent Warning Messages in Internet ExplorerBuffer overflow in restore program 0.4b17 and earlier in dump package allows local users to execute arbitrary commands via a long tape name.BID 1330Typo in tape.c potential hazardMDKSA-2000:018 dump update20000630 CONECTIVA LINUX SECURITY ANNOUNCEMENT - dumpSavant web server allows remote attackers to read source code of CGI scripts via a GET request that does not include the HTTP version number.BID 1313savant-source-read(4616)Reading of CGI Scripts under Savant WebserverRSA ACE/Server allows remote attackers to cause a denial of service by flooding the server's authentication request port with UDP packets, which causes the server to crash.BID 1332RSA Aceserver UDP Flood VulnerabilityACE/Serveraceserver-udp-packet-dos(5053)20000608 Potential DoS Attack on RSA's ACE/ServerBuffer overflow in the logging feature of EServ 2.9.2 and earlier allows an attacker to execute arbitrary commands via a long MKD command.bugtraq id 1315eserv-logging-overflow(4614)MDMA Advisory #6: EServ Logging Heap Overflow VulnerabilityMicrosoft Outlook and Outlook Express allow remote attackers to cause a denial of service by sending email messages with blank fields such as BCC, Reply-To, Return-Path, or From.BID 1333Microsoft Outlook (Express) bug..outlook-header-dos(4645)OpenSSH does not properly drop privileges when the UseLogin option is enabled, which allows local users to execute arbitrary commands by providing the command to the ssh daemon.openssh-uselogin-remote-exec(4646)OpenSSH's UseLogin option allows remote access with root privilegeCONECTIVA LINUX SECURITY ANNOUNCEMENT20000609 OpenSSH's UseLogin option allows remote access with root privilege.20000606 The non-default UseLogin feature in /etc/sshd_config is broken and should not be used.1334341mailview.cgi CGI program in MailStudio 2000 2.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack.BID 1335mailstudio-view-files(4737)Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]userreg.cgi CGI program in MailStudio 2000 2.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters.http-cgi-mailstudio-bo(4740)BID 1335Re: Mailstudio2000 CGI Vulnerabilities20000609 Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]Net Tools PKI Server does not properly restrict access to remote attackers when the XUDA template files do not contain absolute pathnames for other files.BID 1364nettools-pki-unauthenticated-access(4743)Net Tools PKI server exploitsftp://ftp.tis.com/gauntlet/hide/pki/hotfix.txt4353Net Tools PKI Server allows remote attackers to cause a denial of service via a long HTTP request.BID 1363Net Tools PKI server exploitsnettools-pki-http-bo(4744)ftp://ftp.tis.com/gauntlet/hide/pki/hotfix.txt4352The KApplication class in the KDE 1.1.2 configuration file management capability allows local users to overwrite arbitrary files.kde-configuration-file-creation(4583)BID 1291KDE::KApplication feature?CSSA-2000-015.0RHSA-2000:032Linux gpm program allows local users to cause a denial of service by flooding the /dev/gpmctl device with STREAM sockets.BID 1377Bug in gpmlinux-gpm-gpmctl-dos(5010)RHSA-2000:04520000728 MDKSA:2000-025 gpm updateA FreeBSD patch for SSH on 2000-01-14 configures ssh to listen on port 722 as well as port 22, which might allow remote attackers to access SSH through port 722 even if port 22 is otherwise filtered.BID 1323FreeBSD Security Advisory: FreeBSD-SA-00:21.ssh [REVISEDfreebsd-ssh-ports(4638)1387Vulnerability in cvconnect in SGI IRIX WorkShop allows local users to overwrite arbitrary files.BID 1379irix-workshop-cvconnect-overwrite(4725)20000601-01-PThe apsfilter software in the FreeBSD ports package does not properly read user filter configurations, which allows local users to execute commands as the lpd user.BID 1325freebsd-port-apsfilter(4642): FreeBSD Security Advisory: FreeBSD-SA-00:22.apsfilterapsfilter-elevate-privileges1389OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the existence of the /dev/random or /dev/urandom devices, which are absent on FreeBSD Alpha systems, which causes them to produce weak keys which may be more easily broken.BID 1340FreeBSD Security Advisory: FreeBSD-SA-00:25.alpha-dev-randomfreebsd-alpha-weak-encryption(4704)xinetd 2.1.8.x does not properly restrict connections if hostnames are used for access control and the connecting host does not have a reverse DNS entry.hompepageBID 1381xinetd-improper-restrictions(4986)20000619 xinetd: bug in access control mechanismBRU backup software allows local users to append data to arbitrary files by specifying an alternate configuration file with the BRUEXECLOG environmental variable.bru-execlog-env-variable(4644)BID 1321BRU VulnerabilityCSSA-2000-018.0ColdFusion Administrator for ColdFusion 4.5.1 and earlier allows remote attackers to cause a denial of service via a long login password.coldfusion-parse-dos(4611)BID 1314Workaround available for Denial of Service attack against ColdFusion Administrator20000607 New Allaire ColdFusion DoS3399Servlet examples in Allaire JRun 2.3.x allow remote attackers to obtain sensitive information, e.g. listing HttpSession ID's via the SessionServlet servlet.jrun-read-sample-files(4774)BID 1386Workaround available for vulnerabilities exposed by JRun 2.3.x code sample818JSP sample files in Allaire JRun 2.3.x allow remote attackers to access arbitrary files (e.g. via viewsource.jsp) or obtain configuration information.jrun-read-sample-files(4774)BID 1386Workaround available for vulnerabilities exposed by JRun 2.3.x code sample2713The Panda Antivirus console on port 2001 allows local users to execute arbitrary commands without authentication via the CMD command.BID 1359panda-antivirus-remote-admin(4707)Infosec.20000617.panda.apanda-antivirus-remote-admin(4707)Tigris remote access server before 11.5.4.22 does not properly record Radius accounting information when a user fails the initial login authentication but subsequently succeeds.bugtraq id 1345tigris-radius-login-failureACC/Ericsson Tigris Accounting FailureThe command port for PGP Certificate Server 2.5.0 and 2.5.1 allows remote attackers to cause a denial of service if their hostname does not have a reverse DNS entry and they connect to port 4000.bugtraq id 1343XF:pgp-cert-server-dos(4695)Remote DoS attack in Networks Associates PGP Certificate Server Version 2.5 VulnerabilityWindows NT and Windows 2000 hosts allow a remote attacker to cause a denial of service via malformed DCE/RPC SMBwriteX requests that contain an invalid data length.BID 1304nt-smb-request-dos(4600)anonymous SMBwriteX DoSBuffer overflow in mailx mail command (aka Mail) on Linux systems allows local users to gain privileges via a long -c (carbon copy) parameter.mailxsgi-mailx-bo(1371)/usr/bin/Mail exploit for Slackware 7.0 (mail-slack.c)20000605 mailx: mail group exploit in mailx1305Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the lastrealm variable in the set_tgtkey function.CERT Advisory CA-2000-11 MIT Kerberos Vulnerable to Denial-of-Service Attackskerberos-lastrealm-boMULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDChttp://web.mit.edu/kerberos/www/advisories/krb4kdc.txtK-0511338Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the localrealm variable in the process_v4 function.CA-2000-11kerberos-lastrealm-bo20000609 Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDChttp://web.mit.edu/kerberos/www/advisories/krb4kdc.txtK-0511338Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the e_msg variable in the kerb_err_reply function.CERT Advisory CA-2000-11 MIT Kerberos Vulnerable to Denial-of-Service Attackskerberos-emsg-boMULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDChttp://web.mit.edu/kerberos/www/advisories/krb4kdc.txtRHSA-2000:031K-0514875Kerberos 4 KDC program does not properly check for null termination of AUTH_MSG_KDC_REQUEST requests, which allows remote attackers to cause a denial of service via a malformed request.BID 1464CERT Advisory CA-2000-11MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDChttp://web.mit.edu/kerberos/www/advisories/krb4kdc.txtRHSA-2000:031K-051Kerberos 4 KDC program improperly frees memory twice (aka "double-free"), which allows remote attackers to cause a denial of service.BID 1464kerberos-free-memoryCERT Advisory CA-2000-11http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt20000609 Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDCRHSA-2000:031K-0511465The file transfer mechanism in Danware NetOp 6.0 does not provide authentication, which allows remote attackers to access and modify arbitrary files.BID 1263danware-netop-bypass-security(4569)I ThinkICQwebmail client for ICQ 2000A creates a world readable temporary file during login and does not delete it, which allows local users to obtain sensitive information.BID 1307ICQwebmail temparary internet linkicq-temp-link(4607)Race condition in IPFilter firewall 3.4.3 and earlier, when configured with overlapping "return-rst" and "keep state" rules, allows remote attackers to bypass access restrictions.BID 1308Security Vulnerability in IPFilter 3.3.15 and 3.4.3ipfilter-firewall-race-condition1377Ceilidh allows remote attackers to obtain the real path of the Ceilidh directory via the translated_path hidden form field.BID 1320ceilidh-path-disclosureDoS, Path Revealing & Buffer Overrun Vulnerability in Ceilidh > v2.60aCeilidh allows remote attackers to cause a denial of service via a large number of POST requests.BID 1320ceilidh-post-dos(4622)Title : DoS, Path Revealing & Buffer Overrun Vulnerability in Ceilidh > v2.60aBuffer overflow in the web interface for Cmail 2.4.7 allows remote attackers to cause a denial of service by sending a large user name to the user dialog running on port 8002.BID 1319cmail-long-username-dos(4625)DoS & BufferOverrun in CMail v2.4.7 WebMailhttp://www.computalynx.net/news/Jun2000/news0806200001.htmlBuffer overflow in the web interface for Cmail 2.4.7 allows remote attackers to execute arbitrary commands via a long GET request.bugtraq id 1318:cmail-get-overflow-execute(4626)DoS & BufferOverrun in CMail v2.4.7 WebMailBuffer overflow in HP Openview Network Node Manager 6.1 allows remote attackers to execute arbitrary commands via the Alarm service (OVALARMSRV) on port 2345.hp-openview-nnm-bo(4619)BID 1317BufferOverrun in HP Openview Network Node Manager v6.1eTrust Intrusion Detection System (formerly SessionWall-3) uses weak encryption (XOR) to store administrative passwords in the registry, which allows local users to easily decrypt the passwords.BID 1341etrust-weak-password-encryption(5051)20000607 SessionWall-3 Paper + (links to) codeBuffer overflow in WebBBS 1.15 allows remote attackers to execute arbitrary commands via a long HTTP GET request.BID 1365webbbs-get-request-overflow(4742)Multiple BufferOverruns in WebBBS HTTP Server v1.153544BlackIce Defender 2.1 and earlier, and BlackIce Pro 2.0.23 and earlier, do not properly block Back Orifice traffic when the security setting is Nervous or lower.blackice-security-level-nervous(4777)BID 1389BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2The URLConnection function in MacOS Runtime Java (MRJ) 2.1 and earlier and the Microsoft virtual machine (VM) for MacOS allows a malicious web site operator to connect to arbitrary hosts using a HTTP redirection, in violation of the Java security model.Security Holes Found in URLConnection of MRJ and IE of Mac OS (was Re: Reappearance of an old IE security bug133620000513 Re: Reappearance of an old IE security bugThe guestbook CGI program in ICQ Web Front service for ICQ 2000a, 99b, and others allows remote attackers to cause a denial of service via a URL with a long name parameter.BID 1463icq-pws-guestbook-dos(4077ICQ Web Front Remote DoS Attack VulnerabilitySmartFTP Daemon 0.2 allows a local user to access arbitrary files by uploading and specifying an alternate user configuration file via a .. (dot dot) attack.BID 1344smartftp-directory-traversal(4706)SmartFTP Daemon v0.2 Beta Build 9 - Remote Exploit1394makewhatis in Linux man package allows local users to overwrite files via a symlink attack.BID 1434linux-man-makewhatis-tmp(4900)man package's 'makewhatis' uses insecure handling of files in /tmpRHSA-2000:041CSSA-2000-021.0MDKSA-2000:01520000727 CONECTIVA LINUX SECURITY ANNOUNCEMENT - MAN1434Buffer overflow in Microsoft Outlook and Outlook Express allows remote attackers to execute arbitrary commands via a long Date field in an email header, aka the "Malformed E-mail Header" vulnerability.BID 1481Buffer Overflow in Microsoft Outlook and Outlook Express Mail ClientsMicrosoft Security Bulletin (MS00-043):MS00-0431481outlook-date-overflowSybergen Secure Desktop 2.1 does not properly protect against false router advertisements (ICMP type 9), which allows remote attackers to modify default routes.BID 1417sybergen-routing-table-modify: Multiple vulnerabilities in Sybergen Secure Desktop1417Sybergen Sygate allows remote attackers to cause a denial of service by sending a malformed DNS UDP packet to its internal interface.BID 1420Any LAN user can crash Sygatesygate-udp-packet-dos(5049)FirstClass Internet Services server 5.770, and other versions before 6.1, allows remote attackers to cause a denial of service by sending an email with a long To: mail header.BID 1421firstclass-large-bcc-dosDoS in FirstClass Internet Services 5.7705718LocalWEB HTTP server 1.2.0 allows remote attackers to cause a denial of service via a long GET request.BID 1423localweb-get-bo(4896): Remote DoS Attack in LocalWEB HTTP Server 1.2.0 Vulnerability1423The Razor configuration management tool uses weak encryption for its password file, which allows local users to gain privileges.BID 1424razor-weak-encryption(4875)Recovering Passwords in Visible Systems' Razor1424The lreply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary commands via the SITE EXEC command.BID 1505CERT Advisory CA-2000-13 Two Input Validation Problems In FTPDVulnerability in ftpd20000622 WuFTPD: Providing *remote* root since at least199420000623 WUFTPD 2.6.0 remote root exploit20000707 New Released Version of the WuFTPD Sploit20000623 ftpd: the advisory versionAA-2000.02CSSA-2000-020.0RHSA-2000:03920000723 CONECTIVA LINUX SECURITY ANNOUNCEMENT - WU-FTPD (re-release)20000702 [Security Announce] wu-ftpd updateFreeBSD-SA-00:29NetBSD-SA2000-0091387wuftp-format-string-stack-overwrite(4773)FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd do not properly cleanse untrusted format strings that are used in the setproctitle function (sometimes called by set_proc_title), which allows remote attackers to cause a denial of service or execute arbitrary commands.ftp-setproctitle-format-string(4908)CERT Advisory CA-2000-13 Two Input Validation Problems In FTPDVulnerability in ftpd20000705 proftp advisory20000706 ftpd and setproctitle()20000710 opieftpd setproctitle() patchesNetBSD-SA2000-00914251438SSH 1.2.27 with Kerberos authentication support stores Kerberos tickets in a file which is created in the current directory of the user who is logging in, which could allow remote attackers to sniff the ticket cache if the home directory is installed on NFS.BID 1426ssh-kerberos-tickets-disclosure(4903)The ftp server (ftpd) on HP-UX allows users root access20000630 Kerberos security vulnerability in SSH-1.2.27Oracle Web Listener for AIX versions 4.0.7.0.0 and 4.0.8.1.0 allows remote attackers to cause a denial of service via a malformed URL.BID 1427Oracle Web Listener for AIX DoSoracle-web-listener-dos(4874)Netscape Professional Services FTP Server 1.3.6 allows remote attackers to read arbitrary files via a .. (dot dot) attack.netscape-ftpserver-chroot(4760)Netscape FTP Server - 20000629 (forw) Re: Netscape ftp Server (fwd)1411SGI MIPSPro compilers C, C++, F77 and F90 generate temporary files in /tmp with predictable file names, which could allow local users to insert malicious contents into these files as they are being compiled by another user.BID 1412Poor Tempfile Use in IRIX: Compilers and Cronsgi-mipspro-modify-files(5007)IRIX crontab creates temporary files with predictable file names and with the umask of the user, which could allow local users to modify another user's crontab file as it is being edited.BID 1413Predictability Problems in IRIX Cron and Compilersirix-cron-modify-crontab(5008)Windows 2000 Server allows remote attackers to cause a denial of service by sending a continuous stream of binary zeros to various TCP and UDP ports, which significantly increases the CPU utilization.BID 1415win2k-cpu-overload-dosSecureXpert Advisory [SX-20000620-2]Windows 2000 Telnet Server allows remote attackers to cause a denial of service by sending a continuous stream of binary zeros, which causes the server to crash.BID 1414win2k-telnetserver-dos(4823)SecureXpert Advisory [SX-20000620-1]1414Check Point FireWall-1 4.0 and 4.1 allows remote attackers to cause a denial of service by sending a stream of invalid commands (such as binary zeros) to the SMTP Security Server proxy.BID1416fw1-resource-overload-dosSecureXpert Advisory [SX-20000620-3http://www.checkpoint.com/techsupport/alerts/list_vun.html#SMTP_Security14161438vchkpw program in vpopmail before version 4.8 does not properly cleanse an untrusted format string used in a call to syslog, which allows remote attackers to cause a denial of service via a USER or PASS command that contains arbitrary formatting directives.BID 1418inter7-vpopmail-bo(4572)vpopmail-3.4.11 problemshttp://www.vpopmail.cx/vpopmail-ChangeLog1418Buffer overflow in Canna input system allows remote attackers to execute arbitrary commands via an SR_INIT command with a long user name or group name.FreeBSD-SA-00:31canna-bin-execute-bo(4912)canna server: buffer overflowhttp://shadowpenguin.backsection.net/advisories/advisory038.html1445ISC DHCP client program dhclient allows remote attackers to execute arbitrary commands via shell metacharacters.openbsd-isc-dhcp-bo(4772)Possible root exploit in ISC DHCP client[Security Announce] dhcp update20000628 dhcp client: remote root exploit in dhcp client FreeBSD-SA-00:3420000702 [Security Announce] dhcp update20000711 Security Hole in dhclient < 2.0NetBSD-SA2000-0081388Buffer overflow in Dalnet IRC server 4.6.5 allows remote attackers to cause a denial of service or execute arbitrary commands via the SUMMON command.BID 1404ircd-dalnet-summon-bo(4826)20000628 dalnet 4.6.5 remote vulnerability1404The privpath directive in glftpd 1.18 allows remote attackers to bypass access restrictions for directories by using the file name completion capability.glftpd-privpath-directiveGlftpd privpath bugs... +fixProduct home page20000627 Re: Glftpd privpath bugs... +fix1401SawMill 5.0.21 CGI program allows remote attackers to read the first line of arbitrary files by listing the file in the rfcf parameter, whose contents SawMill attempts to parse as configuration commands.BID 1402Flowerfire Sawmill File Access Vulnerabilitysawmill5.0.21 old path bug & weak hash algorithm20000706 Patch for Flowerfire Sawmill Vulnerabilities Available1402SawMill 5.0.21 uses weak encryption to store passwords, which allows attackers to easily decrypt the password and modify the SawMill configuration.BID1404sawmill-weak-encryption(4837)sawmill5.0.21 old path bug & weak hash algorithm20000706 Patch for Flowerfire Sawmill Vulnerabilities Available1403Poll It 2.0 CGI script allows remote attackers to read arbitrary files by specifying the file name in the data_dir parameter.BID 1431http-cgi-pollit-variable-overwrite(4878)Vulnerability in Poll_It cgi v2.0Novell BorderManager 3.0 and 3.5 allows remote attackers to bypass URL filtering by encoding characters in the requested URL.BID 1432bordermanager-bypass-url-restriction(4906)Novell BorderManager 3.0 EE - Encoded URL rule bypass1432Buffer overflows in POP3 service in WinProxy 2.0 and 2.0.1 allow remote attackers to execute arbitrary commands via long USER, PASS, LIST, RETR, or DELE commands.BID 1400winproxy-command-bo(4832)WinProxy 2.0.0/2.0.1 DoS and Exploitable Buffer Overflow1400WinProxy 2.0 and 2.0.1 allows remote attackers to cause a denial of service by sending an HTTP GET request without listing an HTTP version number.BID 1400winproxy-get-dos(4831)WinProxy 2.0.0/2.0.1 DoS and Exploitable Buffer Overflow20000627 [SPSadvisory #37]WinProxy 2.0.0/2.0.1 DoS and Exploitable Buffer Overflow1400BitchX IRC client does not properly cleanse an untrusted format string, which allows remote attackers to cause a denial of service via an invite to a channel whose name includes special formatting characters.bitchx port contains client-side vulnerabilityirc-bitchx-invite-dos(4897)BitchX /ignore bug20000704 BitchX /ignore bug20000704 BitchX exploit possibly waiting to happen, certain DoSRHSA-2000:042FreeBSD-SA-00:32CSSA-2000-022.020000707 BitchX update20000707 CONECTIVA LINUX SECURITY ANNOUNCEMENT - BitchX1436libedit searches for the .editrc file in the current directory instead of the user's home directory, which may allow local users to execute arbitrary commands by installing a modified .editrc in another directory.BID 1437libedit reads config file from current directorybsd-libedit-editrc(4911)1446Internet Explorer 5.x does not warn a user before opening a Microsoft Access database file that is referenced within ActiveX OBJECT tags in an HTML document, which could allow remote attackers to execute arbitrary commands, aka the "IE Script" vulnerability.ie-access-script-vulnerability(4924)Microsoft Security Bulletin (MS00-049): IE 5 and Access 2000 vulnerability - executing programs20000627 FW: IE 5 and Access 2000 vulnerability - executing programsCA-2000-161398Microsoft Office 2000 (Excel and PowerPoint) and PowerPoint 97 are marked as safe for scripting, which allows remote attackers to force Internet Explorer or some email clients to save files to arbitrary locations via the Visual Basic for Applications (VBA) SaveAs function, aka the "Office HTML Script" vulnerability.MS Security Bulletin MS00-049office-html-script-vulnerability(4923)IE 5 and Excel 2000, PowerPoint 2000 vulnerability - executing programs1399Fortech Proxy+ allows remote attackers to bypass access restrictions for to the administration service by redirecting their connections through the telnet proxy.BID 1395fortech-proxy-telnet-gateway(4779)Proxy+ Telnet Gateway Problemshttp://www.proxyplus.cz/faq/articles/EN/art01002.htm1395Buffer overflow in iMesh 1.02 allows remote attackers to execute arbitrary commands via a long string to the iMesh port.BID 1407imesh-tcp-port-overflow(4829) iMesh 1.02 vulnerabilityhttp://www.imesh.com/download/download.html1407Netscape Enterprise Server in NetWare 5.1 allows remote attackers to cause a denial of service or execute arbitrary commands via a malformed URL.BID 1393netscape-virtual-directory-bo(4780)Netscape Enterprise Server for NetWare Virtual Directory Vulnerab ilityLeafChat 1.7 IRC client allows a remote IRC server to cause a denial of service by rapidly sending a large amount of error messages.BID 1396irc-leafchat-dos(4778)LeafChat Denial of Servicehttp://www.leafdigital.com/Software/leafChat/history.html1396Secure Locate (slocate) in Red Hat Linux allows local users to gain privileges via a malformed configuration file that is specified in the LOCATE_PATH environmental variable.BID 1385redhat-secure-locate-path(4726): rh 6.2 - gid compromises, etc20000621 rh 6.2 - gid compromises, etc1385Microsoft SQL Server 7.0 allows a local user to bypass permissions for stored procedures by referencing them via a temporary stored procedure, aka the "Stored Procedure Permissions" vulnerability.BID 1444Microsoft Security Bulletin (MS00-048)mssql-extended-procs(1762)mssql-procedure-permsgkermit in Red Hat Linux is improperly installed with setgid uucp, which allows local users to modify files owned by uucp.BID 1383redhat-gkermit(4727)rh 6.2 - gid compromises, etcBlackboard CourseInfo 4.0 stores the local and SQL administrator user names and passwords in cleartext in a registry key whose access control allows users to access the passwords.BID 1460blackboard-courseinfo-plaintext(4904)Security Fix for Blackboard CourseInfo 4.0146020000710 Two issues: Blackboard CourseInfo 4.0 stores admin password in clear text; strange settings on the winreg key.Buffer overflow in kon program in Kanji on Console (KON) package on Linux may allow local users to gain root privileges via a long -StartupMessage parameter.BID 1371linux-kon-bo(4763)Problems with "kon2" package1371Buffer overflow in fld program in Kanji on Console (KON) package on Linux may allow local users to gain root privileges via an input file containing long CHARSET_REGISTRY or CHARSET_ENCODING settings.BID 1371linux-kon-bo(4763)Problems with "kon2" package1371NetWin dMailWeb and cwMail 2.6i and earlier allows remote attackers to cause a denial of service via a long POP parameter (pophost).BID 1376dmailweb-long-pophost-dos(4759)NetWin dMailWeb Denial of ServiceNetWin dMailWeb and cwMail 2.6g and earlier allows remote attackers to cause a denial of service via a long username parameter.BID 1376dmailweb-long-username-dos(4758NetWin dMailWeb Denial of Service1376NetWin dMailWeb and cwMail 2.6g and earlier allows remote attackers to bypass authentication and use the server for mail relay via a username that contains a carriage return.BID 1390 NetWin dMailWeb Unrestricted Mail Relayhttp://xforce.iss.net/static/4770.php20000623 NetWin dMailWeb Unrestricted Mail RelayThe default configuration of NetWin dMailWeb and cwMail trusts all POP servers, which allows attackers to bypass normal authentication and cause a denial of service.BID 1391netwin-dmailweb-auth(4771NetWin dMailWeb Unrestricted Mail RelayWindows 95 and Windows 98 do not properly process spoofed ARP packets, which allows remote attackers to overwrite static entries in the cache table.BID 1406win-arp-spoofing(4828)Buggy ARP handling in WindozeCisco Secure PIX Firewall does not properly identify forged TCP Reset (RST) packets, which allows remote attackers to force the firewall to close legitimate connections.PIX DMZ Denial of Service - TCP Resetscisco-pix-firewall-tcp20000711 Cisco Secure PIX Firewall TCP Reset Vulnerability1454cisco-pix-firewall-tcp1457Tnef program in Linux systems allows remote attackers to overwrite arbitrary files via TNEF encoded compressed attachments which specify absolute path names for the decompressed output.BID 1450linux-tnef-email-overwrite(4915)[suse-security-announce] SuSE Security Announcement: tnefLPRng 3.6.x improperly installs lpd as setuid root, which can allow local users to append lpd trace and logging messages to files.bid1447lpd-suid-root(7361)Vulnerability in HP TurboIMAGE DBUTIL allows local users to gain additional privileges via DBUTIL.PUB.SYS.bugtraq id 1405hp-turboimage-dbutil(4943)HPSBMP0006-007 Sec. Vulnerability in TurboIMAGE DBUTILBuffer overflow in xconq and cconq game programs on Red Hat Linux allows local users to gain additional privileges via long USER environmental variable.BID 1495xconq-elevate-privileges(4995)RHL 6.2 xconq package - overflows yield gid gamesBuffer overflow in xconq and cconq game programs on Red Hat Linux allows local users to gain additional privileges via long DISPLAY environmental variable.BID 1495xconq-elevate-privileges(4995)RHL 6.2 xconq package - overflows yield gid gamesTop Layer AppSwitch 2500 allows remote attackers to cause a denial of service via malformed ICMP packets.bid1258toplayer-icmp-dos(7364)libX11 X library allows remote attackers to cause a denial of service via a resource mask of 0, which causes libX11 to go into an infinite loop.BID 1409libx11-infinite-loop-dos(4996)XFree86: Various nasty libX11 holes20000619 XFree86: Various nasty libX11 holesMicrosoft Outlook 98 and 2000, and Outlook Express 4.0x and 5.0x, allow remote attackers to read files on the client's system via a malformed HTML message that stores files outside of the cache, aka the "Cache Bypass" vulnerability.CERT Advisory CA-2000-14 Microsoft Outlook and Outlook Express Cache Bypass VulnerabilityBID 1501Microsoft Security Bulletin (MS00-046)outlook-cache-bypassBuffer overflow in Webfind CGI program in O'Reilly WebSite Professional web server 2.x allows remote attackers to execute arbitrary commands via a URL containing a long "keywords" parameter.BID 1487WebSite Professional 2.x UpdatesO'Reilly WebSite Professional version 2.x for Windows 9x/NT/2000http://website.oreilly.com/support/software/wspro25_releasenotes.txt20000719 O'Reilly WebSite Professional Overflowwebsite-webfind-bo(4962)1487Buffer overflow in O'Reilly WebSite Professional web server 2.4 and earlier allows remote attackers to execute arbitrary commands via a long GET request or Referrer header.BID 1492O'Reilly WebSite GET Buffer Overflow VulnerabilityAlert: Buffer Overrun is O'Reilly WebsitePro httpd32.exe (CISADV000717Buffer overflow in Winamp 2.64 and earlier allows remote attackers to execute arbitrary commands via a long #EXTINF: extension in the M3U playlist.BID 1496winamp-playlist-parser-bo(4956)Winamp M3U playlist parser buffer overflow security vulnerabilityhttp://www.winamp.com/getwinamp/newfeatures.jhtmlNetZero 3.0 and earlier uses weak encryption for storing a user's login information, which allows a local user to decrypt the password.BID 1483NetZero Password Encryption Algorithmnetzero-password-disclosure(4461)Buffer overflow in Alibaba web server allows remote attackers to cause a denial of service via a long GET request.BID 1482alibaba-get-dos(4934)Multiple bugs in Alibaba 2.0BlackBoard CourseInfo 4.0 does not properly authenticate users, which allows local users to modify CourseInfo database information and gain privileges by directly calling the supporting CGI programs such as user_update_passwd.pl and user_update_admin.pl.BID 1486blackboard-courseinfo-dbase-modification(4946Blackboard Courseinfo v4.0 User Authentication20000719 Security Fix for Blackboard CourseInfo 4.0The source.asp example script in the Apache ASP module Apache::ASP 1.93 and earlier allows remote attackers to modify files.BID 1457apache-source-asp-file-write(4931)ANNOUNCE Apache::ASP v1.95 - Security Hole Fixedhttp://www.nodeworks.com/asp/changes.htmlThe default configuration of the Sun Java web server 2.0 and earlier allows remote attackers to execute arbitrary commands by uploading Java code to the server via board.html, then directly calling the JSP compiler servlet.BID 1459Removing Examples and Unnecessary Servlets Java Web Server 2.0Sun's Java Web Server remote command execution vulnerabilityCERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests1459IIS 4.0 and 5.0 allows remote attackers to obtain fragments of source code by appending a +.htr to the URL, a variant of the "File Fragment Reading via .HTR" vulnerability.BID 1488iis-ism-file-access(4448)Microsoft Security Bulletin (MS00-044)1488iis-htr-obtain-codeAn administrative script from IIS 3.0, later included in IIS 4.0 and 5.0, allows remote attackers to cause a denial of service by accessing the script without a particular argument, aka the "Absent Directory Browser Argument" vulnerability.BID 1476iis-absent-directory-dos(4951)Microsoft Security Bulletin (MS00-044)20000718 ISBASE Security Advisory(SA2000-02)Buffer overflow in the web archive component of L-Soft Listserv 1.8d and earlier allows remote attackers to execute arbitrary commands via a long query string.BID 1490http-cgi-listserv-wa-bo(4419)[COVERT-2000-07] LISTSERV Web Archive Remote Overflowhttp://www.lsoft.com/news/default.asp?item=Advisory120000717 [COVERT-2000-07] LISTSERV Web Archive Remote Overflow1490lsoft-listserv-querystring-boVulnerability in Mandrake Linux usermode package allows local users to to reboot or halt the system.BID 1489linux-usermode-dos(4944)MDKSA-2000:020 usermode updateRHSA-2000:05320000812 Conectiva Linux security announcement - usermodeThe web administration interface for CommuniGate Pro 3.2.5 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack.BID 1493Vulnerabilities in Stalker's CommuniGate Pro v3.2.4Vulnerabilities in CommuniGate Pro v3.2.4communigate-pro-file-read5774The view_page.html sample page in the MiniVend shopping cart program allows remote attackers to execute arbitrary commands via shell metacharacters.BID 1449minivend-viewpage-sample(4880)Akopia MiniVend Piped Command Execution Vulnerabilityhttp://www.zdnet.com/zdnn/stories/news/0,4586,2600258,00.htmlHP JetDirect printers versions G.08.20 and H.08.20 and earlier allow remote attackers to cause a denial of service via a malformed FTP quote command.BID 1491HP Jetdirect - Invalid FTP Command DoShp-jetdirect-quote-dosMicrosoft Excel 97 and 2000 allows an attacker to execute arbitrary commands by specifying a malicious .dll using the Register.ID function, aka the "Excel REGISTER.ID Function" vulnerability.excel-register-function(5016)Excel 2000 vulnerability - executing programsMicrosoft Security Bulletin (MS00-051)1451bb-hostsvc.sh in Big Brother 1.4h1 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack on the HOSTSVC parameter.Re: BIG BROTHER EXPLOIThttp://bb4.com/README.CHANGES20000711 BIG BROTHER EXPLOIT20000711 REMOTE EXPLOIT IN ALL CURRENT VERSIONS OF BIG BROTHER1455http-cgi-bigbrother-bbhostsvcThe default configuration of Big Brother 1.4h2 and earlier does not include proper access restrictions, which allows remote attackers to execute arbitrary commands by using bbd to upload a file whose extension will cause it to be executed as a CGI script by the web server.BID 1494Big Brother filename extension vulnerabilityhttp-cgi-bigbrother-bbhostsvc(4879big-brother-filename-extension1472Guild FTPd allows remote attackers to determine the existence of files outside the FTP root via a .. (dot dot) attack, which provides different error messages depending on whether the file exists or not.BID 1452guild-ftpd-disclosure(4922)Big Brother filename extension vulnerability573Savant web server allows remote attackers to execute arbitrary commands via a long GET request.BID 1453savant-get-bo(4901)gnu-pop3d (FTGate problem), Savant Webserver, Guild FTPdThe default configuration of WebActive HTTP Server 1.00 stores the web access log active.log in the document root, which allows remote attackers to view the logs by directly requesting the page.BID 1497Lame DoS in WEBactive win65/NT serverwebactive-active-logBuffer overflow in WebActive HTTP Server 1.00 allows remote attackers to cause a denial of service via a long URL.BID 1470webactive-long-get-dos(4949)Lame DoS in WEBactive win65/NT serveWFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of service by executing a STAT command while the LIST command is still executing.BID 1506wftpd-stat-info(5005)WFTPD/WFTPD Pro 2.41 RC11 vulnerabilitieswftpd-stat-dos1477WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of service by using the RESTART (REST) command and writing beyond the end of a file, or writing to a file that does not exist, via commands such as STORE UNIQUE (STOU), STORE (STOR), or APPEND (APPE).BID 1506wftpd-rest-dos(5004)WFTPD/WFTPD Pro 2.41 RC11 vulnerabilitiesWFTPD and WFTPD Pro 2.41 allows remote attackers to obtain the real pathname for a file by executing a STATUS (STAT) command while the file is being transferred.BID 1506wftpd-stat-dos(5003)WFTPD/WFTPD Pro 2.41 RC11 vulnerabilitiesWFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of service by executing an MLST command before logging into the server.BID 1506wftpd-mlst-dos(5006)WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities.WFTPD and WFTPD Pro 2.41 allows local users to cause a denial of service by executing the RENAME TO (RNTO) command before a RENAME FROM (RNFR) command.BID 1456niteserver-rename-file-dos(4511WFTPD/WFTPD Pro 2.41 RC10 denial-of-serviceIIS 4.0 allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request for a web page which is protected by basic authentication and has no realm defined.BID 1499Internet Information Server Returns IP Address in HTTP Header (Content-Location) IIS4 Basic authentication realm issueThe default installation of VirusScan 4.5 and NetShield 4.5 has insecure permissions for the registry key that identifies the AutoUpgrade directory, which allows local users to execute arbitrary commands by replacing SETUP.EXE in that directory with a Trojan Horse.BID 1458Potential Vulnerability in McAfee Netshield and VirusScan 4.5nai-virusscan-netshield-autoupgrade(5177)14584200The ClientTrust program in Novell BorderManager does not properly verify the origin of authentication requests, which could allow remote attackers to impersonate another user by replaying the authentication requests and responses from port 3024 of the victim's machine.BID 1440Bypass url restrictions 4906Unauthenticated user can web surf as any authenticated user20000707 Novell Border Manger - Anyone can pose as an authenticated usernovell-bordermanager-verificationIBM WebSphere allows remote attackers to read source code for executable web files by directly calling the default InvokerServlet using a URL which contains the "/servlet/file" string.BID 1500websphere-jsp-source-read(4697) IBM WebSphere default servlet handler showcode vulnerabilitywebsphere-showcodeMicrosoft Outlook Express allows remote attackers to monitor a user's email by creating a persistent browser link to the Outlook Express windows, aka the "Persistent Mail-Browser Link" vulnerability.BID 1502outlook-express-mail-browser-link(4973)Microsoft Security Bulletin (MS00-045)Microsoft Enterprise Manager allows local users to obtain database passwords via the Data Transformation Service (DTS) package Registered Servers Dialog dialog, aka a variant of the "DTS Password" vulnerability.BID 1466mssql-dts-reveal-passwords(4582)Microsoft Security Bulletin (MS00-041)Netscape Communicator 4.73 and earlier allows remote attackers to cause a denial of service or execute arbitrary commands via a JPEG image containing a comment with an illegal field length of 1.BID 1503Incorrect processing of JPEG imagesJPEG COM Marker Processing Vulnerability in Netscape BrowsersRHSA-2000:04620000823 Security Hole in Netscape, Versions 4.x, possibly othersTLSA2000017-1NetBSD-SA2000-011FreeBSD-SA-00:3920000801 MDKSA-2000:027-1 netscape update20000810 Conectiva Linux Security Announcement - netscape1503Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long USER command in the FTP protocol.BID 1504analogx-proxy-ftp-crashAnalogX Proxy DoShttp://www.analogx.com/contents/download/network/proxy.htmBuffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long HELO command in the SMTP protocol.BID 1504AnalogX Proxy DoShttp://www.analogx.com/contents/download/network/proxy.htmBuffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long USER command in the POP3 protocol.BID 1504analogx-proxy-pop3-crashAnalogX Proxy DoShttp://www.analogx.com/contents/download/network/proxy.htmBuffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long user ID in a SOCKS4 CONNECT request.BID 1504analogx-proxy-socks4-crashhAnalogX Proxy DoSThe WDaemon web server for WorldClient 2.1 allows remote attackers to read arbitrary files via a .. (dot dot) attack.BID 1462worldclient-dir-traverse(4913)Infosec.20000712.worldclient.2.1http://www.altn.com/Downloads/WorldClient/Release/RelNotes.txt1459WircSrv IRC Server 5.07s allows remote attackers to cause a denial of service via a long string to the server port.BID 1448wircsrv-character-flood-dos(4914)Remote DoS Attack in WircSrv Irc Server v5.07s VulnerabilityInternet Explorer 5.x and Microsoft Outlook allows remote attackers to read arbitrary files by redirecting the contents of an IFRAME using the DHTML Edit Control (DHTMLED).BID 1474ie-dhtml-control(2161)IE 5.5 and 5.01 vulnerability - reading at least local and from any host text and parsed html files1474ie-dhtmled-file-read(5107)The registry entry for the Windows Shell executable (Explorer.exe) in Windows NT and Windows 2000 uses a relative path name, which allows local users to execute arbitrary commands by inserting a Trojan Horse named Explorer.exe into the %Systemdrive% directory, aka the "Relative Shell Path" vulnerability.BID 1507 Registry-Invoked Programs Use Standard Search Pathexplorer-relative-path-name(5040)Q269049AnalogX SimpleServer:WWW 1.06 and earlier allows remote attackers to read arbitrary files via a modified .. (dot dot) attack that uses the %2E URL encoding for the dots.BID 1508analogx-simpleserver-directory-pathAnalogX http://www.analogx.com/contents/download/network/sswww.htm1508analogx-simpleserver-directory-path388GAMSoft TelSrv telnet server 1.5 and earlier allows remote attackers to cause a denial of service via a long username.BID 1478gamsoft-telsrv-dos(4945)DoS in Gamsoft TelSrv telnet server for MS Windows 95/98/NT/2k.20000729 TelSrv Reveals Usernames & Passwords After DoS Attack373rpc.statd in the nfs-utils package in various Linux distributions does not properly cleanse untrusted format strings, which allows remote attackers to gain root privileges.BID 1480linux-rpcstatd-format-overwrite(4939)Lots and lots of fun with rpc.statdRHSA-2000:04320000717 CONECTIVA LINUX SECURITY ANNOUNCEMENT - nfs-utils20000718 Trustix Security Advisory - nfs-utils20000718 [Security Announce] MDKSA-2000:021 nfs-utils updateCSSA-2000-025.0CA-2000-17Vulnerability in gpm in Caldera Linux allows local users to delete arbitrary files or conduct a denial of service.bugtraq id 1512linux-gpm-file-removal(4998)Security Update: DoS on gpmpam_console PAM module in Linux systems allows a user to access the system console and reboot the system when a display manager such as gdm or kdm has XDMCP enabled.BID 1513linux-pam-console(5001)Updated PAM packages are availableRHSA-2000:04420000727 CONECTIVA LINUX SECURITY ANNOUNCEMENT - PAM20000801 MDKSA-2000:029 pam updateNovell NetWare 5.0 allows remote attackers to cause a denial of service by flooding port 40193 with random data.BID 1467netware-port40193-dos(4932)Remote Denial Of Service -- NetWare 5.0 with SP 5The cvsweb CGI script in CVSWeb 1.80 allows remote attackers with write access to a CVS repository to execute arbitrary commands via shell metacharacters.BID 1469cvsweb-shell-access(4925)MDKSA-2000:019 cvsweb update20000712 cvsweb: remote shell for cvs committersFreeBSD-SA-00:37TLSA2000016-11469Roxen web server earlier than 2.0.69 allows allows remote attackers to bypass access restrictions, list directory contents, and read source code by inserting a null character (%00) to the URL.BID 1510roxen-null-char-urlRoxen security alert: Problems with URLs containing null characters20000721 Roxen Web Server Vulnerability1510roxen-null-char-urlThe default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory.BID 1548apache-tomcat-file-contents(4205)Jakarta-tomcat.../admin1548jakarta-tomcat-adminThe NetBIOS Name Server (NBNS) protocol does not perform authentication, which allows remote attackers to cause a denial of service by sending a spoofed Name Conflict or Name Release datagram, aka the "NetBIOS Name Server Protocol Spoofing" vulnerability.BID 1514netbios-name-server-spoofing(5035)Microsoft Security Bulletin (MS00-047)20000727 Windows NetBIOS Name Conflicts1515ftp.pl CGI program for Virtual Visions FTP browser allows remote attackers to read directories outside of the document root via a .. (dot dot) attack.bugtraq id 1471ftp.pl vulnerabilityvirtualvision-ftp-browserBuffer overflow in Infopulse Gatekeeper 3.5 and earlier allows remote attackers to execute arbitrary commands via a long string.BID 1477gatekeeper-long-string-bo(4948)The MDMA Crew's GateKeeper ExploitNetscape Communicator and Navigator 4.04 through 4.74 allows remote attackers to read arbitrary files by using a Java applet to open a connection to a URL using the "file", "http", "https", and "ftp" protocols, as demonstrated by Brown Orifice.BID 1546CERT:CA-2000-15Brown Orifice, BOHTTPD, a Platform Independent Java Vulnerability in Netscape20000804 Dangerous Java/Netscape Security HoleRHSA-2000:054CSSA-2000-027.1FreeBSD-SA-00:3920000823 Security Hole in Netscape, Versions 4.x, possibly others20000810 MDKSA-2000:033 Netscape Java vulnerability20000821 MDKSA-2000:036 - netscape update20000818 Conectiva Linux Security Announcement - netscapeBuffer overflow in IBM Net.Data db2www CGI program allows remote attackers to execute arbitrary commands via a long PATH_INFO environmental variable.Internet Security Systems Security Advisoryibm-netdata-db2www-boPGP 5.5.x through 6.5.3 does not properly check if an Additional Decryption Key (ADK) is stored in the signed portion of a public certificate, which allows an attacker who can modify a victim's public certificate to decrypt any data that has been encrypted with the modified certificate.CERT:CA-2000-18BID 1606Serious bug in PGP - versions 5 and 64354The CVS 1.10.8 client trusts pathnames that are provided by the CVS server, which allows the server to force the client to create arbitrary files.cvs security problemBID 1523The CVS 1.10.8 server does not properly restrict users from creating arbitrary Checkin.prog or Update.prog programs, which allows remote CVS committers to modify or create Trojan horse programs with the Checkin.prog or Update.prog names, then performing a CVS commit action.cvs security problemBID 1524Buffer overflow in BEA WebLogic server proxy plugin allows remote attackers to execute arbitrary commands via a long URL with a .JSP extension.CORE-081300BID 1570BEA WebLogic 5.1.x allows remote attackers to read source code for parsed pages by inserting /ConsoleHelp/ into the URL, which invokes the FileServlet.FS-072800-9-BEABID 1518http://developer.bea.com/alerts/security_000731.html1481BEA WebLogic 5.1.x allows remote attackers to read source code for parsed pages by inserting /*.shtml/ into the URL, which invokes the SSIServlet.20000728 BEA's WebLogic force handlers show code vulnerabilityBID 1517http://developer.bea.com/alerts/security_000728.html1480BEA WebLogic 5.1.x does not properly restrict access to the JSPServlet, which could allow remote attackers to compile and execute Java JSP code by directly invoking the servlet on any source file.20000731 BEA's WebLogic *.jsp/*.jhtml remote command executionBID 1525CA-2000-02http://developer.bea.com/alerts/security_000731.htmlBEA WebLogic 5.1.x does not properly restrict access to the PageCompileServlet, which could allow remote attackers to compile and execute Java JHTML code by directly invoking the servlet on any source file.FS-073100-10-BEABID 1525CA-2000-02http://developer.bea.com/alerts/security_000731.htmlAuction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the fromfile parameter.20000823 Auction WeaverT LITE 1.0BID 1630Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the catdir parameter.20000823 Auction WeaverT LITE 1.0BID 1630Subscribe Me LITE does not properly authenticate attempts to change the administrator password, which allows remote attackers to gain privileges for the Account Manager by directly calling the subscribe.pl script with the setpwd parameter.20000823 Subscribe Me VulnerabilityBID 1607http://www.cgiscriptcenter.com/subscribe/20000823 Re: Subscribe Me CGI VulnerabilityAccount Manager LITE does not properly authenticate attempts to change the administrator password, which allows remote attackers to gain privileges for the Account Manager by directly calling the amadmin.pl script with the setpasswd parameter.20000823 Account Manager CGI VulnerabilityBID 1604http://www.cgiscriptcenter.com/acctlite/13341account-manager-overwrite-password(5125)Auction Weaver CGI script 1.02 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the fromfile parameter.20000830 More problems with Auction Weaver & CGI Script Center.20000830 More problems with Auction Weaver & CGI Script Center.The faxrunq and faxrunqd in the mgetty package allows local users to create or modify arbitrary files via a symlink attack which creates a symlink in from /var/spool/fax/outgoing/.last_run to the target file.20000826 Advisory: mgetty local compromiseCSSA-2000-029.0BID 1612http://archives.neohapsis.com/archives/bugtraq/2000-08/0330.htmlISS RealSecure 3.2.1 and 3.2.2 allows remote attackers to cause a denial of service via a flood of fragmented packets with the SYN flag set.20000822 DOS on RealSecure 3.2BID 1597pgxconfig in the Raptor GFX configuration tool uses a relative path name for a system call to the "cp" program, which allows local users to execute arbitrary commands by modifying their path to point to an alternate "cp" program.20000802 Local root compromise in PGX Config Sun Sparc SolarisBID 15631501pgxconfig in the Raptor GFX configuration tool allows local users to gain privileges via a symlink attack.20000802 Local root compromise in PGX Config Sun Sparc Solaris5740Buffer overflows in pgxconfig in the Raptor GFX configuration tool allow local users to gain privileges via command line options.20000802 Local root compromise in PGX Config Sun Sparc SolarisThe administration interface for the dwhttpd web server in Solaris AnswerBook2 does not properly authenticate requests to its supporting CGI scripts, which allows remote attackers to add user accounts to the interface by directly calling the admin CGI script.SUN:00196BID 155420000807 Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd serversolaris-answerbook2-admin-interface(5069)The administration interface for the dwhttpd web server in Solaris AnswerBook2 allows interface users to remotely execute commands via shell metacharacters.SUN:00196BID 155620000807 Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd serversolaris-answerbook2-remote-execution(5058)Minicom 1.82.1 and earlier on some Linux systems allows local users to create arbitrary files owned by the uucp user via a symlink attack.BUGTRAQ:20000819 RH 6.1 / 6.2 minicom vulnerabilityBID 1599minicom-capture-groupownFormat string vulnerability in ftpd in HP-UX 10.20 allows remote attackers to cause a denial of service or execute arbitrary commands via format strings in the PASS command.BUGTRAQ:20000806 HPUX FTPd vulnerabilityBID 1560Cisco Gigabit Switch Routers (GSR) with Fast Ethernet / Gigabit Ethernet cards, from IOS versions 11.2(15)GS1A up to 11.2(19)GS0.2 and some versions of 12.0, do not properly handle line card failures, which allows remote attackers to bypass ACLs or force the interface to stop forwarding packets.20000803 Possible Access Control Bypass and Denial of Service in Gigabit Switch Routers Using Gigabit Ethernet or Fast Ethernet CardsBID 1541793798The wrapper program in mailman 2.0beta3 and 2.0beta4 does not properly cleanse untrusted format strings, which allows local users to gain privileges.20000801 Advisory: mailman local compromise20000802 CONECTIVA LINUX SECURITY ANNOUNCEMENT - mailman20000802 MDKSA-2000:030 - Linux-Mandrake not affected by mailman problemRHSA-2000:030-03BID 1539RHSA-2000:030The net.init rc script in HP-UX 11.00 (S008net.init) allows local users to overwrite arbitrary files via a symlink attack that points from /tmp/stcp.conf to the targeted file.BUGTRAQ:20000821 [HackersLab bugpaper] HP-UX net.init rc scriptBID 1602hp-netinit-symlinksuidperl (aka sperl) does not properly cleanse the escape sequence "~!" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the "interactive" environmental variable and calling suidperl with a filename that contains the escape sequence.BUGTRAQ:20000805 sperl 5.00503 (and newer ;) exploitSUSE:20000810 Security Hole in perl, all versionsCALDERA:CSSA-2000-026.0BID 154720000810 Security Hole in perl, all versionsRHSA-2000:048TLSA2000018-120000814 Trustix Security Advisory - perl and mailx20000808 MDKSA-2000:031 perl update20000810 Conectiva Linux security announcemente - PERLBuffer overflow in SGI Omron WorldView Wnn allows remote attackers to execute arbitrary commands via long JS_OPEN, JS_MKDIR, or JS_FILE_INFO commands.BID 160320000803-01-A11080irix-worldview-wnn-bo(5163)ntop running in web mode allows remote attackers to read arbitrary files via a .. (dot dot) attack.20000802 [ Hackerslab bug_paper ] ntop web mode vulnerabilityREDHAT:RHSA-2000:049-02BID 1550RHSA-2000:0491496Buffer overflows in ntop running in web mode allows remote attackers to execute arbitrary commands.FREEBSD:FreeBSD-SA-00:36DEBIAN:20000830 ntop: Still remotely exploitable using bufferBID 1576FreeBSD-SA-00:361513PCCS MySQLDatabase Admin Tool Manager 1.2.4 and earlier installs the file dbconnect.inc within the web root, which allows remote attackers to obtain sensitive information such as the administrative password.BUGTRAQ:20000804 PCCS MySQL DB Admin Tool v1.2.3- AdvisoryBID:1557Buffer overflow in Pragma Systems TelnetServer 2000 version 4.0 allows remote attackers to cause a denial of service via a long series of null characters to the rexec port.NTBUGTRAQ:20000824 Remote DoS Attack in Pragma TelnetServer 2000BID 1605http://www.pragmasys.com/TelnetServer/The shtml.exe component of Microsoft FrontPage 2000 Server Extensions 1.1 allows remote attackers to cause a denial of service in some components by requesting a URL whose name includes a standard DOS device name.20000823 Xato Advisory: FrontPage DOS Device DoSBID 1608http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.aspThe shtml.exe component of Microsoft FrontPage 2000 Server Extensions 1.1 allows remote attackers determine the physical path of the server components by requesting an invalid URL whose name includes a standard DOS device name.20000823 Xato Advisory: FrontPage DOS Device DoSBID 1608http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.aspNetscape Communicator does not properly prevent a ServerSocket object from being created by untrusted entities, which allows remote attackers to create a server on the victim's system via a malicious applet, as demonstrated by Brown Orifice.20000816 JDK 1.1.x Listening Socket Vulnerability (was Re: BrownOrifice can break firewalls!)20000805 Dangerous Java/Netscape Security HoleCA-2000-15BID 1545Linux Intrusion Detection System (LIDS) 0.9.7 allows local users to gain root privileges when LIDS is disabled via the security=0 boot option.BUGTRAQ:2000803 LIDS severe bugBID 1549http://www.egroups.com/message/lids/1038http://www.lids.org/changelog.html1495Buffer overflow in Adobe Acrobat 4.05, Reader, Business Tools, and Fill In products that handle PDF files allows attackers to execute arbitrary commands via a long /Registry or /Ordering specifier.20000726 [SPSadvisory#39]Adobe Acrobat Series PDF File Buffer OverflowBID 1509http://www.adobe.com/misc/pdfsecurity.htmlumb-scheme 3.2-11 for Red Hat Linux is installed with world-writeable files.REDHAT:RHSA-2000:047-03BID 1551RHSA-2000:047DiskCheck script diskcheck.pl in Red Hat Linux 6.2 allows local users to create or overwrite arbitrary files via a symlink attack on a temporary file.BID 155220000805 Diskcheck 3.1.1 Symlink Vulnerability20000622 Re: rh 6.2 - gid compromises, etc [+ MORE!!!]20000805 Diskcheck 3.1.1 Symlink Vulnerability20000807 Re: Diskcheck 3.1.1 Symlink VulnerabilityWorldClient email client in MDaemon 2.8 includes the session ID in the referer field of an HTTP request when the user clicks on a URL, which allows the visited web site to hijcak the session ID and read the user's email.20000809BID 1553mdaemon-session-id-hijackGoodTech FTP server allows remote attackers to cause a denial of service via a large number of RNTO commands.20000830 [EXPL] GoodTech's FTP Server vulnerable to a DoS (RNTO)BID 1619ftp-goodtech-rnto-dos(5166)A race condition in MandrakeUpdate allows local users to modify RPM files while they are in the /tmp directory before they are installed.NTBUGTRAQ:20000809 Session hijacking in Alt-N's MDaemon 2.8BID 1567VariCAD 7.0 is installed with world-writeable files, which allows local users to replace the VariCAD programs with a Trojan horse program.20000810 VariCAD 7.0 premission vulnerabilitynews.cgi in GWScripts News Publisher does not properly authenticate requests to add an author to the author index, which allows remote attackers to add new authors by directly posting an HTTP request to the new.cgi program with an addAuthor parameter, and setting the Referer to the news.cgi program.BUGTRAQ:20000929 News Publisher CGI VulnerabilityBID 1621news-publisher-add-author(5169)The FSserial, FlagShip_c, and FlagShip_p programs in the FlagShip package are installed world-writeable, which allows local users to replace them with Trojan horses.20000810 FlagShip v4.48.7449 premission vulnerabilityBID 1586Helix GNOME Updater helix-update 0.5 and earlier allows local users to install arbitrary RPM packages by creating the /tmp/helix-install installation directory before root has begun installing packages.20000820 Helix Code Security Advisory - Helix GNOME Update20000820 [Helix Beta] Helix Code Security Advisory - Helix GNOME InstallerBID 159320000819 Multiple Local Vulnerabilities in Helix Gnome InstallerHelix GNOME Updater helix-update 0.5 and earlier does not properly create /tmp directories, which allows local users to create empty system configuration files such as /etc/config.d/bashrc, /etc/config.d/csh.cshrc, and /etc/rc.config.20000820 [Helix Beta] Helix Code Security Advisory - Helix GNOME InstallerBID 159620000819 Multiple Local Vulnerabilities in Helix Gnome InstallerThe go-gnome Helix GNOME pre-installer allows local users to overwrite arbitrary files via a symlink attack on various files in /tmp, including uudecode, snarf, and some installer files.20000829 More Helix Code installation problems (go-gnome)20000829 Helix Code Security Advisory - go-gnome pre-installerBID 1622Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request.REDHAT:RHSA-2000:052-02DEBIAN:20000821 zope: unauthorized escalation of privilege (update)BUGTRAQ:20000821 Conectiva Linux Security Announcement - ZopeBUGTRAQ:20000816 MDKSA-2000:035 Zope updateBID 1577http://www.zope.org/Products/Zope/Hotfix_08_09_2000/security_alertRHSA-2000:052CGIMail.exe CGI program in Stalkerlab Mailers 1.1.2 allows remote attackers to read arbitrary files by specifying the file in the $Attach$ hidden form variable.20000829 Stalker's CGImail Gives Read Access to All Server FilesBID 1623mailers-cgimail-spoof(5165)xpdf PDF viewer client earlier than 0.91 does not properly launch a web browser for embedded URL's, which allows an attacker to execute arbitrary commands via a URL that contains shell metacharacters.BUGTRAQ:20000829 MDKSA-2000:041 - xpdf updateDEBIAN:20000910 xpdf: local exploitCALDERA:CSSA-2000-031.0BID 162420000913 Conectiva Linux Security Announcement - xpdfRHSA-2000:060xpdf PDF viewer client earlier than 0.91 allows local users to overwrite arbitrary files via a symlink attack.BUGTRAQ:20000829 MDKSA-2000:041 - xpdf updateBUGTRAQ:20000913 Conectiva Linux Security Announcement - xpdfDEBIAN:20000910 xpdf: local exploitREDHAT:RHSA-2000:060-03BID 1624RHSA-2000:060CSSA-2000-031.0FreeBSD 5.x, 4.x, and 3.x allows local users to cause a denial of service by executing a program with a malformed ELF image header.FreeBSD-SA-00:41BID 1625freebsd-elf-dos(5967)1534Vulnerability in newgrp command in HP-UX 11.0 allows local users to gain privileges.HPSBUX0008-118BID 1580Directory traversal vulnerability in Worm HTTP server allows remote attackers to read arbitrary files via a .. (dot dot) attack.20000825 DST2K0023BID 1626wormhttp-dir-traverse(5148)1535Worm HTTP server allows remote attackers to cause a denial of service via a long URL.20000825 DST2K0023: Directory Traversal Possible & Denial of Service in Wo rm HTTP ServerBID 1626wormhttp-filename-dosTelnetd telnet server in IRIX 5.2 through 6.1 does not properly cleans user-injected format strings, which allows remote attackers to execute arbitrary commands via a long RLD variable in the IAC-SB-TELOPT_ENVIRON request.20000814BID 157220000801-02-PeEye IRIS 1.01 beta allows remote attackers to cause a denial of service via a large number of UDP connections.BID 162720000831 Remote DoS Attack in Eeye Iris 1.01 and SpyNet CaptureNet v3.12Buffer overflow in Becky! Internet Mail client 1.26.03 and earlier allows remote attackers to cause a denial of service via a long Content-type: MIME header when the user replies to a message.20000818 Becky! Internet Mail Buffer overflowBID 1588http://member.nifty.ne.jp/rimarts/becky-e/Readme.txtBuffer overflow in Becky! Internet Mail client 1.26.04 and earlier allows remote attackers to cause a denial of service via a long Content-type: MIME header when the user forwards a message.20000818 Becky! Internet Mail Buffer overflowBID 1588http://member.nifty.ne.jp/rimarts/becky-e/Readme.txtThe Service Control Manager (SCM) in Windows 2000 creates predictable named pipes, which allows a local user with console access to gain administrator privileges, aka the "Service Control Manager Named Pipe Impersonation" vulnerability.MS:MS00-053BID 1535WebShield SMTP 4.5 allows remote attackers to cause a denial of service by sending e-mail with a From: address that has a . (period) at the end, which causes WebShield to continuously send itself copies of the e-mail.NTBUGTRAQ:20000818 WebShield SMTP infinite loop DoS AttackBID 1589webshield-smtp-dosDirectory traversal vulnerability in strong.exe program in NAI Net Tools PKI server 1.0 before HotFix 3 allows remote attackers to read arbitrary files via a .. (dot dot) attack in an HTTPS request to the enrollment server.BUGTRAQ:20000802 NAI Net Tools PKI Server vulnerabilitiesBID 1537http://download.nai.com/products/licensed/pgp/hf3pki10.txtnettools-pki-dir-traverse(5066)1489Buffer overflow in strong.exe program in NAI Net Tools PKI server 1.0 before HotFix 3 allows remote attackers to execute arbitrary commands via a long URL in the HTTPS port.BUGTRAQ:20000802 NAI Net Tools PKI Server vulnerabilitiesBID 1536http://download.nai.com/products/licensed/pgp/hf3pki10.txtnai-nettools-strong-bo(5026)1488Format string vulnerability in strong.exe program in NAI Net Tools PKI server 1.0 before HotFix 3 allows remote attackers to execute arbitrary code via format strings in a URL with a .XUDA extension.BUGTRAQ:20000802 NAI Net Tools PKI Server vulnerabilitiesBID 1538http://download.nai.com/products/licensed/pgp/hf3pki10.txt1490The IPX protocol implementation in Microsoft Windows 95 and 98 allows remote attackers to cause a denial of service by sending a ping packet with a source IP address that is a broadcast address, aka the "Malformed IPX Ping Packet" vulnerability.BUGTRAQ:20000602 ipx stormMS:MS00-054BID 1544win-ipx-ping-packet(5079)Buffer overflow in University of Minnesota (UMN) gopherd 2.x allows remote attackers to execute arbitrary commands via a DES key generation request (GDESkey) that contains a long ticket value.BUGTRAQ:20000810 Remote vulnerability in Gopherd 2.xBID 1569DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-2000-0743.BUGTRAQ:20000810 Remote vulnerability in Gopherd 2.xBID 1569admin.php3 in PHP-Nuke does not properly verify the PHP-Nuke administrator password, which allows remote attackers to gain privileges by requesting a URL that does not specify the aid or pwd parameter.20000821 Vuln. in all sites using PHP-Nuke, versions less than 3BID 15921521Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against cross-site scripting (CSS) attacks. They allow a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site, aka the "IIS Cross-Site Scripting" vulnerabilities.MS:MS00-060BID 1594BID 159520000821 IIS 5.0 cross site scripting vulnerability - using .shtml files or /_vti_bin/shtml.dllThe logrotate script for OpenLDAP before 1.2.11 in Conectiva Linux sends an improper signal to the kernel log daemon (klogd) and kills it.BUGTRAQ:20000726 CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENLDAPOpenLDAP logrotate script denial of serviceOpenLDAP 1.2.11 and earlier improperly installs the ud binary with group write permissions, which could allow any user in that group to replace the binary with a Trojan horse.20000726 Group-writable executable in OpenLDAPBID 1511Buffer overflow in the Linux binary compatibility module in FreeBSD 3.x through 5.x allows local users to gain root privileges via long filenames in the linux shadow file system.FREEBSD:FreeBSD-SA-00:42BID 1628freebsd-linux-module-bo(5968)1536Buffer overflow in mopd (Maintenance Operations Protocol loader daemon) allows remote attackers to execute arbitrary commands via a long file name.REDHAT:RHSA-2000-050-01BUGTRAQ:20000808 OpenBSD 2.7 / NetBSD 1.4.2 mopd buffer overflowFREEBSD:FreeBSD-SA-00:40OPENBSD:20000705 Mopd contained a buffer overflow.BID 155820000705 Mopd contained a buffer overflow.RHSA-2000:050mopd (Maintenance Operations Protocol loader daemon) does not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands.BUGTRAQ:20000808 OpenBSD 2.7 / NetBSD 1.4.2 mopd buffer overflowFREEBSD:FreeBSD-SA-00:40BID 155920000705 Mopd contained a buffer overflow.RHSA-2000:050Buffer overflows in brouted in FreeBSD and possibly other OSes allows local users to gain root privileges via long command line arguments.FREEBSD:FreeBSD-SA-00:43BID 1629The Microsoft Outlook mail client identifies the physical path of the sender's machine within a winmail.dat attachment to Rich Text Format (RTF) files.BUGTRAQ:20000824 Outlook winmail.datBID 163120000824 Outlook winmail.dat20010802 Outlook 2000 Rich Text information disclosureoutlook-reveal-path(5508)Vulnerability in HP OpenView Network Node Manager (NMM) version 6.1 related to passwords.HP:HPSBUX0008-119BID 1581Vulnerability in the newgrp command in HP-UX 11.00 allows local users to gain privileges.HP:HPSBUX0008-118BID 1581Microsoft Outlook 2000 does not properly process long or malformed fields in vCard (.vcf) files, which allows attackers to cause a denial of service.BID 163320000831 vCard DoS on Outlook 2000The sysgen service in Aptis Totalbill does not perform authentication, which allows remote attackers to gain root privileges by connecting to the service and specifying the commands to be executed.20000808 Exploit for Totalbill...BID 1555The web interface for Lyris List Manager 3 and 4 allows list subscribers to obtain administrative access by modifying the value of the list_admin hidden form field.BUGTRAQ:20000811 Lyris List Manager Administration HoleBID 1584http://www.lyris.com/lm/lm_updates.htmlJakarta Tomcat 3.1 under Apache reveals physical path information when a remote attacker requests a URL that does not exist, which generates an error message that includes the physical path.20000719 [LoWNOISE] Tomcat 3.1 Path Revealing Problem.BID 1531tomcat-error-path-reveal(4967)The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension.20000719 [LoWNOISE] Snoop Servlet (Tomcat 3.1 and 3.0)BID 1532OS2/Warp 4.5 FTP server allows remote attackers to cause a denial of service via a long username.BUGTRAQ:20000815 OS/2 Warp 4.5 FTP Server DoSBID 1582ftp://ftp.software.ibm.com/ps/products/tcpip/fixes/v4.3os2/ic27721/READMEThe default installation of eTrust Access Control (formerly SeOS) uses a default encryption key, which allows remote attackers to spoof the eTrust administrator and gain privileges.20000811 eTrust Access Control - Root compromise for default installBID 1583http://support.ca.com/techbases/eTrust/etrust_access_control-response.htmletrust-access-control-default1517xlockmore and xlockf do not properly cleanse user-injected format strings, which allows local users to gain root privileges via the -d option.BUGTRAQ:20000816 xlock vulnerabilityDEBIAN:20000816 xlockmore: possible shadow file compromiseFREEBSD:FreeBSD-SA-00:44.xlockmoreBID 158520000817 Conectiva Linux Security Announcement - xlockmore20000823 MDKSA-2000:038 - xlockmore updateIntel Express 500 series switches allow a remote attacker to cause a denial of service via a malformed IP packet.BUGTRAQ:20000828 Intel Express Switch 500 series DoSBID 1609intel-express-switch-dosBuffer overflow in the HTML interpreter in Microsoft Office 2000 allows an attacker to execute arbitrary commands via a long embedded object tag, aka the "Microsoft Office HTML Object Tag" vulnerability.MS:MS00-056BID 1561Buffer overflow in vqSoft vqServer 1.4.49 allows remote attackers to cause a denial of service or possibly gain privileges via a long HTTP GET request.BUGTRAQ:20000819 D.o.S Vulnerability in vqServerBID 1610vqserver-get-dosThe ActiveX control for invoking a scriptlet in Internet Explorer 4.x and 5.x renders arbitrary file types instead of HTML, which allows an attacker to read arbitrary files, aka the "Scriptlet Rendering" vulnerability.MS:MS00-055BID 1564A function in Internet Explorer 4.x and 5.x does not properly verify the domain of a frame within a browser window, which allows a remote attacker to read client files, aka a variant of the "Frame Domain Verification" vulnerability.MS:MS00-055BID 1564O'Reilly WebSite Pro 2.3.7 installs the uploader.exe program with execute permissions for all users, which allows remote attackers to create and execute arbitrary files by directly calling uploader.exe.BID 1611http-website-uploader(294)[Alert] Website's uploader.exe (from demo) vulnerable20000824 WebServer Pro 2.3.7 VulnerabilityIIS 4.0 and 5.0 does not properly restrict access to certain types of files when their parent folders have less restrictive permissions, which could allow remote attackers to bypass access restrictions to some files, aka the "File Permission Canonicalization" vulnerability.MS:MS00-057BID 1565MS00-057Microsoft Windows 2000 allows local users to cause a denial of service by corrupting the local security policy via malformed RPC traffic, aka the "Local Security Policy Corruption" vulnerability.MS:MS00-062BID 1613The installation of Tumbleweed Messaging Management System (MMS) 4.6 and earlier (formerly Worldtalk Worldsecure) creates a default account "sa" with no password.20000810 Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vulnerabilityBID 1562http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-official.htmtumbleweed-mms-blank-passwordBajie HTTP web server 0.30a allows remote attackers to read arbitrary files via a URL that contains a "....", a variant of the dot dot directory traversal attack.BUGTRAQ:20000731 Two security flaws in Bajie WebserverBID 1522Bajie HTTP server allows attacker to view arbitrary filesThe sample Java servlet "test" in Bajie HTTP web server 0.30a reveals the real pathname of the web document root.20000731 Two security flaws in Bajie WebserverBID 1521Buffer overflow in RobTex Viking server earlier than 1.06-370 allows remote attackers to cause a denial of service or execute arbitrary commands via a long HTTP GET request, or long Unless-Modified-Since, If-Range, or If-Modified-Since headers.BID 1614http://www.robtex.com/viking/bugs.htm20000828 [NT] Viking security vulnerabilities enable remote code execution (long URL, date parsing)Mediahouse Statistics Server 5.02x allows remote attackers to execute arbitrary commands via a long HTTP GET request.20000810 [DeepZone Advisory] Statistics Server 5.02x stack overflow (Win2k remote exploit)BID 1568mediahouse-stats-livestats-bo(5113)The password protection feature of Microsoft Money can store the password in plaintext, which allows attackers with physical access to the system to obtain the password, aka the "Money Password" vulnerability.MS:MS00-061BID 1615IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability.MS:MS00-058BUGTRAQ:20000815 Translate:f summary, history and thoughtsNTBUGTRAQ:20000816 Translate: fBID 1578oval:org.mitre.oval:def:927Checkpoint Firewall-1 with the RSH/REXEC setting enabled allows remote attackers to bypass access restrictions and connect to a RSH/REXEC client via malformed connection requests.BID 1534Potential Security Issues in VPN-1/FireWall-1http://www.checkpoint.com/techsupport/alerts/list_vun.html#Improper_stderr1487The web server in IPSWITCH IMail 6.04 and earlier allows remote attackers to read and delete arbitrary files via a .. (dot dot) attack.BUGTRAQ:20000830 Vulnerability Report On IPSWITCH's IMailBID 1617http://www.ipswitch.com/Support/IMail/news.htmluagentsetup in ARCServeIT Client Agent 6.62 does not properly check for the existence or ownership of a temporary file which is moved to the agent.cfg configuration file, which allows local users to execute arbitrary commands by modifying the temporary file before it is moved.BUGTRAQ:20000728 Client Agent 6.62 for Unix VulnerabilityBID 1519ARCServeIT Client Agent uagent temp file20000728 Client Agent 6.62 for Unix Vulnerabilitynetauth.cgi program in Netwin Netauth 4.2e and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack.BUGTRAQ:20000817 Netauth: Web Based Email Management SystemBID 1587http://netwinsite.com/netauth/updates.htmnetwin-netauth-dir-traverse(5090)Watchguard Firebox II allows remote attackers to cause a denial of service by sending a malformed URL to the authentication service on port 4100.BUGTRAQ:20000815 Watchguard Firebox Authentication DoSBID 1573firebox-url-dossshd program in the Rapidstream 2.1 Beta VPN appliance has a hard-coded "rsadmin" account with a null password, which allows remote attackers to execute arbitrary commands via ssh.20000816 Remote Root Compromise On All RapidStream VPNBID 1574WircSrv IRC Server 5.07s allows IRC operators to read arbitrary files via the importmotd command, which sets the Message of the Day (MOTD) to the specified file.BID 144820000713 More wIRCSrv stupidityGNU userv 1.0.0 and earlier does not properly perform file descriptor swapping, which can corrupt the USERV_GROUPS and USERV_GIDS environmental variables and allow local users to bypass some access restrictions.BUGTRAQ:20000726 userv security boundary tool 1.0.1 (SECURITY FIX)DEBIAN:20000727 userv: local exploitBID 1516IRC Xchat client versions 1.4.2 and earlier allows remote attackers to execute arbitrary commands by encoding shell metacharacters into a URL which XChat uses to launch a web browser.BUGTRAQ: 20000817 XChat URL handler vulnerabiltyBID 1601REDHAT:RHSA-2000:055-03BUGTRAQ:20000824 MDKSA-2000:039 - xchat updateBUGTRAQ:20000825 Conectiva Linux Security Announcement - xchatRHSA-2000:055The Mail Merge tool in Microsoft Word does not prompt the user before executing Visual Basic (VBA) scripts in an Access database, which could allow an attacker to execute arbitrary commands.MS Word and MS Access vulnerability - executing arbitrary programs, may be exploited by IE/OutlookBID 1566MS00-071word-mail-merge(5322)WinU 5.x and earlier uses weak encryption to store its configuration password, which allows local users to decrypt the password and gain privileges.20000816 WinU 4/5 weak password vulnerabilityThe web-based folder display capability in Microsoft Internet Explorer 5.5 on Windows 98 allows local users to insert Trojan horse programs by modifying the Folder.htt file and using the InvokeVerb method in the ShellDefView ActiveX control to specify a default execute option for the first file that is listed in the folder.20000828 IE 5.5/5.x for Win98 may execute arbitrary files that can be accessed thru Microsoft Networking. Also local Administrator compromise at least on default Windows 2000.BID 1571ie-folder-remote-exe(5097)Trustix installs the httpsd program for Apache-SSL with world-writeable permissions, which allows local users to replace it with a Trojan horse.20000815 Trustix security advisory - apache-sslBID 1575Gnome Lokkit firewall package before 0.41 does not properly restrict access to some ports, even if a user does not make any services available.BUGTRAQ:20000819 Security update for Gnome-LokkitBID 15901520Norton AntiVirus 5.00.01C with the Novell Netware client does not properly restart the auto-protection service after the first user has logged off of the system.BID 153320000728 Norton Antivirus Protection Disabled under Novell NetwareBuffer overflow in IRIX libgl.so library allows local users to gain root privileges via a long HOME variable to programs such as (1) gmemusage and (2) gr_osview.BID 1527irix-libgl-bo(5063)20000802 [LSD] some unpublished LSD exploit codes8568Buffer overflow in lpstat in IRIX 6.2 and 6.3 allows local users to gain root privileges via a long -n option.BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codesBID 15291485Buffer overflow in dmplay in IRIX 6.2 and 6.3 allows local users to gain root privileges via a long command line option.BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codesBID 15281484irix-dmplay-bo(5064)Buffer overflow in gr_osview in IRIX 6.2 and 6.3 allows local users to gain privileges via a long -D option.BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codesBID 1526IRIX gr_osview buffer overflow20040104-01-P3815The truncate function in IRIX 6.x does not properly check for privileges when the file is in the xfs file system, which allows local users to delete the contents of arbitrary files.BID 154020000802 [LSD] some unpublished LSD exploit codes8569inpview in InPerson in SGI IRIX 5.3 through IRIX 6.5.10 allows local users to gain privileges via a symlink attack on the .ilmpAAA temporary file.BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codesBID 153020001101-01-Iirix-inpview-symlink(5065)String parsing error in rpc.kstatd in the linuxnfs or knfsd packages in SuSE and possibly other Linux systems allows remote attackers to gain root privileges.SUSE:20000810 Security Hole in knfsd, all versions20000810 Security Hole in knfsd, all versionsBuffer overflow in bdf program in HP-UX 11.00 may allow local users to gain root privileges via a long -t option.20000727 [ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vul.BID 1520The BAIR program does not properly restrict access to the Internet Explorer Internet options menu, which allows local users to obtain access to the menu by modifying the registry key that starts BAIR.20000722 More bad censorwareGNU Groff uses the current working directory to find a device description file, which allows a local user to gain additional privileges by including a malicious postpro directive in the description file, which is executed when another user runs groff.gnu-groff-utilities(5280)Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to bypass the directionality check via fragmented TCP connection requests or reopening closed TCP connection requests, aka "One-way Connection Enforcement Bypass."One-way_Connectionhttp://www.checkpoint.com/techsupport/alerts/list_vun.html#One-way_Connectionfw1-remote-bypass4419Check Point VPN-1/FireWall-1 4.1 and earlier improperly retransmits encapsulated FWS packets, even if they do not come from a valid FWZ client, aka "Retransmission of Encapsulated Packets."Retransmission of Encapsulated Packetshttp://www.checkpoint.com/techsupport/alerts/list_vun.html#Retransmission_offw1-client-spoof4415The inter-module authentication mechanism (fwa1) in Check Point VPN-1/FireWall-1 4.1 and earlier may allow remote attackers to conduct a denial of service, aka "Inter-module Communications Bypass."Inter-module Communications Bypasshttp://www.checkpoint.com/techsupport/alerts/list_vun.html#Inter-module_Communicationsfw1-fwa1-auth-replay4413The OPSEC communications authentication mechanism (fwn1) in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to spoof connections, aka the "OPSEC Authentication Vulnerability."OPSEC_Authenticationhttp://www.checkpoint.com/techsupport/alerts/list_vun.html#OPSEC_Authenticationfw1-opsec-auth-spoof4420The seed generation mechanism in the inter-module S/Key authentication mechanism in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to bypass authentication via a brute force attack, aka "One-time (s/key) Password Authentication."One-time (s/key) Password Authenticationhttp://www.checkpoint.com/techsupport/alerts/list_vun.html#One-time_Passwordfw1-localhost-auth4421Buffer overflow in Getkey in the protocol checker in the inter-module communication mechanism in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to cause a denial of service.Getkey_Bufferhttp://www.checkpoint.com/techsupport/alerts/list_vun.html#Getkey_Bufferfw1-getkey-bo4422Auction Weaver 1.0 through 1.04 does not properly validate the names of form fields, which allows remote attackers to delete arbitrary files and directories via a .. (dot dot) attack.17821782auction-weaver-delete-files1600Auction Weaver 1.0 through 1.04 allows remote attackers to read arbitrary files via a .. (dot dot) attack on the username or bidfile form fields.17831783auction-weaver-username-bidfile4053The administration module in Sun Java web server allows remote attackers to execute arbitrary commands by uploading Java code to the module and invoke the com.sun.server.http.pagecompile.jsp92.JspServlet by requesting a URL that begins with a /servlet/ tag.SUN:001971600sunjava-webadmin-bbsCheck Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to redirect FTP connections to other servers ("FTP Bounce") via invalid FTP commands that are processed improperly by FireWall-1, aka "FTP Connection Enforcement Bypass."FTP_Connectionhttp://www.checkpoint.com/techsupport/alerts/list_vun.html#FTP_Connectionfw1-ftp-redirect4434Linux tmpwatch --fuser option allows local users to execute arbitrary commands by creating files whose names contain shell metacharacters.ISS:20001006 Insecure call of external programs in Red Hat Linux tmpwatchBID 1785RHSA-2000:080MDKSA-2000:0561785linux-tmpwatch-fuser(5320)Buffer overflow in the HTTP protocol parser for Microsoft Network Monitor (Netmon) allows remote attackers to execute arbitrary commands via malformed data, aka the "Netmon Protocol Parsing" vulnerability.The default installation for the Oracle listener program 7.3.4, 8.0.6, and 8.1.6 allows an attacker to cause logging information to be appended to arbitrary files and execute commands via the SET TRC_FILE or SET LOG_FILE commands.oracle-listener-connect-statements(5380)The unsetenv function in glibc 2.1.1 does not properly unset an environmental variable if the variable is provided twice to a program, which could allow local users to execute arbitrary commands in setuid programs by specifying their own duplicate environmental variables such as LD_PRELOAD or LD_LIBRARY_PATH.BUGTRAQ:20000831 glibc unsetenv bugBID 64819990917 A few bugs...CSSA-2000-028.020000902 glibc: local root exploitMDKSA-2000:040MDKSA-2000:045RHSA-2000:057TLSA2000020-120000924 glibc locale security problem20000902 Conectiva Linux Security Announcement - glibc20000905 Conectiva Linux Security Announcement - glibc20000906 [slackware-security]: glibc 2.1.3 vulnerabilities patched6481639glibc-ld-unsetenvIpswitch Imail 6.0 allows remote attackers to cause a denial of service via a large number of connections in which a long Host: header is sent, which causes a thread to crash.WIN2KSEC:20000817 Imail Web Service Remote DoS Attack v.220000817 Imail Web Service Remote DoS Attack v.220000817 Imail Web Service Remote DoS Attack v.2ipswitch-imail-remote-dos(5475)2011Buffer overflow in ddicgi.exe program in Mobius DocumentDirect for the Internet 1.2 allows remote attackers to execute arbitrary commands via a long GET request.XF:documentdirect-get-boBID 1657A090800-1Buffer overflow in the web authorization form of Mobius DocumentDirect for the Internet 1.2 allows remote attackers to cause a denial of service or execute arbitrary commands via a long username.BID 1657XF:documentdirect-username-boA090800-1Buffer overflow in ddicgi.exe in Mobius DocumentDirect for the Internet 1.2 allows remote attackers to execute arbitrary commands via a long User-Agent parameter.XF:documentdirect-user-agent-boBID 1657A090800-1The tmpwatch utility in Red Hat Linux forks a new process for each directory level, which allows local users to cause a denial of service by creating deeply nested directories in /tmp or /var/tmp/.BID 1664XF:linux-tmpwatch-fork-dos20000909 tmpwatch: local DoS : fork()bomb as rootRHSA-2000:080annclist.exe in webTV for Windows allows remote attackers to cause a denial of service by via a large, malformed UDP packet to ports 22701 through 22705.XF:webtv-udp-dosBID 167120000913 trivial DoS in webTVMS00-074Buffer overflow in Fastream FTP++ 2.0 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long username.WIN2KSEC:20000912 DST2K0027: DoS in Faststream FTP++ 2.0Htgrep CGI program allows remote attackers to read arbitrary files by specifying the full pathname in the hdr parameter.20000817 Htgrep CGI Arbitrary File Viewing Vulnerabilityhtgrep-cgi-view-files(5476)Buffer overflow in WinSMTP 1.06f and 2.X allows remote attackers to cause a denial of service via a long (1) USER or (2) HELO command.XF:winsmtp-helo-boBID:16802000911 WinSMTPD remote exploit/DoS problemThe Windows 2000 telnet client attempts to perform NTLM authentication by default, which allows remote attackers to capture and replay the NTLM challenge/response via a telnet:// URL that points to the malicious server, aka the "Windows 2000 Telnet Client NTLM Authentication" vulnerability.BID 1683MS:MS00-067A091400-1win2k-telnet-ntlm-authenticationsearch.dll Sambar ISAPI Search utility in Sambar Server 4.4 Beta 3 allows remote attackers to read arbitrary directories by specifying the directory in the query paraeater.BID 168420000915 Sambar Server search CGI vulnerabilityBuffer overflow in CamShot WebCam Trial2.6 allows remote attackers to execute arbitrary commands via a long Authorization header.BID 1685BUGTRAQ:20000915 [NEWS] Vulnerability in CamShot server (Authorization)camshot-password-boFTP Serv-U 2.5e allows remote attackers to cause a denial of service by sending a large number of null bytes.BUGTRAQ:20000804 FTP Serv-U 2.5e vulnerability.XF:servu-null-character-dos1543Fastream FUR HTTP server 1.0b allows remote attackers to cause a denial of service via a long GET request.XF:fur-get-dosWIN2KSEC:DST2K0028: DoS in FUR HTTP Server v1.0bWinCOM LPD 1.00.90 allows remote attackers to cause a denial of service via a large number of LPD options to the LPD port (515).XF:wincom-lpd-dosBID 170120000919 VIGILANTE-2000013: WinCOM LPD DoSBuffer overflow in XMail POP3 server before version 0.59 allows remote attackers to execute arbitrary commands via a long USER command.BID 1652BUGTRAQ:20000906 [NEWS] XMail vulnerable to a remotely exploitable buffer overflow (APOP, USER)xmail-long-user-boBuffer overflow in XMail POP3 server before version 0.59 allows remote attackers to execute arbitrary commands via a long APOP command.BID 1652BUGTRAQ:20000906 [NEWS] XMail vulnerable to a remotely exploitable buffer overflow (APOP, USER)XF:xmail-long-apop-bo1652The search97cgi/vtopic" in the UnixWare 7 scohelphttp webserver allows remote attackers to read arbitrary files via a .. (dot dot) attack.BID 1663BUGTRAQ:20000911 SCO scohelhttp documentation webserver exposes local filesBuffer overflow in pam_smb and pam_ntdom pluggable authentication modules (PAM) allow remote attackers to execute arbitrary commands via a login with a long user name.BID 1666DEBIAN:20000911 libpam-smb: remote root exploit20000910 (SRADV00002) Remote root compromise through pam_smb and pam_ntdom20000913 pam_smb remotely exploitable buffer overflowMDKSA-2000:04720000911 Conectiva Linux Security Announcement - pam_smbSome functions that implement the locale subsystem on Unix do not properly cleanse user-injected format strings, which allows local attackers to execute arbitrary commands via functions such as gettext and catopen.BID 1634BUGTRAQ:20000904 UNIX locale format string vulnerability20000902 glibc: local root exploitCSSA-2000-030.0RHSA-2000:05720000906 glibc locale security problemTLSA2000020-1IY13753SSRT0689U20000901-01-P20000902 Conectiva Linux Security Announcement - glibcunix-locale-format-string(5176)kdebug daemon (kdebugd) in Digital Unix 4.0F allows remote attackers to read arbitrary files by specifying the full file name in the initialization packet.BUGTRAQ:20000918 [ENIGMA] Digital UNIX/Tru64 UNIX remote kdebug VulnerabilityBuffer overflow in Darxite 0.4 and earlier allows a remote attacker to execute arbitrary commands via a long username or password.BID 1598BUGTRAQ:20000821 Darxite daemon remote exploit/DoS problemdarxite-login-boBuffer overflow in University of Washington c-client library (used by pine and other programs) allows remote attackers to execute arbitrary commands via a long X-Keywords header.BID 1646BUGTRAQ:20000901 More about UW c-client library20000901 UW c-client library vulnerabilityFreeBSD-SA-00:47.pine1687c-client-dos(5223)Buffer overflow in IBM WebSphere web application server (WAS) allows remote attackers to execute arbitrary commands via a long Host: request header.BID 1691BUGTRAQ:20000915 WebSphere application server plugin issue & vendor fixhttp://www-4.ibm.com/software/webservers/appserv/doc/v3022/fxpklst.htm#Securitywebsphere-header-dosRace condition in Microsoft Windows Media server allows remote attackers to cause a denial of service in the Windows Media Unicast Service via a malformed request, aka the "Unicast Service Race Condition" vulnerability.BID 1655MS:MS00-064unicast-service-dos(5193)Netegrity SiteMinder before 4.11 allows remote attackers to bypass its authentication mechanism by appending "$/FILENAME.ext" (where ext is .ccc, .class, or .jpg) to the requested URL. XF:siteminder-bypass-authenticationBID:1681ATSTAKE:A091100-1Buffer overflow in the Still Image Service in Windows 2000 allows local users to gain additional privileges via a long WM_USER message, aka the "Still Image Service Privilege Escalation" vulnerability.BID 1651MS:MS00-065ATSTAKE:A090700-1w2k-still-image-serviceMultiple buffer overflows in eject on FreeBSD and possibly other OSes allows local users to gain root privileges.BID 1686XF:freebsd-eject-portFreeBSD-SA-00:491559YaBB Bulletin Board 9.1.2000 allows remote attackers to read arbitrary files via a .. (dot dot) attack.BID 1668BUGTRAQ:20000909 YaBB 1.9.2000 VulnerabilitieXF:yabb-file-accessWhen a Microsoft Office 2000 document is launched, the directory of that document is first used to locate DLL's such as riched20.dll and msi.dll, which could allow an attacker to execute arbitrary commands by inserting a Trojan Horse DLL into the same directory as the document.WIN2KSEC:20000918 Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some casesBID 169920000922 Eudora + riched20.dll affects WinZip v8.0 as well20000921 Mitigators for possible exploit of Eudora via Guninski #21,2000office-dll-execution(5263)SunFTP build 9(1) allows remote attackers to cause a denial of service by connecting to the server and disconnecting before sending a newline.BID 1637BUGTRAQ:20000901 [EXPL] SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open)Buffer overflow in SunFTP build 9(1) allows remote attackers to cause a denial of service or possibly execute arbitrary commands via a long GET request.BID 1638BUGTRAQ:20000901 [EXPL] SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open)The logging capability in muh 2.05d IRC server does not properly cleanse user-injected format strings, which allows remote attackers to cause a denial of service or execute arbitrary commands via a malformed nickname.BUGTRAQ:20000909 Re: format string bug in muhBUGTRAQ:20000909 format string bug in muhBID 1665muh-log-dosVulnerability in Microsoft Windows NT 4.0 allows remote attackers to cause a denial of service in IIS by sending it a series of malformed requests which cause INETINFO.EXE to fail, aka the "Invalid URL" vulnerability.BID 1642MS:MS00-063BUGTRAQ:20000906 VIGILANTE-2000009: "Invalid URL" DoSiis-invald-url-dosThe web configuration server for NTMail V5 and V6 allows remote attackers to cause a denial of service via a series of partial HTTP requests.BID 1640BUGTRAQ:20000904 VIGILANTE-2000008: NTMail Configuration Service DoSntmail-incomplete-http-requestsThe file upload capability in PHP versions 3 and 4 allows remote attackers to read arbitrary files by setting hidden form fields whose names match the names of internal PHP script variables.BUGTRAQ:20000903 (SRADV00001) Arbitrary file disclosure through PHP file uploadBID 164920000904 Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file uploadMDKSA-2000:048php-file-uploadMailman 1.1 allows list administrators to execute arbitrary commands via shell metacharacters in the %(listname) macro expansion.FREEBSD:FreeBSD-SA-00:51BUGTRAQ:20000907 Mailman 1.1 + external archiver vulnerabilityBID 1667mailman-execute-external-commands(5493)Vulnerability in an administrative interface utility for Allaire Spectra 1.0.1 allows remote attackers to read and modify sensitive configuration information.ALLAIRE:ASB00-23ALLAIRE:ASB00-23allaire-spectra-admin-accessBuffer overflow in listmanager earlier than 2.105.1 allows local users to gain additional privileges.FREEBSD:FreeBSD-SA-00:50listmanager-port-boRace condition in the creation of a Unix domain socket in GNOME esound 0.2.19 and earlier allows a local user to change the permissions of arbitrary files and directories, and gain additional privileges, via a symlink attack.FREEBSD:FreeBSD-SA-00:45BID 165920000911 Patch for esound-0.2.19MDKSA-2000:051RHSA-2000:07720001008 esound: race condition20001006 Immunix OS Security Update for esound20001012 esound daemon race conditiongnome-esound-symlinkBuffer overflow in dvtermtype in Tridia Double Vision 3.07.00 allows local users to gain root privileges via a long terminal type argument.BID 1697BUGTRAQ:20000916 Advisory: Tridia DoubleVision / SCO UnixWaredoublevision-dvtermtype-boInterbase 6 SuperServer for Linux allows an attacker to cause a denial of service via a query containing 0 bytes.BID 165420000907 SEGFAULTING Interbase 6 SS Linuxinterbase-query-dosKernel logging daemon (klogd) in Linux does not properly cleanse user-injected format strings, which allows local users to gain root privileges by triggering malformed kernel messages.BUGTRAQ:20000917 klogd format bugXF:klogd-format-stringRHSA-2000:061MDKSA-2000:050CSSA-2000-032.0TLSA2000022-220000920 syslogd + klogd format string parsing error20000918 Conectiva Linux Security Announcement - sysklogd5824The default configuration of Apache 1.3.12 in SuSE Linux 6.4 allows remote attackers to read source code for CGI scripts by replacing the /cgi-bin/ in the requested URL with /cgi-bin-sdb/.BID 1658SUSE:20000907ATSTAKE:A090700-2suse-apache-cgi-source-codeThe default configuration of Apache 1.3.12 in SuSE Linux 6.4 enables WebDAV, which allows remote attackers to list arbitrary diretories via the PROPFIND HTTP request method.BID 1656SUSE:20000907ATSTAKE:A090700-3apache-webdav-directory-listingsBuffer overflow in EFTP allows remote attackers to cause a denial of service via a long string.BID 1675BUGTRAQ:20000911[EXPL] EFTP vulnerable to two DoS attackseftp-bo1555Buffer overflow in EFTP allows remote attackers to cause a denial of service by sending a string that does not contain a newline, then disconnecting from the server.BID 1677BUGTRAQ:20000911[EXPL] EFTP vulnerable to two DoS attackseftp-newline-dos409explorer.php in PhotoAlbum 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) attack.BID 1650BUGTRAQ:20000906 PhotoAlbum 0.9.9 explorer.php Vulnerabilityphpphoto-dir-traversenetstat in AIX 4.x.x does not properly restrict access to the -Zi option, which allows local users to clear network interface statistics and possibly hide evidence of unusual network activities.BID 1660BUGTRAQ:20000903 aix allows clearing the interface statsaix-clear-netstatEudora mail client includes the absolute path of the sender's host within a virtual card (VCF).BID 1653BUGTRAQ:20000907 Eudora disclosureXF:eudora-path-disclosure1545WFTPD and WFTPD Pro 2.41 RC12 allows remote attackers to cause a denial of service by sending a long string of unprintable characters.BUGTRAQ:20000905 WFTPD/WFTPD Pro 2.41 RC12 vulnerabilitiesXF:wftpd-long-string-doshttp://www.wftpd.com/bug_gpf.htmWFTPD and WFTPD Pro 2.41 RC12 allows remote attackers to obtain the full pathname of the server via a "%C" command, which generates an error message that includes the pathname.BUGTRAQ:20000905 WFTPD/WFTPD Pro 2.41 RC12 vulnerabilitiesXF:wftpd-path-disclosure5829mailform.pl CGI script in MailForm 2.0 allows remote attackers to read arbitrary files by specifying the file name in the XX-attach_file parameter, which MailForm then sends to the attacker.BID 1670BUGTRAQ:20000911 Unsafe passing of variables to mailform.pl in MailForm V2.0mailform-attach-fileThe mailto CGI script allows remote attacker to execute arbitrary commands via shell metacharacters in the emailadd form field.BID 1669BUGTRAQ:20000911 Fwd: Poor variable checking in mailto.cgimailto-piped-addressLPPlus programs dccsched, dcclpdser, dccbkst, dccshut, dcclpdshut, and dccbkstshut are installed setuid root and world executable, which allows arbitrary local users to start and stop various LPD services.BUGTRAQ:20000906 Multiple Security Holes in LPPlusBID 1643lpplus-permissions-dosLPPlus creates the lpdprocess file with world-writeable permissions, which allows local users to kill arbitrary processes by specifying an alternate process ID and using the setuid dcclpdshut program to kill the process that was specified in the lpdprocess file.BID 1643BUGTRAQ:20000906 Multiple Security Holes in LPPluslpplus-process-perms-dosThe dccscan setuid program in LPPlus does not properly check if the user has the permissions to print the file that is specified to dccscan, which allows local users to print arbitrary files.BID 1644BUGTRAQ:20000906 Multiple Security Holes in LPPluslpplus-dccscan-file-readIntel Express 500 series switches allow a remote attacker to cause a denial of service via a malformed ICMP packet, which causes the CPU to crash.BID 1647BUGTRAQ:20000906 VIGILANTE-2000010: Intel Express Switch series 500 DoS #2The default configuration of mod_perl for Apache as installed on Mandrake Linux 6.1 through 7.1 sets the /perl/ directory to be browseable, which allows remote attackers to list the contents of that directory.BID 1678XF:linux-mod-perlMANDRAKE:MDKSA-2000:046IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability.bugtraq id 1806MS00-0781806iis-unicode-translation436oval:org.mitre.oval:def:44Buffer overflows in Microsoft Network Monitor (Netmon) allow remote attackers to execute arbitrary commands via a long Browser Name in a CIFS Browse Frame, a long SNMP community name, or a long username or filename in an SMB session, aka the "Netmon Protocol Parsing" vulnerability. NOTE: It is highly likely that this candidate will be split into multiple candidates.MS:MS00-083IIS 5.0 allows remote attackers to execute arbitrary commands via a malformed request for an executable file whose name is appended with operating system commands, aka the "Web Server File Request Parsing" vulnerability.BID 1912MS:MS00-086BUGTRAQ:20001107 NSFOCUS SA2000-07 : Microsoft IIS 4.0/5.0 CGI File Name Inspection Vulnerability1912iis-invalid-filename-passing(5470)oval:org.mitre.oval:def:191named in BIND 8.2 through 8.2.2-P6 allows remote attackers to cause a denial of service by making a compressed zone transfer (ZXFR) request and performing a name service query on an authoritative record that is not cached, aka the "zxfr bug."BID 1923CONECTIVA:CLSA-2000:33920001107 BIND 8.2.2-P5 Possible DOSCA-2000-20RHSA-2000:10720001112 bind: remote Denial of Service20001115 Trustix Security Advisory - bind and openssh (and modutils)SuSE-SA:2000:45MDKSA-2000:067CLSA-2000:338bind-zxfr-dos(5540)named in BIND 8.2 through 8.2.2-P6 allows remote attackers to cause a denial of service by sending an SRV record to the server, aka the "srv bug."CERT:CA-2000-20CONECTIVA:CLSA-2000:339RHSA-2000:107MDKSA-2000:067CLSA-2000:33820001112 bind: remote Denial of ServiceSuSE-SA:2000:45bind-srv-dos(5814)Two Sun security certificates have been compromised, which could allow attackers to insert malicious code such as applets and make it appear that it is signed by Sun.CA-2000-19#00198periodic in FreeBSD 4.1.1 and earlier, and possibly other operating systems, allows local users to overwrite arbitrary files via a symlink attack.VU#626919periodic-temp-file-symlink(6047)23251754A default ECL in Lotus Notes before 5.02 allows remote attackers to execute arbitrary commands by attaching a malicious program in an email message that is automatically executed when the user opens the email.VU:5962SPR#CBAT45TU9Slotus-notes-bypass-ecl(5045)Some telnet clients allow remote telnet servers to request environment variables from the client that may contain sensitive information, or remote web servers to obtain the information via a telnet: URL.VU:#22404telnet-obtain-env-variable(6644)The presence of the Distributed GL Daemon (dgld) service on port 5232 on SGI IRIX systems allows remote attackers to identify the target host as an SGI system.VU#28027HTTP server on the WatchGuard SOHO firewall does not properly restrict access to administrative functions such as password resets or rebooting, which allows attackers to cause a denial of service or conduct unauthorized activities.ISS:20001214 Multiple vulnerabilities in the WatchGuard SOHO FirewallWatchguard SOHO Firewall HTTP Request Vulnerabilitywatchguard-soho-web-auth(5554)4404Buffer overflow in HTTP server on the WatchGuard SOHO firewall allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long GET request.ISS:20001214 Multiple vulnerabilities in the WatchGuard SOHO Firewallbid 2114WatchGuard SOHO configuration server can be remotely crashed4403WatchGuard SOHO firewall allows remote attackers to cause a denial of service via a flood of fragmented IP packets, which causes the firewall to drop connections and stop forwarding packets.bid 2113watchguard-soho-fragmented-packetsISS:20001214 Multiple vulnerabilities in the WatchGuard SOHO1690Small HTTP Server 2.03 and earlier allows remote attackers to cause a denial of service by repeatedly requesting a URL that references a directory that does not contain an index.html file, which consumes memory that is not released after the request is completed.BID 1941BUGTRAQ:20001114 Vulnerabilites in SmallHTTP Serverhttp://home.lanck.net/mf/srv/index.htmsmall-http-nofile-dos(5524)Small HTTP Server 2.01 does not properly process Server Side Includes (SSI) tags that contain null values, which allows local users, and possibly remote attackers, to cause the server to crash by inserting the SSI into an HTML file.BUGTRAQ:20001114 Vulnerabilites in SmallHTTP ServerSmall HTTP Server 2.01 allows remote attackers to cause a denial of service by connecting to the server and sending out multiple GET, HEAD, or POST requests and closing the connection before the server responds to the requests.BID 1942BUGTRAQ:20001114 Vulnerabilites in SmallHTTP ServerDirectory traversal vulnerability in ssi CGI program in thttpd 2.19 and earlier allows remote attackers to read arbitrary files via a "%2e%2e" string, a variation of the .. (dot dot) attack.BID 1737XF:acme-thttpd-ssiBUGTRAQ:20001002 thttpd ssi: retrieval of arbitrary world-readable filesFreeBSD-SA-00:73Format string vulnerability in screen 3.9.5 and earlier allows local users to gain root privileges via format characters in the vbell_msg initialization variable.XF:screen-format-stringBID 164120000906 Screen-3.7.6 local compromise20000905 screen 3.9.5 root vulnerabilityMDKSA-2000:04420000906 screen format string parsing security problemRHSA-2000:058FreeBSD-SA-00:46getalbum.php in PhotoAlbum before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) attack.XF:phpphotoalbum-getalbum-directory-traversalBID 165020000907 Re: PhotoAlbum 0.9.9 explorer.php VulnerabilityDirectory traversal vulnerability in Voyager web server 2.01B in the demo disks for QNX 405 allows remote attackers to read arbitrary files via a .. (dot dot) attack.BID 1648BUGTRAQ:20000901 Multiple QNX Voyager IssuesVoyager web server 2.01B in the demo disks for QNX 405 stores sensitive web client information in the .photon directory in the web document root, which allows remote attackers to obtain that information.BID 1648BUGTRAQ:20000901 Multiple QNX Voyager IssuesQNX Embedded Resource Manager in Voyager web server 2.01B in the demo disks for QNX 405 allows remote attackers to read sensitive system statistics information via the embedded.html web page.BID 1648BUGTRAQ:20000901 Multiple QNX Voyager IssuesDirectory traversal vulnerability in Moreover.com cached_feed.cgi script version 4.July.00 allows remote attackers to read arbitrary files via a .. (dot dot) attack on the category or format parameters.BID 1762XF:moreover-cgi-dir-traverseBUGTRAQ:20001002 Moreover Cached_Feed CGI VulnerabilityEServ 2.92 Build 2982 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via long HELO and MAIL FROM commands.WIN2KSEC:20000925 DST2K0030: DoS in EServ 2.92 Build 2982BrowseGate 2.80 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via long Authorization or Referer MIME headers in the HTTP request.BID 1702XF:browsegate-http-doshttp://www.netcplus.com/browsegate.htm#BGLatest20000921 DST2K0031: DoS in BrowseGate(Home) v2.80(H)20000921 DST2K0031: DoS in BrowseGate(Home) v2.80(H)Buffer overflow in the automatic mail checking component of Pine 4.21 and earlier allows remote attackers to execute arbitrary commands via a long From: header.XF:pine-check-mail-boBID 170920000922 [ no subject ]20001031 FW: Pine 4.30 now availableFreeBSD-SA-00:59RHSA-2000:102MDKSA-2000:073Horde library 1.02 allows attackers to execute arbitrary commands via shell metacharacters in the "from" address.XF:horde-imp-sendmail-commandBID 1674DEBIAN:20000910 imp: remote compromisehttp://ssl.coc-ag.de/sec/hordelib-1.2.0.frombug.patch20000908 horde library bug - unchecked from-addressIMP 2.2 and earlier allows attackers to read and delete arbitrary files by modifying the attachment_name hidden form variable, which causes IMP to send the file to the attacker as an attachment.XF:imp-attach-fileBID 1679BUGTRAQ:20000912 (SRADV00003) Arbitrary file disclosure through IMPMultiHTML CGI script allows remote attackers to read arbitrary files and possibly execute arbitrary commands by specifying the file name to the "multi" parameter.XF:http-cgi-multihtmlBUGTRAQ:20000913 MultiHTML vulnerabilitymod_rewrite in Apache 1.3.12 and earlier allows remote attackers to read arbitrary files if a RewriteRule directive is expanded to include a filename whose name contains a regular expression.BID 1728XF:apache-rewrite-view-files20000929 Security vulnerability in Apache mod_rewriteMDKSA-2000:060RHSA-2000:088RHSA-2000:095CSSA-2000-035.0HPSBUX0010-12620001011 Conectiva Linux Security Announcement - apacheOpenBSD 2.6 and earlier allows remote attackers to cause a denial of service by flooding the server with ARP requests.XF:bsd-arp-request-dosBID 1759BUGTRAQ:20001005 obsd_fun.c1592fingerd in FreeBSD 4.1.1 allows remote attackers to read arbitrary files by specifying the target file name instead of a regular user name.XF:freebsd-fingerd-filesBID 180320001002 [sa2c@and.or.jp: bin/21704: enabling fingerd makes files world readable]FreeBSD-SA-00:54433FreeBSD 4.1.1 and earlier, and possibly other BSD-based OSes, uses an insufficient random number generator to generate initial TCP sequence numbers (ISN), which allows remote attackers to spoof TCP connections.BID 1766FREEBSD:FreeBSD-SA-00:52Format string vulnerability in use_syslog() function in LPRng 3.6.24 allows remote attackers to execute arbitrary commands.BID 1712XF:lprng-format-string20000925 Format strings: bug #2: LPRngCA-2000-22CSSA-2000-033.0RHSA-2000:065FreeBSD-SA-00:56Format string vulnerability in kvt in KDE 1.1.2 may allow local users to execute arbitrary commands via a DISPLAY environmental variable that contains formatting characters.BUGTRAQ:20000919 kvt format bugBID 1700Directory traversal vulnerability in PHPix Photo Album 1.0.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack.XF:phpix-dir-traversalBID 177320001007 PHPix advisory472Directory traversal vulnerability in BOA web server 0.94.8.2 and earlier allows remote attackers to read arbitrary files via a modified .. (dot dot) attack in the GET HTTP request that uses a "%2E" instead of a "."BID 1770XF:boa-webserver-get-dir-traversal20001006 Vulnerability in BOA web server v0.94.8.2FreeBSD-SA-00:6020001009 boa: exposes contents of local filesDirectory traversal vulnerability in Hassan Consulting shop.cgi shopping cart program allows remote attackers to read arbitrary files via a .. (dot dot) attack on the page parameter.XF:hassan-shopping-cart-dir-traversalBID 177720001007 Security Advisory: Hassan Consulting's shop.cgi Directory Traversal Vulnerability.1596Directory traversal vulnerability in Bytes Interactive Web Shopper shopping cart program (shopper.cgi) 2.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack on the newpage parameter.XF:web-shopper-directory-traversalBID 177620001008 Security Advisory: Bytes Interactive's Web Shopper (shopper.cgi) Directory Traversal Vulnerabilityauthenticate.cgi CGI program in Aplio PRO allows remote attackers to execute arbitrary commands via shell metacharacters in the password parameter.BID 1784XF:uclinux-apliophone-bin-executeBUGTRAQ:20001006 Fwd: APlio PRO web shellDirectory traversal vulnerability in search.cgi CGI script in Armada Master Index allows remote attackers to read arbitrary files via a .. (dot dot) attack in the "catigory" parameter.BID 1772BUGTRAQ:20001009 Master Index traverse advisorymaster-index-directory-traversal461The default installation of SmartWin CyberOffice Shopping Cart 2 (aka CyberShop) installs the _private directory with world readable permissions, which allows remote attackers to obtain sensitive information.BID 1734WIN2KSEC:20001002 DST2K0035: Credit card (customer) details exposed within CyberOff ice Shopping Cart v220001002 DST2K0035: Credit card (customer) details exposed within CyberOff ice Shopping Cart v2cyberoffice-world-readable-directorySmartWin CyberOffice Shopping Cart 2 (aka CyberShop) allows remote attackers to modify price information by changing the "Price" hidden form variable.BID 1733WIN2KSEC:20001002 DST2K0036: Price modification possible in CyberOffice Shopping Cart20001002 DST2K0036: Price modification possible in CyberOffice Shopping Cartcyberoffice-price-modificationWQuinn QuotaAdvisor 4.1 does not properly record file sizes if they are stored in alternative data streams, which allows users to bypass quota restrictions.BID 1724XF:quotaadvisor-quota-bypass20000928 DST2K0037: QuotaAdvisor 4.1 by WQuinn is susceptible to alternati ve datastreams to bypass quotas.20000928 DST2K0037: QuotaAdvisor 4.1 by WQuinn is susceptible to alternati ve datastreams to bypass quotas.WQuinn QuotaAdvisor 4.1 allows users to list directories and files by running a report on the targeted shares.BID:1765BUGTRAQ:20001006 DST2K0040: QuotaAdvisor 4.1 by WQuinn susceptible to any user bei ng able to list (not read) all files on any server running QuotaAdvisor.quotaadvisor-list-filesMicrosoft Windows Media Player 7 allows attackers to cause a denial of service in RTF-enabled email clients via an embedded OCX control that is not closed properly, aka the "OCX Attachment" vulnerability.XF:mediaplayer-outlook-dosBID 1714MS:MS00-06820000929 Malformed Embedded Windows Media Player 7 "OCX Attachment"Pegasus Mail 3.12 allows remote attackers to read arbitrary files via an embedded URL that calls the mailto: protocol with a -F switch.XF:pegasus-file-forwardingBID 1738BUGTRAQ:20001030 Pegasus Mail file reading vulnerability20001003 Pegasus mail file reading vulnerabilityBuffer overflow in Pegasus Mail 3.11 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long email message containing binary data.BID 1750BUGTRAQ:20001004 Another Pegasus Mail vulnerabilityMAILsweeper for SMTP 3.x does not properly handle corrupt CDA documents in a ZIP file and hangs, which allows remote attackers to cause a denial of service.NTBUGTRAQ:20000926 FW: DOS for Content Technologies' MAILsweeper for SMTP.mailsweeper-smtp-dosThe Input Method Editor (IME) in the Simplified Chinese version of Windows 2000 does not disable access to privileged functionality that should normally be restricted, which allows local users to gain privileges, aka the "Simplified Chinese IME State Recognition" vulnerability.XF:win2k-simplified-chinese-imeBID 1729MS:MS00-069Glint in Red Hat Linux 5.2 allows local users to overwrite arbitrary files and cause a denial of service via a symlink attack.XF:glint-symlinkBID 1703REDHAT:RHSA-2000:062-03RHSA-2000:062Samba Web Administration Tool (SWAT) in Samba 2.0.7 allows local users to overwrite arbitrary files via a symlink attack on the cgi.log file.XF:samba-swat-logging-sym-linkBID:1872BUGTRAQ:20001030 Samba 2.0.7 SWAT vulnerabilitiesSamba Web Administration Tool (SWAT) in Samba 2.0.7 installs the cgi.log logging file with world readable permissions, which allows local users to read sensitive information such as user names and passwords.XF:samba-swat-logfile-infoBID:1874BUGTRAQ:20001030 Samba 2.0.7 SWAT vulnerabilitiesSamba Web Administration Tool (SWAT) in Samba 2.0.7 does not log login attempts in which the username is correct but the password is wrong, which allows remote attackers to conduct brute force password guessing attacks.XF:samba-swat-brute-forceBID 1873BUGTRAQ:20001030 Samba 2.0.7 SWAT vulnerabilitiesSamba Web Administration Tool (SWAT) in Samba 2.0.7 supplies a different error message when a valid username is provided versus an invalid name, which allows remote attackers to identify valid users on the server.BUGTRAQ:20001030 Samba 2.0.7 SWAT vulnerabilitiessamba-swat-brute-force(5442)Samba Web Administration Tool (SWAT) in Samba 2.0.7 allows remote attackers to cause a denial of service by repeatedly submitting a nonstandard URL in the GET HTTP request and forcing it to restart.XF:samba-swat-url-filename-dosBUGTRAQ:20001030 Samba 2.0.7 SWAT vulnerabilitiesDirectory traversal vulnerability in Metertek pagelog.cgi allows remote attackers to read arbitrary files via a .. (dot dot) attack on the "name" or "display" parameter.XF:pagelog-cgi-dir-traverseBID 1864BUGTRAQ:20001029 Minor bug in Pagelog.cgiKootenay Web KW Whois 1.0 CGI program allows remote attackers to execute arbitrary commands via shell metacharacters in the "whois" parameter.BID 1883XF:kw-whois-metaBUGTRAQ:20001029 Re: Remote command execution via KW Whois 1.0 (addition)http://www.kootenayweb.bc.ca/scripts/whois.txt20001029 Remote command execution via KW Whois 1.0The CiWebHitsFile component in Microsoft Indexing Services for Windows 2000 allows remote attackers to conduct a cross site scripting (CSS) attack via a CiRestriction parameter in a .htw request, aka the "Indexing Services Cross Site Scripting" vulnerability. XF:iis-htw-cross-scriptingBID 1861MS:MS00-08420001028 IIS 5.0 cross site scripting vulnerability - using .htwBuffer overflow in bftp daemon (bftpd) 1.0.11 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long USER command.XF:bftpd-user-boBUGTRAQ:20001027 Potential Security Problem in bftpd-1.0.111858CGI Script Center News Update 1.1 does not properly validate the original news administration password during a password change operation, which allows remote attackers to modify the password without knowing the original password.XF:news-update-bypass-passwordBID 1881BUGTRAQ:20001027 CGI-Bug: News Update 1.1 administration password bugThe web configuration interface for Catalyst 3500 XL switches allows remote attackers to execute arbitrary commands without authentication when the enable password is not set, via a URL containing the /exec/ directory.XF:cisco-catalyst-remote-commandsBUGTRAQ:20001026 Advisory def-2000-02: Cisco Catalyst remote command executionBID 184620001113 Re: 3500XL444Compaq Easy Access Keyboard software 1.3 does not properly disable access to custom buttons when the screen is locked, which could allow an attacker to gain privileges or execute programs without authorization.NTBUGTRAQ:20001012 Security issue with Compaq Easy Access Keyboard softwarehttp://www5.compaq.com/support/files/desktops/us/revision/1723.htmlcompaq-ea-elevate-privileges5831Format string vulnerability in cfd daemon in GNU CFEngine before 1.6.0a11 allows attackers to execute arbitrary commands via format characters in the CAUTH command.BID 1757MANDRAKE:MDKSA-2000:06120001002 Very probable remote root vulnerability in cfengineNetBSD-SA2000-013cfengine-cfd-format-stringGnoRPM before 0.95 allows local users to modify arbitrary files via a symlink attack.BID 1761XF:gnorpm-temp-symlink20001002 GnoRPM local /tmp vulnerability20001003 Conectiva Linux Security Announcement - gnorpmMDKSA-2000:055RHSA-2000:07220001011 Immunix OS Security Update for gnorpm packageHeap overflow in savestr function in LBNL traceroute 1.4a5 and earlier allows a local user to execute arbitrary commands via the -g option.BID 1739XF:traceroute-heap-overflow20000928 Very interesting traceroute flawCSSA-2000-034.0MDKSA-2000:053RHSA-2000:07820001013 traceroute: local root exploitTLSA2000023-120000930 Conectiva Linux Security Announcement - tracerouteFormat string vulnerability in x-gw in TIS Firewall Toolkit (FWTK) allows local users to execute arbitrary commands via a malformed display name.XF:tisfwtk-xgw-execute-codeBUGTRAQ:20001026 FWTK x-gw Security Advisory [GSA2000-01]A misconfiguration in IIS 5.0 with Index Server enabled and the Index property set allows remote attackers to list directories in the web root via a Web Distributed Authoring and Versioning (WebDAV) search.XF:iis-index-dir-traverseBID 1756A100400-1Q272079global.cgi CGI program in Global 3.55 and earlier on NetBSD allows remote attackers to execute arbitrary commands via shell metacharacters.XF:global-execute-remote-commandsNETBSD:NetBSD-SA2000-014BID 18546486Shambala Server 4.5 allows remote attackers to cause a denial of service by opening then closing a connection.XF:shambala-connection-dosBID 1778BUGTRAQ:20001009 Shambala 4.5 vulnerabilityShambala Server 4.5 stores passwords in plaintext, which could allow local users to obtain the passwords and compromise the server.XF:shambala-password-plaintextBID 1771BUGTRAQ:20001009 Shambala 4.5 vulnerabilityCisco Virtual Central Office 4000 (VCO/4K) uses weak encryption to store usernames and passwords in the SNMP MIB, which allows an attacker who knows the community name to crack the password and gain privileges. XF:cisco-vco-snmp-passwordsBID 1885ATSTAKE:A102600-1cyrus-sasl before 1.5.24 in Red Hat Linux 7.0 does not properly verify the authorization for a local user, which could allow the users to bypass specified access restrictions.XF:cyrus-sasl-gain-accessBID 1875REDHAT:RHSA-2000:094-01The pluggable authentication module for mysql (pam_mysql) before 0.4.7 does not properly cleanse user input when constructing SQL statements, which allows attackers to obtain plaintext passwords or hashes.XF:pammysql-auth-inputBUGTRAQ:20001026 (SRADV00004) Remote and local vulnerabilities in pam_mysqlBID 1850HotJava Browser 3.0 allows remote attackers to access the DOM of a web page by opening a javascript: URL in a named window.XF:hotjava-browser-dom-accessBUGTRAQ:20001025 HotJava Browser 3.0 JavaScript security vulnerabilityglibc2 does not properly clear the LD_DEBUG_OUTPUT and LD_DEBUG environmental variables when a program is spawned from a setuid program, which could allow local users to overwrite files via a symlink attack.XF:glibc-unset-symlinkBID 171920000926 ld.so bug - LD_DEBUG_OUTPUT follows symlinksThe POP3 server in Netscape Messaging Server 4.15p1 generates different error messages for incorrect user names versus incorrect passwords, which allows remote attackers to determine valid users on the system and harvest email addresses for spam abuse.XF:netscape-messaging-email-verifyBID 178720001011 Netscape Messaging server 4.15 poor error stringsBuffer overflow in IMAP server in Netscape Messaging Server 4.15 Patch 2 allows local users to execute arbitrary commands via a long LIST command.XF:netscape-messaging-list-dosBID 172120000928 commercial products and security [ + new bug ]The IPSEC implementation in OpenBSD 2.7 does not properly handle empty AH/ESP packets, which allows remote attackers to cause a denial of service.BID 1723BUGTRAQ:20000925 Nmap Protocol Scanning DoS against OpenBSD IPSECopenbsd-nmap-dos1574Buffer overflow in ncurses library allows local users to execute arbitrary commands via long environmental information such as TERM or TERMINFO_DIRS.BID 1142CALDERA:CSSA-2000-036.020001009 ncurses buffer overflowsgnu-ncurses-term-terminfodirs-bo(44487)Buffer overflow in the web administration service for the HiNet LP5100 IP-phone allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long GET request.XF:hinet-ipphone-get-boBID 172720000928 Another thingy.The NSAPI plugins for TGA and the Java Servlet proxy in HP-UX VVOS 10.24 and 11.04 allows an attacker to cause a denial of service (high CPU utilization).HP:HPSBUX0010-124XF:hp-virtualvault-nsapi-dosBuffer overflows in lpspooler in the fileset PrinterMgmt.LP-SPOOL of HP-UX 11.0 and earlier allows local users to gain privileges.XF:hp-lpspooler-boHP:HPSBUX0010-1257244PHP 3 and 4 do not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands by triggering error messages that are improperly written to the error logs.BID 1786XF:php-logging-format-stringA101200-1MDKSA-2000:062CSSA-2000-037.0FreeBSD-SA-00:75RHSA-2000:088RHSA-2000:09520001012 Conectiva Linux Security Announcement - mod_php3Buffer overflow in Half Life dedicated server before build 3104 allows remote attackers to execute arbitrary commands via a long rcon command.BID 1799XF:halflife-server-changelevel-bo20001016 Half-Life Dedicated Server Vulnerability20001024 Tamandua Sekure Labs Security Advisory 2000-0120001027 Re: Half Life dedicated server PatchFormat string vulnerability in Half Life dedicated server build 3104 and earlier allows remote attackers to execute arbitrary commands by injecting format strings into the changelevel command, via the system console or rcon.XF:halflife-rcon-format-stringBID 184720001016 Half-Life Dedicated Server Vulnerability20001024 Tamandua Sekure Labs Security Advisory 2000-0120001027 Re: Half Life dedicated server Patch6983IIS 4.0 and 5.0 .ASP pages send the same Session ID cookie for secure and insecure web sessions, which could allow remote attackers to hijack the secure web session of the user if that user moves to an insecure session, aka the "Session ID Cookie Marking" vulnerability.XF:session-cookie-remote-retrievalMS:MS00-0807265Avirt Mail 4.0 and 4.2 allows remote attackers to cause a denial of service and possible execute arbitrary commands via a long "RCPT TO" or "MAIL FROM" command.XF:avirt-rcpt-to-dosXF:avirt-mail-from-dosBUGTRAQ:20001023 Avirt Mail 4.x DoSHP-UX 11.00 crontab allows local users to read arbitrary files via the -e option by creating a symlink to the target file during the crontab session, quitting the session, and reading the error messages that crontab generates.XF:hp-crontab-read-filesBUGTRAQ:20001020 [ Hackerslab bug_paper ] HP-UX crontab temporary file symbolic link vulnerabilityBuffer overflow in curl earlier than 6.0-1.1, and curl-ssl earlier than 6.0-1.2, allows remote attackers to execute arbitrary commands by forcing a long error message to be generated.XF:curl-error-boBID 1804RHBA-2000:092-01FreeBSD-SA-00:72GnuPG (gpg) 1.0.3 does not properly check all signatures of a file containing multiple documents, which allows an attacker to modify contents of all documents but the first without detection.BID 1797XF:gnupg-message-modify20001011 GPG 1.0.3 doesn't detect modifications to files with multiple signatures20001111 gnupg: incorrect signature verificationFreeBSD-SA-00:67RHSA-2000:089CSSA-2000-038.0CLSA-2000:33420001025 Immunix OS Security Update for gnupg package1608Directory traversal vulnerability in apexec.pl in Anaconda Foundation Directory allows remote attackers to read arbitrary files via a .. (dot dot) attack.BUGTRAQ:20001012 Anaconda Advisoryanaconda-apexec-directory-traversal435Buffer overflow in xlib in XFree 3.3.x possibly allows local users to execute arbitrary commands via a long DISPLAY environment variable or a -display command line parameter.BID 1805BUGTRAQ:20001012 another Xlib buffer overflow20020502-01-Ixfree-xlib-bo(5751)mailfile.cgi CGI program in MailFile 1.10 allows remote attackers to read arbitrary files by specifying the target file name in the "filename" parameter in a POST request, which is then sent by email to the address specified in the "email" parameter.BID 1807BUGTRAQ:20001011 Mail File POST Vulnerabilitymailfile-post-file-readbbd server in Big Brother System and Network Monitor before 1.5c2 allows remote attackers to execute arbitrary commands via the "&" shell metacharacter.BID 1779BUGTRAQ:20001010 Big Brother Systems and Network Monitor vulnerabilitybb4-netmon-execute-commandsFile and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level Password" vulnerability.XF:win9x-share-level-passwordBID 1780MS:MS00-07220001012 NSFOCUS SA2000-05: Microsoft Windows 9x NETBIOS passwordoval:org.mitre.oval:def:996NMPI (Name Management Protocol on IPX) listener in Microsoft NWLink does not properly filter packets from a broadcast address, which allows remote attackers to cause a broadcast storm and flood the network.XF:win-nmpi-packet-dosBID 1781MS:MS00-073MySQL Database Engine uses a weak authentication method which leaks information that could be used by a remote attacker to recover the password.XF:mysql-authenticationBID 1826http://www.mysql.com/documentation/mysql/commented/manual.php?section=Security20001023 [CORE SDI ADVISORY] MySQL weak authenticationInternet Explorer before 5.5 forwards cached user credentials for a secure web site to insecure pages on the same web site, which could allow remote attackers to obtain the credentials by monitoring connections to the web server, aka the "Cached Web Credentials" vulnerability.XF:ie-cache-infoBID 1793MS:MS00-076Microsoft NetMeeting with Remote Desktop Sharing enabled allows remote attackers to cause a denial of service (CPU utilization) via a sequence of null bytes to the NetMeeting port, aka the "NetMeeting Desktop Sharing" vulnerability.XF:netmeeting-desktop-sharing-dosBID 179820001018 Denial of Service attack against computers running Microsoft NetMeetingMS00-077Q273854The HTTP server in Cisco IOS 12.0 through 12.1 allows local users to cause a denial of service (crash and reload) via a URL containing a "?/" string.XF:cisco-ios-query-dosCISCO:20001025 Cisco IOS HTTP Server Query VulnerabilityBID 1838cisco-ios-query-dos(5412)Buffer overflow in All-Mail 1.1 allows remote attackers to execute arbitrary commands via a long "MAIL FROM" or "RCPT TO" command.BID 1789ATSTAKE:A101200-2Buffer overflow in Oracle 8.1.5 applications such as names, namesctl, onrsd, osslogin, tnslsnr, tnsping, trcasst, and trcroute possibly allow local users to gain privileges via a long ORACLE_HOME environmental variable.XF:oracle-home-boBUGTRAQ:20001020 [ Hackerslab bug_paper ] Linux ORACLE 8.1.5 vulnerabilityBuffer overflow in oidldapd in Oracle 8.1.6 allow local users to gain privileges via a long "connect" command line parameter.BUGTRAQ:20001020 In response to posting 10/18/2000 vulnerability in Oracle Internet Directory in Oracle 8.1.6XF:oracle-oidldap-boBID 182820001018 vulnerability in Oracle Internet Directory in Oracle 8.1.6WinU 1.0 through 5.1 has a backdoor password that allows remote attackers to gain access to its administrative interface and modify configuration.XF:winu-backdoorBID 180120001013 WinU Backdoor passwords!!!!http://www.bardon.com/pwdcrack.htmBuffer overflow in Intel InBusiness eMail Station 1.04.87 POP service allows remote attackers to cause a denial of service and possibly execute commands via a long username.XF:intel-email-username-boBUGTRAQ:20001020 DoS in Intel corporation 'InBusiness eMail Station'BID 18446488cmd5checkpw 0.21 and earlier allows remote attackers to cause a denial of service via an "SMTP AUTH" command with an unknown username.XF:cmd5checkpw-qmail-bypass-authenticationBID 1809BUGTRAQ:20001016 Authentication failure in cmd5checkpw 0.21http://members.elysium.pl/brush/cmd5checkpw/changes.htmlBuffer overflow in Hilgraeve, Inc. HyperTerminal client on Windows 98, ME, and 2000 allows remote attackers to execute arbitrary commands via a long telnet URL, aka the "HyperTerminal Buffer Overflow" vulnerability.XF:win-hyperterminal-telnet-boBID 1815MS:MS00-079Directory traversal vulnerability in scp in sshd 1.2.xx allows a remote malicious scp server to overwrite arbitrary files via a .. (dot dot) attack.BID 1742BUGTRAQ:20000930 scp file transfer holeMDKSA-2000:057scp-overwrite-filesFormat string vulnerability in pw_error function in BSD libutil library allows local users to gain root privileges via a malformed password in commands such as chpass or passwd.XF:bsd-libutil-formatBID 174420001003 A format string vulnerability exists in the pw_error(3) function.NetBSD-SA2000-015FreeBSD-SA-00:5820001004 Re: OpenBSD Security AdvisoryFormat string vulnerability in OpenBSD fstat program (and possibly other BSD-based operating systems) allows local users to gain root privileges via the PWD environmental variable.XF:bsd-fstat-formatBID 1746OPENBSD:20001006 There are printf-style format string bugs in several privileged programs.20001004 Re: OpenBSD Security AdvisoryFormat string vulnerability in OpenBSD yp_passwd program (and possibly other BSD-based operating systems) allows attackers to gain root privileges a malformed name.OPENBSD:20001006 There are printf-style format string bugs in several privileged programs.bsd-yp-passwd-format6125Format string vulnerability in OpenBSD su program (and possibly other BSD-based operating systems) allows local attackers to gain root privileges via a malformed shell.OPENBSD:20001006 There are printf-style format string bugs in several privileged programs.bsd-su-format6124Format string vulnerabilities in eeprom program in OpenBSD, NetBSD, and possibly other operating systems allows local attackers to gain root privileges.XF:bsd-eeprom-formatBID 1752ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patchFormat string vulnerability in top program allows local attackers to gain root privileges via the "kill" or "renice" function.BID 1895FREEBSD:FreeBSD-SA-00:62ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patchFormat string vulnerabilities in OpenBSD ssh program (and possibly other BSD-based operating systems) allow attackers to gain root privileges.OPENBSD:20001006 There are printf-style format string bugs in several privileged programs.Format string vulnerability in AOL Instant Messenger (AIM) 4.1.2010 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by transferring a file whose name includes format characters.XF:aim-file-transfer-dosBID 1747BUGTRAQ:20001003 AOL Instant Messenger DoSadd_2_basket.asp in Element InstantShop allows remote attackers to modify price information via the "price" hidden form variable.BUGTRAQ:200024 Price modification in Element InstantShopBID 1836instantshop-modify-price6487POP3 daemon in Stalker CommuniGate Pro 3.3.2 generates different error messages for invalid usernames versus invalid passwords, which allows remote attackers to determine valid email addresses on the server for SPAM attacks.BID 1792XF:communigate-email-verifyBUGTRAQ:20001012 Re: Netscape Messaging server 4.15 poor error stringsNETBIOS client in Windows 95 and Windows 98 allows a remote attacker to cause a denial of service by changing a file sharing service to return an unknown driver type, which causes the client to crash.XF:win-netbios-driver-type-dosBID 179420001012 NSFOCUS SA2000-04: Microsoft Win9x client driver type comparing vulnerabilityFormat string vulnerability in OpenBSD photurisd allows local users to execute arbitrary commands via a configuration file directory name that contains formatting characters.XF:bsd-photurisd-formatBUGTRAQ:20001004 Re: OpenBSD Security Advisory6123Directory traversal vulnerability in html_web_store.cgi and web_store.cgi CGI programs in eXtropia WebStore allows remote attackers to read arbitrary files via a .. (dot dot) attack on the page parameter.XF:extropia-webstore-filereadBID 177420001009 Security Advisory : eXtropia WebStore (web_store.cgi) Directory Traversal VulnerabilityMicrosoft Exchange Server 5.5 does not properly handle a MIME header with a blank charset specified, which allows remote attackers to cause a denial of service via a charset="" command, aka the "Malformed MIME Header" vulnerability.BID 1869XF:ms-exchange-mime-dosMS:MS00-082I-gear 3.5.7 and earlier does not properly process log entries in which a URL is longer than 255 characters, which allows an attacker to cause reporting errors.NTBUGTRAQ:20001025 I-gear 3.5.x for Microsoft Proxy logging vulnerability + temporary fix.igear-invalid-log(5791)PalmOS 3.5.2 and earlier uses weak encryption to store the user password, which allows attackers with physical access to the Palm device to decrypt the password and gain access to the device.BID 1715ATSTAKE:A092600- 1dump in Red Hat Linux 6.2 trusts the pathname specified by the RSH environmental variable, which allows local users to obtain root privileges by modifying the RSH variable to point to a Trojan horse program.BID 1871XF:linux-dump-execute-code20001030 Redhat 6.2 dump command executes external program with suid priviledge.Format string vulnerability in talkd in OpenBSD and possibly other BSD-based OSes allows remote attackers to execute arbitrary commands via a user name that contains format characters.XF:linux-talkd-overwrite-rootBID 1764BUGTRAQ:20001006 talkd [WAS: Re: OpenBSD Security Advisory]Buffer overflow in catopen() function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to gain root privileges via a long environmental variable.FREEBSD:FreeBSD-SA-00:53freebsd-catopen-bo6070The catopen function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to read arbitrary files via the LANG environmental variable.FREEBSD:FreeBSD-SA-00:53The setlocale function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to read arbitrary files via the LANG environmental variable.FREEBSD:FreeBSD-SA-00:53Format string vulnerability in the search97.cgi CGI script in SCO help http server for Unixware 7 allows remote attackers to execute arbitrary commands via format characters in the queryText parameter.XF:unixware-scohelp-formatBID:171720000927 Unixware SCOhelp http server format string vulnerability3240The default configuration of Slashcode before version 2.0 Alpha has a default administrative password, which allows remote attackers to gain Slashcode priviliges and possibly execute arbitrary commands.XF:slashcode-default-admin-passwordsBID 1731BUGTRAQ:20000929 Default admin password with Slashcode.The default configuration of Apache (httpd.conf) on SuSE 6.4 includes an alias for the /usr/doc directory, which allows remote attackers to read package documentation and obtain system configuration information via an HTTP request for the /doc/packages URL.XF:suse-installed-packages-exposedBID 170720000921 httpd.conf in Suse 6.4Webteachers Webdata allows remote attackers with valid Webdata accounts to read arbitrary files by posting a request to import the file into the WebData database.BID 1732BUGTRAQ:20001003 Update to DST2K0039: Webteachers Webdata: Importing files lower t han web root possible in to database20001002 DST2K0039: Webteachers Webdata: Importing files lower than web ro ot possible in to databaseshred 1.0 file wiping utility does not properly open a file for overwriting or flush its buffers, which prevents shred from properly replacing the file's data and allows local users to recover the file.BID 1788BUGTRAQ:20001011 Shred v1.0 Fix20001010 Shred 1.0 Bug Reportshred-recover-filesSearch engine in Ultraseek 3.1 and 3.1.10 (aka Inktomi Search) allows remote attackers to cause a denial of service via a malformed URL.XF:ultraseek-malformed-url-dosBID 186620001030 Ultraseek 3.1.x Remote DoS VulnerabilityHeap overflow in Worldclient in Mdaemon 3.1.1 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long URL.XF:mdaemon-url-dosBID 168920000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoSHeap overflow in WebConfig in Mdaemon 3.1.1 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long URL.XF:mdaemon-url-dosBID 168920000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoSThe mailguard feature in Cisco Secure PIX Firewall 5.2(2) and earlier does not properly restrict access to SMTP commands, which allows remote attackers to execute restricted commands by sending a DATA command before sending the restricted commands.BID 1698XF:cisco-pix-smtp-filtering20000919 Cisco PIX Firewall (smtp content filtering hack)20000920 Re: Cisco PIX Firewall (smtp content filtering hack) - Version 4.2(1) not exploitable20001005 Cisco Secure PIX Firewall Mailguard VulnerabilityThe Alabanza Control Panel does not require passwords to access administrative commands, which allows remote attackers to modify domain name information via the nsManager.cgi CGI program.XF:alabanza-unauthorized-accessBID 171020000924 Major Vulnerability in Alabanza Control PaneleWave ServletExec 3.0C and earlier does not restrict access to the UploadServlet Java/JSP servlet, which allows remote attackers to upload files and execute arbitrary commands.http://xforce.iss.net/static/5450.phpBID 187620001101 Unify eWave ServletExec uploadeWave ServletExec JSP/Java servlet engine, versions 3.0C and earlier, allows remote attackers to cause a denial of service via a URL that contains the "/servlet/" string, which invokes the ServletExec servlet and causes an exception if the servlet is already running.BID 1868BUGTRAQ:20001030 Unify eWave ServletExec DoSewave-servletexec-dosMultiple buffer overflows in LBNL tcpdump allow remote attackers to execute arbitrary commands.BID 1870FreeBSD-SA-00:61SuSE-SA:2000:46tcpdump-afs-packet-overflow(5480)Cisco Secure PIX Firewall 5.2(2) allows remote attackers to determine the real IP address of a target FTP server by flooding the server with PASV requests, which includes the real IP address in the response when passive mode is established.BID 1877BUGTRAQ:20001003 Cisco PIX Firewall allow external users to discover internal Ipscisco-pix-reveal-address1623Buffer overflow in cu program in HP-UX 11.0 may allow local users to gain privileges via a long -l command line argument.BID 1886BUGTRAQ:20001102 HPUX cu -l option buffer overflow vulnerabilitBuffer overflow in host command allows a remote attacker to execute arbitrary commands via a long response to an AXFR query.BID 1887BUGTRAQ:20001027 old version of host command vulnearbilityCS&T CorporateTime for the Web returns different error messages for invalid usernames and invalid passwords, which allows remote attackers to determine valid usernames on the server.BID 188820001031 Re: Samba 2.0.7 SWAT vulnerabilitiesBuffer overflow in dtterm in HP-UX 11.0 and HP Tru64 UNIX 4.0f through 5.1a allows local users to execute arbitrary code via a long -tn option.BID:1889HP:HPSBUX0011-12820000810 Re: Possible vulnerability in HPUX ( Add vulnerability List )20020902 Happy Labor Day from Snosoft20020919 iDEFENSE OSF1/Tru64 3.x vuln clarificationSSRT2275VU#320067hp-dtterm(5461)The client authentication interface for Check Point Firewall-1 4.0 and earlier generates different error messages for invalid usernames versus invalid passwords, which allows remote attackers to identify valid usernames on the firewall.BID 1890BUGTRAQ:20001101 Re: Samba 2.0.7 SWAT vulnerabilitiesfw1-login-response(5816)1632Serv-U FTP Server allows remote attackers to bypass its anti-hammering feature by first logging on as a valid user (possibly anonymous) and then attempting to guess the passwords of other users.XF:ftp-servu-brute-forceBID 186020001029 Brute Forcing FTP Servers with enabled anti-hammering (anti brute-force) modusBuffer overflow in the System Monitor ActiveX control in Windows 2000 allows remote attackers to execute arbitrary commands via a long LogFileName parameter in HTML source code, aka the "ActiveX Parameter Validation" vulnerability.BID 1899MS:MS00-08520001106 System Monitor ActiveX Buffer Overflow Vulnerabilitysystem-monitor-activex-bo(5467)Buffer overflows in TYPSoft FTP Server 0.78 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long USER, PASS, or CWD command.BID 1690http://www.synnergy.net/Archives/Advisories/dethy/typsoft-ftpd.txt20000912 TYPSoft FTP Server remote DoS ProblemDirectory traversal vulnerability in Extent RBS ISP web server allows remote attackers to read sensitive information via a .. (dot dot) attack on the Image parameter.BID 1704XF:rbs-isp-directory-traversalBUGTRAQ:20000920 Extent RBS directory Transversal.Check Point Firewall-1 session agent 3.0 through 4.1 generates different error messages for invalid user names versus invalid passwords, which allows remote attackers to determine valid usernames and guess a password via a brute force attack.BID 1662BUGTRAQ:20000815 Firewall-1 session agent 3.0 -> 4.1, dictionnary and brute force attackThe web administration interface for IBM AS/400 Firewall allows remote attackers to cause a denial of service via an empty GET request.XF:as400-firewall-dosAIXAPAR:SA90544SA90544Various TCP/IP stacks and network applications allow remote attackers to cause a denial of service by flooding a target host with TCP connection attempts and completing the TCP/IP handshake without maintaining the connection state on the attacker host, aka the "NAPTHA" class of vulnerabilities. NOTE: this candidate may change significantly as the security community discusses the technical nature of NAPTHA and learns more about the affected applications. This candidate is at a higher level of abstraction than is typical for CVE.BID 2022CERT:CA-2000-21MS:MS00-09120001130 The NAPTHA DoS vulnerabilities20001204 NAPTHA Advisory Updated - BindView RAZORFormat string vulnerability in logging function of ypbind 3.3, while running in debug mode, leaks file descriptors and allows an attacker to cause a denial of service.BID 1820REDHAT:RHSA-2000:086-0520001014 nis: local exploitMDKSA-2000:064SuSE-SA:2000:042RHSA-2000:086CSSA-2000-039.020001025 Immunix OS Security Update for ypbind package20001030 Trustix Security Advisory - ping gnupg ypbindypbind-printf-format-stringBuffer overflow in ypbind 3.3 possibly allows an attacker to gain root privileges.CALDERA:CSSA-2000-039.0SUSE:SuSE-SA:2000:042MANDRAKE:MDKSA-2000:064ypbind-remote-boBuffer overflow in ypserv in Mandrake Linux 7.1 and earlier, and possibly other Linux operating systems, allows an attacker to gain root privileges when ypserv is built without a vsyslog() function.MANDRAKE:MDKSA-2000:064linux-ypserv-boFormat string vulnerability in ypserv in Mandrake Linux 7.1 and earlier, and possibly other Linux operating systems, allows an attacker to gain root privileges when ypserv is built without a vsyslog() function.MANDRAKE:MDKSA-2000:064linux-ypserv-format-stringFormat string vulnerability in ypbind-mt in SuSE SuSE-6.2, and possibly other Linux operating systems, allows an attacker to gain root privileges.BID 1820SUSE:SuSE-SA:2000:042ypbind-printf-format-stringnss_ldap earlier than 121, when run with nscd (name service caching daemon), allows remote attackers to cause a denial of service via a flood of LDAP requests.MANDRAKE:MDKSA-2000-066BID 1863REDHAT:RHSA-2000:024nssldap-nscd-dosMultiple buffer overflows in the ESMTP service of Lotus Domino 5.0.2c and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via long (1) "RCPT TO," (2) "SAML FROM," or (3) "SOML FROM" commands.BUGTRAQ:20000911 Advisory Code: VIGILANTE-2000011 Lotus Domino ESMTP Service Buffer overflowBuffer overflow in SMTP service of Lotus Domino 5.0.4 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long ENVID keyword in the "MAIL FROM" command.BID:1905BUGTRAQ:20001103 [SAFER] Buffer overflow in Lotus Domino SMTP Serverlotus-domino-smtp-envid(5488)442Directory traversal vulnerability in the logfile service of Wingate 4.1 Beta A and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack via an HTTP GET request that uses encoded characters in the URL.XF:wingate-view-filesBUGTRAQ:20001016 Wingate 4.1 Beta A vulnerabilityAllaire JRun 3.0 http servlet server allows remote attackers to cause a denial of service via a URL that contains a long string of "." characters.XF:allaire-jrun-servlet-dos ALLAIRE:ASB00-03020001101 Allaire's JRUN DoSAllaire JRun 3.0 http servlet server allows remote attackers to directly access the WEB-INF directory via a URL request that contains an extra "/" in the beginning of the request (aka the "extra leading slash").XF:allaire-jrun-webinf-accessALLAIRE:ASB00-02720001023 Allaire's JRUN Unauthenticated Access to WEB-INF directory500Directory traversal vulnerability in Allaire JRun 2.3 server allows remote attackers to read arbitrary files via the SSIFilter servlet. XF:allaire-jrun-ssifilter-url ALLAIRE:ASB00-02820001023 Allaire JRUN 2.3 Arbitrary File RetrievalAllaire JRun 2.3 server allows remote attackers to obtain source code for executable content by directly calling the SSIFilter servlet.BUGTRAQ:20001023 Allaire JRUN 2.3 Arbitrary File RetrievalAllaire JRun 2.3.3 server allows remote attackers to compile and execute JSP code by inserting it via a cross-site scripting (CSS) attack and directly calling the com.livesoftware.jrun.plugins.JSP JSP servlet.XF:allaire-jrun-jsp-executeALLAIRE:ASB00-029BUGTRAQ:20001023 Allaire JRUN 2.3 Remote command executionBuffer overflow in CSAdmin module in CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large packet.XF:ciscosecure-csadmin-boBID 1705CISCO:20000921 Multiple Vulnerabilities in CiscoSecure ACS for Windows NT ServerBuffer overflow in CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large TACACS+ packet.BID 1706XF:ciscosecure-tacacs-dosCISCO:20000921 Multiple Vulnerabilities in CiscoSecure ACS for Windows NT Server1569CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to bypass LDAP authentication on the server if the LDAP server allows null passwords.XF:ciscosecure-ldap-bypass-authenticationBID 1708CISCO:20000921 Multiple Vulnerabilities in CiscoSecure ACS for Windows NT ServerVulnerabilities in database configuration scripts in HP OpenView Network Node Manager (NNM) 6.1 and earlier allows local users to gain privileges, possibly via insecure permissions.XF:hp-openview-nnm-scriptsBID 1682HP:HPSBUX0009-120Buffer overflow in OverView5 CGI program in HP OpenView Network Node Manager (NNM) 6.1 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, in the SNMP service (snmp.exe), aka the "Java SNMP MIB Browser Object ID parsing problem."XF:openview-nmm-snmp-boHP:HPSBUX0009-121BUGTRAQ:20000926 DST2K0014: BufferOverrun in HP Openview Network Node Manager v6.1 (Round2)The default configuration of the Xsession file in Mandrake Linux 7.1 and 7.0 bypasses the Xauthority access control mechanism with an "xhost + localhost" command, which allows local users to sniff X Windows events and gain privileges.XF:xinitrc-bypass-xauthorityBID 173520000929 Mandrake 7.1 bypasses Xauthority X session security.MDKSA-2000:052The default configuration of XFCE 3.5.1 bypasses the Xauthority access control mechanism with an "xhost + localhost" command in the xinitrc program, which allows local users to sniff X Windows traffic and gain privileges.XF:xinitrc-bypass-xauthorityBID 173620001002 Local vulnerability in XFCE 3.5.1Microsoft Virtual Machine (VM) in Internet Explorer 4.x and 5.x allows an unsigned applet to create and use ActiveX controls, which allows a remote attacker to bypass Internet Explorer's security settings and execute arbitrary commands via a malicious web page or email, aka the "Microsoft VM ActiveX Component" vulnerability.MS:MS00-075java-vm-appletBuffer overflow in the FTP service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service.XF:hp-jetdirect-firmware-dosBID 1775BUGTRAQ:20001010 VIGILANTE-2000014: HP Jetdirect multiple DoSBuffer overflow in the Telnet service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service.XF:hp-jetdirect-firmware-dosBID 177520001010 VIGILANTE-2000014: HP Jetdirect multiple DoSBuffer overflow in the LPD service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service.XF:hp-jetdirect-firmware-dosBID 177520001010 VIGILANTE-2000014: HP Jetdirect multiple DoSVulnerability in IP implementation of HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service (printer crash) via a malformed packet.XF:hp-jetdirect-ip-implementationBID 1775BUGTRAQ:20001010 VIGILANTE-2000014: HP Jetdirect multiple DoSThe getnameinfo function in FreeBSD 4.1.1 and earlier, and possibly other operating systems, allows a remote attacker to cause a denial of service via a long DNS hostname.BID 1894FreeBSD-SA-00:63pollit.cgi in Poll It 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the poll_options parameter.BUGTRAQ:20001023 Re: Poll It v2.0 cgi (again)http://www.cgi-world.com/pollit.htmlpollit-polloptions-execute-commandspollit.cgi in Poll It 2.01 and earlier allows remote attackers to access administrative functions without knowing the real password by specifying the same value to the entered_password and admin_password parameters. XF:pollit-admin-password-varBUGTRAQ:20001023 Re: Poll It v2.0 cgi (again)pollit.cgi in Poll It 2.01 and earlier uses data files that are located under the web document root, which allows remote attackers to access sensitive or private information.BUGTRAQ:20001023 Re: Poll It v2.0 cgi (again)pollit-webroot-gain-accessThe GUI installation for iCal 2.1 Patch 2 disables access control for the X server using an "xhost +" command, which allows remote attackers to monitor X Windows events and gain privileges.BID 1767ATSTAKE:A100900-1ical-xhost-gain-privileges7213iCal 2.1 Patch 2 installs many files with world-writeable permissions, which allows local users to modify the iCal configuration and execute arbitrary commands by replacing the iplncal.sh program with a Trojan horse.BID 1768ATSTAKE:A100900-1ical-iplncal-gain-access7212csstart program in iCal 2.1 Patch 2 searches for the cshttpd program in the current working directory, which allows local users to gain root privileges by creating a Trojan Horse cshttpd program in a directory and calling csstart from that directory.BID 1769ATSTAKE:A100900-1ical-csstart-gain-access7210csstart program in iCal 2.1 Patch 2 uses relative pathnames to install the libsocket and libnsl libraries, which could allow the icsuser account to gain root privileges by creating a Trojan Horse library in the current or parent directory.BID 1769ATSTAKE:A100900-1ical-csstart-gain-access7209Directory traversal vulnerability in iPlanet Certificate Management System 4.2 and Directory Server 4.12 allows remote attackers to read arbitrary files via a .. (dot dot) attack in the Agent, End Entity, or Administrator services. XF:iplanet-netscape-directory-traversalBID 1839http://www.iplanet.com/downloads/patches/0122.html20001026 [CORE SDI ADVISORY] iPlanet Certificate Management System 4.2 path traversal bug4086486Netscape (iPlanet) Certificate Management System 4.2 and Directory Server 4.12 stores the administrative password in plaintext, which could allow local and possibly remote attackers to gain administrative privileges on the server.XF:iplanet-netscape-plaintext-passwordCORE-2000-10-2620001026 [CORE SDI ADVISORY] iPlanet Certificate Management System 4.2 path traversal bugBuffer overflow in the SHTML logging functionality of iPlanet Web Server 4.x allows remote attackers to execute arbitrary commands via a long filename with a .shtml extension.XF:iplanet-web-server-shtml-boBUGTRAQ:20001026 Buffer overflow in iPlanet Web Server 4 server side SHTML parsing moduleICQ Web Front HTTPd allows remote attackers to cause a denial of service by requesting a URL that contains a "?" character.XF:icq-webfront-url-dosBUGTRAQ:20001007 ICQ WebFront HTTPd DoSInteractions between the CIFS Browser Protocol and NetBIOS as implemented in Microsoft Windows 95, 98, NT, and 2000 allow remote attackers to modify dynamic NetBIOS name cache entries via a spoofed Browse Frame Request in a unicast or UDP broadcast datagram.BID 1620XF:win-netbios-corrupt-cacheWindows NetBIOS Unsolicited Cache Corruption20000829 Windows NetBIOS Unsolicited Cache Corruption20000829 Re: [COVERT-2000-10] Windows NetBIOS Unsolicited Cache CorruptionOVAL1079oval:org.mitre.oval:def:1079Quake 1 (quake1) and ProQuake 1.01 and earlier allow remote attackers to cause a denial of service via a malformed (empty) UDP packet.BID 1900BUGTRAQ:20001102 dos on quake1 servershttp://proquake.ai.mit.edu/quake-empty-udp-dos(5527)The xp_displayparamstmt function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.BID 2030MS:MS00-092OVAL23120001201 Microsoft SQL Server extended stored procedure vulnerabilityoval:org.mitre.oval:def:231The xp_enumresultset function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.BID 2031MS:MS00-09220001201 Microsoft SQL Server extended stored procedure vulnerabilityThe xp_showcolv function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.BID 2038MS:MS00-09220001201 Microsoft SQL Server extended stored procedure vulnerabilityThe xp_updatecolvbm function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.BID 2039MS:MS00-09220001201 Microsoft SQL Server extended stored procedure vulnerabilityThe xp_peekqueue function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.BID 2040MS:MS00-09220001201 SQL Server 2000 Extended Stored Procedure VulnerabilityThe xp_printstatements function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.BID 2041MS:MS00-09220001201 SQL Server 2000 Extended Stored Procedure VulnerabilityThe xp_proxiedmetadata function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.BID 2042MS:MS00-09220001201 SQL Server 2000 Extended Stored Procedure VulnerabilityThe xp_SetSQLSecurity function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.BID 2043MS:MS00-09220001201 SQL Server 2000 Extended Stored Procedure VulnerabilityBuffer overflow in Microsoft Phone Book Service allows local users to execute arbitrary commands, aka the "Phone Book Service Buffer Overflow" vulnerability.BID 2048MS:MS00-094ATSTAKE:A120400-1phone-book-service-bo(5623)Microsoft IIS for Far East editions 4.0 and 5.0 allows remote attackers to read source code for parsed pages via a malformed URL that uses the lead-byte of a double-byte character.bid 2100microsoft-iis-file-disclosure(5729)loadpage.cgi CGI program in EZshopper 3.0 and 2.0 allows remote attackers to list and read files in the EZshopper data directory by inserting a "/" in front of the target filename in the "file" parameter.BID 21092109ezshopper-cgi-file-disclosure(5740)20001213 NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi File ListBuffer overflow in AOL Instant Messenger before 4.3.2229 allows remote attackers to execute arbitrary commands via a long "goim" command.ATSTAKE:A121200-1Buffer overflow in AOL Instant Messenger (AIM) before 4.3.2229 allows remote attackers to execute arbitrary commands via a "buddyicon" command with a long "src" argument.ATSTAKE:A121200-120001213 Administrivia & AOL IM Advisory20001214 Re: AIM & @stake's advisory1692modprobe in the modutils 2.3.x package on Linux systems allows a local user to execute arbitrary commands via shell metacharacters.BID 1936REDHAT:RHSA-2000:108-0520001112 RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)SuSE-SA:2000:44MDKSA-2000:07120001120 modutils: local exploitCLSA-2000:340linux-modprobe-execute-codecrontab by Paul Vixie uses predictable file names for a temporary file and does not properly ensure that the file is owned by the user executing the crontab -e command, which allows local users with write access to the crontab spool directory to execute arbitrary commands by creating world-writeable temporary files and modifying them while the victim is editing the file.BID1960DEBIAN:20001118 cron: local privilege escalation20001116 vixie cron...vixie-cron-execute-commands(5543)The web server for the SonicWALL SOHO firewall allows remote attackers to cause a denial of service via a long username in the authentication page.BID 2013BUGTRAQ:20001129 DoS in Sonicwall SOHO firewall20001201 FW: SonicWALL SOHO Vulnerability (fwd)sonicwall-soho-dos(5596)1667The web server for the SonicWALL SOHO firewall allows remote attackers to cause a denial of service via an empty GET or POST request.BUGTRAQ:20001201 FW: SonicWALL SOHO Vulnerability (fwd)BUGTRAQ:20001201 Re: DoS in Sonicwall SOHO firewallJava Runtime Environment in Java Development Kit (JDK) 1.2.2_05 and earlier can allow an untrusted Java class to call into a disallowed class, which could allow an attacker to escape the Java sandbox and conduct unauthorized activities.SUN:00199HP:HPSBUX0011-132HPSBUX0011-132jdk-untrusted-java-class(5605)7255The default configuration for PostACI webmail system installs the /includes/global.inc configuration file within the web root, which allows remote attackers to read sensitive information such as database usernames and passwords via a direct HTTP GET request.BID 2029BUGTRAQ:20001130 PostACI Webmail VulnerabilityDirectory traversal vulnerability in Winsock FTPd (WFTPD) 3.00 and 2.41 with the "Restrict to home directory" option enabled allows local users to escape the home directory via a "/../" string, a variation of the .. (dot dot) attack.BID 2005BUGTRAQ:20001127 Vulnerability in Winsock FTPD 2.41/3.00 (Pro)wftpd-dir-traverse(5608)PTlink IRCD 3.5.3 and PTlink Services 1.8.1 allow remote attackers to cause a denial of service (server crash) via "mode +owgscfxeb" and "oper" commands.BUGTRAQ:20001126 Vulnerablity in PTlink3.5.3ircd + PTlink.Services.1.8.1...BID 2008rcvtty in BSD 3.0 and 4.0 does not properly drop privileges before executing a script, which allows local attackers to gain privileges by specifying an alternate Trojan horse script on the command line.BID 2009BUGTRAQ:20001127 BSDi 3.0/4.0 rcvtty gid=tty exploit... (mh package)Variant of the "IIS Cross-Site Scripting" vulnerability as originally discussed in MS:MS00-060 (CVE-2000-0746) allows a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site.MS:MS00-060The ixsso.query ActiveX Object is marked as safe for scripting, which allows malicious web site operators to embed a script that remotely determines the existence of files on visiting Windows 2000 systems that have Indexing Services enabled.BID 1933 WIN2KSEC:20001110 IE 5.x Win2000 Indexing service vulnerability20001110 IE 5.x Win2000 Indexing service vulnerabilityTrend Micro InterScan VirusWall creates an "Intscan" share to the "InterScan" directory with permissions that grant Full Control permissions to the Everyone group, which allows attackers to gain privileges by modifying the VirusWall programs.BID 2014BUGTRAQ:20001128 TrendMicro InterScan VirusWall shared folder problem20001201 Responding to BugTraq ID 2014 - "Trend Micro InterScan VirusWall Shared Directory Vulnerability"interscan-viruswall-unauth-accessin.identd ident server in SuSE Linux 6.x and 7.0 allows remote attackers to cause a denial of service via a long request, which causes the server to access a NULL pointer and crash.BID 2015BUGTRAQ:20001128 SuSE Linux 6.x 7.0 Ident buffer overflowlinux-ident-bocons.saver in Midnight Commander (mc) 4.5.42 and earlier does not properly verify if an output file descriptor is a TTY, which allows local users to corrupt files by creating a symbolic link to the target file, calling mc, and specifying that link as a TTY argument.BID 1945DEBIAN:20001125 mc: local DoS20001113 Problems with cons.saverMDKSA-2000:078midnight-commander-conssaver-symlink(5519)Midnight Commander (mc) 4.5.51 and earlier does not properly process malformed directory names when a user opens a directory, which allows other local users to gain privileges by creating directories that contain special characters followed by the commands to be executed.BID 2016BUGTRAQ:20001127 Midnight CommanderDSA-036SuSE-SA:2001:11midnight-commander-elevate-privileges(5929)document.d2w CGI program in the IBM Net.Data db2www package allows remote attackers to determine the physical path of the web server by sending a nonexistent command to the program.BID 2017BUGTRAQ:20001128 IBM Net.Data Local Path Disclosure Vulnerability?Telnet Service for Windows 2000 Professional does not properly terminate incomplete connection attempts, which allows remote attackers to cause a denial of service by connecting to the server and not providing any input.BID 2018BUGTRAQ:20001129 Windows 2000 Telnet Service DoSwin2k-telnet-dos(5598)Microsoft Windows Media Player 7 executes scripts in custom skin (.WMS) files, which could allow remote attackers to gain privileges via a skin that contains a malicious script, aka the ".WMS Script Execution" vulnerability.BID 1976MS:MS00-090mediaplayer-wms-script-exeBuffer overflow in Microsoft Windows Media Player allows remote attackers to execute arbitrary commands via a malformed Active Stream Redirector (.ASX) file, aka the ".ASX Buffer Overrun" vulnerability.BID 1980MS:MS00-090A112300-1mediaplayer-asx-boUnify ServletExec AS v3.0C allows remote attackers to read source code for JSP pages via an HTTP request that ends with characters such as ".", or "+", or "%20".BID 1970BUGTRAQ:20001121 Disclosure of JSP source code with ServletExec AS v3.0c + web ins tanceBuffer overflow in remote web administration component (webprox.dll) of 602Pro LAN SUITE before 2000.0.1.33 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long GET request.BID 1979BUGTRAQ:20001122 602Pro Lan Suite Web Admin Overflowhttp://www.software602.com/products/ls/support/newbuild.htmlsoftware602-lan-suite-boBuffer overflow in TransSoft Broker FTP Server before 4.3.0.1 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long command.XF:broker-ftp-username-dos20001018 TransSoft's Broker FTP Server 3.x & 4.x Remote DoS attack VulnerabilityThe Extended Control List (ECL) feature of the Java Virtual Machine (JVM) in Lotus Notes Client R5 allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method.BID 1994BUGTRAQ:20001124 Security Hole in ECL Feature of Java VM Embedded in Lotus Notes Client R520001124 Security Hole in ECL Feature of Java VM Embedded in Lotus Notes Client R524Link 1.06 web server allows remote attackers to bypass access restrictions by prepending strings such as "/+/" or "/." to the HTTP GET request.BUGTRAQ:20001127 24Link WebserverBuffer overflow in setsenv command in IBM AIX 4.3.x and earlier allows local users to execute arbitrary commands via a long "x=" argument.BID 2032BUGTRAQ:20001201 Fixed local AIX V43 vulnerabilitiesIY08812IY10721aix-setsenv-bo(5621)1676Buffer overflow in digest command in IBM AIX 4.3.x and earlier allows local users to execute arbitrary commands.BID 2033BUGTRAQ:20001201 Fixed local AIX V43 vulnerabilitiesIY08143IY08287aix-digest-bo(5620)Buffer overflow in enq command in IBM AIX 4.3.x and earlier may allow local users to execute arbitrary commands via a long -M argument.BID 2034BUGTRAQ:20001201 Fixed local AIX V43 vulnerabilitiesIY08143IY08287aix-enq-bo(5619)Buffer overflow in setclock command in IBM AIX 4.3.x and earlier may allow local users to execute arbitrary commands via a long argument.BID 2035BUGTRAQ:20001201 Fixed local AIX V43 vulnerabilitiesIY07831IY07790Buffer overflow in pioout command in IBM AIX 4.3.x and earlier may allow local users to execute arbitrary commands.BID 2036BUGTRAQ:20001201 Fixed local AIX V43 vulnerabilitiesIY12638aix-pioout-boBuffer overflow in piobe command in IBM AIX 4.3.x allows local users to gain privileges via long environmental variables.BID 2037BUGTRAQ:20001201 Fixed local AIX V43 vulnerabilitiesIY12638aix-piobe-bo(5616)restore 0.4b15 and earlier in Red Hat Linux 6.2 trusts the pathname specified by the RSH environmental variable, which allows local users to obtain root privileges by modifying the RSH variable to point to a Trojan horse program.BID 1914BUGTRAQ:20001104 Redhat 6.2 restore exploitVulnerability in auto_parms and set_parms in HP-UX 11.00 and earlier allows remote attackers to execute arbitrary commands or cause a denial of service.BID 1954HP:HPSBUX0011-130registrar in the HP resource monitor service allows local users to read and modify arbitrary files by renaming the original registrar.log log file and creating a symbolic link to the target file, to which registrar appends log information and sets the permissions to be world readable.BID 1919BUGTRAQ:20001108 HP-UX 10.20 resource monitor serviceThe default configuration of McAfee VirusScan 4.5 does not quote the ImagePath variable, which improperly sets the search path and allows local users to place a Trojan horse "common.exe" program in the C:\Program Files directory.BID 1920NTBUGTRAQ:20001103 Elevation of Privileges Exploit with McAfee VirusScan 4.5McAfee WebShield SMTP 4.5 allows remote attackers to cause a denial of service via a malformed recipient field.BID 1999BUGTRAQ:20001123 McAfee WebShield SMTP vulnerabilitiesMcAfee WebShield SMTP 4.5 allows remote attackers to bypass email content filtering rules by including Extended ASCII characters in name of the attachment.BID:1993BUGTRAQ:20001123 McAfee WebShield SMTP vulnerabilitiesBill Kendrick web site guestbook (GBook) allows remote attackers to execute arbitrary commands via shell metacharacters in the _MAILTO form variable.BID 1940BUGTRAQ:20001110 [hacksware] gbook.cgi remote command execution vulnerabilitygbook-cgi-remote-executionDCForum cgforum.cgi CGI script allows remote attackers to read arbitrary files, and delete the program itself, via a malformed "forum" variable.BID:1951BUGTRAQ:20001114 Cgisecurity.com advisory on dcforumhttp://www.dcscripts.com/dcforum/dcfNews/124.html#1dcforum-cgi-view-files(5533)1646Authentix Authentix100 allows remote attackers to bypass authentication by inserting a . (dot) into the URL for a protected directory.BID 1907BUGTRAQ:20001107 Explanation Authentix Input Validation Error20001106 Authentix Security AdvisoryMultiple shell programs on various Unix systems, including (1) tcsh, (2) csh, (3) sh, and (4) bash, follow symlinks when processing << redirects (aka here-documents or in-here documents), which allows local users to overwrite files of other users via a symlink attack.BID 2006FREEBSD:FreeBSD-SA-00:7620001128 /bin/sh creates insecure tmp files20001111aMDKSA-2000-069CSSA-2000-043.0CSSA-2000-042.0RHSA-2000:117RHSA-2000:121MDKSA-2000:0751926SSRT1-41U20011103-02-PVU#10277OVAL404720001028 tcsh: unsafe tempfile in << redirects20001130 [ADV/EXP]: RH6.x root from bash /tmp vuln + MORECLSA-2000:354CLA-2000:350oval:org.mitre.oval:def:4047fshd (fsh daemon) in Debian GNU/Linux allows local users to overwrite files of other users via a symlink attack.Note: fixed in potato versionDEBIAN:20001130 DSA-002-1 fsh: symlink attacklinux-fsh-symlink(5633)7208elvis-tiny before 1.4-10 in Debian GNU/Linux, and possibly other Linux operating systems, allows local users to overwrite files of other users via a symlink attack.BID 1984BUGTRAQ:20001122 New version of elvis-tiny releasedlinux-tinyelvis-tmpfilesGNU ed before 0.2-18.1 allows local users to overwrite the files of other users via a symlink attack.REDHAT:RHSA-2000:123-01BID 209520001129 DSA-001-1 ed: symlink attackMDKSA-2000:076CLA-2000:359-2gnu-ed-symlink(5723)6491Lotus Notes R5 client R5.0.5 and earlier does not properly warn users when an S/MIME email message has been modified, which could allow an attacker to modify the email in transit without being detected.BID 1925BUGTRAQ:20001108 Lotus Notes R5 clients - no warning for broken signature or encryptionThe installation of Microsoft Exchange 2000 before Rev. A creates a user account with a known password, which could allow attackers to gain privileges, aka the "Exchange User Account" vulnerability.BID 1958MS:MS00-088ms-exchange-username-pwd(5537)Recourse ManTrap 1.6 does not properly hide processes from attackers, which could allow attackers to determine that they are in a honeypot system by comparing the results from kill commands with the process listing in the /proc filesystem.BID 1908BUGTRAQ:20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research LabsBUGTRAQ:20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00)mantrap-hidden-processesRecourse ManTrap 1.6 modifies the kernel so that ".." does not appear in the /proc listing, which allows attackers to determine that they are in a honeypot system.BUGTRAQ:20001105 Mantrap Advisory Vendor Followup - Fate Research LabsBUGTRAQ:20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00)mantrap-hidden-processesRecourse ManTrap 1.6 generates an error when an attacker cd's to /proc/self/cwd and executes the pwd command, which allows attackers to determine that they are in a honeypot system.BUGTRAQ:20001105 Mantrap Advisory Vendor Followup - Fate Research LabsBUGTRAQ:20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00)mantrap-pwd-reveal-informationRecourse ManTrap 1.6 hides the first 4 processes that run on a Solaris system, which allows attackers to determine that they are in a honeypot system.BUGTRAQ:20001105 Mantrap Advisory Vendor Followup - Fate Research LabsBUGTRAQ:20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research LabsBUGTRAQ:20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00)mantrap-hidden-processesRecourse ManTrap 1.6 sets up a chroot environment to hide the fact that it is running, but the inode number for the resulting "/" file system is higher than normal, which allows attackers to determine that they are in a chroot environment.BID 1909BUGTRAQ:20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00)20001105 Mantrap Advisory Vendor Followup - Fate Research Labsmantrap-inode-disclosureRecourse ManTrap 1.6 allows attackers who have gained root access to use utilities such as crash or fsdb to read /dev/mem and raw disk devices to identify ManTrap processes or modify arbitrary data files.BUGTRAQ:20001105 Mantrap Advisory Vendor Followup - Fate Research LabsBUGTRAQ:20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00)mantrap-identify-processesRecourse ManTrap 1.6 allows attackers to cause a denial of service via a sequence of commands that navigate into and out of the /proc/self directory and executing various commands such as ls or pwd.BID 1913BUGTRAQ:20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00)20001105 Mantrap Advisory Vendor Followup - Fate Research Labsmantrap-dir-dosBuffer overflow in IIS ISAPI .ASP parsing mechanism allows attackers to execute arbitrary commands via a long string to the "LANGUAGE" argument in a script tag.BID 1911BUGTRAQ:20001103 IIS ASP $19.95 hack - IISHack 1.5iis-isapi-asp-boThe installation of VolanoChatPro chat server sets world-readable permissions for its configuration file and stores the server administrator passwords in plaintext, which allows local users to gain privileges on the server.BID 1906BUGTRAQ:20001106 Re: FW: Filesystem Access + VolanoChat = VChat admin (fwd)BUGTRAQ:20001104 Filesystem Access + VolanoChat = VChat admin (fwd)volanochatpro-plaintext-passwordBuffer overflow in RegAPI.DLL used by Windows NT 4.0 Terminal Server allows remote attackers to execute arbitrary commands via a long username, aka the "Terminal Server Login Buffer Overflow" vulnerability.BID 1924MS:MS00-087BUGTRAQ:20001108 [CORE SDI ADVISORY] MS NT4.0 Terminal Server Edition GINA buffer overflownt-termserv-gina-boFelix IRC client in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL.BUGTRAQ:20001113 beos vulnerabilitiesBID 1946Baxter IRC client in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL.BUGTRAQ:20001113 beos vulnerabilitiesBID 1947Browser IRC client in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL.BUGTRAQ:20001113 beos vulnerabilitiesPostMaster 1.0 in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL.BID 1943BUGTRAQ:20001113 beos vulnerabilitiesRHConsole in RobinHood 1.1 web server in BeOS r5 pro and earlier allows remote attackers to cause a denial of service via long HTTP request.BUGTRAQ:20001113 beos vulnerabilitiesBID 1944RHDaemon in RobinHood 1.1 web server in BeOS r5 pro and earlier allows remote attackers to cause a denial of service via long HTTP request.BUGTRAQ:20001113 beos vulnerabilitiesBID 1944StarOffice 5.2 follows symlinks and sets world-readable permissions for the /tmp/soffice.tmp directory, which allows a local user to read files of the user who is using StarOffice.BID 1922BUGTRAQ:20001108 StarOffice 5.2 Temporary Dir Vulnerabilitystaroffice-tmp-sym-linkBuffer overflow in NAI Sniffer Agent allows remote attackers to execute arbitrary commands via a long SNMP community name.BID 1901BUGTRAQ:20001102 Remotely exploitable buffer overflow in NAI's Distributed Sniffer AgentNAI Sniffer Agent uses base64 encoding for authentication, which allows attackers to sniff the network and easily decrypt usernames and passwords.BUGTRAQ:20001102 Remotely exploitable buffer overflow in NAI's Distributed Sniffer AgentNAI Sniffer Agent allows remote attackers to gain privileges on the agent by sniffing the initial UDP authentication packets and spoofing commands.BID 1902BUGTRAQ:20001102 Remotely exploitable buffer overflow in NAI's Distributed Sniffer AgentNAI Sniffer Agent allows remote attackers to cause a denial of service (crash) by sending a large number of login requests.BID 1903BUGTRAQ:20001102 Remotely exploitable buffer overflow in NAI's Distributed Sniffer AgentThe installation of AdCycle banner management system leaves the build.cgi program in a web-accessible directory, which allows remote attackers to execute the program and view passwords or delete databases.BID 1969BUGTRAQ:20001120 security problem in AdCycle installationghostscript before 5.10-16 allows local users to overwrite files of other users via a symlink attack.BID 1990CALDERA:CSSA-2000-041MDKSA-2000:074CLSA-2000:343RHSA-2000:11420001123 ghostscript: symlink attackghostscript-sym-linkghostscript before 5.10-16 uses an empty LD_RUN_PATH environmental variable to find libraries in the current directory, which could allow local users to execute commands as other users by placing a Trojan horse library into a directory from which another user executes ghostscript.BID 1991DEBIAN:20001123 ghostscript: symlink attackCSSA-2000-041MDKSA-2000:074CLSA-2000:343ghostscript-env-variableWinVNC installs the WinVNC3 registry key with permissions that give Special Access (read and modify) to the Everybody group, which allows users to read and modify sensitive information such as passwords and gain access to the system.BID 1961BUGTRAQ:20001118 WinVNC 3.3.xwinvnc-modify-registry(5545)Balabit syslog-ng allows remote attackers to cause a denial of service (application crash) via a malformed log message that does not have a closing > in the priority specifier.BID 1981BUGTRAQ:20001122 DoS possibility in syslog-nghttp://www.balabit.hu/products/syslog-ng/FreeBSD-SA-01:02balabit-syslog-ng-dos(5576)Twig webmail system does not properly set the "vhosts" variable if it is not configured on the site, which allows remote attackers to insert arbitrary PHP (PHP3) code by specifying an alternate vhosts as an argument to the index.php3 program.BID 1998BUGTRAQ:20001124 Security problems with TWIG webmail systemhttp://twig.screwdriver.net/file.php3?file=CHANGELOGtwig-php3-script-execute(5581)ppp utility in FreeBSD 4.1.1 and earlier does not properly restrict access as specified by the "nat deny_incoming" command, which allows remote attackers to connect to the target system.BID 1974FreeBSD-SA-00:70freebsd-ppp-bypass-gateway(5584)1655IBM HTTP Server 1.3.6 (based on Apache) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long GET request.BID 1988BUGTRAQ:20001123 IBM HTTP Server 1.3.6 Remote OverflowOpenSSH SSH client before 2.3.0 does not properly disable X11 or agent forwarding, which could allow a malicious SSH server to gain access to the X11 display and sniff X11 events, or gain access to the ssh-agent.BUGTRAQ:20001123 OpenSSH Security Advisory (adv.fwd)MDKSA-2000:06820001115 Trustix Security Advisory - bind and openssh (and modutils)20001118 openssh: possible remote exploitCLSA-2000:345RHSA-2000:111SuSE-SA:2000:47openssh-unauthorized-access(5517)21146248BID 1949Buffer overflow in Netsnap webcam HTTP server before 1.2.9 allows remote attackers to execute arbitrary commands via a long GET request.BID 1956BUGTRAQ:20001115 Netsnap Webcam Software Remote Overflowhttp://www.netsnap.com/new.htmnetsnap-remote-bo(5534)Directory traversal vulnerability in cgiforum.pl script in CGIForum 1.0 allows remote attackers to ready arbitrary files via a .. (dot dot) attack in the "thesection" parameter.BID 1963BUGTRAQ:20001120 CGIForum 1.0 Vulnerabilitycgiforum-view-files(5553)Buffer overflow in Gaim 0.10.3 and earlier using the OSCAR protocol allows remote attackers to conduct a denial of service and possibly execute arbitrary commands via a long HTML tag.BID 1948BUGTRAQ:20001110 Advisory: Gaim remote vulnerabilityMicrosys CyberPatrol uses weak encryption (trivial encoding) for credit card numbers and uses no encryption for the remainder of the information during registration, which could allow attackers to sniff network traffic and obtain this sensitive information.BID 1977BUGTRAQ:20001122 CyberPatrol - poor credit card protectionMultiple buffer overflows in AFS ACL parser for Ethereal 0.8.13 and earlier allows remote attackers to execute arbitrary commands via a packet with a long username.BID 197220001118 [hacksware] Ethereal 0.8.13 AFS ACL parsing buffer overflow bug20001121 ethereal: remote exploitCLSA-2000:342RHSA-2000:116FreeBSD-SA-00:81ethereal-afs-bo(5557)Buffer overflow in Koules 1.4 allows local users to execute arbitrary commands via a long command line argument.BID 1967BUGTRAQ:20001120 local exploit for linux's Koules1.4 packageDirectory traversal vulnerability in YaBB search.pl CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack in the "catsearch" form field.BID 1921BUGTRAQ:20001107 Insecure input balidation in YaBB Search.plbb-hist.sh, bb-histlog.sh, bb-hostsvc.sh, bb-rep.sh, bb-replog.sh, and bb-ack.sh in Big Brother (BB) before 1.5d3 allows remote attackers to determine the existence of files and user ID's by specifying the target file in the HISTFILE parameter.BID 1971BUGTRAQ:20001121 Big Brother Advisory - Fate Research Labshttp://bb4.com/incident.nov21Joe text editor follows symbolic links when creating a rescue copy called DEADJOE during an abnormal exit, which allows local users to overwrite the files of other users whose joe session crashes.BID 1959BUGTRAQ:20001116 Joe's Own Editor File Link VulnerabilityRHSA-2000:110MDKSA-2000:072CLA-2000:35620001201 DSA-003-1 joe: symlink attack20001121 Immunix OS Security update for joejoe-symlink-corruption(5546)Netopia ISDN Router 650-ST before 4.3.5 allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters.BID 1952BUGTRAQ:20001115 Netopia ISDN Router 650-ST: Viewing of all system logs without loginnetopia-view-system-log(5536)Buffer overflow in cmctl program in Oracle 8.1.5 Connection Manager Control allows local users to gain privileges via a long command line argument.BID 1968BUGTRAQ:20001120 vulnerability in Connection Manager Control binary in Oracleoracle-cmctl-bo(5551)Real Networks RealServer 7 and earlier allows remote attackers to obtain portions of RealServer's memory contents, possibly including sensitive information, by accessing the /admin/includes/ URL.BID 1957BUGTRAQ:20001116 [CORE SDI ADVISORY] RealServer memory contents disclosurehttp://service.real.com/help/faq/security/memory.htmlrealserver-gain-access(5538)WatchGuard Firebox II allows remote attackers to cause a denial of service by flooding the Firebox with a large number of FTP or SMTP requests, which disables proxy handling.BID 1953BUGTRAQ:20001116 Possible Watchguard Firebox II DoSwatchguard-firebox-ftp-dos(5535)Buffer overflow in socks5 server on Linux allows attackers to execute arbitrary commands via a long connection request.BUGTRAQ:20001115 socks5 remote exploit / linux x86BID 154telnetd in FreeBSD 4.2 and earlier, and possibly other operating systems, allows remote attackers to cause a denial of service by specifying an arbitrary large file in the TERMCAP environmental variable, which consumes resources as the server processes the file.FREEBSD:FreeBSD-SA-00:69telnetd-termcap-dos(5959)6083The telnet proxy in RideWay PN proxy server allows remote attackers to cause a denial of service via a flood of connections that contain malformed requests.BID 1938BUGTRAQ:20001113 Rideway PN Telnet DoSBuffer overflow in phf CGI program allows remote attackers to execute arbitrary commands by specifying a large number of arguments and including a long MIME header.BUGTRAQ:20001115 Exploit: phf buffer overflow (CGI)phf-cgi-bo(5970)Buffer overflow in the HTML parser for Netscape 4.75 and earlier allows remote attackers to execute arbitrary commands via a long password value in a form field.FREEBSD:FreeBSD-SA-00:66REDHAT:RHSA-2000:109-05CLSA-2000:344SuSE-SA:2000:4820001121 Immunix OS Security update for netscapenetscape-client-html-bo7207Directory traversal vulnerability in Quikstore shopping cart program allows remote attackers to read arbitrary files via a .. (dot dot) attack in the "page" parameter.BUGTRAQ:20001120 Cgisecurity Quickstore Shopping cartBID 2049Buffer overflow in pam_localuser PAM module in Red Hat Linux 7.x and 6.x allows attackers to gain privileges.REDHAT:RHSA-2000:120CLA-2000:358MDKSA-2000:082-1pam-localuser-bo(5747)imwheel-solo in imwheel package allows local users to modify arbitrary files via a symlink attack from the .imwheelrc file.RHSA-2000:016-0320000531 Re: strike#2RHSA-2000:016linux-imwheel-symlink(4941)htsearch program in htDig 3.2 beta, 3.1.6, 3.1.5, and earlier allows remote attackers to determine the physical path of the server by requesting a non-existent configuration file using the config parameter, which generates an error message that includes the full path.http://www.securiteam.com/exploits/htDig_reveals_web_server_configuration_paths.html4366htdig-htsearch-path-disclosure(7367)Buffer overflow in BTT Software SNMP Trap Watcher 1.16 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string trap.bid985985Performance Metrics Collector Daemon (PMCD) in Performance Copilot in IRIX 6.x allows remote attackers to cause a denial of service (resource exhaustion) via an extremely long string to the PMCD port.irix-pcp-pmcd-dos(4284)20020407-01-IArgosoft FRP server 1.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to the (1) USER or (2) CWD commands.bid1227http://www.mdma.za.net/fk/FK9.ziptelnet daemon (telnetd) from the Linux netkit package before netkit-telnet-0.16 allows remote attackers to bypass authentication when telnetd is running with the -L command line option.CSSA-2000-008.0telnetd-login-bypass(4225)PSCOErrPage.htm in Netscape PublishingXpert 2.5 before SP2 allows remote attackers to read arbitrary files by specifying the target file in the errPagePath parameter.publishingxpert-pscoerrpage-url(7362)POP2 or POP3 server (pop3d) in imap-uw IMAP package on FreeBSD and other operating systems creates lock files with predictable names, which allows local users to cause a denial of service (lack of mail access) for other users by creating lock files for other mail boxes.bid11321132qpopper POP server creates lock files with predictable names, which allows local users to cause a denial of service for other users (lack of mail access) by creating lock files for other mail boxes.bid11321132PostgreSQL stores usernames and passwords in plaintext in (1) pg_shadow and (2) pg_pwd, which allows attackers with sufficient privileges to gain access to databases.postgresql-plaintext-passwords(4364)bid1139Windows NT allows remote attackers to list all users in a domain by obtaining the domain SID with the LsaQueryInformationPolicy policy function via a null session and using the SID to list the users.nt-lsa-domain-sid(4015)bid959Check Point FireWall-1 allows remote attackers to cause a denial of service (high CPU) via a flood of packets to port 264.CheckPoint FW1 BUG (fwd)ikeyman in IBM IBMHSSSB 1.0 sets the CLASSPATH environmental variable to include the user's own CLASSPATH directories before the system's directories, which allows a malicious local user to execute arbitrary code as root via a Trojan horse Ikeyman class.bid1092ibm-ikeyman(4235)Lotus Domino SMTP server 4.63 through 5.08 allows remote attackers to cause a denial of service (CPU consumption) by forging an email message with the sender as bounce@[127.0.0.1] (localhost), which causes Domino to enter a mail loop.Lotus Domino Mail Loop Denial of Service VulnerabilityLotus Domino SMTP server bounced message loop denial of service20010820 Lotus Domino DoS20010823 Lotus Domino DoS solutionVulnerability in the mod_vhost_alias virtual hosting module for Apache 1.3.9, 1.3.11 and 1.3.12 allows remote attackers to obtain the source code for CGI programs if the cgi-bin directory is under the document root.Security vulnerability in mod_rewriteCross site scripting vulnerabilities in Apache 1.3.0 through 1.3.11 allow remote attackers to execute script as other web site visitors via (1) the printenv CGI (printenv.pl), which does not encode its output, (2) pages generated by the ap_send_error_response function such as a default 404, which does not add an explicit charset, or (3) various messages that are generated by certain Apache modules or core code. NOTE: the printenv issue might still exist for web browsers that can render text/plain content types as HTML, such as Internet Explorer, but CVE regards this as a design limitation of those browsers, not Apache. The printenv.pl/acuparam vector, discloser on 20070724, is one such variant.20021222 'printenv' XSS vulnerabilityapache-printenv-xss(10938)20021223 Re: 'printenv' XSS vulnerability20070724 printenv.pl(all versions) cross site scripting Vulnerabilityapache-printenv-acuparam-xss(35597)Vulnerability in Apache httpd before 1.3.11, when configured for mass virtual hosting using mod_rewrite, or mod_vhost_alias in Apache 1.3.9, allows remote attackers to retrieve arbitrary files.http://www.apacheweek.com/issues/00-01-07#statususerhelper in the usermode package on Red Hat Linux executes non-setuid programs as root, which does not activate the security measures in glibc and allows the programs to be exploited via format string vulnerabilities in glibc via the LANG or LC_ALL environment variables (CVE-2000-0844).glibc and userhelper - local rootUpdated usermode packages availableMandrakeSoft Update Advisory MDKSA-2000:059 : usermode20001003 SuSE: userhelper/usermodeFormat string vulnerability in startprinting() function of printjob.c in BSD-based lpr lpd package may allow local users to gain privileges via an improper syslog call that uses format strings from the checkremote() call.lpr has a format string security bug, LPRng compat issues, and a race condlpr-checkremote-format-string(5286)bid 171120001004 Immunix OS Security Update for lpr171120000925 Format strings: bug #1: BSD-lprThe "sa" account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS) (5) Compaq Insight Manager, and (6) Visio 2000, which allows remote attackers to gain privileges, as exploited by worms such as Voyager Alpha Force and Spida.Microsoft SQL Server and Microsoft Data Engine (MSDE) ship with a null default passwordbid 4797mssql-no-sapassword(1459)20000815 MS-SQL 'sa' user exploit codeQ313418Q321081http://www.microsoft.com/security/security_bulletins/ms02020_sql.asp479720000710 MSDE / Re: Default Password Database20000810 Tumbleweed Worldsecure (MMS) BLANK 'sa' account password20000816 Released Patch: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password20020522 Opty-Way Enterprise includes MSDE with sa <blank>3570Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp.apache-tomcat-file-contents(4205)Zope 2.2.0 through 2.2.4 does not properly perform security registration for legacy names of object constructors such as DTML method objects, which could allow attackers to perform unauthorized activities.MDKSA-2000:083RHSA-2000:125zope-legacy-names(5824)6282Zope 2.2.0 through 2.2.4 does not properly protect a data updating method on Image and File objects, which allows attackers with DTML editing privileges to modify the raw data of these objects.RHSA-2000:135zope-image-file(5778)MDKSA-2000:086CLA-2000:365DSA-007RHSA-2000:135zope-image-file(5778)6283ping in iputils before 20001010, as distributed on Red Hat Linux 6.2 through 7J and other operating systems, does not drop privileges after acquiring a raw socket, which increases ping's exposure to bugs that otherwise would occur at lower privileges.RHSA-2000:08720001025 Immunix OS Security Update for ping package20001030 Trustix Security Advisory - ping gnupg ypbind20001030 Trustix Security Advisory - ping gnupg ypbindBuffer overflows in the (1) outpack or (2) buf variables of ping in iputils before 20001010, as distributed on Red Hat Linux 6.2 through 7J and other operating systems, may allow local users to gain privileges.RedHat Linux ping Buffer Overflow Vulnerabilityping-buf-bo(5431)RHSA-2000:087-0220001025 Immunix OS Security Update for ping package20001020 Re: [RHSA-2000:087-02] Potential security problems in ping fixed.20001030 Trustix Security Advisory - ping gnupg ypbind181320001030 Trustix Security Advisory - ping gnupg ypbindThe default configuration of Lotus Domino server 5.0.8 includes system information (version, operating system, and build date) in the HTTP headers of replies, which allows remote attackers to obtain sensitive information.20010919 lotus domino server 5.08 is very gabbyhttp://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/5552251934afaa9585256c0000737a7f?OpenDocument&Highlight=0,AWHN4A8QWMVU#984555lotus-domino-information-disclosure(10685)20010919 lotus domino server 5.08 is very gabbyBuffer overflow in portmir for AIX 4.3.0 allows local users to corrupt lock files and gain root privileges via the echo_error routine.IY07832VU#433499aix-portmir-echoerror-bo(7929)Microsoft Windows 2000 before Service Pack 2 (SP2), when running in a non-Windows 2000 domain and using NTLM authentication, and when credentials of an account are locally cached, allows local users to bypass account lockout policies and make an unlimited number of login attempts, aka the "Domain Account Lockout" vulnerability.MS00-089VU#818496Microsoft Windows 2000 Domain Account Lockout Bypass Vulnerabilitywin2k-brute-force(5585)The default configuration for the domain name resolver for Microsoft Windows 98, NT 4.0, 2000, and XP sets the QueryIpMatching parameter to 0, which causes Windows to accept DNS updates from hosts that it did not query, which allows remote attackers to poison the DNS cache.VU#458659win2k-dns-resolver(4280)The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.[gcc-bugs] 20020506 c/6586: -ftrapv doesnt catch multiplication overflowVU#540517The line printer daemon (lpd) in the lpr package in multiple Linux operating systems allows local users to gain root privileges by causing sendmail to execute with arbitrary command line arguments, as demonstrated using the -C option to specify a configuration file.20000108 L0pht Advisory: LPD, RH 4.x,5.x,6.x20000108 Quadruple Inverted Backflip20000109 lpr -- access control problem and root exploitRHSA-2000:00220021104-01-PVU#39001Multiple Vendor lpd Vulnerabilitiesredhat-lpd-print-control(3841)The line printer daemon (lpd) in the lpr package in multiple Linux operating systems authenticates by comparing the reverse-resolved hostname of the local machine to the hostname of the print server as returned by gethostname, which allows remote attackers to bypass intended access controls by modifying the DNS for the attacking IP.20000108 Quadruple Inverted Backflip20000109 lpr -- access control problem and root exploitRHSA-2000:00220021104-01-PVU#30308927redhat-lpd-auth(3840)AIX sysback before 4.2.1.13 uses a relative path to find and execute the hostname program, which allows local users to gain privileges by modifying the path to point to a malicious hostname program.VU#17566aix-sysback-elevate-privileges(6432)quikstore.cgi in Quikstore Shopping Cart allows remote attackers to execute arbitrary commands via shell metacharacters in the URL portion of an HTTP GET request.VU#671444Caucho Technology Resin 1.2 and possibly earlier allows remote attackers to view JSP source via an HTTP request to a .jsp file with certain characters appended to the file name, such as (1) "..", (2) "%2e..", (3) "%81", (4) "%82", and others.20001123 RESIN ServletExec JSP Source Disclosure Vulnerability(Apache 1.3.6 Win2k))20001123 Re: RESIN ServletExec JSP Source Disclosure Vulnerability(Apache 1.3.6 Win2k))1986resin-jsp-source-disclosure(5568)Xitami 2.5b installs the testcgi.exe program by default in the cgi-bin directory, which allows remote attackers to gain sensitive configuration information about the web server by accessing the program.Xitami Web/Ftp Server Multiple Security Vulnerabilities - NSSI Advisory [1st Vulnerability]Snort 1.6, when running in straight ASCII packet logging mode or IDS mode with straight decoded ASCII packet logging selected, allows remote attackers to cause a denial of service (crash) by sending non-IP protocols that Snort does not know about, as demonstrated by an nmap protocol scan.20000614 Snort 1.6 and nmap 2.54beta120000614 Re: Snort 1.6 and nmap 2.54beta1Windows NT 4.0 and Windows 2000 hosts allow remote attackers to cause a denial of service (unavailable connections) by sending multiple SMB SMBnegprots requests but not reading the response that is sent back.1301Phorum 3.0.7 allows remote attackers to change the administrator password without authentication via an HTTP request for admin.php3 that sets step, option, confirm and newPssword variables.20000106 Phorum 3.0.7 exploits and IDS signatures2271Directory traversal vulnerability in Phorum 3.0.7 allows remote Phorum administrators to read arbitrary files via ".." (dot dot) sequences in the default .langfile name field in the Master Settings administrative function, which causes the file to be displayed in admin.php3.20000106 Phorum 3.0.7 exploits and IDS signaturesBackdoor in auth.php3 in Phorum 3.0.7 allows remote attackers to access restricted web pages via an HTTP request with the PHP_AUTH_USER parameter set to "boogieman".20000106 Phorum 3.0.7 exploits and IDS signatureshttp://www.digitalsec.net/stuff/z-mirrors/hispahack/mi020.htm2274code.php3 in Phorum 3.0.7 allows remote attackers to read arbitrary files in the phorum directory via the query string.20000106 Phorum 3.0.7 exploits and IDS signaturesupgrade.php3 in Phorum 3.0.7 could allow remote attackers to modify certain Phorum database tables via an unknown method.20000106 Phorum 3.0.7 exploits and IDS signaturesSQL injection vulnerability in read.php3 and other scripts in Phorum 3.0.7 allows remote attackers to execute arbitrary SQL queries via the sSQL parameter.20000106 Phorum 3.0.7 exploits and IDS signaturesviolation.php3 in Phorum 3.0.7 allows remote attackers to send e-mails to arbitrary addresses and possibly use Phorum as a "spam proxy" by setting the Mod and ForumName parameters.20000106 Phorum 3.0.7 exploits and IDS signatures2272The default configurations of (1) the port listener and (2) modplsql in Oracle Internet Application Server (IAS) 3.0.7 and earlier allow remote attackers to view privileged database information via HTTP requests for Database Access Descriptor (DAD) files.20001219 Oracle WebDb engine brain-damagse20001221 Re: Oracle WebDb engine brain-damagse20001223 Potential Vulnerabilities in Oracle Internet Application Server2150oracle-webdb-admin-access(5818)SQL injection vulnerability in mod_sql in Oracle Internet Application Server (IAS) 3.0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the query string of the URL.2150oracle-execute-plsql(5817)20001219 Oracle WebDb engine brain-damagse20001221 Re: Oracle WebDb engine brain-damagse20001223 Potential Vulnerabilities in Oracle Internet Application ServerThe POP3 server in FTGate returns an -ERR code after receiving an invalid USER request, which makes it easier for remote attackers to determine valid usernames and conduct brute force password guessing.20000626 Problems with FTGateftgate-invalid-user-requests(4793)BEA Systems WebLogic Express and WebLogic Server 5.1 SP1-SP6 allows remote attackers to bypass access controls for restricted JSP or servlet pages via a URL with multiple / (forward slash) characters before the restricted pages.This vulnerability is addressed in the following product releases: BEA Systems Weblogic Server 5.1 SP 7 BEA Systems WebLogic Express 5.1 SP 75089weblogic-bypass-auth(5588)The HTTP interface of Tivoli Lightweight Client Framework (LCF) in IBM Tivoli Management Framework 3.7.1 sets http_disable to zero at install time, which allows remote authenticated users to bypass file permissions on Tivoli Endpoint Configuration data files via an unspecified manipulation of log files.17085tivoli-lcf-file-read(3927)Unspecified vulnerability in siteman.php3 in AnyPortal(php) before 22 APR 00 allows remote attackers to obtain sensitive information via unknown attack vectors, which reveal the absolute path. NOTE: the provenance of this information is unknown; the details are obtained from third party information.23983anyportalphp-siteman-information-disclosure(25441)Unspecified vulnerability in Haakon Nilsen simple, integrated publishing system (SIPS) before 0.2.4 allows attackers to has an unknown impact and unspecified vectors, related to a "grave security fault."The HTTP service in American Power Conversion (APC) PowerChute uses a default username and password, which allows remote attackers to gain system access.30768Privacy leak in Dansie Shopping Cart 3.04, and probably earlier versions, sends sensitive information such as user credentials to an e-mail address controlled by the product developers.20000411 Back Door in Commercial Shopping Cart20000413 Re: Back Door in Commercial Shopping Cart20000413 Re: Back Door in Commercial Shopping Cart [RESOLVED]20000413 Re: Back Door in Commercial Shopping Cart [Stormer Hosting]20070603 Dansie Cart Script Exploit ReportedComputer Associates InoculateIT Agent for Exchange Server does not recognize an e-mail virus attachment if the SMTP header is missing the "From" field, which allows remote attackers to bypass virus protection.20001110 CA's InoculateIT Agent for Exchange Servercookiedecode function in PHP-Nuke 4.4 allows users to bypass authentication and gain access to other user accounts by extracting the authentication information from a cookie.php-nuke-elevate-privileges(6183)Internet Explorer 5.5 and earlier allows remote attackers to obtain the physical location of cached content and open the content in the Local Computer Zone, then use compiled HTML help (.chm) files to execute arbitrary programs.bid1978MS:MS01-015MS01-01524567823oval:org.mitre.oval:def:920ie-chm-execute-files(5567)Web Extender Client (WEC) in Microsoft Office 2000, Windows 2000, and Windows Me does not properly process Internet Explorer security settings for NTLM authentication, which allows attackers to obtain NTLM credentials and possibly obtain the password, aka the "Web Client NTLM Authentication" vulnerability.MS01-001BID 2199wec-ntlm-authenticationIIS 5.0 and 4.0 allows remote attackers to read the source code for executable web server programs by appending "%3F+.htr" to the requested URL, which causes the files to be parsed by the .HTR ISAPI extension, aka a variant of the "File Fragment Reading via .HTR" vulnerability.MS01-004BUGTRAQ:20010108 IIS 5.0 allows viewing files using %3F+.htr2313iis-read-files(5903)Buffer overflow in the parsing mechanism of the file loader in Microsoft PowerPoint 2000 allows attackers to execute arbitrary commands.MS01-002bid 2297Parsing Overflow in Microsoft PowerPoint 2000powerpoint-execute-code(5996)The Winsock2ProtocolCatalogMutex mutex in Windows NT 4.0 has inappropriate Everyone/Full Control permissions, which allows local users to modify the permissions to "No Access" and disable Winsock network connectivity to cause a denial of service, aka the "Winsock Mutex" vulnerability.ntsecurity.nu advisory: Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and belowMS01-003winnt-mutex-dos(6006)Buffer overflow in NetScreen Firewall WebUI allows remote attackers to cause a denial of service via a long URL request to the web administration interface.bid 217620000109 NSFOCUS SA2001-01: NetScreen Firewall WebUI Buffer Overflow vulnerabilitynetscreen-webui-bo(5908)1707Backdoor account in Interbase database server allows remote attackers to overwrite arbitrary files using stored procedures.CA-2001-01bid 2192interbase-backdoor-account(5911)Directory traversal vulnerability in Lotus Domino 5.0.5 web server allows remote attackers to read arbitrary files via a .. attack.bid 2173BUGTRAQ:20010109 bugtraq id 2173 Lotus Domino ServerBUGTRAQ:20010105 Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web rootlotus-domino-directory-traversal(5899)1703Buffer overflow in transaction signature (TSIG) handling code in BIND 8 allows remote attackers to gain root privileges.CA-2001-02Vulnerabilities in BIND 4 and 8bid 230220010129 Vulnerabilities in BIND 4 and 8DSA-026RHSA-2001:007Buffer overflow in nslookupComplain function in BIND 4 allows remote attackers to gain root privileges.CA-2001-02Vulnerabilities in BIND 4 and 820010129 Vulnerabilities in BIND 4 and 8RHSA-2001:0072307BIND 4 and BIND 8 allow remote attackers to access sensitive information such as environment variables.CA-2001-02Vulnerabilities in BIND 4 and 820010129 Vulnerabilities in BIND 4 and 8DSA-026RHSA-2001:0072321Format string vulnerability in nslookupComplain function in BIND 4 allows remote attackers to gain root privileges.CA-2001-02Vulnerabilities in BIND 4 and 820010129 Vulnerabilities in BIND 4 and 8RHSA-2001:0072309Remote Data Protocol (RDP) in Windows 2000 Terminal Service does not properly handle certain malformed packets, which allows remote attackers to cause a denial of service, aka the "Invalid RDP Data" vulnerability.MS01-006bid 2326Network Dynamic Data Exchange (DDE) in Windows 2000 allows local users to gain SYSTEM privileges via a "WM_COPYDATA" message to an invisible window that is running with the privileges of the WINLOGON process.MS01-007A020501-12341win-dde-elevate-privileges(6062)NTLM Security Support Provider (NTLMSSP) service does not properly check the function number in an LPC request, which could allow local users to gain administrator level access.MS01-008Local promotion vulnerability in NT4's NTLM Security Support Provider2348ntlm-ssp-elevate-privileges(6076)Memory leak in PPTP server in Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed data packet, aka the "Malformed PPTP Packet Stream" vulnerability.MS01-0092368winnt-pptp-dos(6103)Windows 2000 domain controller in Windows 2000 Server, Advanced Server, or Datacenter Server allows remote attackers to cause a denial of service via a flood of malformed service requests.MS01-01120001202 UDP Ping-pong in Win2kMS01-011win2k-domain-controller-dos(6136)L-049Arrowpoint (aka Cisco Content Services, or CSS) allows local users to cause a denial of service via a long argument to the "show script," "clear script," "show archive," "clear archive," "show log," or "clear log" commands.A013101-1Security Advisory: Cisco Content Services Switch VulnerabilityDirectory traversal vulnerability in Arrowpoint (aka Cisco Content Services, or CSS) allows local unprivileged users to read arbitrary files via a .. (dot dot) attack.A013101-1Security Advisory: Cisco Content Services Switch Vulnerabilitycisco-ccs-file-access(6031)23311757MailMan Webmail 3.0.25 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the alternate_template parameter.bid 2063mailman-alternate-templates(5649)BUGTRAQ:20001206 (SRADV00005) Remote command executionhttp://www.endymion.com/products/mailman/history.htmsimplestguest.cgi CGI program by Leif Wright allows remote attackers to execute arbitrary commands via shell metacharacters in the guestbook parameter.bid 2106http-cgi-simplestguest(5743)BUGTRAQ:20001213 Re: Insecure input validation in simplestmail.cgieverythingform.cgi CGI program by Leif Wright allows remote attackers to execute arbitrary commands via shell metacharacters in the config parameter.bid 2101http-cgi-everythingform(5736)BUGTRAQ:20001211 Insecure input validation in everythingform.cgi (remote command execution)simplestmail.cgi CGI program by Leif Wright allows remote attackers to execute arbitrary commands via shell metacharacters in the MyEmail parameter.bid 2102http-cgi-simplestmail(5739)BUGTRAQ:20001211 Insecure input validation in simplestmail.cgi (remote command execution)ad.cgi CGI program by Leif Wright allows remote attackers to execute arbitrary commands via shell metacharacters in the file parameter.bid 2103http-cgi-ad(5741)BUGTRAQ:20001211 Insecure input validation in ad.cgirp-pppoe PPPoE client allows remote attackers to cause a denial of service via the Clamp MSS option and a TCP packet with a zero-length TCP option.bid 2098rppppoe-zero-length-dos(5727)BUGTRAQ:20001211 DoS vulnerability in rp-pppoe versions <= 2.4RHSA-2000:130-05CLA-2000:357MDKSA-2000:084mod_sqlpw module in ProFTPD does not reset a cached password when a user uses the "user" command to change accounts, which allows authenticated attackers to gain privileges of other users.BUGTRAQ:20001211 mod_sqlpw Password Caching Bugproftpd-modsqlpw-unauth-access(5737)Buffer overflow in the HTML parsing code in oops WWW proxy server 1.5.2 and earlier allows remote attackers to execute arbitrary commands via a large number of " (quotation) characters.bid 2099oops-ftputils-bo(5725)BUGTRAQ:20001211 [pkc] remote heap buffer overflow in oopsFreeBSD-SA-00:79Buffer overflow in oops WWW proxy server 1.4.6 (and possibly other versions) allows remote attackers to execute arbitrary commands via a long host or domain name that is obtained from a reverse DNS lookup.BUGTRAQ:20001212 Re: [pkc] remote heap buffer overflow in oopsbid 2099http://zipper.paco.net/~igor/oops/ChangeLogoops-dns-bo(6122)FoolProof 3.9 allows local users to bypass program execution restrictions by downloading the restricted executables from another source and renaming them.bid 2089foolproof-security-bypass(5758)BroadVision One-To-One Enterprise allows remote attackers to determine the physical path of server files by requesting a .JSP file name that does not exist.broadvision-bv1to1-reveal-path(5661)BUGTRAQ:20001207 BroadVision One-To-One Enterprise Path Disclosure VulnerabilityFormat string vulnerability in ssldump possibly allows remote attackers to cause a denial of service and possibly gain root privileges via malicious format string specifiers in a URL.bid 2096ssldump-format-strings(5717)BUGTRAQ:20001208 format string in ssl dumpKTH Kerberos IV allows local users to change the configuration of a Kerberos server running at an elevated privilege by specifying an alternate directory using with the KRBCONFDIR environmental variable, which allows the user to gain additional privileges.BUGTRAQ:20001210 KTH upgrade and FIXBUGTRAQ:20001208 Vulnerabilities in KTH Kerberos IVkerberos4-user-config(5738)KTH Kerberos IV allows local users to specify an alternate proxy using the krb4_proxy variable, which allows the user to generate false proxy responses and possibly gain privileges.BUGTRAQ:20001210 KTH upgrade and FIXBUGTRAQ:20001208 Vulnerabilities in KTH Kerberos IVkerberos4-arbitrary-proxy(5733)Buffer overflow in the kdc_reply_cipher function in KTH Kerberos IV allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long authentication request.BUGTRAQ:20001210 KTH upgrade and FIXBUGTRAQ:20001208 Vulnerabilities in KTH Kerberos IVkerberos4-auth-packet-overflow(5734)20010130 Buffer overflow in old ssh-1.2.2x-afs-kerberosv4 patchesKTH Kerberos IV allows local users to overwrite arbitrary files via a symlink attack on a ticket file.BUGTRAQ:20001210 KTH upgrade and FIXBUGTRAQ:20001208 Vulnerabilities in KTH Kerberos IVkerberos4-tmpfile-dos(5754)RHSA-2001:025Directory traversal vulnerability in HomeSeer before 1.4.29 allows remote attackers to read arbitrary files via a URL containing .. (dot dot) specifiers.bid 2085BUGTRAQ:20001207 HomeSeer Directory Traversal Vulnerabilityhomeseer-directory-traversal(5663)http://www.keware.com/hsbetachanges.htmOffline Explorer 1.4 before Service Release 2 allows remote attackers to read arbitrary files by specifying the drive letter (e.g. C:) in the requested URL.bid 2084offline-explorer-reveal-files(5728)BUGTRAQ:20001207 MetaProducts Offline ExplorerIPSwitch IMail 6.0.5 allows remote attackers to cause a denial of service using the SMTP AUTH command by sending a base64-encoded user password whose length is between 80 and 136 bytes.BUGTRAQ:20001206 DoS by SMTP AUTH command in IPSwitch IMail serverimail-smtp-auth-dos(5674)bid 2083http://www.ipswitch.com/Support/IMail/news.htmlAPC UPS daemon, apcupsd, saves its process ID in a world-writable file, which allows local users to kill an arbitrary process by specifying the target process ID in the apcupsd.pid file.bid 2070apc-apcupsd-dos(5654)BUGTRAQ:20001206 apcupsd 3.7.2 Denial of ServiceMDKSA-2000:077Memory leak in Cisco Catalyst 4000, 5000, and 6000 series switches allows remote attackers to cause a denial of service via a series of failed telnet authentication attempts.bid 2072cisco-catalyst-telnet-dos(5656)CSCds66191801PHP 3.x (PHP3) on Apache 1.3.6 allows remote attackers to read arbitrary files via a modified .. (dot dot) attack containing "%5c" (encoded backslash) sequences.bid 2060apache-php-disclose-files(5659)BUGTRAQ:20001206 CHINANSL Security Advisory(CSA-200011)phpGroupWare before 0.9.7 allows remote attackers to execute arbitrary PHP commands by specifying a malicious include file in the phpgw_info parameter of the phpgw.inc.php program.bid 2069phpgroupware-include-files(5650)BUGTRAQ:20001206 (SRADV00006) Remote command execution vulnerabilities in phpGroupWare1682Multiple buffer overflows in Lexmark MarkVision printer driver programs allows local users to gain privileges via long arguments to the cat_network, cat_paraller, and cat_serial commands.bid 2075markvision-printer-driver-bo(5651)The default permissions for the RAS Administration key in Windows NT 4.0 allows local users to execute arbitrary commands by changing the value to point to a malicious DLL, aka one of the "Registry Permissions" vulnerabilities.bid 2064MS00-095nt-ras-reg-perms(5671)OVAL500oval:org.mitre.oval:def:500The default permissions for the SNMP Parameters registry key in Windows NT 4.0 allows remote attackers to read and possibly modify the SNMP community strings to obtain sensitive information or modify network configuration, aka one of the "Registry Permissions" vulnerabilities.bid 2066MS00-095nt-snmp-reg-perms(5672)OVAL139oval:org.mitre.oval:def:139The default permissions for the MTS Package Administration registry key in Windows NT 4.0 allows local users to install or modify arbitrary Microsoft Transaction Server (MTS) packages and gain privileges, aka one of the "Registry Permissions" vulnerabilities.bid 2065MS00-095nt-mts-reg-perms(5673)OVAL140oval:org.mitre.oval:def:140The "Configure Your Server" tool in Microsoft 2000 domain controllers installs a blank password for the Directory Service Restore Mode, which allows attackers with physical access to the controller to install malicious programs, aka the "Directory Service Restore Mode Password" vulnerability.bid 2133MS00-099WatchGuard SOHO FireWall 2.2.1 and earlier allows remote attackers to cause a denial of service via a large number of GET requests.bid 2082BUGTRAQ:20001207 WatchGuard SOHO v2.2.1 DoSwatchguard-soho-get-dos(5665)Buffer overflow in BitchX IRC client allows remote attackers to cause a denial of service and possibly execute arbitrary commands via an IP address that resolves to a long DNS hostname or domain name.bid 2087irc-bitchx-dns-bo(5701)BUGTRAQ:20001207 BitchX DNS Overflow PatchBUGTRAQ:20001207 bitchx/ircd DNS overflow demonstrationRHSA-2000:126MDKSA-2000:079FreeBSD-SA-00:78CLA-2000:364IBM DB2 Universal Database version 6.1 creates an account with a default user name and password, which allows remote attackers to gain access to the databasse.bid 2068ibm-db2-gain-access(5662)BUGTRAQ:20001205 IBM DB2 default account and password VulnerabilityIBM DB2 Universal Database version 6.1 allows users to cause a denial of service via a malformed query.bid 2067ibm-db2-dos(5664)BUGTRAQ:20001205 IBM DB2 SQL DOSOne-byte buffer overflow in replydirname function in BSD-based ftpd allows remote attackers to gain root privileges.bid 2124bsd-ftpd-replydirname-bo(5776)BUGTRAQ:20001218 Trustix Security Advisory - ed, tcsh, and ftpd-BSDOPENBSD:20001218NetBSD-SA2000-018Directory traversal vulnerability in FTP Serv-U before 2.5i allows remote attackers to escape the FTP root and read arbitrary files by appending a string such as "/..%20." to a CD command, a variant of a .. (dot dot) attack.bid 2052ftp-servu-homedir-travers(5639)BUGTRAQ:20001205 (no subject)BUGTRAQ:20001205 Serv-U FTP directory traversal vunerability (all versions)464CBOS 2.4.1 and earlier in Cisco 600 routers allows remote attackers to cause a denial of service via a slow stream of TCP SYN packets.cisco-cbos-syn-packets(5627)CISCO:20001204 Multiple Vulnerabilities in CBOSThe Cisco Web Management interface in routers running CBOS 2.4.1 and earlier does not log invalid logins, which allows remote attackers to guess passwords without detection.cisco-cbos-invalid-login(5628)CISCO:20001204 Multiple Vulnerabilities in CBOSCisco 600 routers running CBOS 2.4.1 and earlier allow remote attackers to cause a denial of service via a large ICMP echo (ping) packet.cisco-cbos-icmp-echo(5629)CISCO:20001204 Multiple Vulnerabilities in CBOSThe Web interface to Cisco 600 routers running CBOS 2.4.1 and earlier allow remote attackers to cause a denial of service via a URL that does not end in a space character.cisco-cbos-web-access(5626)CISCO:20001204 Multiple Vulnerabilities in CBOS460patchadd in Solaris allows local users to overwrite arbitrary files via a symlink attack.bid 2127solaris-patchadd-symlink(5789)BUGTRAQ:20001218 Solaris patchadd(1) (3) symlink vulnerabiltyFormat string vulnerability in stunnel 3.8 and earlier allows attackers to execute arbitrary commands via a malformed ident username.bid 2128stunnel-format-logfile(5807)BUGTRAQ:20001218 Stunnel format bugBUGTRAQ:20001209 Trustix Security Advisory - stunnelRHSA-2000:129CLA-2000:363DSA-009procfs in FreeBSD and possibly other operating systems does not properly restrict access to per-process mem and ctl files, which allows local users to gain root privileges by forking a child process and executing a privileged process from the child, while the parent retains access to the child's address space.bid 2130FreeBSD-SA-00:77procfs-elevate-privileges(6106)1697procfs in FreeBSD and possibly other operating systems allows local users to cause a denial of service by calling mmap on the process' own mem file, which causes the kernel to hang.bid 2131FreeBSD-SA-00:77procfs-mmap-dos(6107)16986082procfs in FreeBSD and possibly other operating systems allows local users to bypass access control restrictions for a jail environment and gain additional privileges.bid 2132FreeBSD-SA-00:77procfs-access-control-bo(6108)1691Webconfig, IMAP, and other services in MDaemon 3.5.0 and earlier allows remote attackers to cause a denial of service via a long URL terminated by a "\r\n" string.bid 2134BUGTRAQ:20001219 def-2000-03: MDaemon 3.5.0 DoSBuffer overflow in bftpd 1.0.13 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long SITE CHOWN command.bftpd-site-chown-bo(5775)BUGTRAQ:20001213 Potential Buffer Overflow vulnerability in bftpd-1.0.13Secure Locate (slocate) allows local users to corrupt memory via a malformed database file that specifies an offset value that accesses memory outside of the intended buffer.bid 2004BUGTRAQ:20001126 [MSY] S(ecure)Locate heap corruption vulnerabilityDSA-005-1MDKSA-2000:085RHSA-2000:128CLA-2001:369TLSA2001002-1slocate-heap-execute-code(5594)The installation of J-Pilot creates the .jpilot directory with the user's umask, which could allow local attackers to read other users' PalmOS backup information if their umasks are not securely set.BUGTRAQ:20001214 J-Pilot Permissions VulnerabilityMDKSA-2000:081jpilot-perms(5762)Mac OS Runtime for Java (MRJ) 2.2.3 allows remote attackers to use malicious applets to read files outside of the CODEBASE context via the ARCHIVE applet parameter.mrj-runtime-malicious-applets(5784)BUGTRAQ:20001215 Security Hole of MRJ 2.2.3 (Mac OS Runtime for Java) - Inconsistent Use of CODEBASE and ARCHIVE Attributesdialog before 0.9a-20000118-3bis in Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack.DSA-008-1bid 2151dialog-symlink(5809)Buffer overflow in 1st Up Mail Server 4.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long MAIL FROM command.bid 21521stup-mail-server-boBUGTRAQ:20001226 1st Up Mail Server v4.1 Buffer Overflow Vulnerabilitygpg (aka GnuPG) 1.0.4 and other versions does not properly verify detached signatures, which allows attackers to modify the contents of a file without detection.bid 214120001220 Trustix Security Advisory - gnupg, ftpd-BSDRHSA-2000:131-02gnupg-detached-sig-modifyMDKSA-2000-087DSA-010-1CLA-2000:3681699gpg (aka GnuPG) 1.0.4 and other versions imports both public and private keys from public key servers without notifying the user about the private keys, which could allow an attacker to break the web of trust.bid 2153RHSA-2000:131MDKSA-2000-087DSA-010-1CLA-2000:36820001220 Trustix Security Advisory - gnupg, ftpd-BSDgnupg-reveal-private1702Buffer overflow in the find_default_type function in libsecure in NSA Security-enhanced Linux, which may allow attackers to modify critical data in memory.bid 2154BUGTRAQ:20001226 buffer overflow in libsecure (NSA Security-enhanced Linux)Directory traversal vulnerability in print.cgi in Technote allows remote attackers to read arbitrary files via a .. (dot dot) attack in the board parameter.bid 2155BUGTRAQ:20001223 TechnoteDirectory traversal vulnerability in main.cgi in Technote allows remote attackers to read arbitrary files via a .. (dot dot) attack in the filename parameter.BUGTRAQ:20001227 [Ksecurity Advisory] main.cgi in technotebid 2156register.cgi in Ikonboard 2.1.7b and earlier allows remote attackers to execute arbitrary commands via the SEND_MAIL parameter, which overwrites an internal program variable that references a program to be executed.bid 2157BUGTRAQ:20001228 Remote vulnerability in Ikonboard upto version 2.1.7bhttp-cgi-ikonboardThe clustmon service in Sun Cluster 2.x does not require authentication, which allows remote attackers to obtain sensitive information such as system logs and cluster configurations.BUGTRAQ:20001212 Two Holes in Sun Cluster 2.xclustmon-no-authentication(6123)in.mond in Sun Cluster 2.x allows local users to read arbitrary files via a symlink attack on the status file of a host running HA-NFS.BUGTRAQ:20001212 Two Holes in Sun Cluster 2.xha-nfs-symlink(6125)6437Support Tools Manager (STM) A.22.00 for HP-UX allows local users to overwrite arbitrary files via a symlink attack on the tool_stat.txt log file.BUGTRAQ:20001213 STM symlink VulnerabilityCisco Catalyst 6000, 5000, or 4000 switches allow remote attackers to cause a denial of service by connecting to the SSH service with a non-SSH client, which generates a protocol mismatch error.cisco-catalyst-ssh-mismatch(5760)CISCO:20001213 Cisco Catalyst SSH Protocol Mismatch Vulnerability2117swinit in nCipher does not properly disable the Operator Card Set recovery feature even when explicitly disabled by the user, which could allow attackers to gain access to application keys.20001212 nCipher Security Advisory: Operator Cards unexpectedly recoverablenCipher Security Advisory: Operator Cards unexpectedly recoverablehttp://active.ncipher.com/updates/advisory.txtncipher-recover-operator-cards(5999)4849Check Point VPN-1/FireWall-1 4.1 SP2 with Fastmode enabled allows remote attackers to bypass access restrictions via malformed, fragmented packets.BUGTRAQ:20001218 FireWall-1 Fastmode VulnerabilityWindows Media Unicast Service in Windows Media Services 4.0 and 4.1 does not properly shut down some types of connections, producing a memory leak that allows remote attackers to cause a denial of service via a series of severed connections, aka the "Severed Windows Media Server Connection" vulnerability.MS00-097mediaservices-dropped-connection-dos(5785)Q281256GTK+ library allows local users to specify arbitrary modules via the GTK_MODULES environmental variable, which could allow local users to gain privileges if GTK+ is used by a setuid/setgid program.bid 2165BUGTRAQ:20010102 gtk+ security hole.BUGTRAQ:20010103 Claimed vulnerability in GTK_MODULEShttp://www.gtk.org/setuid.htmlBuffer overflow in Kermit communications software in HP-UX 11.0 and earlier allows local users to cause a denial of service and possibly execute arbitrary commands.bid 2170hpux-kermit-bo(5793)HPSBUX0012-135CGI Script Center Subscribe Me LITE 2.0 and earlier allows remote attackers to delete arbitrary mailing list users without authentication by directly calling subscribe.pl with the target address as a parameter.BUGTRAQ:20001212 Security Advisory: Subscribe Me Lite 1.0 - 2.0 Unix or 1.0 - 2.0 NT and below.bid 2108subscribemelite-gain-admin-access(5735)itetris/xitetris 1.6.2 and earlier trusts the PATH environmental variable to find and execute the gunzip program, which allows local users to gain root privileges by changing their PATH so that it points to a malicious gunzip program.bid 2139BUGTRAQ:20001219 itetris[v1.6.2] local root exploit (system()+../ protection)itetris-svgalib-pathcommon.inc.php in phpWebLog 0.4.2 does not properly initialize the $CONF array, which inadvertently sets the password to a single character, allowing remote attackers to easily guess the SiteKey and gain administrative privileges to phpWebLog.bid 2047phpweblog-bypass-authentication(5625)BUGTRAQ:20001202 Bypassing admin authentication in phpWebLogInternet Explorer 5.0 through 5.5 allows remote attackers to read arbitrary files from the client via the INPUT TYPE element in an HTML form, aka the "File Upload via Form" vulnerability.MS00-093ie-form-file-upload(5615)The Print Templates feature in Internet Explorer 5.5 executes arbitrary custom print templates without prompting the user, which could allow an attacker to execute arbitrary ActiveX controls, aka the "Browser Print Template" vulnerability.bid 2046MS00-093ie-print-template(5614)The ActiveX control for invoking a scriptlet in Internet Explorer 5.0 through 5.5 renders arbitrary file types instead of HTML, which allows an attacker to read arbitrary files, aka a variant of the "Scriptlet Rendering" vulnerability.bid 1564MS00-093ie-scriptlet-rendering-read-files(6085)7820A function in Internet Explorer 5.0 through 5.5 does not properly verify the domain of a frame within a browser window, which allows a remote attacker to read client files, aka a new variant of the "Frame Domain Verification" vulnerability.bid 1224MS00-093ie-frame-verification-read-files(6086)7817Vulnerability in telnetd in FreeBSD 1.5 allows local users to gain root privileges by modifying critical environmental variables that affect the behavior of telnetd.NetBSD-SA2000-017Buffer overflow in kdc_reply_cipher of libkrb (Kerberos 4 authentication library) in NetBSD 1.5 and FreeBSD 4.2 and earlier, as used in Kerberised applications such as telnetd and login, allows local users to gain root privileges.Exploitable bugs in kerberised telnetd and libkrbFreeBSD-SA-01:25kerberos4-auth-packet-overflow(5734)catman in Solaris 2.7 and 2.8 allows local users to overwrite arbitrary files via a symlink attack on the sman_PID temporary file.BUGTRAQ:20001218 Catman file clobbering vulnerability Solaris 2.xsolaris-catman-symlink(5788)6024FrontPage Server Extensions (FPSE) in IIS 4.0 and 5.0 allows remote attackers to cause a denial of service via a malformed form, aka the "Malformed Web Form Submission" vulnerability.MS00-100iis-web-form-submitThe Web interface for Infinite Interchange 3.6.1 allows remote attackers to cause a denial of service (application crash) via a large POST request.bid 2140infinite-interchange-dosBUGTRAQ:20001221 Infinite InterChange DoSBuffer overflow in Bea WebLogic Server before 5.1.0 allows remote attackers to execute arbitrary commands via a long URL that begins with a ".." string.BUGTRAQ:20001219 def-2000-04: Bea WebLogic Server dotdot-overflowbid 2138weblogic-dot-bobsguest.cgi guestbook script allows remote attackers to execute arbitrary commands via shell metacharacters in the email address.BUGTRAQ:20001221 BS Scripts Vulnerabilitiesbsguest-cgi-execute-commandsbsguest-cgi-execute-commandsbslist.cgi mailing list script allows remote attackers to execute arbitrary commands via shell metacharacters in the email address.BUGTRAQ:20001221 BS Scripts Vulnerabilitiesbslist-cgi-execute-commandsVulnerability in fetchmail 5.5.0-2 and earlier in the AUTHENTICATE GSSAPI command.TLSA2000024-1RHBA-2000:106-04fetchmail-authenticate-gssapi(7455)"Multiple Users" Control Panel in Mac OS 9 allows Normal users to gain Owner privileges by removing the Users & Groups Data File, which effectively removes the Owner password and allows the Normal user to log in as the Owner account without a password.BUGTRAQ:20001229 Mac OS 9 Multiple Users Control Panel Password Vulnerabilitymacos-multiple-usersCoffeeCup Direct and Free FTP clients uses weak encryption to store passwords in the FTPServers.ini file, which could allow attackers to easily decrypt the passwords.bid 2107coffeecup-ftp-weak-encryption(5744)MDaemon Pro 3.5.1 and earlier allows local users to bypass the "lock server" security setting by pressing the Cancel button at the password prompt, then pressing the enter key.bid 2115mdaemon-lock-bypass-password(5763)20001214 Bypass MDaemon 3.5.1 "Lock Server" ProtectionVulnerability in top in HP-UX 11.04 and earlier allows local users to overwrite files owned by the "sys" group.hp-top-sys-files(5773)HPSBUX0012-134Vulnerability in inetd server in HP-UX 11.04 and earlier allows attackers to cause a denial of service when the "swait" state is used by a server.HPSBUX0101-136hp-inetd-swait-dos(5904)Veritas Backup agent on Linux allows remote attackers to cause a denial of service by establishing a connection without sending any data, which causes the process to hang.bid 2204BUGTRAQ:20010115 Veritas BackupExec (remote DoS)20010115 Veritas BackupExec (remote DoS)PHP Apache module 4.0.4 and earlier allows remote attackers to bypass .htaccess access restrictions via a malformed HTTP request on an unrestricted page that causes PHP to use those access controls on the next page that is requested.bid 2206BUGTRAQ:20010112 PHP Security Advisory - Apache Module bugs20010112 PHP Security Advisory - Apache Module bugsMDKSA-2001:013CLA-2001:373DSA-020RHSA-2000:136php-htaccess-unauth-access(5940)rctab in SuSE 7.0 and earlier allows local users to create or overwrite arbitrary files via a symlink attack on the rctmp temporary file.bid 2207BUGTRAQ:20010113 Serious security flaw in SuSE rctab20010117 Re: Serious security flaw in SuSE rctabrctab-elevate-privileges(5945)Buffer overflow in jaZip Zip/Jaz drive manager allows local users to gain root privileges via a long DISPLAY environmental variable.bid 2209BUGTRAQ:20010114 Vulnerability in jaZip.DSA-017-1 jazip: buffer overflowjazip-display-bo(5942)Format string vulnerability in splitvt before 1.6.5 allows local users to execute arbitrary commands via the -rcfile command line argument.bid 2210BUGTRAQ:20010114 [MSY] Multiple vulnerabilities in splitvtDSA-014-2 splitvtsplitvt-perserc-format-string(5948)Multiple buffer overflows in splitvt before 1.6.5 allow local users to execute arbitrary commands.bid 2210BUGTRAQ:20010114 [MSY] Multiple vulnerabilities in splitvtDSA-014-2statsconfig.pl in OmniHTTPd 2.07 allows remote attackers to execute arbitrary commands via the mostbrowsers parameter, whose value is used as part of a generated Perl script.bid 2211BUGTRAQ:20010116 Vulnerabilities in OmniHTTPd default installationstatsconfig.pl in OmniHTTPd 2.07 allows remote attackers to overwrite arbitrary files via the cgidir parameter.bid 221120010116 Vulnerabilities in OmniHTTPd default installationBuffer overflow in arp command in Solaris 7 and earlier allows local users to execute arbitrary commands via a long -f parameter.bid 2193BUGTRAQ:20010112 arp exploitBUGTRAQ:20010111 Solaris Arp Vulnerability#00200solaris-arp-bo(5928)gpm 1.19.3 allows local users to overwrite arbitrary files via a symlink attack.BUGTRAQ:20010110 Immunix OS Security update for lots of temp file problemsbid 2188MDKSA-2001:006linux-gpm-symlink(5917)sdiff 2.7 in the diffutils package allows local users to overwrite files via a symlink attack.BUGTRAQ:20010110 Immunix OS Security update for lots of temp file problemsbid 2191MDKSA-2001:008IMNX-2000-70-028-01RHSA-2001:116VU#579928linux-diffutils-sdiff-symlink(5914)rdist 6.1.5 allows local users to overwrite arbitrary files via a symlink attack.BUGTRAQ:20010110 Immunix OS Security update for lots of temp file problemsbid 2195MDKSA-2001:005rdist-symlink(5925)getty_ps 2.0.7j allows local users to overwrite arbitrary files via a symlink attack.BUGTRAQ:20010110 Immunix OS Security update for lots of temp file problemsbid 2194MDKSA-2001:004gettyps-symlink(5924)useradd program in shadow-utils program may allow local users to overwrite arbitrary files via a symlink attack.BUGTRAQ:20010110 Immunix OS Security update for lots of temp file problemsbid 2196MDKSA-2001:007shadow-utils-useradd-symlink(5927)ImageCast Control Center 4.1.0 allows remote attackers to cause a denial of service (resource exhaustion or system crash) via a long string to port 12002.BUGTRAQ:20010108 def-2001-01: ImageCast IC3 Control Center DoSbid 2174storagesoft-imagecast-dos(5901)Kernel leak in AfpaCache module of the Fast Response Cache Accelerator (FRCA) component of IBM HTTP Server 1.3.x and Websphere 3.52 allows remote attackers to cause a denial of service via a series of malformed HTTP requests that generate a "bad request" error.BUGTRAQ:20010108 def-2001-02: IBM Websphere 3.52 Kernel Leak DoSbid 2175http://www-4.ibm.com/software/webservers/security.html20010307 def-2001-02: IBM HTTP Server Kernel Leak DoS (re-release)ibm-websphere-dos(5900)Directory traversal vulnerability in eXtropia bbs_forum.cgi 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack on the file parameter.bid 2177BUGTRAQ:20010107 Cgisecurity.com Advisory #3.1http://www.extropia.com/hacks/bbs_security.htmlhttp-cgi-bbs-forum(5906)3546Buffer overflow in exrecover in Solaris 2.6 and earlier possibly allows local users to gain privileges via a long command line argument.bid 2179BUGTRAQ:20010109 Solaris /usr/lib/exrecover buffer overflowsolaris-exrecover-bo(5913)exmh 2.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the exmhErrorMsg temporary file.BUGTRAQ:20001231 Advisory: exmh symlink vulnerabilityBUGTRAQ:20010112 exmh security vulnerabilityexmh-error-symlink(5829)MDKSA-2001:015FreeBSD-SA-01:17DSA-022Oracle XSQL servlet 1.0.3.0 and earlier allows remote attackers to execute arbitrary Java code by redirecting the XSQL server to another source via the xml-stylesheet parameter in the xslt stylesheet.BUGTRAQ:20010109 Oracle XSQL servlet and xml-stylesheet allowBUGTRAQ:20010123 Patch for Potential Vulnerability in Oracle XSQL Servlet20010123 Patch for Potential Vulnerability in Oracle XSQL Servletoracle-xsql-execute-code(5905)Buffer overflow in Olivier Debon Flash plugin (not the Macromedia plugin) allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long DefineSound tag.bid 2214BUGTRAQ:20010115 Flash plugin write-overflowVU#451096Zope before 2.2.4 does not properly compute local roles, which could allow users to bypass specified access restrictions and gain privileges.zope-calculate-roles(5777)MDKSA-2000:083FreeBSD-SA-01:06RHSA-2000:127-06DSA-006-1 zope: privilege escalationCLA-2000:365RHSA-2000:1276284Buffer overflow in Tinyproxy HTTP proxy 1.3.3 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long connect request.bid 2217BUGTRAQ:20010117 [pkc] remote heap overflow in tinyproxyDSA-018-1 tinyproxy: remote nobody exploittinyproxy-remote-bo(5954)Buffer overflow in HTML parser of the Lotus R5 Domino Server before 5.06, and Domino Client before 5.05, allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a malformed font size specifier.Alert-2001-001SPR # RTOA4L3QTQlotus-html-bo(6207)htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local users to overwrite arbitrary files via a symlink attack.bid 2182BUGTRAQ:20010110 Immunix OS Security update for lots of temp file problemsDSA-021-1 apache: insecure tempfile bug, broken mod_rewritelinux-apache-symlink(5926)Interscan VirusWall 3.6.x and earlier follows symbolic links when uninstalling the product, which allows local users to overwrite arbitrary files via a symlink attack.bid 2213BUGTRAQ:20010114 Trend Micro's VirusWall: Multiple vunerabilitiesThe web administration interface for Interscan VirusWall 3.6.x and earlier does not use encryption, which could allow remote attackers to obtain the administrator password to sniff the administrator password via the setpasswd.cgi program or other HTTP GET requests that contain base64 encoded usernames and passwords.bid 2212BUGTRAQ:20010114 Trend Micro's VirusWall: Multiple vunerabilitiesBuffer overflow in cpqlogin.htm in web-enabled agents for various Compaq management software products such as Insight Manager and Management Agents allows remote attackers to execute arbitrary commands via a long user name.bid 2200BUGTRAQ:20010116 iXsecurity.20001120.compaq-authbo.aSSRT0705The default installation of Ultraboard 2000 2.11 creates the Skins, Database, and Backups directories with world-writeable permissions, which could allow local users to modify sensitive information or possibly insert and execute CGI programs.bid 2197BUGTRAQ:20010112 UltraBoard cgi directory permission problemMemory leak in ProFTPd 1.2.0rc2 allows remote attackers to cause a denial of service via a series of USER commands, and possibly SIZE commands if the server has been improperly installed.proftpd-size-memory-leak(5801)BUGTRAQ:20001220 ProFTPD 1.2.0 Memory leakage - denial of serviceBUGTRAQ:20010109 Memory leakage in ProFTPd leads to remote DoS (SIZE FTP); (Exploit Code)BUGTRAQ:20010110 Re: Memory leakage in ProFTPd leads to remote DoS (SIZE FTP); (Exploit Code)MDKSA-2001:021DSA-029CLA-2001:38020010213 Trustix Security Advisory - proftpd, kernelWindows Media Player 7 allows remote attackers to execute malicious Java applets in Internet Explorer clients by enclosing the applet in a skin file named skin.wmz, then referencing that skin in the codebase parameter to an applet tag, aka the Windows Media Player Skins File Download" vulnerability.bid 2203BUGTRAQ:20010115 Windows Media Player 7 and IE java vulnerability - executing arbitrary programsMS01-010win-mediaplayer-arbitrary-code(5937)privatepw program in wu-ftpd before 2.6.1-6 allows local users to overwrite arbitrary files via a symlink attack.bid 2189BUGTRAQ:20010110 Immunix OS Security update for lots of temp file problems20010110 Immunix OS Security update for lots of temp file problemsMDKSA-2001-001DSA-016linux-wuftpd-privatepw-symlink(5915)inn 2.2.3 allows local users to overwrite arbitrary files via a symlink attack in some configurations.bid 2190BUGTRAQ:20010110 Immunix OS Security update for lots of temp file problemsMDKSA-2001:010CSSA-2001-001.020010110 Immunix OS Security update for lots of temp file problemslinux-inn-symlink(5916)arpwatch 2.1a4 allows local users to overwrite arbitrary files via a symlink attack in some configurations.bid 2183BUGTRAQ:20010110 Immunix OS Security update for lots of temp file problemsMDKSA-2001:00220010110 Immunix OS Security update for lots of temp file problemstcpdump-arpwatch-symlink(5922)mgetty 1.1.22 allows local users to overwrite arbitrary files via a symlink attack in some configurations.bid 2187BUGTRAQ:20010110 Immunix OS Security update for lots of temp file problemsMDKSA-2001:009DSA-011-1 mgetty: insecure tempfile handlingCSSA-2001-002.020010110 Immunix OS Security update for lots of temp file problemsRHSA-2001:050linux-mgetty-symlink(5918)squid 2.3 and earlier allows local users to overwrite arbitrary files via a symlink attack in some configurations.bid 2184BUGTRAQ:20010110 Immunix OS Security update for lots of temp file problemsBUGTRAQ:20010112 Trustix Security Advisory - diffutils squidMDKSA-2001:00320010110 Immunix OS Security update for lots of temp file problemsDSA-019squid-email-symlink(5921)vpop3d program in linuxconf 1.23r and earlier allows local users to overwrite arbitrary files via a symlink attack.bid 2186BUGTRAQ:20010110 Immunix OS Security update for lots of temp file problemsMDKSA-2001:01120010110 Immunix OS Security update for lots of temp file problemslinuxconf-vpop3d-symlink(5923)CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow.bid 2347BUGTRAQ:20010208 [CORE SDI ADVISORY] SSH1 CRC-32 compensation attack detectorRemote vulnerability in SSH daemon crc32 compensation attack detectorCA-2001-35503795ssh-deattack-overwrite-memory(6083)Buffer overflow in VCard handler in Outlook 2000 and 98, and Outlook Express 5.x, allows an attacker to execute arbitrary commands via a malformed vCard birthday field.MS01-012A022301-1IIS 5.0 and Microsoft Exchange 2000 allow remote attackers to cause a denial of service (memory allocation error) by repeatedly sending a series of specially formatted URL's.MS01-014VU#79658424402441iis-malformed-url-dos(6171)exchange-malformed-url-dos(6172)Buffer overflow in Windows 2000 event viewer snap-in allows attackers to execute arbitrary commands via a malformed field that is improperly handled during the detailed view of event records.MS01-013The WMP ActiveX Control in Windows Media Player 7 allows remote attackers to execute commands in Internet Explorer via javascript URLs, a variant of the "Frame Domain Verification" vulnerability.31, 2001MS01-015media-player-execute-commands(6227)Windows Scripting Host in Internet Explorer 5.5 and earlier allows remote attackers to read arbitrary files via the GetObject Javascript function and the htmlfile ActiveX object.22,2000MS01-0151718ie-getobject-expose-files(5293)Internet Explorer 5.5 and earlier executes Telnet sessions using command line arguments that are specified by the web site, which could allow remote attackers to execute arbitrary commands if the IE client is using the Telnet client provided in Services for Unix (SFU) 2.0, which creates session transcripts.MS01-01524637816ie-telnet-execute-commands(6230)IIS 5.0 allows remote attackers to cause a denial of service via a series of malformed WebDAV requests.MS01-016bid 2453iis-webdav-dos(6205)oval:org.mitre.oval:def:90The password protection option for the Compressed Folders feature in Plus! for Windows 98 and Windows Me writes password information to a file, which allows local users to recover the passwords and read the compressed folders.MS01-019Buffer overflow in VB-TSQL debugger object (vbsdicli.exe) in Visual Studio 6.0 Enterprise Edition allows remote attackers to execute arbitrary commands.MS01-018HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly.MS01-020CA-2001-06L-06625247806oval:org.mitre.oval:def:1411001197ie-mime-execute-code(6306)Format string vulnerability in VShell SSH gateway 1.0.1 and earlier allows remote attackers to execute arbitrary commands via a user name that contains format string specifiers.http://www.vandyke.com/products/vshell/security102.htmlVShell SSH gateway 1.0.1 and earlier has a default port forwarding rule of 0.0.0.0/0.0.0.0, which could allow local users conduct arbitrary port forwarding to other systems.http://www.vandyke.com/products/vshell/security102.htmlvshell-port-forwarding-rule(6148)2402Debugging utility in the backdoor mode of Palm OS 3.5.2 and earlier allows attackers with physical access to a Palm device to bypass access restrictions and obtain passwords, even if the system lockout mechanism is enabled.palm-debug-bypass-password(6196)Lucent/ORiNOCO WaveLAN cards generate predictable Initialization Vector (IV) values for the Wireless Encryption Protocol (WEP) which allows remote attackers to quickly compile information that will let them decrypt messages.http://www.cs.jhu.edu/~seny/pubs/wince802.pdfCisco 340-series Aironet access point using firmware 11.01 does not use 6 of the 24 available IV bits for WEP encryption, which makes it easier for remote attackers to mount brute force attacks.http://www.cs.jhu.edu/~seny/pubs/wince802.pdfWinCE 3.0.9348 generates predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections.http://www.cs.jhu.edu/~seny/pubs/wince802.pdfCisco AP340 base station produces predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections.http://www.cs.jhu.edu/~seny/pubs/wince802.pdfBuffer overflow in Netscape Directory Server 4.12 and earlier allows remote attackers to cause a denial of service or execute arbitrary commands via a malformed recipient field.netscape-directory-server-bo(6233)Buffer overflow in ximp40 shared library in Solaris 7 and Solaris 8 allows local users to gain privileges via a long "arg0" (process name) argument.bid 2322BUGTRAQ:20010131 [SPSadvisory#40]Solaris7/8 ximp40 shared library buffer overflowsolaris-ximp40-bo(6039)Macromedia Shockwave Flash plugin version 8 and earlier allows remote attackers to cause a denial of service via malformed tag length specifiers in a SWF file.BUGTRAQ:20001229 Shockwave Flash buffer overflowshockwave-flash-swf-bo(5826)Buffer overflow in AT&T WinVNC (Virtual Network Computing) client 3.3.3r7 and earlier allows remote attackers to execute arbitrary commands via a long rfbConnFailed packet with a long reason string.bid 2305winvnc-client-bo(6025)BUGTRAQ:20010129 [CORE SDI ADVISORY] WinVNC client buffer overflowBuffer overflow in AT&T WinVNC (Virtual Network Computing) server 3.3.3r7 and earlier allows remote attackers to execute arbitrary commands via a long HTTP GET request when the DebugLevel registry key is greater than 0.bid 2306winvnc-server-bo(6026)BUGTRAQ:20010129 [CORE SDI ADVISORY] WinVNC server buffer overflowVU#598581When using the LD_PRELOAD environmental variable in SUID or SGID applications, glibc does not verify that preloaded libraries in /etc/ld.so.cache are also SUID/SGID, which could allow a local user to overwrite arbitrary files by loading a library from /lib or /usr/lib.bid 2223linux-glibc-preload-overwrite(5971)BUGTRAQ:20010121 Trustix Security Advisory - glibcMDKSA-2001:012RHSA-2001:002-03SuSE-SA:2001:01CSSA-2001-007DSA-039TLSA2000021-2glibc 2.1.9x and earlier does not properly clear the RESOLV_HOST_CONF, HOSTALIASES, or RES_OPTIONS environmental variables when executing setuid/setgid programs, which could allow local users to read arbitrary files.bid 2181BUGTRAQ:20010110 Glibc Local Root ExploitBUGTRAQ:20010110 [slackware-security] glibc 2.2 local vulnerability on setuid binarieslinux-glibc-read-files(5907)RHSA-2001:001-06Buffer overflow in SlimServe HTTPd 1.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long GET request.bid 2318slimserve-httpd-dos(6028)BUGTRAQ:20010130 DOS Vulnerability in SlimServe HTTPdBuffer overflow in ReiserFS 3.5.28 in SuSE Linux allows local users to cause a denial of service and possibly execute arbitrary commands by via a long directory name.bid 2180suse-reiserfs-long-filenames(5910)BUGTRAQ:20010109 major security bug in reiserfs (may affect SuSE Linux)Buffer overflow in qDecoder library 5.08 and earlier, as used in CrazyWWWBoard, CrazySearch, and other CGI programs, allows remote attackers to execute arbitrary commands via a long MIME Content-Type header.bid 2329crazywwwboard-qdecoder-bo(6033)BUGTRAQ:20010130 Nobreak Tecnologies CrazyWWWBoard Remote Buffer OverflowBuffer overflow in Trend Micro Virus Buster 2001 8.00 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a large "To" address.BUGTRAQ:20010130 Security hole in Virus Buster 2001virusbuster-mua-bo(6034)6138The caching module in Netscape Fasttrack Server 4.1 allows remote attackers to cause a denial of service (resource exhaustion) by requesting a large number of non-existent URLs.bid 2273netscape-fasttrack-cache-dos(5985)BUGTRAQ:20010124 iPlanet FastTrack/Enterprise 4.1 DoS clarificationsBUGTRAQ:20010122 def-2001-05: Netscape Fasttrack Server Caching DoSThe setuid doroot program in Voyant Sonata 3.x executes arbitrary command line arguments, which allows local users to gain root privileges.bid 2125BUGTRAQ:20001218 More Sonata Conferencing software vulnerabilities.sonata-command-execute(5787)WebMaster ConferenceRoom 1.8.1 allows remote attackers to cause a denial of service via a buddy relationship between the IRC server and a server clone.bid 2178conferenceroom-developer-dos(5909)BUGTRAQ:20010110 Vulnerable: Conference Room Professional-Developer Edititon.kdesu program in KDE2 (KDE before 2.2.0-6) does not properly verify the owner of a UNIX socket that is used to send a password, which allows local users to steal passwords and gain privileges.kde2-kdesu-retrieve-passwords(5995)MDKSA-2001:018SuSE-SA:2001:02CSSA-2001-005.0bid 2320SuSE-SA:2001:02Allaire JRun 3.0 allows remote attackers to list contents of the WEB-INF directory, and the web.xml file in the WEB-INF directory, via a malformed URL that contains a "."allaire-jrun-webinf-dotslash(6008)ASB01-02Lars Ellingsen guestserver.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the "email" parameter.guestserver-cgi-execute-commands(6027)BUGTRAQ:20010129 Remote Command Execution in guestserver.cgi + exploitFormat string vulnerability in the error logging code of DHCP server and client in Caldera Linux allows remote attackers to execute arbitrary commands.bid 2215dhcp-format-string(5953)CSSA-2001-003.0FireWall-1 4.1 with a limited-IP license allows remote attackers to cause a denial of service by sending a large number of spoofed IP packets with various source addresses to the inside interface, which floods the console with warning messages and consumes CPU resources.bid 2238fw1-limited-license-dos(5966)BUGTRAQ:20010117 Licensing Firewall-1 DoS Attack1733ipfw and ip6fw in FreeBSD 4.2 and earlier allows remote attackers to bypass access restrictions by setting the ECE flag in a TCP packet, which makes the packet appear to be part of an established connection.bid 2293ipfw-bypass-firewall(5998)FreeBSD-SA-01:0820010125 ecepass - proof of concept code for FreeBSD ipfw bypassL-0291743ipfw-bypass-firewall(5998)eEye Iris 1.01 beta allows remote attackers to cause a denial of service via a malformed packet, which causes Iris to crash when a user views the packet.bid 2278eeye-iris-dos(5981)BUGTRAQ:20010121 eEye Iris the Network traffic analyser DoSBUGTRAQ:20010121 eEye Iris the Network traffic analyser DoSNetopia R9100 router version 4.6 allows authenticated users to cause a denial of service by using the router's telnet program to connect to the router's IP address, which causes a crash.BUGTRAQ:20010123 Make The Netopia R9100 Router To Crashbid 2287netopia-telnet-dos(6001)Directory traversal vulnerability in Free Java Web Server 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack.BUGTRAQ:20010204 Vulnerability in Free Java Web ServerFormat string vulnerability in wu-ftp 2.6.1 and earlier, when running with debug mode enabled, allows remote attackers to execute arbitrary commands via a malformed argument that is recorded in a PASV port assignment.bid 2296wuftp-debug-format-string(6020)DSA-016-3 wu-ftpd: temp file creation and format stringftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/missing_format_strings.patchCLA-2001:443GoodTech FTP server 3.0.1.2.1.0 and earlier allows remote attackers to cause a denial of service via a flood of connections to the server, which causes it to crash.bid 2270goodtech-ftp-dos(5984)BUGTRAQ:20010122 def-2001-03: GoodTech Systems FTP Connection DoSDirectory traversal vulnerability in LocalWEB2000 HTTP server allows remote attackers to read arbitrary commands via a .. (dot dot) attack in an HTTP GET request.bid 2268localweb2k-directory-traversal(5982)BUGTRAQ:20010119 LocalWEB2000 Directory Traversal VulnerabilityBuffer overflow in /usr/bin/cu in Solaris 2.8 and earlier, and possibly other operating systems, allows local users to gain privileges by executing cu with a long program name (arg0).BUGTRAQ:20010117 Solaris /usr/bin/cu VulnerabilityBUGTRAQ:20010123 Solaris /usr/bin/cu Vulnerability20010123 Solaris /usr/bin/cu Vulnerabilitycu-argv-bo(6224)gnuserv before 3.12, as shipped with XEmacs, does not properly check the specified length of an X Windows MIT-MAGIC-COOKIE cookie, which allows remote attackers to execute arbitrary commands via a buffer overflow, or brute force authentication by using a short cookie length.BUGTRAQ:20010202 Remote vulnerability in gnuserv/XEmacsRHSA-2001:010-07RHSA-2001:011-04MDKSA-2001:019gnuserv-tcp-cookie-overflow(6056)Buffer overflows in CTRLServer in XMail allows attackers to execute arbitrary commands via the cfgfileget or domaindel functions.20010201 XMail CTRLServer remote buffer overflow vulnerabilityFormat string vulnerability in man in some Linux distributions allows local users to gain privileges via a malformed -l parameter.bid 2327DSA-028-1 man-db: format string vulnerabilityBUGTRAQ:20010131 SuSe / Debian man package format string vulnerabilityman-i-format-string(6059)Buffer overflow in httpGets function in CUPS 1.1.5 allows remote attackers to execute arbitrary commands via a long input line.MDKSA-2001:020cups-httpgets-dos(6043)6064sash before 3.4-4 in Debian GNU/Linux does not properly clone /etc/shadow, which makes it world-readable and could allow local users to gain privileges via password cracking.linux-sash-shadow-readable(5994)DSA-015-1 sash: broken maintainer scriptinetd ident server in FreeBSD 4.x and earlier does not properly set group permissions, which allows remote attackers to read the first 16 bytes of files that are accessible by the wheel group.bid 2324FreeBSD-SA-01:11inetd-ident-read-files(6052)1753Format string vulnerability in print_client in icecast 1.3.8beta2 and earlier allows remote attackers to execute arbitrary commands.bid 2264BUGTRAQ:20010121 [pkc] format bugs in icecast 1.3.8b2 and prioricecast-format-string(5978)RHSA-2001:004-04CLSA-2001:374Buffer overflow in QuickTime Player plugin 4.1.2 (Japanese) allows remote attackers to execute arbitrary commands via a long HREF parameter in an EMBED tag.bid 2328quicktime-embedded-tag-bo(6040)BUGTRAQ:20010131 [SPSadvisory#41]Apple Quick Time Plug-in Buffer OverflowDirectory traversal vulnerability in SEDUM HTTP Server 2.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack in the HTTP GET request.bid 2335BUGTRAQ:20010204 Vulnerability in SEDUM HTTP ServerVU#65199414797sedum-directory-traversal(6063)HSWeb 2.0 HTTP server allows remote attackers to obtain the physical path of the server via a request to the /cgi/ directory, which will list the path if directory browsing is enabled.bid 2336BUGTRAQ:20010204 Web root exposure in HSWeb WebserverThe Postaci frontend for PostgreSQL does not properly filter characters such as semicolons, which could allow remote attackers to execute arbitrary SQL queries via the deletecontact.php program.bid 2230postaci-sql-command-injection(5972)BUGTRAQ:20010117 Postaci allows arbitrary SQL query executionpostaci-sql-command-injectionPicserver web server allows remote attackers to read arbitrary files via a .. (dot dot) attack in an HTTP GET request.bid 2339BUGTRAQ:20010205 Vulnerability in PicserverWatchguard Firebox II firewall allows users with read-only access to gain read-write access, and administrative privileges, by accessing a file that contains hashed passphrases, and using the hashes during authentication.bid 2284firebox-obtain-passphrase(5979)BUGTRAQ:20010120 Watchguard Firewall Elevated Privilege VulnerabilityWatchguard Firebox II allows remote attackers to cause a denial of service by establishing multiple connections and sending malformed PPTP packets.def-2001-072369firebox-pptp-dos(6109)Directory traversal vulnerability in AOLserver 3.2 and earlier allows remote attackers to read arbitrary files by inserting "..." into the requested pathname, a modified .. (dot dot) attack.bid 2343BUGTRAQ:20010208 Vulnerability in AOLserverBUGTRAQ:20010208 Vulnerability in AOLserverDirectory traversal vulnerability in Soft Lite ServerWorx 3.00 allows remote attackers to read arbitrary files by inserting a .. (dot dot) or ... into the requested pathname of an HTTP GET request.2346Buffer overflow in bing allows remote attackers to execute arbitrary commands via a long hostname, which is copied to a small buffer after a reverse DNS lookup using the gethostbyaddr function.bid 2279linux-bing-bo(6036)BUGTRAQ:20010119 Buffer overflow in bingBUGTRAQ:20010119 Buffer overflow in bingMicroFocus Cobol 4.1, with the AppTrack feature enabled, installs the mfaslmf directory and the nolicense file with insecure permissions, which allows local users to gain privileges by modifying files.2359Buffer overflow in Shoutcast Distributed Network Audio Server (DNAS) 1.7.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long description.shoutcast-description-bo(5965)20010118 Shoutcast Server Buffer Crashes ServerDirectory traversal vulnerability in commerce.cgi CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack in the page parameter.2361Directory traversal vulnerability in WebSPIRS 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) attack on the sp.nextform parameter.2362Directory traversal vulnerability in HIS Auktion 1.62 allows remote attackers to read arbitrary files via a .. (dot dot) in the menue parameter, and possibly execute commands via shell metacharacters.2367Buffer overflow in pi program in PlanetIntra 2.5 allows remote attackers to execute arbitrary commands.planetintra-pi-bo(6002)BUGTRAQ:200101125 [SAFER] Security Bulletin 010125.EXP.1.12Way-board CGI program allows remote attackers to read arbitrary files by specifying the filename in the db parameter and terminating the filename with a null byte.2370ROADS search.pl program allows remote attackers to read arbitrary files by specifying the file name in the form parameter and terminating the filename with a null byte.http://www.roads.lut.ac.uk/lists/open-roads/2001/02/0001.htmlroads-search-view-files(6097)PALS Library System pals-cgi program allows remote attackers to execute arbitrary commands via shell metacharacters in the documentName parameter.webpals-library-cgi-url(6102)Directory traversal vulnerability in PALS Library System pals-cgi program allows remote attackers to read arbitrary files via a .. (dot dot) in the documentName parameter.webpals-library-cgi-url(6102)Format string vulnerability in mars_nwe 0.99.pl19 allows remote attackers to execute arbitrary commands.bid 2324mars-nwe-format-string(6019)FreeBSD-SA-01:20FREEBSD:FreeBSD-SA-01:20Vulnerability in Support Tools Manager (xstm,cstm,stm) in HP-UX 11.11 and earlier allows local users to cause a denial of service.bid 2239hp-stm-dos(5957)HPSBUX0101-137699170297030Buffer overflow in ja-elvis and ko-helvis ports of elvis allow local users to gain root privileges.Buffer overflow in ja-xklock 2.7.1 and earlier allows local users to gain root privileges.ja-xklock-bo(6073)webmin 0.84 and earlier allows local users to overwrite and create arbitrary files via a symlink attack.linux-webmin-tmpfiles(6011)bid 2399MDKSA-2001:016CSSA-2001-004.0linux-webmin-tmpfilesBuffer overflow in wwwwais allows remote attackers to execute arbitrary commands via a long QUERY_STRING (HTTP GET request).wwwwais-cgi-dos(5980)20010117 numerous holesMuscat Empower CGI program allows remote attackers to obtain the absolute pathname of the server via an invalid request in the DB parameter.2374muskat-empower-url-dir(6093)fortran math component in Infobot 0.44.5.3 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters.Directory traversal vulnerability in BiblioWeb web server 2.0 allows remote attackers tor ead arbitrary files via a .. (dot dot) or ... attack in an HTTP GET request.BUGTRAQ:20010205 Vulnerabilities in BiblioWeb ServerBuffer overflow in BiblioWeb web server 2.0 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long HTTP GET request.BUGTRAQ:20010205 Vulnerabilities in BiblioWeb ServerDirectory traversal vulnerability in GoAhead web server 2.1 and earlier allows remote attackers to read arbitrary files via a .. attack in an HTTP GET request.BUGTRAQ:20010202 GoAhead Web Server Directory Traversal VulnerabilityChili!Soft ASP for Linux before 3.6 does not properly set group privileges when running in inherited mode, which could allow attackers to gain privileges via malicious scripts.BUGTRAQ:20010206 Security hole in ChiliSoft ASP on Linux.Buffer overflow in dc20ctrl before 0.4_1 in FreeBSD, and possibly other operating systems, allows local users to gain privileges.dc20ctrl-port-bo(6077)6081Directory traversal vulnerability in newsdesk.cgi in News Desk 1.2 allows remote attackers to read arbitrary files via a .. in the "t" parameter.bid 2172newsdesk-cgi-read-files(5898)BUGTRAQ:20010103 News Desk 1.2 CGI VulnerbilityVU#496064newsdesk.cgi in News Desk 1.2 allows remote attackers to read arbitrary files via shell metacharacters.BUGTRAQ:20010103 News Desk 1.2 CGI VulnerbilityBuffer overflow in micq client 0.4.6 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long Description field.micq-sprintf-remote-bo(5962)BUGTRAQ:20010124 patch Re: [PkC] Advisory #003: micq-0.4.6 remote buffer overflowRHSA-2001:005-03DSA-012-1 micq: remote buffer overflowFreeBSD-SA-01:1420010118 [PkC] Advisory #003: micq-0.4.6 remote buffer overflowNewsDaemon before 0.21b allows remote attackers to execute arbitrary SQL queries and gain privileges via a malformed user_username parameter.newsdaemon-gain-admin-access(6010)BUGTRAQ:20010126 NewsDaemon remote administrator accesshttp://sourceforge.net/forum/forum.php?forum_id=60570Vulnerability in crontab allows local users to read crontab files of other users by replacing the temporary file that is being edited while crontab is running.DSA-024-1 cron: local insecure crontab handlingFreeBSD-SA-01:092332crontab-read-files(6225)Buffer overflow in Solaris snmpXdmid SNMP to DMI mapper daemon allows remote attackers to execute arbitrary commands via a long "indication" event.BID:2417http://www.cert.org/advisories/CA-2001-05.htmlL-06500207solaris-snmpxdmid-bo(6245)Memory leak in Microsoft 2000 domain controller allows remote attackers to cause a denial of service by repeatedly connecting to the Kerberos service and then disconnecting without sending any data.BUGTRAQ:20010509 def-2001-24: Windows 2000 Kerberos DoSMS:MS01-024L-079win2k-kerberos-dos(6506)2707Microsoft Data Access Component Internet Publishing Provider 8.103.2519.0 and earlier allows remote attackers to bypass Security Zone restrictions via WebDAV requests.MS01-022L-074ms-dacipp-webdav-access(6405)Microsoft Internet Security and Acceleration (ISA) Server 2000 Web Proxy allows remote attackers to cause a denial of service via a long web request with a specific type.SX-20010320-2BUGTRAQ:20010427 Microsoft ISA Server VulnerabilitySX-20010320-2bMS01-021bid2600L-073isa-web-proxy-dos(6383)Microsoft Word before Word 2002 allows attackers to automatically execute macros without warning the user via a Rich Text Format (RTF) document that links to a template with the embedded macro.MS:MS01-028word-rtf-macro-execution(6571)2753Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0.BUGTRAQ:20010501 Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access)MS:MS01-023BID:2674CA-2001-10iis-isapi-printer-bo(6485)3323oval:org.mitre.oval:def:1068Buffer overflows in Microsoft Windows Media Player 7 and earlier allow remote attackers to execute arbitrary commands via (1) a long version tag in an .ASX file, or (2) a long banner tag, a variant of the ".ASX Buffer Overrun" vulnerability as discussed in MS:MS00-090.MS:MS01-029BID:267720010502 Microsoft Media Player ASX Parser buffer overflow vulnerability20010506 Re: Microsoft Media Player ASX Parser buffer overflow vulnerability2686VU#187528mediaplayer-asx-bo(5574)Windows Media Player 7 and earlier stores Internet shortcuts in a user's Temporary Files folder with a fixed filename instead of in the Internet Explorer cache, which causes the HTML in those shortcuts to run in the Local Computer Zone instead of the Internet Zone, which allows remote attackers to read certain files.MS:MS01-029mediaplayer-html-shortcut(6584)2765Buffer overflow in Microsoft Index Server 2.0 allows remote attackers to execute arbitrary commands via a long search parameter.MS:MS01-0252709winnt-indexserver-search-bo(6517)Microsoft Index Server 2.0 in Windows NT 4.0, and Indexing Service in Windows 2000, allows remote attackers to read server-side include files via a malformed search request, aka a new variant of the "Malformed Hit-Highlighting" vulnerability.MS:MS01-025win-indexserver-view-files(6518)Internet Explorer 5.5 and earlier does not properly verify the domain of a frame within a browser window, which allows remote web site operators to read certain files on the client by sending information from a local frame to a frame in a different domain, aka a variant of the "Frame Domain Verification" vulnerability.MS:MS01-027Buffer overflows in BSD-based FTP servers allows remote attackers to execute arbitrary commands via a long pattern string containing a {} sequence, as seen in (1) g_opendir, (2) g_lstat, (3) g_stat, and (4) the glob0 buffer as used in the glob functions glob2 and glob3.NAI:20010409 Globbing Vulnerabilities in Multiple FTP DaemonsCERT:CA-2001-07NETBSD:NetBSD-SA2000-018FREEBSD:FreeBSD-SA-01:33018.txt.asc20010409 Globbing Vulnerabilities in Multiple FTP DaemonsFreeBSD-SA-01:3320010802-01-Pftp-glob-expansion(6332)Buffer overflow in FTP server in HPUX 11 allows remote attackers to execute arbitrary commands by creating a long pathname and calling the STAT command, which uses glob to generate long strings.NAI:20010409 Globbing Vulnerabilities in Multiple FTP DaemonsCERT:CA-2001-07BID:255220010409 Globbing Vulnerabilities in Multiple FTP Daemonsftp-glob-expansion(6332)Heap overflow in FTP daemon in Solaris 8 allows remote attackers to execute arbitrary commands by creating a long pathname and calling the LIST command, which uses glob to generate long strings.NAI:20010409 Globbing Vulnerabilities in Multiple FTP DaemonsCERT:CA-2001-07BID:255020010409 Globbing Vulnerabilities in Multiple FTP Daemonsftp-glob-expansion(6332)The Web Publishing feature in Netscape Enterprise Server 4.x and earlier allows remote attackers to list arbitrary directories under the web server root via the INDEX command.Bugtraq id 2285netscape-enterprise-list-directories(5997)The Web Publishing feature in Netscape Enterprise Server 3.x allows remote attackers to cause a denial of service via the REVLOG command.Bugtraq id 2294netscape-enterprise-revlog-dos(6003)iPlanet (formerly Netscape) Enterprise Server 4.1 allows remote attackers to cause a denial of service via a long HTTP GET request that contains many "/../" (dot dot) sequences.Bugtraq id 2282netscape-enterprise-dot-dos(5983)Directory traversal vulnerability in hsx.cgi program in iWeb Hyperseek 2000 allows remote attackers to read arbitrary files and directories via a .. (dot dot) attack in the show parameter.Bugtraq id 2314hyperseek-cgi-reveal-info(6012)VU#146704FaSTream FTP++ Server 2.0 allows remote attackers to obtain the real pathname of the server via the "pwd" command.FaSTream FTP++ Server 2.0 allows remote attackers to list arbitrary directories by using the "ls" command and including the drive letter name (e.g. C:) in the requested pathname.Bugtraq id 2267fastream-ftp-path-disclosure(5977)FaSTream FTP++ Server 2.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long username.Bugtraq id 2261fastream-ftp-server-dos(5976)Buffer overflow in Easycom/Safecom Print Server Web service, version 404.590 and earlier, allows remote attackers to execute arbitrary commands via (1) a long URL or (2) a long HTTP header field such as "Host:".Bugtraq id 2291easycom-safecom-url-bo(5988)The Easycom/Safecom Print Server (firmware 404.590) PrintGuide server allows remote attackers to cause a denial of service via a large number of connections that send null characters.easycom-safecom-url-bo(5988)ssh-keygen in ssh 1.2.27 - 1.2.30 with Secure-RPC can allow local attackers to recover a SUN-DES-1 magic phrase generated by another user, which the attacker can use to decrypt that user's private key file.SSH1 Secure RPC VulnerabilityBugtraq id 2222ssh-rpc-private-key(5963)Buffer overflow in Lotus Domino Mail Server 5.0.5 and earlier allows a remote attacker to crash the server or execute arbitrary code via a long "RCPT TO" command.lotus-domino-smtp-bo(5993)Bugtraq id 22833321Microsoft Windows 2000 Encrypted File System does not properly destroy backups of files that are encrypted, which allows a local attacker to recover the text of encrypted files.Bugtraq id 2243win2k-efs-recover-data(5973)Buffer overflow in Netscape SmartDownload 1.3 allows remote attackers (malicious web pages) to execute arbitrary commands via a long URL.ATSTAKE:A041301-1Gene6 G6 FTP Server 2.0 (aka BPFTP Server 2.10) allows attackers to read file attributes outside of the web root via the (1) SIZE and (2) MDTM commands when the "show relative paths" option is not enabled.ATSTAKE:A040301-12537bpftp-obtain-credentials(6330)2537Gene6 G6 FTP Server 2.0 (aka BPFTP Server 2.10) allows remote attackers to obtain NETBIOS credentials by requesting information on a file that is in a network share, which causes the server to send the credentials to the host that owns the share, and allows the attacker to sniff the connection.ATSTAKE:A040301-1BID:2534ASCII Armor parser in Windows PGP 7.0.3 and earlier allows attackers to create files in arbitrary locations via a malformed ASCII armored file.ATSTAKE:A040901-1pgp-armor-code-execution(6643)25561782Vulnerability in Software Distributor SD-UX in HP-UX 11.0 and earlier allows local users to gain privileges.6033NM debug in HP MPE/iX 6.5 and earlier does not properly handle breakpoints, which allows local users to gain privileges.HPSBMP0102-008hp-nmdebug-gain-privileges(6226)6032The i386_set_ldt system call in NetBSD 1.5 and earlier, and OpenBSD 2.8 and earlier, when the USER_LDT kernel option is enabled, does not validate a call gate target, which allows local users to gain root privileges by creating a segment call gate in the Local Descriptor Table (LDT) with a target that specifies an arbitrary kernel address.NetBSD Security Advisory 2001-002022: SECURITY FIX: Mar 2, 2001CSSA-2001-SCO.3520010219 Re: your mail20010302 The USER_LDT kernel option allows an attacker to gain access to privileged areas of kernel memory.VU#35896027396141user-ldt-validation(6222)pam_ldap authentication module in Solaris 8 allows remote attackers to bypass authentication via a NULL password.solaris-pamldap-bypass-authentication(6440)6030Marconi ASX-1000 ASX switches allow remote attackers to cause a denial of service in the telnet and web management interfaces via a malformed packet with the SYN-FIN and More Fragments attributes set.Bugtraq id 2400mailnews.cgi 1.3 and earlier allows remote attackers to execute arbitrary commands via a user name that contains shell metacharacters. 2391Directory traversal vulnerability in sendtemp.pl in W3.org Anaya Web development server allows remote attackers to read arbitrary files via a .. (dot dot) attack in the templ parameter.pgp4pine Pine/PGP interface version 1.75-6 does not properly check to see if a public key has expired when obtaining the keys via Gnu Privacy Guard (GnuPG), which causes the message to be sent in cleartext.VU#5666402405pgp4pine-expired-keys(6135)kicq IRC client 1.0.0, and possibly later versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.kicq-execute-commands(6112)Moby Netsuite Web Server 1.02 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP request.ext.dll in BadBlue 1.02.07 Personal Edition web server allows remote attackers to determine the physical path of the server by directly calling ext.dll without any arguments, which produces an error message that contains the path.Bugtraq id 2390http://www.badblue.com/p010219.htmbadblue-ext-reveal-path(6130)Buffer overflow in ext.dll in BadBlue 1.02.07 Personal Edition allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long HTTP GET request.Bugtraq id 2392Vulnerability in linkeditor in HP MPE/iX 6.5 and earlier allows local users to gain privileges.HP:HPSBMP0102-009hp-linkeditor-gain-privileges(6223)Buffer overflow in sudo earlier than 1.6.3p6 allows local users to gain root privileges.MDKSA-2001:024CLA-2001:381RHSA-2001:018RHSA-2001:01920010225 [slackware-security] buffer overflow in sudo fixed20010226 Trustix Security Advisory - sudoBuffer overflow in MERCUR SMTP server 3.30 allows remote attackers to execute arbitrary commands via a long EXPN command.mercur-expn-bo(6149)6027Format string vulnerability in DbgPrint function, used in debug messages for some Windows NT drivers (possibly when called through DebugMessage), may allow local users to gain privileges.SEDUM 2.1 HTTP server allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long HTTP request.Directory traversal vulnerability in SunFTP build 9 allows remote attackers to read arbitrary files via .. (dot dot) characters in various commands, including (1) GET, (2) MKDIR, (3) RMDIR, (4) RENAME, or (5) PUT.Buffer overflow in IPSEC authentication mechanism for OpenBSD 2.8 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a malformed Authentication header (AH) IPv4 option.20010302 Insufficient checks in the IPSEC AH IPv4 option handling code can lead to a buffer overrun in the kernel.6026Buffer overflow in A1 HTTP server 1.0a allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long HTTP request.Directory traversal vulnerability in A1 HTTP server 1.0a allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP GET request.VERITAS Cluster Server (VCS) 1.3.0 on Solaris allows local users to cause a denial of service (system panic) via the -L option to the lltstat command.6025Cisco switches and routers running IOS 12.1 and earlier produce predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections.Joe text editor 2.8 searches the current working directory (CWD) for the .joerc configuration file, which could allow local users to gain privileges of other users by placing a Trojan Horse .joerc file into a directory, then waiting for users to execute joe from that directory.MDKSA-2001:026RHSA-2001:024Vulnerability in Mailman 2.0.1 and earlier allows list administrators to obtain user passwords.Buffer overflow in post-query sample CGI program allows remote attackers to execute arbitrary commands via an HTTP POST request that contains at least 10001 parameters.PHP-Nuke 4.4.1a allows remote attackers to modify a user's email address and obtain the password by guessing the user id (UID) and calling user.php with the saveuser operator.Directory traversal vulnerability in FtpXQ FTP server 2.0.93 allows remote attackers to read arbitrary files via a .. (dot dot) in the GET command.BID:2426Directory traversal vulnerability in TYPSoft FTP Server 0.85 allows remote attackers to read arbitrary files via (1) a .. (dot dot) in a GET command, or (2) a ... in a CWD command.Directory traversal vulnerability in War FTP 1.67.04 allows remote attackers to list directory contents and possibly read files via a "dir *./../.." command.BID:2444874Buffer overflow in WFTPD Pro 3.00 allows remote attackers to execute arbitrary commands via a long CWD command.Directory traversal vulnerability in Simple Server HTTPd 1.0 (originally Free Java Server) allows remote attackers to read arbitrary files via a .. (dot dot) in the URL.BID:2415Buffer overflow in WebReflex 1.55 HTTPd allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP GET request.BID:242520010227 WebReflex 1.55 HTTPd DoSBuffer overflow in Voyager web administration server for Nokia IP440 allows local users to cause a denial of service, and possibly execute arbitrary commands, via a long URL.Bugtraq id 2054nokia-ip440-bo(5640)6020oidldapd 2.1.1.1 in Oracle 8.1.7 records log files in a directory (ldaplog) that has world-writable permissions, which may allow local users to delete logs and/or overwrite other files via a symlink attack.VU#610904oracle-oidldap-write-permission(5804)Buffer overflow in Analog before 4.16 allows remote attackers to execute arbitrary commands by using the ALIAS command to construct large strings.SECURITY ADVISORY 13th February 2001security2RHSA-2001:017-03DSA-033-1Bugtraq id 2377analog-alias-bo(6105)1762Buffer overflow in tstisapi.dll in Pi3Web 1.0.1 web server allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long URL.Bugtraq id 2381tstisapi.dll in Pi3Web 1.0.1 web server allows remote attackers to determine the physical path of the server via a URL that requests a non-existent file.2381Directory traversal vulnerability in Caucho Resin 1.2.2 allows remote attackers to read arbitrary files via a "\.." (dot dot) in a URL request.Bugtraq id 2384Directory traversal vulnerability in store.cgi in Thinking Arts ES.One package allows remote attackers to read arbitrary files via a .. (dot dot) in the StartID parameter.Bugtraq id 2385Directory traversal vulnerability in ITAfrica WEBactive HTTP Server 1.00 allows remote attackers to read arbitrary files via a .. (dot dot) in a URL.Bugtraq id 2386Bajie HTTP JServer 0.78, and other versions before 0.80, allows remote attackers to execute arbitrary commands via shell metacharacters in an HTTP request for a CGI program that does not exist.UploadServlet in Bajie HTTP JServer 0.78, and possibly other versions before 0.80, allows remote attackers to execute arbitrary commands by calling the servlet to upload a program, then using a ... (modified ..) to access the file that was created for the program.Bugtraq id 2388inetd in Red Hat 6.2 does not properly close sockets for internal services such as chargen, daytime, echo, etc., which allows remote attackers to cause a denial of service via a series of connections to the internal services.RHSA-2001:006-03inetd-internal-socket-dos(6380)sort in FreeBSD 4.1.1 and earlier, and possibly other operating systems, uses predictable temporary file names and does not properly handle when the temporary file already exists, which causes sort to crash and possibly impacts security-sensitive scripts.sort-temp-file-abort(6038)FreeBSD-SA-01:133960Vulnerability in OmniBackII A.03.50 in HP 11.x and earlier allows attackers to gain unauthorized access to an OmniBack client.HPSBUX0102-142PHSS_22914PHSS_22915omniback-unauthorized-access(6434)IBM WebSphere plugin for Netscape Enterprise server allows remote attackers to read source code for JSP files via an HTTP request that contains a host header that references a host that is not in WebSphere's host aliases list, which will bypass WebSphere processing.Borderware Firewall Server 6.1.2 allows remote attackers to cause a denial of service via a ping to the broadcast address of the public network on which the server is placed, which causes the server to continuously send pings (echo requests) to the network.borderware-ping-dos(6004)Buffer overflow in www.tol module in America Online (AOL) 5.0 may allow remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long URL in a link.aol-malformed-url-dos(6009)The locking feature in mIRC 5.7 allows local users to bypass the password mechanism by modifying the LockOptions registry key.mirc-bypass-password(6013)20010125 mIRC allows password protection to be bypassedLinux kernel 2.4 and 2.2 allows local users to read kernel memory and possibly gain privileges via a negative argument to the sysctl call.CSSA-2001-009.0CSSA-2001-009.0BID 2364RHSA-2001:01323646017linux-sysctl-read-memory(6079)Race condition in ptrace in Linux kernel 2.4 and 2.2 allows local users to gain privileges by using ptrace to track and modify a running setuid process.CSSA-2001-009.0CSSA-2001-009.0RHSA-2001:013linux-ptrace-modify-process(6080)Format string vulnerability in ProFTPD 1.2.0rc2 may allow attackers to execute arbitrary commands by shutting down the FTP server while using a malformed working directory (cwd).DSA-029-2 proftpdMDKSA-2001:02120010110 proftpd 1.2.0rc2 -- example of bad codingCLA-2001:380proftpd-format-string(6433)orderdspc.d2w macro in IBM Net.Commerce 3.x allows remote attackers to execute arbitrary SQL queries by inserting them into the order_rn option of the report capability.Bugtraq id 2350ibm-netcommerce-reveal-information(6067)bb_smilies.php and bbcode_ref.php in PHP-Nuke 4.4 allows remote attackers to read arbitrary files and gain PHP administrator privileges by inserting a null character and .. (dot dot) sequences into a malformed username argument.opendir.php script in PHP-Nuke allows remote attackers to read arbitrary files by specifying the filename as an argument to the requesturl parameter.phpnuke-opendir-read-files(6512)MSHTML.DLL HTML parser in Internet Explorer 4.0, and other versions, allows remote attackers to cause a denial of service (application crash) via a script that creates and deletes an object that is associated with the browser window object.Bugtraq id 2202ie-mshtml-dos(5938)The ICMP path MTU (PMTU) discovery feature in various UNIX systems allows remote attackers to cause a denial of service by spoofing "ICMP Fragmentation needed but Don't Fragment (DF) set" packets between two target hosts, which could cause one host to lower its MTU when transmitting to the other host.icmp-pmtu-dos(5975)Windows 98 and Windows 2000 Java clients allow remote attackers to cause a denial of service via a Java applet that opens a large number of UDP sockets, which prevents the host from establishing any additional UDP connections, and possibly causes a crash.Bugtraq id 2340Buffer overflow in QNX RTP 5.60 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large number of arguments to the stat command.Bugtraq id 2342Oracle Java Virtual Machine (JVM ) for Oracle 8.1.7 and Oracle Application Server 9iAS Release 1.0.2.0.1 allows remote attackers to read arbitrary files via the .jsp and .sqljsp file extensions when the server is configured to use the <<ALL FILES>> FilePermission.oracle-jvm-file-permissions(6438)5706iPlanet Web Server Enterprise Edition 4.1 and earlier allows remote attackers to retrieve sensitive data from memory allocation pools, or cause a denial of service, via a URL-encoded Host: header in the HTTP request, which reveals memory in the Location: header that is returned by the server.ATSTAKE:A041601-1http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.htmlVU#2767675704TCP implementations that use random increments for initial sequence numbers (ISN) can allow remote attackers to perform session hijacking or disruption by injecting a flood of packets with a range of ISN values, one of which may match the expected ISN.CERT:CA-2001-0920030201-01-P578044Bugzilla 2.10 allows remote attackers to execute arbitrary commands via shell metacharacters in a username that is then processed by (1) the Bugzilla_login cookie in post_bug.cgi, or (2) the who parameter in process_bug.cgi.ATSTAKE:A043001-1BID:2670http://www.mozilla.org/projects/bugzilla/security2_12.html1199Bugzilla 2.10 allows remote attackers to access sensitive information, including the database username and password, via an HTTP request for the globals.pl file, which is normally returned by the web server without being executed.ATSTAKE:A043001-1BID:2671bugzilla-gobalpl-gain-information(6489)Buffer overflow in Embedded Support Partner (ESP) daemon (rpc.espd) in IRIX 6.5.8 and earlier allows remote attackers to execute arbitrary commands.ISS:20010509 Remote Buffer Overflow Vulnerability in IRIX Embedded Support Partner Infrastructure20010501-01-PVU#25863227141822irix-espd-bo(6502)Internet Explorer 5.5 and earlier does not properly verify the domain of a frame within a browser window, which allows remote web site operators to read certain files on the client by sending information from a local frame to a frame in a different domain using MSScriptControl.ScriptControl and GetObject, aka a variant of the "Frame Domain Verification" vulnerability.BUGTRAQ:20010330 Security bug in Internet Explorer - MSScriptControl.ScriptControlMS:MS01-027Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.BUGTRAQ:20010515 NSFOCUS SA2001-02 : Microsoft IIS CGI Filename Decode Error VulnerabilityMS:MS01-026CA-2001-12iis-url-decoding(6534)2708oval:org.mitre.oval:def:1018oval:org.mitre.oval:def:1051oval:org.mitre.oval:def:37oval:org.mitre.oval:def:78FTP service in IIS 5.0 and earlier allows remote attackers to cause a denial of service via a wildcard sequence that generates a long string when it is expanded.MS:MS01-026iis-ftp-wildcard-dos(6535)FTP service in IIS 5.0 and earlier allows remote attackers to enumerate Guest accounts in trusted domains by preceding the username with a special sequence of characters.MS:MS01-026iis-ftp-domain-authentication(6545)2719The Microsoft MS00-060 patch for IIS 5.0 and earlier introduces an error which allows attackers to cause a denial of service via a malformed request.MS:MS01-026iis-crosssitescripting-patch-dos(6858)5693The Microsoft MS01-014 and MS01-016 patches for IIS 5.0 and earlier introduce a memory leak which allows attackers to cause a denial of service via a series of requests.MS:MS01-026Internet Explorer 5.5 and earlier does not properly validate digital certificates when Certificate Revocation List (CRL) checking is enabled, which could allow remote attackers to spoof trusted web sites, aka the "Server certificate validation vulnerability."MS:MS01-027L-087ie-crl-certificate-spoofing(6555)2735Internet Explorer 5.5 and earlier allows remote attackers to display a URL in the address bar that is different than the URL that is actually being displayed, which could be used in web site spoofing attacks, aka the "Web page spoofing vulnerability."MS:MS01-027L-087ie-html-url-spoofing(6556)27375694oval:org.mitre.oval:def:1096An interaction between the Outlook Web Access (OWA) service in Microsoft Exchange 2000 Server and Internet Explorer allows attackers to execute malicious script code against a user's mailbox via a message attachment that contains HTML code, which is executed automatically.MS01-030L-091exchange-owa-script-execution(6652)Buffer overflow in Microsoft Visual Studio RAD Support sub-component of FrontPage Server Extensions allows remote attackers to execute arbitrary commands via a long registration request (URL) to fp30reg.dll.SA2001-03MS01-035bid2906frontpage-ext-rad-bo(6730)577An SQL query method in Microsoft SQL Server 2000 Gold and 7.0 using Mixed Mode allows local database users to gain privileges by reusing a cached connection of the sa administrator account.MS01-032L-095mssql-cached-connection-access(6684)oval:org.mitre.oval:def:71Microsoft Windows 2000 telnet service allows attackers to prevent idle Telnet sessions from timing out, causing a denial of service by creating a large number of idle sessions.MS01-031bid 28432843win2k-telnet-idle-sessions-dos(6667)Handle leak in Microsoft Windows 2000 telnet service allows attackers to cause a denial of service by starting a large number of sessions and terminating them.MS01-031bid 2844MS01-031win2k-telnet-handle-leak-dos(6668)Information disclosure vulnerability in Microsoft Windows 2000 telnet service allows remote attackers to determine the existence of user accounts such as Guest, or log in to the server without specifying the domain name, via a malformed userid.MS01-031L-0922847win2k-telnet-domain-authentication(6665)5686Microsoft Windows 2000 telnet service allows attackers to cause a denial of service (crash) via a long logon command that contains a backspace.MS01-031bid 283820010608 Range checking fault condition in Microsoft Windows 2000 Telnet serverL-092win2k-telnet-username-dos(6666)Microsoft Windows 2000 telnet service creates named pipes with predictable names and does not properly verify them, which allows local users to execute arbitrary commands by creating a named pipe with the predictable name and associating a malicious program with it, the first of two variants of this vulnerability.MS01-031VU#5875872849win2k-telnet-pipe-privileges(6664)Microsoft Windows 2000 telnet service creates named pipes with predictable names and does not properly verify them, which allows local users to execute arbitrary commands by creating a named pipe with the predictable name and associating a malicious program with it, the second of two variants of this vulnerability.MS01-031win2k-telnet-pipe-privileges(6664)Microsoft Windows 2000 telnet service allows a local user to make a certain system call that allows the user to terminate a Telnet session and cause a denial of service.MS01-031bid 2846L-092win2k-telnet-system-call-dos(6669)2846SNMP agents in 3Com AirConnect AP-4111 and Symbol 41X1 Access Point allow remote attackers to obtain the WEP encryption key by reading it from a MIB when the value should be write-only, via (1) dot11WEPDefaultKeyValue in the dot11WEPDefaultKeysTable of the IEEE 802.11b MIB, or (2) ap128bWepKeyValue in the ap128bWEPKeyTable in the Symbol MIB.Wired-side SNMP WEP key exposure in 802.11b Access PointsBuffer overflow in the line printer daemon (in.lpd) for Solaris 8 and earlier allows local and remote attackers to gain root privileges via a "transfer job" routine.solaris-lpd-bo(6718)Remote Buffer Overflow Vulnerability in Solaris Print Protocol Daemon00206CA-2001-152894TheNet CheckBO 1.56 allows remote attackers to cause a denial of service via a flood of characters to the TCP ports which it is listening on.BUGTRAQ:20010420 CheckBO Win9x memo overflowbid2634Novell Groupwise 5.5 (sp1 and sp2) allows a remote user to access arbitrary files via an implementation error in Groupwise system policies.FormMail.pl in FormMail 1.6 and earlier allows a remote attacker to send anonymous email (spam) by modifying the recipient and message parameters.formmail-anonymous-flooding(6242)Buffer overflows in Sierra Half-Life build 1573 and earlier allow remote attackers to execute arbitrary code via (1) a long map command, (2) a long exec command, or (3) long input in a configuration file.62216218Format string vulnerability in Sierra Half-Life build 1573 and earlier allows a remote attacker to execute arbitrary code via the map command.6220Directory traversal vulnerability in help.cgi in Ikonboard 2.1.7b and earlier allows a remote attacker to read arbitary files via a .. (dot dot) attack in the helpon parameter.bid 24716216Implementations of SSH version 1.5, including (1) OpenSSH up to version 2.3.0, (2) AppGate, and (3) ssh-1 up to version 1.2.31, in certain configurations, allow a remote attacker to decrypt and/or alter traffic via a "Bleichenbacher attack" on PKCS#1 version 1.5.CORE-20010116bid 234420010207 [CORE SDI ADVISORY] SSH1 session key recovery vulnerabilityL-047FreeBSD-SA-01:24DSA-023DSA-027DSA-086SuSE-SA:2001:04ssh-session-key-recovery(6082)2116SSH Communications Security sshd 2.4 for Windows allows remote attackers to create a denial of service via a large number of simultaneous connections.USSR-2001001bid 24776241Eudora before 5.1 allows a remote attacker to execute arbitrary code, when the 'Use Microsoft Viewer' and 'allow executables in HTML content' options are enabled, via an HTML email message containing Javascript, with ActiveX controls and malicious code within IMG tags.62622490saposcol in SAP R/3 Web Application Server Demo before 1.5 trusts the PATH environmental variable to find and execute the expand program, which allows local users to obtain root access by modifying the PATH to point to a Trojan horse expand program.BUGTRAQ:20010429 SAP R/3 Web Application Server Demo for Linux: root exploitBID:2662ftp://ftp.sap.com/pub/linuxlab/saptools/README.saposcollinux-sap-execute-code(6487)Mirabilis ICQ WebFront Plug-in ICQ2000b Build 3278 allows a remote attacker to create a denial of service via HTTP URL requests containing a large number of % characters.BUGTRAQ:20010428 Mirabilis ICQ WebFront Plug-in Denial of ServiceBID:2664Directory traversal vulnerability in BearShare 2.2.2 and earlier allows a remote attacker to read certain files via a URL containing a series of . characters, a variation of the .. (dot dot) attack.BUGTRAQ:20010430 A Serious Security Vulnerability Found in BearShare (Directory Traversal)BID:2672bearshare-dot-download-files(6481)1810Buffer overflow in lpsched on DGUX version R4.20MU06 and MU02 allows a local attacker to obtain root access via a long command line argument (non-existent printer name).6258fcheck prior to 2.57.59 calls the file signature checking program insecurely, which can allow a local user to run arbitrary commands via a file name that contains shell metacharacters.6256Race condition in the UFS and EXT2FS file systems in FreeBSD 4.2 and earlier, and possibly other operating systems, makes deleted data available to user processes before it is zeroed out, which allows a local user to access otherwise restricted information.FREEBSD:FreeBSD-SA-01:30XF:ufs-ext2fs-data-disclosure5682Akopia Interchange 4.5.3 through 4.6.3 installs demo stores with a default group account :backup with no password, which allows a remote attacker to gain administrative access via the demo stores (1) barry, (2) basic, or (3) construct.BUGTRAQ:20010323 FW: Akopia Interchange E-commerce Package Demo Files VulnerabilityBID:2499XF:akopia-interchange-gain-accesshttp://lists.akopia.com/pipermail/interchange-announce/2001/000009.htmlThe default configuration of the Dr. Watson program in Windows NT and Windows 2000 generates user.dmp crash dump files with world-readable permissions, which could allow a local user to gain access to sensitive information.BID:2501XF:win-userdmp-insecure-permission20010323 NT crash dump files insecure by default5683The HTTP server in Compaq web-enabled management software for (1) Foundation Agents, (2) Survey, (3) Power Manager, (4) Availability Agents, (5) Intelligent Cluster Administrator, and (6) Insight Manager can be used as a generic proxy server, which allows remote attackers to bypass access restrictions via the management port, 2301.COMPAQ:SSRT0715BUGTRAQ:20010322 Compaq Insight Manager Proxy VulnXF:compaq-wbm-bypass-proxyCisco PIX Firewall 515 and 520 with 5.1.4 OS running aaa authentication to a TACACS+ server allows remote attackers to cause a denial of service via a large number of authentication requests.BUGTRAQ:20010406 PIX Firewall 5.1 DoS VulnerabilityCisco PIX denial of service due to multiple TACACS+ requestsCisco PIX TACACS+ Denial of Service Vulnerability20011003 Cisco PIX Firewall Authentication Denial of Service VulnerabilitySonicWALL Tele2 and SOHO firewalls with 6.0.0.0 firmware using IPSEC with IKE pre-shared keys do not allow for the use of full 128 byte IKE pre-shared keys, which is the intended design of the IKE pre-shared key, and only support 48 byte keys. This allows a remote attacker to brute force attack the pre-shared keys with significantly less resources than if the full 128 byte IKE pre-shared keys were used.BUGTRAQ:20010327 SonicWall IKE pre-shared key length bug and security concern XF:sonicwall-ike-shared-keysInfradig Inframail prior to 3.98a allows a remote attacker to create a denial of service via a malformed POST request which includes a space followed by a large string.20010328 Inframail Denial of Service Vulnerabilityinframail-post-dos5685readline prior to 4.1, in OpenBSD 2.8 and earlier, creates history files with insecure permissions, which allows a local attacker to recover potentially sensitive information via readline history files.bsd-readline-permissions(6586)5680Vulnerability in the newgrp program included with HP9000 servers running HP-UX 11.11 allows a local attacker to obtain higher access rights.HP:HPSBUX0103-147VU#249224hp-newgrp-additional-privileges(6282)5681Crosscom/Olicom XLT-F running XL 80 IM Version 5.5 Build Level 2 allows a remote attacker SNMP read and write access via a default, undocumented community string 'ILMI'.BUGTRAQ:200103 ILMI community in olicom/crosscomm routersThe OpenPGP PGP standard allows an attacker to determine the private signature key via a cryptanalytic attack in which the attacker alters the encrypted private key file and captures a single message signed with the signature key.CSSA-2001-017.0RHSA-2001:063267311966openpgp-private-key-disclosure(6558)Computer Associates CCC\Harvest 5.0 for Windows NT/2000 uses weak encryption for passwords, which allows a remote attacker to gain privileges on the application.NTBUGTRAQ:20010327 CA CCC\Harvest exploitbanners.php in PHP-Nuke 4.4 and earlier allows remote attackers to modify banner ad URLs by directly calling the Change operation, which does not require authentication.BUGTRAQ:20010401 Php-nuke exploithttp://phpnuke.org/download.php?dcategory=Fixesphp-nuke-url-redirect(6342)2544ppd in Reliant Sinix allows local users to corrupt arbitrary files via a symlink attack in the /tmp/ppd.trace file.bid260620010414 Re: Reliant Unix 5.43 / 5.44 ICMP port unreachable problemGoAhead webserver 2.1 allows remote attackers to cause a denial of service via an HTTP request to the /aux directory.BUGTRAQ:20010417 Advisory for GoAhead Webserver v2.1bid 26076664goahead-aux-dos(6400)AnalogX SimpleServer:WWW 1.08 allows remote attackers to cause a denial of service via an HTTP request to the /aux directory.ADV-0103bid2608analogx-simpleserver-aux-dos(6395)3781Format string vulnerability in hfaxd in HylaFAX before 4.1.b2_2 allows local users to gain privileges via the -q command line argument.bid2574BUGTRAQ:20010415 **SECURITY ADVISORY** - HylaFAX format string vulnerabilityBUGTRAQ:20010412 HylaFAX vulnerabilitySuSE-SA:2001:15MDKSA-2001:041FreeBSD-SA-01:34hylafax-hfaxd-format-string(6377)5679time server daemon timed allows remote attackers to cause a denial of service via malformed packets.01:282001:0342001:076228SuSE-SA:2001:07IBM Websphere/NetCommerce3 3.1.2 allows remote attackers to determine the real path of the server by directly calling the macro.d2w macro with a NOEXISTINGHTMLBLOCK argument.bid258720010413 [LoWNOISE] IBM Websphere/NetCommerce3 DoS and one more.IBM Websphere/NetCommerce3 3.1.2 allows remote attackers to cause a denial of service by directly calling the macro.d2w macro with a long string of %0a characters.BUGTRAQ:20010413 [LoWNOISE] IBM Websphere/NetCommerce3 DoS and one more.bid2588Xitami 2.5d4 and earlier allows remote attackers to crash the server via an HTTP request to the /aux directory.262220010417 Advisory for Xitami 2.4d7, 2.5d4Navision Financials Server 2.60 and earlier allows remote attackers to cause a denial of service by sending a null character and a long string to the server port (2407), which causes the server to crash.BUGTRAQ:20010403 def-2001-17: Navision Financials Server DoSBID:2539Navision Financials Server 2.0 allows remote attackers to cause a denial of service via a series of connections to the server without providing a username/password combination, which consumes the license limits.BUGTRAQ:20010404 Re: def-2001-17: Navision Financials Server DoSRemote manager service in Website Pro 3.0.37 allows remote attackers to cause a denial of service via a series of malformed HTTP requests to the /dyn directory.def-2001-15website-pro-remote-dos(6295)5669Lightwave ConsoleServer 3200 does not disconnect users after unsuccessful login attempts, which could allow remote attackers to conduct brute force password guessing.BUGTRAQ:20010410 Console 3200 telnetd problem.bid2578The pre-login mode in the System Administrator interface of Lightwave ConsoleServer 3200 allows remote attackers to obtain sensitive information such as system status, configuration, and users.BUGTRAQ:20010410 Console 3200 telnetd problem.bid2578Buffer overflow in Silent Runner Collector (SRC) 1.6.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long SMTP HELO command.BUGTRAQ:20010329 Silent Runner Collector - HELO buffer overflow vulnerabilityThe BAT! mail client allows remote attackers to bypass user warnings of an executable attachment and execute arbitrary commands via an attachment whose file name contains many spaces, which also causes the BAT! to misrepresent the attachment's type with a different icon.BUGTRAQ:20010402 ~..~!guanoBID:2530Caucho Resin 1.3b1 and earlier allows remote attackers to read source code for Javabean files by inserting a .jsp before the WEB-INF specifier in an HTTP request.BID:2533BUGTRAQ:20010403 CHINANSL Security Advisory(CSA-200111)nph-maillist.pl allows remote attackers to execute arbitrary commands via shell metacharacters ("`") in the email address.BUGTRAQ:20010410 CGI - nph-maillist.pl vulnerabilitybid2563Buffer overflow in tip in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable.BUGTRAQ:20010327 Solaris /usr/bin/tip VulnerabilityXF:solaris-tip-boIPFilter 3.4.16 and earlier does not include sufficient session information in its cache, which allows remote attackers to bypass access restrictions by sending fragmented packets to a restricted port after sending unfragmented packets to an unrestricted port.BUGTRAQ:20010408 A fragmentation attack against IP FilterFREEBSD:FreeBSD-SA-01:32ipfilter-access-ports(6331)/opt/JSparm/bin/perfmon program in Solaris allows local users to create arbitrary files as root via the Logging File option in the GUI.BUGTRAQ:20010323 [ Hackerslab bug_paper ] SunOS application perfmon vulnerabilityXF:solaris-perfmon-create-filesDirectory traversal vulnerability in JavaServer Web Dev Kit (JSWDK) 1.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP request to the WEB-INF directory.BUGTRAQ:20010328 CHINANSL Security Advisory(CSA-200106)ip_conntrack_ftp in the IPTables firewall for Linux 2.4 allows remote attackers to bypass access restrictions for an FTP server via a PORT command that lists an arbitrary IP address and port number, which is added to the RELATED table and allowed by the firewall.20010416 Tempest Security Techonologies -- Advisory #01/2001 -- Linux IPTablesRHSA-2001:052bid2602RHSA-2001:084MDKSA-2001:071linux-netfilter-iptables(6390)Samba before 2.2.0 allows local attackers to overwrite arbitrary files via a symlink attack using (1) a printer queue query, (2) the more command in smbclient, or (3) the mput command in smbclient.BUGTRAQ:20010417 Samba 2.0.8 security fixDSA-048-3CSSA-2001-015.0TSLSA-2001-0005PROGENY-SA-2001-05FreeBSD-SA-01:36MDKSA-2001:040VU#6705682617CLA-2001:395Directory traversal vulnerability in MySQL before 3.23.36 allows local users to modify arbitrary files and gain privileges by creating a database whose name starts with .. (dot dot).mysql-dot-directory-traversal(6617)2522vim (aka gvim) processes VIM control codes that are embedded in a file, which could allow attackers to execute arbitrary commands when another user opens a file containing malicious VIM control codes.BID:2510REDHAT:RHSA-2001:008CALDERA:CSSA-2001-014.0MDKSA-2001:035SuSE-SA:2001:1220010329 Immunix OS Security update for vimvim-elevate-privileges(6259)vim (aka gvim) allows local users to modify files being edited by other users via a symlink attack on the backup and swap files, when the victim is editing the file in a world writable directory.SUSE:SuSE-SA:2001:12CALDERA:CSSA-2001-014.0SuSE-SA:2001:12vim-tmp-symlink(6628)Buffer overflow in Trend Micro Virus Buster 2001 8.02 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long "From" header.BUGTRAQ:20010330 Virus Buster 2001(ver8.02) Buffer OverflowReliant Unix 5.44 and earlier allows remote attackers to cause a denial of service via an ICMP port unreachable packet, which causes Reliant to drop all connections to the source address of the packet.BUGTRAQ:20010406 Reliant Unix 5.43 / 5.44 ICMP port unreachable problemCisco Content Services (CSS) switch products 11800 and earlier, aka Arrowpoint, allows local users to gain privileges by entering debug mode.CISCO:20010404 Cisco Content Services Switch User Account Vulnerability2559cisco-css-elevate-privileges(6322)1784BinTec X4000 Access router, and possibly other versions, allows remote attackers to cause a denial of service via a SYN port scan, which causes the router to hang.BUGTRAQ:20010404 BinTec X4000 Access Router DoS VulnerabilityBUGTRAQ:20010406 X4000 DoS: Details and workaroundBUGTRAQ:20010410 BinTec Router DoS: Workaround and Details20010409 BINTEC X1200bintec-x4000-nmap-dos(6323)Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.BID:2540MANDRAKE:MDKSA-2001:036DEBIAN:DSA-04520010404 ntpd =< 4.0.99k remote buffer overflow20010405 Re: ntpd =< 4.0.99k remote buffer overflow]RHSA-2001:045CSSA-2001-013NetBSD-SA2001-004SuSE-SA:2001:10CLA-2001:392FreeBSD-SA-01:31SSE073SSE07420010408 [slackware-security] buffer overflow fix for NTP20010409 PROGENY-SA-2001-02: ntpd remote buffer overflow20010409 ntpd - new Debian 2.2 (potato) version is also vulnerable20010406 Immunix OS Security update for ntp and xntp320010409 ntp-4.99k23.tar.gz is available20010418 IBM MSS Outside Advisory Redistribution: IBM AIX: Buffer Overflow Vulnerability in (x)ntp20010409 [ESA-20010409-01] xntp buffer overflow20010413 PROGENY-SA-2001-02A: [UPDATE] ntpd remote buffer overflow805oval:org.mitre.oval:def:3831ntpd-remote-bo(6321)REDIPlus program, REDI.exe, stores passwords and user names in cleartext in the StartLog.txt log file, which allows local users to gain access to other accounts.24956276sgml-tools (aka sgmltools) before 1.0.9-15 creates temporary files with insecure permissions, which allows other users to read files that are being processed by sgml-tools.DSA-038-1RHSA-2001:027-02IMNK-2001-70-008-01MDKSA-2001:030CLSA-2001:390sgmltools-symlinkSuSE-SA:2001:1626832506Kerberos 4 (aka krb4) allows local users to overwrite arbitrary files via a symlink attack on new ticket files.RHSA-2001:025content.pl script in NCM Content Management System allows remote attackers to read arbitrary contents of the content database by inserting SQL characters into the id parameter.BUGTRAQ:20010413 Exploitable NCM.at - Content Management Systembid2584Buffer overflow in shared library ndwfn4.so for iPlanet Web Server (iWS) 4.1, when used as a web listener for Oracle application server 4.0.8.2, allows remote attackers to execute arbitrary commands via a long HTTP request that is passed to the application server, such as /jsp/.BUGTRAQ:20010410 Oracle Application Server shared library buffer overflowbid2569Directory traversal vulnerability in talkback.cgi program allows remote attackers to read arbitrary files via a .. (dot dot) in the article parameter.BUGTRAQ:20010409 talkback.cgi vulnerability may allow users to read any fileBID:2547FTP server in Solaris 8 and earlier allows local and remote attackers to cause a core dump in the root directory, possibly with world-readable permissions, by providing a valid username with an invalid password followed by a CWD ~ command, which could release sensitive information such as shadowed passwords, or fill the disk partition.bid260120010417 Re: SUN SOLARIS 5.6/5.7 FTP Globbing Exploit !Buffer overflow in Xsun in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable.BUGTRAQ:20010410 Solaris Xsun buffer overflow vulnerabilitybid2561oval:org.mitre.oval:def:555solaris-xsun-home-bo(6343)Buffer overflow in ipcs in Solaris 7 x86 allows local users to execute arbitrary code via a long TZ (timezone) environmental variable, a different vulnerability than CAN-2002-0093.BUGTRAQ:20010412 Solaris ipcs vulnerabilitybid2581Solaris ipcs utility buffer overflowBubbleMon 1.31 does not properly drop group privileges before executing programs, which allows local users to execute arbitrary commands with the kmem group id.BUGTRAQ:20010415 BubbleMon 1.31bid2609AdLibrary.pm in AdCycle 0.78b allows remote attackers to gain privileges to AdCycle via a malformed Agent: header in the HTTP request, which is inserted into a resulting SQL query that is used to verify login information.2393Buffer overflow in dtsession on Solaris, and possibly other operating systems, allows local users to gain privileges via a long LANG environmental variable.BUGTRAQ:20010411 [LSD] Solaris kcsSUNWIOsolf.so and dtsession vulnerabilitiesbid2603Cisco VPN 3000 series concentrators before 2.5.2(F) allow remote attackers to cause a denial of service via a flood of invalid login requests to (1) the SSL service, or (2) the telnet service, which do not properly disconnect the user after several failed login attempts.CISCO:20010328 VPN3000 Concentrator TELNET Vulnerabilitycisco-vpn-telnet-dos(6298)5643Cisco VPN 3000 series concentrators before 2.5.2(F) allow remote attackers to cause a denial of service via an IP packet with an invalid IP option.CSCds92460bid2573cisco-vpn-ip-dos(6360)1786Cisco Catalyst 5000 series switches 6.1(2) and earlier will forward an 802.1x frame on a Spanning Tree Protocol (STP) blocked port, which causes a network storm and a denial of service.CSCdt62732bid2604L-072cisco-catalyst-8021x-dos(6379)Vulnerability in exuberant-ctags before 3.2.4-0.1 insecurely creates temporary files.DSA-046-1exuberant-ctags-symlink(6388)5642Vulnerability in iPlanet Web Server Enterprise Edition 4.x.BUGTRAQ:20010417 iPlanet Web Server 4.x Product AlertBuffer overflows in various CGI programs in the remote administration service for Trend Micro Interscan VirusWall 3.01 allow remote attackers to execute arbitrary commands.BUGTRAQ:20010413 Trend Micro Interscan VirusWall 3.01 vulnerabilitybid2579Buffer overflow in Savant 3.0 web server allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long Host HTTP header.BUGTRAQ:20010405 Savant 3.0 Denial Of ServiceThe LogDataListToFile ActiveX function used in (1) Knowledge Center and (2) Back web components of Compaq Presario computers allows remote attackers to modify arbitrary files and cause a denial of service.SSRT0716compaq-activex-dos(6355)The split key mechanism used by PGP 7.0 allows a key share holder to obtain access to the entire key by setting the "Cache passphrase while logged on" option and capturing the passphrases of other share holders as they authenticate.WSIR-01/02-03dcboard.cgi in DCForum 2000 1.0 allows remote attackers to execute arbitrary commands by uploading a Perl program to the server and using a .. (dot dot) in the AZ parameter to reference the program.QDAV-5-2000-5bid2611dcforum-az-expr(6392)3862upload_file.pl in DCForum 2000 1.0 allows remote attackers to upload arbitrary files without authentication by setting the az parameter to upload_file.QDAV-5-2001-1bid2611dcforum-az-file-upload(6393)Preview version of Timbuktu for Mac OS X allows local users to modify System Preferences without logging in via the About Timbuktu menu.BUGTRAQ:20010418 Hole in Netopia's Mac OS X Timbuktulicq before 1.0.3 allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.CLSA-2001:389MDKSA-2001:032FreeBSD-SA-01:356261RHSA-2001:022RHSA-2001:0235641Buffer overflow in logging functions of licq before 1.0.3 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands.CLSA-2001:389MDKSA-2001:032FreeBSD-SA-01:35RHSA-2001:022RHSA-2001:023licq-logging-bo(6645)5601Buffer overflow in (1) wrapping and (2) unwrapping functions of slrn news reader before 0.9.7.0 allows remote attackers to execute arbitrary commands via a long message header.DSA-040-1MDKSA-2001-028RHSA-2001:028-02FreeBSD-SA-01:372493slrn-wrapping-boCLA-2001:38320010316 Immunix OS Security update for slrnBuffer overflow in Mercury MTA POP3 server for NetWare 1.48 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long APOP command.BUGTRAQ:20010421 Mercury for NetWare POP3 server vulnerable to remote buffer overflowBID:264120010424 Re: Mercury for NetWare POP3 server vulnerable to remote buffer overflowmercury-mta-bo(6444)Buffer overflow in QPC QVT/Net Popd 4.20 in QVT/Net 5.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via (1) a long username, or (2) a long password.BUGTRAQ:20010413 QPC POPd Buffer Overflow Vulnerability2618Cisco CBOS 2.3.0.053 sends output of the "sh nat" (aka "show nat") command to the terminal of the next user who attempts to connect to the router via telnet, which could allow that user to obtain sensitive information.BUGTRAQ:20010420 Bug in Cisco CBOS v2.3.0.053bid2635cisco-cbos-gain-information(6453)1796IBM WCS (WebSphere Commerce Suite) 4.0.1 with Application Server 3.0.2 allows remote attackers to read source code for .jsp files by appending a / to the requested URL.BUGTRAQ:20010328 CHINANSL Security Advisory(CSA-200107)Web configuration server in 602Pro LAN SUITE allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP request containing "%2e" (dot dot) characters.BUGTRAQ:20010326 602Pro Lansuite Denial Of Service 1.0.34BID:2514Web configuration server in 602Pro LAN SUITE allows remote attackers to cause a denial of service via an HTTP GET HTTP request to the aux directory, and possibly other directories with legacy DOS device names.BUGTRAQ:20010326 602Pro Lansuite Denial Of Service 1.0.34Buffer overflow in WinZip 8.0 allows attackers to execute arbitrary commands via a long file name that is processed by the /zipandemail command line option.def-2001-096191Directory traversal vulnerability in Transsoft FTP Broker before 5.5 allows attackers to (1) delete arbitrary files via DELETE, or (2) list arbitrary directories via LIST, via a .. (dot dot) in the file name.61906189INDEXU 2.0 beta and earlier allows remote attackers to bypass authentication and gain privileges by setting the cookie_admin_authenticated cookie value to 1.6202BRS WebWeaver FTP server before 0.64 Beta allows remote attackers to obtain the real pathname of the server via a "CD *" command followed by an ls command.BUGTRAQ:20010428 Vulnerabilities in BRS WebWeaverBID:2676http://members.nbci.com/_XMCM/BSoutham/WebWeaver/WebWeaverHistory.htmlDirectory traversal vulnerability in BRS WebWeaver HTTP server allows remote attackers to read arbitrary files via a .. (dot dot) attack in the (1) syshelp, (2) sysimages, or (3) scripts directories.BUGTRAQ:20010428 Vulnerabilities in BRS WebWeaverBID:2675http://members.nbci.com/_XMCM/BSoutham/WebWeaver/WebWeaverHistory.htmlDirectory traversal vulnerability in SlimServe HTTPd 1.1a allows remote attackers to read arbitrary files via a ... (modified dot dot) in the HTTP request.6186Cisco Aironet 340 Series wireless bridge before 8.55 does not properly disable access to the web interface, which allows remote attackers to modify its configuration.GMT-080062005597postinst installation script for Proftpd in Debian 2.2 does not properly change the "run as uid/gid root" configuration when the user enables anonymous access, which causes the server to run at a higher privilege than intended.DSA-032-16208man2html before 1.5-22 allows remote attackers to cause a denial of service (memory exhaustion).DSA-035-162115631Multiple buffer overflows in ePerl before 2.2.14-0.7 allow local and remote attackers to execute arbitrary commands.DSA-034-01MDKSA-2001:027SuSE-SA:2001:0824646198SuSE-SA:2001:08Buffer overflows in ascdc Afterstep while running setuid allows local users to gain root privileges via a long (1) -d option, (2) -m option, or (3) -f option.620420010308 ascdc Buffer Overflow VulnerabilityWebsweeper 4.0 does not limit the length of certain HTTP headers, which allows remote attackers to cause a denial of service (memory exhaustion) via an extremely large HTTP Referrer: header.dev-2001-016214template.cgi in Free On-Line Dictionary of Computing (FOLDOC) allows remote attackers to read files and execute commands via shell metacharacters in the argument to template.cgi.6217http://wombat.doc.ic.ac.uk/foldoc/index.html5591Directory traversal vulnerability in Perl web server 0.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the URL.BUGTRAQ:20010424 Advisory for perl webserverBID:2648perl-webserver-directory-traversal(6451)Directory traversal vulnerability in cal_make.pl in PerlCal allows remote attackers to read arbitrary files via a .. (dot dot) in the p0 parameter.BUGTRAQ:20010427 PerlCal (CGI) show files vulnerabilityBID:2663perlcal-calmake-directory-traversal(6480)Buffer overflow in websync.exe in Cyberscheduler allows remote attackers to execute arbitrary commands via a long tzs (timezone) parameter.def-2000-18bid2628TurboTax saves passwords in a temporary file when a user imports investment tax information from a financial institution, which could allow local users to obtain sensitive information.BUGTRAQ:20010405http://www.turbotax.com/atr/update/turbotax-save-passwords(6622)Directory traversal vulnerability in ustorekeeper 1.61 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.BUGTRAQ:20010403 new advisoryDirectory traversal vulnerability in RobTex Viking Web server before 1.07-381 allows remote attackers to read arbitrary files via a \... (modified dot dot) in an HTTP URL request.BUGTRAQ:20010423 Vulnerability in Viking Web ServerBID:2643http://www.robtex.com/files/viking/beta/chglog.txtviking-dot-directory-traversal(6450)Buffer overflow in FTPFS allows local users to gain root privileges via a long user name.6234rwho daemon rwhod in FreeBSD 4.2 and earlier, and possibly other operating systems, allows remote attackers to cause a denial of service via malformed packets with a short length.FreeBSD-SA-01:2924736229Buffer overflow in SNMP proxy agent snmpd in Solaris 8 may allow local users to gain root privileges by calling snmpd with a long program name.6239SSH daemon version 1 (aka SSHD-1 or SSH-1) 1.2.30 and earlier does not log repeated login attempts, which could allow remote attackers to compromise accounts without detection via a brute force attack.2345Hursley Software Laboratories Consumer Transaction Framework (HSLCTF) HTTP object allows remote attackers to cause a denial of service (crash) via an extremely long HTTP request.6250Format string vulnerability in Mutt before 1.2.5 allows a remote malicious IMAP server to execute arbitrary commands.MDKSA-2001:031RHSA-2001:029IMNX-2001-70-006-016235CLA-2001:3855615Utah-glx in Mesa before 3.3-14 on Mandrake Linux 7.2 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/glxmemory file.MDKSA-2001:0296231index.php in Jelsoft vBulletin does not properly initialize a PHP variable that is used to store template information, which allows remote attackers to execute arbitrary PHP code via special characters in the templatecache parameter.24746237Multiple buffer overflows in s.cgi program in Aspseek search engine 1.03 and earlier allow remote attackers to execute arbitrary commands via (1) a long HTTP query string, or (2) a long tmpl parameter.24926248Vulnerability in WebCalendar 0.9.26 allows remote command execution.BUGTRAQ:20010423 (SRPRE00004) WebCalendar 0.9.26BID:2639Directory traversal vulnerability in phpMyAdmin 2.2.0 and earlier versions allows remote attackers to execute arbitrary code via a .. (dot dot) in an argument to the sql.php script.BUGTRAQ:20010423 (SRPRE00001) phpMyAdmin 2.1.0 and phpPgAdmin 2.2.1BID:2642Directory traversal vulnerability in phpPgAdmin 2.2.1 and earlier versions allows remote attackers to execute arbitrary code via a .. (dot dot) in an argument to the sql.php script.BUGTRAQ:20010423 (SRPRE00001) phpMyAdmin 2.1.0 and phpPgAdmin 2.2.1BID:2640http://www.greatbridge.org/project/phppgadmin/cvs/checkout.php/phpPgAdmin/ChangeLog?r=1.13Directory traversal vulnerability in Alex's FTP Server 0.7 allows remote attackers to read arbitrary files via a ... (modified dot dot) in the (1) GET or (2) CD commands.BUGTRAQ:20010428 Vulnerabilities in Alex's FTP ServerBID:2668Vulnerability in rpmdrake in Mandrake Linux 8.0 related to insecure temporary file handling.MANDRAKE:MDKSA-2001:043linux-rpmdrake-temp-file(6494)5612Configuration error in Argus PitBull LX allows root users to bypass specified access control restrictions and cause a denial of service or execute arbitrary commands by modifying kernel variables such as MaxFiles, MaxInodes, and ModProbePath in /proc/sys via calls to sysctl.BUGTRAQ:20010330 Serious Pitbull LX Vulnerabilitypitbull-lx-modify-kernel(6623)Configuration error in Axent Raptor Firewall 6.5 allows remote attackers to use the firewall as a proxy to access internal web resources when the http.noproxy Rule is not set.BUGTRAQ:20010324 Raptor 6.5 http vulnerabilityBUGTRAQ:20010327 RE: Raptor 6.5 http vulnerabilityBID:2517Tektronix PhaserLink 850 does not require authentication for access to configuration pages such as _ncl_subjects.shtml and _ncl_items.shtml, which allows remote attackers to modify configuration information and cause a denial of service by accessing the pages.BUGTRAQ:20010425 Tektronix (Xerox) PhaserLink 850 Webserver Vulnerability (NEW)tektronix-phaserlink-webserver-backdoor(6482)Unknown vulnerability in netprint in IRIX 6.2, and possibly other versions, allows local users with lp privileges attacker to execute arbitrary commands via the -n option.BUGTRAQ:20010426 IRIX /usr/lib/print/netprint local root symbols exploit.IRIX netprint -n allows attacker to access shared libraryIRIX &#39;netprint&#39; Arbitrary Shared Library Usage Vulnerability20010427 Re: IRIX /usr/lib/print/netprint local root symbols exploit.20010701-01-P8571Remote attackers can cause a denial of service in Novell BorderManager 3.6 and earlier by sending TCP SYN flood to port 353.VULN-DEV:20010402HI2001012959062BUGTRAQ:20010501 Re: Proof of concept DoS against novell border manager enterprise edition 3.5bid262320010429 Proof of concept DoS against novell border manager enterprisebordermanager-vpn-syn-dos(6429)AIX SNMP server snmpd allows remote attackers to cause a denial of service via a RST during the TCP connection.AIXAPAR:IY17630IY17630aix-snmpd-rst-dos(6996)5611pcltotiff in HP-UX 10.x has unnecessary set group id permissions, which allows local users to cause a denial of service.HP:HPSBUX0104-149BID:2646HPSBUX0104-149hp-pcltotiff-insecure-permissions(6447)2188Format string vulnerability in gftp prior to 2.0.8 allows remote malicious FTP servers to execute arbitrary commands.REDHAT:RHSA-2001:053MANDRAKE:MDKSA-2001-04420010417 gftp exploitable?DSA-0572657gftp-format-string(6478)1805Buffer overflow in WINAMP 2.6x and 2.7x allows attackers to execute arbitrary code via a long string in an AIP file.BUGTRAQ:20010429 Winamp 2.6x / 2.7x buffer overflowDirectory traversal vulnerability in RaidenFTPD Server 2.1 before build 952 allows attackers to access files outside the ftp root via dot dot attacks, such as (1) .... in CWD, (2) .. in NLST, or (3) ... in NLST.BUGTRAQ:20010425 Vulnerabilities in RaidenFTPD Serverraidenftpd-dot-directory-traversal(6455)Netcruiser Web server version 0.1.2.8 and earlier allows remote attackers to determine the physical path of the server via a URL containing (1) con, (2) com2, or (3) com3.BUGTRAQ:20010424 Advisory for NetcruiserBID:2650netcruiser-server-path-disclosure(6468)Small HTTP server 2.03 allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name such as aux.BUGTRAQ:20010424 Advisory for Small HTTP ServerBID:2649http://home.lanck.net/mf/srv/index.htmsmall-http-aux-dos(6446)Buffer overflow in IPSwitch IMail SMTP server 6.06 and possibly prior versions allows remote attackers to execute arbitrary code via a long From: header.BUGTRAQ:20010424 IPSwitch IMail 6.06 SMTP Remote System Access Vulnerabilityhttp://ipswitch.com/Support/IMail/news.htmlipswitch-imail-smtp-bo(6445)5610Directory traversal in DataWizard WebXQ server 1.204 allows remote attackers to view files outside of the web root via a .. (dot dot) attack.BUGTRAQ:20010426 Vulnerability in WebXQ ServerBID:2660webxq-dot-directory-traversal(6466)1799kdesu in kdelibs package creates world readable temporary files containing authentication info, which can allow local users to gain privileges.REDHAT:RHSA-2001:059MANDRAKE:MDKSA-2001:046kdelibs-kdesu-insecure-tmpfile(6856)dnskeygen in BIND 8.2.4 and earlier, and dnssec-keygen in BIND 9.1.2 and earlier, set insecure permissions for a HMAC-MD5 shared secret key file used for DNS Transactional Signatures (TSIG), which allows attackers to obtain the keys and perform dynamic DNS updates.BIND Inadvertent Local Exposure of HMAC-MD5 (TSIG) Keysbind-local-key-exposure(6694)5609Transparent Network Substrate (TNS) over Net8 (SQLNet) in Oracle 8i 8.1.7 and earlier allows remote attackers to cause a denial of service via a malformed SQLNet connection request with a large offset in the header extension.NAI:20010627 Oracle 8i SQLNet Header Vulnerability20010627 Oracle 8i SQLNet Header VulnerabilityBuffer overflow in Transparent Network Substrate (TNS) Listener in Oracle 8i 8.1.7 and earlier allows remote attackers to gain privileges via a long argument to the commands (1) STATUS, (2) PING, (3) SERVICES, (4) TRC_FILE, (5) SAVE_CONFIG, or (6) RELOAD.NAI:20010627 Vulnerability in Oracle 8i TNS Listener20010627 Vulnerability in Oracle 8i TNS ListenerCA-2001-16VU#6204952941oracle-tns-listener-bo(6758)Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red.MS01-033CA-2001-1320010618 All versions of Microsoft Internet Information Services, Remote buffer overflow (SYSTEM Level Access)2880iis-isapi-idq-bo(6705)L-098oval:org.mitre.oval:def:197Microsoft Word 2002 and earlier allows attackers to automatically execute macros without warning the user by embedding the macros in a manner that escapes detection by the security scanner.BUGTRAQ:20010622 Fwd: Microsoft Word macro vulnerability advisory MS01-034MS01-034bid2876msword-macro-bypass-security(6732)Running Windows 2000 LDAP Server over SSL, a function does not properly check the permissions of a user request when the directory principal is a domain user and the data attribute is the domain password, which allows local users to modify the login password of other users.MS01-036L-101win2k-ldap-change-passwords(6745)2929Microsoft NetMeeting 3.01 with Remote Desktop Sharing enabled allows remote attackers to cause a denial of service via a malformed string to the NetMeeting service port, aka a variant of the "NetMeeting Desktop Sharing" vulnerability.MS00-077netmeeting-desktop-sharing-dos(5368)5608Vulnerability in authentication process for SMTP service in Microsoft Windows 2000 allows remote attackers to use incorrect credentials to gain privileges and conduct activites such as mail relaying.MS01-037win2k-smtp-mail-relay(6803)2988L-107VU#435963Multiple memory leaks in Microsoft Services for Unix 2.0 allow remote attackers to cause a denial of service (memory exhaustion) via a large number of malformed requests to (1) the Telnet service, or (2) the NFS service.MS01-039VU#581603VU#9948513089sfu-nfs-dos(6882)sfu-telnet-dos(6883)Buffer overflow in ssinc.dll in IIS 5.0 and 4.0 allows local users to gain system privileges via a Server-Side Includes (SSI) directive for a long filename, which triggers the overflow when the directory name is added, aka the "SSI privilege elevation" vulnerability.MS01-044bid319020010817 NSFOCUS SA2001-06 : Microsoft IIS ssinc.dll Buffer Overflow Vulnerability20011127 IIS Server Side Include Buffer overflow exploit codeL-132iis-ssi-directive-bo(6984)IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability.MS01-04420010816 ENTERCEPT SECURITY ALERT: Privilege Escalation Vulnerability in Microsoft IISiis-relative-path-privilege-elevation(6985)L-1325607oval:org.mitre.oval:def:909oval:org.mitre.oval:def:912Vulnerability in IIS 5.0 allows remote attackers to cause a denial of service (restart) via a long, invalid WebDAV request.MS01-04420010506 IIS 5.0 PROPFIND DOS #2iis-webdav-long-request-dos(6982)269056065633Vulnerabilities in RPC servers in (1) Microsoft Exchange Server 2000 and earlier, (2) Microsoft SQL Server 2000 and earlier, (3) Windows NT 4.0, and (4) Windows 2000 allow remote attackers to cause a denial of service via malformed inputs.MS01-041ms-malformed-rp