ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets. 5707 http://www.openbsd.org/errata23.html#tcpfix Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems. 121 J-006 19981006-01-I Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd). 122 19981101-01-PX 19981101-01-A MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook. MS98-008 Arbitrary command execution via IMAP buffer overflow in authenticate command. 130 00177 Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command. 133 19980801-01-I Information from SSL-encrypted sessions via PKCS #1. MS98-002 Buffer overflow in NIS+, in Sun's rpc.nisd program. 00170 Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases. HPSBUX9808-083 134 00180 19980603-01-PX Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages. HPSBUX9808-083 19980603-01-PX Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer. HPSBUX9808-083 00180 19980603-01-PX Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names. Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user. Unauthorized privileged access or denial of service via dtappgather program in CDE. HPSBUX9801-075 00185 Teardrop IP denial of service. oval:org.mitre.oval:def:5579 Land IP denial of service. HPSBUX9801-076 FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce. Buffer overflow in statd allows root privileges. 127 Delete or create a file via rpc.statd, due to invalid information. 00135 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program. 128 Local user gains root privileges via buffer overflow in rdist, via expstr() function. 00179 Local user gains root privileges via buffer overflow in rdist, via lookup() function. DNS cache poisoning via BIND, by predictable query IDs. root privileges via buffer overflow in df command on SGI IRIX systems. VU#20851 CA-1997-21 df-bo(440) 346 root privileges via buffer overflow in pset command on SGI IRIX systems. root privileges via buffer overflow in eject command on SGI IRIX systems. root privileges via buffer overflow in login/scheme command on SGI IRIX systems. root privileges via buffer overflow in ordist command on SGI IRIX systems. root privileges via buffer overflow in xlock command on SGI IRIX systems. JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability. HPSBUX9707-065 Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option. 707 I-042 19980402-01-PX Command execution in Sun systems via buffer overflow in the at program. Buffer overflow in suidperl (sperl), Perl 4.x and 5.x. Race condition in signal handling routine in ftpd, allowing read/write arbitrary files. IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files. sgi-lockout(557) 990 H-106 19970508-02-PX Arbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail. Buffer overflow in xlock program allows local users to execute commands as root. webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter. CA-1997-12 http-sgi-webdist(333) 374 235 19970501-02-PX Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges. Buffer overflow in NLS (Natural Language Service). Buffer overflow in University of Washington's implementation of IMAP and POP servers. Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others. fsdump command in IRIX allows local users to obtain root access by modifying sensitive files. 19970301-01-P List of arbitrary files on Web host via nph-test-cgi script. Buffer overflow of rlogin program using TERM environmental variable. MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4. 685 Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges. 00147 Csetup under IRIX allows arbitrary file creation or overwriting. Buffer overflow in HP-UX newgrp program. Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX. IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash. freebsd-ip-frag-dos(1389) 908 TCP RST denial of service in FreeBSD. 6094 Sun's ftpd daemon can be subjected to a denial of service. 00171 Buffer overflows in Sun libnsl allow root access. IX80543 00172 Buffer overflow in Sun's ping program can give root access to local users. 00174 Vacation program allows command execution by remote users through a sendmail command. HPSBUX9811-087 Buffer overflow in PHP cgi program, php.cgi allows shell access. 712 IRIX fam service allows an attacker to obtain a list of all files on the server. irix-fam(325) 353 164 Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool. File creation and deletion, and remote execution, in the BSD line printer daemon (lpd). The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage. 7559 Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port. Buffer overflow in AIX lquerylv program gives root access to local users. Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands. 00181 AnyForm CGI remote execution. 719 phf CGI program allows remote command execution through shell metacharacters. CA-1996-06 629 136 CGI PHP mylog script allows an attacker to read any file on the target server. 713 3396 Solaris ufsrestore buffer overflow. 8158 00169 test-cgi program allows an attacker to list files on the server. Apache httpd cookie buffer overflow for versions 1.1.1 and earlier. Buffer overflow in AIX xdat gives root access to local users. Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access. Listening TCP ports are sequentially allocated, allowing spoofing attacks. PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password. 5742 Buffer overflow in wu-ftp from PASV command causes a core dump. Predictable TCP sequence numbers allow spoofing. tcp-seq-predict(139) pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call. Remote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports. Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the "site exec" command. wu-ftp allows files to be overwritten via the rnfr command. CWD ~root command in ftpd allows root access. Improving the Security of Your Site by Breaking Into it getcwd() file descriptor leak in FTP. Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0. nfs-mknod(78) Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname. rwhod(119) rwhod-vuln(118) AIX routed allows remote users to modify sensitive files. Denial of service in AIX telnet can freeze a system and prevent users from accessing the server. 7992 IRIX and AIX automountd services (autofsd) allow remote users to execute root commands. Buffer overflow in AIX libDtSvc library can allow local users to gain root access. Buffer overflow in AIX rcp command allows local users to obtain root access. Buffer overflow in AIX writesrv command allows local users to obtain root access. Various vulnerabilities in the AIX portmir command allows local users to obtain root access. AIX nslookup command allows local users to obtain root access by not dropping privileges correctly. AIX piodmgrsu command allows local users to gain additional group privileges. The debug command in Sendmail is enabled, allowing attackers to execute commands as root. 1 195 Sendmail decode alias can be used to overwrite sensitive files. 00122 The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character). Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities. Buffer overflow in syslog utility allows local or remote attackers to gain root privileges. Remote access in AIX innd 1.5.1, using control messages. Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names. H-13 Buffer overflow in SLmail 3.x allows attackers to execute commands using a large FROM line. Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm. A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2. oval:org.mitre.oval:def:5743 finger allows recursive searches by using a long string of @ symbols. Finger redirection allows finger bombs. Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters. The printers program in IRIX has a buffer overflow that gives root access to local users. Buffer overflow in ffbconfig in Solaris 2.5.1. 00140 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0315. Reason: This candidate's original description had a typo that delayed it from being detected as a duplicate of CVE-1999-0315. Notes: All CVE users should reference CVE-1999-0315 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. RIP v1 is susceptible to spoofing. Buffer overflow in AIX dtterm program for the CDE. dtterm-bo(878) Some implementations of rlogin allow root access if given a -froot parameter. 458 Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack. AIX bugfiler program allows local users to gain root access. 1800 Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood. 00136 19961202-01-PX AIX passwd allows local users to gain root access. AIX infod allows local users to gain root access through an X display. 19981119 RSI.0011.11-09-98.AIX.INFOD Windows NT 4.0 beta allows users to read and delete shares. Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root. 00126 Buffer overflow in dtaction command gives root access. Buffer overflow in AIX lchangelv gives root access. Race condition in Linux mailx command allows local users to read user files. Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon. Buffer overflow in SGI IRIX mailx program. 19980605-01-PX SGI IRIX buffer overflow in xterm and Xaw allows root access. J-010 swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access. Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death. Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file. Local users can start Sendmail in daemon mode and gain root privileges. 716 Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users. 717 Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access. CA-1996-19 expreserve(401) 11723 fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access. vold in Solaris 2.x allows local users to gain root access. 8159 admintool in Solaris allows a local user to write to arbitrary files and gain root access. Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access. The dip program on many Linux systems allows local users to gain root access via a buffer overflow. The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access. Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access. 8205 Denial of service in RAS/PPTP on NT systems. Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet. 00134 The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts. Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys. Denial of service in Qmail by specifying a large number of recipients with the RCPT command. qmail-rcpt 2237 http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html http://cr.yp.to/qmail/venema.html 19970612 Re: Denial of service (qmail-smtpd) 19970612 qmail-dos-2.c, another denial of service attack Sendmail WIZ command enabled, allowing root access. CA-1993-14 CA-1990-11 19950206 sendmail wizard thing... Improving the Security of Your Site by Breaking Into it The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file. http-cgi-campas(298) 1975 The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands. The handler CGI program in IRIX allows arbitrary command execution. 380 19970501-02-PX The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack. http-sgi-wrap(290) 373 247 19970501-02-PX The Perl fingerd program allows arbitrary command execution from remote users. The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access. The DG/UX finger daemon allows remote command execution through shell metacharacters. Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke. 1666 IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL. The ghostscript command with the -dSAFER option allows remote attackers to execute commands. wu-ftpd FTP daemon allows any user and password combination. Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service. 1097 Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known. 20010913 Cisco PIX Firewall Manager File Exposure 685 Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases. Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections. 1099 In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering. 797 The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering. In older versions of Sendmail, an attacker could use a pipe character to execute root commands. A race condition in the Solaris ps command allows an attacker to overwrite critical files. 8346 NFS cache poisoning. NFS allows users to use a "cd .." command to access other directories besides the exported file system. In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system. The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions. NFS allows attackers to read and write any file on the system by specifying a false UID. Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list. Denial of service in syslog by sending it a large number of superfluous messages. FormMail CGI program allows remote execution of commands. FormMail CGI program can be used by web servers other than the host server that the program resides on. The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack. The convert.bas program in the Novell web server allows a remote attackers to read any file on the system that is internally accessible by the web server. The Webgais program allows a remote user to execute arbitrary commands. The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs. Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string. http-website-winsample(295) 2078 8 19970106 Re: signal handling Windows NT crashes or locks up when a Samba client executes a "cd .." command on a file share. Q140818 in.rshd allows users to login with a NULL username and execute commands. The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands. Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password. H-110 Linux implementations of TFTP would allow access to files outside the restricted directory. When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records. In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution. 00156 In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters. http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0022. Reason: This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users should reference CVE-1999-0022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The passwd command in Solaris can be subjected to a denial of service. 00182 Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111. 00142 Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access. 00167 IIS newdsn.exe CGI script allows remote users to overwrite files. 275 Buffer overflow in telnet daemon tgetent routing allows remote attackers to gain root access via the TERMCAP environmental variable. Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option. Denial of service in in.comsat allows attackers to generate messages. Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1. websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable). 2077 237 finger 0@host on some systems may print information on some user accounts. finger .@host on some systems may print information on some user accounts. Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password. A quote cwd command on FTP servers can reveal the full path of the home directory of the "ftp" user. The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands. In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program. Sendmail 8.6.9 allows remote attackers to execute root commands, using ident. Denial of service in Sendmail 8.6.11 and 8.6.12. MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access. Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command. rpc.ypupdated (NIS) allows remote users to execute arbitrary commands. The SunView (SunTools) selection_svc facility allows remote users to read files. 8 Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters. CA-99-05 HPSBUX9910-104 235 19990103 SUN almost has a clue! (automountd) 19971126 Solaris 2.5.1 automountd exploit (fwd) Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone. 24 Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server. I-048 libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind. Denial of service by sending forged ICMP unreachable packets. Routed allows attackers to append data to files. J-012 19981004-01-PX Denial of service of inetd on Linux through SYN and RST packets. Malicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems. Livingston portmaster machines could be rebooted via a series of commands. Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command. ftp-servu(205) 269 19990504 Re: Buffer overflows in FTP Serv-U 2.5 19990503 Buffer overflows in FTP Serv-U 2.5 Attackers can do a denial of service of IRC by crashing the server. Denial of service of Ascend routers through port 150 (remote administration). Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL. Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry. 1878 http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches Denial of service in Windows NT messenger service through a long username. Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size. 19980214 Windows NT Logon Denial of Service Q180963 Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service. Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service. Q154087 Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT. Q162567 Denial of service in Windows NT IIS server using ..\.. Buffer overflow in Cisco 7xx routers through the telnet service. 1102 Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access. Buffer overflow in NCSA WebServer (version 1.5c) gives remote access. IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files. Q155056 Q148188 Bash treats any character with a value of 255 as a command separator. Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access. ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs. Remote execution of arbitrary commands through Guestbook CGI program. php.cgi allows attackers to read any file on the system. Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET. 122 Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy. Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm. Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords. Linux cfingerd could be exploited to gain root access. Livingston RADIUS code has a buffer overflow which can allow remote execution of commands as root. Some configurations of NIS+ in Linux allowed attackers to log in as the user "+". HP Remote Watch allows a remote user to gain root access. Buffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands. 1443 19970721 INN news server vulnerabilities A race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials. http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1 http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html Windows NT RSHSVC program allows remote users to execute arbitrary commands. Denial of service in Qmail through long SMTP commands. http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html http://cr.yp.to/qmail/venema.html 19970612 qmail-dos-2.c, another denial of service attack Denial of service in talk program allows remote attackers to disrupt a user's display. Buffer overflow in listserv allows arbitrary command execution. IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL. A hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information. Buffer overflow in ircd allows arbitrary command execution. Buffer overflow in War FTP allows remote execution of commands. 875 Nestea variation of teardrop IP fragmentation denial of service. Bonk variation of teardrop IP fragmentation denial of service. cfingerd lists all users on a system via search.**@target. The jj CGI program allows command execution via shell metacharacters. Netmanager Chameleon SMTPd has several buffer overflows that cause a crash. http://www.insecure.org/sploits/netmanage.chameleon.overflows.html Hylafax faxsurvey CGI script on Linux allows remote attackers to execute arbitrary commands via shell metacharacters in the query string. http-cgi-faxsurvey(1532) 2056 Solaris SUNWadmap can be exploited to obtain root access. 00173 htmlscript CGI program allows remote read access to files. ICMP redirect messages may crash or lock up a host. Q154174 The info2www CGI script allows remote file access or remote command execution. 1995 Buffer overflow in NCSA HTTP daemon v1.3 allows remote command execution. MetaInfo MetaWeb web server allows users to upload, execute, and read scripts. 3969 110 Netscape Enterprise servers may list files through the PageServices query. Directory traversal vulnerability in pfdispaly.cgi program (sometimes referred to as "pfdisplay") for SGI's Performer API Search Tool (performer_tools) allows remote attackers to read arbitrary files. sgi-pfdispaly(810) 64 134 I-041 19980401-01-P Progressive Networks Real Video server (pnserver) can be crashed remotely. Denial of service in Slmail v2.5 through the POP3 port. Denial of service through Solaris 2.5.1 telnet by sending ^D characters. Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made. Denial of service in Windows NT DNS servers by flooding port 53 with too many characters. mSQL v2.0.1 and below allows remote execution through a buffer overflow. The WorkMan program can be used to overwrite any file to get root access. In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL. MS98-003 oval:org.mitre.oval:def:913 Excite for Web Servers (EWS) allows remote command execution via shell metacharacters. Remote command execution in Microsoft Internet Explorer using .lnk and .url files. Denial of service in IIS using long URLs. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584, CVE-1999-1586. Reason: This candidate combined references from one issue with the description from another issue. Notes: Users should consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate name. All references and descriptions in this candidate have been removed to prevent accidental usage. The Java Web Server would allow remote users to obtain the source code for CGI programs. 19970716 Viewable .jhtml source with JavaWebServer Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command. Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection. In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages. Vulnerability in the Wguest CGI program. The WINS server in Microsoft Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service (process termination) via invalid UDP frames to port 137 (NETBIOS Name Service), as demonstrated via a flood of random packets. nt-winsupd-fix(1233) http://safenetworks.com/Windows/wins.html The Apache web server for Win32 may provide access to restricted files when a . (dot) is appended to a requested URL. The WinGate telnet proxy allows remote attackers to cause a denial of service via a large number of connections to localhost. The WinGate proxy is installed without a password, which allows remote attackers to redirect connections without authentication. Denial of service through Winpopup using large user names. AAA authentication on Cisco systems allows attackers to execute commands without authorization. All records in a WINS database can be deleted through SNMP for a denial of service. Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges. 00157 Solaris volrmmount program allows attackers to read any file. 00162 Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable. ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack. 19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme Buffer overflow in FreeBSD lpd through long DNS hostnames. 6093 nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ servers. 00155 Buffer overflow in SunOS/Solaris ps command. 00149 SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server. 00176 Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames. mmap function in BSD allows local attackers in the kmem group to modify memory through devices. The system configuration control (sysctl) facility in BSD based operating systems OpenBSD 2.2 and earlier, and FreeBSD 2.2.5 and earlier, does not properly restrict source routed packets even when the (1) dosourceroute or (2) forwarding variables are set, which allows remote attackers to spoof TCP connections. bsd-sourceroute(736) 11502 http://www.openbsd.org/advisories/sourceroute.txt buffer overflow in HP xlock program. Buffer overflow in HP-UX cstm program allows local users to gain root privileges. HP-UX gwind program allows users to modify arbitrary files. HPSBUX9410-018 HP-UX vgdisplay program gives root access to local users. HPSBUX9702-056 SSH 1.2.25 on HP-UX allows access to new user accounts. fpkg2swpk in HP-UX allows local users to gain root access. HPSBUX9612-042 HP ypbind allows attackers with root privileges to modify NIS data. disk_bandwidth on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames. sgi-disk-bandwidth(1441) 214 http://www.securityfocus.com/bid/213/exploit 936 19980701-01-P ioconfig on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames. sgi-ioconfig(1199) http://www.securityfocus.com/bid/213/exploit 213 6788 19980701-01-P Buffer overflow in Solaris fdformat command gives root access to local users. 00138 Buffer overflow in Linux splitvt command gives root access to local users. Buffer overflow in Linux su command gives root access to local users. Buffer overflow in xmcd 2.0p12 allows local users to gain access through an environmental variable. Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting. SunOS rpc.cmsd allows attackers to obtain root access by overwriting arbitrary files. Buffer overflow in Solaris kcms_configure command allows local users to gain root access. The open() function in FreeBSD allows local attackers to write to arbitrary files. 6092 FreeBSD mmap function allows users to modify append-only or immutable files. 1998-003 ppl program in HP-UX allows local users to create root files through symlinks. HPSBUX9702-053 vhe_u_mnt program in HP-UX allows local users to create root files through symlinks. HPSBUX9406-013 Vulnerability in HP-UX mediainit program. HPSBUX9710-071 SGI syserr program allows local users to corrupt files. 19971103-01-PX SGI permissions program allows local users to gain root privileges. 19971103-01-PX SGI mediad program allows local users to gain root access. 19980602-01-PX Linux bdash game has a buffer overflow that allows local users to gain root access. Buffer overflow in Internet Explorer 4.0(1). Buffer overflow in NetMeeting allows denial of service and remote command execution. Q184346 HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack. In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access. DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-1999-0032. Buffer overflow in mstm in HP-UX allows local users to gain root access. AIX batch queue (bsh) allows local and remote users to gain additional privileges when network printing is enabled. AIX Licensed Program Product performance tools allow local users to gain root access. Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access. Buffer overflow in Linux Slackware crond program allows local users to gain root access. Buffer overflow in the Linux mail program "deliver" allows local users to gain root access. Linux PAM modules allow local users to gain root access using temporary files. A malicious Palace server can force a client to execute arbitrary programs. NT users can gain debug-level access on a system process using the Sechole exploit. Q190288 MS98-009 Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems. CGI PHP mlog script allows an attacker to read any file on the target server. 713 3397 Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a "%01" character in an "about:" Javascript URL, which causes Internet Explorer to use the domain specified after the character. 19990126 Javascript ecurity bug in Internet Explorer 19990126 Javascript ecurity bug in Internet Explorer IIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory. Q197003 930 A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary commands. IIS Remote FTP Exploit/DoS Attack Q188348 MS99-003 Race condition in the db_loader program in ClearCase gives local users root access by setting SUID bits. FTP PASV "Pizza Thief" denial of service and unauthorized data access. Attackers can steal data by connecting to a port that was intended for use by a client. pasv-pizza-thief-dos(3389) http://attrition.org/security/advisory/misc/infowar/iw_sec_01.txt ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption. rpc.pcnfsd in HP gives remote root access by changing the permissions on the main printer spool directory. HPSBUX9902-091 J-026 Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. Also applies to Outlook when the client views a malicious email message. MS99-002 Local or remote users can force ControlIT 4.5 to reboot or force a user to log out, resulting in a denial of service. ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book. Windows 98 and other operating systems allows remote attackers to cause a denial of service via crafted "oshare" packets, possibly involving invalid fragmentation offsets. Digital Unix 4.0 has a buffer overflow in the inc program of the mh package. 19990125 Digital Unix 4.0 exploitable buffer overflows J-027 ptylogin in Unix systems allows users to perform a denial of service by locking out modems, dial out with that modem, or obtain passwords. MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely. 19990130 Security Advisory for Internet Information Server 4 with Site NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging. WS_FTP server remote denial of service through cwd command. 217 AD02021999 SuSE 5.2 PLP lpc program has a buffer overflow that leads to root compromise. 328 Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data. 19990204 Microsoft Access 97 Stores Database Password as Plaintext The metamail package allows remote command execution using shell metacharacters that are not quoted in a mailcap entry. In some cases, Service Pack 4 for Windows NT 4.0 can allow access to network shares using a blank password, through a problem with a null NT hash value. Q214840 MS99-004 NetBSD netstat command allows local users to access kernel memory. 7571 Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote root access, a.k.a. palmetto. The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access. 00183 In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files. 165 Lynx allows a local user to overwrite sensitive files through /tmp symlinks. The installer for BackOffice Server includes account names and passwords in a setup file (reboot.ini) which is not deleted. Q217004 MS99-005 Buffer overflow in the "Super" utility in Debian GNU/Linux, and other operating systems, allows local users to execute commands as root. Debian GNU/Linux cfengine package is susceptible to a symlink attack. Buffer overflow in webd in Network Flight Recorder (NFR) 2.0.2-Research allows remote attackers to execute commands. Local users in Windows NT can obtain administrator privileges by changing the KnownDLLs list to reference malicious programs. MS99-006 Process table attack in Unix systems allows a remote attacker to perform a denial of service by filling a machine's process tables through multiple connections to network services. InterScan VirusWall for Solaris doesn't scan files for viruses when a single HTTP request includes two GET commands. 6167 Microsoft Taskpads allows remote web sites to execute commands on the visiting user's machine via certain methods that are marked as Safe for Scripting. 498 1019 MS99-007 SLMail 3.1 and 3.2 allows local users to access any file in the NTFS file system when the Remote Administration Service (RAS) is enabled by setting a user's Finger File to point to the target file, then running finger on the user. slmail-ras-ntfs-bypass(5392) 497 SLmail 3.2 Build 3113 (Web Administration Security Fix) 199902225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service 19990225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access. 342 19990225 SUPER buffer overflow The screen saver in Windows NT does not verify that its security context has been changed properly, allowing attackers to run programs with elevated privileges. MS99-008 ACC Tigris allows public access without a login. 183 267 The Forms 2.0 ActiveX control (included with Visual Basic for Applications 5.0) can be used to read text from a user's clipboard when the user accesses documents with ActiveX content. MS99-001 The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of service or execute commands. MS99-009 Microsoft Personal Web Server and FrontPage Personal Web Server in some Windows systems allows a remote attacker to read files on the server by using a nonstandard URL. 111 MS99-010 A legacy credential caching mechanism used in Windows 95 and Windows 98 systems allows attackers to read plaintext network passwords. 829 MS99-052 Q168115 DataLynx suGuard trusts the PATH environment variable to execute the ps command, allowing local users to execute commands as root. 3186 Buffer overflow in the bootp server in the Debian Linux netstd package. 324 Buffer overflow in Dosemu Slang library in Linux. 187 CSSA-1999-006.1 The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused, allowing an attacker to replay the response and impersonate a user. Buffer overflow in Thomas Boutell's cgic library version up to 1.05. Remote attackers can cause a denial of service in Sendmail 8.8.x and 8.9.2 by sending messages with a large number of headers. 19990121 Sendmail 8.8.x/8.9.x bugware DPEC Online Courseware allows an attacker to change another user's password without knowing the original password. A race condition in the BackWeb Polite Agent Protocol allows an attacker to spoof a BackWeb server. 19990118 Vulnerability in the BackWeb Polite Agent Protocol A race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service. The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext. In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login. The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands. Denial of service in Linux 2.2.0 running the ldd command on a core file. 344 A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files. wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself. A bug in Cyrix CPUs on Linux allows local users to perform a denial of service. 19990204 Cyrix bug: freeze in hell, badboy Buffer overflow in the Mail-Max SMTP server for Windows systems allows remote command execution. A buffer overflow in lsof allows local users to obtain root privilege. 3163 Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege. By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system. 19990209 Re: IIS4 allows proxied password attacks over NetBIOS 19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS Files created from interactive shell sessions in Cobalt RaQ microservers (e.g. .bash_history) are world readable, and thus are accessible from the web server. 337 Buffer overflow in gnuplot in Linux version 3.5 allows local users to obtain root access. 319 The cancel command in Solaris 2.6 (i386) has a buffer overflow that allows local users to obtain root access. 293 Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access. In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension. 501 A buffer overflow in the SGI X server allows local users to gain root access through the X server font path. 19990301-01-PX In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection. The HTTP server in Cisco 7xx series routers 3.2 through 4.2 is enabled by default, which allows remote attackers to change the router's configuration. 19990311 Cisco 7xx TCP and HTTP Vulnerabilities J-034 Vulnerability in Cisco 7xx series routers allows a remote attacker to cause a system reload via a TCP connection to the router's TELNET port. 19990311 Cisco 7xx TCP and HTTP Vulnerabilities J-034 64 bit Solaris 7 procfs allows local users to perform a denial of service. 448 1001 Denial of service in SMTP applications such as Sendmail, when a remote attacker (e.g. spammer) uses many "RCPT TO" commands in the same connection. 19990308 SMTP server account probing When the Microsoft SMTP service attempts to send a message to a server and receives a 4xx error code, it quickly and repeatedly attempts to redeliver the message, causing a denial of service. umapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program. During a reboot after an installation of Linux Slackware 3.6, a remote attacker can obtain root access by logging in to the root account without a password. 338 981 In some cases, NetBSD 1.3.3 mount allows local users to execute programs in some file systems that have the "noexec" flag set. Vulnerability in hpterm on HP-UX 10.20 allows local users to gain additional privileges. HPSBUX9903-093 talkback in Netscape 4.5 allows a local user to overwrite arbitrary files of another user whose Netscape crashes. talkback in Netscape 4.5 allows a local user to kill an arbitrary process of another user whose Netscape crashes. The default permissions of /dev/kmem in Linux versions before 2.0.36 allows IP spoofing. Eudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names. OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. 3936 The Lotus Notes 4.5 client may send a copy of encrypted mail in the clear across the network if the user does not set the "Encrypt Saved Mail" preference. 19990326 Re: Lotus Notes security advisory 19990326 Lotus Notes Encryption Bug 19990324 Re: LNotes encryption 19990323 Cisco Catalyst LAN switches running Catalyst 5000 supervisor software allows remote attackers to perform a denial of service by forcing the supervisor module to reload. 1103 Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service. This problem was fixed in Linux kernel 2.2.4 and later releases. ftp on HP-UX 11.00 allows local users to gain privileges. HPSBUX9903-094 XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service. XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service. 359 MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain privileges through SAM. Domain Enterprise Server Management System (DESMS) in HP-UX allows local users to gain privileges. HPSBUX9903-095 Remote attackers can perform a denial of service in WebRamp systems by sending a malicious string to the HTTP port. Remote attackers can perform a denial of service in WebRamp systems by sending a malicious UDP packet to port 5353, changing its IP address. Buffer overflow in procmail before version 3.12 allows remote or local attackers to execute commands via expansions in the procmailrc configuration file. The byte code verifier component of the Java Virtual Machine (JVM) allows remote execution through malicious web pages. http://java.sun.com/pr/1999/03/pr990329-01.html 1939 19990405 Security Hole in Java 2 (and JDK 1.1.x) Remote attackers can perform a denial of service in WinGate machines using a buffer overflow in the Winsock Redirector Service. 509 AD02221999 Solaris ff.core allows local users to modify files. 327 Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password. 19990409 Patrol security bugs Remote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files. In Cisco routers under some versions of IOS 12.0 running NAT, some packets may not be filtered by input access list filters. 1104 Local users can perform a denial of service in NetBSD 1.3.3 and earlier versions by creating an unusual symbolic link with the ln command, triggering a bug in VFS. 7051 Local users can gain privileges using the debug utility in the MPE/iX operating system. HPSBMP9904-006 IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request. The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (2) query.asp, or (3) search.asp scripts. 193 4 3 2 In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe). 194 Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port. 343 A service or application has a backdoor password that was placed there by the developer. An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP). Please see the following link for more information: http://seclists.org/bugtraq/1999/Jan/0215.html A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso. The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly. 115 Linux ftpwatch program allows local users to gain root privileges. 317 L0phtcrack 2.5 used temporary files in the system TEMP directory which could contain password information. 915 Local users can perform a denial of service in Alpha Linux, using MILO to force a reboot. Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service. 312 Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source address. suidperl in Linux Perl does not check the nosuid mount option on file systems, allowing local users to gain root access by placing a setuid script in a mountable file system, e.g. a CD-ROM or floppy disk. 339 Remote attackers can perform a denial of service using IRIX fcagent. 19981201-01-PX Local users can perform a denial of service in Tripwire 1.2 and earlier using long filenames. http://marc.theaimsgroup.com/?l=bugtraq&m=91592136122066&w=2 6609 19990104 Tripwire mess.. Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter. The SVR4 /dev/wabi special device file in NetBSD 1.3.3 and earlier allows a local user to read or write arbitrary files on the disk associated with that device. 905 The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter. Internet Explorer 5.0 allows a remote server to read arbitrary files on the client's file system using the Microsoft Scriptlet Component. MS99-012 Internet Explorer 5.0 allows window spoofing, allowing a remote attacker to spoof a legitimate web site and capture information from the client. A weak encryption algorithm is used for passwords in Novell Remote.NLM, allowing them to be easily decrypted. 482 The remote proxy server in Winroute allows a remote attacker to reconfigure the proxy without authentication through the "cancel" button. The SNMP default community name "public" is not properly removed in NetApps C630 Netcache, even if the administrator tries to disable it. The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred. 145 The ICQ Webserver allows remote attackers to use .. to access arbitrary files outside of the user's personal directory. A race condition in how procmail handles .procmailrc files allows a local user to read arbitrary files available to the user who is running procmail. A weak encryption algorithm is used for passwords in SCO TermVision, allowing them to be easily decrypted by a local user. The Expression Evaluator in the ColdFusion Application Server allows a remote attacker to upload files to the server via openfile.cfm, which does not restrict access to the server properly. 115 Denial of service in HP-UX sendmail 8.8.6 related to accepting connections. HPSBUX9904-097 Denial of service Netscape Enterprise Server with VirtualVault on HP-UX VVOS systems. HPSBUX9903-092 Local attackers can conduct a denial of service in Midnight Commander 4.x with a symlink attack. Denial of service in "poll" in OpenBSD. 7556 OpenBSD kernel crash through TSS handling, as caused by the crashme program. 7557 OpenBSD crash using nlink value in FFS and EXT2FS filesystems. 6129 Buffer overflow in OpenBSD ping. 6130 Remote attackers can cause a system crash through ipintr() in ipq in OpenBSD. 7558 Denial of service in AOL Instant Messenger when a remote attacker sends a malicious hyperlink to the receiving client, potentially causing a system crash. The DHTML Edit ActiveX control in Internet Explorer allows remote attackers to read arbitrary files. MS99-011 Internet Explorer 4.0 and 5.0 allows a remote attacker to execute security scripts in a different security context using malicious URLs, a variant of the "cross frame" vulnerability. MS99-012 MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste a file name into the file upload intrinsic control, a variant of "untrusted scripted paste" as described in MS:MS98-013. MS99-015 MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn information about a local user's files via an IMG SRC tag. MS99-012 The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute. 119 The ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses. rpc.statd allows remote attackers to forward RPC calls to the local operating system via the SM_MON and SM_NOTIFY commands, which in turn could be used to remotely exploit other bugs such as in automountd. CA-99-05 450 J-045 00186 19990103 SUN almost has a clue! (automountd) Denial of service in WinGate proxy through a buffer overflow in POP3. A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares. A Windows NT 4.0 user can gain administrative rights by forcing NtOpenProcessToken to succeed regardless of the user's permissions, aka GetAdmin. Q146965 Anonymous FTP is enabled. This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. Anonymous FTP is an unsecured protocol for Internet facing systems and should only be used on a limited basis to provide a specific functional requirement, otherwise disabled. The software should be patched and configured properly. TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files. NETBIOS share information may be published through SNMP registry keys in NT. A Unix account has a guessable password. A Unix account has a default, null, blank, or missing password. A Windows NT local user or administrator account has a guessable password. A Windows NT local user or administrator account has a default, null, blank, or missing password. A Windows NT domain user or administrator account has a guessable password. A Windows NT domain user or administrator account has a default, null, blank, or missing password. An account on a router, firewall, or other network device has a guessable password. An account on a router, firewall, or other network device has a default, null, blank, or missing password. Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands. A router or firewall allows source routed packets from arbitrary hosts. IP forwarding is enabled on a machine which is not a router or firewall. A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers. ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service. UDP messages to broadcast addresses are allowed, allowing for a Fraggle attack that can cause a denial of service by flooding the target. An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv. An SNMP community name is guessable. An SNMP community name is the default (e.g. public), null, or missing. A NETBIOS/SMB share password is guessable. A NETBIOS/SMB share password is the default, null, or missing. A system-critical NETBIOS/SMB share has inappropriate access control. An NIS domain name is easily guessable. The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate. ICMP echo (ping) is allowed from arbitrary hosts. ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts. icmp-timestamp(322) icmp-netmask(306) 95 http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1434 http://descriptions.securescout.com/tc/11011 http://descriptions.securescout.com/tc/11010 IP traceroute is allowed from arbitrary hosts. An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server. VU#704969 The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as "ls" can be overwritten. A router or firewall forwards external packets that claim to come from inside the network that the router/firewall is in front of. A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc. A system is operating in "promiscuous" mode which allows it to perform packet sniffing. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. This functionality should be disabled, because these commands can be used for attack reconnaissance. A DNS server allows zone transfers. A DNS server allows inverse queries. A Windows NT user has inappropriate rights or privileges, e.g. Act as System, Add Workstation, Backup, Change System Time, Create Pagefile, Create Permanent Object, Create Token Name, Debug, Generate Security Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory, Profile Single Process, Remote Shutdown, Replace Process Token, Restore, System Environment, Take Ownership, or Unsolicited Input. A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. for password length, password age, or uniqueness. A configuration in a web browser such as Internet Explorer or Netscape Navigator allows execution of active content such as ActiveX, Java, Javascript, etc. A trust relationship exists between two Unix hosts. A password for accessing a WWW URL is guessable. The Windows NT guest account is enabled. An SSH server allows authentication through the .rhosts file. A superfluous NFS server is running, but it is not importing or exporting any file systems. Windows NT automatically logs in an administrator upon rebooting. A router's routing tables can be obtained from arbitrary hosts. HP OpenMail can be misconfigured to allow users to run arbitrary commands using malicious print requests. HPSBUX9804-078 NFS exports system-critical data to the world, e.g. / or a password file. A Unix account with a name other than "root" has UID 0, i.e. root privileges. Two or more Unix accounts have the same UID. A system-critical Unix file or directory has inappropriate permissions. A system-critical Windows NT file or directory has inappropriate permissions. IIS has the #exec function enabled for Server Side Include (SSI) files. The registry in Windows NT can be accessed remotely by users who are not administrators. oval:org.mitre.oval:def:1023 An attacker can force a printer to print arbitrary documents (e.g. if the printer doesn't require a password) or to become disabled. A Sendmail alias allows input to be piped to a program. An attacker can write to syslog files from any location, causing a denial of service by filling up the logs, and hiding activities. rpc.admind in Solaris is not running in a secure mode. A URL for a WWW directory allows auto-indexing, which provides a list of all files in that directory if it does not contain an index.html file. Windows NT is not using a password filter utility, e.g. PASSFILT.DLL. A router's configuration service or management interface (such as a web server or telnet) is configured to allow connections from arbitrary hosts. .reg files are associated with the Windows NT registry editor (regedit), making the registry susceptible to Trojan Horse attacks. A Windows NT system's user audit policy does not log an event success or failure, e.g. for Logon and Logoff, File and Object Access, Use of User Rights, User and Group Management, Security Policy Changes, Restart, Shutdown, and System, and Process Tracking. A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories. A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories. A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys. A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys. The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate, system-critical permissions. The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate, system-critical permissions. A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g. lockout duration, lockout after bad logon attempts, etc. There is a one-way or two-way trust relationship between Windows NT domains. A Windows NT file system is not NTFS. A Windows NT administrator account has the default name of Administrator. A network service is running on a nonstandard port. A WWW server is not running in a restricted file system, e.g. through a chroot, thus allowing access to system-critical data. A filter in a router or firewall allows unusual fragmented packets. A system-critical Windows NT registry key has inappropriate permissions. A system does not present an appropriate legal message or warning to a user who is accessing it. An event log in Windows NT has inappropriate access permissions. The Logon box of a Windows NT system displays the name of the last user who logged in. The default setting for the Winlogon key entry ShutdownWithoutLogon in Windows NT allows users with physical access to shut down a Windows NT system without logging in. nt-shutdown-without-logon(1291) http://www.microsoft.com/technet/archive/winntas/deploy/confeat/06wntpcc.mspx?mfr=true http://technet.microsoft.com/en-us/library/cc722469.aspx 59333 A Windows NT system does not restrict access to removable media drives such as a floppy disk drive or CDROM drive. A Windows NT system does not clear the system page file during shutdown, which might allow sensitive information to be recorded. A Windows NT log file has an inappropriate maximum size or retention period. A Windows NT account policy does not forcibly disconnect remote users from the server when their logon hours expire. A network intrusion detection system (IDS) does not properly handle packets that are sent out of order, allowing an attacker to escape detection. A network intrusion detection system (IDS) does not properly handle packets with improper sequence numbers. A network intrusion detection system (IDS) does not verify the checksum on a packet. A network intrusion detection system (IDS) does not properly handle data within TCP handshake packets. A network intrusion detection system (IDS) does not properly reassemble fragmented packets. In Windows NT, an inappropriate user is a member of a group, e.g. Administrator, Backup Operators, Domain Admins, Domain Guests, Power Users, Print Operators, Replicators, System Operators, etc. An incorrect configuration of the WebStore 1.0 shopping cart CGI program "web_store.cgi" could disclose private information. 19990420 Shopping Carts exposing CC data An incorrect configuration of the Order Form 1.0 shopping cart CGI program could disclose private information. 19990420 Shopping Carts exposing CC data An incorrect configuration of the EZMall 2000 shopping cart CGI program "mall2000.cgi" could disclose private information. 19990420 Shopping Carts exposing CC data quikstore.cgi in QuikStore shopping cart stores quikstore.cfg under the web document root with insufficient access control, which allows remote attackers to obtain the cleartext administrator password and gain privileges. 19990420 Shopping Carts exposing CC data An incorrect configuration of the PDG Shopping Cart CGI program "shopper.cgi" could disclose private information. http://www.pdgsoft.com/Security/security.html. pdgsoftcart-misconfig(3857) 19990420 Shopping Carts exposing CC data An incorrect configuration of the SoftCart CGI program "SoftCart.exe" could disclose private information. 19990420 Shopping Carts exposing CC data An incorrect configuration of the Webcart CGI program could disclose private information. 19990420 Shopping Carts exposing CC data A system-critical Windows NT registry key has an inappropriate value. A version of finger is running that exposes valid user information to any entity on the network. This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The FTP Service should be disabled because it could reveal information about a host's users, which could be used as reconnaissance information for attacks. The rpc.sprayd service is running. This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. rpc.sprayd is an unsecured protocol for Internet facing systems and should only be used on a trusted network segment, otherwise disabled. The software should be patched and configured properly. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The FTP service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The FTP Service is an unsecured protocol for Internet facing systems and should only be used on a limited basis to provide a specific functional requirement, otherwise disabled. Secure alternatives that encrypt communications are available. The software should be patched and configured properly. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The SNMP service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. SNMPv3 is a secure protocol for management of networked systems, provided the cryptographic security mechanisms are used. SNMPv1 and SNMPv2 are unsecured protocols for Internet facing systems and should only be used on a trusted network segment. For all versions, the software should be patched and configured properly. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The TFTP service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The TFTP Service is an unsecured protocol and it should used only on a limited basis on rare occasion to provide a specific functional requirement, otherwise disabled. Secure alternatives are available. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The SMTP service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The SMTP Service is an unsecured protocol for Internet facing systems (e.g., user authentication not required, communications not encrypted) and should only be used on a limited basis to provide a specific functional requirement, otherwise disabled. The software should be patched and configured properly. The rexec service is running. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The Telnet service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The Telnet Service is an unsecured and obsolete protocol and it should be disabled. Secure alternatives such as SSH are available. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A component service related to NIS is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. These protocols, such as RPC ypbind, yppasswd, ypserv, ypupdated, and ypxfrd, are unsecured protocols for Internet facing systems and should only be used on a trusted network segment, otherwise disabled. The software should be patched and configured properly. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A component service related to NETBIOS is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. This component service should not be allowed to communicate over untrusted networks, such as the Internet, because it is an unsecured protocol (e.g., communications not encrypted). The software should be patched and configured properly. oval:org.mitre.oval:def:1024 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A component service related to DNS service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. DNS is a critical network service. It should be fully patched and properly configured for Internet facing servers to avoid common attacks such as DNS spoofing, poisoning, and unauthorized zone transfers. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The X Windows service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The XWindows service is an unsecured protocol for Internet facing system and should only be used on a trusted network segment, otherwise disabled. The software should be patched and configured properly. The rstat/rstatd service is running. This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. These are unsecured and obsolete protocols and they should be disabled. The rpc.rquotad service is running. This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. rpc.rquotad is an unsecured and obsolete protocol and it should be disabled. A version of rusers is running that exposes valid user information to any entity on the network. This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. rusers is an unsecured and obsolete protocol and it should be disabled. The rexd service is running, which uses weak authentication that can allow an attacker to execute commands. This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The rexd service is an unsecured protocol for Internet facing systems and should only be used on a trusted network segment, otherwise disabled. The software should be patched and configured properly. The rwho/rwhod service is running, which exposes machine status and user information. The ident/identd service is running. The NT Alerter and Messenger services are running. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The NFS service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. NFS Service is an unsecured protocol for Internet facing systems (e.g., user authentication not required, communications not encrypted) and should only be used on a trusted managed network, otherwise disabled. The software should be patched and configured properly. The RPC portmapper service is running. This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The RPC portmapper service is an unsecured protocol for Internet facing systems and should only be used on a trusted network segment, otherwise disabled. The software should be patched and configured properly. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The HTTP/WWW service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The software should be patched and configured properly. SSL/TLS should be used to protect transmissions of sensitive data. The presence of HTTP may be an indication that an web application server is running on the system. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The SSH service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. SSH is a secure protocol, provided it is fully patched, properly configured, and uses FIPS approved algorithms. SSH version 2 is preferred over SSH version 1 because of known flaws in version 1. The echo service is running. This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The Echo Service is an unsecured and obsolete protocol and it should be disabled. Historically it has been used to perform denial of service attacks. 18514 20060116 ACT P202S VoIP wireless phone multiple undocumented ports/services The discard service is running. The systat service is running. This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The systat service is an unsecured and obsolete protocol and it should be disabled because it can reveal information about a host's operations. The daytime service is running. This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The daytime service is an unsecured and obsolete protocol and it should be disabled. The chargen service is running. This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. chargen service is an unsecured and obsolete protocol and it should be disabled. Historically it has been used to perform denial of service attacks. Ping and traceroute can be used to provide the same functionality. The Gopher service is running. The UUCP service is running. This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The UUCP Service is an unsecured and obsolete protocol and it should be disabled. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A POP service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. POP3 is an unsecured protocol for Internet facing systems that does not encrypt its transmissions. POP3 should be tunneled over SSL/TLS or another encrypted tunnel. The software should be patched and configured properly. Earlier versions of POP, such as POP2, are unsecured and obsolete, and should be disabled. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The IMAP service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. IMAP Service is an unsecured protocol for Internet facing systems that does not encrypt its transmissions. IMAP should be tunneled over SSL/TLS or another encrypted tunnel. The software should be patched and configured properly. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The NNTP news service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. NNTP news service is an unsecured protocol for Internet facing systems (e.g., user authentication not required, communications not encrypted). It could be tunneled over SSL/TLS. The software should be patched and configured properly. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The IRC service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. IRC Service is an unsecured protocol that typically does not authenticate the identity of users and does not encrypt its network communications. IRC is not commonly deployed on enterprise networks. If an organization decides to use it, it should be patched and configured properly, otherwise it should be disabled. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The LDAP service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The software should be patched and configured properly to prevent information disclosure. It can be tunneled over SSL/TLS. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The bootparam (bootparamd) service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The bootparam service is an unsecured protocol for Internet facing systems and should only be used on a trusted network segment, otherwise disabled. The software should be patched and configured properly. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The X25 service is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. X25 is an unsecured protocol for Internet facing systems and should only be used on a limited basis to provide a specific functional requirement, otherwise disabled. The software should be patched and configured properly. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The FSP service is running." The netstat service is running, which provides sensitive information to remote attackers. The rsh/rlogin service is running. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A database service is running, e.g. a SQL server, Oracle, or mySQL." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The software should be patched and configured properly to prevent information leakage and unauthorized access. A component service related to NIS+ is running. The OS/2 or POSIX subsystem in NT is enabled. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is not about any specific product, protocol, or design, so it is out of scope of CVE. Notes: the former description is: "A service may include useful information in its banner or help function (such as the name and version), making it useful for information gathering activities." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. The ugidd RPC interface, by design, allows remote attackers to enumerate valid usernames by specifying arbitrary UIDs that ugidd maps to local user and group names. This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. linux-ugidd(348) http://ca.com/au/securityadvisor/vulninfo/Vuln.aspx?ID=1638 WinGate is being used. This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "DCOM is running." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A Windows NT Primary Domain Controller (PDC) or Backup Domain Controller (BDC) is present." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is not about any specific product, protocol, or design, so it is out of scope of CVE. It might be more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc." This Common Vulnerabilities and Exposures (CVE) entry is a configuration issue and not a software flaw. As such, it doesn’t fit in the CVE software flaw list. The Common Vulnerability Scoring System (CVSS) base score for this CVE entry has been set to 0 because this CVE entry has no impact as a software flaw according to CVSS. This does not mean that the configuration issue is not important and there may be security implications relative to computers having this configuration. A system is running a version of software that was replaced with a Trojan Horse at one of its distribution points, such as (1) TCP Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and 2.1f, (4) IRC client (ircII) ircII 2.2.9, (5) OpenSSH 3.4p1, or (6) Sendmail 8.12.6. CA-2002-28 CA-1999-02 CA-1999-01 CA-1994-14 CA-1994-07 5921 sendmail-backdoor(10313) 20021009 Re: CERT Advisory CA-2002-28 Trojan Horse Sendmail 20020801 OpenSSH Security Advisory: Trojaned Distribution Files 20020801 trojan horse in recent openssh (version 3.4 portable 1) A system-critical program or library does not have the appropriate patch, hotfix, or service pack installed, or is outdated or obsolete. A system-critical program, library, or file has a checksum or other integrity measurement that indicates that it has been modified. An application-critical Windows NT registry key has inappropriate permissions. An application-critical Windows NT registry key has an inappropriate value. The ARP protocol allows any host to spoof ARP replies and poison the ARP cache to conduct IP address spoofing or a denial of service. The scriptlet.typelib ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy. MS99-032 598 Q240308 J-064 The Eyedog ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy. J-064 Buffer overflow in the Eyedog ActiveX control allows a remote attacker to execute arbitrary commands. MS99-032 J-064 Buffer overflow in ToxSoft NextFTP client through CWD command. 572 Buffer overflow in Fujitsu Chocoa IRC client via IRC channel topics. 573 Buffer overflow in ALMail32 POP3 client via From: or To: headers. 574 The BSD profil system call allows a local user to modify the internal data space of a program via profiling and execve. 570 J-067 Check Point FireWall-1 can be subjected to a denial of service via UDP packets that are sent through VPN-1 to port 0 of a host. 576 19990809 FW1 UDP Port 0 DoS 1038 sdtcm_convert in Solaris 2.6 allows a local user to overwrite sensitive files via a symlink attack. 19990808 sdtcm_convert 575 The WebRamp web administration utility has a default password. 577 A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server. 318 Buffer overflow in hybrid-6 IRC server commonly used on EFnet allows remote attackers to execute commands via m_invite invite option. http://www.efnet.org/archive/servers/hybrid/ChangeLog 581 Windows NT Terminal Server performs extra work when a client opens a new connection but before it is authenticated, allowing for a denial of service. 571 MS99-028 J-057 Q238600 Buffer overflow in Microsoft FrontPage Server Extensions (PWS) 3.0.2.926 on Windows 95, and possibly other versions, allows remote attackers to cause a denial of service via a long URL. frontpage-pws-dos 568 19990807 Crash FrontPage Remotely... Microsoft Exchange 5.5 allows a remote attacker to relay email (i.e. spam) using encapsulated SMTP addresses, even if the anti-relaying features are enabled. 567 MS99-027 J-056 Q237927 Denial of service in Gauntlet Firewall via a malformed ICMP packet. 556 1029 Denial of service in Sendmail 8.8.6 in HPUX. Buffer overflow in Netscape Communicator via EMBED tags in the pluginspage option. 618 Denial of service in Netscape Enterprise Server (NES) in HP Virtual Vault (VVOS) via a long URL. HPSBUX9906-098 J-046 The ToolTalk ttsession daemon uses weak RPC authentication, which allows a remote attacker to execute commands. HPSBUX9909-103 637 K-001 00192 Buffer overflows in HP Software Distributor (SD) for HPUX 10.x and 11.x. HPSBUX9907-101 545 The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack. HPSBUX9909-103 636 00192 oval:org.mitre.oval:def:1880 HP CDE program includes the current directory in root's PATH variable. J-053 HPSBUX9907-100 Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name. HPSBUX9909-103 635 00192 oval:org.mitre.oval:def:3078 The default configuration of the Array Services daemon (arrayd) disables authentication, allowing remote users to gain root privileges. J-052 19990701-01-P Buffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges. HPSBUX9909-103 641 00192 oval:org.mitre.oval:def:4374 Denial of service in AIX ptrace system call allows local users to crash the system. J-055 The Sybase PowerDynamo personal web server allows attackers to read arbitrary files through a .. (dot dot) attack. 620 1064 Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd). HPSBUX9908-102 J-051 00188 SCO Doctor allows local users to gain root privileges through a Tools option. 621 Denial of service in IP protocol logger (ippl) on Red Hat and Debian Linux. The Bluestone Sapphire web server allows session hijacking via easily guessable session IDs. 623 Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed dialer entry in the dialer.ini file. MS99-026 Q237185 After an unattended installation of Windows NT 4.0, an installation file could include sensitive information such as the local Administrator password. 626 MS99-036 Q173039 Internet Explorer 5.0 and 5.01 allows remote attackers to modify or execute files via the Import/Export Favorites feature, aka the "ImportExportFavorites" vulnerability. 627 MS99-037 Q241361 OpenBSD, BSDI, and other Unix operating systems allow users to set chflags and fchflags on character and block devices. J-066 Buffer overflow in Berkeley automounter daemon (amd) logging facility provided in the Linux am-utils package and others. 614 Buffer overflow in INN inews program. 616 Linux xmonisdn package allows local users to gain root privileges by modifying the IFS or PATH environmental variables. 583 The default FTP configuration in HP Visualize Conference allows conference users to send a file to other participants without authorization. J-050 HPSBUX9906-099 493 Buffer overflow in cfingerd allows local users to gain root privileges via a long GECOS field. 651 The Squid package in Red Hat Linux 5.2 and 6.0, and other distributions, installs cachemgr.cgi in a public web directory, which allows remote attackers to use it as an intermediary to connect to other systems. http-cgi-cachemgr(2385) 2059 RHSA-2005:489 RHSA-1999:025 http://www.redhat.com/support/errata/archives/rh52-errata-general.html#squid FEDORA-2005-373 DSA-576 FLSA-2006:152809 The oratclsh interpreter in Oracle 8.x Intelligent Agent for Unix allows local users to execute Tcl commands as root. 19990430 *Huge* security hole in Oracle 8.0.5 with Intellegent agent installed 19990506 Oracle Security Followup, patch and FAQ: setuid on oratclsh A vulnerability in Caldera Open Administration System (COAS) allows the /etc/shadow password file to be made world-readable. The dtlogin program in Compaq Tru64 UNIX allows local users to gain root privileges. J-044 Vulnerability in Compaq Tru64 UNIX edauth command. Buffer overflow in Remote Access Service (RAS) client allows an attacker to execute commands or cause a denial of service via a malformed phonebook entry. Q230677 MS99-016 Buffer overflow in Windows NT 4.0 help file utility via a malformed help file. MS99-015 Q231605 A remote attacker can disable the virus warning mechanism in Microsoft Excel 97. Q231304 MS99-014 IBM GINA, when used for OS/2 domain authentication of Windows NT users, allows local users to gain administrator privileges by changing the GroupMapping registry key. ibm-gina-group-add 608 19990823 IBM Gina security warning The Guile plugin for the Gnumeric spreadsheet package allows attackers to execute arbitrary code. 563 The pt_chown command in Linux allows local users to modify TTY terminal devices that belong to other users. 19990823 [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x 597 Denial of service in Windows NT Local Security Authority (LSA) through a malformed LSA request. MS99-020 J-049 Q231457 The default configuration of Cobalt RaQ2 servers allows remote users to install arbitrary software packages. 558 The Windows NT Client Server Runtime Subsystem (CSRSS) can be subjected to a denial of service when all worker threads are waiting for user input. MS99-021 478 J-049 Q233323 Buffer overflow in OpenBSD procfs and fdescfs file systems via uio_offset in the readdir() function. 6128 When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker to view the source code of certain files, a.k.a. "Double Byte Code Page". iis-double-byte-code-page(2302) 477 MS99-022 Q233335 An attacker can conduct a denial of service in Windows NT by executing a program with a malformed file image header. 499 MS99-023 Q234557 A kernel leak in the OpenBSD kernel allows IPsec packets to be sent unencrypted. 6127 A Windows NT user can disable the keyboard or mouse by directly calling the IOCTLs which control them. MS99-024 Q236359 Buffer overflow in Lotus Notes LDAP (NLDAP) allows an attacker to conduct a denial of service through the ldap_search request. 19990823 Denial of Service Attack against Lotus Notes Domino Server 4.6 601 J-061 1057 The zsoelim program in the Debian man-db package allows local users to overwrite files via a symlink attack. The KDE klock program allows local users to unlock a session using malformed input. 489 The logging facilitity of the Debian smtp-refuser package allows local users to delete arbitrary files using symbolic links. Buffer overflow in VMWare 1.0.1 for Linux via a long HOME environmental variable. 490 A default configuration of CiscoSecure Access Control Server (ACS) allows remote users to modify the server database without authentication. KDE K-Mail allows local users to gain privileges via a symlink attack in temporary user directories. 300 RHSA-1999:015-01 The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. MS99-013 oval:org.mitre.oval:def:932 The viewcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. MS99-013 The code.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. MS99-013 The codebrws.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. MS99-013 Remote attackers can cause a denial of service on Linux in.telnetd telnet daemon through a malformed TERM environmental variable. 594 QMS CrownNet Unix Utilities for 2060 allows root to log on without a password. 593 The Debian mailman package uses weak authentication, which allows attackers to gain privileges. 480 Trn allows local users to overwrite other users' files via symlinks. trn-symlinks(3144) Buffer overflow in Netscape Enterprise Server and FastTrask Server allows remote attackers to gain privileges via a long HTTP GET request. 603 Buffer overflow in Source Code Browser Program Database Name Server Daemon (pdnsd) for the IBM AIX C Set ++ compiler. 590 J-059 A default configuration of in.identd in SuSE Linux waits 120 seconds between requests, allowing a remote attacker to conduct a denial of service. 587 Denial of service in BSDi Symmetric Multiprocessing (SMP) when an fstat call is made when the system has a high CPU load. 19990816 Symmetric Multiprocessing (SMP) Vulnerbility in BSDi 4.0.1 589 Buffer overflows in Red Hat net-tools package. Buffer overflow in Microsoft Telnet client in Windows 95 and Windows 98 via a malformed Telnet argument. 586 MS99-033 Hotmail allows Javascript to be executed via the HTML STYLE tag, allowing remote attackers to execute commands on the user's Hotmail account. 630 Buffer overflow in Accept command in Netscape Enterprise Server 3.6 with the SSL Handshake Patch. netscape-accept-bo(3256) 631 Denial of service in Netscape Enterprise Server via a buffer overflow in the SSL handshake. The w3-msql CGI script provided with Mini SQL allows remote attackers to view restricted directories. 591 The INN inndstart program allows local users to gain privileges by specifying an alternate configuration file using the INNCONF environmental variable. http://www.redhat.com/corp/support/errata/inn99_05_22.html 255 CSSA-1999-011.0 Windows NT RRAS and RAS clients cache a user's password even if the user has not selected the "Save password" option. MS99-017 Q230681 ColdFusion Administrator with Advanced Security enabled allows remote users to stop the ColdFusion server via the Start/Stop utility. coldfusion-admin-dos(2207) ASB99-07 The ColdFusion CFCRYPT program for encrypting CFML templates has weak encryption, allowing attackers to decrypt the templates. coldfusion-encryption ASB99-08 Netscape Enterprise 3.5.1 and FastTrack 3.01 servers allow a remote attacker to view source code to scripts by appending a %20 to the script's URL. Buffer overflow in FuseMAIL POP service via long USER and PASS commands. http://www.crosswinds.net/~fuseware/faq.html#8 634 Undocumented ColdFusion Markup Language (CFML) tags and functions in the ColdFusion Administrator allow users to gain additional privileges. 550 coldfusion-server-cfml-tags ASB99-10 Buffer overflow in FreeBSD fts library routines allows local user to modify arbitrary files via the periodic program. 644 1074 When Javascript is embedded within the TITLE tag, Netscape Communicator allows a remote attacker to use the "about" protocol to gain access to browser information. NetBSD on a multi-homed host allows ARP packets on one network to modify ARP entries on another connected network. 6540 NetBSD allows ARP packets to overwrite static ARP entries. 6539 SGI IRIX midikeys program allows local users to modify arbitrary files via a text editor. 262 19990501-01-A The Microsoft Java Virtual Machine allows a malicious Java applet to execute arbitrary commands outside of the sandbox environment. 600 MS99-031 Q240346 Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES environmental variable. Buffer overflow in Vixie Cron on Red Hat systems via the MAILTO environmental variable. 602 Vixie Cron on Linux systems allows local users to set parameters of sendmail commands via the MAILTO environmental variable. 611 Firewall-1 sets a long timeout for connections that begin with ACK or other packets except SYN, allowing an attacker to conduct a denial of service via a large number of connection attempts to unresponsive systems. 549 1027 The web components of Compaq Management Agents and the Compaq Survey Utility allow a remote attacker to read arbitrary files via a .. (dot dot) attack. Denial of service in Compaq Management Agents and the Compaq Survey Utility via a long string sent to port 2301. Buffer overflow in Solaris lpset program allows local users to gain root access. 19990511 Solaris2.6 and 2.7 lpset overflow Buffer overflows in Mars NetWare Emulation (NWE, mars_nwe) package via long directory names. 617 Cisco Gigabit Switch routers running IOS allow remote attackers to forward unauthorized packets due to improper handling of the "established" keyword in an access list. Alibaba HTTP server allows remote attackers to read files via a .. (dot dot) attack. 19990506 ".."-hole in Alibaba 2.0 IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions. 658 MS99-039 Q242559 Q241407 Buffer overflow in Xi Graphics Accelerated-X server allows local users to gain root access via a long display or query parameter. 488 Denial of service in HP-UX SharedX recserv program. HPSBUX9810-086 KDE klock allows local users to kill arbitrary processes by specifying an arbitrary PID in the .kss.pid file. 19981118 Multiple KDE security vulnerabilities (root compromise) KDE allows local users to execute arbitrary commands by setting the KDEDIR environmental variable to modify the search path that KDE uses to locate its executables. 19981118 Multiple KDE security vulnerabilities (root compromise) KDE kppp allows local users to create a directory in an arbitrary location via the HOME environmental variable. 19981118 Multiple KDE security vulnerabilities (root compromise) FreeBSD allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system. 6090 I-057 Denial of service in Oracle TNSLSNR SQL*Net Listener via a malformed string to the listener port, aka NERP. 19980827 NERP DoS attack possible in Oracle 19990104 Re: Fw:"NERP" DoS attack possible in Oracle 19981228 Oracle8 TNSLSNR DoS The INN inndstart program allows local users to gain root privileges via the "pathrun" parameter in the inn.conf file. 254 The dynamic linker in Solaris allows a local user to create arbitrary files via the LD_PROFILE environmental variable and a symlink attack. 659 The SSH authentication agent follows symlinks via a UNIX domain socket. 660 19990924 [Fwd: Truth about ssh 1.2.27 vulnerability] 19990917 A few bugs... Arkiea nlservd allows remote attackers to conduct a denial of service. 662 19990924 Multiple vendor Knox Arkiea local root/remote DoS Buffer overflow in AIX ftpd in the libc library. 679 J-072 A remote attacker can read information from a Netscape user's cache via JavaScript. http://home.netscape.com/security/notes/jscachebrowsing.html Hybrid Network cable modems do not include an authentication mechanism for administration, allowing remote attackers to compromise the system through the HSMP protocol. 695 ROUTERmate has a default SNMP community name which allows remote attackers to modify its configuration. http://www2.merton.ox.ac.uk/~security/rootshell/0022.html Internet Explorer allows remote attackers to read files by redirecting data to a Javascript applet. MS99-043 Microsoft Excel does not warn a user when a macro is present in a Symbolic Link (SYLK) format file. MS99-044 Q241902 Q241901 Q241900 The NIS+ rpc.nisd server allows remote attackers to execute certain RPC calls without authentication to obtain system information, disable logging, or modify caches. FreeBSD T/TCP Extensions for Transactions can be subjected to spoofing attacks. 6089 NIS finger allows an attacker to conduct a denial of service via a large number of finger requests, resulting in a large number of NIS queries. I-070 Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux systems via a malformed header type. 19981204 bootpd remote vulnerability Buffer overflow in bootpd 2.4.3 and earlier via a long boot file location. The GetFile.cfm file in Allaire Forums allows remote attackers to read files through a parameter to GetFile.cfm. ASB99-05 19990211 ACFUG List: Alert: Allaire Forums GetFile bug allaire-forums-file-read(1748) 944 BMC Patrol allows remote attackers to gain access to an agent by spoofing frames. 19990409 Patrol security bugs bmc-patrol-frames(2075) Buffer overflow in Internet Explorer 5 allows remote attackers to execute commands via a malformed Favorites icon. MS99-018 Q231450 The fwluser script in AIX eNetwork Firewall allows local users to write to arbitrary files via a symlink attack. 962 19990525 IBM eNetwork Firewall for AIX Denial of service in Linux 2.2.x kernels via malformed ICMP packets containing unusual types, codes, and IP header lengths. 302 Novell NetWare Transaction Tracking System (TTS) in Novell 4.11 and earlier allows remote attackers to cause a denial of service via a large number of requests. novell-tts-dos 19990512 DoS with Netware 4.x's TTS Buffer overflow in Solaris dtprintinfo program. 6552 The Netscape Directory Server installation procedure leaves sensitive information in a file that is accessible to local users. Multiple buffer overflows in ISC DHCP Distribution server (dhcpd) 1.0 and 2.0 allow a remote attacker to cause a denial of service (crash) and possibly execute arbitrary commands via long options. I-053 ftp://ftp.isc.org/isc/dhcp/dhcp-1.0-history/dhcp-1.0.0-1.0pl1.diff.gz 19980518 DHCP 1.0 and 2.0 SECURITY ALERT! (fwd) Netscape Communicator 4.x with Javascript enabled does not warn a user of cookie settings, even if they have selected the option to "Only accept cookies originating from the same server as the page being viewed". Denial of service in Samba NETBIOS name service daemon (nmbd). Buffer overflow in Samba smbd program via a malformed message command. 536 Race condition in Samba smbmnt allows local users to mount file systems in arbitrary locations. Cfingerd with ALLOW_EXECUTION enabled does not properly drop privileges when it executes a program on behalf of the user, allowing local users to gain root privileges. Red Hat pump DHCP client allows remote attackers to gain root access in some configurations. RHSA-1999:027 Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries. Q196270 nt-snmpagent-leak(1974) oval:org.mitre.oval:def:952 The Motorola CableRouter allows any remote user to connect to and configure the router on port 1024. 19980510 Security Vulnerability in Motorola CableRouters Lynx WWW client allows a remote attacker to specify command-line parameters which Lynx uses when calling external programs to handle certain protocols, e.g. telnet. Buffer overflow in Solaris kcms_configure via a long NETPATH environmental variable. 831 19991130 another hole of Solaris7 kcms_configure NTMail does not disable the VRFY command, even if the administrator has explicitly disabled it. 19991130 NTmail and VRFY FreeBSD seyon allows users to gain privileges via a modified PATH variable for finding the xterm and seyon-emu commands. 838 5996 FreeBSD seyon allows local users to gain privileges by providing a malicious program in the -emulator argument. 838 Buffer overflow in Qpopper (qpop) 3.0 allows remote root access via AUTH command. 830 Buffer overflow in FreeBSD xmindpath allows local users to gain privileges via -f argument. 839 1150 A Windows NT user can use SUBST to map a drive letter to a folder, which is not unmapped after the user logs off, potentially allowing that user to modify the location of folders accessed by later users. 833 The default permissions for UnixWare /var/mail allow local users to read and modify other users' mail. 849 Buffer overflow in FreeBSD angband allows local users to gain privileges. 840 1151 By default, Internet Explorer 5.0 and other versions enables the "Navigate sub-frames across different domains" option, which allows frame spoofing. UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow local users to read arbitrary files via the dacread permission. 853 HP Secure Web Console uses weak encryption. Buffer overflow in SCO UnixWare Xsco command via a long argument. Denial of service in Linux syslogd via a large number of connections. 809 CSSA-1999-035.0 Buffer overflow in NFS server on Linux allows attackers to execute commands via a long pathname. 19991109 undocumented bugs - nfsd 782 RHSA-1999:053-01 19991110 Security hole in nfs-server < 2.2beta47 within nkita 19991111 buffer overflow in nfs server CSSA-1999-033.0 Buffer overflow in BIND 8.2 via NXT records. 788 CSSA-1999-034.1 Buffer overflow in RSAREF2 via the encryption and decryption functions in the RSAREF library. 843 Denial of service in BIND named via malformed SIG records. 788 CSSA-1999-034.1 UnixWare uidadmin allows local users to modify arbitrary files via a symlink attack. 19991202 UnixWare 7 uidadmin exploit + discussion 842 SB-99.22a Denial of service in BIND by improperly closing TCP sessions via so_linger. 788 00194 CSSA-1999-034.1 Buffer overflow in Serv-U FTP 2.5 allows remote users to conduct a denial of service via the SITE command. 859 Windows NT Task Scheduler installed with Internet Explorer 5 allows a user to gain privileges by modifying the job after it has been scheduled. 828 MS99-051 Q246972 Buffer overflow in CDE dtmail and dtmailpr programs allows local users to gain privileges via a long -f option. 832 solaris-dtmailpr-overflow(3580) solaris-dtmail-overflow(3579) 19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow http://www.securiteam.com/exploits/3J5QQPPQ0O.html Buffer overflow in CDE mailtool allows local users to gain root privileges via a long MIME Content-Type. 832 cde-mailtool-bo(3732) 19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow http://www.securiteam.com/exploits/3J5QQPPQ0O.html Symantec Mail-Gear 1.0 web interface server allows remote users to read arbitrary files via a .. (dot dot) attack. 19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability 827 1144 Denial of service in Cisco routers running NAT via a PORT command from an FTP client to a Telnet port. Denial of service in MDaemon WorldClient and WebConfig services via a long URL. 823 820 Buffer overflow in SCO su program allows local users to gain root access via a long username. Denial of service in MDaemon 2.7 via a large number of connection attempts. Buffer overflow in free internet chess server (FICS) program, xboard. Denial of service in BIND named via consuming more than "fdmax" file descriptors. 788 00194 CSSA-1999-034.1 Denial of service in BIND named via maxdname. 788 00194 CSSA-1999-034.1 The default permissions for Endymion MailMan allow local users to read email or modify files. 845 Denial of service in BIND named via naptr. 788 00194 CSSA-1999-034.1 IBM WebSphere sets permissions that allow a local user to modify a deinstallation script or its data files stored in /usr/bin. 844 Buffer overflow in Netscape Enterprise Server and Netscape FastTrack Server allows remote attackers to gain privileges via the HTTP Basic Authentication procedure. 847 Ultimate Bulletin Board stores data files in the cgi-bin directory, allowing remote attackers to view the data if an error occurs when the HTTP server attempts to execute the file. http://www.ultimatebb.com/home/versions.shtml 20000225 FW: Important UBB News For Licensed Users Buffer overflow in FreeBSD gdc program. 834 login in Slackware 7.0 allows remote attackers to identify valid users on the system by reporting an encryption error when an account is locked or does not exist. FreeBSD gdc program allows local users to modify files via a symlink attack. 835 Internet Explorer 5 allows a remote attacker to modify the IE client's proxy configuration via a malicious Web Proxy Auto-Discovery (WPAD) server. 846 MS99-054 Q247333 Solaris arp allows local users to read files via the -f parameter, which lists lines in the file that do not parse properly. 837 6994 Solaris chkperm allows local users to read files owned by bin via the VMSYS environmental variable and a symlink attack. 837 Race condition in the SSL ISAPI filter in IIS and other servers may leak information in plaintext. MS99-053 Q244613 Insecure directory permissions in RPM distribution for PostgreSQL allows local users to gain privileges by reading a plaintext password file. Buffer overflow in FreeBSD seyon via HOME environmental variable, -emulator argument, -modems argument, or the GUI. UnixWare programs that dump core allow a local user to modify files via a symlink attack on the ./core.pid file. 19991202 UnixWare coredumps follow symlinks 851 19991223 FYI, SCO Security patches available. 19991220 SCO OpenServer Security Status 19991215 Recent postings about SCO UnixWare 7 Buffer overflow in CommuniGatePro via a long string to the HTTP configuration port. 860 19991203 CommuniGatePro 3.1 for NT Buffer Overflow 19991203 CommuniGatePro 3.1 for NT DoS Buffer overflow in UnixWare xauto program allows local users to gain root privilege. 848 19991223 FYI, SCO Security patches available. 19991220 SCO OpenServer Security Status 19991215 Recent postings about SCO UnixWare 7 SB-99.24a Denial of service in IIS 4.0 via a flood of HTTP requests with malformed headers. 579 MS99-029 J-058 Q238349 ucbmail allows remote attackers to execute commands via shell metacharacters that are passed to it from INN. Internet Explorer 3.x to 4.01 allows a remote attacker to insert malicious content into a frame of another web site, aka frame spoofing. MS98-020 Internet Explorer 4.01 allows remote attackers to read arbitrary files by pasting a file name into the file upload control, aka untrusted scripted paste. MS98-015 Internet Explorer 4.0 and 4.01 allow a remote attacker to read files via IE's cross frame security, aka the "Cross Frame Navigate" vulnerability. ie-crossframe-file-read(3668) 7837 MS98-013 Buffer overflow in Vixie cron allows local users to gain root access via a long MAILTO environment variable in a crontab file. 759 611 Buffer overflow in Skyfull mail server via MAIL FROM command. 759 Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions. MS99-019 AD06081999 J-048 Q234905 oval:org.mitre.oval:def:915 DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow remote attackers to modify their default routes. 578 Q216141 Buffer overflow in Internet Explorer 4.0 via EMBED tag. Q176697 Q185959 Internet Explorer 5 allows remote attackers to read files via an ExecCommand method called on an IFRAME. MS99-042 Q243638 Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via MAPPING_CHDIR. 599 Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via macro variables in a message file. Denial of service in WU-FTPD via the SITE NEWER command, which does not free memory properly. Falcon web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 743 1127 Falcon web server allows remote attackers to determine the absolute path of the web root via long file names. Zeus web server allows remote attackers to read arbitrary files by specifying the file name in an option to the search engine. zeus-remote-root(3380) 742 1126 The Zeus web server administrative interface uses weak encryption for its passwords. zeus-weak-password(3833) 742 8186 Alibaba web server allows remote attackers to execute commands via a pipe character in a malformed URL. 770 19991103 More Alibaba Web Server problems... The security descriptor for RASMAN allows users to point to an alternate location via the Windows NT Service Control Manager. 645 MS99-041 Q242294 FTGate web interface server allows remote attackers to read files via a .. (dot dot) attack. 1137 AD05261999 dbsnmp in Oracle Intelligent Agent allows local users to gain privileges by setting the ORACLE_HOME environmental variable, which dbsnmp uses to find the nmiconf.tcl script. 585 Cisco 675 routers running CBOS allow remote attackers to establish telnet sessions if an exec or superuser password has not been set. 39 iHTML Merchant allows remote attackers to obtain sensitive information or execute commands via a code parsing error. http://www.ihtmlmerchant.com/support_patches_feedback.htm 694 The "download behavior" in Internet Explorer 5 allows remote attackers to read arbitrary files via a server-side redirect. VU#37828 674 11274 MS99-040 K-002 Q242542 Buffer overflow in Netscape Communicator before 4.7 via a dynamic font whose length field is less than the size of the font. userOsa in SCO OpenServer allows local users to corrupt files via a symlink attack. Red Hat Linux screen program does not use Unix98 ptys, allowing local users to write to other terminals. Firewall-1 does not properly restrict access to LDAP attributes. 19991020 Checkpoint FireWall-1 V4.0: possible bug in LDAP authentication 725 1117 Buffer overflow in RealNetworks RealServer administration utility allows remote attackers to execute arbitrary commands via a long username and password. http://service.real.com/help/faq/servg260.html 767 iChat ROOMS Webserver allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19980908 bug in iChat 3.0 (maybe others) Buffer overflows in Windows NT 4.0 print spooler allow remote attackers to gain privileges or cause a denial of service via a malformed spooler request. 768 MS99-047 Q243649 The Windows NT 4.0 print spooler allows a local user to execute arbitrary commands due to inappropriate permissions that allow the user to specify an alternate print provider. 769 MS99-047 Q243649 Buffer overflow in rpc.yppasswdd allows a local user to gain privileges via MD5 hash generation. ypserv allows a local user to modify the GECOS and login shells of other users. ypserv allows local administrators to modify password tables. genfilt in the AIX Packet Filtering Module does not properly filter traffic to destination ports greater than 32767. Buffer overflow in BFTelnet allows remote attackers to cause a denial of service via a long username. 771 Denial of service in Axent Raptor firewall via malformed zero-length IP options. 736 1121 Buffer overflow in sccw allows local users to gain root access via the HOME environmental variable. 656 sccw allows local users to read arbitrary files. Denial of service in Solaris TCP streams driver via a malicious connection that causes the server to panic as a result of recursive calls to mutex_enter. 655 Multihomed Windows systems allow a remote attacker to bypass IP source routing restrictions via a malformed packet with IP options, aka the "Spoofed Route Pointer" vulnerability. MS99-038 646 Q238453 Microsoft Site Server and Commercial Internet System (MCIS) do not set an expiration for a cookie, which could then be cached by a proxy and inadvertently used by a different user. MS99-035 625 Buffer overflow in ProFTPD, wu-ftpd, and beroftpd allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories. 612 19990210 FreeBSD VFS cache (vfs_cache) allows local users to cause a denial of service by opening a large number of files. 653 1079 dfire.cgi script in Dragon-Fire IDS allows remote users to execute commands via shell metacharacters. 564 19990804 NSW Dragon Fire gets drowned Buffer overflow in the FTP client in the Debian GNU/Linux netstd package. 324 URL Live! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 746 1129 WebTrends software stores account names and passwords in a file which does not have restricted access permissions. The Preloader ActiveX control used by Internet Explorer allows remote attackers to read arbitrary files. Q231452 MS99-018 Denial of service in various Windows systems via malformed, fragmented IGMP packets. MS99-034 514 Q238329 A memory leak in a Motorola CableRouter allows remote attackers to conduct a denial of service via a large number of telnet connections. motorola-cable-crash(2004) 19980510 Security Vulnerability in Motorola CableRouters Buffer overflow in the pop-2d POP daemon in the IMAP package allows remote attackers to gain privileges via the FOLD command. 283 BMC Patrol allows any remote attacker to flood its UDP port, causing a denial of service. 1879 19990409 Patrol security bugs bmc-patrol-udp-dos(4291) An example application in ColdFusion Server 4.0 allows remote attackers to view source code via the sourcewindow.cfm file. ASB99-02 Sample runnable code snippets in ColdFusion Server 4.0 allow remote attackers to read files, conduct a denial of service, or use the server as a proxy for other HTTP calls. ASB99-02 The Syntax Checker in ColdFusion Server 4.0 allows remote attackers to conduct a denial of service. ASB99-02 coldfusion-syntax-checker(1742) 3236 UnityMail allows remote attackers to conduct a denial of service via a large number of MIME headers. 19980903 Web servers / possible DOS Attack / mime header flooding Apache allows remote attackers to conduct a denial of service via a large number of MIME headers. 19990903 Web servers / possible DOS Attack / mime header flooding NTMail allows remote attackers to read arbitrary files via a .. (dot dot) attack. 279 AD05261999 Buffer overflow in SmartDesk WebSuite allows remote attackers to cause a denial of service via a long URL. 278 Novell NetWare with Novell-HTTP-Server or YAWN web servers allows remote attackers to conduct a denial of service via a large number of HTTP GET requests. wwwboard allows a remote attacker to delete message board articles via a malformed argument. http://www.worldwidemart.com/scripts/faq/wwwboard/q5.shtml http-cgi-wwwboard(2344) 1795 Buffer overflow in Mediahouse Statistics Server allows remote attackers to execute commands. 734 Mediahouse Statistics Server allows remote attackers to read the administrator password, which is stored in cleartext in the ss.cfg file. 735 TeamTrack web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 689 1096 classifieds.cgi allows remote attackers to read arbitrary files via shell metacharacters. http-cgi-classifieds-read(3102) 2020 classifieds.cgi allows remote attackers to execute arbitrary commands by specifying them in a hidden variable in a CGI form. BNBSurvey survey.cgi program allows remote attackers to execute commands via shell metacharacters. BNBForm allows remote attackers to read arbitrary files via the automessage hidden form variable. MBone SDR Package allows remote attackers to execute commands via shell metacharacters in Sesion Initiation Protocol (SIP) messages. Denial of service in Debian IRC Epic/epic4 client via a long string. 605 Buffer overflow in mutt mail client allows remote attackers to execute commands via malformed MIME messages. Mutt mail client allows a remote attacker to execute commands via shell metacharacters. 19980728 mutt x.x UnixWare dos7utils allows a local user to gain root privileges by using the STATICMERGE environmental variable to find a script which it executes. Buffer overflow in OpenLink 3.2 allows remote attackers to gain privileges via a long GET request to the web configurator. 720 IBM WebSphere ikeyman tool uses weak encryption to store a password for a key database that is used for SSL connections. Buffer overflow in Internet Mail Service (IMS) for Microsoft Exchange 5.5 and 5.0 allows remote attackers to conduct a denial of service via AUTH or AUTHINFO commands. 19980724 Denial of Service attacks against Microsoft Exchange 5.0 to 5.5 I-080 exchange-dos(1223) Q169174 Buffer overflow in Yamaha MidiPlug via a Text variable in an EMBED tag. 760 19991102 Some holes for Win/UNIX softwares AN-HTTPd provides example CGI scripts test.bat, input.bat, input2.bat, and envout.bat, which allow remote attackers to execute commands via shell metacharacters. 762 19991102 Some holes for Win/UNIX softwares Buffer overflow in uum program for Canna input system allows local users to gain root privileges. 757 Buffer overflow in canuum program for Canna input system allows local users to gain root privileges. 757 Buffer overflow in WFTPD FTP server allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories. 747 Buffer overflow in OmniHTTPd CGI program imagemap.exe allows remote attackers to execute commands. 739 3380 Buffer overflow in Solaris lpstat via class argument allows local users to gain root access. 19990126 Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat WWWBoard stores encrypted passwords in a password file that is under the web root and thus accessible by remote attackers. WWWBoard has a default username and default password. 649 Race condition in wu-ftpd and BSDI ftpd allows remote attackers gain root access via the SITE EXEC command. The NeXT NetInfo _writers property allows local users to gain root privileges or conduct a denial of service. MajorCool mj_key_cache program allows local users to modify files via a symlink attack. sudo 1.5.x allows local users to execute arbitrary commands via a .. (dot dot) attack. 19980112 Re: hole in sudo for MP-RAS. IRIX startmidi program allows local users to modify arbitrary files via a symlink attack. 469 8447 19980301-01-PX IRIX cdplayer allows local users to create directories in arbitrary locations via a command line option. 19980301-01-PX HPUX sysdiag allows local users to gain root privileges via a symlink attack during log file creation. 19960921 Vunerability in HP sysdiag ? Buffer overflow in HPUX passwd command allows local users to gain root privileges via a command line option. HPSBUX9701-045 6415 FreeBSD mount_union command allows local users to gain root privileges via a symlink attack. 6088 Buffer overflow in FreeBSD setlocale in the libc module allows attackers to execute arbitrary code via a long PATH_LOCALE environment variable. 6086 Race condition in xterm allows local users to modify arbitrary files via the logging option. Buffer overflow in Solaris getopt in libc allows local users to gain root privileges via a long argv[0]. Buffer overflow in the HTML library used by Internet Explorer, Outlook Express, and Windows Explorer via the res: local resource protocol. Buffer overflow in BNC IRC proxy allows remote attackers to gain privileges. bnc-proxy-bo(1546) 1927 19981226 bnc exploit The Windows NT RPC service allows remote attackers to conduct a denial of service using spoofed malformed RPC packets which generate an error message that is sent to the spoofed host, potentially setting up a loop, aka Snork. Q193233 MS98-014 The OmniHTTPD visadmin.exe program allows a remote attacker to conduct a denial of service via a malformed URL which causes a large number of temporary files to be created. omnihttpd-dos(2271) 1808 19990605 Remote Exploit (Bug) in OmniHTTPd Web Server Buffer overflow in Exim allows local users to gain root privileges via a long :include: option in a .forward file. 19970722 Security hole in exim 1.62: local root exploit Buffer overflow in Xshipwars xsw program. 863 Buffer overflow in Solaris snoop program allows remote attackers to gain root privileges via a long domain name when snoop is running in verbose mode. 858 Buffer overflow in Solaris snoop allows remote attackers to gain root privileges via GETQUOTA requests to the rpc.rquotad service. 864 00190 The Windows help system can allow a local user to execute commands as another user by editing a table of contents metafile with a .CNT extension and modifying the topic action to include the commands to be executed when the .hlp file is accessed. 868 Sendmail allows local users to reinitialize the aliases database via the newaliases command, then cause a denial of service by interrupting Sendmail. 857 Buffer overflow in Solaris sadmind allows remote attackers to gain root privileges using a NETMGT_PROC_SERVICE request. 866 2354 2558 00191 htdig allows remote attackers to execute commands via filenames with shell metacharacters. 867 The SCO UnixWare privileged process system allows local users to gain root privileges by using a debugger such as gdb to insert traps into _init before the privileged process is executed. 869 19991215 Recent postings about SCO UnixWare 7 Windows NT Service Control Manager (SCM) allows remote attackers to cause a denial of service via a malformed argument in a resource enumeration request. MS99-055 Q246045 Internet Explorer 5.01 and earlier allows a remote attacker to create a reference to a client window and use a server-side redirect to access local files via that window, aka "Server-side Page Reference Redirect." MS99-050 Q246094 The Sun Web-Based Enterprise Management (WBEM) installation script stores a password in plaintext in a world readable file. Whois Internic Lookup program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry. Matt's Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry. CC Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry. The ping command in Linux 2.0.3x allows local users to cause a denial of service by sending large packets with the -R (record route) option. 870 Windows NT does not properly download a system policy if the domain user logs into the domain with a space at the end of the domain name. Q237923 UnixWare pkgtrans allows local users to read arbitrary files via a symlink attack. Buffer overflow in Internet Explorer 5 directshow filter (MSDXM.OCX) allows remote attackers to execute commands via the vnd.ms.radio protocol. 861 Error messages generated by gdm with the VerboseAuth setting allows an attacker to identify valid users on a system. Buffer overflow in GoodTech Telnet Server NT allows remote users to cause a denial of service via a long login name. 862 HP VirtualVault with the PHSS_17692 patch allows unprivileged processes to bypass access restrictions via the Trusted Gateway Proxy (TGP). HPSBUX9912-107 Modifications to ACLs (Access Control Lists) in Microsoft Exchange 5.5 do not take effect until the directory store cache is refreshed. Windows NT with SYSKEY reuses the keystream that is used for encrypting SAM password hashes, allowing an attacker to crack passwords. 873 MS99-056 Q248183 Windows NT Local Security Authority (LSA) allows remote attackers to cause a denial of service via malformed arguments to the LsaLookupSids function which looks up the SID, aka "Malformed Security Identifier Request." 875 MS99-057 Q248185 Buffer overflow in Infoseek Ultraseek search engine allows remote attackers to execute commands via a long GET request. 6490 AD19991215 wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress. DSA-377 Cisco Cache Engine allows an attacker to replace content in the cache. Microsoft SQL 7.0 server allows a remote attacker to cause a denial of service via a malformed TDS packet. 817 MS99-059 Q248749 The web administration interface for Cisco Cache Engine allows remote attackers to view performance statistics. Cisco Cache Engine allows a remote attacker to gain access via a null username and password. Netscape Navigator uses weak encryption for storing a user's Netscape mail password. http://www.rstcorp.com/news/bad-crypto.html 19991220 Netscape password scrambling 19991216 Reinventing the wheel (aka "Decoding Netscape Mail passwords") War FTP Daemon 1.70 allows remote attackers to cause a denial of service by flooding it with connections. Buffer overflow in the POP server POProxy for the Norton Anti-Virus protection NAV2000 program via a large USER command. 19991220 Norton Email Protection Remote Overflow (Addendum) 19991217 NAV2000 Email Protection DoS 6267 http://service1.symantec.com/SUPPORT/nav.nsf/df0a595864594c86852567ac0063608c/6206f660a1f2516a882568660082c930?OpenDocument&Highlight=0,poproxy Groupwise web server GWWEB.EXE allows remote attackers to read arbitrary files with .htm extensions via a .. (dot dot) attack using the HELP parameter. 879 3413 19991219 Groupewise Web Interface Groupwise web server GWWEB.EXE allows remote attackers to determine the real path of the web server via the HELP parameter. 19991219 Groupewise Web Interface Buffer overflow in VDO Live Player allows remote attackers to execute commands on the VDO client via a malformed .vdo file. 872 19991213 VDO Live Player 3.02 Buffer Overflow xsoldier program allows local users to gain root access via a long argument. 871 http://marc.theaimsgroup.com/?l=freebsd-security&m=94531826621620&w=2 The Disney Go Express Search allows remote attackers to access and modify search information for users by connecting to an HTTP server on the user's system. An SSH 1.2.27 server allows a client to use the "none" cipher, even if it is not allowed by the server policy. 19991214 sshd1 allows unencrypted sessions regardless of server policy The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands. MS99-025 272 MS98-004 529 J-054 SMTP component of Lotus Domino 4.6.1 on AS/400, and possibly other operating systems, allows a remote attacker to crash the mail server via a long string. 173 19990504 AS/400 named-xfer in AIX 4.1.5 and 4.2.1 allows members of the system group to overwrite system files to gain root access via the -f parameter and a malformed zone file. 673 19990923 named-xfer hole on AIX (fwd) Buffer overflow in mail command in Solaris 2.7 and 2.7 allows local users to gain privileges via a long -m argument. sun-usrbinmail-local-bo(3297) 672 19990927 Working Solaris x86 /usr/bin/mail exploit 19990913 Solaris 2.7 /usr/bin/mail Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and earlier allows a remote attacker to cause a denial of service (crash) via a long HELO command. 61 19980408 AppleShare IP Mail Server Microsoft HTML control as used in (1) Internet Explorer 5.0, (2) FrontPage Express, (3) Outlook Express 5, and (4) Eudora, and possibly others, allows remote malicious web site or HTML emails to cause a denial of service (100% CPU consumption) via large HTML form fields such as text inputs in a table cell. 606 19990827 HTML code to crash IE5 and Outlook Express 5 Seattle Labs Emurl 2.0, and possibly earlier versions, stores e-mail attachments in a specific directory with scripting enabled, which allows a malicious ASP file attachment to execute when the recipient opens the message. 544 19990728 Seattle Labs EMURL Vulnerability IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP fragments before checking the header information, which allows a remote attacker to bypass the filtering rules using several fragments with 0 offsets. 543 19990727 Linux 2.2.10 ipchains Advisory SpectroSERVER in Cabletron Spectrum Enterprise Manager 5.0 installs a directory tree with insecure permissions, which allows local users to replace a privileged executable (processd) with a Trojan horse, facilitating a root or Administrator compromise. 495 19990623 Cabletron Spectrum security vulnerability 19990624 Re: Cabletron Spectrum security vulnerability The installation of Novell Netware NDS 5.99 provides an unauthenticated client with Read access for the tree, which allows remote attackers to access sensitive information such as users, groups, and readable objects via CX.EXE and NLIST.EXE. novell-nds(1364) 484 19980918 NMRC Advisory - Default NDS Rights NFS on SunOS 4.1 through 4.1.2 ignores the high order 16 bits in a 32 bit UID, which allows a local user to gain root access if the lower 16 bits are set to 0, as fixed by the NFS jumbo patch upgrade. CA-1992-15 47 00117 nfs-uid(82) serial_ports administrative program in IRIX 4.x and 5.x trusts the user's PATH environmental variable to find and execute the ls program, which allows local users to gain root privileges via a Trojan horse ls program. sgi-serialports(2111) 464 19941002 useradd in Solaris 7.0 does not properly interpret certain date formats as specified in the "-e" (expiration date) argument, which could allow users to login after their accounts have expired. 426 19990610 Sun Useradd program expiration date bug ip_print procedure in Tcpdump 3.4a allows remote attackers to cause a denial of service via a packet with a zero length header, which causes an infinite loop and core dump when tcpdump prints the packet. 313 19990620 Re: tcpdump 3.4 bug? (final) 19990617 Re: tcpdump 3.4 bug? 19990616 tcpdump 3.4 bug? CDE screen lock program (screenlock) on Solaris 2.6 does not properly lock an unprivileged user's console session when the host is an NIS+ client, which allows others with physical access to login with any string. 294 4115685 19981012 Annoying Solaris/CDE/NIS+ bug aspppd on Solaris 2.5 x86 allows local users to modify arbitrary files and gain root privileges via a symlink attack on the /tmp/.asppp.fifo file. 292 19961220 Solaris 2.5 x86 aspppd (semi-exploitable-hole) Solaris 2.6 HW3/98 installs admintool with world-writable permissions, which allows local users to gain privileges by replacing it with a Trojan horse program. 290 19980507 admintool mode 0777 in Solaris 2.6 HW3/98 solaris-admintool-world-writable(7296) Symantec pcAnywhere 8.0 allows remote attackers to cause a denial of service (CPU utilization) via a large amount of data to port 5631. 288 19990528 DoS against PC Anywhere pcanywhere-dos(2256) SSH server (sshd2) before 2.0.12 does not properly record login attempts if the connection is closed before the maximum number of tries, allowing a remote attacker to guess the password without showing up in the audit logs. ssh2-bruteforce(2193) 277 19990513 - J.J.F. / Hackers Team warns for SSHD 2.x brute force password hacking counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via an HTTP request that ends in %0A (newline), which causes a malformed entry in the counter log that produces an access violation. 267 19990519 Denial of Service in Counter.exe version 2.70 19990519 Denial of Service in Counter.exe version 2.70 counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via a long argument. 267 19990519 Denial of Service in Counter.exe version 2.70 19990519 Denial of Service in Counter.exe version 2.70 Vulnerability in LAT/Telnet Gateway (lattelnet) on Ultrix 4.1 and 4.2 allows attackers to gain root privileges. CA-1991-11 26 ultrix-telnet(584) B-36 Microsoft Outlook Express before 4.72.3612.1700 allows a malicious user to send a message that contains a .., which can inadvertently cause Outlook to re-enter POP3 command mode and cause the POP3 session to hang. 252 19990511 Outlook Express Win98 bug 19990512 Outlook Express Win98 bug, addition. Vulnerability in login in AT&T System V Release 4 allows local users to gain privileges. CA-1991-08 23 sysv-login(583) B-28 IIS 3.0 and 4.0 on x86 and Alpha allows remote attackers to cause a denial of service (hang) via a malformed GET request, aka the IIS "GET" vulnerability. MS98-019 Q192296 iis-get-dos(1823) COPS 1.04 allows local users to overwrite or create arbitrary files via a symlink attack on temporary files in (1) res_diff, (2) ca.src, and (3) mail.chk. 19980626 vulnerability in satan, cops & tiger rex.satan in SATAN 1.1.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/rex.$$ file. 19980626 vulnerability in satan, cops & tiger 3147 satan-rexsatan-symlink(7167) 19980627 Re: vulnerability in satan, cops & tiger Tiger 2.2.3 allows local users to overwrite arbitrary files via a symlink attack on various temporary files in Tiger's default working directory, as defined by the WORKDIR variable. 19980626 vulnerability in satan, cops & tiger Vulnerability in (1) diskalign and (2) diskperf in IRIX 6.4 patches 2291 and 2848 allow a local user to create root-owned files leading to a root compromise. 19980502-01-P3030 Vulnerabilities in (1) ipxchk and (2) ipxlink in NetWare Client 1.0 on IRIX 6.3 and 6.4 allows local users to gain root access via a modified IFS environmental variable. I-055 19980501-01-P 19980408 SGI O2 ipx security issue Buffer overflow in mscreen on SCO OpenServer 5.0 and SCO UNIX 3.2v4 allows a local user to gain root access via (1) a long TERM environmental variable and (2) a long entry in the .mscreenrc file. VB-98.10 19980827 SCO mscreen vul. SB-98.05a 19980926 Root exploit for SCO OpenServer. Cisco Resource Manager (CRM) 1.0 and 1.1 creates world-readable log files and temporary files, which may expose sensitive information, to local users such as user IDs, passwords and SNMP community strings. 19980813 CRM Temporary File Vulnerability Microsoft Exchange Server 5.5 and 5.0 does not properly handle (1) malformed NNTP data, or (2) malformed SMTP data, which allows remote attackers to cause a denial of service (application error). MS98-007 Vulnerability in Advanced File System Utility (advfs) in Digital UNIX 4.0 through 4.0d allows local users to gain privileges. SSRT0495U I-050 dgux-advfs-softlinks(7431) pnserver in RealServer 5.0 and earlier allows remote attackers to cause a denial of service by sending a short, malformed request. http://service.real.com/help/faq/serv501.html 19980817 Re: Real Audio Server Version 5 bug? 19980115 pnserver exploit.. 19980115 [rootshell] Security Bulletin #7 6979 realserver-pnserver-remote-dos(7297) Buffer overflow in IMonitor in IMail 5.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 8181. imail-imonitor-overflow(1897) 504 19990302 Multiple IMail Vulnerabilites When BSDI patches for Gauntlet 5.0 BSDI are installed in a particular order, Gauntlet allows remote attackers to bypass firewall access restrictions, and does not log the activities. 19991018 Gauntlet 5.0 BSDI warning gauntlet-bsdi-bypass(3397) 19991019 Re: Gauntlet 5.0 BSDI warning Buffer overflow in bash 2.0.0, 1.4.17, and other versions allows local attackers to gain privileges by creating an extremely large directory name, which is inserted into the password prompt via the \w option in the PS1 environmental variable when another user changes into that directory. linux-bash-bo(3414) 19980909 problem with very long pathnames 19980905 BASH buffer overflow, LiNUX x86 exploit 19970821 Buffer overflow in /bin/bash 8345 ARCserve NT agents use weak encryption (XOR) for passwords, which allows remote attackers to sniff the authentication request to port 6050 and decrypt the password. 19990222 Severe Security Hole in ARCserve NT agents (fwd) Directory traversal vulnerability in Matt Wright FormHandler.cgi script allows remote attackers to read arbitrary files via (1) a .. (dot dot) in the reply_message_attach attachment parameter, or (2) by specifying the filename as a template. formhandler-cgi-absolute-path(3550) 799 798 19991116 Re: FormHandler.cgi 19991112 FormHandler.cgi Default configuration in Matt Wright FormHandler.cgi script allows arbitrary directories to be used for attachments, and only restricts access to the /etc/ directory, which allows remote attackers to read arbitrary files via the reply_message_attach attachment parameter. 19991116 Re: FormHandler.cgi Microsoft FrontPage stores form results in a default location in /_private/form_results.txt, which is world-readable and accessible in the document root, which allows remote attackers to read possibly sensitive information submitted by other users. 19990824 Front Page form_results guestbook.pl cleanses user-inserted SSI commands by removing text between "<!--" and "-->" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "-->". 776 19990916 Re: Guestbook perl script (error fix) 19990913 Guestbook perl script (long) 19991105 Guestbook.pl, sloppy SSI handling in Apache? (VD#2) The default configuration of FLEXlm license manager 6.0d, and possibly other versions, allows remote attackers to shut down the server via the lmdown command. 19980925 Globetrotter FlexLM 'lmdown' bogosity Microsoft Excel 97 does not warn the user before executing worksheet functions, which could allow attackers to execute arbitrary commands by using the CALL function to execute a malicious DLL, aka the Excel "CALL Vulnerability." excel-call(1737) MS98-018 179 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1395. Reason: This candidate is a duplicate of CVE-1999-1395. Notes: All CVE users should reference CVE-1999-1395 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. VMS 4.0 through 5.3 allows local users to gain privileges via the ANALYZE/PROCESS_DUMP dcl command. CA-1990-07 B-04 12 vms-analyze-processdump-privileges(7137) Buffer overflow in Vermillion FTP Daemon VFTPD 1.23 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via several long CWD commands. vermillion-ftp-cwd-overflow(3543) 818 19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability 19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability Vulnerability in rexec daemon (rexecd) in AT&T TCP/IP 4.0 for various SVR4 systems allows remote attackers to execute arbitrary commands. CA-1992-04 36 att-rexecd(3159) Buffer overflow in Tetrix TetriNet daemon 1.13.16 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by connecting to port 31457 from a host with a long DNS hostname. 340 19990217 Tetrix 1.13.16 is Vulnerable HP Laserjet printers with JetDirect cards, when configured with TCP/IP, can be configured without a password, which allows remote attackers to connect to the printer and change its IP address or disable logging. laserjet-unpassworded(1876) 19971004 HP Laserjet 4M Plus DirectJet Problem HP Laserjet printers with JetDirect cards, when configured with TCP/IP, allow remote attackers to bypass print filters by directly sending PostScript documents to TCP ports 9099 and 9100. laserjet-unpassworded(1876) 19971004 HP Laserjet 4M Plus DirectJet Problem CDomain whois_raw.cgi whois CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the fqdn parameter. http-cgi-cdomain(2251) 304 19990601 whois_raw.cgi problem Multiple buffer overflows in WindowMaker 0.52 through 0.60.0 allow attackers to cause a denial of service and possibly execute arbitrary commands by executing WindowMaker with a long program name (argv[0]). 596 19990824 Re: WindowMaker bugs (was sub:none ) 19990822 Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 14238 while the manager is in network mode. 19991104 Palm Hotsync vulnerable to DoS attack Quake 1 server responds to an initial UDP game connection request with a large amount of traffic, which allows remote attackers to use the server as an amplifier in a "Smurf" style attack on another host, by spoofing the connection request. 19991222 Quake "smurf" - Quake War Utils SGI MachineInfo CGI program, installed by default on some web servers, prints potentially sensitive system status information, which could be used by remote attackers for information gathering activities. 19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in webdist.cgi Oracle Webserver 2.1, when serving PL/SQL stored procedures, allows remote attackers to cause a denial of service via a long HTTP GET request. 19970723 DoS against Oracle Webserver 2.1 with PL/SQL stored procedures Directory traversal vulnerability in carbo.dll in iCat Carbo Server 3.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the icatcommand parameter. icat-carbo-server-vuln(1620) 2126 19971108 Security bug in iCat Suite version 3.0 Buffer overflow in ping CGI program in Xylogics Annex terminal service allows remote attackers to cause a denial of service via a long query parameter. 19980725 Annex DoS Excite for Web Servers (EWS) 1.1 installs the Architext.conf authentication file with world-writeable permissions, which allows local users to gain access to Excite accounts by modifying the file. excite-world-write(1417) 19981130 Security bugs in Excite for Web Servers 1.1 Excite for Web Servers (EWS) 1.1 allows local users to gain privileges by obtaining the encrypted password from the world-readable Architext.conf authentication file and replaying the encrypted password in an HTTP request to AT-generated.cgi or AT-admin.cgi. 19981130 Security bugs in Excite for Web Servers 1.1 Excite for Web Servers (EWS) 1.1 records the first two characters of a plaintext password in the beginning of the encrypted password, which makes it easier for an attacker to guess passwords via a brute force or dictionary attack. 19981130 Security bugs in Excite for Web Servers 1.1 Webmin before 0.5 does not restrict the number of invalid passwords that are entered for a valid username, which could allow remote attackers to gain privileges via brute force password cracking. 19980501 Warning! Webmin Security Advisory http://www.webmin.com/webmin/changes.html 98 inetd in AIX 4.1.5 dynamically assigns a port N when starting ttdbserver (ToolTalk server), but also inadvertently listens on port N-1 without passing control to ttdbserver, which allows remote attackers to cause a denial of service via a large number of connections to port N-1, which are not properly closed by inetd. 19980318 AIX 4.1.5 DoS attack (aka "Port 1025 problem") Idle locking function in MacOS 9 allows local users to bypass the password protection of idled sessions by selecting the "Log Out" option and selecting a "Cancel" option in the dialog box for an application that attempts to verify that the user wants to log out, which returns the attacker into the locked session. 745 19991026 Mac OS 9 Idle Lock Bug Idle locking function in MacOS 9 allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock. 756 19991101 Re: Mac OS 9 Idle Lock Bug WS_FTP Pro 6.0 uses weak encryption for passwords in its initialization files, which allows remote attackers to easily decrypt the passwords and gain privileges. 547 19990729 WS_FTP Pro 6.0 Weak Password Encryption Vulnerability Vulnerability in ptrace in AIX 4.3 allows local users to gain privileges by attaching to a setgid program. 439 IX80470 19990825 AIX security summary 19990506 AIX Security Fixes Update rmmount in SunOS 5.7 may mount file systems without the nosuid flag set, contrary to the documentation and its use in previous versions of SunOS, which could allow local users with physical access to gain root privileges by mounting a floppy or CD-ROM that contains a setuid program and running volcheck, when the file systems do not have the nosuid option specified in rmmount.conf. 19990510 SunOS 5.7 rmmount, no nosuid. 19991011 solaris-rmmount-gain-root(8350) 250 Vulnerability in files.pl script in Novell WebServer Examples Toolkit 2 allows remote attackers to read arbitrary files. http-nov-files(2054) http://www.w3.org/Security/Faq/wwwsf8.html#Q87 http://www.roxanne.org/faqs/www-secure/wwwsf4.html#Q35 Directory traversal vulnerability in Jana proxy web server 1.40 allows remote attackers to ready arbitrary files via a "......" (modified dot dot) attack. 699 19991008 Jana webserver exploit Directory traversal vulnerability in Jana proxy web server 1.45 allows remote attackers to ready arbitrary files via a .. (dot dot) attack. 699 20000502 Security Bug in Jana HTTP Server The "AEDebug" registry key is installed with insecure permissions, which allows local users to modify the key to specify a Trojan Horse debugger which is automatically executed on a system crash. 1044 MS00-008 K-029 Q103861 19980622 Yet another "get yourself admin rights exploit": SSH 1.2.25, 1.2.23, and other versions, when used in in CBC (Cipher Block Chaining) or CFB (Cipher Feedback 64 bits) modes, allows remote attackers to insert arbitrary data into an existing stream between an SSH client and server by using a known plaintext attack and computing a valid CRC-32 checksum for the packet, aka the "SSH insertion attack." VU#13877 19980703 UPDATE: SSH insertion attack 19980612 CORE-SDI-04: SSH insertion attack ssh-insert(1126) Novell 5 and earlier, when running over IPX with a packet signature level less than 3, allows remote attackers to gain administrator privileges by spoofing the MAC address in IPC fragmented packets that make NetWare Core Protocol (NCP) calls. 528 19990715 NMRC Advisory: Netware 5 Client Hijacking Internet Explorer 4 treats a 32-bit number ("dotless IP address") in the a URL as the hostname instead of an IP address, which causes IE to apply Local Intranet Zone settings to the resulting web page, allowing remote malicious web servers to conduct unauthorized activities by using URLs that contain the dotless IP address for their server. ie-dotless(2209) MS98-016 Q168617 http://www.microsoft.com/Windows/Ie/security/dotless.asp 7828 Vulnerability in chsh command in HP-UX 9.X through 10.20 allows local users to gain privileges. hp-chsh(2012) H-21 Buffer overflow in chfn command in HP-UX 9.X through 10.20 allows local users to gain privileges via a long command line argument. H-21 H-16 19961209 the HP Bug of the Week! The default configuration of NCSA Telnet package for Macintosh and PC enables FTP, even though it does not include an "ftp=yes" line, which allows remote attackers to read and modify arbitrary files. CA-1991-15 ftp-ncsa(1844) UNIX news readers tin and rtin create the /tmp/.tin_log file with insecure permissions and follow symlinks, which allows attackers to modify the permissions of files writable by the user via a symlink attack. tin-tmpfile(431) 19970329 symlink bug in tin/rtin 19960903 Re: BoS: [BUG] Vulnerability in TIN 19960903 [BUG] Vulnerability in TIN tin 1.40 creates the .tin directory with insecure permissions, which allows local users to read passwords from the .inputhistory file. 19991117 default permissions for tin Buffer overflow in the Window.External function in the JScript Scripting Engine in Internet Explorer 4.01 SP1 and earlier allows remote attackers to execute arbitrary commands via a malicious web page. MS98-011 java-script-patch(1276) Q191200 Buffer overflow in Internet Explorer 4.01 and earlier allows remote attackers to execute arbitrary commands via a long URL with the "mk:" protocol, aka the "MK Overrun security issue." iemk-bug(917) Q176697 19980114 L0pht Advisory MSIE4.0(1) sort creates temporary files and follows symbolic links, which allows local users to modify arbitrary files that are writable by the user running sort, as observed in updatedb and other programs that use sort. 19980303 updatedb stuff 19971006 KSR[T] Advisory #3: updatedb / crontabs 19980302 overwrite any file with updatedb Buffer overflow in kscreensaver in KDE klock allows local users to gain root privileges via a long HOME environmental variable. kde-klock-home-bo(1644) 19980517 simple kde exploit fix 19980516 kde exploit Microsoft NetMeeting 2.1 allows one client to read the contents of another client's clipboard via a CTRL-C in the chat box when the box is empty. netmeeting-clipboard(2187) 19990504 Microsoft Netmeeting Hole Vulnerability in BSD Telnet client with encryption and Kerberos 4 authentication allows remote attackers to decrypt the session via sniffing. CA-1995-03 F-12 4881 bsd-telnet(516) Kerberos 4 allows remote attackers to obtain sensitive information via a malformed UDP packet that generates an error string that inadvertently includes the realm name and the last user. kerberos-user-grab(65) 19961122 L0pht Kerberos Advisory Cisco PIX Private Link 4.1.6 and earlier does not properly process certain commands in the configuration file, which reduces the effective key length of the DES key to 48 bits instead of 56 bits, which makes it easier for an attacker to find the proper key via a brute force attack. cisco-pix-parse-error(1579) 19980616 PIX Private Link Key Processing and Cryptography Issues I-056 Kabsoftware Lydia utility uses weak encryption to store user passwords in the lydia.ini file, which allows local users to easily decrypt the passwords and gain privileges. 19990219 Yet Another password storing problem (was: Re: Possible Netscape Crypto Security Flaw) lpr on SunOS 4.1.1, BSD 4.3, A/UX 2.0.1, and other BSD-based operating systems allows local users to create or overwrite arbitrary files via a symlink attack that is triggered after invoking lpr 1000 times. E-25a http://www.phreak.org/archives/security/8lgm/8lgm.lpr 19940307 8lgm Advisory Releases dxconsole in DEC OSF/1 3.2C and earlier allows local users to read arbitrary files by specifying the file with the -file parameter. VB-96.05 G-18 http://www.tao.ca/fire/bos/0209.html osf-dxconsole-gain-privileges(7138) Windows 95 uses weak encryption for the password list (.pwl) file used when password caching is enabled, which allows local users to gain privileges by decrypting the passwords. 19980121 How to recover private keys for various Microsoft products 19980120 How to recover private keys for various Microsoft products 19951205 Cracked: WINDOWS.PWL win95-nbsmbpwl(71) Q140557 Windows 95, when Remote Administration and File Sharing for NetWare Networks is enabled, creates a share (C$) when an administrator logs in remotely, which allows remote attackers to read arbitrary files by mapping the network drive. http://www.zdnet.com/eweek/reviews/1016/tr42bug.html http://www.net-security.sk/bugs/NT/netware1.html win95-netware-hidden-share(7231) Buffer overflow in kppp in KDE allows local users to gain root access via a long -c (account_name) command line argument. kde-kppp-account-bo(1643) 92 19980429 Security hole in kppp Buffer overflow in kppp in KDE allows local users to gain root access via a long PATH environmental variable. kde-kppp-path-bo(1650) 19981118 Multiple KDE security vulnerabilities (root compromise) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1107. Reason: This candidate is a duplicate of CVE-1999-1107. Notes: All CVE users should reference CVE-1999-1107 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Sendmail before 8.10.0 allows remote attackers to cause a denial of service by sending a series of ETRN commands then disconnecting from the server, while Sendmail continues to process the commands after the connection has been terminated. 20000113 Re: procmail / Sendmail - five bugs 19991222 Re: procmail / Sendmail - five bugs 904 sendmail-etrn-dos(7760) Windows Media Player ActiveX object as used in Internet Explorer 5.0 returns a specific error code when a file does not exist, which allows remote malicious web sites to determine the existence of files on the client. 793 19991114 IE 5.0 and Windows Media Player ActiveX object allow checking the existence of local files and directories Vulnerability in StackGuard before 1.21 allows remote attackers to bypass the Random and Terminator Canary security mechanisms by using a non-linear attack which directly modifies a pointer to a return address instead of using a buffer overflow to reach the return address entry itself. immunix-stackguard-bo(3524) 19911109 ImmuniX OS Security Alert: StackGuard 1.21 Released 786 Buffer overflow in IrfanView32 3.07 and earlier allows attackers to execute arbitrary commands via a long string after the "8BPS" image type in a Photo Shop image header. irfan-view32-bo(3549) 781 19991109 Irfan view 3.07 buffer overflow http://stud4.tuwien.ac.at/~e9227474/main2.html Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier on MacOS systems allows remote attackers to cause a denial of service via a long USER command to port 106. 75 19980414 MacOS based buffer overflows... Buffer overflow in Korn Shell (ksh) suid_exec program on IRIX 6.x and earlier, and possibly other operating systems, allows local users to gain root privileges. ksh-suid_exec(2100) 467 H-15A 19980405-01-I AA-96.17 Vulnerability in the /etc/suid_exec program in HP Apollo Domain/OS sr10.2 and sr10.3 beta, related to the Korn Shell (ksh). CA-1990-04 7 apollo-suidexec-unauthorized-access(6721) A-30 Vulnerability in runpriv in Indigo Magic System Administration subsystem of SGI IRIX 6.3 and 6.4 allows local users to gain root privileges. sgi-runpriv(2108) 462 19970503-01-PX 1009 lquerypv in AIX 4.1 and 4.2 allows local users to read arbitrary files by specifying the file in the -h command line parameter. ibm-lquerypv(1752) H-13 19961125 AIX lquerypv 455 19961124 19961125 lquerypv fix ndd in Solaris 2.6 allows local users to cause a denial of service by modifying certain TCP/IP parameters. sun-ndd(817) 433 00165 FTP installation script anon.ftp in AIX insecurely configures anonymous FTP, which allows remote attackers to execute arbitrary commands. CA-1992-09 aix-anon-ftp(3154) 41 netprint in SGI IRIX 6.4 and earlier trusts the PATH environmental variable for finding and executing the disable program, which allows local users to gain privileges. sgi-netprint(2107) 395 19970104 Irix: netprint story 19961203-02-PX 993 19961203-01-PX The default configuration for UUCP in AIX before 3.2 allows local users to gain root privileges. CA-1992-06 ibm-uucp(554) 38 891 Vulnerability in restore in SunOS 4.0.3 and earlier allows local users to gain privileges. CA-1989-02 sun-restore-gain-privileges(6695) 3 CIAC-08 The installation of Sun Source (sunsrc) tapes allows local users to gain root privileges via setuid root programs (1) makeinstall or (2) winstall. CA-1991-07 sun-sourcetapes(582) 00107 22 21 HTTP Client application in ColdFusion allows remote attackers to bypass access restrictions for web pages on other ports by providing the target page to the mainframeset.cfm application, which requests the page from the server, making it look like the request is coming from the local host. http://packetstorm.securify.com/mag/phrack/phrack54/P54-08 Oracle Webserver 2.1 and earlier runs setuid root, but the configuration file is owned by the oracle account, which allows any local or remote attacker who obtains access to the oracle account to gain privileges or modify arbitrary files by modifying the configuration file. 19970919 Instresting practises of Oracle [Oracle Webserver] Cisco Resource Manager (CRM) 1.1 and earlier creates certain files with insecure permissions that allow local users to obtain sensitive configuration information including usernames, passwords, and SNMP community strings, from (1) swim_swd.log, (2) swim_debug.log, (3) dbi_debug.log, and (4) temporary files whose names begin with "DPR_". cisco-crm-file-vuln(1575) 19980813 CRM Temporary File Vulnerability I-086 Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which allows remote attackers to cause a denial of service (resource exhaustion) via a series of connections containing malformed data, aka the "Named Pipes Over RPC" vulnerability. MS98-017 Q195733 nt-spoolss(523) Internet Explorer 3.01 on Windows 95 allows remote malicious web sites to execute arbitrary commands via a .isp file, which is automatically downloaded and executed without prompting the user. http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html http://members.tripod.com/~unibyte/iebug3.htm Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers to inject 802.1q frames into another VLAN by forging the VLAN identifier in the trunking tag. cisco-catalyst-vlan-frames(3294) 615 19990901 VLAN Security http://www.cisco.com/univercd/cc/td/doc/product/lan/28201900/1928v8x/eescg8x/aleakyv.htm Default configuration of the search engine in Netscape Enterprise Server 3.5.1, and possibly other versions, allows remote attackers to read the source of JHTML files by specifying a search command using the HTML-tocrec-demo1.pat pattern file. 19990730 Netscape Enterprise Server yeilds source of JHTML 559 19990730 Netscape Enterprise Server yeilds source of JHTML Buffer overflow in OSF Distributed Computing Environment (DCE) security demon (secd) in IRIX 6.4 and earlier allows attackers to cause a denial of service via a long principal, group, or organization. VB-97.12 sgi-osf-dce-dos(1123) I-060 19980601-01-PX Windows NT 4.0 allows remote attackers to cause a denial of service (crash) via extra source routing data such as (1) a Routing Information Field (RIF) field with a hop count greater than 7, or (2) a list containing duplicate Token Ring IDs. Q179157 19981005 NMRC Advisory - Lame NT Token Ring DoS token-ring-dos(1399) 19981002 NMRC Advisory - Lame NT Token Ring DoS HP-UX 9.x and 10.x running X windows may allow local attackers to gain privileges via (1) vuefile, (2) vuepad, (3) dtfile, or (4) dtpad, which do not authenticate users. hp-vue-dt(499) HPSBUX9709-069 Vulnerability in Vue 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4038, PHSS_4055, and PHSS_4066. E-23 hp-vue(2284) HPSBUX9404-008 Vulnerability in VUE 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4994 and PHSS_5438. hp-vue(2284) HPSBUX9504-027 Vulnerability in Predictive on HP-UX 11.0 and earlier, and MPE/iX 5.5 and earlier, allows attackers to compromise data transfer for Predictive messages (using e-mail or modem) between customer and Response Center Predictive systems. mpeix-predictive(1413) HPSBUX9807-081 I-081 19980729 HP-UX Predictive & Netscape SSL Vulnerabilities HPSBMP9807-005 The permissions for the /dev/audio device on Solaris 2.2 and earlier, and SunOS 4.1.x, allow any local user to read from the device, which could be used by an attacker to monitor conversations happening near a machine that has a microphone. sun-audio(549) E-01 00122 6436 SCO UNIX System V/386 Release 3.2, and other SCO products, installs the home directories (1) /tmp for the dos user, and (2) /usr/tmp for the asg user, which allows other users to gain access to those accounts since /tmp and /usr/tmp are world-writable. CA-1993-13 sco-homedir(546) Character-Terminal User Environment (CUE) in HP-UX 11.0 and earlier allows local users to overwrite arbitrary files and gain root privileges via a symlink attack on the IOERROR.mytty file. HPSBUX9801-074 19980121 HP-UX CUE, CUD and LAND vulnerabilities 19970901 HP UX Bug :) hp-cue(2007) I-027B Buffer overflow in CrackLib 2.5 may allow local users to gain root privileges via a long GECOS field. VB-97.16 cracklib-bo(1539) 19971214 buffer overflows in cracklib?! Ascom Timeplex router allows remote attackers to obtain sensitive information or conduct unauthorized activities by entering debug mode through a sequence of CTRL-D characters. ascom-timeplex-debug(1824) 19970515 MicroSolved finds hole in Ascom Timeplex Router Security SunOS 4.1.2 and earlier allows local users to gain privileges via "LD_*" environmental variables to certain dynamically linked setuid or setgid programs such as (1) login, (2) su, or (3) sendmail, that change the real and effective user ids to the same user. CA-1992-11 sun-env(3152) 00116 Vulnerability in runtime linker program rld in SGI IRIX 6.x and earlier allows local users to gain privileges via setuid and setgid programs. sgi-rld(2109) H-065 19970504-01-PX Certain files in MPower in HP-UX 10.x are installed with insecure permissions, which allows local users to gain privileges. hp-mpower(2056) HPSBUX9701-051 Vulnerability in Glance programs in GlancePlus for HP-UX 10.20 and earlier allows local users to access arbitrary files and gain privileges. hp-glanceplus(2059) H-21 HPSBUX9701-044 Vulnerability in Glance and gpm programs in GlancePlus for HP-UX 9.x and earlier allows local users to access arbitrary files and gain privileges. hp-glanceplus-gpm(2060) HPSBUX9405-011 Buffer overflow in Platinum Policy Compliance Manager (PCM) 7.0 allows remote attackers to execute arbitrary commands via a long string to the Agent port (1827), which is handled by smaxagent.exe. pcm-dos-execute(1430) 19981204 [SAFER-981204.DOS.1.3] Buffer Overflow in Platinum PCM 7.0 3164 FTP service in IIS 4.0 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via many passive (PASV) connections at the same time. iis-passive-ftp(1215) MS98-006 Q189262 Buffer overflow in CSM Proxy 4.1 allows remote attackers to cause a denial of service (crash) via a long string to the FTP port. csm-proxy-dos(1422) 19980716 S.A.F.E.R. Security Bulletin 980708.DOS.1.1 Livingston Portmaster routers running ComOS use the same initial sequence number (ISN) for TCP connections, which allows remote attackers to conduct spoofing and hijack TCP sessions. portmaster-fixed-isn(1882) 19980630 Livingston Portmaster - ISN generation is loosy! Compaq/Microcom 6000 Access Integrator does not cause a session timeout after prompting for a username or password, which allows remote attackers to cause a denial of service by connecting to the integrator without providing a username or password. microcom-dos(2089) 19980603 Compaq/Microcom 6000 DoS + more Compaq/Microcom 6000 Access Integrator does not disconnect a client after a certain number of failed login attempts, which allows remote attackers to guess usernames or passwords via a brute force attack. 19980603 Compaq/Microcom 6000 DoS + more HAMcards Postcard CGI script 1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address. cgi-perl-mail-programs(1400) LakeWeb Filemail CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address. cgi-perl-mail-programs(1400) 19981109 Several new CGI vulnerabilities http://lakeweb.com/scripts/ LakeWeb Mail List CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address. cgi-perl-mail-programs(1400) 19981109 Several new CGI vulnerabilities http://lakeweb.com/scripts/ BisonWare FTP Server 4.1 and earlier allows remote attackers to cause a denial of service via a malformed PORT command that contains a non-numeric character and a large number of carriage returns. bisonware-port-crash(2254) Tcpip.sys in Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service via an ICMP Subnet Mask Address Request packet, when certain multiple IP addresses are bound to the same network interface. tcpipsys-icmp-dos(3894) Q192774 Buffer overflow in (1) pluggable authentication module (PAM) on Solaris 2.5.1 and 2.5 and (2) unix_scheme in Solaris 2.4 and 2.3 allows local users to gain root privileges via programs that use these modules such as passwd, yppasswd, and nispasswd. 00139 AA-97.09 SSH 2.0.11 and earlier allows local users to request remote forwarding from privileged ports without being root. ssh-privileged-port-forward(1471) 19981229 ssh2 security problem (and patch) (fwd) Vulnerability in ftpd/kftpd in HP-UX 10.x and 9.x allows local and possibly remote users to gain root privileges. HPSBUX9702-055 H-33 hp-ftpd-kftpd(7437) Vulnerability in ppl in HP-UX 10.x and earlier allows local users to gain root privileges by forcing ppl to core dump. HPSBUX9704-057 H-32 19961104 ppl bugs 19961103 Re: Untitled hp-ppl(7438) Vulnerability in passwd in SCO UNIX 4.0 and earlier allows attackers to cause a denial of service by preventing users from being able to log into the system. CA-1993-08 sco-passwd-deny(542) Vulnerability in HP Series 800 S/X/V Class servers allows remote attackers to gain access to the S/X/V Class console via the Service Support Processor (SSP) Teststation. HPSBUX9911-105 hp-ssp(7439) Microsoft Outlook client allows remote attackers to cause a denial of service by sending multiple email messages with the same X-UIDL headers, which causes Outlook to hang. 19990625 Outlook denial of service GNU fingerd 1.37 does not properly drop privileges before accessing user information, which could allow local users to (1) gain root privileges via a malicious program in the .fingerrc file, or (2) read arbitrary files via symbolic links from .plan, .forward, or .project files. 535 19950317 GNU finger 1.37 executes ~/.fingerrc with gid root 19990721 old gnu finger bugs Linux 2.0.37 does not properly encode the Custom segment limit, which allows local users to gain root privileges by accessing and modifying kernel memory. 523 19990711 Linux 2.0.37 segment limit bug Cross-site scripting vulnerability in Third Voice Web annotation utility allows remote users to read sensitive data and generate fake web pages for other Third Voice users by injecting malicious Javascript into an annotation. http://www.wired.com/news/technology/0,1282,20677,00.html http://www.wired.com/news/technology/0,1282,20636,00.html thirdvoice-cross-site-scripting(7252) install.iss installation script for Internet Security Scanner (ISS) for Linux, version 5.3, allows local users to change the permissions of arbitrary files via a symlink attack on a temporary file. 19990220 ISS install.iss security hole nobo 1.2 allows remote attackers to cause a denial of service (crash) via a series of large UDP packets. 19990204 NOBO denial of service IPswitch IMail allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920. 218 19990204 WS FTP Server Remote DoS Attack IPswitch WS_FTP allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920. 218 19990204 WS FTP Server Remote DoS Attack By design, Maximizer Enterprise 4 calendar and address book program allows arbitrary users to modify the calendar of other users when the calendar is being shared. 19990114 security hole in Maximizer Corel Word Perfect 8 for Linux creates a temporary working directory with world-writable permissions, which allows local users to (1) modify Word Perfect behavior by modifying files in the working directory, or (2) modify files of other users via a symlink attack. 19981218 wordperfect 8 for linux security ZIP drive for Iomega ZIP-100 disks allows attackers with physical access to the drive to bypass password protection by inserting a known disk with a known password, waiting for the ZIP drive to power down, manually replacing the known disk with the target disk, and using the known password to access the target disk. http://www.counterpane.com/crypto-gram-9812.html#doghouse Web Cache Control Protocol (WCCP) in Cisco Cache Engine for Cisco IOS 11.2 and earlier does not use authentication, which allows remote attackers to redirect HTTP traffic to arbitrary hosts via WCCP packets to UDP port 2048. 19980513 Cisco Web Cache Control Protocol Router Vulnerability I-054 cisco-wccp-vuln(1577) Buffer overflow in cidentd ident daemon allows local users to gain root privileges via a long line in the .authlie script. 19980911 Re: security problems with jidentd 19980110 Cidentd Directory traversal vulnerability in nph-publish before 1.2 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the pathname for an upload operation. http://www-genome.wi.mit.edu/WWW/tools/CGI_scripts/server_publish/nph-publish http://www.w3.org/Security/Faq/wwwsf4.html http-cgi-nphpublish(2055) Sambar Server 4.1 beta allows remote attackers to obtain sensitive information about the server via an HTTP request for the dumpenv.pl script. sambar-dump-env(3223) 19980610 Sambar Server Beta BUG.. Vulnerability in man.sh CGI script, included in May 1998 issue of SysAdmin Magazine, allows remote attackers to execute arbitrary commands. 19980515 May SysAdmin man.sh security hole O'Reilly WebSite 1.1e and Website Pro 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in an argument to (1) args.cmd or (2) args.bat. O'Reilly has corrected this issue in WebSite Professional 2.5, which is now available from: http://website.oreilly.com Vulnerability in On-Line Customer Registration software for IRIX 6.2 through 6.4 allows local users to gain root privileges. J-003 19980901-01-PX irix-register(7441) Buffer overflow in run-time linkers (1) ld.so or (2) ld-linux.so for Linux systems allows local users to gain privileges by calling a setuid program with a long program name (argv[0]) and forcing ld.so/ld-linux.so to report an error. 19970722 ld.so vulnerability 19970717 KSR[T] Advisory #2: ld.so 19980204 An old ld-linux.so hole System Manager sysmgr GUI in SGI IRIX 6.4 and 6.3 allows remote attackers to execute commands by providing a trojan horse (1) runtask or (2) runexec descriptor file, which is used to execute a System Manager Task when the user's Mailcap entry supports the x-sgi-task or x-sgi-exec type. 19980403-02-PX 19980403-01-PX sgi-mailcap(809) 8556 Buffer overflow in Elm 2.4 and earlier allows local users to gain privileges via a long TERM environmental variable. 19970514 Re: ELM overflow 19970513 Buffer overflow in SCO mscreen allows local users to gain root privileges via a long terminal entry (TERM) in the .mscreenrc file. 19980926 Root exploit for SCO OpenServer. rxvt, when compiled with the PRINT_PIPE option in various Linux operating systems including Linux Slackware 3.0 and RedHat 2.1, allows local users to gain root privileges by specifying a malicious program using the -print-pipe command line parameter. 19960102 rxvt security hole Pine before version 3.94 allows local users to gain privileges via a symlink attack on a lockfile that is created when a user receives new mail. pine-tmpfile(416) 19960826 [BUG] Vulnerability in PINE mysqld in MySQL 3.21 creates log files with world-readable permissions, which allows local users to obtain passwords for users who are added to the user database. mysql-readable-log-files(1568) 19981227 mysql: mysqld creates world readable logs.. Buffer overflow in Netscape Navigator/Communicator 4.7 for Windows 95 and Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long argument after the ? character in a URL that references an .asp, .cgi, .html, or .pl file. 822 netscape-long-argument-bo(7884) 19991127 Netscape Communicator 4.7 - Navigator Overflows 19991124 Netscape Communicator 4.7 - Navigator Overflows Buffer overflow in POP3 server of Admiral Systems EmailClub 1.05 allows remote attackers to execute arbitrary commands via a long "From" header in an e-mail message. 801 http://www.securiteam.com/exploits/E-MailClub__FROM__remote_buffer_overflow.html Buffer overflow in chkey in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument. AA-97.18 207 00144 19970519 Re: Finally, most of an exploit for Solaris 2.5.1's ps. solaris-chkey-bo(7442) Buffer overflow in eeprom in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument. 206 00143 solaris-eeprom-bo(7444) The "me" user in NeXT NeXTstep 2.1 and earlier has wheel group privileges, which could allow the me user to use the su command to become root. CA-1991-06 next-me(581) 20 chroot in Digital Ultrix 4.1 and 4.0 is insecurely installed, which allows local users to gain privileges. CA-1991-05 dec-chroot(577) 17 NAI VirusScan NT 4.0.2 does not properly modify the scan.dat virus definition file during an update via FTP, but it reports that the update was successful, which could cause a system administrator to believe that the definitions have been updated correctly. 19990505 NAI AntiVirus Update Problem 169 19990505 NAI AntiVirus Update Problem Hummingbird Exceed X version 5 allows remote attackers to cause a denial of service via malformed data to port 6000. Upgrade to a non-vulnerable version of Exceed (Hummingbird Exceed 6.0.1 Hummingbird Exceed 6.0.2 Hummingbird Exceed 6.1) 158 19990427 NT/Exceed D.O.S. TIOCCONS in SunOS 4.1.1 does not properly check the permissions of a user who tries to redirect console output and input, which could allow a local user to gain privileges. CA-1990-12 14 sunos-tioccons-console-redirection(7140) BuildDisk program on NeXT systems before 2.0 does not prompt users for the root password, which allows local users to gain root privileges. CA-1990-06 B-01 11 nextstep-builddisk-root-access(7141) Apache WWW server 1.3.1 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via a large number of MIME headers with the same name, aka the "sioux" vulnerability. 19980807 YA Apache DoS attack http://www.redhat.com/support/errata/rh51-errata-general.html#apache 19980810 Apache DoS Attack 19980811 Apache 'sioux' DOS fix for TurboLinux 19980808 Debian Apache Security Update Vintra SMTP MailServer allows remote attackers to cause a denial of service via a malformed "EXPN *@" command. vintra-mail-dos(1617) 19980720 DOS in Vintra systems Mailserver software. Windows 95 and Windows 98 systems, when configured with multiple TCP/IP stacks bound to the same MAC address, allow remote attackers to cause a denial of service (traffic amplification) via a certain ICMP echo (ping) packet, which causes all stacks to send a ping response, aka TCP Chorusing. win-multiple-ip-dos(7542) 225 19990206 New Windows 9x Bug: TCP Chorusing StarTech (1) POP3 proxy server and (2) telnet server allows remote attackers to cause a denial of service via a long USER command. startech-pop3-overflow(2088) 19980703 Windows95 Proxy DoS Vulnerabilites Multilink PPP for ISDN dialup users in Ascend before 4.6 allows remote attackers to cause a denial of service via a spoofed endpoint identifier. ascend-ppp-isdn-dos(7498) 19990212 PPP/ISDN multilink security issue - summary 19990210 Security problems in ISDN equipment authentication Check Point Firewall-1 does not properly handle certain restricted keywords (e.g., Mail, auth, time) in user-defined objects, which could produce a rule with a default "ANY" address and result in access to more systems than intended by the administrator. 19980511 Firewall-1 Reserved Keywords Vulnerability http://www.checkpoint.com/techsupport/config/keywords.html fw1-user-defined-keywords-access(7293) 4416 nettune in HP-UX 10.01 and 10.00 is installed setuid root, which allows local users to cause a denial of service by modifying critical networking configuration information. HPSBUX9607-035 19960607 HP-UX B.10.01 vulnerability hp-nettune(414) SystemSoft SystemWizard package in HP Pavilion PC with Windows 98, and possibly other platforms and operating systems, installs two ActiveX controls that are marked as safe for scripting, which allows remote attackers to execute arbitrary commands via a malicious web page that references (1) the Launch control, or (2) the RegObj control. http://www.systemsoft.com/l-2/l-3/support-systemwizard.htm 19990729 New ActiveX security problems in Windows 98 PCs 555 Buffer overflow in web-admin tool in NetXRay 2.6 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP request. netxray-bo(907) http://www.efri.hr/~crv/security/bugs/NT/netxtray.html Buffer overflow in ping in AIX 4.2 and earlier allows local users to gain root privileges via a long command line argument. ping-bo(803) 19970721 AIX ping, lchangelv, xlock fixes 19970721 AIX ping (Exploit) Vulnerability in scoterm in SCO OpenServer 5.0 and SCO Open Desktop/Open Server 3.0 allows local users to gain root privileges. VB-97.14 sco-scoterm(690) 19971204 scoterm exploit xterm in Digital UNIX 4.0B *with* patch kit 5 allows local users to overwrite arbitrary files via a symlink attack on a core dump file, which is created when xterm is called with a DISPLAY environmental variable set to a display that xterm cannot access. dec-xterm(613) 19971112 Digital Unix Security Problem Vulnerability in in.telnetd in SunOS 4.1.1 and earlier allows local users to gain root privileges. CA-1991-02 sun-intelnetd(574) Vulnerability in in.rlogind in SunOS 4.0.3 and 4.0.3c allows local users to gain root privileges. CA-1991-02 sun-intelnetd(574) Vulnerability in telnet service in HP-UX 10.30 allows attackers to cause a denial of service. hp-telnetdos(571) HPSBUX9710-070 The asynchronous I/O facility in 4.4 BSD kernel does not check user credentials when setting the recipient of I/O notification, which allows local users to cause a denial of service by using certain ioctl and fcntl calls to cause the signal to be sent to an arbitrary process ID. openbsd-iosig(556) http://www.openbsd.com/advisories/signals.txt 11062 19970915 Vulnerability in I/O Signal Handling LOGIN.EXE program in Novell Netware 4.0 and 4.01 temporarily writes user name and password information to disk, which could allow local users to gain privileges. CA-1993-12 novell-login(545) D-21 Cisco routers 9.17 and earlier allow remote attackers to bypass security restrictions via certain IP source routed packets that should normally be denied using the "no ip source-route" command. CA-1993-07 cisco-sourceroute(541) D-15 The PATH in Windows NT includes the current working directory (.), which could allow local users to gain privileges by placing Trojan horse programs with the same name as commonly used system programs into certain directories. nt-path(526) 19970725 Re: NT security - why bother? 19970723 NT security - why bother? Vulnerability in finger in Commodore Amiga UNIX 2.1p2a and earlier allows local users to read arbitrary files. CA-1993-04 amiga-finger(522) Vulnerability in sgihelp in the SGI help system and print manager in IRIX 5.2 and earlier allows local users to gain root privileges, possibly through the clogin command. CA-1994-13 sgi-prn-mgr(511) 468 E-33 Majordomo 1.94.3 and earlier allows remote attackers to execute arbitrary commands when the advertise or noadvertise directive is used in a configuration file, via shell metacharacters in the Reply-To header. majordomo-advertise(502) 19970824 Vulnerability in Majordomo dxchpwd in Digital Unix (OSF/1) 3.x allows local users to modify arbitrary files via a symlink attack on the dxchpwd.log file. dgux-chpwd(399) 19961117 Digital Unix v3.x (v4.x?) security vulnerability Netbt.sys in Windows NT 4.0 allows remote malicious DNS servers to cause a denial of service (crash) by returning 0.0.0.0 as the IP address for a DNS host name lookup. dns-netbtsys-dos(3893) Q188571 IIS 3.0 allows remote attackers to cause a denial of service via a request to an ASP page in which the URL contains a large number of / (forward slash) characters. url-asp-av(3892) Q187503 IMAP 4.1 BETA, and possibly other versions, does not properly handle the SIGABRT (abort) signal, which allows local users to crash the server (imapd) via certain sequences of commands, which causes a core dump that may contain sensitive password information. imapd-core(349) 19971008 L0pht Advisory: IMAP4rev1 imapd server rpc.mountd on Linux, Ultrix, and possibly other operating systems, allows remote attackers to determine the existence of a file on the server by attempting to mount that file, which generates different error messages depending on whether the file exists or not. mountd-file-exists(347) 19970824 Serious security flaw in rpc.mountd on several operating systems. Netscape Communicator 4.7 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long certificate key. netscape-huge-key-dos(3436) Ethereal allows local users to overwrite arbitrary files via a symlink attack on the packet capture file. ethereal-dev-capturec-root(3334) http://www.ethereal.com/lists/ethereal-dev/199907/msg00130.html http://www.ethereal.com/lists/ethereal-dev/199907/msg00126.html Various modems that do not implement a guard time, or are configured with a guard time of 0, can allow remote attackers to execute arbitrary modem commands such as ATH, ATH0, etc., via a "+++" sequence that appears in ICMP packets, the subject of an e-mail message, IRC commands, and others. global-village-modem-dos(3320) 19980927 1+2=3, +++ATH0=Old school DoS http://www.macintouch.com/modemsecurity.html Quake 2 server 3.13 on Linux does not properly check file permissions for the config.cfg configuration file, which allows local users to read arbitrary files via a symlink from config.cfg to the target file. linux-quake2(733) 19980225 Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files Quake 2 server allows remote attackers to cause a denial of service via a spoofed UDP packet with a source address of 127.0.0.1, which causes the server to attempt to connect to itself. quake2-dos(698) 19971224 Quake II Remote Denial of Service ssh 2.0.12, and possibly other versions, allows valid user names to attempt to enter the correct password multiple times, but only prompts an invalid user name for a password once, which allows remote attackers to determine user account names on the server. 19990609 ssh advirsory ssh-leak(2276) Untrusted search path vulnerability in day5datacopier in SGI IRIX 6.2 allows local users to execute arbitrary commands via a modified PATH environment variable that points to a malicious cp program. sgi-day5datacopier(3316) 8559 19970516 Irix and WWW IIS 4.0 does not properly restrict access for the initial session request from a user's IP address if the address does not resolve to a DNS domain, aka the "Domain Resolution" vulnerability. iis-unresolved-domain-access(3306) 657 MS99-039 241562 LSA (LSASS.EXE) in Windows NT 4.0 allows remote attackers to cause a denial of service via a NULL policy handle in a call to (1) SamrOpenDomain, (2) SamrEnumDomainUsers, and (3) SamrQueryDomainInfo. msrpc-samr-open-dos(3293) 19991026 Re: LSA vulnerability on NT40 SP5 Internet Explorer 5.0 records the username and password for FTP servers in the URL history, which could allow (1) local users to read the information from another user's index.dat, or (2) people who are physically observing ("shoulder surfing") another user to read the information from the status bar when the user moves the mouse over a link. nt-ie5-user-ftp-password(3289) Internet Anywhere Mail Server 2.3.1 stores passwords in plaintext in the msgboxes.dbf file, which could allow local users to gain privileges by extracting the passwords from msgboxes.dbf. iams-passwords-plaintext(3285) 731 19991001 Vulnerabilities in the Internet Anywhere Mail Server Multiple buffer overflows in smbvalid/smbval SMB authentication library, as used in Apache::AuthenSmb and possibly other modules, allows remote attackers to execute arbitrary commands via (1) a long username, (2) a long password, and (3) other unspecified methods. smbvalid-bo(2272) 19990606 Buffer overflows in smbval library Vulnerability in CORE-DIAG fileset in HP message catalog in HP-UX 9.05 and earlier allows local users to gain privileges. hp-core-diag-fileset(2262) HPSBUX9409-017 HP-UX 9.x does not properly enable the Xauthority mechanism in certain conditions, which could allow local users to access the X display even when they have not explicitly been authorized to do so. hp-xauthority(2261) HPSBUX9407-015 Buffer overflow in cddbd CD database server allows remote attackers to execute arbitrary commands via a long log message. cddbd-bo(2203) Internet Explorer, with a security setting below Medium, allows remote attackers to execute arbitrary commands via a malicious web page that uses the FileSystemObject ActiveX object. ie-filesystemobject(2173) http://oliver.efri.hr/~crv/security/bugs/NT/activex4.html Vulnerability in subnetconfig in HP-UX 9.01 and 9.0 allows local users to gain privileges. hp-subnet-config(2162) HPSBUX9402-003 SGI Desktop Permissions Tool in IRIX 6.0.1 and earlier allows local users to modify permissions for arbitrary files and gain privileges. sgi-permissions(2113) F-16 19950301-01-P373 IPFilter 3.2.3 through 3.2.10 allows local users to modify arbitrary files via a symlink attack on the saved output file. ipfilter-temp-file(2087) 19990415 FSA-99.04-IPFILTER-v3.2.10 vacm ucd-snmp SNMP server, version 3.52, does not properly disable access to the public community string, which could allow remote attackers to obtain sensitive information. This vulnerability was fixed in version 3.6 of ucd-snmpd. ucd-snmpd-community(2086) Direct Mailer feature in Microsoft Site Server 3.0 saves user domain names and passwords in plaintext in the TMLBQueue network share, which has insecure default permissions, allowing remote attackers to read the passwords and gain privileges. siteserver-directmail-passwords(2068) Q229972 Vulnerability in HP Camera component of HP DCE/9000 in HP-UX 9.x allows attackers to gain root privileges. hp-dce9000(2061) HPSBUX9402-006 Vulnerability in Support Watch (aka SupportWatch) in HP-UX 8.0 through 9.0 allows local users to gain privileges. hp-supportwatch(2058) HPSBUX9411-019 movemail in HP-UX 10.20 has insecure permissions, which allows local users to gain privileges. hp-movemail(2057) HPSBUX9701-047 8099 Vulnerability in CGI program in the Lasso application by Blue World, as used on WebSTAR and other servers, allows remote attackers to read arbitrary files. http-cgi-lasso(2044) 19970819 Lasso CGI security hole (fwd) Vulnerability in direct audio user space code on HP-UX 10.20 and 10.10 allows local users to cause a denial of service. hp-audio-panic(2010) HPSBUX9612-043 Vulnerability in a certain system call in SCO UnixWare 2.0.x and 2.1.0 allows local users to access arbitrary files and gain root privileges. VB-96.15 sco-system-call(1966) 96:002 Vulnerability in a kernel error handling routine in SCO OpenServer 5.0.2 and earlier, and SCO Internet FastStart 1.0, allows local users to gain root privileges. VB-96.10 sco-kernel(1965) 96:001 Windows 95, 98, and NT 4.0 allow remote attackers to cause a denial of service by spoofing ICMP redirect messages from a router, which causes Windows to change its routing tables. win-redirects-freeze(1947) 19990308 Winfreeze EXPLOIT Win9x/NT Hyperseek allows remote attackers to modify the hyperseek configuration by directly calling the admin.cgi program with an edit_file action parameter. hyperseek-modify(1914) Oracle Database Assistant 1.0 in Oracle 8.0.3 Enterprise Edition stores the database master password in plaintext in the spoolmain.log file when a new database is created, which allows local users to obtain the password from that file. oracle-passwords(1902) 19990304 Oracle Plaintext Password 19990304 Oracle Plaintext Password Xyplex terminal server 6.0.1S1, and possibly other versions, allows remote attackers to bypass the password prompt by entering (1) a CTRL-Z character, or (2) a ? (question mark). xyplex-question-login(1826) xyplex-controlz-login(1825) 19971126 Xyplex terminal server bug rpc.pwdauthd in SunOS 4.1.1 and earlier does not properly prevent remote access to the daemon, which allows remote attackers to obtain sensitive system information. sun-pwdauthd(1782) 00102 Microsoft Office 98, Macintosh Edition, does not properly initialize the disk space used by Office 98 files and effectively inserts data from previously deleted files into the Office file, which could allow attackers to obtain sensitive information. office-extraneous-data(1780) Q189529 mSQL (Mini SQL) 2.0.6 allows remote attackers to obtain sensitive server information such as logged users, database names, and server version via the ServerStats query. msql-serverstats(1777) 19990215 KSR[T] Advisory #10: mSQL ServerStats Buffer overflow in Rainbow Six Multiplayer allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long nickname (nick) command. rainbowsix-nick-bo(1772) 19990211 Rainbow Six Buffer Overflow..... Java in Netscape 4.5 does not properly restrict applets from connecting to other hosts besides the one from which the applet was loaded, which violates the Java security model and could allow remote attackers to conduct unauthorized activities. java-socket-open(1727) 19990202 Unsecured server in applets under Netscape Metamail before 2.7-7.2 allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified, which is processed by uuencode in Metamail scripts such as sun-audio-file. metamail-file-creation(1677) 19971024 Vulnerability in metamail WebRamp M3 router does not disable remote telnet or HTTP access to itself, even when access has been expliticly disabled. 19990203 WebRamp M3 Perceived Bug webramp-remote-access(1670) 19990121 WebRamp M3 remote network access bug SMTP server in SLmail 3.1 and earlier allows remote attackers to cause a denial of service via malformed commands whose arguments begin with a "(" (parenthesis) character, such as (1) SEND, (2) VRFY, (3) EXPN, (4) MAIL FROM, (5) RCPT TO. slmail-parens-overload(1664) 19980922 WARNING! SMTP Denial of Service in SLmail ver 3.1 19980922 WARNING! SMTP Denial of Service in SLmail ver 3.1 rsh daemon (rshd) generates different error messages when a valid username is provided versus an invalid name, which allows remote attackers to determine valid users on the system. rsh-username-leaks(1660) 19970613 rshd gives away usernames KDE file manager (kfm) uses a TCP server for certain file operations, which allows remote attackers to modify arbitrary files by sending a copy command to the server. kde-flawed-ipc(1646) 19970505 Hole in the KDE desktop Vulnerability in KDE konsole allows local users to hijack or observe sessions of other users by accessing certain devices. http://lists.kde.org/?l=kde-devel&m=91560433413263&w=2 kde-konsole-hijack(1645) Screen savers in KDE beta 3 allows local users to overwrite arbitrary files via a symlink attack on the .kss.pid file. kde-kss-file-clobber(1641) 19980206 serious security hole in KDE Beta 3 KMail in KDE 1.0 provides a PGP passphrase as a command line argument to other programs, which could allow local users to obtain the passphrase and compromise the PGP keys of other users by viewing the arguments via programs that list process information, such as ps. kde-kmail-passphrase-leak(1639) http://lists.kde.org/?l=kde-devel&m=90221974029738&w=2 Macromedia Dreamweaver uses weak encryption to store FTP passwords, which could allow local users to easily decrypt the passwords of other users. dreamweaver-weak-passwords(1636) 19980611 Unsecure passwords in Macromedia Dreamweaver Buffer overflows in CDROM Confidence Test program (cdrom) allow local users to gain root privileges. irix-cdrom-confidence(1635) 19980301-01-PX Squid Internet Object Cache 1.1.20 allows users to bypass access control lists (ACLs) by encoding the URL with hexadecimal escape sequences. squid-regexp-acl(1627) 19980220 Simple way to bypass squid ACLs iPass RoamServer 3.1 creates temporary files with world-writable permissions. ipass-temporary-files(1625) 19971229 iPass RoamServer 3.1 Lotus cc:Mail release 8 stores the postoffice password in plaintext in a hidden file which has insecure permissions, which allows local users to gain privileges. lotus-ccmail-passwords(1619) 19970908 Password unsecurity in cc:Mail release 8 fte-console in the fte package before 0.46b-4.1 does not drop root privileges, which allows local users to gain root access via the virtual console device. fte-console-privileges(1609) 19981207 fte-console: does not drop its root priviliges BackWeb client stores the username and password in cleartext for proxy authentication in the Communication registry key, which could allow other local users to gain privileges by reading the password. backweb-cleartext-passwords(1565) 19981224 BackWeb - Password issue (used by NAI for Corporate customer notification). nlog CGI scripts do not properly filter shell metacharacters from the IP address argument, which could allow remote attackers to execute certain commands via (1) nlog-smb.pl or (2) rpc-nlog.pl. http-cgi-nlog-netbios(1550) 19981226 Nlog 1.1b released - security holes fixed 19981225 Re: Nlog v1.0 Released - Nmap 2.x log management / analyzing tool An interaction between the AS/400 shared folders feature and Microsoft SNA Server 3.0 and earlier allows users to view each other's folders when the users share the same Local APPC LU. Q138001 snaserver-shared-folders(1548) Hummingbird Exceed 6.0.1.0 inadvertently includes a DLL that was meant for development and testing, which logs user names and passwords in cleartext in the test.log file. exceed-cleartext-passwords(1547) 19981203 Remote Tools w/Exceed v.6.0.1.0 fer 95 Development version of Breeze Network Server allows remote attackers to cause the system to reboot by accessing the configbreeze CGI program. breeze-remote-reboot(1544) 19981226 Breeze Network Server remote reboot and other bogosity. RealSystem G2 server stores the administrator password in cleartext in a world-readable configuration file, which allows local users to gain privileges. realsystem-readable-conf-file(1542) 19981210 RealSystem passwords Opera 3.2.1 allows remote attackers to cause a denial of service (application crash) via a URL that contains an extra / in the http:// tag. opera-slash-crash(1541) 19980814 URL exploit to crash Opera Browser NukeNabber allows remote attackers to cause a denial of service by connecting to the NukeNabber port (1080) without sending any data, which causes the CPU usage to rise to 100% from the report.exe program that is executed upon the connection. nukenabber-timeout-dos(1540) 19981105 various *lame* DoS attacks http://www.dynamsol.com/puppet/text/new.txt 19981107 Re: various *lame* DoS attacks Linux 2.1.132 and earlier allows local users to cause a denial of service (resource exhaustion) by reading a large buffer from a random device (e.g. /dev/urandom), which cannot be interrupted until the read has completed. 19981227 [patch] fix for urandom read(2) not interruptible linux-random-read-dos(1472) addnetpr in SGI IRIX 6.2 and earlier allows local users to modify arbitrary files and possibly gain root access via a symlink attack on a temporary file. irix-addnetpr(1433) 19970509 Re: Irix: misc 330 8560 ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX Vulnerability in Analog 3.0 and earlier allows remote attackers to read arbitrary files via the forms interface. analog-remote-file(1410) http://www.statslab.cam.ac.uk/~sret1/analog/security.html Samba 1.9.18 inadvertently includes a prototype application, wsmbconf, which is installed with incorrect permissions including the setgid bit, which allows local users to read and write files and possibly gain privileges via bugs in the program. samba-wsmbconf(1406) SA-1998.35 19981119 Vulnerability in Samba on RedHat, Caldera and PHT TurboLinux ICQ 98 beta on Windows NT leaks the internal IP address of a client in the TCP data segment of an ICQ packet instead of the public address (e.g. through NAT), which provides remote attackers with potentially sensitive information about the client or the internal network configuration. icq-ip-info(1398) 19981111 WARNING: Another ICQ IP address vulnerability Buffer overflow in nftp FTP client version 1.40 allows remote malicious FTP servers to cause a denial of service, and possibly execute arbitrary commands, via a long response string. nftp-bo(1397) http://www.ayukov.com/nftp/history.html 19981117 nftp vulnerability (fwd) TCP/IP implementation in Microsoft Windows 95, Windows NT 4.0, and possibly others, allows remote attackers to reset connections by forcing a reset (RST) via a PSH ACK or other means, obtaining the target's last sequence number from the resulting packet, then spoofing a reset to the target. nt-brkill(1383) 19981005 New Windows Vulnerability Buffer overflow in web administration feature of Kolban Webcam32 4.8.3 and earlier allows remote attackers to execute arbitrary commands via a long URL. webcam32-buffer-overflow(1366) 19980901 Remote Buffer Overflow in the Kolban Webcam32 Program mod_proxy in Apache 1.2.5 and earlier allows remote attackers to cause a denial of service via malformed FTP commands, which causes Apache to dump core. http://www.apache.org/info/security_bulletin_1.2.5.html 19980106 Apache security advisory Office Shortcut Bar (OSB) in Windows 3.51 enables backup and restore permissions, which are inherited by programs such as File Manager that are started from the Shortcut Bar, which could allow local users to read folders for which they do not have permission. Q146604 nt-filemgr(562) Transarc DCE Distributed File System (DFS) 1.1 for Solaris 2.4 and 2.5 does not properly initialize the grouplist for users who belong to a large number of groups, which could allow those users to gain access to resources that are protected by DFS. VB-96.16 dfs-login-groups(7154) Buffer overflow in Kerberos IV compatibility libraries as used in Kerberos V allows local users to gain root privileges via a long line in a kerberos configuration file, which can be specified via the KRB_CONF environmental variable. 19970429 vulnerabilities in kerberos cmdtool in OpenWindows 3.0 and XView 3.0 in SunOS 4.1.4 and earlier allows attackers with physical access to the system to display unechoed characters (such as those from password prompts) via the L2/AGAIN key. sun-cmdtool-echo(7482) 1077164 Sysinstall in FreeBSD 2.2.1 and earlier, when configuring anonymous FTP, creates the ftp user without a password and with /bin/date as the shell, which could allow attackers to gain access to certain system resources. FreeBSD-SA-97:03 6087 freebsd-sysinstall-ftp-password(7537) rcp on various Linux systems including Red Hat 4.0 allows a "nobody" user or other user with UID of 65535 to overwrite arbitrary files, since 65535 is interpreted as -1 by chown and other system calls, which causes the calls to fail to modify the ownership of the file. 19970203 Linux rcp bug Vulnerability in accton in Cray UNICOS 6.1 and 6.0 allows local users to read arbitrary files and modify system accounting configuration. B-31 A design flaw in the Z-Modem protocol allows the remote sender of a file to execute arbitrary programs on the client, as implemented in rz in the rzsz module of FreeBSD before 2.1.5, and possibly other programs. G-31 FreeBSD-SA-96:17 rzsz-command-execution(7540) Unspecified vulnerability in pt_chmod in SCO UNIX 4.2 and earlier allows local users to gain root access. 94:001 sco-pt_chmod(7586) 8797 VB-94:01 F-05 Vulnerability in prwarn in SCO UNIX 4.2 and earlier allows local users to gain root access. F-05 F-05 Vulnerability in login in SCO UNIX 4.2 and earlier allows local users to gain root access. F-05 F-05 Vulnerability in "at" program in SCO UNIX 4.2 and earlier allows local users to gain root access. 94:001 F-05 Cisco IOS 9.1 and earlier does not properly handle extended IP access lists when the IP route cache is enabled and the "established" keyword is set, which could allow attackers to bypass filters. CA-1992-20 Vulnerability in urestore in Novell UnixWare 1.1 allows local users to gain root privileges. F-06 19941209 Novell security advisory on sadc, urestore and the suid_exec feature Certain programs in HP-UX 10.20 do not properly handle large user IDs (UID) or group IDs (GID) over 60000, which could allow local users to gain privileges. H-91 hp-large-uid-gid(7594) H-91 H-09 Sendmail before 8.6.7 allows local users to gain root access via a large value in the debug (-d) command line option. CA-1994-12 19940315 Security problem in sendmail versions 8.x.x 19940315 anyone know details? 19940314 sendmail -d problem (OLD yet still here) sendmail-debug-gain-root(7155) 19940327 sendmail exploit script - resend 19940315 so... ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1022. Reason: This candidate is a duplicate of CVE-1999-1022. Notes: All CVE users should reference CVE-1999-1022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Vulnerability in dtlogin and dtsession in HP-UX 10.20 and 10.10 allows local users to bypass authentication and gain privileges. HPSBUX9701-046 H-21 Vulnerability in DEC OpenVMS VAX 5.5-2 through 5.0, and OpenVMS AXP 1.0, allows local users to gain system privileges. CA-1993-05 openvms-local-privilege-elevation(7142) Manual page reader (man) in FreeBSD 2.2 and earlier allows local users to gain privileges via a sequence of commands. G-24 FreeBSD-SA-96:11 bsd-man-command-sequence(7348) Vulnerability in union file system in FreeBSD 2.2 and earlier, and possibly other operating systems, allows local users to cause a denial of service (system reload) via a series of certain mount_union commands. FreeBSD-SA-96:10 unionfs-mount-ordering(7429) G-24 Vulnerabilities in DECnet/OSI for OpenVMS before 5.8 on DEC Alpha AXP and VAX/VMS systems allow local users to gain privileges or cause a denial of service. F-04 Passfilt.dll in Windows NT SP2 allows users to create a password that contains the user's name, which could make it easier for an attacker to guess. Q247975 passfilt-fullname(7391) Windows NT 4.0 SP4 and earlier allows local users to gain privileges by modifying the symbolic link table in the \?? object folder using a different case letter (upper or lower) to point to a different device. Q222159 19990314 AW: [ ALERT ] Case Sensitivity and Symbolic Links 19990312 [ ALERT ] Case Sensitivity and Symbolic Links nt-symlink-case(7398) /usr/5bin/su in SunOS 4.1.3 and earlier uses a search path that includes the current working directory (.), which allows local users to gain privileges via Trojan horse programs. 1121935 sun-su-path(7480) Vulnerability in object server program in SGI IRIX 5.2 through 6.1 allows remote attackers to gain root privileges in certain configurations. 19960101-01-PX irix-object-server(7430) Vulnerability in Novell NetWare 3.x and earlier allows local users to gain privileges via packet spoofing. D-01 netware-packet-spoofing-privileges(7213) Buffer overflow in ssh 1.2.26 client with Kerberos V enabled could allow remote attackers to cause a denial of service or execute arbitrary commands via a long DNS hostname that is not properly handled during TGT ticket passing. 19981105 security patch for ssh-1.2.26 kerberos code 4883 The installation of 1ArcServe Backup and Inoculan AV client modules for Exchange create a log file, exchverify.log, which contains usernames and passwords in plaintext. 19981117 Re: exchverify.log - update #1 19981112 exchverify.log Norton AntiVirus for Internet Email Gateways (NAVIEG) 1.0.1.7 and earlier, and Norton AntiVirus for MS Exchange (NAVMSE) 1.5 and earlier, store the administrator password in cleartext in (1) the navieg.ini file for NAVIEG, and (2) the ModifyPassword registry key in NAVMSE. 19990409 NAV for MS Exchange & Internet Email Gateways VAXstations running Open VMS 5.3 through 5.5-2 with VMS DECwindows or MOTIF do not properly disable access to user accounts that exceed the break-in limit threshold for failed login attempts, which makes it easier for attackers to conduct brute force password guessing. D-06 openvms-sysgen-enabled(7225) SAS System 5.18 on VAX/VMS is installed with insecure permissions for its directories and startup file, which allows local users to gain privileges. C-19 vaxvms-sas-gain-privileges(7261) wu-ftpd 2.4 FTP server does not properly drop privileges when an ABOR (abort file transfer) command is executed during a file transfer, which causes a signal to be handled incorrectly and allows local and possibly remote attackers to read arbitrary files. 19970105 BoS: serious security bug in wu-ftpd v2.4 -- PATCH 19970104 serious security bug in wu-ftpd v2.4 wuftpd-abor-gain-privileges(7169) Buffer overflow in linuxconf 1.11r11-rh2 on Red Hat Linux 5.1 allows local users to gain root privileges via a long LANG environmental variable. http://www.redhat.com/support/errata/rh51-errata-general.html#linuxconf 19980601 Re: SECURITY: Red Hat Linux 5.1 linuxconf bug (fwd) 6065 linuxconf-lang-bo(7239) linuxconf before 1.11.r11-rh3 on Red Hat Linux 5.1 allows local users to overwrite arbitrary files and gain root access via a symlink attack. 19980823 Security concerns in linuxconf shipped w/RedHat 5.1 http://www.redhat.com/support/errata/rh51-errata-general.html#linuxconf 6068 linuxconf-symlink-gain-privileges(7232) Buffer overflow in SysVInit in Red Hat Linux 5.1 and earlier allows local users to gain privileges. http://www.redhat.com/support/errata/rh50-errata-general.html#SysVinit sysvinit-root-bo(7250) The snprintf function in the db library 1.85.4 ignores the size parameter, which could allow attackers to exploit buffer overflows that would be prevented by a properly implemented snprintf. 19970709 [linux-security] so-called snprintf() in db-1.85.4 (fwd) http://www.redhat.com/support/errata/rh42-errata-general.html#db http://lists.openresources.com/Debian/debian-bugs-closed/msg00581.html linux-libdb-snprintf-bo(7244) netcfg 2.16-1 in Red Hat Linux 4.2 allows the Ethernet interface to be controlled by users on reboot when an option is set, which allows local users to cause a denial of service by shutting down the interface. http://www.redhat.com/support/errata/rh42-errata-general.html#netcfg netcfg-ethernet-dos(7245) gzexe in the gzip package on Red Hat Linux 5.0 and earlier allows local users to overwrite files of other users via a symlink attack on a temporary file. http://www.redhat.com/support/errata/rh50-errata-general.html#gzip 19980128 GZEXE - the big problem 7845 3812 gzip-gzexe-tmp-symlink(7241) DSA-308 automatic download option in ncftp 2.4.2 FTP client in Red Hat Linux 5.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the names of files that are to be downloaded. 19980319 ncftp 2.4.2 MkDirs bug http://www.redhat.com/support/errata/rh50-errata-general.html#ncftp 6111 ncftp-autodownload-command-execution(7240) Multiple buffer overflows in filter command in Elm 2.4 allows attackers to execute arbitrary commands via (1) long From: headers, (2) long Reply-To: headers, or (3) via a long -f (filterfile) command line argument. 19980129 KSR[T] Advisory #7: filter http://www.redhat.com/support/errata/rh50-errata-general.html#elm snmpd server in cmu-snmp SNMP package before 3.3-1 in Red Hat Linux 4.0 is configured to allow remote attackers to read and write sensitive information. http://www.redhat.com/support/errata/rh40-errata-general.html#cmu-snmp cmusnmp-read-write(7251) 3Com HiPer Access Router Card (HiperARC) 4.0 through 4.2.29 allows remote attackers to cause a denial of service (reboot) via a flood of IAC packets to the telnet port. 19990816 Re: 3com hiperarch flaw [hiperbomb.c] 19990812 3com hiperarch flaw [hiperbomb.c] 6057 FTP client in Midnight Commander (mc) before 4.5.11 stores usernames and passwords for visited sites in plaintext in the world-readable history file, which allows other local users to gain privileges. 19990801 midnight commander vulnerability(?) (fwd) 5921 midnight-commander-data-disclosure(9873) Delegate proxy 5.9.3 and earlier creates files and directories in the DGROOT with world-writable permissions. 19990721 Delegate creates directories writable for anyone Vulnerability when Network Address Translation (NAT) is enabled in Linux 2.2.10 and earlier with ipchains, or FreeBSD 3.2 with ipfw, allows remote attackers to cause a denial of service (kernel panic) via a ping -R (record route) command. http://www.kernel.org/pub/linux/kernel/v2.2/patch-2.2.11.gz 19990722 Re: ping -R causes kernel panic on a forwarding machine ( 2.2.5 a nd 2 .2.10) 19990722 Linux +ipchains+ ping -R 6105 ipchains-ping-route-dos(7257) Buffer overflow in faxalter in hylafax 4.0.2 allows local users to gain privileges via a long -m command line argument. 765 19991104 hylafax-4.0.2 local exploit Linux kernel before 2.3.18 or 2.2.13pre15, with SLIP and PPP options, allows local unprivileged users to forge IP packets via the TIOCSETD option on tty devices. 19991022 Local user can send forged packets linux-tiocsetd-forge-packets(7858) ICQ ActiveList Server allows remote attackers to cause a denial of service (crash) via malformed packets to the server's UDP port. 19991017 ICQ ActiveList Server Exploit... HTTP server for Xerox DocuColor 4 LP allows remote attackers to cause a denial of service (hang) via a long URL that contains a large number of . characters. 19991013 Xerox DocuColor 4 LP D.O.S Auto_FTP.pl script in Auto_FTP 0.2 stores usernames and passwords in plaintext in the auto_ftp.conf configuration file. 19991005 Auto_FTP v0.02 Advisory Auto_FTP.pl script in Auto_FTP 0.2 uses the /tmp/ftp_tmp as a shared directory with insecure permissions, which allows local users to (1) send arbitrary files to the remote server by placing them in the directory, and (2) view files that are being transferred. 19991005 Auto_FTP v0.02 Advisory PAM configuration file for rlogin in Red Hat Linux 6.1 and earlier includes a less restrictive rule before a more restrictive one, which allows users to access the host via rlogin even if rlogin has been explicitly disabled using the /etc/nologin file. 19991007 Problems with redhat 6 Xsession and pam.d/rlogin. Xsession in Red Hat Linux 6.1 and earlier can allow local users with restricted accounts to bypass execution of the .xsession file by starting kde, gnome or anotherlevel from kdm. 19991007 Problems with redhat 6 Xsession and pam.d/rlogin. Linuxconf on Red Hat Linux 6.0 and earlier does not properly disable PAM-based access to the shutdown command, which could allow local users to cause a denial of service. 19990630 linuxconf doesn't seem to deal correctly with /etc/pam.d/reboot NFS daemon (nfsd.exe) for Omni-NFS/X 6.1 allows remote attackers to cause a denial of service (resource exhaustion) via certain packets, possibly with the Urgent (URG) flag set, to port 111. 19991006 Omni-NFS/X Enterprise (nfsd.exe) DOS ARCAD Systemhaus 0.078-5 installs critical programs and files with world-writeable permissions, which could allow local users to gain privileges by replacing a program with a Trojan horse. 19990929 Multiple Vendor ARCAD permission problems Directory traversal vulnerability in KVIrc IRC client 0.9.0 with the "Listen to !nick <soundname> requests" option enabled allows remote attackers to read arbitrary files via a .. (dot dot) in a DCC GET request. kvirc-dot-directory-traversal(7761) 19990924 Kvirc bug mknod in Linux 2.2 follows symbolic links, which could allow local users to overwrite files or gain privileges. 19990928 Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Nosque MsgCore 2.14 stores passwords in cleartext: (1) the administrator password in the AdmPasswd registry key, and (2) user passwords in the Userbase.dbf data file, which could allow local users to gain privielges. 19990907 MsgCore mailserver stores passwords in clear text E-mail client in Softarc FirstClass Internet Server 5.506 and earlier stores usernames and passwords in cleartext in the files (1) home.fc for version 5.506, (2) network.fc for version 3.5, or (3) FCCLIENT.LOG when logging is enabled. 19990909 SoftArc's FirstClass E-mail Client 19990830 SoftArc's FirstClass E-mail Client BMC Patrol component, when installed with Compaq Insight Management Agent 4.23 and earlier, or Management Agents for Servers 4.40 and earlier, creates a PFCUser account with a default password and potentially dangerous privileges. management-pfcuser(3231) http://www.compaq.com/products/servers/management/advisory.html 19990905 Case ID SSRT0620 - PFCUser account communication 19990817 Compaq PFCUser account 19991105 UPDATE: SSRT0620 Compaq Foundation Agents v4.40B PFCUser issues 19990915 (I) UPDATE - PFCUser Account, Compaq Integration Maintenance Utility as used in Compaq Insight Manager agent before SmartStart 4.50 modifies the legal notice caption (LegalNoticeCaption) and text (LegalNoticeText) in Windows NT, which could produce a legal notice that is in violation of the security policy. 19990917 Re: Compaq CIM UG Overwrites Legal Notice 19990902 Compaq CIM UG Overwrites Legal Notice compaq-smartstart-legal-notice(7763) 19990902 Compaq CIM UG Overwrites Legal Notice Netscape Communicator 4.04 through 4.7 (and possibly other versions) in various UNIX operating systems converts the 0x8b character to a "<" sign, and the 0x9b character to a ">" sign, which could allow remote attackers to attack other clients via cross-site scripting (CSS) in CGI programs that do not filter these characters. 19991005 Time to update those CGIs again When an administrator in Windows NT or Windows 2000 changes a user policy, the policy is not properly updated if the local ntconfig.pol is not writable by the user, which could allow local users to bypass restrictions that would otherwise be enforced by the policy, possibly by changing the policy file to be read-only. Q157673 nt-user-policy-update(7400) When the Ntconfig.pol file is used on a server whose name is longer than 13 characters, Windows NT does not properly enforce policies for global groups, which could allow users to bypass restrictions that were intended by those policies. Q163875 nt-group-policy-longname(7401) Windows NT 4.0 allows local users to cause a denial of service via a user mode application that closes a handle that was opened in kernel mode, which causes a crash when the kernel attempts to close the handle. Q160650 nt-kernel-handle-dos(7402) Windows NT 3.51 and 4.0 running WINS (Windows Internet Name Service) allows remote attackers to cause a denial of service (resource exhaustion) via a flood of malformed packets, which causes the server to slow down and fill the event logs with error messages. 19980509 coke.c Win32k.sys in Windows NT 4.0 before SP2 allows local users to cause a denial of service (crash) by calling certain WIN32K functions with incorrect parameters. Q160601 nt-win32k-dos(7403) Windows NT 3.51 and 4.0 allow local users to cause a denial of service (crash) by running a program that creates a large number of locks on a file, which exhausts the NonPagedPool. Q163143 nt-nonpagedpool-dos(7405) Windows NT 4.0 allows local users to cause a denial of service (crash) via an illegal kernel mode address to the functions (1) GetThreadContext or (2) SetThreadContext. Q142653 nt-threadcontext-dos(7421) Windows NT searches a user's home directory (%systemroot% by default) before other directories to find critical programs such as NDDEAGNT.EXE, EXPLORER.EXE, USERINIT.EXE or TASKMGR.EXE, which could allow local users to bypass access restrictions or gain privileges by placing a Trojan horse program into the root directory, which is writable by default. 0515 19990628 NT runs Explorer.exe, Taskmgr.exe etc. from wrong location nt-login-default-folder(2336) 19990630 Update: NT runs explorer.exe, etc... Pegasus e-mail client 3.0 and earlier uses weak encryption to store POP3 passwords in the pmail.ini file, which allows local users to easily decrypt the passwords and read e-mail. 19990515 Pegasus Mail weak encryption Internet Explorer 5.0 does not properly reset the username/password cache for Web sites that do not use standard cache controls, which could allow users on the same system to access restricted web sites that were visited by other users. http://www.pcworld.com/news/article/0,aid,10842,00.asp AV Option for MS Exchange Server option for InoculateIT 4.53, and possibly other versions, only scans the Inbox folder tree of a Microsoft Exchange server, which could allow viruses to escape detection if a user's rules cause the message to be moved to a different mailbox. 20001116 InoculateIT AV Option for MS Exchange Server 19990512 InoculateIT 4.53 Real-Time Exchange Scanner Flawed Real Media RealServer (rmserver) 6.0.3.353 stores a password in plaintext in the world-readable rmserver.cfg file, which allows local users to gain privileges. 19990414 Real Media Server stores passwords in plain text The setup wizard (ie5setup.exe) for Internet Explorer 5.0 disables (1) the screen saver, which could leave the system open to users with physical access if a failure occurs during an unattended installation, and (2) the Task Scheduler Service, which might prevent the scheduled execution of security-critical programs. 19990323 MSIE 5 installer disables screen saver Buffer overflow in /usr/bin/write in Solaris 2.6 and 7 allows local users to gain privileges via a long string in the terminal name argument. solaris-write-bo(7546) http://www.securiteam.com/exploits/5ZP0O1P35O.html 19990308 Solaris "/usr/bin/write" bug Triactive Remote Manager with Basic authentication enabled stores the username and password in cleartext in registry keys, which could allow local users to gain privileges. 19990219 Plaintext Password in Tractive's Remote Manager Software FORE PowerHub before 5.0.1 allows remote attackers to cause a denial of service (hang) via a TCP SYN scan with TCP/IP OS fingerprinting, e.g. via nmap. 19990105 Re: Network Scan Vulnerability [SUMMARY] perlshop.cgi shopping cart program stores sensitive customer information in directories and files that are under the web root, which allows remote attackers to obtain that information via an HTTP request. 19990427 Re: Shopping Carts exposing CC data FileSystemObject (FSO) in the showfile.asp Active Server Page (ASP) allows remote attackers to read arbitrary files by specifying the name in the file parameter. 230 19990211 Using FSO in ASP to view just about anything Buffer overflow in fpcount.exe in IIS 4.0 with FrontPage Server Extensions allows remote attackers to execute arbitrary commands. 19990114 MS IIS 4.0 Security Advisory 19990114 MS IIS 4.0 Security Advisory Matt Wright's download.cgi 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the f parameter. http://pulhas.org/phrack/55/P55-07.html dbmlparser.exe CGI guestbook program does not perform a chroot operation properly, which allows remote attackers to read arbitrary files. 19990917 improper chroot in dbmlparser.exe DNS allows remote attackers to use DNS name servers as traffic amplifiers via a UDP DNS query with a spoofed source address, which produces more traffic to the victim than was sent by the attacker. AL-1999.004 19990810 Possible Denial Of Service using DNS J-063 19990730 Possible Denial Of Service using DNS dns-udp-query-dos(7238) Symantec Norton Utilities 2.0 for Windows 95 marks the TUNEOCX.OCX ActiveX control as safe for scripting, which allows remote attackers to execute arbitrary commands via the run option through malicious web pages that are accessed by browsers such as Internet Explorer 3.0. http://mlarchive.ima.com/win95/1997/May/0342.html http://www.net-security.sk/bugs/NT/nu20.html http://news.zdnet.co.uk/story/0,,s2065518,00.html nu-tuneocx-activex-control(7188) Buffer overflow in dbadmin CGI program 1.0.1 on Linux allows remote attackers to execute arbitrary commands. 19981008 buffer overflow in dbadmin NetWare NFS mode 1 and 2 implements the "Read Only" flag in Unix by changing the ownership of a file to root, which allows local users to gain root privileges by creating a setuid program and setting it to "Read Only," which NetWare-NFS changes to a setuid root program. http://support.novell.com/cgi-bin/search/tidfinder.cgi?2940551 19980812 Re: Netware NFS (fwd) 19980108 NetWare NFS netware-nfs-file-ownership(7246) (1) bash before 1.14.7, and (2) tcsh 6.05 allow local users to gain privileges via directory names that contain shell metacharacters (` back-tick), which can cause the commands enclosed in the directory name to be executed when the shell expands filenames using the \w option in the PS1 variable. 19960919 Vulnerability in expansion of PS1 in bash & tcsh 19960913 tee see shell problems Indigo Magic System Tour in the SGI system tour package (systour) for IRIX 5.x through 6.3 allows local users to gain root privileges via a Trojan horse .exitops program, which is called by the inst command that is executed by the RemoveSystemTour program. AA-96.08 470 19961030 (Another) vulnerability in new SGIs 19961101-01-I irix-systour(7456) Buffer overflow in ppp program in FreeBSD 2.1 and earlier allows local users to gain privileges via a long HOME environment variable. FreeBSD-SA-96:20 6085 ppp-bo(7465) 19961219 Exploit for ppp bug (FreeBSD 2.1.0). Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file. 19980308 another /tmp race: `perl -e' opens temp file not safely http://www.redhat.com/support/errata/rh50-errata-general.html#perl perl-e-tmp-symlink(7243) Windows NT 4.0 SP2 allows remote attackers to cause a denial of service (crash), possibly via malformed inputs or packets, such as those generated by a Linux smbmount command that was compiled on the Linux 2.0.29 kernel but executed on Linux 2.0.25. 19970407 DUMP of NT system crash 19970403 Fatal bug in NT 4.0 server (more comments) 19970402 Fatal bug in NT 4.0 server passwd in SunOS 4.1.x allows local users to overwrite arbitrary files via a symlink attack and the -F command line argument. 19940514 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994.NEWFIX 19940513 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994 19941218 Sun Patch Id #102060-01 US Robotics/3Com Total Control Chassis with Frame Relay between 3.6.22 and 3.7.24 does not properly enforce access filters when the "set host prompt" setting is made for a port, which allows attackers to bypass restrictions by providing the hostname twice at the "host: " prompt. 99 19980511 3Com/USR Total Control Chassis dialup port access filters suidexec in suidmanager 0.18 on Debian 2.0 allows local users to gain root privileges by specifying a malicious program on the command line. 19980428 [Debian 2.0] /usr/bin/suidexec gives root access 94 Vulnerability in NeXT 1.0a and 1.0 with publicly accessible printers allows local users to gain privileges via a combination of the npd program and weak directory permissions. CA-1990-06 B-01 10 nextstep-npd-root-access(7143) Vulnerability in restore0.9 installation script in NeXT 1.0a and 1.0 allows local users to gain root privileges. CA-1990-06 9 B-01 nextstep-restore09-root-access(7144) Control Panel "Password Security" option for Apple Powerbooks allows attackers with physical access to the machine to bypass the security by booting it with an emergency startup disk and using a disk editor to modify the on/off toggle or password in the aaaaaaaAPWD file, which is normally inaccessible. 532 http://freaky.staticusers.net/macsec/data/powerbooksecurity-data.html BSD 4.4 based operating systems, when running at security level 1, allow the root user to clear the immutable and append-only flags for files by unmounting the file system and using a file system editor such as fsdb to directly modify the file through a device. 19990702 BSD-fileflags 510 Vulnerability in Monitor utility (SYS$SHARE:SPISHR.EXE) in VMS 5.0 through 5.4-2 allows local users to gain privileges. CA-92.16 CA-1992-18 51 vms-monitor-gain-privileges(7136) 59332 Vulnerability in integer multiplication emulation code on SPARC architectures for SunOS 4.1 through 4.1.2 allows local users to gain root access or cause a denial of service (crash). CA-1992-15 49 sun-integer-multiplication-access(7150) Index Server 2.0 on IIS 4.0 stores physical path information in the ContentIndex\Catalogs subkey of the AllowedPaths registry key, whose permissions allows local and remote users to obtain the physical paths of directories that are being indexed. 19990323 Index Server 2.0 and the Registry 476 iis-indexserver-reveal-path(7559) 19990323 Index Server 2.0 and the Registry Vulnerability in xfsdump in SGI IRIX may allow local users to obtain root privileges via the bck.log log file, possibly via a symlink attack. 472 http://www.insecure.org/sploits/irix.xfsdump.html 19970507 Irix: misc spaceball program in SpaceWare 7.3 v1.0 in IRIX 6.2 allows local users to gain root privileges by setting the HOSTNAME environmental variable to contain the commands to be executed. 471 19970820 SpaceWare 7.3 v1.0 The Economist screen saver 1999 with the "Password Protected" option enabled allows users with physical access to the machine to bypass the screen saver and read files by running Internet Explorer while the screen is still locked. 466 19990603 Re: Huge Exploit in NT 4.0 SP5 Screensaver with Password Protecti on Enabled. 19990603 Huge Exploit in NT 4.0 SP5 Screensaver with Password Protection Enabled 19990604 Official response from The Economist re: 1999 Screen Saver Vulnerability in Desktop searchbook program in IRIX 5.0.x through 6.2 sets insecure permissions for certain user files (iconbook and searchbook). 463 19961201-01-PX irix-searchbook-permissions(7575) 8563 The access permissions for a UNIX domain socket are ignored in Solaris 2.x and SunOS 4.x, and other BSD-based operating systems before 4.4, which could allow local users to connect to the socket and possibly disrupt or control the operations of the program using that socket. 456 19971003 Solaris 2.6 and sockets 19970517 UNIX domain socket (Solarisx86 2.5) sun-domain-socket-permissions(7172) IBM/Tivoli OPC Tracker Agent version 2 release 1 creates files, directories, and IPC message queues with insecure permissions (world-readable and world-writable), which could allow local users to disrupt operations and possibly gain privileges by modifying or deleting files. 382 19981002 Several potential security problems in IBM/Tivoli OPC Tracker Age nt IBM/Tivoli OPC Tracker Agent version 2 release 1 allows remote attackers to cause a denial of service (resource exhaustion) via malformed data to the localtracker client port (5011), which prevents the connection from being closed properly. 382 19981002 Several potential security problems in IBM/Tivoli OPC Tracker Age nt snap command in AIX before 4.3.2 creates the /tmp/ibmsupt directory with world-readable permissions and does not remove or clear the directory when snap -a is executed, which could allow local users to access the shadowed password file by creating /tmp/ibmsupt/general/passwd before root runs snap -a. Fixed in AIX 4.3 and 4.3.2 AIX 4.3.x APAR: IX88263 AIX 4.2.x APAR: IX88261 375 19990220 Re: snap utility for AIX. 19990217 snap utility for AIX. dumpreg in Red Hat Linux 5.1 opens /dev/mem with O_RDWR access, which allows local users to cause a denial of service (crash) by redirecting fd 1 (stdout) to the kernel. 19980729 Crash a redhat 5.1 linux box 372 19980730 FD's 0..2 and suid/sgid procs (Was: Crash a redhat 5.1 linux box) ifdhcpc-done script for configuring DHCP on Red Hat Linux 5 allows local users to append text to arbitrary files via a symlink attack on the dhcplog file. http://www.redhat.com/support/errata/rh50-errata-general.html#initscripts 19980309 *sigh* another RH5 /tmp problem 368 initscripts-ifdhcpdone-dhcplog-symlink(7294) Vulnerability in AIX 4.1.4 and HP-UX 10.01 and 9.05 allows local users to cause a denial of service (crash) by using a socket to connect to a port on the localhost, calling shutdown to clear the socket, then using the same socket to connect to a different port on localhost. 352 19970305 Bug in connect() for aix 4.1.4 ? The at program in IRIX 6.2 and NetBSD 1.3.2 and earlier allows local users to read portions of arbitrary files by submitting the file to at with the -f argument, which generates error messages that at sends to the user via e-mail. 19980703 more about 'at' 331 at-f-read-files(7577) 19980805 irix-6.2 "at -f" vulnerability NetBSD-SA1998-004 addnetpr in IRIX 5.3 and 6.2 allows local users to overwrite arbitrary files and possibly gain root privileges via a symlink attack on the printers temporary file. 330 ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX 19970509 Re: Irix: misc The installation of the fsp package 2.71-10 in Debian GNU/Linux 2.0 adds the anonymous FTP user without notifying the administrator, which could automatically enable anonymous FTP on some servers such as wu-ftp. 316 19981128 Debian: Security flaw in FSP fsp-anon-ftp-access(7574) 19990217 Debian GNU/Linux 2.0r5 released (fwd) 19981130 Debian: Security flaw in FSP 19981126 new version of fsp fixes security flaw A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service (crash) via a flood of HTTP GET requests to CGI programs, which generates a large number of processes. 19990603 MacOS X system panic with CGI 306 Solaris 2.4 before kernel jumbo patch -35 allows set-gid programs to dump core even if the real user id is not in the set-gid group, which allows local users to overwrite or create files at higher privileges by causing a core dump, e.g. through dmesg. 296 19960803 Exploiting Zolaris 2.4 ?? :) IBM Netfinity Remote Control allows local users to gain administrator privileges by starting programs from the process manager, which runs with system level privileges. 19990609 IBM's response to "Security Leak with IBM Netfinity Remote Control Software 19990525 Security Leak with IBM Netfinity Remote Control Software 284 Vulnerability in /usr/bin/mail in DEC ULTRIX before 4.2 allows local users to gain privileges. CA-91.13 27 AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large content-length. 253 19980823 Solaris ab2 web server is junk Format string vulnerability in AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via encoded % characters in an HTTP request, which is improperly logged. 253 19980823 Solaris ab2 web server is junk ICQ99 ICQ web server build 1701 with "Active Homepage" enabled generates allows remote attackers to determine the existence of files on the server by comparing server responses when a file exists ("404 Forbidden") versus when a file does not exist ("404 not found"). 19990501 Update: security hole in the ICQ-Webserver 246 Buffer overflow in nss_nisplus.so.1 library in NIS+ in Solaris 2.3 and 2.4 allows local users to gain root privileges. 219 00148 sun-nisplus-bo(7535) NBase switches NH2012, NH2012R, NH2015, and NH2048 have a back door password that cannot be disabled, which allows remote attackers to modify the switch's configuration. 212 19980722 N-Base Vulnerability Advisory Followup 19980720 N-Base Vulnerability Advisory NBase switches NH208 and NH215 run a TFTP server which allows remote attackers to send software updates to modify the switch or cause a denial of service (crash) by guessing the target filenames, which have default names. 212 19980722 N-Base Vulnerability Advisory Followup 19980720 N-Base Vulnerability Advisory The default configuration of Slackware 3.4, and possibly other versions, includes . (dot, the current directory) in the PATH environmental variable, which could allow local users to create Trojan horse programs that are inadvertently executed by other users. 19990102 PATH variable in zip-slackware 2.0.35 ping in Solaris 2.3 through 2.6 allows local users to cause a denial of service (crash) via a ping request to a multicast address through the loopback interface, e.g. via ping -i. 209 00146 19971005 Solaris Ping Bug and other [bc] oddities 19970627 SUMMARY: Solaris Ping bug (DoS) 19970626 Solaris Ping bug (DoS) ping-multicast-loopback-dos(7492) 19970627 Solaris Ping bug(inetsvc) Solaris Solstice AdminSuite (AdminSuite) 2.1 uses unsafe permissions when adding new users to the NIS+ password table, which allows local users to gain root access by modifying their password table entries. 208 00145 Solaris Solstice AdminSuite (AdminSuite) 2.1 incorrectly sets write permissions on source files for NIS maps, which could allow local users to gain privileges by modifying /etc/passwd. 208 00145 Solaris Solstice AdminSuite (AdminSuite) 2.1 follows symbolic links when updating an NIS database, which allows local users to overwrite arbitrary files. 208 00145 Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 create lock files insecurely, which allows local users to gain root privileges. 208 00145 Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 allows local users to gain privileges via the save option in the Database Manager, which is running with setgid bin privileges. 208 00145 DIT TransferPro installs devices with world-readable and world-writable permissions, which could allow local users to damage disks through the ff device driver. 204 19980105 Security flaw in either DIT TransferPro or Solaris PIM software for Royal daVinci does not properly password-protext access to data stored in the .mdb (Microsoft Access) file, which allows local users to read the data without a password by directly accessing the files with a different application, such as Access. 185 19990102 security problem with Royal daVinci ZAK in Appstation mode allows users to bypass the "Run only allowed apps" policy by starting Explorer from Office 97 applications (such as Word), installing software into the TEMP directory, and changing the name to that for an allowed application, such as Winword.exe. 181 19990109 WinNT, ZAK and Office 97 19990107 WinNT, ZAK and Office 97 Power management (Powermanagement) on Solaris 2.4 through 2.6 does not start the xlock process until after the sys-suspend has completed, which allows an attacker with physical access to input characters to the last active application from the keyboard for a short period after the system is restoring, which could lead to increased privileges. 19980716 Security risk with powermanagemnet on Solaris 2.6 160 HP JetAdmin D.01.09 on Solaris allows local users to change the permissions of arbitrary files via a symlink attack on the /tmp/jetadmin.log file. 19980722 Re: JetAdmin software 19980715 JetAdmin software 157 login in Slackware Linux 3.2 through 3.5 does not properly check for an error when the /etc/group file is missing, which prevents it from dropping privileges, causing it to assign root privileges to any local user who logs on to the server. 19980713 Slackware Shadow Insecurity 155 Buffer overflow in libsocks5 library of Socks 5 (socks5) 1.0r5 allows local users to gain privileges via long environmental variables. 19980710 socks5 1.0r5 buffer overflow.. 154 Ray Chan WWW Authorization Gateway 0.1 CGI program allows remote attackers to execute arbitrary commands via shell metacharacters in the "user" parameter. 19980708 WWW Authorization Gateway 152 ePerl 2.2.12 allows remote attackers to read arbitrary files and possibly execute certain commands by specifying a full pathname of the target file as an argument to bar.phtml. 19980710 ePerl Security Update Available 19980707 ePerl: bad handling of ISINDEX queries 151 Vulnerability in /bin/mail in SunOS 4.1.1 and earlier allows local users to gain root privileges via certain command line arguments. CA-1991-01 00105 15 gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files. 146 19980108 GCC Exploit 19980115 GCC 2.7.? /tmp files 19980102 Symlink bug with GCC 2.7.2 Win32 ICQ 98a 1.30, and possibly other versions, does not display the entire portion of long filenames, which could allow attackers to send an executable file with a long name that contains so many spaces that the .exe extension is not displayed, which could make the user believe that the file is safe to open from the client. 132 19990101 Win32 ICQ 98a flaw Linux 2.0.34 does not properly prevent users from sending SIGIO signals to arbitrary processes, which allows local users to cause a denial of service by sending SIGIO to processes that do not catch it. 19980630 Serious Linux 2.0.34 security problem 111 Bug in AMD K6 processor on Linux 2.0.x and 2.1.x kernels allows local users to cause a denial of service (crash) via a particular sequence of instructions, possibly related to accessing addresses outside of segments. 105 http://www.cs.helsinki.fi/linux/linux-kernel/Year-1998/1998-25/0816.html http://uwsg.iu.edu/hypermail/linux/kernel/9805.3/0855.html Micah Software Full Armor Network Configurator and Zero Administration allow local users with physical access to bypass the desktop protection by (1) using <CTRL><ALT><DEL> and kill the process using the task manager, (2) booting the system from a separate disk, or (3) interrupting certain processes that execute while the system is booting. 103 19980602 Full Armor.... Fool Proof etc... bugs 19980609 Full Armor genkey utility in Alibaba 2.0 generates RSA key pairs with an exponent of 1, which results in transactions that are sent in cleartext. http://catless.ncl.ac.uk/Risks/20.41.html#subj4 Vulnerability in imapd and ipop3d in Slackware 3.4 and 3.3 with shadowing enabled, and possibly other operating systems, allows remote attackers to cause a core dump via a short sequence of USER and PASS commands that do not provide valid usernames or passwords. 19980202 imapd/ipop3d coredump in slackware 3.4 Internet Explorer 3 records a history of all URL's that are visited by a user in DAT files located in the Temporary Internet Files and History folders, which are not cleared when the user selects the "Clear History" option, and are not visible when the user browses the folders because of tailored displays. 19970806 Re: Strange behavior regarding directory 19970805 Re: Strange behavior regarding directory Internet Explorer 4.0 allows remote attackers to cause a denial of service (crash) via HTML code that contains a long CLASSID parameter in an OBJECT tag. 19980728 Object tag crashes Internet Explorer 4.0 19980730 Re: Object tag crashes Internet Explorer 4.0 Eudora and Eudora Light before 3.05 allows remote attackers to cause a crash and corrupt the user's mailbox via an e-mail message with certain dates, such as (1) dates before 1970, which cause a Divide By Zero error, or (2) dates that are 100 years after the current date, which causes a segmentation fault. 19980729 Eudora exploit (was Microsoft Security Bulletin (MS98-008)) SunOS 4.1.4 on a Sparc 20 machine allows local users to cause a denial of service (kernel panic) by reading from the /dev/tcx0 TCX device. http://www.insecure.org/sploits/sunos.dev.tcx0.write.wierd.shit.to.device.bug.html 19970519 /dev/tcx0 crashes SunOS 4.1.4 on Sparc 20's Vulnerability in (1) rlogin daemon rshd and (2) scheme on SCO UNIX OpenServer 5.0.5 and earlier, and SCO UnixWare 7.0.1 and earlier, allows remote attackers to gain privileges. SSE020 SB-99.06b SB-99.03b The Winmsdp.exe sample file in IIS 4.0 and Site Server 3.0 allows remote attackers to read arbitrary files. iis-samples-winmsdp(3271) MS99-013 Q231368 GINA in Windows NT 4.0 allows attackers with physical access to display a portion of the clipboard of the user who has locked the workstation by pasting (CTRL-V) the contents into the username prompt. 198 Q214802 19990205 Alert: MS releases GINA-fix for SP3, SP4, and TS 19990129 ole objects in a "secured" environment? nt-gina-clipboard(1975) 19990129 ole objects in a "secured" environment? Internet Explorer 4 allows remote attackers (malicious web site operators) to read the contents of the clipboard via the Internet WebBrowser ActiveX object. 215 19990222 New IE4 vulnerability : the clipboard again. Macromedia "The Matrix" screen saver on Windows 95 with the "Password protected" option enabled allows attackers with physical access to the machine to bypass the password prompt by pressing the ESC (Escape) key. 19991004 Weakness In "The Matrix" Screensaver For Windows RSH service utility RSHSVC in Windows NT 3.5 through 4.0 does not properly restrict access as specified in the .Rhosts file when a user comes from an authorized host, which could allow unauthorized users to access the service by logging in from an authorized host. Q158320 nt-rshsvc-ale-bypass(7422) thttpd HTTP server 2.03 and earlier allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename. thttpd-file-read(1809) 19980819 thttpd 2.04 released (fwd) http://www.acme.com/software/thttpd/thttpd.html#releasenotes Buffer overflow in thttpd HTTP server before 2.04-31 allows remote attackers to execute arbitrary commands via a long date string, which is not properly handled by the tdate_parse function. 19991116 thttpd Buffer overflow in at program in Digital UNIX 4.0 allows local users to gain root privileges via a long command line argument. du-at(3138) 19990125 Digital Unix 4.0 exploitable buffer overflows SSRT0583U BMC PATROL Agent before 3.2.07 allows local users to gain root privileges via a symlink attack on a temporary file. bmc-patrol-file-create(1388) 19981102 BMC PATROL File Creation Vulnerability 534 BMC PATROL SNMP Agent before 3.2.07 allows local users to create arbitrary world-writeable files as root by specifying the target file as the second argument to the snmpmagt program. 525 19990713 Root Perms Gained with Patrol SNMP Agent 3.2 (all others?) 19990801 Re: Root Perms Gained with Patrol SNMP Agent 3.2 (all others?) inpview in InPerson on IRIX 5.3 through IRIX 6.5.10 trusts the PATH environmental variable to find and execute the ttsession program, which allows local users to obtain root access by modifying the PATH to point to a Trojan horse ttsession program. 381 20001101-01-I 19970507 Irix: misc Vulnerability in bb-hist.sh CGI History module in Big Brother 1.09b and 1.09c allows remote attacker to read portions of arbitrary files. http-cgi-bigbrother-bbhist(3755) 142 19990426 FW: Security Notice: Big Brother 1.09b/c http://bb4.com/README.CHANGES Windows NT 4.0 before SP3 allows remote attackers to bypass firewall restrictions or cause a denial of service (crash) by sending improperly fragmented IP packets without the first fragment, which the TCP/IP stack incorrectly reassembles into a valid session. nt-frag(528) 19970710 A New Fragmentation Attack Vulnerability in Cisco IOS 11.1CC and 11.1CT with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled interface to an interface that does not have DFS enabled, as described by Cisco bug CSCdk35564. cisco-acl-leakage(1401) 19981105 Cisco IOS DFS Access List Leakage J-016 Vulnerability in Cisco IOS 11.1 through 11.3 with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled input interface to an output interface with a logical subinterface, as described by Cisco bug CSCdk43862. cisco-acl-leakage(1401) 19981105 Cisco IOS DFS Access List Leakage J-016 Vulnerability in Cisco routers versions 8.2 through 9.1 allows remote attackers to bypass access control lists when extended IP access lists are used on certain interfaces, the IP route cache is enabled, and the access list uses the "established" keyword. CA-1992-20 53 Vulnerability in rcp on SunOS 4.0.x allows remote attackers from trusted hosts to execute arbitrary commands as root, possibly related to the configuration of the nobody user. CA-1989-07 sun-rcp(3165) 5 rdist in various UNIX systems uses popen to execute sendmail, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable. CA-91.20 31 http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-01.html 8106 rdist-popen-gain-privileges(7160) Buffer overflow in w3-auth CGI program in miniSQL package allows remote attackers to execute arbitrary commands via an HTTP request with (1) a long URL, or (2) a long User-Agent MIME header. 19990930 mini-sql Buffer Overflow Eastman Work Management 3.21 stores passwords in cleartext in the COMMON and LOCATOR registry keys, which could allow local users to gain privileges. eastman-cleartext-passwords(2303) 485 19990624 Eastman Software Work Management 3.21 Buffer overflow in passwd in BSD based operating systems 4.3 and earlier allows local users to gain root privileges by specifying a long shell or GECOS field. CA-1989-01 4 bsd-passwd-bo(7152) Internet Explorer 4.0 allows remote attackers to read arbitrary text and HTML files on the user's machine via a small IFRAME that uses Dynamic HTML (DHTML) to send the data to the attacker, aka the Freiburg text-viewing issue. http-ie-spy(587) http://www.insecure.org/sploits/Internet_explorer_4.0.hack.html Q176794 Q176697 http://www.microsoft.com/Windows/ie/security/freiburg.asp 7819 19971017 Security Hole in Explorer 4.0 When a Web site redirects the browser to another site, Internet Explorer 3.02 and 4.0 automatically resends authentication information to the second site, aka the "Page Redirect Issue." Q176697 7818 ie-page-redirect(7426) PowerPoint 95 and 97 allows remote attackers to cause an application to be run automatically without prompting the user, possibly through the slide show, when the document is opened in browsers such as Internet Explorer. nt-ppt-patch(179) http://www.microsoft.com/windows/ie/security/powerpoint.asp ProFTPd 1.2 compiled with the mod_sqlpw module records user passwords in the wtmp log file, which allows local users to obtain the passwords and gain privileges by reading wtmp, e.g. via the last command. 812 19991119 ProFTPd - mod_sqlpw.c A bug in Intel Pentium processor (MMX and Overdrive) allows local users to cause a denial of service (hang) in Intel-based operating systems such as Windows NT and Windows 95, via an invalid instruction, aka the "Invalid Operand with Locked CMPXCHG8B Instruction" problem. pentium-crash(704) Q163852 Buffer overflow in GNOME libraries 1.0.8 allows local user to gain root access via a long --espeaker argument in programs such as nethack. gnome-espeaker-local-bo(3349) 663 19990923 Linux GNOME exploit The Sun HotSpot Performance Engine VM allows a remote attacker to cause a denial of service on any server running HotSpot via a URL that includes the [ character. sun-hotspot-vm(2348) 19990716 FW: (Review ID: 85125) Hotspot crashes bringing down webserver 19990706 Bug in SUN's Hotspot VM 522 The textcounter.pl by Matt Wright allows remote attackers to execute arbitrary commands via shell metacharacters. http-cgi-textcounter(2052) 19980624 textcounter.pl SECURITY HOLE 2265 (1) acledit and (2) aclput in AIX 4.3 allow local users to create or modify files via a symlink attack. 429 Squid 2.2.STABLE5 and below, when using external authentication, allows attackers to bypass access controls via a newline in the user/password pair. squid-proxy-auth-access(3433) http://www.squid-cache.org/Versions/v2/2.2/bugs/ 741 19991025 [squid] exploit for external authentication problem 19991025 [squid] exploit for external authentication problem SVGAlib zgv 3.0-7 and earlier allows local users to gain root access via a privilege leak of the iopl(3) privileges to child processes. 19990219 Security hole: "zgv" Buffer overflow in zgv in svgalib 1.2.10 and earlier allows local users to execute arbitrary code via a long HOME environment variable. 19970619 svgalib/zgv Buffer overflow in MSN Setup BBS 4.71.0.10 ActiveX control (setupbbs.ocx) allows a remote attacker to execute arbitrary commands via the methods (1) vAddNewsServer or (2) bIsNewsServerConfigured. msn-setup-bbs-activex-bo(3310) 668 19990924 Several ActiveX Buffer Overruns nsd in IRIX 6.5 through 6.5.2 exports a virtual filesystem on a UDP port, which allows remote attackers to view files and cause a possible denial of service by mounting the nsd virtual file system. sgi-nsd-create(2247) sgi-nsd-view(2246) 412 8564 19990531 IRIX 6.5 nsd virtual filesystem vulnerability sadc in IBM AIX 4.1 through 4.3, when called from programs such as timex that are setgid adm, allows local users to overwrite arbitrary files via a symlink attack. 408 http://techsupport.services.ibm.com/aix/fixes/v4/os/bos.acct.4.3.1.0.info aix-sadc-timex(7675) IX76853 IX76330 IX75554 Vulnerability in digest in AIX 4.3 allows printq users to gain root privileges by creating and/or modifing any file on the system. 405 aix-digest(7477) IX74599 sdrd daemon in IBM SP2 System Data Repository (SDR) allows remote attackers to read files without authentication. 371 I-079A ibm-sdr-read-files(7217) Buffer overflow in TestChip function in XFree86 SuperProbe in Slackware Linux 3.1 allows local users to gain root privileges via a long -nopr argument. 364 19970304 Linux SuperProbe exploit xosview 1.5.1 in Red Hat 5.1 allows local users to gain root access via a long HOME environmental variable. 362 19980528 ALERT: Tiresome security hole in "xosview", RedHat5.1? linux-xosview-bo(8787) 19980529 Re: Tiresome security hole in "xosview" (xosexp.c) abuse.console in Red Hat 2.1 uses relative pathnames to find and execute the undrv program, which allows local users to execute arbitrary commands via a path that points to a Trojan horse program. 354 19960202 abuse Red Hat 2.1 security hole Vulnerability in (1) diskperf and (2) diskalign in IRIX 6.4 allows local attacker to create arbitrary root owned files, leading to root privileges. sgi-diskalign(2104) sgi-diskperf(2103) 348 19980502-01-P3030 Vulnerability in crp in Hewlett Packard Apollo Domain OS SR10 through SR10.3 allows remote attackers to gain root privileges via insecure system calls, (1) pad_$dm_cmd and (2) pad_$def_pfk(). CA-1991-23 apollo-crp-root-access(7158) 34 colorview in Silicon Graphics IRIX 5.1, 5.2, and 6.0 allows local attackers to read arbitrary files via the -text argument. sgi-colorview(2112) 19950307 sigh. another Irix 5.2 hole. 336 19950209-00-P 19940809 Re: IRIX 5.2 Security Advisory xtvscreen in SuSE Linux 6.0 allows local users to overwrite arbitrary files via a symlink attack on the pic000.pnm file. xtvscreen-overwrite(1792) 325 19990218 xtvscreen and suse 6 Sudo 1.5 in Debian Linux 2.1 and Red Hat 6.0 allows local users to determine the existence of arbitrary files by attempting to execute the target filename as a program, which generates a different error message when the file does not exist. sudo-file-exists(2277) 321 19990608 unneeded information in sudo Ipswitch IMail 5.0 and 6.0 uses weak encryption to store passwords in registry keys, which allows local attackers to read passwords for e-mail accounts. 880 19991221 [w00giving '99 #11] IMail's password encryption scheme Slackware Linux 3.4 pkgtool allows local attacker to read and write to arbitrary files via a symlink attack on the reply file. 82 named in ISC BIND 4.9 and 8.1 allows local users to destroy files via a symlink attack on (1) named_dump.db when root kills the process with a SIGINT, or (2) named.stats when SIGIOT is used. 80 19980410 BIND 4.9.7 named follows symlinks, clobbers anything Internet Anywhere POP3 Mail Server 2.3.1 allows remote attackers to cause a denial of service (crash) via (1) LIST, (2) TOP, or (3) UIDL commands using letters as arguments. 733 19991001 Vulnerabilities in the Internet Anywhere Mail Server (1) ipxchk and (2) ipxlink in SGI OS2 IRIX 6.3 does not properly clear the IFS environmental variable before executing system calls, which allows local users to execute arbitrary commands. 71 70 19980408 SGI O2 ipx security issue Buffer overflows in Quake 1.9 client allows remote malicious servers to execute arbitrary commands via long (1) precache paths, (2) server name, (3) server address, or (4) argument to the map console command. 69 68 19980408 QuakeI client: serious holes. Network Flight Recorder (NFR) 1.5 and 1.6 allows remote attackers to cause a denial of service in nfrd (crash) via a TCP packet with a null header and data field. 63 Stalker Internet Mail Server 1.6 allows a remote attacker to cause a denial of service (crash) via a long HELO command. 62 19980408 Re: AppleShare IP Mail Server Buffer overflow in QuakeWorld 2.10 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary commands via a long initial connect packet. 60 19980407 QW vulnerability Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3, allows remote attackers to access user bin. CA-1990-01 6 Sun SunOS 4.1 through 4.1.3 allows local attackers to gain root access via insecure permissions on files and directories such as crash. CA-1993-03 59 sun-dir(521) Web server in Tektronix PhaserLink Printer 840.0 and earlier allows a remote attacker to gain administrator access by directly calling undocumented URLs such as ncl_items.html and ncl_subjects.html. 806 19991116 [Fwd: Printer Vulnerability: Tektronix PhaserLink Webserver gives Administrator Password] Directory traversal vulnerability in Etype Eserv 2.50 web server allows a remote attacker to read any file in the file system via a .. (dot dot) in a URL. 773 19991104 Eserv 2.50 Web interface Server Directory Traversal Vulnerability 19991104 Eserv 2.50 Web interface Server Directory Traversal Vulnerability Buffer overflows in Bisonware FTP server prior to 4.1 allow remote attackers to cause a denial of service, and possibly execute arbitrary commands, via long (1) USER, (2) LIST, or (3) CWD commands. bisonware-command-bo(3234) 19990517 Vulnerabilities in BisonWare FTP Server 3.5 Buffer overflows in Xtramail 1.11 allow attackers to cause a denial of service (crash) and possibly execute arbitrary commands via (1) a long PASS command in the POP3 service, (2) a long HELO command in the SMTP service, or (3) a long user name in the Control Service. xtramail-pass-dos(3488) 791 19991110 Multiples Remotes DoS Attacks in Artisoft XtraMail v1.11 Vulnerability The AMaViS virus scanner 0.2.0-pre4 and earlier allows remote attackers to execute arbitrary commands as root via an infected mail message with shell metacharacters in the reply-to field. amavis-command-execute(2349) 527 http://www.amavis.org/ChangeLog.txt 19990716 AMaViS virus scanner for Linux - root exploit Management information base (MIB) for a 3Com SuperStack II hub running software version 2.10 contains an object identifier (.1.3.6.1.4.1.43.10.4.2) that is accessible by a read-only community string, but lists the entire table of community strings, which could allow attackers to conduct unauthorized activities. 19990830 One more 3Com SNMP vulnerability Buffer overflow in Celtech ExpressFS FTP server 2.x allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long USER command. expressfs-command-bo(3401) 749 19990729 ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability 19990729 ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability A non-default configuration in TenFour TFS Gateway 4.0 allows an attacker to cause a denial of service via messages with incorrect sender and recipient addresses, which causes the gateway to continuously try to return the message every 10 seconds. tfs-gateway-dos(3290) 613 A buffer overflow in TenFour TFS Gateway SMTP mail server 3.2 allows an attacker to crash the mail server and possibly execute arbitrary code by offering more than 128 bytes in a MAIL FROM string. 19990902 [SECURITY] TenFour TFS SMTP 3.2 Buffer Overflow runtar in the Amanda backup system used in various UNIX operating systems executes tar with root privileges, which allows a user to overwrite or read arbitrary files by providing the target files to runtar. 750 19991101 Amanda multiple vendor local root compromises Operating systems with shared memory implementations based on BSD 4.4 code allow a user to conduct a denial of service and bypass memory limits (e.g., as specified with rlimits) using mmap or shmget to allocate memory and cause page faults. bsd-shared-memory-dos(2351) 526 19990715 Shared memory DoS's Gene6 G6 FTP Server 2.0 allows a remote attacker to cause a denial of service (resource exhaustion) via a long (1) user name or (2) password. g6ftp-username-dos(3513) 805 19991117 Remote D.o.S Attack in G6 FTP Server v2.0 (beta 4/5) Vulnerability A configuration problem in the Ad Server Sample directory (AdSamples) in Microsoft Site Server 3.0 allows an attacker to obtain the SITE.CSC file, which exposes sensitive SQL database information. siteserver-site-csc(2270) 256 19990511 [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs Computalynx CMail 2.4 and CMail 2.3 SP2 SMTP servers are vulnerable to a buffer overflow attack in the MAIL FROM command that may allow a remote attacker to execute arbitrary code on the server. cmail-command-bo(2240) 633 19990729 Vulnerability in CMail SMTP Server Version 2.4: Remotely exploitable buffer 19990912 Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug Vulnerability in htmlparse.pike in Roxen Web Server 1.3.11 and earlier, possibly related to recursive parsing and referer tags in RXML. 19991007 Roxen security alert Buffer overflow in Sambar Web Server 4.2.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP GET request. sambar-logging-bo(1672) 19991006 Re: Sample DOS against the Sambar HTTP-Server 19991004 FlowPoint DSL router firmware versions prior to 3.0.8 allows a remote attacker to exploit a password recovery feature from the network and conduct brute force password guessing, instead of limiting the feature to the serial console port. 19990807 Re: FlowPoint DSL router vulnerability Macromedia Shockwave before 6.0 allows a malicious webmaster to read a user's mail box and possibly access internal web servers via the GetNextText command on a Shockwave movie. http-ns-shockwave(460) shockwave-file-read-vuln(1586) shockwave-internal-access(1585) 19970314 Shockwave Security Alert Auto-update feature of Macromedia Shockwave 7 transmits a user's password and hard disk information back to Macromedia. shockwave-updater(1931) 19990311 [Fwd: Shockwave 7 Security Hole] Internal HTTP server in Sun Netbeans Java IDE in Netbeans Developer 3.0 Beta and Forte Community Edition 1.0 Beta does not properly restrict access to IP addresses as specified in its configuration, which allows arbitrary remote attackers to access the server. 816 19991123 NetBeans/ Forte' Java IDE HTTP vulnerability ProSoft Netware Client 5.12 on Macintosh MacOS 9 does not automatically log a user out of the NDS tree when the user logs off the system, which allows other users of the same system access to the unprotected NDS session. 794 19991114 MacOS 9 and the MacOS Netware Client A buffer overflow exists in the HELO command in Trend Micro Interscan VirusWall SMTP gateway 3.23/3.3 for NT, which may allow an attacker to execute arbitrary code. viruswall-helo-bo(3465) 787 19991108 Patch for VirusWall 3.23. 20000417 New DOS on Interscan NT/3.32 19991107 Interscan VirusWall NT 3.23/3.3 buffer overflow 19991107 Interscan VirusWall NT 3.23/3.3 buffer overflow. 19991108 Re: Interscan VirusWall NT 3.23/3.3 buffer overflow. 19991108 Patch for VirusWall 3.23. cgiwrap as used on Cobalt RaQ 2.0 and RaQ 3i does not properly identify the user for running certain scripts, which allows a malicious site administrator to view or modify data located at another virtual site on the same system. 777 19991109 [Cobalt] Security Advisory - cgiwrap 19991108 Security flaw in Cobalt RaQ2 cgiwrap 35 cobalt-cgiwrap-incorrect-permissions(7764) Buffer overflow in IBM HomePagePrint 1.0.7 for Windows98J allows a malicious Web site to execute arbitrary code on a viewer's system via a long IMG_SRC HTML tag. 763 19991102 Some holes for Win/UNIX softwares ibm-homepageprint-bo(7767) Netscape Messaging Server 3.54, 3.55, and 3.6 allows a remote attacker to cause a denial of service (memory exhaustion) via a series of long RCPT TO commands. 748 19991029 message:Netscape Messaging Server RCPT TO vul. Eicon Technology Diva LAN ISDN modem allows a remote attacker to cause a denial of service (hang) via a long password argument to the login.htm file in its HTTP service. diva-lan-isdn-dos(3317) 665 19990926 DoS Exploit in Eicon Diehl LAN ISDN Modem Buffer overflow in (1) nlservd and (2) rnavc in Knox Software Arkeia backup product allows local users to obtain root access via a long HOME environmental variable. 661 19990923 Multiple vendor Knox Arkiea local root/remote DoS Buffer overflow in AspUpload.dll in Persits Software AspUpload before 1.4.0.2 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long argument in the HTTP request. http-aspupload-bo(3291) 19990818 AspUpload Buffer Overflow Fixed 592 19990720 Buffer overflow in AspUpload 1.4 .sbstart startup script in AcuShop Salesbuilder is world writable, which allows local users to gain privileges by appending commands to the file. 19990730 World writable root owned script in SalesBuilder (RedHat 6.0) 560 13557 IIS 3.x and 4.x does not distinguish between pages requiring encryption and those that do not, which allows remote attackers to cause a denial of service (resource exhaustion) via SSL requests to the HTTPS port for normally unencrypted files, which will cause IIS to perform extra work to send the files over SSL. 521 ssl-iis-dos(2352) 19990707 SSL and IIS. When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allows an unauthorized user to gain access to sensitive server information, including the Administrator's password. 19990114 MS IIS 4.0 Security Advisory 19990114 MS IIS 4.0 Security Advisory 189 Buffer overflow in FTP server in QPC Software's QVT/Term Plus versions 4.2d and 4.3 and QVT/Net 4.3 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long (1) user name or (2) password. qvtterm-login-dos(3491) 796 19991110 Remote DoS Attack in QVT/Term 'Plus' 4.2d FTP Server Vulnerability 19991110 Remote DoS Attack in QVT/Term 'Plus' 4.2d FTP Server Vulnerability shell-lock in Cactus Software Shell Lock uses weak encryption (trivial encoding) which allows attackers to easily decrypt and obtain the source code. cactus-shell-lock-retrieve-shell-code(3356) 19991004 19991005 Cactus Software's shell-lock shell-lock in Cactus Software Shell Lock allows local users to read or modify decoded shell files before they are executed, via a symlink attack on a temporary file. cactus-shell-lock-root-privs(3358) 19991004 19991005 Cactus Software's shell-lock RPMMail before 1.4 allows remote attackers to execute commands via an e-mail message with shell metacharacters in the "MAIL FROM" command. linux-rh-rpmmail(3353) 19991006 Fwd: [Re: RH6.0 local/remote command execution] 19991004 RH6.0 local/remote command execution MacOS uses weak encryption for passwords that are stored in the Users & Groups Data File. 519 19990914 MacOS system encryption algorithm 3 19990710 MacOS system encryption algorithm Buffer overflow in FTP server in Microsoft IIS 3.0 and 4.0 allows local and sometimes remote attackers to cause a denial of service via a long NLST (ls) command. 19990124 Advisory: IIS FTP Exploit/DoS Attack Joe's Own Editor (joe) 2.8 sets the world-readable permission on its crash-save file, DEADJOE, which could allow local users to read files that were being edited by other users. 19990717 joe 2.8 makes world-readable DEADJOE 19990714 netstation.navio-com.rte 1.1.0.1 configuration script for Navio NC on IBM AIX exports /tmp over NFS as world-readable and world-writable. navionc-config-script(1724) 19990129 TROJAN: netstation.navio-comm.rte 1.1.0.1 Oracle Web Listener 2.1 allows remote attackers to bypass access restrictions by replacing a character in the URL with its HTTP-encoded (hex) equivalent. 841 19991125 Oracle Web Listener 19991125 Oracle Web Listener Cabletron SmartSwitch Router (SSR) 8000 firmware 2.x can only handle 200 ARP requests per second allowing a denial of service attack to succeed with a flood of ARP requests exceeding that limit. 19991124 Cabletron SmartSwitch Router 8000 Firmware v2.x 821 Lynx 2.x does not properly distinguish between internal and external HTML, which may allow a local attacker to read a "secure" hidden form value from a temporary file and craft a LYNXOPTIONS: URL that causes Lynx to modify the user's configuration file and execute commands. 804 19991116 lynx 2.8.x - 'special URLs' anti-spoofing protection is weak bigconf.conf in F5 BIG/ip 2.1.2 and earlier allows remote attackers to read arbitrary files by specifying the target file in the "file" parameter. 19991109 778 19991109 Re: BigIP - bigconf.cgi holes 19991108 BigIP - bigconf.cgi holes bigip-bigconf-view-files(7771) Buffer overflow in Ipswitch IMail Service 5.0 allows an attacker to cause a denial of service (crash) and possibly execute arbitrary commands via a long URL. 505 imail-websvc-overflow(1898) 19990302 Multiple IMail Vulnerabilites dpsexec (DPS Server) when running under XDM in IBM AIX 3.2.5 and earlier does not properly check privileges, which allows local users to overwrite arbitrary files and gain privileges. 358 19940720 xnews and XDM Buffer overflow in XCmail 0.99.6 with autoquote enabled allows remote attackers to execute arbitrary commands via a long subject line. The authors were notified of this problem and it was fixed in devel-release 0.99.7. xcmail-reply-overflow(1859) 311 19990301 [0z0n3] XCmail remotely exploitable vulnerability /usr/sbin/Mail on SGI IRIX 3.3 and 3.3.1 does not properly set the group ID to the group ID of the user who started Mail, which allows local users to read the mail of other users. CA-1990-08 13 sgi-irix-reset(3164) Cheyenne InocuLAN Anti-Virus Server in Inoculan 4.0 before Service Pack 2 creates an update directory with "EVERYONE FULL CONTROL" permissions, which allows local users to cause Inoculan's antivirus update feature to install a Trojan horse dll. inoculan-bad-permissions(1536) 19980611 Cheyenne Inoculan vulnerability on NT Microsoft SQL Server 6.5 uses weak encryption for the password for the SQLExecutiveCmdExec account and stores it in an accessible portion of the registry, which could allow local users to gain privileges by reading and decrypting the CmdExecAccount value. mssql-sqlexecutivecmdexec-password(7354) 109 19980629 MS SQL Server 6.5 stores password in unprotected registry keys Buffer overflow in the login functions in IMAP server (imapd) in Ipswitch IMail 5.0 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a long user name or (2) a long password. imail-imap-overflow(1895) 19990301 Multiple IMail Vulnerabilites Vulnerability in loginout in Digital OpenVMS 7.1 and earlier allows unauthorized access when external authentication is enabled. 161 I-071A openvms-loginout-unauth-access(7151) Xylan OmniSwitch before 3.2.6 allows remote attackers to bypass the login prompt via a CTRL-D (control d) character, which locks other users out of the switch because it only supports one session at a time. xylan-omniswitch-login(2064) 19990331 Xylan OmniSwitch "features" Vulnerability in a script in Texas A&M University (TAMU) Tiger allows local users to execute arbitrary commands as the Tiger user, usually root. tiger-script-execute(2369) 19990720 tiger vulnerability Nullsoft SHOUTcast server stores the administrative password in plaintext in a configuration file (sc_serv.conf), which could allow a local user to gain administrative privileges on the server. 19990820 Winamp SHOUTcast server: Gain Administrator Password gFTP FTP client 1.13, and other versions before 2.0.0, records a password in plaintext in (1) the log window, or (2) in a log file. 19990905 gftp 3446 DSA-084 Nachuatec D435 and D445 printer allows remote attackers to cause a denial of service via ICMP redirect storm. 19991116 NEUROCOM: Nashuatec D445/435 vulnerabilities updated 19991014 NEUROCOM: Nashuatec printer, 3 vulnerabilities found FreeBSD 3.2 and possibly other versions allows a local user to cause a denial of service (panic) with a large number accesses of an NFS v3 mounted directory from a large number of processes. 19990902 [ Kernel panic with FreeBSD-3.2-19990830-STABLE ] Man2html 2.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file. 19990820 [SECURITY] New versions of man2html fixes postinst glitch 6291 Buffer overflow in iParty server 1.2 and earlier allows remote attackers to cause a denial of service (crash) by connecting to default port 6004 and sending repeated extended characters. 19990508 iParty Daemon Vulnerability w/ Exploit Code (worse than thought?) Seapine Software TestTrack server allows a remote attacker to cause a denial of service (high CPU) via (1) TestTrackWeb.exe and (2) ttcgi.exe by connecting to port 99 and disconnecting without sending any data. testtrack-dos(1948) Off-by-one error in NcFTPd FTP server before 2.4.1 allows a remote attacker to cause a denial of service (crash) via a long PORT command. 19990223 NcFTPd remote buffer overflow ncftpd-port-bo(1833) 19990223 Comments on NcFTPd "theoretical root compromise" Quake 1 and NetQuake servers allow remote attackers to cause a denial of service (resource exhaustion or forced disconnection) via a flood of spoofed UDP connection packets, which exceeds the server's player limit. quake-spoofed-client-dos(6871) 3051 20010716 Quake client and server denial-of-service 19981101 Quake problem? 19980502 NetQuake Protocol problem resulting in smurf like effect. Buffer overflow in sar for OpenServer 5.0.5 allows local users to gain root privileges via a long -o parameter. 4089 openserver-sar-bo(8989) CSSA-2002-SCO.17 19990909 19 SCO 5.0.5+Skunware98 buffer overflows 20020509 Sar -o exploitation process info. Buffer overflow in sar for SCO OpenServer 5.0.0 through 5.0.5 may allow local users to gain root privileges via a long -f parameter, a different vulnerability than CVE-1999-1570. http://online.securityfocus.com/advisories/1843 openserver-sar-bo(8989) 19990909 19 SCO 5.0.5+Skunware98 buffer overflows 19990917 Re: recent SCO 5.0.x vulnerabilities ftp://stage.caldera.com/pub/security/sse/sse037c/sse037c.ltr SB-99.17c 643 20020509 Sar -o exploitation process info. 19991105 SCO Security Bulletin 99.17 19991020 Re: recent SCO 5.0.x vulnerabilities cpio on FreeBSD 2.1.0, Debian GNU/Linux 3.0, and possibly other operating systems, uses a 0 umask when creating files using the -O (archive) or -F options, which creates the files with mode 0666 and allows local users to read or overwrite those files. Fixed in rev 1.3 of cpio/main.c. cpio-o-archive-insecure-permissions(19167) 2005-0003 RHSA-2005:080 RHSA-2005:073 http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/1391 DSA-664 oval:org.mitre.oval:def:10888 RHSA-2005:806 MDKSA-2005:032 http://support.avaya.com/elmodocs2/security/ASA-2005-212.pdf 17532 17063 14357 20050204 [USN-75-1] cpio vulnerability Multiple unknown vulnerabilities in the "r-cmnds" (1) remshd, (2) rexecd, (3) rlogind, (4) rlogin, (5) remsh, (6) rcp, (7) rexec, and (8) rdist for HP-UX 10.00 through 11.00 allow attackers to gain privileges or access files. VU#13217 HPSBUX9812-090 J-022 ESB-98.186 hp-rcmnds-gain-privileges(7860) oval:org.mitre.oval:def:5550 Buffer overflow in the lex routines of nslookup for AIX 4.3 may allow attackers to cause a core dump and possibly execute arbitrary code via "long input strings." VU#182777 aix-nslookup-lex-bo(7867) IX79909 The Kodak/Wang (1) Image Edit (imgedit.ocx), (2) Image Annotation (imgedit.ocx), (3) Image Scan (imgscan.ocx), (4) Thumbnail Image (imgthumb.ocx), (5) Image Admin (imgadmin.ocx), (6) HHOpen (hhopen.ocx), (7) Registration Wizard (regwizc.dll), and (8) IE Active Setup (setupctl.dll) ActiveX controls for Internet Explorer (IE) 4.01 and 5.0 are marked as "Safe for Scripting," which allows remote attackers to create and modify files and execute arbitrary commands. VU#9162 VU#41408 VU#26924 VU#24839 VU#23412 wang-kodak-activex-control(7097) 19990924 Several ActiveX Buffer Overruns MS99-037 Buffer overflow in Adobe Acrobat ActiveX control (pdf.ocx, PDF.PdfCtrl.1) 1.3.188 for Acrobat Reader 4.0 allows remote attackers to execute arbitrary code via the pdf.setview method. VU#25919 adobe-acrobat-pdf-bo(3318) 666 19990924 Several ActiveX Buffer Overruns Buffer overflow in HHOpen ActiveX control (hhopen.ocx) 1.0.0.1 for Internet Explorer 4.01 and 5 allows remote attackers to execute arbitrary commands via long arguments to the OpenHelp method. VU#29795 ie-hhopen-bo(3314) 669 19990924 Several ActiveX Buffer Overruns Buffer overflow in Registration Wizard ActiveX control (regwizc.dll, InvokeRegWizard) 3.0.0.0 for Internet Explorer 4.01 and 5 allows remote attackers to execute arbitrary commands. VU#37556 671 ie-registration-wiz-bo(3311) 19990924 Several ActiveX Buffer Overruns The Cenroll ActiveX control (xenroll.dll) for Terminal Server Editions of Windows NT 4.0 and Windows NT Server 4.0 before SP6 allows remote attackers to cause a denial of service (resource consumption) by creating a large number of arbitrary files on the target machine. VU#3062 winnt-xenroll-dos(7107) 6827 Q242366 SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding host argument, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable and passing crafted values to the -oR option. CA-1995-11 VU#3278 7829 AA-95.09 http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-21.html Memory leak in Simple Network Management Protocol (SNMP) agent (snmp.exe) for Windows NT 4.0 before Service Pack 4 allows remote attackers to cause a denial of service (memory consumption) via a large number of SNMP packets with Object Identifiers (OIDs) that cannot be decoded. VU#4923 winnt-snmp-oid-memory-leak(8231) Q178381 By design, the "established" command on the Cisco PIX firewall allows connections from one host to arbitrary ports of a target host if an alternative conduit has already been allowed, which can cause administrators to configure less restrictive access controls than intended if they do not understand this functionality. VU#6733 cisco-pix-established-bypass(8052) 19980715 PIX Firewall "established" Command Buffer overflow in nslookup for AIX 4.3 allows local users to execute arbitrary code via a long hostname command line argument. VU#872443 IY02120 aix-nslookup-hostname-bo(8031) Unknown vulnerability in (1) loadmodule, and (2) modload if modload is installed with setuid/setgid privileges, in SunOS 4.1.1 through 4.1.3c, and Open Windows 3.0, allows local users to gain root privileges via environment variables, a different vulnerability than CVE-1999-1586. CA-93.18 00124 The (1) rcS and (2) mountall programs in Sun Solaris 2.x, possibly before 2.4, start a privileged shell on the system console if fsck fails while the system is booting, which allows attackers with physical access to gain root privileges. 00124 loadmodule in SunOS 4.1.x, as used by xnews, does not properly sanitize its environment, which allows local users to gain privileges, a different vulnerability than CVE-1999-1584. CA-95.12 sun-loadmodule(498) G-02 /usr/ucb/ps in Sun Microsystems Solaris 8 and 9, and certain earlier releases, allows local users to view the environment variables and values of arbitrary processes via the -e option. solaris-ps-information-disclosure(25460) 102215 1015833 19426 ADV-2006-1123 http://www.sunmanagers.org/archives/1996/1383.html 19662 24200 oval:org.mitre.oval:def:1470 Buffer overflow in nlps_server in Sun Solaris x86 2.4, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code as root via a long string beginning with "NLPS:002:002:" to the listen (aka System V listener) port, TCP port 2766. http://www.securityfocus.com/data/vulnerabilities/exploits/nlps_server.c 2319 http://security-protocols.com/sploits/unsorted_exploits/nlps_server.c http://lsd-pl.net/files/get?SOLARIS/solx86_nlps_server Unspecified vulnerability in crontab in IBM AIX 3.2 allows local users to gain root privileges via unknown attack vectors. CA-1992-10 357 Directory traversal vulnerability in Muhammad A. Muquit wwwcount (Count.cgi) 2.3 allows remote attackers to read arbitrary GIF files via ".." sequences in the image parameter, a different vulnerability than CVE-1999-0021. 19971010 Security flaw in Count.cgi (wwwcount) Microsoft Internet Information Services (IIS) server 4.0 SP4, without certain hotfixes released for SP4, does not require authentication credentials under certain conditions, which allows remote attackers to bypass authentication requirements, as demonstrated by connecting via Microsoft Visual InterDev 6.0. 190 19990119 Re: IIS4.0 and Visual Interdev 19990118 IIS4.0 and Visual Interdev Multiple unspecified vulnerabilities in sendmail 5, as installed on Sun SunOS 4.1.3_U1 and 4.1.4, have unspecified attack vectors and impact. NOTE: this might overlap CVE-1999-0129. 243 00159 Windows Internet Naming Service (WINS) allows remote attackers to cause a denial of service (connectivity loss) or steal credentials via a 1Ch registration that causes WINS to change the domain controller to point to a malicious server. NOTE: this problem may be limited when Windows 95/98 clients are used, or if the primary domain controller becomes unavailable. https://www2.sans.org/reading_room/whitepapers/win2k/185.php 2221 20010119 Re: Invalid WINS entries 20010118 Re: Invalid WINS entries 20010117 Re: Invalid WINS entries 20010117 Re: Invalid WINS entries 20010118 Re: Invalid WINS entries 20010117 Re: Invalid WINS entries 20010117 Invalid WINS entries 19990302 NT Domain DoS and Security Exploit with SAMBA Server RealMedia server allows remote attackers to cause a denial of service via a long ramgen request. 888 Buffer overflow in ZBServer Pro 1.50 allows remote attackers to execute commands via a long GET request. 20000128 ZBServer 1.50-r1x exploit (WinNT) 889 19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT 19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT Buffer overflow in UnixWare rtpm program allows local users to gain privileges via a long environmental variable. 20000127 New SCO patches... ZBServer Pro allows remote attackers to read source code for executable files by inserting a . (dot) into the URL. 19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT 19991223 Re: Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT HP-UX aserver program allows local users to gain privileges via a symlink attack. oval:org.mitre.oval:def:5635 strace allows local users to read arbitrary files via memory mapped file names. linux-strace(4554) 19991225 strace can lie Trend Micro PC-Cillin does not restrict access to its internal proxy port, allowing remote attackers to conduct a denial of service. pccillin-proxy-remote-dos(4491) 1740 FTPPro allows local users to read sensitive information, which is stored in plain text. The bna_pass program in Optivity NETarchitect uses the PATH environmental variable for finding the "rm" program, which allows local users to execute arbitrary commands. 907 WebWho+ whois.cgi program allows remote attackers to execute commands via shell metacharacters in the TLD parameter. Buffer overflow in AnalogX SimpleServer:WWW HTTP server allows remote attackers to execute commands via a long GET request. http://www.analogx.com/contents/download/network/sswww.htm 906 1184 Buffer overflow in w3-msql CGI program in miniSQL package allows remote attackers to execute commands. 898 IRIX soundplayer program allows local users to gain privileges by including shell metacharacters in a .wav file, which is executed via the midikeys program. 909 Denial of service in Savant web server via a null character in the requested URL. 897 CascadeView TFTP server allows local users to gain privileges via a symlink attack. 910 Buffer overflow in Internet Anywhere POP3 Mail Server allows remote attackers to cause a denial of service or execute commands via a long username. 730 Buffer overflow in Linux linuxconf package allows remote attackers to gain root privileges via a long parameter. wmmon in FreeBSD allows local users to gain privileges via the .wmmonrc configuration file. 885 1169 IMail POP3 daemon uses weak encryption, which allows local users to read files. DNS PRO allows remote attackers to conduct a denial of service via a large number of connections. Lotus Domino HTTP server allows remote attackers to determine the real path of the server via a request to a non-existent script in /cgi-bin. 881 Lotus Domino HTTP server does not properly disable anonymous access for the cgi-bin directory. 881 Buffer overflow in Lotus Domino HTTP server allows remote attackers to cause a denial of service via a long URL. 881 51 IIS does not properly canonicalize URLs, potentially allowing remote attackers to bypass access restrictions in third-party software via escape characters, aka the "Escape Character Parsing" vulnerability. Q246401 MS99-061 http://www.acrossecurity.com/aspr/ASPR-1999-11-10-1-PUB.txt IIS 4.0 and Site Server 3.0 allow remote attackers to read source code for ASP files if the file is in a virtual directory whose name includes extensions such as .com, .exe, .sh, .cgi, or .dll, aka the "Virtual Directory Naming" vulnerability. Q238606 8098 MS99-058 Buffer overflow in UnixWare i2odialogd daemon allows remote attackers to gain root access via a long username/password authorization string. 876 6310 19991223 FYI, SCO Security patches available. IBM Network Station Manager NetStation allows local users to gain privileges via a symlink attack. 900 19991227 IBM NetStation/UnixWare local root exploit ibm-netstat-race-condition(5381) Internet Explorer 5.0 and 5.01 allows remote attackers to bypass the cross frame security policy and read files via the external.NavigateAndFind function. UnixWare pis and mkpis commands allow local users to gain privileges via a symlink attack. 901 20000113 Info on some security holes reported against SCO Unixware. Solaris dmispd dmi_cmd allows local users to fill up restricted disk space by adding files to the /var/dmi/db database. 878 The initscripts package in Red Hat Linux allows local users to gain privileges via a symlink attack. Solaris dmi_cmd allows local users to crash the dmispd daemon by adding a malformed file to the /var/dmi/db database. 878 7582 InterScan VirusWall SMTP scanner does not properly scan messages with malformed attachments. 899 Netscape 4.7 records user passwords in the preferences.js file during an IMAP or POP session, even if the user has not enabled "remember passwords." resend command in Majordomo allows local users to gain privileges via shell metacharacters. 902 20000113 Info on some security holes reported against SCO Unixware. Outlook Express 5 for Macintosh downloads attachments to HTML mail without prompting the user, aka the "HTML Mail Attachment" vulnerability. MS99-060 Q249082 Majordomo wrapper allows local users to gain privileges by specifying an alternate configuration file. 903 RHSA-2000:005 20000113 Info on some security holes reported against SCO Unixware. glFtpD includes a default glftpd user account with a default password and a UID of 0. AltaVista search engine allows remote attackers to read files above the document root via a .. (dot dot) in the query.cgi CGI program. 896 15 glFtpD allows local users to gain privileges via metacharacters in the SITE ZIPCHK command. Macintosh systems generate large ICMP datagrams in response to malformed datagrams, allowing them to be used as amplifiers in a flood attack. 890 Buffer overflow in CSM mail server allows remote attackers to cause a denial of service or execute commands via a long HELO command. 895 Buffer overflow in CamShot WebCam HTTP server allows remote attackers to execute commands via a long GET request. 905 Macros in War FTP 1.70 and 1.67b2 allow local or remote attackers to read arbitrary files or execute commands. 919 MySQL allows local users to modify passwords for arbitrary MySQL users via the GRANT privilege. 926 Buffer overflow in ICQ 99b 1.1.1.1 client allows remote attackers to execute commands via a malformed URL within an ICQ message. 929 Buffer overflow in Yahoo Pager/Messenger client allows remote attackers to cause a denial of service via a long URL within a message. get_it program in Corel Linux Update allows local users to gain root access by specifying an alternate PATH for the cp program. http://linux.corel.com/support/clos_patch1.htm 928 Buffer overflow in Winamp client allows remote attackers to execute commands via a long entry in a .pls file. 925 12022 The Allaire Spectra Webtop allows authenticated users to access other Webtop sections by specifying explicit URLs. ASB00-01 915 The Allaire Spectra Configuration Wizard allows remote attackers to cause a denial of service by repeatedly resubmitting data collections for indexing via a URL. ASB00-02 916 Red Hat userhelper program in the usermode package allows local users to gain root access via PAM and a .. (dot dot) attack. linux-pam-userhelper 913 RHSA-2000:001 20000104 PamSlam Microsoft Commercial Internet System (MCIS) IMAP server allows remote attackers to cause a denial of service via a malformed IMAP request. MS00-001 Q246731 912 search.cgi in the SolutionScripts Home Free package allows remote attackers to view directories via a .. (dot dot) attack. 921 Buffer overflow in Solaris chkperm command allows local users to gain root access via a long -n option. 918 IMail IMONITOR status.cgi CGI script allows remote attackers to cause a denial of service with many calls to status.cgi. 914 Cold Fusion CFCACHE tag places temporary cache files within the web document root, allowing remote attackers to obtain sensitive system information. ASB00-03 917 Network HotSync program in Handspring Visor does not have authentication, which allows remote attackers to retrieve email and files. 920 20000105 Handspring Visor Network HotSync Security Hole PHP3 with safe_mode enabled does not properly filter shell metacharacters from commands that are executed by popen, which could allow remote attackers to execute commands. 911 Buffer overflow in aVirt Rover POP3 server 1.1 allows remote attackers to cause a denial of service via a long user name. 894 avirt-rover-pop3-dos(3765) 19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt 19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt Internet Explorer 5 does not modify the security zone for a document that is being loaded into a window until after the document has been loaded, which could allow remote attackers to execute Javascript in a different security context while the document is loading. 923 The DTML implementation in the Z Object Publishing Environment (Zope) allows remote attackers to conduct unauthorized activities. 20000104 [petrilli@digicool.com: [Zope] SECURITY ALERT] 922 cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to read arbitrary files by specifying the filename in a parameter to the script. 938 cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to cause a denial of service via a malformed URL that includes shell metacharacters. 938 7583 Buffer overflow in InetServ 3.0 allows remote attackers to execute commands via a long GET request. WebSite Pro allows remote attackers to determine the real pathname of webdirectories via a malformed URL request. CyberCash Merchant Connection Kit (MCK) allows local users to modify files via a symlink attack. daynad program in Intel InBusiness E-mail Station does not require authentication, which allows remote attackers to modify its configuration, delete files, or read mail. 20000104 [rootshell] Security Bulletin #27 The recover program in Solstice Backup allows local users to restore sensitive files. NtImpersonateClientOfPort local procedure call in Windows NT 4.0 allows local users to gain privileges, aka "Spoofed LPC Port Request." 20000113 Local Promotion Vulnerability in Windows NT 4 Q247869 nt-spoofed-lpc-port 934 MS00-003 IIS 4.0 allows a remote attacker to obtain the real pathname of the document root by requesting non-existent files with .ida or .idq extensions. 20000113 SV: IIS still revealing paths for web directories 20000111 IIS still revealing paths for web directories Visual Casel (Vcasel) does not properly prevent users from executing files, which allows local users to use a relative pathname to specify an alternate file which has an approved name and possibly gain privileges. 937 vcasel-filename-trusting(3867) 20000118 Warning: VCasel security hole. Buffer overflow in Microsoft Rich Text Format (RTF) reader allows attackers to cause a denial of service via a malformed control word. MS00-005 Q249973 win-malformed-rtf-control-word PowerScripts PlusMail CGI program allows remote attackers to execute commands via a password file with improper permissions. Super Mail Transfer Package (SMTP), later called MsgCore, has a memory leak which allows remote attackers to cause a denial of service by repeating multiple HELO, MAIL FROM, RCPT TO, and DATA commands in the same session. 930 nviboot boot script in the Debian nvi package allows local users to delete files via malformed entries in vi.recover. 1439 19991230 vibackup.sh The October 1998 version of the HP-UX aserver program allows local users to gain privileges by specifying an alternate PATH which aserver uses to find the ps and grep commands. oval:org.mitre.oval:def:5549 The June 1999 version of the HP-UX aserver program allows local users to gain privileges by specifying an alternate PATH which aserver uses to find the awk command. oval:org.mitre.oval:def:5728 The W3C CERN httpd HTTP server allows remote attackers to determine the real pathnames of some commands via a request for a nonexistent URL. 936 AIX techlibss allows local users to overwrite files via a symlink attack. 931 20000110 2nd attempt: AIX techlibss follows links Hotmail does not properly filter JavaScript code from a user's mailbox, which allows a remote attacker to execute the code by using hexadecimal codes to specify the javascript: protocol, e.g. j&#x41;vascript. WebTV email client allows remote attackers to force the client to send email without the user's knowledge via HTML. http://www.wired.com/news/technology/0,1282,33420,00.html http://net4tv.com/voice/story.cfm?StoryID=1823 HP asecure creates the Audio Security File audio.sec with insecure permissions, which allows local users to cause a denial of service or gain additional privileges. HPSBUX0001-109 CuteFTP uses weak encryption to store password information in its tree.dat file. Hotmail does not properly filter JavaScript code from a user's mailbox, which allows a remote attacker to execute code via the LOWSRC or DYNRC parameters in the IMG tag. Netopia Timbuktu Pro sends user IDs and passwords in cleartext, which allows remote attackers to obtain them via sniffing. 935 Netscape Mail Notification (nsnotify) utility in Netscape Communicator uses IMAP without SSL, even if the user has set a preference for Communicator to use an SSL connection, allowing a remote attacker to sniff usernames and passwords in plaintext. netscape-mail-notify-plaintext(4385) 20000113 Misleading sense of security in Netscape Buffer overflow in the conversion utilities for Japanese, Korean and Chinese Word 5 documents allows an attacker to execute commands, aka the "Malformed Conversion Data" vulnerability. 946 MS00-002 The rdisk utility in Microsoft Terminal Server Edition and Windows NT 4.0 stores registry hive information in a temporary file with permissions that allow local users to read it, aka the "RDISK Registry Enumeration File" vulnerability. Q249108 947 MS00-004 VMWare 1.1.2 allows local users to cause a denial of service via a symlink attack. 943 1205 Buffer overflow in vchkpw/vpopmail POP authentication package allows remote attackers to gain root privileges via a long username or password. http://www.inter7.com/vpopmail/ChangeLog http://www.inter7.com/vpopmail/ 942 The BSD make program allows local users to modify files via a symlink attack when the -j option is being used. FreeBSD-SA-00:01 939 An installation of Red Hat uses DES password encryption with crypt() for the initial password, instead of md5. procfs in BSD systems allows local users to gain root privileges by modifying the /proc/pid/mem interface via a modified file descriptor for stderr. netbsd-procfs(3995) 940 20760 NetBSD-SA2000-001 The PMTU discovery procedure used by HP-UX 10.30 and 11.00 for determining the optimum MTU generates large amounts of traffic in response to small packets, allowing remote attackers to cause the system to be used as a packet amplifier. HPSBUX0001-110 944 Buffer overflow in qpopper 3.0 beta versions allows local users to gain privileges via a long LIST command. 948 The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to read arbitrary files, aka the "Malformed Hit-Highlighting Argument" vulnerability. MS00-006 950 1210 Microsoft Index Server allows remote attackers to determine the real path for a web directory via a request to an Internet Data Query file that does not exist. MS00-006 Buffer overflow in UnixWare ppptalk command allows local users to gain privileges via a long prompt argument. 20000119 Unixware ppptalk The SMS Remote Control program is installed with insecure permissions, which allows local users to gain privileges by modifying or replacing the program. MS00-012 20000115 Security Vulnerability with SMS 2.0 Remote Control The Make-a-Store OrderPage shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. The SalesCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. The SmartCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. The Shoptron shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. Outlook Express 5.01 and Internet Explorer 5.01 allow remote attackers to view a user's email messages via a script that accesses a variable that references subsequent email messages that are read by the client. 962 The EasyCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. Linux apcd program allows local attackers to modify arbitrary files via a symlink attack. 958 20000201 The Intellivend shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. The mcsp Client Site Processor system (MultiCSP) in Standard and Poor's ComStock is installed with several accounts that have no passwords or easily guessable default passwords. The WebSiteTool shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. The RightFax web client uses predictable session numbers, which allows remote attackers to hijack user sessions. 953 The default installation of Debian GNU/Linux uses an insecure Master Boot Record (MBR) which allows a local user to boot from a floppy disk during the installation. 960 20000202 vulnerability in Linux Debian default boot configuration The SyGate Remote Management program does not properly restrict access to its administration service, which allows remote attackers to cause a denial of service, or access network traffic statistics. http://www.sybergen.com/support/fix.htm 952 20000203 UPDATE: Sygate 3.11 Port 7323 Telnet Hole 20000202 SV: SyGate 3.11 Port 7323 / Remote Admin hole 20000128 SyGate 3.11 Port 7323 / Remote Admin hole Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory. IIS allows local users to cause a denial of service via invalid regular expressions in a Visual Basic script in an ASP page. Firewall-1 does not properly filter script tags, which allows remote attackers to bypass the "Strip Script Tags" restriction by including an extra < in front of the SCRIPT tag. 954 1212 The siteUserMod.cgi program in Cobalt RaQ2 servers allows any Site Administrator to modify passwords for other users, site administrators, and possibly admin (root). 951 The Red Hat Linux su program does not log failed password guesses if the su process is killed before it times out, which allows local attackers to conduct brute force password guessing. 20000130 RedHat 6.1 /and others/ PAM The default configurations for McAfee Virus Scan and Norton Anti-Virus virus checkers do not check files in the RECYCLED folder that is used by the Windows Recycle Bin utility, which allows attackers to store malicious code without detection. 20000130 Bypass Virus Checking The Remote Access Service invoke.cfm template in Allaire Spectra 1.0 allows users to bypass authentication via the bAuthenticated parameter. allaire-spectra-ras-access(4025) 955 The Recycle Bin utility in Windows NT and Windows 2000 allows local users to read or modify files by creating a subdirectory with the victim's SID in the recycler directory, aka the "Recycle Bin Creation" vulnerability. Q248399 963 MS00-007 Frontpage Server Extensions allows remote attackers to determine the physical path of a virtual directory via a GET request to the htimage.exe CGI program. 964 frontpage-cern-information-disclosure(34719) 20070603 CERN &#304;mage Map Dispatcher The shopping cart application provided with Filemaker allows remote users to modify sensitive purchase information via hidden form fields. surfCONTROL SuperScout does not properly asign a category to web sites with a . (dot) at the end, which may allow users to bypass web access restrictions. 965 wwwthreads does not properly cleanse numeric data or table names that are passed to SQL queries, which allows remote attackers to gain privileges for wwwthreads forums. 20000203 RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) 967 Sample Internet Data Query (IDQ) scripts in IIS 3 and 4 allow remote attackers to read files via a .. (dot dot) attack. The Webspeed configuration program does not properly disable access to the WSMadmin utility, which allows remote attackers to gain privileges via wsisa.dll. 969 http://www.progress.com/services/support/cgi-bin/techweb-kbase.cgi/webkb.html?kbid=19412&keywords=security%20Webspeed The Finger Server 0.82 allows remote attackers to execute commands via shell metacharacters. http://www.glazed.org/finger/changelog.txt 7610 Buffer overflow in the SHGetPathFromIDList function of the Serv-U FTP server allows attackers to cause a denial of service by performing a LIST command on a malformed .lnk file. Buffer overflow in SCO scohelp program allows remote attackers to execute commands. 20000127 New SCO patches... SB-00.02a Buffer overflow in War FTPd 1.6x allows users to cause a denial of service via long MKD and CWD commands. 966 4677 20000201 war-ftpd 1.6x DoS Microsoft Java Virtual Machine allows remote attackers to read files via the getSystemResourceAsStream function. 957 Buffer overflows in Tiny FTPd 0.52 beta3 FTP server allows users to execute commands via the STOR, RNTO, MKD, XMKD, RMD, XRMD, APPE, SIZE, and RNFR commands. 961 The Check It Out shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. The @Retail shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. The Cart32 shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. The CartIt shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. A system has a distributed denial of service (DDOS) attack master, agent, or zombie installed, such as (1) Trinoo, (2) Tribe Flood Network (TFN), (3) Tribe Flood Network 2000 (TFN2K), (4) stacheldraht, (5) mstream, or (6) shaft. 20000502 "mstream" Distributed Denial of Service Tool 20000429 Re: Source code to mstream, a DDoS tool 20000429 Re: Source code to mstream, a DDoS tool Internet Anywhere POP3 Mail Server allows local users to cause a denial of service via a malformed RETR command. 982 20000210 remote DoS on Internet Anywhere Mail Server Ver.3.1.3 Internet Anywhere POP3 Mail Server allows remote attackers to cause a denial of service via a large number of connections. 980 20000210 remote DoS on Internet Anywhere Mail Server Ver.3.1.3 Infopop Ultimate Bulletin Board (UBB) allows remote attackers to execute commands via shell metacharacters in the topic hidden field. http://www.ultimatebb.com/home/versions.shtml 20000211 perl-cgi hole in UltimateBB by Infopop Corp. 20000225 FW: Important UBB News For Licensed Users 991 The authentication protocol in Timbuktu Pro 2.0b650 allows remote attackers to cause a denial of service via connections to port 407 and 1417. The SSH protocol server sshd allows local users without shell access to redirect a TCP connection through a service that uses the standard system password database for authentication, such as POP or FTP. Axis 700 Network Scanner does not properly restrict access to administrator URLs, which allows users to bypass the password protection via a .. (dot dot) attack. 971 20000207 Infosec.20000207.axis700.a The libguile.so library file used by gnucash in Debian GNU/Linux is installed with world-writable permissions. The Java Server in the Novell GroupWise Web Access Enhancement Pack allows remote attackers to cause a denial of service via a long URL to the servlet. 972 20000207 Novell GroupWise 5.5 Enhancement Pack Web Access Denial of Servic e snmpd in SCO OpenServer has an SNMP community string that is writable by default, which allows local attackers to modify the host's configuration. 20000207 SNMPD default writable community string SB-00.04a 973 MySQL 3.22 allows remote attackers to bypass password authentication and access a database via a short check string. 975 20000208 Remote access vulnerability in all MySQL server versions Zeus web server allows remote attackers to view the source code for CGI programs via a null character (%00) at the end of a URL. zeus-server-null-string(3982) 977 254 20000208 Zeus Web Server: Null Terminated Strings Check Point Firewall-1 allows remote attackers to bypass port access restrictions on an FTP server by forcing it to send malicious packets that Firewall-1 misinterprets as a valid 227 response to a client's PASV attempt. VU#328867 979 4417 GNU make follows symlinks when it reads a Makefile from stdin, which allows other local users to execute commands. 981 Remote attackers can cause a denial of service in Novell BorderManager 3.5 by pressing the enter key in a telnet connection to port 2000. 976 7468 FrontPage Personal Web Server (PWS) allows remote attackers to read files via a .... (dot dot) attack. 20000216 Doubledot bug in FrontPage FrontPage Personal Web Server. 989 The ARCserve agent in UnixWare allows local attackers to modify arbitrary files via a symlink attack. 988 http://www.sco.com/security/ 20000215 ARCserve symlink vulnerability Windows NT Autorun executes the autorun.inf file on non-removable media, which allows local attackers to specify an alternate program to execute when other users access a drive. 993 20000218 AUTORUN.INF Vulnerability Internet Explorer 4.x and 5.x allows remote web servers to access files on the client that are outside of its security domain, aka the "Image Source Redirect" vulnerability. ie-image-source-redirect(3996) 7827 MS00-009 NetBSD ptrace call on VAX allows local users to gain privileges by modifying the PSL contents in the debugging process. 992 1999-012 Buffer overflow in MMDF server allows remote attackers to gain privileges via a long MAIL FROM command to the SMTP daemon. 20000215 Remote Vulnerability in the MMDF SMTP Daemon SB-00.06a 997 20000218 MMDF HP Ignite-UX does not save /etc/passwd when it creates an image of a trusted system, which can set the password field to a blank and allow an attacker to gain privileges. HPSBUX0002-111 The Microsoft Active Setup ActiveX component in Internet Explorer 4.x and 5.x allows a remote attacker to install software components without prompting the user by stating that the software's manufacturer is Microsoft. 20000221 Microsoft signed software can be install software without prompting users Sample web sites on Microsoft Site Server 3.0 Commerce Edition do not validate an identification number, which allows remote attackers to execute SQL commands. 994 MS00-010 The Microsoft virtual machine (VM) in Internet Explorer 4.x and 5.x allows a remote attacker to read files via a malicious Java applet that escapes the Java sandbox, aka the "VM File Reading" vulnerability. MS00-011 asmon and ascpu in FreeBSD allow local users to gain root privileges via a configuration file. FreeBSD-SA-00:03 996 The installation of Sun Internet Mail Server (SIMS) creates a world-readable file that allows local users to obtain passwords. 1004 20000220 Sun Internet Mail Server The Delegate application proxy has several buffer overflows which allow a remote attacker to execute commands. FreeBSD-SA-00:04 K-023 Buffer overflow in the InterAccess telnet server TelnetD allows remote attackers to execute commands via a long login name. 20000221 Local / Remote Exploiteable Buffer Overflow Vulnerability in InterAccess TelnetD Server 4.0 for Windows NT 995 IIS Inetinfo.exe allows local users to cause a denial of service by creating a mail file with a long name and a .txt.eml extension in the pickup directory. 20000215 Crashing Inetinfo.exe by using a longfilename in the \mailroot\pickup directory Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the "DOS Device in Path Name" vulnerability. 20000306 con\con is a old thing (anyway is cool) MS00-017 1043 Batch files in the Oracle web listener ows-bin directory allow remote attackers to execute commands via a malformed URL that includes '?&'. 1053 20000314 Oracle Web Listener 4.0.x Buffer overflow in the man program in Linux allows local users to gain privileges via the MANPAGER environmental variable. 1011 atsadc in the atsar package for Linux does not properly check the permissions of an output file, which allows local users to gain root privileges. 1048 20000311 TESO advisory -- atsadc The mtr program only uses a seteuid call when attempting to drop privileges, which could allow local users to gain root privileges. 1038 Vulnerability in the EELS system in SCO UnixWare 7.1.x allows remote attackers to cause a denial of service. SB-00.08a StarOffice StarScheduler web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 1040 20000308 [SAFER 000309.EXP.1.4] StarScheduler (StarOffice) vulnerabilities Buffer overflow in StarOffice StarScheduler web server allows remote attackers to gain root access via a long GET command. 1039 20000308 [SAFER 000309.EXP.1.4] StarScheduler (StarOffice) vulnerabilities The default configuration of Serv-U 2.5d and earlier allows remote attackers to determine the real pathname of the server by requesting a URL for a directory or file that does not exist. 1016 20000228 Serv-U FTP-Server v2.4a showing real path DNSTools CGI applications allow remote attackers to execute arbitrary commands via shell metacharacters. 1028 20000302 DNSTools v1.08 has no input validation ServerIron switches by Foundry Networks have predictable TCP/IP sequence numbers, which allows remote attackers to spoof or hijack sessions. http://www.foundrynet.com/bugTraq.html 1017 HP OpenView OmniBack 2.55 allows remote attackers to cause a denial of service via a large number of connections to port 5555. 1015 HPSBUX0006-115 20000228 HP Omniback remote DoS Sojourn search engine allows remote attackers to read arbitrary files via a .. (dot dot) attack. 1052 20000313 SOJOURN Search engine exposes files sojourn-file-read(4197) Firewall-1 3.0 and 4.0 leaks packets with private IP address information, which could allow remote attackers to determine the real IP address of the host that is making the connection. 1054 1256 20000311 Our old friend Firewall-1 iPlanet Web Server 4.1 allows remote attackers to cause a denial of service via a large number of GET commands, which consumes memory and causes a kernel panic. Buffer overflow in ircII 4.4 IRC client allows remote attackers to execute commands via the DCC chat capability. 1046 RHSA-2000:008 20000310 Fwd: ircii-4.4 buffer overflow Linux printtool sets the permissions of printer configuration files to be world-readable, which allows local attackers to obtain printer share passwords. 1037 20000309 RealMedia RealServer reveals the real IP address of a Real Server, even if the address is supposed to be private. 1049 20000308 RealServer exposes internal IP addresses Buffer overflow in the dump utility in the Linux ext2fs backup package allows local users to gain privileges via a long command line argument. 1020 RHSA-2000:100 EZShopper 3.0 loadpage.cgi CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack or execute commands via shell metacharacters. 1014 20000227 EZ Shopper 3.0 shopping cart CGI remote command execution EZShopper 3.0 search.cgi CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack or execute commands via shell metacharacters. 1014 20000227 EZ Shopper 3.0 shopping cart CGI remote command execution ColdFusion Server 4.x allows remote attackers to determine the real pathname of the server via an HTTP request to the application.cfm or onrequestend.cfm files. 1021 AOL Instant Messenger (AIM) client allows remote attackers to cause a denial of service via a message with a malformed ASCII value. 20000303 Aol Instant Messenger DoS vulnerability Axis StorPoint CD allows remote attackers to access administrator URLs without authentication via a .. (dot dot) attack. 20000229 Infosec.20000229.axisstorpointcd.a 1025 19 The default installation of Caldera OpenLinux 2.3 includes the CGI program rpm_query, which allows remote attackers to determine what packages are installed on the system. 1036 20000304 OpenLinux 2.3: rpm_query The default configuration of Dosemu in Corel Linux 1.0 allows local users to execute the system.com program and gain privileges. 1030 20000302 Corel Linux 1.0 dosemu default configuration: Local root vuln buildxconf in Corel Linux allows local users to modify or create arbitrary files via the -x or -f parameters. 1007 20000224 Corel Linux 1.0 local root compromise setxconf in Corel Linux allows local users to gain root access via the -T parameter, which executes the user's .xserverrc file. 1008 20000224 Corel Linux 1.0 local root compromise Buffer overflow in mhshow in the Linux nmh package allows remote attackers to execute commands via malformed MIME headers in an email message. 1018 RHSA-2000:006 The Windows NT scheduler uses the drive mapping of the interactive user who is currently logged onto the system, which allows the local user to gain privileges by providing a Trojan horse batch file in place of the original batch file. 1050 20000313 AT Jobs - Denial of serice/Privilege Elevation Buffer overflow in POP3 and IMAP servers in the MERCUR mail server suite allows remote attackers to cause a denial of service. 1051 20000314 Local / Remote Multiples Remote DoS Attacks in MERCUR v3.2* for Windows 98/NT Vulnerability 20000314 Local / Remote Multiples Remote DoS Attacks in MERCUR v3.2* for Windows 98/NT Vulnerability When a new SQL Server is registered in Enterprise Manager for Microsoft SQL Server 7.0 and the "Always prompt for login name and password" option is not set, then the Enterprise Manager uses weak encryption to store the login ID and password. 1055 Buffer overflow in Microsoft Clip Art Gallery allows remote attackers to cause a denial of service or execute commands via a malformed CIL (clip art library) file, aka the "Clip Art Buffer Overrun" vulnerability. 1034 MS00-015 The window.showHelp() method in Internet Explorer 5.x does not restrict HTML help files (.chm) to be executed from the local host, which allows remote attackers to execute arbitrary commands via Microsoft Networking. 1033 Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 allow remote attackers to gain privileges via a malformed Select statement in an SQL query. 1041 MS00-014 The Trend Micro OfficeScan client tmlisten.exe allows remote attackers to cause a denial of service via malformed data to port 12345. http://www.antivirus.com/download/ofce_patch_35.htm 20000228 Re: TrendMicro OfficeScan tmlisten.exe DoS 1013 20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabilies The Trend Micro OfficeScan client allows remote attackers to cause a denial of service by making 5 connections to port 12345, which raises CPU utilization to 100%. 20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabilies 1013 20000226 DOS in Trendmicro OfficeScan http://www.antivirus.com/download/ofce_patch_35.htm Trend Micro OfficeScan allows remote attackers to replay administrative commands and modify the configuration of OfficeScan clients. http://www.antivirus.com/download/ofce_patch_35.htm 1013 20000303 TrendMicro OfficeScan, numerous security holes, remote files modification. 20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabilies The installation of Oracle 8.1.5.x on Linux follows symlinks and creates the orainstRoot.sh file with world-writeable permissions, which allows local users to gain privileges. 1035 20000305 Oracle installer problem SGI InfoSearch CGI program infosrch.cgi allows remote attackers to execute commands via shell metacharacters. 1031 20000501-01-P The htdig (ht://Dig) CGI program htsearch allows remote attackers to read arbitrary files by enclosing the file name with backticks (`) in parameters to htsearch. 1026 Buffer overflow in Lynx 2.x allows remote attackers to crash Lynx and possibly execute commands via a long URL in a malicious web page. 1012 The lit program in Sun Flex License Manager (FlexLM) follows symlinks, which allows local users to modify arbitrary files. 998 The Windows Media server allows remote attackers to cause a denial of service via a series of client handshake packets that are sent in an improper sequence, aka the "Misordered Windows Media Services Handshake" vulnerability. 1000 MS00-013 InterAccess TelnetID Server 4.0 allows remote attackers to conduct a denial of service via malformed terminal client configuration information. interaccess-telnet-dos(4033) 1001 The Sambar server includes batch files ECHO.BAT and HELLO.BAT in the CGI directory, which allow remote attackers to execute commands via shell metacharacters. 1002 20000223 Sambar Server alert! http://www.sambar.com/session/highlight?url=/syshelp/history.htm&words=security+&color=red FTP Explorer uses weak encryption for storing the username, password, and profile of FTP sites. 20000224 How the password could be recover using FTP Explorer's registry! 1003 Vulnerability in SCO cu program in UnixWare 7.x allows local users to gain privileges. 1019 Microsoft email clients in Outlook, Exchange, and Windows Messaging automatically respond to Read Receipt and Delivery Receipt tags, which could allow an attacker to flood a mail system with responses by forging a Read Receipt request that is redirected to a large distribution list. 20000229 mailbombing DoS easily exploitable against mail systems using MS mail clients. The default configuration of SSH allows X forwarding, which could allow a remote attacker to control a client's X sessions via a malicious xauth program. 1006 Buffer overflow in Linux mount and umount allows local users to gain root privileges via a long relative pathname. 7004 6980 CSSA-2000-002.0 Red Hat 6.0 allows local users to gain root access by booting single user and hitting ^C at the password prompt. 1005 20000223 redhat 6.0: single user boot security hole ZoneAlarm sends sensitive system and network information in cleartext to the Zone Labs server if a user requests more information about an event. The Nautica Marlin bridge allows remote attackers to cause a denial of service via a zero length UDP packet to the SNMP port. 1009 The installation for Windows 2000 does not activate the Administrator password until the system has rebooted, which allows remote attackers to connect to the ADMIN$ share without a password until the reboot occurs. 20000215 Windows 2000 installation process weakness 990 Buffer overflow in the wmcdplay CD player program for the WindowMaker desktop allows local users to gain root privileges via a long parameter. 1047 20000311 TESO advisory -- wmcdplay ARCserve agent in SCO UnixWare 7.x allows local attackers to gain root privileges via a symlink attack. 20000215 ARCserve symlink vulnerability The Pocsag POC32 program does not properly prevent remote users from accessing its server port, even if the option has been disabled. 1032 20000303 Pocsag remote access to client can't be disabled. 259 IIS 4.0 allows attackers to cause a denial of service by requesting a large buffer in a POST or PUT command which consumes memory, aka the "Chunked Transfer Encoding Buffer Overflow Vulnerability." MS00-018 1066 The Linux 2.2.x kernel does not restrict the number of Unix domain sockets as defined by the wmem_max paremeter, which allows local users to cause a denial of service by requesting a large number of sockets. linux-domain-socket-dos(4186) 1072 20000323 Local Denial-of-Service attack against Linux 20000328 Re: Local Denial-of-Service attack against Linux Microsoft Windows Media License Manager allows remote attackers to cause a denial of service by sending a malformed request that causes the manager to halt, aka the "Malformed Media License Request" Vulnerability. MS00-016 1058 gpm-root in the gpm package does not properly drop privileges, which allows local users to gain privileges by starting a utility from gpm-root. 1069 RHSA-2000:045 RHSA-2000:009 20000405 Security hole in gpm < 1.18.1 20000322 gpm-root Buffer overflow in imwheel allows local users to gain root privileges via the imwheel-solo script and a long HOME environmental variable. 1060 RHSA-2000:016 20000316 TESO & C-Skills development advisory -- imwheel Linux kreatecd trusts a user-supplied path that is used to find the cdrecord program, allowing local users to gain root privileges. 1061 20000316 "TESO & C-Skills development advisory -- kreatecd" at: Microsoft TCP/IP Printing Services, aka Print Services for Unix, allows an attacker to cause a denial of service via a malformed TCP/IP print request. MS00-021 1082 20000330 Remote DoS Attack in Windows 2000/NT 4.0 TCP/IP Print Request Server Vulnerability SuSE Linux IMAP server allows remote attackers to bypass IMAP authentication and gain privileges. 20000327 Security hole in SuSE Linux IMAP Server The default configuration of Cobalt RaQ2 and RaQ3 as specified in access.conf allows remote attackers to view sensitive contents of a .htaccess file. http://www.securityfocus.com/templates/advisory.html?id=2150 20000330 Cobalt apache configuration exposes .htaccess 1083 Buffer overflow in the huh program in the orville-write package allows local users to gain root privileges. FreeBSD-SA-00:10 1070 1263 Netscape Enterprise Server with Directory Indexing enabled allows remote attackers to list server directories via web publishing tags such as ?wp-ver-info and ?wp-cs-dump. 20000317 [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags 1063 Netscape Enterprise Server with Web Publishing enabled allows remote attackers to list arbitrary directories via a GET request for the /publisher directory, which provides a Java applet that allows the attacker to browse the directories. 1075 http://zsh.stupidphat.com/advisory.cgi?000311-1 Buffer overflow in the web server for Norton AntiVirus for Internet Email Gateways allows remote attackers to cause a denial of service via a long URL. 1064 20000317 DoS with NAVIEG Buffer overflow in the MERCUR WebView WebMail server allows remote attackers to cause a denial of service via a long mail_user parameter in the GET request. 20000315 Local / Remote DoS Attack in MERCUR WebView WebMail-Client 1.0 1056 20000315 Local / Remote DoS Attack in MERCUR WebView WebMail-Client 1.0 vqSoft vqServer program allows remote attackers to read arbitrary files via a /........../ in the URL, a variation of a .. (dot dot) attack. 1067 http://www.vqsoft.com/vq/server/faqs/dotdotbug.html 20000321 vqserver /........../ 270 vqSoft vqServer stores sensitive information such as passwords in cleartext in the server.cfg file, which allows attackers to gain privileges. 20000321 vqserver /........../ 1068 WindMail allows remote attackers to read arbitrary files or execute commands via shell metacharacters. 1073 20000325 Windmail allow web user get any file AnalogX SimpleServer:WWW HTTP server 1.03 allows remote attackers to cause a denial of service via a short GET request to cgi-bin. 1076 http://www.analogx.com/contents/download/network/sswww.htm simpleserver-exception-dos(4189) 20000324 AnalogX SimpleServer 1.03 Remote Crash" at: 1265 The Citrix ICA (Independent Computing Architecture) protocol uses weak encryption (XOR) for user authentication. 1077 20000328 Citrix ICA Basic Encryption Vulnerability in SGI IRIX objectserver daemon allows remote attackers to create user accounts. 20000328 Objectserver vulnerability irix-objectserver-create-accounts(4206) 1079 1267 K-030 20000303-01-PX IIS 4.0 and 5.0 does not properly perform ISAPI extension processing if a virtual directory is mapped to a UNC share, which allows remote attackers to read the source code of ASP and other files, aka the "Virtualized UNC Share" vulnerability. MS00-019 1081 Q249599 Unknown vulnerability in Generic-NQS (GNQS) allows local users to gain root privileges. 20000322 Local root compromise in GNQS 3.50.6 and 3.50.7 generic-nqs-local-root(4306) 1842 http://ftp.gnqs.org/pub/gnqs/source/by-version-number/v3.50/Generic-NQS-3.50.8-ChangeLog.txt FreeBSD-SA-00:13 The web GUI for the Linux Virtual Server (LVS) software in the Red Hat Linux Piranha package has a backdoor password that allows remote attackers to execute arbitrary commands. 20000424 Backdoor Password in Red Hat Linux Virtual Server Package The AIX Fast Response Cache Accelerator (FRCA) allows local users to modify arbitrary files via the configuration capability in the frcactrl program. 20000426 Insecure file handling in IBM AIX frcactrl program 1152 The crypt function in QNX uses weak encryption, which allows local users to decrypt passwords. 1114 20000414 qnx crypt comprimised HP-UX 11.04 VirtualVault (VVOS) sends data to unprivileged processes via an interface that has multiple aliased IP addresses. 1090 HPSBUX0004-112 The dansie shopping cart application cart.pl allows remote attackers to execute commands via a shell metacharacters in a form variable. 1115 20000411 Back Door in Commercial Shopping Cart dansie-shell-metacharacters The dansie shopping cart application cart.pl allows remote attackers to modify sensitive purchase information via hidden form fields. shopping-cart-form-tampering 1115 The dansie shopping cart application cart.pl allows remote attackers to obtain the shopping cart database and configuration information via a URL that references either the env, db, or vars form variables. dansie-form-variables 1115 The Nbase-Xyplex EdgeBlaster router allows remote attackers to cause a denial of service via a scan for the FormMail CGI program. 1091 20000405 SilverBack Security Advisory: Nbase-Xyplex DoS Buffer overflows in htimage.exe and Imagemap.exe in FrontPage 97 and 98 Server Extensions allow a user to conduct activities that are not otherwise available through the web site, aka the "Server-Side Image Map Components" vulnerability. 1117 MS00-028 frontpage-cern-bo(34720) 20070603 CERN &#304;mage Map Dispatcher Buffer overflow in the NetWare remote web administration utility allows remote attackers to cause a denial of service or execute commands via a long URL. 1118 20000418 Novell Netware 5.1 (server 5.00h, Dec 11, 1999)... IIS 4.0 and 5.0 allows remote attackers to cause a denial of service by sending many URLs with a large number of escaped characters, aka the "Myriad Escaped Characters" Vulnerability. MS00-023 1101 The default permissions for the Cryptography\Offload registry key used by the OffloadModExpo in Windows NT 4.0 allows local users to obtain compromise the cryptographic keys of other users. 1105 MS00-024 Buffer overflow in the dvwssr.dll DLL in Microsoft Visual Interdev 1.0 allows users to cause a denial of service or execute commands, aka the "Link View Server-Side Component" vulnerability. MS00-025 1109 282 The AVM KEN! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000418 AVM's Statement 1103 1282 20000415 (no subject) The AVM KEN! ISDN Proxy server allows remote attackers to cause a denial of service via a malformed request. 20000418 AVM's Statement 1103 20000415 (no subject) The X font server xfs in Red Hat Linux 6.x allows an attacker to cause a denial of service via a malformed request. 1111 20000416 xfs Panda Security 3.0 with registry editing disabled allows users to edit the registry and gain privileges by directly executing a .reg file or using other methods. http://updates.pandasoftware.com/docs/us/Avoidvulnerability.zip 20000417 bugs in Panda Security 3.0 1119 Panda Security 3.0 allows users to uninstall the Panda software via its Add/Remove Programs applet. 20000417 bugs in Panda Security 3.0 1119 http://updates.pandasoftware.com/docs/us/Avoidvulnerability.zip Internet Explorer 5.01 allows remote attackers to bypass the cross frame security policy via a malicious applet that interacts with the Java JSObject to modify the DOM properties to set the IFRAME to an arbitrary Javascript URL. 1121 20000418 IE 5 security vulnerablity - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy) Cisco Catalyst 5.4.x allows a user to gain access to the "enable" mode without a password. 20000419 Cisco Catalyst Enable Password Bypass Vulnerability 1122 1288 Cisco IOS 11.x and 12.x allows remote attackers to cause a denial of service by sending the ENVIRON option to the Telnet daemon before it is ready to accept it, which causes the system to reboot. 20000420 Cisco IOS Software TELNET Option Handling Vulnerability 1123 1289 Emacs 20 does not properly set permissions for a slave PTY device when starting a new subprocess, which allows local users to read or modify communications between Emacs and the subprocess. 1125 20000418 RUS-CERT Advisory 200004-01: GNU Emacs 20 The make-temp-name Lisp function in Emacs 20 creates temporary files with predictable names, which allows attackers to conduct a symlink attack. 1125 20000418 RUS-CERT Advisory 200004-01: GNU Emacs 20 read-passwd and other Lisp functions in Emacs 20 do not properly clear the history of recently typed keys, which allows an attacker to read unencrypted passwords. 1125 20000418 RUS-CERT Advisory 200004-01: GNU Emacs 20 RealNetworks RealServer allows remote attackers to cause a denial of service by sending malformed input to the server at port 7070. 1128 http://service.real.com/help/faq/servg270.html 20000420 Remote DoS attack in Real Networks Real Server Vulnerability PCAnywhere allows remote attackers to cause a denial of service by terminating the connection before PCAnywhere provides a login prompt. 1095 20000409 A funny way to DOS pcANYWHERE8.0 and 9.0 The Linux trustees kernel patch allows attackers to cause a denial of service by accessing a file or directory with a long name. http://www.braysystems.com/linux/trustees.html 1096 20000410 linux trustees 1.5 long path name vulnerability CRYPTOCard CryptoAdmin for PalmOS uses weak encryption to store a user's PIN number, which allows an attacker with access to the .PDB file to generate valid PT-1 tokens after cracking the PIN. 1097 20000410 CRYPTOCard PalmToken PIN Extraction 20000410 CRYPTOAdmin 4.1 server with PalmPilot PT-1 token 1.04 PIN Extract ion BeOS 4.5 and 5.0 allow local users to cause a denial of service via malformed direct system calls using interrupt 37. 1098 20000410 BeOS syscall bug Microsoft Excel 97 and 2000 does not warn the user when executing Excel Macro Language (XLM) macros in external text files, which could allow an attacker to execute a macro virus, aka the "XLM Text Macro" vulnerability. MS00-022 1087 1272 The SalesLogix Eviewer allows remote attackers to cause a denial of service by accessing the URL for the slxweb.dll administration program, which does not authenticate the user. 1089 20000331 SalesLogix Eviewer Web App Bug: URL request crashes eviewer web application BeOS allows remote attackers to cause a denial of service via malformed packets whose length field is less than the length of the headers. 1100 http://bebugs.be.com/devbugs/detail.php3?oid=2505312 20000407 BeOS Networking DOS Buffer overflow in the RealNetworks RealPlayer client versions 6 and 7 allows remote attackers to cause a denial of service via a long Location URL. 1088 20000403 Win32 RealPlayer 6/7 Buffer Overflow Buffer overflow in the Napster client beta 5 allows remote attackers to cause a denial of service via a long message. 20000330 Napster, Inc. response to Colten Edwards 20000326 neat little napster bug TalentSoft webpsvr daemon in the Web+ shopping cart application allows remote attackers to read arbitrary files via a .. (dot dot) attack on the webplus CGI program. 1102 20000412 TalentSoft Web+ Input Validation Bug Vulnerability ftp://ftp.talentsoft.com/Download/Webplus/Unix/Patches/Webplus46p%20Read%20me.html The default installation of IRIX Performance Copilot allows remote attackers to access sensitive system information via the pmcd daemon. 1106 20000412 Performance Copilot for IRIX 6.5 Buffer overflow in University of Washington imapd version 4.7 allows users with a valid account to execute commands via LIST or other commands. 1110 20000416 imapd4r1 v12.264 20000416 imapd4r1 v12.264 Buffer overflow in XFree86 3.3.x allows local users to execute arbitrary commands via a long -xkbmap parameter. 20000416 XFree86 server overflow 1306 X fontserver xfs allows local users to cause a denial of service via malformed input to the server. 1111 20000416 xfs The BizDB CGI script bizdb-search.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the dbname parameter. 1104 20000412 BizDB Search Script Enables Shell Command Execution at the Server Infonautics getdoc.cgi allows remote attackers to bypass the payment phase for accessing documents via a modified form variable. 20000412 Infonautic's getdoc.cgi may allow unauthorized access to documents IP masquerading in Linux 2.2.x allows remote attackers to route UDP packets through the internal interface by modifying the external source IP address and port number to match those of an established connection. 1078 20000327 Security Problems with Linux 2.2.x IP Masquerading 20000520 Security hole in kernel < 2.2.15 Buffer overflow in Webstar HTTP server allows remote attackers to cause a denial of service via a long GET request. 20000331 Webstar 4.0 Buffer overflow vulnerability macos-webstar-get-bo(4792) 1822 Buffer overflow in Star Office 5.1 allows attackers to cause a denial of service by embedding a long URL within a document. 1112 20000416 StarOffice 5.1 The Adtran MX2800 M13 Multiplexer allows remote attackers to cause a denial of service via a ping flood to the Ethernet interface, which causes the device to crash. 20000418 Adtran DoS 1129 aaa_base in SuSE Linux 6.3, and cron.daily in earlier versions, allow local users to delete arbitrary files by creating files whose names include spaces, which are then incorrectly interpreted by aaa_base when it deletes expired files from the /tmp directory. 1130 Buffer overflow in healthd for FreeBSD allows local users to gain root privileges. FreeBSD-SA-00:12 1107 606 Buffer overflow in LCDproc allows remote attackers to gain root privileges via the screen_add command. 20000420 Remote vulnerability in LCDproc 0.4 1131 lcdproc-remote-overflow(4315) GLSA-200301-07 7829 fcheck allows local users to gain privileges by embedding shell metacharacters into file names that are processed by fcheck. 1086 20000331 fcheck v.2.7.45 and insecure use of Perl's system() Allaire Forums 2.0.5 allows remote attackers to bypass access restrictions to secure conferences via the rightAccessAllForums or rightModerateAllForums variables. ASB00-06 1085 1270 The unattended installation of Windows 2000 with the OEMPreinstall option sets insecure permissions for the All Users and Default Users directories. win2k-unattended-install(4278) 1758 20000407 All Users startup folder left open if unattended install and OEMP reinstall=1 Buffer overflow in WebObjects.exe in the WebObjects Developer 4.5 package allows remote attackers to cause a denial of service via an HTTP request with long headers such as Accept. 20000404 WebObjects DoS The default encryption method of PcAnywhere 9.x uses weak encryption, which allows remote attackers to sniff and decrypt PcAnywhere or NT domain accounts. 1093 20000405 PcAnywhere weak password encryption Ipswitch IMAIL server 6.02 and earlier allows remote attackers to cause a denial of service via the AUTH CRAM-MD5 command. 1094 http://support.ipswitch.com/kb/IM-20000208-DM02.htm 20000405 Re: IMAIL (Ipswitch) DoS with Eudora (Qualcomm) Microsoft Index Server allows remote attackers to view the source code of ASP files by appending a %20 to the filename in the CiWebHitsFile argument to the null.htw URL. MS00-006 20000331 Alert: MS Index Server (CISADV000330) 1084 271 Quake3 Arena allows malicious server operators to read or modify files on a client via a dot dot (..) attack. http://www.quake3arena.com/news/index.html 20000503 Vulnerability in Quake3Arena Auto-Download Feature 1169 7531 Microsoft IIS 4.0 and 5.0 with the IISADMPWD virtual directory installed allows a remote attacker to cause a denial of service via a malformed request to the inetinfo.exe program, aka the "Undelimited .HTR Request" vulnerability. 20000511 Microsoft IIS Remote Denial of Service Attack 1191 MS00-031 Windows 95, Windows 98, Windows 2000, Windows NT 4.0, and Terminal Server systems allow a remote attacker to cause a denial of service by sending a large number of identical fragmented IP packets, aka jolt2 or the "IP Fragment Reassembly" vulnerability. MS00-029 20000519 jolt2 - Remote DoS against NT, W2K, 9x 1236 Buffer overflow in calserver in SCO OpenServer allows remote attackers to gain root access via a long message. 19981229 Local/remote exploit for SCO UNIX. SB-99.02 Vulnerability in xserver in SCO UnixWare 2.1.x and OpenServer 5.05 and earlier allows an attacker to cause a denial of service which prevents access to reserved port numbers below 1024. SB-99.07 Insecure file permissions for Netscape FastTrack Server 2.x, Enterprise Server 2.0, and Proxy Server 2.5 in SCO UnixWare 7.0.x and 2.1.3 allow an attacker to gain root privileges. SB-99.08 The i386 trace-trap handling in OpenBSD 2.4 with DDB enabled allows a local user to cause a denial of service. 6126 19990212 i386 trace-trap handling when DDB was configured could cause a system crash. IP fragment assembly in OpenBSD 2.4 allows a remote attacker to cause a denial of service by sending a large number of fragmented packets. 7539 19990217 IP fragment assembly can bog the machine excessively and cause problems. The Windows 2000 domain controller allows a malicious user to modify Active Directory information by modifying an unprotected attribute, aka the "Mixed Object Access" vulnerability. MS00-026 1145 cron in OpenBSD 2.5 allows local users to gain root privileges via an argv[] that is not NULL terminated, which is passed to cron's fake popen function. 19990830 In cron(8), make sure argv[] is NULL terminated in the fake popen() and run sendmail as the user, not as root. Vulnerability in OpenBSD 2.6 allows a local user to change interface media configurations. 7540 19991109 Any user can change interface media configurations. traceroute in NetBSD 1.3.3 and Linux systems allows local users to flood other systems by providing traceroute with a large waittime (-w) option, which is not parsed properly and sets the time delay for sending packets to zero. NetBSD-SA1999-004 19990213 traceroute as a flooder 7574 traceroute in NetBSD 1.3.3 and Linux systems allows local unprivileged users to modify the source address of the packets, which could be used in spoofing attacks. NetBSD-SA1999-004 19990213 traceroute as a flooder 7575 Buffer overflow in Solaris 7 lp allows local users to gain root privileges via a long -d option. 1143 20000424 Solaris 7 x86 lp exploit Buffer overflow in Solaris 7 lpset allows local users to gain root privileges via a long -r option. 1138 20000424 Solaris 7 x86 lpset exploit. 20000424 Solaris 7 x86 lpset exploit. 20000427 Re: Solaris/SPARC 2.7 lpset exploit (well not likely !) Atrium Mercur Mail Server 3.2 allows local attackers to read other user's email and create arbitrary files via a dot dot (..) attack. 1144 20000413 Security problems with Atrium Mercur Mailserver 3.20 mail.local in Sendmail 8.10.x does not properly identify the .\n string which identifies the end of message text, which allows a remote attacker to cause a denial of service or corrupt mailboxes via a message line that is 2047 characters long and ends in .\n. 1146 20000424 unsafe fgets() in sendmail's mail.local Qpopper 2.53 and 3.0 does not properly identify the \n string which identifies the end of message text, which allows a remote attacker to cause a denial of service or corrupt mailboxes via a message line that is 1023 characters long and ends in \n. 20000421 unsafe fgets() in qpopper 1133 Buffer overflow in IC Radius package allows a remote attacker to cause a denial of service via a long user name. 1147 20000424 Buffer Overflow in version .14 The passwd.php3 CGI script in the Red Hat Piranha Virtual Server Package allows local users to execure arbitrary commands via shell metacharacters. 1149 20000424 piranha default password/exploit RHSA-2000:014 The Microsoft Jet database engine allows an attacker to modify text files via a database query, aka the "Text I-ISAM" vulnerability. 19990728 Alert : MS Office 97 Vulnerability 595 MS99-030 pcAnywhere 8.x and 9.0 allows remote attackers to cause a denial of service via a TCP SYN scan, e.g. by nmap. 20000425 Denial of Service Against pcAnywhere. 1150 1301 pcanywhere-tcpsyn-dos(4347) 20010212 Re: Symantec pcAnywhere 9.0 DoS / Buffer Overflow 20010211 Symantec pcAnywhere 9.0 DoS / Buffer Overflow The Microsoft Jet database engine allows an attacker to execute commands via a database query, aka the "VBA Shell" vulnerability. jet-vba-shell(3155) 548 MS99-030 Meeting Maker uses weak encryption (a polyalphabetic substitution cipher) for passwords, which allows remote attackers to sniff and decrypt passwords for Meeting Maker accounts. 1151 http://support.on.com/support/mmxp.nsf/31af51e08bcc93eb852565a90056138b/11af70407a16b165852568c50056a952?OpenDocument Microsoft Virtual Machine (VM) allows remote attackers to escape the Java sandbox and execute commands via an applet containing an illegal cast operation, aka the "Virtual Machine Verifier" vulnerability. MS99-045 19991014 Another Microsoft Java Flaw Disovered Windows NT 4.0 generates predictable random TCP initial sequence numbers (ISN), which allows remote attackers to perform spoofing and session hijacking. MS99-046 19990824 NT Predictable Initial TCP Sequence numbers - changes observed with SP4 604 A Microsoft ActiveX control allows a remote attacker to execute a malicious cabinet file via an attachment and an embedded script in an HTML mail, aka the "Active Setup Control" vulnerability. MS99-048 The networking software in Windows 95 and Windows 98 allows remote attackers to execute commands via a long file name string, aka the "File Access URL" vulnerability. MS99-049 Buffer overflow in Microsoft command processor (CMD.EXE) for Windows NT and Windows 2000 allows a local user to cause a denial of service via a long environment variable, aka the "Malformed Environment Variable" vulnerability. 1135 MS00-027 20000421 CMD.EXE overflow (CISADV000420) UltraBoard.pl or UltraBoard.cgi CGI scripts in UltraBoard 1.6 allows remote attackers to read arbitrary files via a pathname string that includes a dot dot (..) and ends with a null byte. 1164 20000502 Fun with UltraBoard V1.6X 4065 1309 tcpdump, Ethereal, and other sniffer packages allow remote attackers to cause a denial of service via malformed DNS packets in which a jump offset refers to itself, which causes tcpdump to enter an infinite loop while decompressing the packet. 1165 20000502 Denial of service attack against tcpdump The Allaire Spectra container editor preview tool does not properly enforce object security, which allows an attacker to conduct unauthorized activities via an object-method that is added to the container object with a publishing rule. ASB00-10 1181 The resolver in glibc 2.1.3 uses predictable IDs, which allows a local attacker to spoof DNS query results. 1166 Linux OpenLDAP server allows local users to modify arbitrary files via a symlink attack. CSSA-2000-009.0 TLSA2000010-1 1232 RHSA-2000:012 Buffer overflow in Xsun X server in Solaris 7 allows local users to gain root privileges via a long -dev parameter. 1140 20000424 Solaris x86 Xsun overflow. Concurrent Versions Software (CVS) uses predictable temporary file names for locking, which allows local users to cause a denial of service by creating the lock directory before it is created for use by a legitimate CVS user. 1136 20000423 CVS DoS ZoneAlarm 2.1.10 and earlier does not filter UDP packets with a source port of 67, which allows remote attackers to bypass the firewall rules. 20000420 ZoneAlarm 1137 1294 Buffer overflow in Gnomelib in SuSE Linux 6.3 allows local users to execute arbitrary commands via the DISPLAY environmental variable. 1155 http://www.suse.com/us/support/download/updates/axp_63.html 20000428 SuSE 6.3 Gnomelib buffer overflow ATRIUM Cassandra NNTP Server 1.10 allows remote attackers to cause a denial of service via a long login name. 1156 20000501 Remote DoS attack in CASSANDRA NNTPServer v1.10 from ATRIUM Eudora 4.x allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment." http://www.peacefire.org/security/stealthattach/explanation.html http://news.cnet.com/news/0-1005-200-1773077.html?tag=st.ne.fd.lthd.1005-200-1773077 1157 Buffer overflow in Sniffit 0.3.x with the -L logging option enabled allows remote attackers to execute arbitrary commands via a long MAIL FROM mail header. 1158 20000502 spj-003-000 - S0ftPj Advisory The knfsd NFS server in Linux kernel 2.2.x allows remote attackers to cause a denial of service via a negative size value. 20000501 Linux knfsd DoS issue 1160 The on-line help system options in Cisco routers allows non-privileged users without "enabled" access to obtain sensitive information via the show command. 1161 20000502 Possible issue with Cisco on-line help? AppleShare IP 6.1 and later allows a remote attacker to read potentially sensitive information via an invalid range request to the web server. http://asu.info.apple.com/swupdates.nsf/artnum/n11670 20000502 INFO:AppleShare IP 6.3.2 squashes security bug 1162 Windows 95 and Windows 98 allow a remote attacker to cause a denial of service via a NetBIOS session request packet with a NULL source name. 1163 20000501 el8.org advisory - Win 95/98 DoS (RFParalyze.c) A vulnerability in the Sendmail configuration file sendmail.cf as installed in SCO UnixWare 7.1.0 and earlier allows an attacker to gain root privileges. SB-99.10 Vulnerability in the passthru driver in SCO UnixWare 7.1.0 allows an attacker to cause a denial of service. SB-99.13 A debugging feature in NetworkICE ICEcap 2.0.23 and earlier is enabled, which allows a remote attacker to bypass the weak authentication and post unencrypted events. http://www.securityfocus.com/templates/advisory.html?id=2220 http://advice.networkice.com/advice/Support/KB/q000166/ 1216 312 Some packaging commands in SCO UnixWare 7.1.0 have insecure privileges, which allows local users to add or remove software packages. SB-99.09 Pine before version 4.21 does not properly filter shell metacharacters from URLs, which allows remote attackers to execute arbitrary commands via a malformed URL. 19991117 Pine: expanding env vars in URLs (seems to be fixed as of 4.21) 810 19991227 Security hole in Pine < 4.21 CSSA-1999-036.0 Pine 4.x allows a remote attacker to execute arbitrary commands via an index.html file which executes lynx and obtains a uudecoded file from a malicious web server, which is then executed by Pine. http://www.securiteam.com/unixfocus/HHP-Pine_remote_exploit.html 1247 19990628 Execution of commands in Pine 4.x 19990911 Update for Pine (fixed IMAP support) mirror 2.8.x in Linux systems allows remote attackers to create files one level above the local target directory. 19990928 mirror 2.9 hole 681 19991001 Security hole in mirror 19991018 Incorrect directory name handling in mirror pg and pb in SuSE pbpg 1.x package allows an attacker to read arbitrary files. 19990920 Security hole in pbpg Pluggable Authentication Modules (PAM) in Red Hat Linux 6.1 does not properly lock access to disabled NIS accounts. RHSA-1999:040 697 ORBit and esound in Red Hat Linux 6.1 do not use sufficiently random numbers, which allows local users to guess the authentication keys. RHSA-1999:058-01 ORBit and gnome-session in Red Hat Linux 6.1 allows remote attackers to crash a program. RHSA-1999:058-01 Buffer overflow in Trivial HTTP (THTTPd) allows remote attackers to cause a denial of service or execute arbitrary commands via a long If-Modified-Since header. 1248 19991116 Security hole in thttpd 1.90a - 2.04 19991113 thttpd 2.04 stack overflow (VD#6) Buffer overflow in INN 2.2.1 and earlier allows remote attackers to cause a denial of service via a maliciously formatted article. CSSA-1999-038.0 1249 19991124 Security hole in inn <= 2.2.1 The PPP wvdial.lxdialog script in wvdial 1.4 and earlier creates a .config file with world readable permissions, which allows a local attacker in the dialout group to access login and password information. 19991214 Security hole in wvdial <= 1.4 Buffer overflows in Linux cdwtools 093 and earlier allows local users to gain root privileges. 738 19991019 Security hole in cdwtools < 093 Linux cdwtools 093 and earlier allows local users to gain root privileges via the /tmp directory. 738 19991019 Security hole in cdwtools < 093 screen and rxvt in Red Hat Linux 6.0 do not properly set the modes of tty devices, which allows local users to write to other ttys. 309 RHSA1999014_01 19990606 RedHat 6.0, /dev/pts permissions bug when using xterm 19990606 RedHat 6.0, /dev/pts permissions bug when using xterm Red Hat Linux 6.0 installs the /dev/pts file system with insecure modes, which allows local users to write to other tty devices. 308 RHSA1999014_01 19990606 RedHat 6.0, /dev/pts permissions bug when using xterm 19990606 RedHat 6.0, /dev/pts permissions bug when using xterm dump in Debian GNU/Linux 2.1 does not properly restore symlinks, which allows a local user to modify the ownership of arbitrary files. 1442 19991202 problem restoring symlinks Vulnerability in eterm 0.8.8 in Debian GNU/Linux allows an attacker to gain root privileges. 19990218 Root exploit in eterm Classic Cisco IOS 9.1 and later allows attackers with access to the loging prompt to obtain portions of the command history of previous users, which may allow the attacker to access sensitive data. 19981014 Cisco IOS Command History Release at Login Prompt J-009 The IDENT server in Caldera Linux 2.3 creates multiple threads for each IDENT request, which allows remote attackers to cause a denial of service. 1266 CSSA-1999-029.1 The debug option in Caldera Linux smail allows remote attackers to execute commands via shell metacharacters in the -D option for the rmail command. CSSA-1999-001.0 1268 The libmediatool library used for the KDE mediatool allows local users to create arbitrary files via a symlink attack. CSSA-1999-005.0 1269 Vulnerability in Caldera rmt command in the dump package 0.4b4 allows a local user to gain root privileges. linux-rmt CSSA-1999-014.0 7940 Vulnerabilities in the KDE kvt terminal program allow local users to gain root privileges. kde-kvt RHSA-1999:015-01 CSSA-1999-015.0 The default configuration of kdm in Caldera and Mandrake Linux, and possibly other distributions, allows XDMCP connections from any host, which allows remote attackers to obtain sensitive information or bypass additional access restrictions. xdmcp-kdm-default-configuration(4856) 1446 MDKSA-2002:025 CSSA-1999-021.0 The kernel in FreeBSD 3.2 follows symbolic links when it creates core dump files, which allows local attackers to modify arbitrary files. 6084 Buffer overflow in the HTTP proxy server for the i-drive Filo software allows remote attackers to execute arbitrary commands via a long HTTP GET request. 1324 The Remote Registry server in Windows NT 4.0 allows local authenticated users to cause a denial of service via a malformed request, which causes the winlogon process to fail, aka the "Remote Registry Access Authentication" vulnerability. MS00-040 1331 Q264684 oval:org.mitre.oval:def:1021 The pam_console PAM module in Linux systems performs a chown on various devices upon a user login, but an open file descriptor for those devices can be maintained after the user logs out, which allows that user to sniff activity on these devices when subsequent users log in. 1176 20000502 pam_console bug The Netopia R9100 router does not prevent authenticated users from modifying SNMP tables, even if the administrator has configured it to do so. 20000507 Advisory: Netopia R9100 router vulnerability http://www.netopia.com/equipment/purchase/fmw_update.html 1177 The IOS HTTP service in Cisco routers and switches running IOS 11.1 through 12.1 allows remote attackers to cause a denial of service by requesting a URL that contains a %% string. 1154 1302 20000514 Cisco IOS HTTP Server Vulnerability 20000426 Cisco HTTP possible bug: The Gossamer Threads DBMan db.cgi CGI script allows remote attackers to view environmental variables and setup information by referencing a non-existing database in the db parameter. http://www.perfectotech.com/blackwatchlabs/vul5_05.html 1178 20000505 Black Watch Labs Vulnerability Alert ColdFusion ClusterCATS appends stale query string arguments to a URL during HTML redirection, which may provide sensitive information to the redirected site. ASB00-12 1179 The file transfer component of AOL Instant Messenger (AIM) reveals the physical path of the transferred file to the remote recipient. 1180 20000507 AOL Instant Messenger NetStructure 7110 and 7180 have undocumented accounts (servnow, root, and wizard) whose passwords are easily guessable from the NetStructure's MAC address, which could allow remote attackers to gain root access. 1183 1182 20000508 NetStructure 7180 remote backdoor vulnerability 20000508 NetStructure 7110 console backdoor http://216.188.41.136/ FileMaker Pro 5 Web Companion allows remote attackers to bypass Field-Level database security restrictions via the XML publishing or email capabilities. http://www.filemaker.com/support/webcompanion.html http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html FileMaker Pro 5 Web Companion allows remote attackers to send anonymous or forged email. http://www.filemaker.com/support/webcompanion.html http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html The makelev program in the golddig game from the FreeBSD ports collection allows local users to overwrite arbitrary files. 1184 FreeBSD-SA-00:16 Buffer overflow in FreeBSD libmytinfo library allows local users to execute commands via a long TERMCAP environmental variable. 1185 FreeBSD-SA-00:17 Buffer overflow in krb_rd_req function in Kerberos 4 and 5 allows remote attackers to gain root privileges. CA-2000-06 1220 RHSA-2000:025 FreeBSD-SA-00:20 20000516 BUFFER OVERRUN VULNERABILITIES IN KERBEROS Buffer overflow in krb425_conv_principal function in Kerberos 5 allows remote attackers to gain root privileges. CA-2000-06 1220 RHSA-2000:025 4884 FreeBSD-SA-00:20 20000516 BUFFER OVERRUN VULNERABILITIES IN KERBEROS Buffer overflow in krshd in Kerberos 5 allows remote attackers to gain root privileges. CA-2000-06 1220 RHSA-2000:025 4876 FreeBSD-SA-00:20 20000516 BUFFER OVERRUN VULNERABILITIES IN KERBEROS Buffer overflow in ksu in Kerberos 5 allows local users to gain root privileges. CA-2000-06 1220 RHSA-2000:025 FreeBSD-SA-00:20 20000516 BUFFER OVERRUN VULNERABILITIES IN KERBEROS The KDE kscd program does not drop privileges when executing a program specified in a user's SHELL environmental variable, which allows the user to gain privileges by specifying an alternate program to execute. 1206 20000529 kmulti <= 1.1.2 20000516 kscd vulnerability NetProwler 3.0 allows remote attackers to cause a denial of service by sending malformed IP packets that trigger NetProwler's Man-in-the-Middle signature. 20000522 RFP2K05 - NetProwler "Fragmentation" Issue 1225 20000519 RFP2K05: NetProwler vs. RFProwler Buffer overflow in CProxy 3.3 allows remote users to cause a denial of service via a long HTTP request. 20000516 CProxy v3.3 SP 2 DoS 1213 The add.exe program in the Carello shopping cart software allows remote attackers to duplicate files on the server, which could allow the attacker to read source code for web scripts such as .ASP files. 1245 20000524 Alert: Carello File Creation flaw The EMURL web-based email account software encodes predictable identifiers in user session URLs, which allows a remote attacker to access a user's email account. 1203 20000515 Vulnerability in EMURL-based e-mail providers Buffer overflow in wconsole.dll in Rockliffe MailSite Management Agent allows remote attackers to execute arbitrary commands via a long query_string parameter in the HTTP GET request. 1244 20000524 Alert: Buffer overflow in Rockliffe's MailSite Buffer overflow in MDaemon POP server allows remote attackers to cause a denial of service via a long user name. 1250 20000524 Deerfield Communications MDaemon Mail Server DoS The Microsoft Active Movie ActiveX Control in Internet Explorer 5 does not restrict which file types can be downloaded, which allows an attacker to download any type of file to a user's system by encoding it within an email message or news post. 1221 20000516 MICROSOFT SECURITY FLAW? Buffer overflows in redirect.exe and changepw.exe in PDGSoft shopping cart allow remote attackers to execute arbitrary commands via a long query string. 1256 http://www.pdgsoft.com/Security/security2.html 20000525 Alert: PDG Cart Overflows 20000525 Alert: PDG Cart Overflows The Mixed Mode authentication capability in Microsoft SQL Server 7.0 stores the System Administrator (sa) account in plaintext in a log file which is readable by any user, aka the "SQL Server 7.0 Service Pack Password" vulnerability. MS00-035 1281 Q263968 The CIFS Computer Browser service on Windows NT 4.0 allows a remote attacker to cause a denial of service by sending a large number of host announcement requests to the master browse tables, aka the "HostAnnouncement Flooding" or "HostAnnouncement Frame" vulnerability. MS00-036 1261 Q263307 The CIFS Computer Browser service allows remote attackers to cause a denial of service by sending a ResetBrowser frame to the Master Browser, aka the "ResetBrowser Frame" vulnerability. MS00-036 1262 Q262694 Buffer overflow in L0pht AntiSniff allows remote attackers to execute arbitrary commands via a malformed DNS response packet. 20000515 AntiSniff version 1.01 and Researchers version 1 DNS overflow 1207 3179 Netscape Communicator before version 4.73 and Navigator 4.07 do not properly validate SSL certificates, which allows remote attackers to steal information by redirecting traffic from a legitimate web server to their own malicious server, aka the "Acros-Suencksen SSL" vulnerability. CA-2000-05 1188 RHSA-2000:028 http://www.acrossecurity.com/aspr/ASPR-2000-04-06-1-PUB.txt Buffer overflow in Solaris netpr program allows local users to execute arbitrary commands via a long -p option. 1200 20000512 New Solaris root exploit for /usr/lib/lp/bin/netpr IIS 4.05 and 5.0 allow remote attackers to cause a denial of service via a long, complex URL that appears to contain a large number of file extensions, aka the "Malformed Extension Data in URL" vulnerability. MS00-030 http://www.ussrback.com/labs40.html 1190 Q260205 Netscape 4.73 and earlier follows symlinks when it imports a new certificate, which allows local users to overwrite files of the user importing the certificate. 1201 20000510 Possible symlink problems with Netscape 4.73 ColdFusion Server 4.5.1 allows remote attackers to cause a denial of service by making repeated requests to a CFCACHE tagged cache file that is not stored in memory. 20000510 Cold Fusion Server 4.5.1 DoS Vulnerability. 1192 Matt Wright's FormMail CGI script allows remote attackers to obtain environmental variables via the env_report parameter. http://www.perfectotech.com/blackwatchlabs/vul5_10.html 1187 20000510 Black Watch Labs Vulnerability Alert The gnapster and knapster clients for Napster do not properly restrict access only to MP3 files, which allows remote attackers to read arbitrary files from the client by specifying the full pathname for the file. 1186 20000510 Gnapster Vulnerability Compromises User-readable Files 20000510 KNapster Vulnerability Compromises User-readable Files FreeBSD-SA-00:18 The shtml.exe program in the FrontPage extensions package of IIS 4.0 and 5.0 allows remote attackers to determine the physical path of HTML, HTM, ASP, and SHTML files by requesting a file that does not exist, which generates an error message that reveals the path. 1174 20000506 shtml.exe reveal local path of IIS web directory Vulnerability in shutdown command for HP-UX 11.X and 10.X allows allows local users to gain privileges via malformed input variables. 1214 HPSBUX0005-113 Buffer overflow in Outlook Express 4.x allows attackers to cause a denial of service via a mail or news message that has a .jpg or .bmp attachment with a long file name. 1195 20000512 Overflow in Outlook Express 4.* - too long filenames with graphic format extension NTMail 5.x allows network users to bypass the NTMail proxy restrictions by redirecting their requests to NTMail's web configuration server. http://www.gordano.com/support/archives/ntmail/2000-05/00001114.htm 20000511 NTMail Proxy Exploit 1196 The HTTP administration interface to the Cayman 3220-H DSL router allows remote attackers to cause a denial of service via a long username or password. 1219 20000523 Cayman 3220H DSL Router Software Update and New Bonus Attack 20000505 Cayman 3220-H DSL Router DOS The Cayman 3220-H DSL router allows remote attackers to cause a denial of service via oversized ICMP echo (ping) requests. 1240 20000523 Cayman 3220H DSL Router Software Update and New Bonus Attack The Office 2000 UA ActiveX Control is marked as "safe for scripting," which allows remote attackers to conduct unauthorized activities via the "Show Me" function in Office Help, aka the "Office 2000 UA Control" vulnerability. CA-2000-07 MS00-034 1197 Q262767 The default configuration of SYSKEY in Windows 2000 stores the startup key in the registry, which could allow an attacker tor ecover it and use it to decrypt Encrypted File System (EFS) data. 1198 20000511 ISS SAVANT Advisory 00/26 The process_bug.cgi script in Bugzilla allows remote attackers to execute arbitrary commands via shell metacharacters. 1199 20000510 Advisory: Unchecked system(blaat $var blaat) call in Bugzilla 2.8 Buffer overflow in Netwin DMailWeb CGI program allows remote attackers to execute arbitrary commands via a long utoken parameter. 1171 20000504 Alert: DMailWeb buffer overflow Buffer overflow in Netwin DNEWSWEB CGI program allows remote attackers to execute arbitrary commands via long parameters such as group, cmd, and utag. 1172 20000505 Alert: DNewsWeb buffer overflow The CGI counter 4.0.7 by George Burgyan allows remote attackers to execute arbitrary commands via shell metacharacters. 20000514 Vulnerability in CGI counter 4.0.7 by George Burgyan 1202 Buffer overflow in the Web Archives component of L-Soft LISTSERV 1.8 allows remote attackers to execute arbitrary commands. http://www.lsoft.com/news/default.asp?item=Advisory0 1167 20000505 Alert: Listserv Web Archives (wa) buffer overflow UltraBoard 1.6 and other versions allow remote attackers to cause a denial of service by referencing UltraBoard in the Session parameter, which causes UltraBoard to fork copies of itself. 1175 20000505 Re: Fun with UltraBoard V1.6X The Aladdin Knowledge Systems eToken device allows attackers with physical access to the device to obtain sensitive information without knowing the PIN of the owner by resetting the PIN in the EEPROM. 1170 3266 20000504 eToken Private Information Extraction and Physical Attack Buffer overflow in the SMTP gateway for InterScan Virus Wall 3.32 and earlier allows a remote attacker to execute arbitrary commands via a long filename for a uuencoded attachment. 1168 20000503 Trend Micro InterScan VirusWall Remote Overflow A backdoor password in Cart32 3.0 and earlier allows remote attackers to execute arbitrary commands. http://www.cart32.com/kbshow.asp?article=c048 20000427 Alert: Cart32 secret password backdoor (CISADV000427) Cart32 allows remote attackers to access sensitive debugging information by appending /expdate to the URL request. 1358 20000503 Another interesting Cart32 command Cobalt RaQ2 and RaQ3 does not properly set the access permissions and ownership for files that are uploaded via FrontPage, which allows attackers to bypass cgiwrap and modify files. 1238 http://archives.neohapsis.com/archives/bugtraq/2000-05/0305.html 20000522 Problem with FrontPage on Cobalt RaQ2/RaQ3 1346 The calender.pl and the calendar_admin.pl calendar scripts by Matt Kruse allow remote attackers to execute arbitrary commands via shell metacharacters. 1215 20000516 Vuln in calender.pl (Matt Kruse calender script) The SuSE aaa_base package installs some system accounts with home directories set to /tmp, which allows local users to gain privileges to those accounts by creating standard user startup scripts such as profiles. 20000502 aaabase < 2000.5.2 The administrative password for the Allmanage web site administration software is stored in plaintext in a file which could be accessed by remote attackers. 1217 20000516 Allmanage.pl Vulnerabilities The allmanageup.pl file upload CGI script in the Allmanage Website administration software 2.6 can be called directly by remote attackers, which allows them to modify user accounts or web pages. 1217 1337 20000516 Allmanage.pl Vulnerabilities MetaProducts Offline Explorer 1.2 and earlier allows remote attackers to access arbitrary files via a .. (dot dot) attack. http://www.metaproducts.com/mpOE-HY.html 1231 20000522 MetaProducts Offline Explorer Directory Traversal Vulnerability Buffer overflow in the CyberPatrol daemon "cyberdaemon" used in gauntlet and WebShield allows remote attackers to cause a denial of service or execute arbitrary commands. http://www.tis.com/support/cyberadvisory.html http://www.pgp.com/jump/gauntlet_advisory.asp 1234 322 20000522 Gauntlet CyberPatrol Buffer Overflow Buffer overflow in fdmount on Linux systems allows local users in the "floppy" group to execute arbitrary commands via a long mountpoint parameter. 1239 20000522 fdmount buffer overflow Internet Explorer 4.0 and 5.0 allows a malicious web site to obtain client cookies from another domain by including that domain name and escaped characters in a URL, aka the "Unauthorized Cookie Access" vulnerability. MS00-033 ie-cookie-disclosure(4447) 20000511 IE Domain Confusion Vulnerability is an Email problem also 20000510 IE Domain Confusion Vulnerability 1194 1326 NetBSD 1.4.2 and earlier allows remote attackers to cause a denial of service by sending a packet with an unaligned IP timestamp option. 1173 20000506 [NHC20000504a.0: NetBSD Panics when sent unaligned IP options] NetBSD-SA2000-002 Vulnerability in AIX 3.2.x and 4.x allows local users to gain write access to files on locally or remotely mounted AIX filesystems. 1241 ERS-OAR-E01-2000:087.1 Qpopper 2.53 and earlier allows local users to gain privileges via a formatting string in the From: header, which is processed by the euidl command. 1242 20000608 pop <= 2000.3.4 20000523 Qpopper 2.53 remote problem, user can gain gid=mail The web interface server in HP Web JetAdmin 5.6 allows remote attackers to read arbitrary files via a .. (dot dot) attack. 1243 1350 20000524 HP Web JetAdmin Version 5.6 Web interface Server Directory Traversal Vulnerability HP Web JetAdmin 6.0 allows remote attackers to cause a denial of service via a malformed URL to port 8000. 1246 20000524 HP Web JetAdmin Version 6.0 Remote DoS attack Vulnerability The pgpk command in PGP 5.x on Unix systems uses an insufficiently random data source for non-interactive key pair generation, which may produce predictable keys. CA-2000-09 1251 1355 20000523 Key Generation Security Flaw in PGP 5.0 Buffer overflow in MDBMS database server allows remote attackers to execute arbitrary commands via a long string. 1252 20000524 Remote xploit for MDBMS Buffer overflow in WebShield SMTP 4.5.44 allows remote attackers to execute arbitrary commands via a long configuration parameter to the WebShield remote management service. 20000525 DST2K0003 : Buffer Overrun in NAI WebShield SMTP v4.5.44 Managem ent Tool 1254 327 The WebShield SMTP Management Tool version 4.5.44 does not properly restrict access to the management port when an IP address does not resolve to a hostname, which allows remote attackers to access the configuration via the GET_CONFIG command. 20000525 DST2K0003 : Buffer Overrun in NAI WebShield SMTP v4.5.44 Managem ent Tool 1253 326 Omnis Studio 2.4 uses weak encryption (trivial encoding) for encrypting database fields. 1255 20000525 Omnis Weak Encryption - Many products affected Vulnerability in bbd server in Big Brother System and Network Monitor allows an attacker to execute arbitrary commands. 1257 20000518 FW: Security Notice: Big Brother System and Network Monitor The Intel express 8100 ISDN router allows remote attackers to cause a denial of service via oversized or fragmented ICMP packets. 1228 20000518 Remote Dos attack against Intel express 8100 router Buffer overflow in the ESMTP service of Lotus Domino Server 5.0.1 allows remote attackers to cause a denial of service via a long MAIL FROM command. 1229 321 20000518 Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl)) XFree86 3.3.x and 4.0 allows a user to cause a denial of service via a negative counter value in a malformed TCP packet that is sent to port 6000. 1235 20000518 Nasty XFree Xserver DoS CSSA-2000-012.0 Buffer overflow in Linux cdrecord allows local users to gain privileges via the dev parameter. 1265 20000607 Conectiva Linux Security Announcement - cdrecord 20000603 [Gael Duval ] [Security Announce] cdrecord 20000527 Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2) Buffer overflow in xlockmore xlock program version 4.16 and earlier allows local users to read sensitive data from memory via a long -mode option. 1267 20000529 Initialized Data Overflow in Xlock TLSA2000012-1 NetBSD-SA2000-003 NetBSD 1.4.2 and earlier allows local users to cause a denial of service by repeatedly running certain system calls in the kernel which do not yield the CPU, aka "cpu-hog". 1272 1365 NetBSD-SA2000-005 ISM.DLL in IIS 4.0 and 5.0 allows remote attackers to read file contents by requesting the file and appending a large number of encoded spaces (%20) and terminated with a .htr extension, aka the ".HTR File Fragment Reading" or "File Fragment Reading via .HTR" vulnerability. iis-ism-file-access(4448) 1193 MS00-031 20000511 Alert: IIS ism.dll exposes file contents The MSWordView application in IMP creates world-readable files in the /tmp directory, which allows other local users to read potentially sensitive information. 1360 20000424 Two Problems in IMP 2 IMP does not remove files properly if the MSWordView application quits, which allows local users to cause a denial of service by filling up the disk space by requesting a large number of documents and prematurely stopping the request. 1361 20000424 Two Problems in IMP 2 Buffer overflow in KDE kdesud on Linux allows local uses to gain privileges via a long DISPLAY environmental variable. 20000526 KDE: /usr/bin/kdesud, gid = 0 exploit 1274 The undocumented semconfig system call in BSD freezes the state of semaphores, which allows local users to cause a denial of service of the semaphore system by using the semconfig call. 1270 20000526 NetBSD-SA2000-004 FreeBSD-SA-00:19 ftpd in NetBSD 1.4.2 does not properly parse entries in /etc/ftpchroot and does not chroot the specified users, which allows those users to access other files outside of their home directory. 1273 1366 NetBSD-SA2000-006 BeOS 5.0 allows remote attackers to cause a denial of service via fragmented TCP packets. 1222 20000517 AUX Security Advisory on Be/OS 5.0 (DoS) Internet Explorer 4.x and 5.x allows remote attackers to execute arbitrary commands via a buffer overflow in the ActiveX parameter parsing capability, aka the "Malformed Component Attribute" vulnerability. MS00-033 1223 Q261257 Internet Explorer 4.x and 5.x does properly verify the domain of a frame within a browser window, which allows a remote attacker to read client files via the frame, aka the "Frame Domain Verification" vulnerability. MS00-033 1224 Q255676 Q251108 AIX cdmount allows local users to gain root privileges via shell metacharacters. 1384 20000620 Insecure call of external program in AIX cdmount Buffer overflow in Linux splitvt 1.6.3 and earlier allows local users to gain root privileges via a long password in the screen locking function. 20000614 Splitvt exploit 1346 man in HP-UX 10.20 and 11 allows local attackers to overwrite files via a symlink attack. 1302 20000601 HP Security vulnerability in the man command Selena Sol WebBanner 4.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000613 CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability 20000620 Re: CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability 1347 Allegro RomPager HTTP server allows remote attackers to cause a denial of service via a malformed authentication request. rompager-malformed-dos 1290 20000601 Hardware Exploit - Gets network Down Buffer overflow in ufsrestore in Solaris 8 and earlier allows local users to gain root privileges via a long pathname. VU#36866 1348 sol-ufsrestore-bo 1398 00210 20000614 Vulnerability in Solaris ufsrestore Buffer overflow in innd 2.2.2 allows remote attackers to execute arbitrary commands via a cancel request containing a long message ID. innd-cancel-overflow 1316 20000722 MDKSA-2000:023 inn update 20000721 [ANNOUNCE] INN 2.2.3 available 20000707 inn update 20000106 innd 2.2.2 remote buffer overflow CSSA-2000-016.0 Buffer overflow in AnalogX SimpleServer 1.05 allows a remote attacker to cause a denial of service via a long GET request for a program in the cgi-bin directory. 1349 http://www.analogx.com/contents/download/network/sswww.htm Real Networks RealServer 7.x allows remote attackers to cause a denial of service via a malformed request for a page in the viewsource directory. 1288 realserver-malformed-remote-dos 20000601 Remote DoS attack in RealServer: USSR-2000043 20000601 Remote DoS attack in Real Networks Real Server (Strike #2) Vulnerability Windows 2000 allows a local user process to access another user's desktop within the same windows station, aka the "Desktop Separation" vulnerability. win2k-desktop-separation 1350 MS00-020 xterm, Eterm, and rxvt allow an attacker to cause a denial of service by embedding certain escape characters which force the window to be resized. 1298 20000601 [rootshell.com] Xterm DoS Attack 20000601 [rootshell.com] Xterm DoS Attack Buffer overflow in Norton Antivirus for Exchange (NavExchange) allows remote attackers to cause a denial of service via a .zip file that contains long file names. 1351 antivirus-nav-zip-bo 20000614 Vulnerabilities in Norton Antivirus for Exchange In some cases, Norton Antivirus for Exchange (NavExchange) enters a "fail-open" state which allows viruses to pass through the server. 1351 antivirus-nav-fail-open 6266 20000614 Vulnerabilities in Norton Antivirus for Exchange Dragon FTP server allows remote attackers to cause a denial of service via a long USER command. 1352 20000616 Multiples Remotes DoS Attacks in Dragon Server v1.00 and v2.00 Dragon telnet server allows remote attackers to cause a denial of service via a long username. 1352 20000616 Multiples Remotes DoS Attacks in Dragon Server v1.00 and v2.00 Buffer overflow in KDE Kmail allows a remote attacker to cause a denial of service via an attachment with a long file name. 1380 20000601 Kmail heap overflow kde-kmail-attachment-dos Check Point Firewall-1 allows remote attackers to cause a denial of service by sending a large number of malformed fragmented IP packets. 1312 http://www.checkpoint.com/techsupport/alerts/list_vun.html#IP_Fragmentation fw1-packet-fragment-dos 1379 20000605 FW-1 IP Fragmentation Vulnerability The DocumentTemplate package in Zope 2.2 and earlier allows a remote attacker to modify DTMLDocuments or DTMLMethods without authorization. http://www.zope.org/Products/Zope/Hotfix_06_16_2000/security_alert 20000615 [Brian@digicool.com: [Zope] Zope security alert and 2.1.7 update [*important*]] zope-dtml-remote-modify 2000615 Conectiva Linux Security Announcement - ZOPE 1354 RHSA-2000:038 20000728 MDKSA-2000:026 Zope update FreeBSD-SA-00:38 Buffer overflow in Small HTTP Server allows remote attackers to cause a denial of service via a long GET request. small-http-get-overflow-dos 1355 20000616 Remote DoS Attack in Small HTTP Server ver. 1.212 Vulnerability 20000616 Remote DoS Attack in Small HTTP Server ver. 1.212 Vulnerability Microsoft SQL Server allows local users to obtain database passwords via the Data Transformation Service (DTS) package Properties dialog, aka the "DTS Password" vulnerability. MS00-041 mssql-dts-reveal-passwords 1292 20000530 Fw: Steal Passwords Using SQL Server EM Buffer overflow in Cisco TACACS+ tac_plus server allows remote attackers to cause a denial of service via a malformed packet with a long length field. 20000530 An Analysis of the TACACS+ Protocol and its Implementations http://archives.neohapsis.com/archives/bugtraq/2000-05/0370.html tacacsplus-packet-length-dos 1293 The Protected Store in Windows 2000 does not properly select the strongest encryption when available, which causes it to use a default of 40-bit encryption instead of 56-bit DES encryption, aka the "Protected Store Key Length" vulnerability. 1295 MS00-032 Buffer overflow in ITHouse mail server 1.04 allows remote attackers to execute arbitrary commands via a long RCPT TO mail command. ithouse-rcpt-overflow(4580) 20000601 DST2K0007: Buffer Overrun in ITHouse Mail Server v1.04 1285 FreeBSD, NetBSD, and OpenBSD allow an attacker to cause a denial of service by creating a large number of socket pairs using the socketpair function, setting a large buffer size via setsockopt, then writing large buffers. bsd-setsockopt-dos 19990826 Local DoS in FreeBSD 20000601 Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability - Mac OS X affected 622 Buffer overflow in the NetWin DSMTP 2.7q in the NetWin dmail package allows remote attackers to execute arbitrary commands via a long ETRN request. 1297 dmail-etrn-dos http://netwinsite.com/dmail/security.htm 20000601 Netwin's Dmail package Buffer overflow in the XDMCP parsing code of GNOME gdm, KDE kdm, and wdm allows remote attackers to execute arbitrary commands or cause a denial of service via a long FORWARD_QUERY request. CSSA-2000-013.0 1370 1279 1233 20000524 Security hole in gdm <= 2.0beta4-25 20000607 Conectiva Linux Security Announcement - gdm 20000521 "gdm" remote hole PassWD 1.2 uses weak encryption (trivial encoding) to store passwords, which allows an attacker who can read the password file to easliy decrypt the passwords. 20000609 Insecure encryption in PassWD v1.2 1300 Buffer overflow in Simple Network Time Sync (SMTS) daemon allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long string. timesync-bo-execute 20000601 Vulnerability in SNTS 1289 Veritas Volume Manager creates a world writable .server_pids file, which allows local users to add arbitrary commands into the file, which is then executed by the vmsa_server script. 1356 20000616 Veritas Volume Manager 3.0.x hole http://seer.support.veritas.com/tnotes/volumeman/230053.htm Microsoft Windows Media Encoder allows remote attackers to cause a denial of service via a malformed request, aka the "Malformed Windows Media Encoder Request" vulnerability. ms-malformed-media-dos MS00-038 1282 IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. 20000612 IBM WebSphere JSP showcode vulnerability http://www-4.ibm.com/software/webservers/appserv/efix.html 1328 Unify eWave ServletExec allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. ewave-servletexec-jsp-source-read(4649) 20000608 Potential vulnerability in Unify eWave ServletExec 1328 The default configuration of BEA WebLogic 3.1.8 through 4.5.1 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. 1328 http://developer.bea.com/alerts/security_000612.html weblogic-jsp-source-read 20000612 BEA WebLogic JSP showcode vulnerability The default configuration of BEA WebLogic 5.1.0 allows a remote attacker to view source code of programs by requesting a URL beginning with /file/, which causes the default servlet to display the file without further processing. 1378 weblogic-file-source-read http://www.weblogic.com/docs51/admindocs/http.html#file 20000621 BEA WebLogic /file/ showcode vulnerability Race condition in MDaemon 2.8.5.0 POP server allows local users to cause a denial of service by entering a UIDL command and quickly exiting the server. mdaemon-pass-dos 20000616 mdaemon 2.8.5.0 WinNT and Win9x remote DoS 1366 Mcafee VirusScan 4.03 does not properly restrict access to the alert text file before it is sent to the Central Alert Server, which allows local users to modify alerts in an arbitrary fashion. 1326 20000607 Mcafee Alerting DOS vulnerability mcafee-alerting-dos(4641) 6287 The IFRAME of the WebBrowser control in Internet Explorer 5.01 allows a remote attacker to violate the cross frame security policy via the NavigateComplete2 event. 20000606 IE 5 Cross-frame security vulnerability using IFRAME and WebBrowser control 1311 libICE in XFree86 allows remote attackers to cause a denial of service by specifying a large value which is not properly checked by the SKIP_STRING macro. 1369 http://www.xfree86.org/security/ 20000619 XFree86: libICE DoS The Apache 1.3.x HTTP server for Windows platforms allows remote attackers to list directory contents by requesting a URL containing a large number of / characters. 20000603 Re: IBM HTTP SERVER / APACHE 1284 ibm-http-file-retrieve The "capabilities" feature in Linux before 2.2.16 allows local users to cause a denial of service or gain privileges by setting the capabilities to prevent a setuid program from dropping privileges, aka the "Linux kernel setuid/setcap vulnerability." 20000609 Sendmail & procmail local root exploits on Linux kernel up to 2.2.16pre5 1322 RHSA-2000:037 20000608 CONECTIVA LINUX SECURITY ANNOUNCEMENT - kernel 20000609 Trustix Security Advisory 20000802-01-P Imate Webmail Server 2.5 allows remote attackers to cause a denial of service via a long HELO command. nt-webmail-dos 20000601 DST2K0006: Denial of Service Possibility in Imate WebMail Server 1286 rpc.lockd in Red Hat Linux 6.1 and 6.2 allows remote attackers to cause a denial of service via a malformed request. 1372 20000608 Remote DOS in linux rpc.lockd linux-lockd-remote-dos Buffer overflows in the finger and whois demonstration scripts in Sambar Server 4.3 allow remote attackers to execute arbitrary commands via a long hostname. 1287 20000601 DST2K0008: Buffer Overrun in Sambar Server 4.3 CUPS (Common Unix Printing System) 1.04 and earlier allows remote attackers to cause a denial of service via a malformed IPP request. ftp://ftp.easysw.com/pub/cups/1.0.5/cups-DoS.patch 1373 debian-cups-malformed-ipp 20000620 CUPS DoS Bugs CUPS (Common Unix Printing System) 1.04 and earlier allows remote attackers to cause a denial of service via a CGI POST request. ftp://ftp.easysw.com/pub/cups/1.0.5/cups-DoS.patch 1373 debian-cups-posts 20000620 CUPS DoS Bugs CUPS (Common Unix Printing System) 1.04 and earlier does not properly delete request files, which allows a remote attacker to cause a denial of service. ftp://ftp.easysw.com/pub/cups/1.0.5/cups-DoS.patch 1373 debian-cups-posts 20000620 CUPS DoS Bugs CUPS (Common Unix Printing System) 1.04 and earlier allows remote attackers to cause a denial of service by authenticating with a user name that does not exist or does not have a shadow password. ftp://ftp.easysw.com/pub/cups/1.0.5/cups-DoS.patch debian-cups-posts 1373 20000620 CUPS DoS Bugs GSSFTP FTP daemon in Kerberos 5 1.1.x does not properly restrict access to some FTP commands, which allows remote attackers to cause a denial of service, and local users to gain root privileges. kerberos-gssftpd-dos http://web.mit.edu/kerberos/www/advisories/ftp.txt 20000614 Security Advisory: REMOTE ROOT VULNERABILITY IN GSSFTP DAEMON 1374 4885 The snmpd.conf configuration file for the SNMP daemon (snmpd) in HP-UX 11.0 is world writable, which allows local users to modify SNMP configuration or gain privileges. hpux-snmp-daemon 20000608 Re: HP-UX SNMP daemon vulnerability 20000607 [ Hackerslab bug_paper ] HP-UX SNMP daemon vulnerability 1327 When configured to store configuration information in an LDAP directory, Shiva Access Manager 5.0.0 stores the root DN (Distinguished Name) name and password in cleartext in a file that is world readable, which allows local users to compromise the LDAP server. 20000606 Shiva Access Manager 5.0.0 Plaintext LDAP root password. shiva-plaintext-ldap-password 1329 Netscape 4.73 and earlier does not properly warn users about a potentially invalid certificate if the user has previously accepted the certificate for a different web site, which could allow remote attackers to spoof a legitimate web site by compromising that site's DNS information. CA-2000-08 netscape-ssl-certificate 1260 Internet Explorer 4.x and 5.x does not properly verify all contents of an SSL certificate if a connection is made to the server via an image or a frame, aka one of two different "SSL Certificate Validation" vulnerabilities. CA-2000-10 ie-invalid-frame-image-certificate 1309 MS00-039 http://www.acrossecurity.com/aspr/ASPR-1999-12-15-1-PUB.txt Internet Explorer 4.x and 5.x does not properly re-validate an SSL certificate if the user establishes a new SSL session with the same server during the same Internet Explorer session, aka one of two different "SSL Certificate Validation" vulnerabilities. CA-2000-10 ie-revalidate-certificate 1309 MS00-039 http://www.acrossecurity.com/aspr/ASPR-1999-12-15-1-PUB.txt Buffer overflow in restore program 0.4b17 and earlier in dump package allows local users to execute arbitrary commands via a long tape name. 1330 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11880 20000630 CONECTIVA LINUX SECURITY ANNOUNCEMENT - dump Savant web server allows remote attackers to read source code of CGI scripts via a GET request that does not include the HTTP version number. 1313 20000605 MDMA Advisory #5: Reading of CGI Scripts under Savant Webserver savant-source-read RSA ACE/Server allows remote attackers to cause a denial of service by flooding the server's authentication request port with UDP packets, which causes the server to crash. aceserver-udp-packet-dos 1332 20000714 Re: RSA Aceserver UDP Flood Vulnerability ftp://ftp.securid.com/support/outgoing/dos/readme.txt 20000608 Potential DoS Attack on RSA's ACE/Server Buffer overflow in the logging feature of EServ 2.9.2 and earlier allows an attacker to execute arbitrary commands via a long MKD command. eserv-logging-overflow 1315 20000606 MDMA Advisory #6: EServ Logging Heap Overflow Vulnerability Microsoft Outlook and Outlook Express allow remote attackers to cause a denial of service by sending email messages with blank fields such as BCC, Reply-To, Return-Path, or From. 1333 20000604 Microsoft Outlook (Express) bug.. OpenSSH does not properly drop privileges when the UseLogin option is enabled, which allows local users to execute arbitrary commands by providing the command to the ssh daemon. openssh-uselogin-remote-exec 1334 341 20000606 The non-default UseLogin feature in /etc/sshd_config is broken and should not be used. 20000609 OpenSSH's UseLogin option allows remote access with root privilege. mailview.cgi CGI program in MailStudio 2000 2.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack. 1335 20000609 Mailstudio2000 CGI Vulnerabilities [S0ftPj.4] userreg.cgi CGI program in MailStudio 2000 2.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters. 1335 20000609 Mailstudio2000 CGI Vulnerabilities [S0ftPj.4] Net Tools PKI Server does not properly restrict access to remote attackers when the XUDA template files do not contain absolute pathnames for other files. nettools-pki-unauthenticated-access 1364 20000619 Net Tools PKI server exploits ftp://ftp.tis.com/gauntlet/hide/pki/hotfix.txt 4353 Net Tools PKI Server allows remote attackers to cause a denial of service via a long HTTP request. nettools-pki-http-bo 1363 20000619 Net Tools PKI server exploits ftp://ftp.tis.com/gauntlet/hide/pki/hotfix.txt 4352 The KApplication class in the KDE 1.1.2 configuration file management capability allows local users to overwrite arbitrary files. kde-configuration-file-creation 1291 20000531 KDE::KApplication feature? RHSA-2000:032 CSSA-2000-015.0 Linux gpm program allows local users to cause a denial of service by flooding the /dev/gpmctl device with STREAM sockets. linux-gpm-gpmctl-dos 1377 20000620 Bug in gpm RHSA-2000:045 20000728 MDKSA:2000-025 gpm update A FreeBSD patch for SSH on 2000-01-14 configures ssh to listen on port 722 as well as port 22, which might allow remote attackers to access SSH through port 722 even if port 22 is otherwise filtered. freebsd-ssh-ports 1323 FreeBSD-SA-00:21 1387 Vulnerability in cvconnect in SGI IRIX WorkShop allows local users to overwrite arbitrary files. irix-workshop-cvconnect-overwrite 1379 20000601-01-P The apsfilter software in the FreeBSD ports package does not properly read user filter configurations, which allows local users to execute commands as the lpd user. 1325 apsfilter-elevate-privileges 1389 OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the existence of the /dev/random or /dev/urandom devices, which are absent on FreeBSD Alpha systems, which causes them to produce weak keys which may be more easily broken. 1340 FreeBSD-SA-00:25 xinetd 2.1.8.x does not properly restrict connections if hostnames are used for access control and the connecting host does not have a reverse DNS entry. xinetd-improper-restrictions http://www.synack.net/xinetd/ 1381 20000619 xinetd: bug in access control mechanism BRU backup software allows local users to append data to arbitrary files by specifying an alternate configuration file with the BRUEXECLOG environmental variable. bru-execlog-env-variable 1321 20000606 BRU Vulnerability CSSA-2000-018.0 ColdFusion Administrator for ColdFusion 4.5.1 and earlier allows remote attackers to cause a denial of service via a long login password. coldfusion-parse-dos 1314 ASB00-14 3399 20000607 New Allaire ColdFusion DoS Servlet examples in Allaire JRun 2.3.x allow remote attackers to obtain sensitive information, e.g. listing HttpSession ID's via the SessionServlet servlet. jrun-read-sample-files 1386 ASB00-015 818 JSP sample files in Allaire JRun 2.3.x allow remote attackers to access arbitrary files (e.g. via viewsource.jsp) or obtain configuration information. jrun-read-sample-files 1386 ASB00-015 2713 The Panda Antivirus console on port 2001 allows local users to execute arbitrary commands without authentication via the CMD command. 1359 20000617 Infosec.20000617.panda.a panda-antivirus-remote-admin(4707) Tigris remote access server before 11.5.4.22 does not properly record Radius accounting information when a user fails the initial login authentication but subsequently succeeds. tigris-radius-login-failure 1345 20000612 ACC/Ericsson Tigris Accounting Failure The command port for PGP Certificate Server 2.5.0 and 2.5.1 allows remote attackers to cause a denial of service if their hostname does not have a reverse DNS entry and they connect to port 4000. pgp-cert-server-dos 1343 20000614 Remote DoS attack in Networks Associates PGP Certificate Server Version 2.5 Vulnerability Windows NT and Windows 2000 hosts allow a remote attacker to cause a denial of service via malformed DCE/RPC SMBwriteX requests that contain an invalid data length. 1304 20000604 anonymous SMBwriteX DoS Buffer overflow in mailx mail command (aka Mail) on Linux systems allows local users to gain privileges via a long -c (carbon copy) parameter. 1305 20000605 mailx: mail group exploit in mailx 20000602 /usr/bin/Mail exploit for Slackware 7.0 (mail-slack.c) Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the lastrealm variable in the set_tgtkey function. CA-2000-11 20000609 Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC 1338 http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt K-051 Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the localrealm variable in the process_v4 function. CA-2000-11 20000609 Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC 1338 http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt K-051 Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the e_msg variable in the kerb_err_reply function. CA-2000-11 20000609 Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt RHSA-2000:031 4875 K-051 Kerberos 4 KDC program does not properly check for null termination of AUTH_MSG_KDC_REQUEST requests, which allows remote attackers to cause a denial of service via a malformed request. CA-2000-11 20000609 Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt RHSA-2000:031 K-051 Kerberos 4 KDC program improperly frees memory twice (aka "double-free"), which allows remote attackers to cause a denial of service. CA-2000-11 http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt 1465 RHSA-2000:031 K-051 20000609 Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC The file transfer mechanism in Danware NetOp 6.0 does not provide authentication, which allows remote attackers to access and modify arbitrary files. danware-netop-bypass-security(4569) 1263 20000523 I think ICQwebmail client for ICQ 2000A creates a world readable temporary file during login and does not delete it, which allows local users to obtain sensitive information. 1307 20000606 ICQ2000A ICQmail temparary internet link vulnearbility icq-temp-link Race condition in IPFilter firewall 3.4.3 and earlier, when configured with overlapping "return-rst" and "keep state" rules, allows remote attackers to bypass access restrictions. 1308 20000525 Security Vulnerability in IPFilter 3.3.15 and 3.4.3 ipfilter-firewall-race-condition 1377 Ceilidh allows remote attackers to obtain the real path of the Ceilidh directory via the translated_path hidden form field. 20000608 DST2K0010: DoS & Path Revealing Vulnerability in Ceilidh v2.60a 1320 Ceilidh allows remote attackers to cause a denial of service via a large number of POST requests. 20000608 DST2K0010: DoS & Path Revealing Vulnerability in Ceilidh v2.60a ceilidh-post-dos 1320 Buffer overflow in the web interface for Cmail 2.4.7 allows remote attackers to cause a denial of service by sending a large user name to the user dialog running on port 8002. cmail-long-username-dos 1319 20000608 DST2K0011: DoS & BufferOverrun in CMail v2.4.7 WebMail http://www.computalynx.net/news/Jun2000/news0806200001.html Buffer overflow in the web interface for Cmail 2.4.7 allows remote attackers to execute arbitrary commands via a long GET request. cmail-get-overflow-execute 1318 20000608 DST2K0011: DoS & BufferOverrun in CMail v2.4.7 WebMail Buffer overflow in HP Openview Network Node Manager 6.1 allows remote attackers to execute arbitrary commands via the Alarm service (OVALARMSRV) on port 2345. 1317 20000608 DST2K0012: BufferOverrun in HP Openview Network Node Manager v6.1 eTrust Intrusion Detection System (formerly SessionWall-3) uses weak encryption (XOR) to store administrative passwords in the registry, which allows local users to easily decrypt the passwords. 1341 20000607 SessionWall-3 Paper + (links to) code Buffer overflow in WebBBS 1.15 allows remote attackers to execute arbitrary commands via a long HTTP GET request. webbbs-get-request-overflow 1365 20000620 DST2K0018: Multiple BufferOverruns in WebBBS HTTP Server v1.15 3544 BlackIce Defender 2.1 and earlier, and BlackIce Pro 2.0.23 and earlier, do not properly block Back Orifice traffic when the security setting is Nervous or lower. 20000620 BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2 The URLConnection function in MacOS Runtime Java (MRJ) 2.1 and earlier and the Microsoft virtual machine (VM) for MacOS allows a malicious web site operator to connect to arbitrary hosts using a HTTP redirection, in violation of the Java security model. 20000609 Security Holes Found in URLConnection of MRJ and IE of Mac OS (was Re: Reappearance of an old IE security bug) 1336 20000513 Re: Reappearance of an old IE security bug The guestbook CGI program in ICQ Web Front service for ICQ 2000a, 99b, and others allows remote attackers to cause a denial of service via a URL with a long name parameter. 20000529 ICQ Web Front Remote DoS Attack Vulnerability SmartFTP Daemon 0.2 allows a local user to access arbitrary files by uploading and specifying an alternate user configuration file via a .. (dot dot) attack. smartftp-directory-traversal 1344 20000613 SmartFTP Daemon v0.2 Beta Build 9 - Remote Exploit 1394 makewhatis in Linux man package allows local users to overwrite files via a symlink attack. linux-man-makewhatis-tmp 1434 RHSA-2000:041 MDKSA-2000:015 20000727 CONECTIVA LINUX SECURITY ANNOUNCEMENT - MAN CSSA-2000-021.0 Buffer overflow in Microsoft Outlook and Outlook Express allows remote attackers to execute arbitrary commands via a long Date field in an email header, aka the "Malformed E-mail Header" vulnerability. outlook-date-overflow 1481 MS00-043 Sybergen Secure Desktop 2.1 does not properly protect against false router advertisements (ICMP type 9), which allows remote attackers to modify default routes. 20000630 Multiple vulnerabilities in Sybergen Secure Desktop 1417 Sybergen Sygate allows remote attackers to cause a denial of service by sending a malformed DNS UDP packet to its internal interface. 1420 20000630 Any LAN user can crash Sygate sygate-udp-packet-dos(5049) FirstClass Internet Services server 5.770, and other versions before 6.1, allows remote attackers to cause a denial of service by sending an email with a long To: mail header. firstclass-large-bcc-dos(4843) 1421 20000627 DoS in FirstClass Internet Services 5.770 5718 LocalWEB HTTP server 1.2.0 allows remote attackers to cause a denial of service via a long GET request. localweb-get-bo 20000703 Remote DoS Attack in LocalWEB HTTP Server 1.2.0 Vulnerability 1423 The Razor configuration management tool uses weak encryption for its password file, which allows local users to gain privileges. 20000704 Recovering Passwords in Visible Systems' Razor 1424 The lreply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary commands via the SITE EXEC command. CA-2000-13 wuftp-format-string-stack-overwrite(4773) 20000623 ftpd: the advisory version 1387 RHSA-2000:039 CSSA-2000-020.0 20000707 New Released Version of the WuFTPD Sploit 20000623 WUFTPD 2.6.0 remote root exploit 20000622 WuFTPD: Providing *remote* root since at least1994 20000702 [Security Announce] wu-ftpd update 20000723 CONECTIVA LINUX SECURITY ANNOUNCEMENT - WU-FTPD (re-release) NetBSD-SA2000-009 FreeBSD-SA-00:29 AA-2000.02 FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd do not properly cleanse untrusted format strings that are used in the setproctitle function (sometimes called by set_proc_title), which allows remote attackers to cause a denial of service or execute arbitrary commands. CA-2000-13 1438 1425 20000710 opieftpd setproctitle() patches 20000706 ftpd and setproctitle() 20000705 proftp advisory NetBSD-SA2000-009 SSH 1.2.27 with Kerberos authentication support stores Kerberos tickets in a file which is created in the current directory of the user who is logging in, which could allow remote attackers to sniff the ticket cache if the home directory is installed on NFS. ssh-kerberos-tickets-disclosure(4903) 1426 20000630 Kerberos security vulnerability in SSH-1.2.27 Oracle Web Listener for AIX versions 4.0.7.0.0 and 4.0.8.1.0 allows remote attackers to cause a denial of service via a malformed URL. 1427 20000704 Oracle Web Listener for AIX DoS Netscape Professional Services FTP Server 1.3.6 allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000621 Netscape FTP Server - "Professional" as hell :> 1411 20000629 (forw) Re: Netscape ftp Server (fwd) SGI MIPSPro compilers C, C++, F77 and F90 generate temporary files in /tmp with predictable file names, which could allow local users to insert malicious contents into these files as they are being compiled by another user. 1412 20000621 Predictability Problems in IRIX Cron and Compilers IRIX crontab creates temporary files with predictable file names and with the umask of the user, which could allow local users to modify another user's crontab file as it is being edited. 1413 20000621 Predictability Problems in IRIX Cron and Compilers Windows 2000 Server allows remote attackers to cause a denial of service by sending a continuous stream of binary zeros to various TCP and UDP ports, which significantly increases the CPU utilization. 20000630 SecureXpert Advisory [SX-20000620-2] 1415 Windows 2000 Telnet Server allows remote attackers to cause a denial of service by sending a continuous stream of binary zeros, which causes the server to crash. 20000630 SecureXpert Advisory [SX-20000620-1] 1414 Check Point FireWall-1 4.0 and 4.1 allows remote attackers to cause a denial of service by sending a stream of invalid commands (such as binary zeros) to the SMTP Security Server proxy. 20000630 SecureXpert Advisory [SX-20000620-3] http://www.checkpoint.com/techsupport/alerts/list_vun.html#SMTP_Security 1416 1438 vchkpw program in vpopmail before version 4.8 does not properly cleanse an untrusted format string used in a call to syslog, which allows remote attackers to cause a denial of service via a USER or PASS command that contains arbitrary formatting directives. http://www.vpopmail.cx/vpopmail-ChangeLog 20000626 vpopmail-3.4.11 problems 1418 Buffer overflow in Canna input system allows remote attackers to execute arbitrary commands via an SR_INIT command with a long user name or group name. canna-bin-execute-bo http://shadowpenguin.backsection.net/advisories/advisory038.html FreeBSD-SA-00:31 1445 ISC DHCP client program dhclient allows remote attackers to execute arbitrary commands via shell metacharacters. openbsd-isc-dhcp 20000624 Possible root exploit in ISC DHCP client. 1388 20000711 Security Hole in dhclient < 2.0 20000628 dhcp client: remote root exploit in dhcp client 20000702 [Security Announce] dhcp update NetBSD-SA2000-008 FreeBSD-SA-00:34 Buffer overflow in Dalnet IRC server 4.6.5 allows remote attackers to cause a denial of service or execute arbitrary commands via the SUMMON command. 1404 20000628 dalnet 4.6.5 remote vulnerability The privpath directive in glftpd 1.18 allows remote attackers to bypass access restrictions for directories by using the file name completion capability. 20000626 Glftpd privpath bugs... +fix 1401 20000627 Re: Glftpd privpath bugs... +fix SawMill 5.0.21 CGI program allows remote attackers to read the first line of arbitrary files by listing the file in the rfcf parameter, whose contents SawMill attempts to parse as configuration commands. 20000626 sawmill5.0.21 old path bug & weak hash algorithm 1402 20000706 Patch for Flowerfire Sawmill Vulnerabilities Available SawMill 5.0.21 uses weak encryption to store passwords, which allows attackers to easily decrypt the password and modify the SawMill configuration. 20000626 sawmill5.0.21 old path bug & weak hash algorithm 1403 20000706 Patch for Flowerfire Sawmill Vulnerabilities Available Poll It 2.0 CGI script allows remote attackers to read arbitrary files by specifying the file name in the data_dir parameter. 1431 20000706 Vulnerability in Poll_It cgi v2.0 http-cgi-pollit-variable-overwrite(4878) Novell BorderManager 3.0 and 3.5 allows remote attackers to bypass URL filtering by encoding characters in the requested URL. 20000705 Novell BorderManager 3.0 EE - Encoded URL rule bypass 1432 Buffer overflows in POP3 service in WinProxy 2.0 and 2.0.1 allow remote attackers to execute arbitrary commands via long USER, PASS, LIST, RETR, or DELE commands. 20000627 [SPSadvisory #37]WinProxy 2.0.0/2.0.1 DoS and Exploitable Buffer Overflow 1400 WinProxy 2.0 and 2.0.1 allows remote attackers to cause a denial of service by sending an HTTP GET request without listing an HTTP version number. winproxy-get-dos(4831) 20000627 [SPSadvisory #37]WinProxy 2.0.0/2.0.1 DoS and Exploitable Buffer Overflow 1400 BitchX IRC client does not properly cleanse an untrusted format string, which allows remote attackers to cause a denial of service via an invite to a channel whose name includes special formatting characters. irc-bitchx-invite-dos 1436 RHSA-2000:042 CSSA-2000-022.0 20000704 BitchX /ignore bug FreeBSD-SA-00:32 20000707 BitchX update 20000707 CONECTIVA LINUX SECURITY ANNOUNCEMENT - BitchX 20000704 BitchX exploit possibly waiting to happen, certain DoS libedit searches for the .editrc file in the current directory instead of the user's home directory, which may allow local users to execute arbitrary commands by installing a modified .editrc in another directory. 1437 FreeBSD-SA-00:24 1446 Internet Explorer 5.x does not warn a user before opening a Microsoft Access database file that is referenced within ActiveX OBJECT tags in an HTML document, which could allow remote attackers to execute arbitrary commands, aka the "IE Script" vulnerability. CA-2000-16 20000627 IE 5 and Access 2000 vulnerability - executing programs MS00-049 20000627 FW: IE 5 and Access 2000 vulnerability - executing programs 1398 Microsoft Office 2000 (Excel and PowerPoint) and PowerPoint 97 are marked as safe for scripting, which allows remote attackers to force Internet Explorer or some email clients to save files to arbitrary locations via the Visual Basic for Applications (VBA) SaveAs function, aka the "Office HTML Script" vulnerability. 20000627 IE 5 and Excel 2000, PowerPoint 2000 vulnerability - executing programs MS00-049 1399 Fortech Proxy+ allows remote attackers to bypass access restrictions for to the administration service by redirecting their connections through the telnet proxy. 20000626 Proxy+ Telnet Gateway Problems http://www.proxyplus.cz/faq/articles/EN/art01002.htm 1395 Buffer overflow in iMesh 1.02 allows remote attackers to execute arbitrary commands via a long string to the iMesh port. 20000629 iMesh 1.02 vulnerability http://www.imesh.com/download/download.html 1407 Netscape Enterprise Server in NetWare 5.1 allows remote attackers to cause a denial of service or execute arbitrary commands via a malformed URL. netscape-virtual-directory-bo(4780) 1393 20000626 Netscape Enterprise Server for NetWare Virtual Directory Vulnerab ility LeafChat 1.7 IRC client allows a remote IRC server to cause a denial of service by rapidly sending a large amount of error messages. 20000625 LeafChat Denial of Service http://www.leafdigital.com/Software/leafChat/history.html 1396 Secure Locate (slocate) in Red Hat Linux allows local users to gain privileges via a malformed configuration file that is specified in the LOCATE_PATH environmental variable. 20000621 rh 6.2 - gid compromises, etc 1385 Microsoft SQL Server 7.0 allows a local user to bypass permissions for stored procedures by referencing them via a temporary stored procedure, aka the "Stored Procedure Permissions" vulnerability. 1444 MS00-048 mssql-procedure-perms gkermit in Red Hat Linux is improperly installed with setgid uucp, which allows local users to modify files owned by uucp. 20000621 rh 6.2 - gid compromises, etc 1383 Blackboard CourseInfo 4.0 stores the local and SQL administrator user names and passwords in cleartext in a registry key whose access control allows users to access the passwords. 1460 20000710 Two issues: Blackboard CourseInfo 4.0 stores admin password in clear text; strange settings on the winreg key. Buffer overflow in kon program in Kanji on Console (KON) package on Linux may allow local users to gain root privileges via a long -StartupMessage parameter. 20000619 Problems with "kon2" package 1371 Buffer overflow in fld program in Kanji on Console (KON) package on Linux may allow local users to gain root privileges via an input file containing long CHARSET_REGISTRY or CHARSET_ENCODING settings. 20000619 Problems with "kon2" package 1371 NetWin dMailWeb and cwMail 2.6i and earlier allows remote attackers to cause a denial of service via a long POP parameter (pophost). 20000620 NetWin dMailWeb Denial of Service 1376 NetWin dMailWeb and cwMail 2.6g and earlier allows remote attackers to cause a denial of service via a long username parameter. 20000620 NetWin dMailWeb Denial of Service 1376 NetWin dMailWeb and cwMail 2.6g and earlier allows remote attackers to bypass authentication and use the server for mail relay via a username that contains a carriage return. 1390 netwin-dmailweb-newline 20000623 NetWin dMailWeb Unrestricted Mail Relay The default configuration of NetWin dMailWeb and cwMail trusts all POP servers, which allows attackers to bypass normal authentication and cause a denial of service. netwin-dmailweb-auth 1391 20000623 NetWin dMailWeb Unrestricted Mail Relay Windows 95 and Windows 98 do not properly process spoofed ARP packets, which allows remote attackers to overwrite static entries in the cache table. 20000629 Buggy ARP handling in Windoze 1406 Cisco Secure PIX Firewall does not properly identify forged TCP Reset (RST) packets, which allows remote attackers to force the firewall to close legitimate connections. 20000320 PIX DMZ Denial of Service - TCP Resets cisco-pix-firewall-tcp 1454 1457 20000711 Cisco Secure PIX Firewall TCP Reset Vulnerability Tnef program in Linux systems allows remote attackers to overwrite arbitrary files via TNEF encoded compressed attachments which specify absolute path names for the decompressed output. 1450 20000710 Security Hole in tnef < 0-124 LPRng 3.6.x improperly installs lpd as setuid root, which can allow local users to append lpd trace and logging messages to files. 1447 20000709 LPRng lpd should not be SETUID root lpd-suid-root(7361) Vulnerability in HP TurboIMAGE DBUTIL allows local users to gain additional privileges via DBUTIL.PUB.SYS. 1405 HPSBMP0006-007 Buffer overflow in xconq and cconq game programs on Red Hat Linux allows local users to gain additional privileges via long USER environmental variable. 20000622 RHL 6.2 xconq package - overflows yield gid games Buffer overflow in xconq and cconq game programs on Red Hat Linux allows local users to gain additional privileges via long DISPLAY environmental variable. 20000622 RHL 6.2 xconq package - overflows yield gid games Top Layer AppSwitch 2500 allows remote attackers to cause a denial of service via malformed ICMP packets. 1258 20000614 Update on TopLayer Advisory 20000520 TopLayer layer 7 switch Advisory toplayer-icmp-dos(7364) libX11 X library allows remote attackers to cause a denial of service via a resource mask of 0, which causes libX11 to go into an infinite loop. libx11-infinite-loop-dos(4996) 1409 20000619 XFree86: Various nasty libX11 holes Microsoft Outlook 98 and 2000, and Outlook Express 4.0x and 5.0x, allow remote attackers to read files on the client's system via a malformed HTML message that stores files outside of the cache, aka the "Cache Bypass" vulnerability. CA-2000-14 1501 MS00-046 outlook-cache-bypass Buffer overflow in Webfind CGI program in O'Reilly WebSite Professional web server 2.x allows remote attackers to execute arbitrary commands via a URL containing a long "keywords" parameter. http://website.oreilly.com/support/software/wspro25_releasenotes.txt website-webfind-bo(4962) 1487 20000719 O'Reilly WebSite Professional Overflow Buffer overflow in O'Reilly WebSite Professional web server 2.4 and earlier allows remote attackers to execute arbitrary commands via a long GET request or Referrer header. 1492 20000719 Alert: Buffer Overrun is O'Reilly WebsitePro httpd32.exe (CISADV000717) Buffer overflow in Winamp 2.64 and earlier allows remote attackers to execute arbitrary commands via a long #EXTINF: extension in the M3U playlist. winamp-playlist-parser-bo http://www.winamp.com/getwinamp/newfeatures.jhtml 1496 20000720 Winamp M3U playlist parser buffer overflow security vulnerability NetZero 3.0 and earlier uses weak encryption for storing a user's login information, which allows a local user to decrypt the password. 1483 20000718 NetZero Password Encryption Algorithm Buffer overflow in Alibaba web server allows remote attackers to cause a denial of service via a long GET request. 1482 20000718 Multiple bugs in Alibaba 2.0 BlackBoard CourseInfo 4.0 does not properly authenticate users, which allows local users to modify CourseInfo database information and gain privileges by directly calling the supporting CGI programs such as user_update_passwd.pl and user_update_admin.pl. blackboard-courseinfo-dbase-modification 1486 20000718 Blackboard Courseinfo v4.0 User Authentication 20000719 Security Fix for Blackboard CourseInfo 4.0 The source.asp example script in the Apache ASP module Apache::ASP 1.93 and earlier allows remote attackers to modify files. apache-source-asp-file-write 1457 20000710 ANNOUNCE Apache::ASP v1.95 - Security Hole Fixed http://www.nodeworks.com/asp/changes.html The default configuration of the Sun Java web server 2.0 and earlier allows remote attackers to execute arbitrary commands by uploading Java code to the server via board.html, then directly calling the JSP compiler servlet. http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html 20000711 Sun's Java Web Server remote command execution vulnerability 1459 IIS 4.0 and 5.0 allows remote attackers to obtain fragments of source code by appending a +.htr to the URL, a variant of the "File Fragment Reading via .HTR" vulnerability. MS00-044 iis-htr-obtain-code 1488 An administrative script from IIS 3.0, later included in IIS 4.0 and 5.0, allows remote attackers to cause a denial of service by accessing the script without a particular argument, aka the "Absent Directory Browser Argument" vulnerability. iis-absent-directory-dos 1476 MS00-044 20000718 ISBASE Security Advisory(SA2000-02) Buffer overflow in the web archive component of L-Soft Listserv 1.8d and earlier allows remote attackers to execute arbitrary commands via a long query string. http://www.lsoft.com/news/default.asp?item=Advisory1 lsoft-listserv-querystring-bo 1490 20000717 [COVERT-2000-07] LISTSERV Web Archive Remote Overflow Vulnerability in Mandrake Linux usermode package allows local users to to reboot or halt the system. linux-usermode-dos 1489 20000718 MDKSA-2000:020 usermode update RHSA-2000:053 20000812 Conectiva Linux security announcement - usermode The web administration interface for CommuniGate Pro 3.2.5 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack. 1493 20000717 S21SEC-003: Vulnerabilities in CommuniGate Pro v3.2.4 communigate-pro-file-read 5774 The view_page.html sample page in the MiniVend shopping cart program allows remote attackers to execute arbitrary commands via shell metacharacters. minivend-viewpage-sample 1449 http://www.zdnet.com/zdnn/stories/news/0,4586,2600258,00.html 20000711 Akopia MiniVend Piped Command Execution Vulnerability HP JetDirect printers versions G.08.20 and H.08.20 and earlier allow remote attackers to cause a denial of service via a malformed FTP quote command. 1491 20000719 HP Jetdirect - Invalid FTP Command DoS hp-jetdirect-quote-dos Microsoft Excel 97 and 2000 allows an attacker to execute arbitrary commands by specifying a malicious .dll using the Register.ID function, aka the "Excel REGISTER.ID Function" vulnerability. excel-register-function 20000711 Excel 2000 vulnerability - executing programs MS00-051 1451 bb-hostsvc.sh in Big Brother 1.4h1 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack on the HOSTSVC parameter. http-cgi-bigbrother-bbhostsvc 1455 http://bb4.com/README.CHANGES 20000711 REMOTE EXPLOIT IN ALL CURRENT VERSIONS OF BIG BROTHER 20000711 BIG BROTHER EXPLOIT The default configuration of Big Brother 1.4h2 and earlier does not include proper access restrictions, which allows remote attackers to execute arbitrary commands by using bbd to upload a file whose extension will cause it to be executed as a CGI script by the web server. 20000711 Big Brother filename extension vulnerability 1494 big-brother-filename-extension 1472 Guild FTPd allows remote attackers to determine the existence of files outside the FTP root via a .. (dot dot) attack, which provides different error messages depending on whether the file exists or not. 20000708 gnu-pop3d (FTGate problem), Savant Webserver, Guild FTPd guild-ftpd-disclosure 1452 573 Savant web server allows remote attackers to execute arbitrary commands via a long GET request. savant-get-bo 1453 20000708 gnu-pop3d (FTGate problem), Savant Webserver, Guild FTPd The default configuration of WebActive HTTP Server 1.00 stores the web access log active.log in the document root, which allows remote attackers to view the logs by directly requesting the page. 20000711 Lame DoS in WEBactive win65/NT server 1497 webactive-active-log Buffer overflow in WebActive HTTP Server 1.00 allows remote attackers to cause a denial of service via a long URL. webactive-long-get-dos 20000711 Lame DoS in WEBactive win65/NT server 1470 WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of service by executing a STAT command while the LIST command is still executing. 1506 20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities. wftpd-stat-dos 1477 WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of service by using the RESTART (REST) command and writing beyond the end of a file, or writing to a file that does not exist, via commands such as STORE UNIQUE (STOU), STORE (STOR), or APPEND (APPE). 1506 20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities. WFTPD and WFTPD Pro 2.41 allows remote attackers to obtain the real pathname for a file by executing a STATUS (STAT) command while the file is being transferred. 1506 20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities. WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of service by executing an MLST command before logging into the server. 1506 20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities. WFTPD and WFTPD Pro 2.41 allows local users to cause a denial of service by executing the RENAME TO (RNTO) command before a RENAME FROM (RNFR) command. 1456 20000711 WFTPD/WFTPD Pro 2.41 RC10 denial-of-service IIS 4.0 allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request for a web page which is protected by basic authentication and has no realm defined. 1499 20000713 IIS4 Basic authentication realm issue The default installation of VirusScan 4.5 and NetShield 4.5 has insecure permissions for the registry key that identifies the AutoUpgrade directory, which allows local users to execute arbitrary commands by replacing SETUP.EXE in that directory with a Trojan Horse. 1458 20000711 Potential Vulnerability in McAfee Netshield and VirusScan 4.5 nai-virusscan-netshield-autoupgrade(5177) 4200 1458 The ClientTrust program in Novell BorderManager does not properly verify the origin of authentication requests, which could allow remote attackers to impersonate another user by replaying the authentication requests and responses from port 3024 of the victim's machine. 1440 novell-bordermanager-verification 20000707 Novell Border Manger - Anyone can pose as an authenticated user IBM WebSphere allows remote attackers to read source code for executable web files by directly calling the default InvokerServlet using a URL which contains the "/servlet/file" string. 1500 20000723 IBM WebSphere default servlet handler showcode vulnerability websphere-showcode Microsoft Outlook Express allows remote attackers to monitor a user's email by creating a persistent browser link to the Outlook Express windows, aka the "Persistent Mail-Browser Link" vulnerability. 1502 MS00-045 Microsoft Enterprise Manager allows local users to obtain database passwords via the Data Transformation Service (DTS) package Registered Servers Dialog dialog, aka a variant of the "DTS Password" vulnerability. mssql-dts-reveal-passwords 1466 MS00-041 Netscape Communicator 4.73 and earlier allows remote attackers to cause a denial of service or execute arbitrary commands via a JPEG image containing a comment with an illegal field length of 1. 20000724 JPEG COM Marker Processing Vulnerability in Netscape Browsers TLSA2000017-1 1503 RHSA-2000:046 20000823 Security Hole in Netscape, Versions 4.x, possibly others 20000810 Conectiva Linux Security Announcement - netscape 20000801 MDKSA-2000:027-1 netscape update NetBSD-SA2000-011 FreeBSD-SA-00:39 Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long USER command in the FTP protocol. 1504 20000724 AnalogX Proxy DoS http://www.analogx.com/contents/download/network/proxy.htm Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long HELO command in the SMTP protocol. 1504 20000724 AnalogX Proxy DoS http://www.analogx.com/contents/download/network/proxy.htm Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long USER command in the POP3 protocol. 1504 20000724 AnalogX Proxy DoS http://www.analogx.com/contents/download/network/proxy.htm Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long user ID in a SOCKS4 CONNECT request. 1504 20000724 AnalogX Proxy DoS The WDaemon web server for WorldClient 2.1 allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000712 Infosec.20000712.worldclient.2.1 worldclient-dir-traverse 1462 http://www.altn.com/Downloads/WorldClient/Release/RelNotes.txt 1459 WircSrv IRC Server 5.07s allows remote attackers to cause a denial of service via a long string to the server port. wircsrv-character-flood-dos 1448 20000710 Remote DoS Attack in WircSrv Irc Server v5.07s Vulnerability Internet Explorer 5.x and Microsoft Outlook allows remote attackers to read arbitrary files by redirecting the contents of an IFRAME using the DHTML Edit Control (DHTMLED). 20000714 IE 5.5 and 5.01 vulnerability - reading at least local and from any host text and parsed html files ie-dhtmled-file-read(5107) 1474 The registry entry for the Windows Shell executable (Explorer.exe) in Windows NT and Windows 2000 uses a relative path name, which allows local users to execute arbitrary commands by inserting a Trojan Horse named Explorer.exe into the %Systemdrive% directory, aka the "Relative Shell Path" vulnerability. explorer-relative-path-name 1507 MS00-052 Q269049 AnalogX SimpleServer:WWW 1.06 and earlier allows remote attackers to read arbitrary files via a modified .. (dot dot) attack that uses the %2E URL encoding for the dots. 20000726 AnalogX "SimpleServer:WWW" dot dot bug http://www.analogx.com/contents/download/network/sswww.htm analogx-simpleserver-directory-path 1508 388 GAMSoft TelSrv telnet server 1.5 and earlier allows remote attackers to cause a denial of service via a long username. 20000717 DoS in Gamsoft TelSrv telnet server for MS Windows 95/98/NT/2k. gamsoft-telsrv-dos 1478 373 20000729 TelSrv Reveals Usernames & Passwords After DoS Attack rpc.statd in the nfs-utils package in various Linux distributions does not properly cleanse untrusted format strings, which allows remote attackers to gain root privileges. CA-2000-17 linux-rpcstatd-format-overwrite 1480 20000716 Lots and lots of fun with rpc.statd RHSA-2000:043 CSSA-2000-025.0 20000718 [Security Announce] MDKSA-2000:021 nfs-utils update 20000718 Trustix Security Advisory - nfs-utils 20000717 CONECTIVA LINUX SECURITY ANNOUNCEMENT - nfs-utils Vulnerability in gpm in Caldera Linux allows local users to delete arbitrary files or conduct a denial of service. 1512 CSSA-2000-024.0 pam_console PAM module in Linux systems allows a user to access the system console and reboot the system when a display manager such as gdm or kdm has XDMCP enabled. linux-pam-console 1513 RHSA-2000:044 20000801 MDKSA-2000:029 pam update 20000727 CONECTIVA LINUX SECURITY ANNOUNCEMENT - PAM Novell NetWare 5.0 allows remote attackers to cause a denial of service by flooding port 40193 with random data. 20000711 Remote Denial Of Service -- NetWare 5.0 with SP 5 1467 The cvsweb CGI script in CVSWeb 1.80 allows remote attackers with write access to a CVS repository to execute arbitrary commands via shell metacharacters. cvsweb-shell-access 20000714 MDKSA-2000:019 cvsweb update TLSA2000016-1 1469 20000712 cvsweb: remote shell for cvs committers FreeBSD-SA-00:37 Roxen web server earlier than 2.0.69 allows allows remote attackers to bypass access restrictions, list directory contents, and read source code by inserting a null character (%00) to the URL. 20000721 Roxen security alert: Problems with URLs containing null characters. roxen-null-char-url 1510 20000721 Roxen Web Server Vulnerability The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory. 20000721 Jakarta-tomcat.../admin jakarta-tomcat-admin 1548 The NetBIOS Name Server (NBNS) protocol does not perform authentication, which allows remote attackers to cause a denial of service by sending a spoofed Name Conflict or Name Release datagram, aka the "NetBIOS Name Server Protocol Spoofing" vulnerability. netbios-name-server-spoofing 1514 MS00-047 1515 20000727 Windows NetBIOS Name Conflicts ftp.pl CGI program for Virtual Visions FTP browser allows remote attackers to read directories outside of the document root via a .. (dot dot) attack. 1471 20000712 ftp.pl vulnerability virtualvision-ftp-browser Buffer overflow in Infopulse Gatekeeper 3.5 and earlier allows remote attackers to execute arbitrary commands via a long string. gatekeeper-long-string-bo 1477 20000713 The MDMA Crew's GateKeeper Exploit Netscape Communicator and Navigator 4.04 through 4.74 allows remote attackers to read arbitrary files by using a Java applet to open a connection to a URL using the "file", "http", "https", and "ftp" protocols, as demonstrated by Brown Orifice. CA-2000-15 1546 RHSA-2000:054 20000823 Security Hole in Netscape, Versions 4.x, possibly others CSSA-2000-027.1 20000821 MDKSA-2000:036 - netscape update 20000818 Conectiva Linux Security Announcement - netscape 20000810 MDKSA-2000:033 Netscape Java vulnerability 20000804 Dangerous Java/Netscape Security Hole FreeBSD-SA-00:39 Buffer overflow in IBM Net.Data db2www CGI program allows remote attackers to execute arbitrary commands via a long PATH_INFO environmental variable. 20000907 Buffer Overflow in IBM Net.Data db2www CGI program. ibm-netdata-db2www-bo PGP 5.5.x through 6.5.3 does not properly check if an Additional Decryption Key (ADK) is stored in the signed portion of a public certificate, which allows an attacker who can modify a victim's public certificate to decrypt any data that has been encrypted with the modified certificate. CA-2000-18 1606 4354 The CVS 1.10.8 client trusts pathnames that are provided by the CVS server, which allows the server to force the client to create arbitrary files. 20000728 cvs security problem 1523 The CVS 1.10.8 server does not properly restrict users from creating arbitrary Checkin.prog or Update.prog programs, which allows remote CVS committers to modify or create Trojan horse programs with the Checkin.prog or Update.prog names, then performing a CVS commit action. 1524 20000728 cvs security problem Buffer overflow in BEA WebLogic server proxy plugin allows remote attackers to execute arbitrary commands via a long URL with a .JSP extension. 1570 20000815 BEA Weblogic server proxy library vulnerabilities BEA WebLogic 5.1.x allows remote attackers to read source code for parsed pages by inserting /ConsoleHelp/ into the URL, which invokes the FileServlet. 1518 20000728 BEA's WebLogic force handlers show code vulnerability 1481 http://developer.bea.com/alerts/security_000731.html BEA WebLogic 5.1.x allows remote attackers to read source code for parsed pages by inserting /*.shtml/ into the URL, which invokes the SSIServlet. 1517 20000728 BEA's WebLogic force handlers show code vulnerability 1480 http://developer.bea.com/alerts/security_000728.html BEA WebLogic 5.1.x does not properly restrict access to the JSPServlet, which could allow remote attackers to compile and execute Java JSP code by directly invoking the servlet on any source file. 1525 20000731 BEA's WebLogic *.jsp/*.jhtml remote command execution http://developer.bea.com/alerts/security_000731.html BEA WebLogic 5.1.x does not properly restrict access to the PageCompileServlet, which could allow remote attackers to compile and execute Java JHTML code by directly invoking the servlet on any source file. 1525 20000731 BEA's WebLogic *.jsp/*.jhtml remote command execution http://developer.bea.com/alerts/security_000731.html Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the fromfile parameter. 1630 20000823 Auction WeaverT LITE 1.0 Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the catdir parameter. 1630 20000823 Auction WeaverT LITE 1.0 Subscribe Me LITE does not properly authenticate attempts to change the administrator password, which allows remote attackers to gain privileges for the Account Manager by directly calling the subscribe.pl script with the setpwd parameter. 1607 http://www.cgiscriptcenter.com/subscribe/ 20000823 Subscribe Me Vulnerability 20000823 Re: Subscribe Me CGI Vulnerability Account Manager LITE does not properly authenticate attempts to change the administrator password, which allows remote attackers to gain privileges for the Account Manager by directly calling the amadmin.pl script with the setpasswd parameter. 1604 http://www.cgiscriptcenter.com/acctlite/ 20000823 Account Manager CGI Vulnerability account-manager-overwrite-password(5125) 13341 Auction Weaver CGI script 1.02 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the fromfile parameter. 20000830 More problems with Auction Weaver & CGI Script Center. 20000830 More problems with Auction Weaver & CGI Script Center. The faxrunq and faxrunqd in the mgetty package allows local users to create or modify arbitrary files via a symlink attack which creates a symlink in from /var/spool/fax/outgoing/.last_run to the target file. 1612 CSSA-2000-029.0 http://archives.neohapsis.com/archives/bugtraq/2000-08/0330.html 20000826 Advisory: mgetty local compromise ISS RealSecure 3.2.1 and 3.2.2 allows remote attackers to cause a denial of service via a flood of fragmented packets with the SYN flag set. 20000822 DOS on RealSecure 3.2 1597 pgxconfig in the Raptor GFX configuration tool uses a relative path name for a system call to the "cp" program, which allows local users to execute arbitrary commands by modifying their path to point to an alternate "cp" program. 1563 20000802 Local root compromise in PGX Config Sun Sparc Solaris 1501 pgxconfig in the Raptor GFX configuration tool allows local users to gain privileges via a symlink attack. 20000802 Local root compromise in PGX Config Sun Sparc Solaris 5740 Buffer overflows in pgxconfig in the Raptor GFX configuration tool allow local users to gain privileges via command line options. 20000802 Local root compromise in PGX Config Sun Sparc Solaris The administration interface for the dwhttpd web server in Solaris AnswerBook2 does not properly authenticate requests to its supporting CGI scripts, which allows remote attackers to add user accounts to the interface by directly calling the admin CGI script. 1554 00196 solaris-answerbook2-admin-interface(5069) http://www.s21sec.com/en/avisos/s21sec-004-en.txt 20000807 Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server The administration interface for the dwhttpd web server in Solaris AnswerBook2 allows interface users to remotely execute commands via shell metacharacters. 1556 00196 http://www.s21sec.com/en/avisos/s21sec-004-en.txt solaris-answerbook2-remote-execution(5058) 20000807 Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server Minicom 1.82.1 and earlier on some Linux systems allows local users to create arbitrary files owned by the uucp user via a symlink attack. 1599 20000819 RH 6.1 / 6.2 minicom vulnerability minicom-capture-groupown Format string vulnerability in ftpd in HP-UX 10.20 allows remote attackers to cause a denial of service or execute arbitrary commands via format strings in the PASS command. 1560 20000806 HPUX FTPd vulnerability Cisco Gigabit Switch Routers (GSR) with Fast Ethernet / Gigabit Ethernet cards, from IOS versions 11.2(15)GS1A up to 11.2(19)GS0.2 and some versions of 12.0, do not properly handle line card failures, which allows remote attackers to bypass ACLs or force the interface to stop forwarding packets. 1541 20000803 Possible Access Control Bypass and Denial of Service in Gigabit Switch Routers Using Gigabit Ethernet or Fast Ethernet Cards 798 793 The wrapper program in mailman 2.0beta3 and 2.0beta4 does not properly cleanse untrusted format strings, which allows local users to gain privileges. 1539 20000801 Advisory: mailman local compromise 20000802 CONECTIVA LINUX SECURITY ANNOUNCEMENT - mailman RHSA-2000:030 20000802 MDKSA-2000:030 - Linux-Mandrake not affected by mailman problem http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000802105050.A11733@rak.isternet.sk The net.init rc script in HP-UX 11.00 (S008net.init) allows local users to overwrite arbitrary files via a symlink attack that points from /tmp/stcp.conf to the targeted file. 1602 20000821 [HackersLab bugpaper] HP-UX net.init rc script hp-netinit-symlink suidperl (aka sperl) does not properly cleanse the escape sequence "~!" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the "interactive" environmental variable and calling suidperl with a filename that contains the escape sequence. 1547 CSSA-2000-026.0 20000805 sperl 5.00503 (and newer ;) exploit TLSA2000018-1 RHSA-2000:048 20000810 Security Hole in perl, all versions 20000814 Trustix Security Advisory - perl and mailx 20000810 Conectiva Linux security announcemente - PERL 20000808 MDKSA-2000:031 perl update Buffer overflow in SGI Omron WorldView Wnn allows remote attackers to execute arbitrary commands via long JS_OPEN, JS_MKDIR, or JS_FILE_INFO commands. 1603 20000803-01-A irix-worldview-wnn-bo(5163) 11080 ntop running in web mode allows remote attackers to read arbitrary files via a .. (dot dot) attack. 1550 20000802 [ Hackerslab bug_paper ] ntop web mode vulnerabliity RHSA-2000:049 1496 Buffer overflows in ntop running in web mode allows remote attackers to execute arbitrary commands. 1576 20000830 ntop: Still remotely exploitable using buffer overflows 1513 FreeBSD-SA-00:36 PCCS MySQLDatabase Admin Tool Manager 1.2.4 and earlier installs the file dbconnect.inc within the web root, which allows remote attackers to obtain sensitive information such as the administrative password. 1557 20000804 PCCS MySQL DB Admin Tool v1.2.3- Advisory http://pccs-linux.com/public/view.php3?bn=agora_pccslinux&key=965951324 Buffer overflow in Pragma Systems TelnetServer 2000 version 4.0 allows remote attackers to cause a denial of service via a long series of null characters to the rexec port. 1605 http://www.pragmasys.com/TelnetServer/ 20000824 Remote DoS Attack in Pragma TelnetServer 2000 (Remote Execute Daemon) Vulnerability The shtml.exe component of Microsoft FrontPage 2000 Server Extensions 1.1 allows remote attackers to cause a denial of service in some components by requesting a URL whose name includes a standard DOS device name. 1608 20000823 Xato Advisory: FrontPage DOS Device DoS http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp The shtml.exe component of Microsoft FrontPage 2000 Server Extensions 1.1 allows remote attackers determine the physical path of the server components by requesting an invalid URL whose name includes a standard DOS device name. 1608 20000823 Xato Advisory: FrontPage DOS Device DoS http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp Netscape Communicator does not properly prevent a ServerSocket object from being created by untrusted entities, which allows remote attackers to create a server on the victim's system via a malicious applet, as demonstrated by Brown Orifice. CA-2000-15 1545 20000816 JDK 1.1.x Listening Socket Vulnerability (was Re: BrownOrifice can break firewalls!) 20000805 Dangerous Java/Netscape Security Hole Linux Intrusion Detection System (LIDS) 0.9.7 allows local users to gain root privileges when LIDS is disabled via the security=0 boot option. 1549 http://www.lids.org/changelog.html http://www.egroups.com/message/lids/1038 2000803 LIDS severe bug 1495 Buffer overflow in Adobe Acrobat 4.05, Reader, Business Tools, and Fill In products that handle PDF files allows attackers to execute arbitrary commands via a long /Registry or /Ordering specifier. 1509 20000726 [SPSadvisory#39]Adobe Acrobat Series PDF File Buffer Overflow http://www.adobe.com/misc/pdfsecurity.html umb-scheme 3.2-11 for Red Hat Linux is installed with world-writeable files. 1551 RHSA-2000:047 DiskCheck script diskcheck.pl in Red Hat Linux 6.2 allows local users to create or overwrite arbitrary files via a symlink attack on a temporary file. 1552 20000622 Re: rh 6.2 - gid compromises, etc [+ MORE!!!] 20000807 Re: Diskcheck 3.1.1 Symlink Vulnerability 20000805 Diskcheck 3.1.1 Symlink Vulnerability WorldClient email client in MDaemon 2.8 includes the session ID in the referer field of an HTTP request when the user clicks on a URL, which allows the visited web site to hijcak the session ID and read the user's email. 1553 20000809 Session hijacking in Alt-N's MDaemon 2.8 mdaemon-session-id-hijack GoodTech FTP server allows remote attackers to cause a denial of service via a large number of RNTO commands. 20000830 [EXPL] GoodTech's FTP Server vulnerable to a DoS (RNTO) 1619 ftp-goodtech-rnto-dos(5166) A race condition in MandrakeUpdate allows local users to modify RPM files while they are in the /tmp directory before they are installed. 1567 20000812 MDKSA-2000:034 MandrakeUpdate update VariCAD 7.0 is installed with world-writeable files, which allows local users to replace the VariCAD programs with a Trojan horse program. 20000810 VariCAD 7.0 premission vulnerability news.cgi in GWScripts News Publisher does not properly authenticate requests to add an author to the author index, which allows remote attackers to add new authors by directly posting an HTTP request to the new.cgi program with an addAuthor parameter, and setting the Referer to the news.cgi program. 20000829 News Publisher CGI Vulnerability 1621 news-publisher-add-author(5169) The FSserial, FlagShip_c, and FlagShip_p programs in the FlagShip package are installed world-writeable, which allows local users to replace them with Trojan horses. 20000810 FlagShip v4.48.7449 premission vulnerability 1586 Helix GNOME Updater helix-update 0.5 and earlier allows local users to install arbitrary RPM packages by creating the /tmp/helix-install installation directory before root has begun installing packages. 1593 20000820 [Helix Beta] Helix Code Security Advisory - Helix GNOME Installer 20000820 Helix Code Security Advisory - Helix GNOME Update 20000819 Multiple Local Vulnerabilities in Helix Gnome Installer Helix GNOME Updater helix-update 0.5 and earlier does not properly create /tmp directories, which allows local users to create empty system configuration files such as /etc/config.d/bashrc, /etc/config.d/csh.cshrc, and /etc/rc.config. 1596 20000820 [Helix Beta] Helix Code Security Advisory - Helix GNOME Installer 20000819 Multiple Local Vulnerabilities in Helix Gnome Installer The go-gnome Helix GNOME pre-installer allows local users to overwrite arbitrary files via a symlink attack on various files in /tmp, including uudecode, snarf, and some installer files. 1622 20000829 Helix Code Security Advisory - go-gnome pre-installer 20000829 More Helix Code installation problems (go-gnome) Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request. 1577 20000821 Conectiva Linux Security Announcement - Zope 20000816 MDKSA-2000:035 Zope update http://www.zope.org/Products/Zope/Hotfix_08_09_2000/security_alert 20000821 zope: unauthorized escalation of privilege (update) RHSA-2000:052 CGIMail.exe CGI program in Stalkerlab Mailers 1.1.2 allows remote attackers to read arbitrary files by specifying the file in the $Attach$ hidden form variable. 20000829 Stalker's CGImail Gives Read Access to All Server Files 1623 mailers-cgimail-spoof(5165) xpdf PDF viewer client earlier than 0.91 does not properly launch a web browser for embedded URL's, which allows an attacker to execute arbitrary commands via a URL that contains shell metacharacters. 1624 20000910 xpdf: local exploit CSSA-2000-031.0 20000829 MDKSA-2000:041 - xpdf update RHSA-2000:060 20000913 Conectiva Linux Security Announcement - xpdf xpdf PDF viewer client earlier than 0.91 allows local users to overwrite arbitrary files via a symlink attack. 1624 20000913 Conectiva Linux Security Announcement - xpdf 20000829 MDKSA-2000:041 - xpdf update RHSA-2000:060 CSSA-2000-031.0 FreeBSD 5.x, 4.x, and 3.x allows local users to cause a denial of service by executing a program with a malformed ELF image header. 1625 FreeBSD-SA-00:41 freebsd-elf-dos(5967) 1534 Vulnerability in newgrp command in HP-UX 11.0 allows local users to gain privileges. 1580 HPSBUX0008-118 Directory traversal vulnerability in Worm HTTP server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000825 DST2K0023: Directory Traversal Possible & Denial of Service in Wo rm HTTP Server 1626 wormhttp-dir-traverse(5148) 1535 Worm HTTP server allows remote attackers to cause a denial of service via a long URL. 20000825 DST2K0023: Directory Traversal Possible & Denial of Service in Wo rm HTTP Server 1626 wormhttp-filename-dos Telnetd telnet server in IRIX 5.2 through 6.1 does not properly cleans user-injected format strings, which allows remote attackers to execute arbitrary commands via a long RLD variable in the IAC-SB-TELOPT_ENVIRON request. 20000814 [LSD] IRIX telnetd remote vulnerability 1572 20000801-02-P eEye IRIS 1.01 beta allows remote attackers to cause a denial of service via a large number of UDP connections. 1627 20000831 Remote DoS Attack in Eeye Iris 1.01 and SpyNet CaptureNet v3.12 Buffer overflow in Becky! Internet Mail client 1.26.03 and earlier allows remote attackers to cause a denial of service via a long Content-type: MIME header when the user replies to a message. 20000818 Becky! Internet Mail Buffer overflow 1588 http://member.nifty.ne.jp/rimarts/becky-e/Readme.txt Buffer overflow in Becky! Internet Mail client 1.26.04 and earlier allows remote attackers to cause a denial of service via a long Content-type: MIME header when the user forwards a message. 20000818 Becky! Internet Mail Buffer overflow 1588 http://member.nifty.ne.jp/rimarts/becky-e/Readme.txt The Service Control Manager (SCM) in Windows 2000 creates predictable named pipes, which allows a local user with console access to gain administrator privileges, aka the "Service Control Manager Named Pipe Impersonation" vulnerability. 1535 MS00-053 WebShield SMTP 4.5 allows remote attackers to cause a denial of service by sending e-mail with a From: address that has a . (period) at the end, which causes WebShield to continuously send itself copies of the e-mail. 1589 20000818 WebShield SMTP infinite loop DoS Attack webshield-smtp-dos Directory traversal vulnerability in strong.exe program in NAI Net Tools PKI server 1.0 before HotFix 3 allows remote attackers to read arbitrary files via a .. (dot dot) attack in an HTTPS request to the enrollment server. 1537 http://download.nai.com/products/licensed/pgp/hf3pki10.txt 20000802 NAI Net Tools PKI Server vulnerabilities nettools-pki-dir-traverse(5066) 1489 Buffer overflow in strong.exe program in NAI Net Tools PKI server 1.0 before HotFix 3 allows remote attackers to execute arbitrary commands via a long URL in the HTTPS port. 1536 http://download.nai.com/products/licensed/pgp/hf3pki10.txt 20000802 NAI Net Tools PKI Server vulnerabilities nai-nettools-strong-bo(5026) 1488 Format string vulnerability in strong.exe program in NAI Net Tools PKI server 1.0 before HotFix 3 allows remote attackers to execute arbitrary code via format strings in a URL with a .XUDA extension. 1538 http://download.nai.com/products/licensed/pgp/hf3pki10.txt 20000802 NAI Net Tools PKI Server vulnerabilities 1490 The IPX protocol implementation in Microsoft Windows 95 and 98 allows remote attackers to cause a denial of service by sending a ping packet with a source IP address that is a broadcast address, aka the "Malformed IPX Ping Packet" vulnerability. 1544 MS00-054 20000602 ipx storm win-ipx-ping-packet(5079) Buffer overflow in University of Minnesota (UMN) gopherd 2.x allows remote attackers to execute arbitrary commands via a DES key generation request (GDESkey) that contains a long ticket value. 1569 20000810 Remote vulnerability in Gopherd 2.x DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-2000-0743. admin.php3 in PHP-Nuke does not properly verify the PHP-Nuke administrator password, which allows remote attackers to gain privileges by requesting a URL that does not specify the aid or pwd parameter. 1592 20000821 Vuln. in all sites using PHP-Nuke, versions less than 3 1521 Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against cross-site scripting (CSS) attacks. They allow a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site, aka the "IIS Cross-Site Scripting" vulnerabilities. 1595 1594 MS00-060 20000821 IIS 5.0 cross site scripting vulnerability - using .shtml files or /_vti_bin/shtml.dll The logrotate script for OpenLDAP before 1.2.11 in Conectiva Linux sends an improper signal to the kernel log daemon (klogd) and kills it. 20000726 CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENLDAP openldap-logrotate-script-dos(5036) OpenLDAP 1.2.11 and earlier improperly installs the ud binary with group write permissions, which could allow any user in that group to replace the binary with a Trojan horse. 1511 20000726 Group-writable executable in OpenLDAP Buffer overflow in the Linux binary compatibility module in FreeBSD 3.x through 5.x allows local users to gain root privileges via long filenames in the linux shadow file system. 1628 FreeBSD-SA-00:42 freebsd-linux-module-bo(5968) 1536 Buffer overflow in mopd (Maintenance Operations Protocol loader daemon) allows remote attackers to execute arbitrary commands via a long file name. 1558 FreeBSD-SA-00:40 20000808 OpenBSD 2.7 / NetBSD 1.4.2 mopd buffer overflow RHSA-2000:050 20000705 Mopd contained a buffer overflow. http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/mopd/mopd/process.c.diff?r1=1.7&r2=1.8&f=h mopd (Maintenance Operations Protocol loader daemon) does not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands. 1559 FreeBSD-SA-00:40 20000808 OpenBSD 2.7 / NetBSD 1.4.2 mopd buffer overflow RHSA-2000:050 20000705 Mopd contained a buffer overflow. http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/mopd/mopd/process.c.diff?r1=1.7&r2=1.8&f=h Buffer overflows in brouted in FreeBSD and possibly other OSes allows local users to gain root privileges via long command line arguments. 1629 FreeBSD-SA-00:43 The Microsoft Outlook mail client identifies the physical path of the sender's machine within a winmail.dat attachment to Rich Text Format (RTF) files. 1631 outlook-reveal-path(5508) 20000824 Outlook winmail.dat 20010802 Outlook 2000 Rich Text information disclosure Vulnerability in HP OpenView Network Node Manager (NMM) version 6.1 related to passwords. HPSBUX0008-119 1581 Vulnerability in the newgrp command in HP-UX 11.00 allows local users to gain privileges. HPSBUX0008-118 1581 Microsoft Outlook 2000 does not properly process long or malformed fields in vCard (.vcf) files, which allows attackers to cause a denial of service. 1633 20000831 vCard DoS on Outlook 2000 The sysgen service in Aptis Totalbill does not perform authentication, which allows remote attackers to gain root privileges by connecting to the service and specifying the commands to be executed. 1555 20000808 Exploit for Totalbill... The web interface for Lyris List Manager 3 and 4 allows list subscribers to obtain administrative access by modifying the value of the list_admin hidden form field. 1584 20000811 Lyris List Manager Administration Hole http://www.lyris.com/lm/lm_updates.html Jakarta Tomcat 3.1 under Apache reveals physical path information when a remote attacker requests a URL that does not exist, which generates an error message that includes the physical path. 20000719 [LoWNOISE] Tomcat 3.1 Path Revealing Problem. 1531 tomcat-error-path-reveal(4967) The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension. 20000719 [LoWNOISE] Snoop Servlet (Tomcat 3.1 and 3.0) 1532 OS2/Warp 4.5 FTP server allows remote attackers to cause a denial of service via a long username. 1582 20000815 OS/2 Warp 4.5 FTP Server DoS ftp://ftp.software.ibm.com/ps/products/tcpip/fixes/v4.3os2/ic27721/README The default installation of eTrust Access Control (formerly SeOS) uses a default encryption key, which allows remote attackers to spoof the eTrust administrator and gain privileges. 20000811 eTrust Access Control - Root compromise for default install 1583 http://support.ca.com/techbases/eTrust/etrust_access_control-response.html etrust-access-control-default 1517 xlockmore and xlockf do not properly cleanse user-injected format strings, which allows local users to gain root privileges via the -d option. 20000816 xlock vulnerability 1585 20000816 xlockmore: possible shadow file compromise FreeBSD-SA-00:44.xlockmore 20000823 MDKSA-2000:038 - xlockmore update 20000817 Conectiva Linux Security Announcement - xlockmore Intel Express 500 series switches allow a remote attacker to cause a denial of service via a malformed IP packet. 1609 20000828 Intel Express Switch 500 series DoS intel-express-switch-dos Buffer overflow in the HTML interpreter in Microsoft Office 2000 allows an attacker to execute arbitrary commands via a long embedded object tag, aka the "Microsoft Office HTML Object Tag" vulnerability. 1561 MS00-056 Buffer overflow in vqSoft vqServer 1.4.49 allows remote attackers to cause a denial of service or possibly gain privileges via a long HTTP GET request. 1610 20000819 D.o.S Vulnerability in vqServer vqserver-get-dos The ActiveX control for invoking a scriptlet in Internet Explorer 4.x and 5.x renders arbitrary file types instead of HTML, which allows an attacker to read arbitrary files, aka the "Scriptlet Rendering" vulnerability. 1564 MS00-055 A function in Internet Explorer 4.x and 5.x does not properly verify the domain of a frame within a browser window, which allows a remote attacker to read client files, aka a variant of the "Frame Domain Verification" vulnerability. 1564 MS00-055 O'Reilly WebSite Pro 2.3.7 installs the uploader.exe program with execute permissions for all users, which allows remote attackers to create and execute arbitrary files by directly calling uploader.exe. 1611 20000824 WebServer Pro 2.3.7 Vulnerability IIS 4.0 and 5.0 does not properly restrict access to certain types of files when their parent folders have less restrictive permissions, which could allow remote attackers to bypass access restrictions to some files, aka the "File Permission Canonicalization" vulnerability. 1565 MS00-057 Microsoft Windows 2000 allows local users to cause a denial of service by corrupting the local security policy via malformed RPC traffic, aka the "Local Security Policy Corruption" vulnerability. 1613 MS00-062 The installation of Tumbleweed Messaging Management System (MMS) 4.6 and earlier (formerly Worldtalk Worldsecure) creates a default account "sa" with no password. 1562 tumbleweed-mms-blank-password http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-official.htm 20000810 Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vulnerability Bajie HTTP web server 0.30a allows remote attackers to read arbitrary files via a URL that contains a "....", a variant of the dot dot directory traversal attack. bajie-view-arbitrary-files(5021) 1522 20000731 Two security flaws in Bajie Webserver The sample Java servlet "test" in Bajie HTTP web server 0.30a reveals the real pathname of the web document root. 1521 20000731 Two security flaws in Bajie Webserver Buffer overflow in RobTex Viking server earlier than 1.06-370 allows remote attackers to cause a denial of service or execute arbitrary commands via a long HTTP GET request, or long Unless-Modified-Since, If-Range, or If-Modified-Since headers. 1614 http://www.robtex.com/viking/bugs.htm 20000828 [NT] Viking security vulnerabilities enable remote code execution (long URL, date parsing) Mediahouse Statistics Server 5.02x allows remote attackers to execute arbitrary commands via a long HTTP GET request. 1568 20000810 [DeepZone Advisory] Statistics Server 5.02x stack overflow (Win2k remote exploit) mediahouse-stats-livestats-bo(5113) The password protection feature of Microsoft Money can store the password in plaintext, which allows attackers with physical access to the system to obtain the password, aka the "Money Password" vulnerability. MS00-061 1615 IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability. 20000815 Translate:f summary, history and thoughts MS00-058 1578 20000816 Translate: f oval:org.mitre.oval:def:927 Checkpoint Firewall-1 with the RSH/REXEC setting enabled allows remote attackers to bypass access restrictions and connect to a RSH/REXEC client via malformed connection requests. 1534 http://www.checkpoint.com/techsupport/alerts/list_vun.html#Improper_stderr 1487 The web server in IPSWITCH IMail 6.04 and earlier allows remote attackers to read and delete arbitrary files via a .. (dot dot) attack. 1617 http://www.ipswitch.com/Support/IMail/news.html 20000830 Vulnerability Report On IPSWITCH's IMail uagentsetup in ARCServeIT Client Agent 6.62 does not properly check for the existence or ownership of a temporary file which is moved to the agent.cfg configuration file, which allows local users to execute arbitrary commands by modifying the temporary file before it is moved. arcserveit-clientagent-temp-file(5023) 1519 20000728 Client Agent 6.62 for Unix Vulnerability netauth.cgi program in Netwin Netauth 4.2e and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000817 Netauth: Web Based Email Management System 1587 http://netwinsite.com/netauth/updates.htm netwin-netauth-dir-traverse(5090) Watchguard Firebox II allows remote attackers to cause a denial of service by sending a malformed URL to the authentication service on port 4100. 1573 20000815 Watchguard Firebox Authentication DoS firebox-url-dos sshd program in the Rapidstream 2.1 Beta VPN appliance has a hard-coded "rsadmin" account with a null password, which allows remote attackers to execute arbitrary commands via ssh. 1574 20000816 Remote Root Compromise On All RapidStream VPN Appliances WircSrv IRC Server 5.07s allows IRC operators to read arbitrary files via the importmotd command, which sets the Message of the Day (MOTD) to the specified file. 20000713 More wIRCSrv stupidity GNU userv 1.0.0 and earlier does not properly perform file descriptor swapping, which can corrupt the USERV_GROUPS and USERV_GIDS environmental variables and allow local users to bypass some access restrictions. 1516 20000727 userv: local exploit 20000726 userv security boundary tool 1.0.1 (SECURITY FIX) http://marc.theaimsgroup.com/?l=bugtraq&m=96473640717095&w=2 IRC Xchat client versions 1.4.2 and earlier allows remote attackers to execute arbitrary commands by encoding shell metacharacters into a URL which XChat uses to launch a web browser. 1601 20000825 Conectiva Linux Security Announcement - xchat 20000824 MDKSA-2000:039 - xchat update 20000817 XChat URL handler vulnerabilty RHSA-2000:055 The Mail Merge tool in Microsoft Word does not prompt the user before executing Visual Basic (VBA) scripts in an Access database, which could allow an attacker to execute arbitrary commands. 20000807 MS Word and MS Access vulnerability - executing arbitrary programs, may be exploited by IE/Outlook 1566 word-mail-merge(5322) MS00-071 WinU 5.x and earlier uses weak encryption to store its configuration password, which allows local users to decrypt the password and gain privileges. 20000816 WinU 4/5 weak password vulnerability The web-based folder display capability in Microsoft Internet Explorer 5.5 on Windows 98 allows local users to insert Trojan horse programs by modifying the Folder.htt file and using the InvokeVerb method in the ShellDefView ActiveX control to specify a default execute option for the first file that is listed in the folder. 20000828 IE 5.5/5.x for Win98 may execute arbitrary files that can be accessed thru Microsoft Networking. Also local Administrator compromise at least on default Windows 2000. 1571 ie-folder-remote-exe(5097) Trustix installs the httpsd program for Apache-SSL with world-writeable permissions, which allows local users to replace it with a Trojan horse. 20000815 Trustix security advisory - apache-ssl 1575 Gnome Lokkit firewall package before 0.41 does not properly restrict access to some ports, even if a user does not make any services available. 20000819 Security update for Gnome-Lokkit 1590 1520 Norton AntiVirus 5.00.01C with the Novell Netware client does not properly restart the auto-protection service after the first user has logged off of the system. 1533 20000728 Norton Antivirus Protection Disabled under Novell Netware Buffer overflow in IRIX libgl.so library allows local users to gain root privileges via a long HOME variable to programs such as (1) gmemusage and (2) gr_osview. 1527 irix-libgl-bo(5063) 20000802 [LSD] some unpublished LSD exploit codes 8568 Buffer overflow in lpstat in IRIX 6.2 and 6.3 allows local users to gain root privileges via a long -n option. 20000802 [LSD] some unpublished LSD exploit codes 1529 1485 Buffer overflow in dmplay in IRIX 6.2 and 6.3 allows local users to gain root privileges via a long command line option. 20000802 [LSD] some unpublished LSD exploit codes 1528 irix-dmplay-bo(5064) 1484 Buffer overflow in gr_osview in IRIX 6.2 and 6.3 allows local users to gain privileges via a long -D option. irix-grosview-bo(5062) 20000802 [LSD] some unpublished LSD exploit codes 1526 3815 20040104-01-P The truncate function in IRIX 6.x does not properly check for privileges when the file is in the xfs file system, which allows local users to delete the contents of arbitrary files. 1540 20000802 [LSD] some unpublished LSD exploit codes 8569 inpview in InPerson in SGI IRIX 5.3 through IRIX 6.5.10 allows local users to gain privileges via a symlink attack on the .ilmpAAA temporary file. 20000802 [LSD] some unpublished LSD exploit codes 1530 irix-inpview-symlink(5065) 20001101-01-I String parsing error in rpc.kstatd in the linuxnfs or knfsd packages in SuSE and possibly other Linux systems allows remote attackers to gain root privileges. 20000810 Security Hole in knfsd, all versions Buffer overflow in bdf program in HP-UX 11.00 may allow local users to gain root privileges via a long -t option. 1520 20000727 [ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vul. The BAIR program does not properly restrict access to the Internet Explorer Internet options menu, which allows local users to obtain access to the menu by modifying the registry key that starts BAIR. 20000722 More bad censorware GNU Groff uses the current working directory to find a device description file, which allows a local user to gain additional privileges by including a malicious postpro directive in the description file, which is executed when another user runs groff. gnu-groff-utilities(5280) Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to bypass the directionality check via fragmented TCP connection requests or reopening closed TCP connection requests, aka "One-way Connection Enforcement Bypass." http://www.checkpoint.com/techsupport/alerts/list_vun.html#One-way_Connection fw1-remote-bypass 4419 Check Point VPN-1/FireWall-1 4.1 and earlier improperly retransmits encapsulated FWS packets, even if they do not come from a valid FWZ client, aka "Retransmission of Encapsulated Packets." http://www.checkpoint.com/techsupport/alerts/list_vun.html#Retransmission_of fw1-client-spoof 4415 The inter-module authentication mechanism (fwa1) in Check Point VPN-1/FireWall-1 4.1 and earlier may allow remote attackers to conduct a denial of service, aka "Inter-module Communications Bypass." http://www.checkpoint.com/techsupport/alerts/list_vun.html#Inter-module_Communications fw1-fwa1-auth-replay 4413 The OPSEC communications authentication mechanism (fwn1) in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to spoof connections, aka the "OPSEC Authentication Vulnerability." http://www.checkpoint.com/techsupport/alerts/list_vun.html#OPSEC_Authentication fw1-opsec-auth-spoof 4420 The seed generation mechanism in the inter-module S/Key authentication mechanism in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to bypass authentication via a brute force attack, aka "One-time (s/key) Password Authentication." http://www.checkpoint.com/techsupport/alerts/list_vun.html#One-time_Password fw1-localhost-auth 4421 Buffer overflow in Getkey in the protocol checker in the inter-module communication mechanism in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to cause a denial of service. http://www.checkpoint.com/techsupport/alerts/list_vun.html#Getkey_Buffer fw1-getkey-bo 4422 Auction Weaver 1.0 through 1.04 does not properly validate the names of form fields, which allows remote attackers to delete arbitrary files and directories via a .. (dot dot) attack. auction-weaver-delete-files 1782 1600 Auction Weaver 1.0 through 1.04 allows remote attackers to read arbitrary files via a .. (dot dot) attack on the username or bidfile form fields. auction-weaver-username-bidfile 1783 4053 The administration module in Sun Java web server allows remote attackers to execute arbitrary commands by uploading Java code to the module and invoke the com.sun.server.http.pagecompile.jsp92.JspServlet by requesting a URL that begins with a /servlet/ tag. http://www.securityfocus.com/templates/advisory.html?id=2542 00197 sunjava-webadmin-bbs 1600 Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to redirect FTP connections to other servers ("FTP Bounce") via invalid FTP commands that are processed improperly by FireWall-1, aka "FTP Connection Enforcement Bypass." http://www.checkpoint.com/techsupport/alerts/list_vun.html#FTP_Connection fw1-ftp-redirect 4434 Linux tmpwatch --fuser option allows local users to execute arbitrary commands by creating files whose names contain shell metacharacters. 20001006 Insecure call of external programs in Red Hat Linux tmpwatch linux-tmpwatch-fuser(5320) 1785 RHSA-2000:080 MDKSA-2000:056 Buffer overflow in the HTTP protocol parser for Microsoft Network Monitor (Netmon) allows remote attackers to execute arbitrary commands via malformed data, aka the "Netmon Protocol Parsing" vulnerability. 20001101 Buffer Overflow in Microsoft Windows NT 4.0 and Windows 2000 Network Monitor MS00-083 The default installation for the Oracle listener program 7.3.4, 8.0.6, and 8.1.6 allows an attacker to cause logging information to be appended to arbitrary files and execute commands via the SET TRC_FILE or SET LOG_FILE commands. http://otn.oracle.com/deploy/security/pdf/listener_alert.pdf 20001025 Vulnerability in the Oracle Listener Program oracle-listener-connect-statements(5380) The unsetenv function in glibc 2.1.1 does not properly unset an environmental variable if the variable is provided twice to a program, which could allow local users to execute arbitrary commands in setuid programs by specifying their own duplicate environmental variables such as LD_PRELOAD or LD_LIBRARY_PATH. 648 20000831 glibc unsetenv bug glibc-ld-unsetenv TLSA2000020-1 1639 RHSA-2000:057 20000924 glibc locale security problem MDKSA-2000:045 MDKSA-2000:040 20000902 glibc: local root exploit CSSA-2000-028.0 19990917 A few bugs... 20000906 [slackware-security]: glibc 2.1.3 vulnerabilities patched 20000905 Conectiva Linux Security Announcement - glibc 20000902 Conectiva Linux Security Announcement - glibc Ipswitch Imail 6.0 allows remote attackers to cause a denial of service via a large number of connections in which a long Host: header is sent, which causes a thread to crash. 20000817 Imail Web Service Remote DoS Attack v.2 ipswitch-imail-remote-dos(5475) 2011 20000817 Imail Web Service Remote DoS Attack v.2 20000817 Imail Web Service Remote DoS Attack v.2 Buffer overflow in ddicgi.exe program in Mobius DocumentDirect for the Internet 1.2 allows remote attackers to execute arbitrary commands via a long GET request. documentdirect-get-bo 1657 A090800-1 Buffer overflow in the web authorization form of Mobius DocumentDirect for the Internet 1.2 allows remote attackers to cause a denial of service or execute arbitrary commands via a long username. documentdirect-username-bo 1657 A090800-1 Buffer overflow in ddicgi.exe in Mobius DocumentDirect for the Internet 1.2 allows remote attackers to execute arbitrary commands via a long User-Agent parameter. documentdirect-user-agent-bo 1657 A090800-1 The tmpwatch utility in Red Hat Linux forks a new process for each directory level, which allows local users to cause a denial of service by creating deeply nested directories in /tmp or /var/tmp/. linux-tmpwatch-fork-dos 1664 20000909 tmpwatch: local DoS : fork()bomb as root RHSA-2000:080 annclist.exe in webTV for Windows allows remote attackers to cause a denial of service by via a large, malformed UDP packet to ports 22701 through 22705. 1671 webtv-udp-dos 20000913 trivial DoS in webTV MS00-074 Buffer overflow in Fastream FTP++ 2.0 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long username. 20000912 DST2K0027: DoS in Faststream FTP++ 2.0 Htgrep CGI program allows remote attackers to read arbitrary files by specifying the full pathname in the hdr parameter. htgrep-cgi-view-files(5476) 20000817 Htgrep CGI Arbitrary File Viewing Vulnerability Buffer overflow in WinSMTP 1.06f and 2.X allows remote attackers to cause a denial of service via a long (1) USER or (2) HELO command. winsmtp-helo-bo(5255) 1680 2000911 WinSMTPD remote exploit/DoS problem The Windows 2000 telnet client attempts to perform NTLM authentication by default, which allows remote attackers to capture and replay the NTLM challenge/response via a telnet:// URL that points to the malicious server, aka the "Windows 2000 Telnet Client NTLM Authentication" vulnerability. 1683 MS00-067 win2k-telnet-ntlm-authentication A091400-1 search.dll Sambar ISAPI Search utility in Sambar Server 4.4 Beta 3 allows remote attackers to read arbitrary directories by specifying the directory in the query parameter. 1684 20000915 Sambar Server search CGI vulnerability Buffer overflow in CamShot WebCam Trial2.6 allows remote attackers to execute arbitrary commands via a long Authorization header. camshot-password-bo 1685 20000915 [NEWS] Vulnerability in CamShot server (Authorization) FTP Serv-U 2.5e allows remote attackers to cause a denial of service by sending a large number of null bytes. servu-null-character-dos 20000804 FTP Serv-U 2.5e vulnerability. 1543 Fastream FUR HTTP server 1.0b allows remote attackers to cause a denial of service via a long GET request. fur-get-dos(5237) 20000914 DST2K0028: DoS in FUR HTTP Server v1.0b WinCOM LPD 1.00.90 allows remote attackers to cause a denial of service via a large number of LPD options to the LPD port (515). wincom-lpd-dos(5258) 1701 20000919 VIGILANTE-2000013: WinCOM LPD DoS Buffer overflow in XMail POP3 server before version 0.59 allows remote attackers to execute arbitrary commands via a long USER command. 20000906 [NEWS] XMail vulnerable to a remotely exploitable buffer overflow (APOP, USER) xmail-long-user-bo 1652 Buffer overflow in XMail POP3 server before version 0.59 allows remote attackers to execute arbitrary commands via a long APOP command. 20000906 [NEWS] XMail vulnerable to a remotely exploitable buffer overflow (APOP, USER) xmail-long-apop-bo 1652 The search97cgi/vtopic" in the UnixWare 7 scohelphttp webserver allows remote attackers to read arbitrary files via a .. (dot dot) attack. 1663 20000911 SCO scohelhttp documentation webserver exposes local files Buffer overflow in pam_smb and pam_ntdom pluggable authentication modules (PAM) allow remote attackers to execute arbitrary commands via a login with a long user name. 1666 20000911 libpam-smb: remote root exploit 20000913 pam_smb remotely exploitable buffer overflow MDKSA-2000:047 20000911 Conectiva Linux Security Announcement - pam_smb 20000910 (SRADV00002) Remote root compromise through pam_smb and pam_ntdom Some functions that implement the locale subsystem on Unix do not properly cleanse user-injected format strings, which allows local attackers to execute arbitrary commands via functions such as gettext and catopen. 1634 20000904 UNIX locale format string vulnerability unix-locale-format-string(5176) RHSA-2000:057 20000906 glibc locale security problem 20000902 glibc: local root exploit CSSA-2000-030.0 SSRT0689U IY13753 20000902 Conectiva Linux Security Announcement - glibc 20000901-01-P kdebug daemon (kdebugd) in Digital Unix 4.0F allows remote attackers to read arbitrary files by specifying the full file name in the initialization packet. 20000918 [ENIGMA] Digital UNIX/Tru64 UNIX remote kdebug Vulnerability Buffer overflow in Darxite 0.4 and earlier allows a remote attacker to execute arbitrary commands via a long username or password. 1598 20000821 Darxite daemon remote exploit/DoS problem darxite-login-bo Buffer overflow in University of Washington c-client library (used by pine and other programs) allows remote attackers to execute arbitrary commands via a long X-Keywords header. 1646 20000901 More about UW c-client library c-client-dos(5223) 1687 FreeBSD-SA-00:47.pine 20000901 UW c-client library vulnerability Buffer overflow in IBM WebSphere web application server (WAS) allows remote attackers to execute arbitrary commands via a long Host: request header. 1691 20000915 WebSphere application server plugin issue & vendor fix http://www-4.ibm.com/software/webservers/appserv/doc/v3022/fxpklst.htm#Security websphere-header-dos Race condition in Microsoft Windows Media server allows remote attackers to cause a denial of service in the Windows Media Unicast Service via a malformed request, aka the "Unicast Service Race Condition" vulnerability. 1655 MS00-064 unicast-service-dos(5193) Netegrity SiteMinder before 4.11 allows remote attackers to bypass its authentication mechanism by appending "$/FILENAME.ext" (where ext is .ccc, .class, or .jpg) to the requested URL. 1681 siteminder-bypass-authentication A091100-1 Buffer overflow in the Still Image Service in Windows 2000 allows local users to gain additional privileges via a long WM_USER message, aka the "Still Image Service Privilege Escalation" vulnerability. 1651 MS00-065 A090700-1 w2k-still-image-service Multiple buffer overflows in eject on FreeBSD and possibly other OSes allows local users to gain root privileges. 1686 freebsd-eject-port 1559 FreeBSD-SA-00:49 YaBB Bulletin Board 9.1.2000 allows remote attackers to read arbitrary files via a .. (dot dot) attack. 1668 yabb-file-access 20000909 YaBB 1.9.2000 Vulnerabilitie When a Microsoft Office 2000 document is launched, the directory of that document is first used to locate DLL's such as riched20.dll and msi.dll, which could allow an attacker to execute arbitrary commands by inserting a Trojan Horse DLL into the same directory as the document. 1699 20000918 Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases office-dll-execution(5263) 20000921 Mitigators for possible exploit of Eudora via Guninski #21,2000 20000922 Eudora + riched20.dll affects WinZip v8.0 as well SunFTP build 9(1) allows remote attackers to cause a denial of service by connecting to the server and disconnecting before sending a newline. 1637 20000901 [EXPL] SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open) Buffer overflow in SunFTP build 9(1) allows remote attackers to cause a denial of service or possibly execute arbitrary commands via a long GET request. 1638 20000901 [EXPL] SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open) The logging capability in muh 2.05d IRC server does not properly cleanse user-injected format strings, which allows remote attackers to cause a denial of service or execute arbitrary commands via a malformed nickname. 1665 muh-log-dos 20000909 Re: format string bug in muh 20000909 format string bug in muh Vulnerability in Microsoft Windows NT 4.0 allows remote attackers to cause a denial of service in IIS by sending it a series of malformed requests which cause INETINFO.EXE to fail, aka the "Invalid URL" vulnerability. 1642 20000906 VIGILANTE-2000009: "Invalid URL" DoS MS00-063 iis-invald-url-dos The web configuration server for NTMail V5 and V6 allows remote attackers to cause a denial of service via a series of partial HTTP requests. 1640 20000904 VIGILANTE-2000008: NTMail Configuration Service DoS ntmail-incomplete-http-requests The file upload capability in PHP versions 3 and 4 allows remote attackers to read arbitrary files by setting hidden form fields whose names match the names of internal PHP script variables. 1649 20000903 (SRADV00001) Arbitrary file disclosure through PHP file upload php-file-upload http://cvsweb.php.net/viewcvs.cgi/php4/main/rfc1867.c.diff?r1=1.38%3Aphp_4_0_2&tr1=1.1&r2=text&tr2=1.45&diff_format=u MDKSA-2000:048 20000904 Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload Mailman 1.1 allows list administrators to execute arbitrary commands via shell metacharacters in the %(listname) macro expansion. 1667 FreeBSD-SA-00:51 20000907 Mailman 1.1 + external archiver vulnerability mailman-execute-external-commands(5493) Vulnerability in an administrative interface utility for Allaire Spectra 1.0.1 allows remote attackers to read and modify sensitive configuration information. ASB00-23 allaire-spectra-admin-access Buffer overflow in listmanager earlier than 2.105.1 allows local users to gain additional privileges. FreeBSD-SA-00:50 listmanager-port-bo Race condition in the creation of a Unix domain socket in GNOME esound 0.2.19 and earlier allows a local user to change the permissions of arbitrary files and directories, and gain additional privileges, via a symlink attack. 1659 RHSA-2000:077 20001012 esound daemon race condition 20001008 esound: race condition FreeBSD-SA-00:45 20001006 Immunix OS Security Update for esound 20000911 Patch for esound-0.2.19 Buffer overflow in dvtermtype in Tridia Double Vision 3.07.00 allows local users to gain root privileges via a long terminal type argument. 1697 20000916 Advisory: Tridia DoubleVision / SCO UnixWare doublevision-dvtermtype-bo Interbase 6 SuperServer for Linux allows an attacker to cause a denial of service via a query containing 0 bytes. interbase-query-dos 1654 20000907 SEGFAULTING Interbase 6 SS Linux Kernel logging daemon (klogd) in Linux does not properly cleanse user-injected format strings, which allows local users to gain root privileges by triggering malformed kernel messages. klogd-format-string 20000917 klogd format bug TLSA2000022-2 RHSA-2000:061 5824 20000920 syslogd + klogd format string parsing error 20000918 Conectiva Linux Security Announcement - sysklogd MDKSA-2000:050 CSSA-2000-032.0 The default configuration of Apache 1.3.12 in SuSE Linux 6.4 allows remote attackers to read source code for CGI scripts by replacing the /cgi-bin/ in the requested URL with /cgi-bin-sdb/. 1658 A090700-2 20000907 suse-apache-cgi-source-code The default configuration of Apache 1.3.12 in SuSE Linux 6.4 enables WebDAV, which allows remote attackers to list arbitrary diretories via the PROPFIND HTTP request method. 1656 A090700-3 20000907 apache-webdav-directory-listings Buffer overflow in EFTP allows remote attackers to cause a denial of service via a long string. 1675 20000911[EXPL] EFTP vulnerable to two DoS attacks eftp-bo 1555 Buffer overflow in EFTP allows remote attackers to cause a denial of service by sending a string that does not contain a newline, then disconnecting from the server. 1677 20000911[EXPL] EFTP vulnerable to two DoS attacks eftp-newline-dos 409 explorer.php in PhotoAlbum 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) attack. phpphoto-dir-traverse 1650 20000906 PhotoAlbum 0.9.9 explorer.php Vulnerability netstat in AIX 4.x.x does not properly restrict access to the -Zi option, which allows local users to clear network interface statistics and possibly hide evidence of unusual network activities. 1660 20000903 aix allows clearing the interface stats aix-clear-netstat Eudora mail client includes the absolute path of the sender's host within a virtual card (VCF). eudora-path-disclosure 1653 20000907 Eudora disclosure 1545 WFTPD and WFTPD Pro 2.41 RC12 allows remote attackers to cause a denial of service by sending a long string of unprintable characters. wftpd-long-string-dos http://www.wftpd.com/bug_gpf.htm 20000905 WFTPD/WFTPD Pro 2.41 RC12 vulnerabilities WFTPD and WFTPD Pro 2.41 RC12 allows remote attackers to obtain the full pathname of the server via a "%C" command, which generates an error message that includes the pathname. 5829 20000905 WFTPD/WFTPD Pro 2.41 RC12 vulnerabilities mailform.pl CGI script in MailForm 2.0 allows remote attackers to read arbitrary files by specifying the file name in the XX-attach_file parameter, which MailForm then sends to the attacker. 1670 20000911 Unsafe passing of variables to mailform.pl in MailForm V2.0 mailform-attach-file The mailto CGI script allows remote attacker to execute arbitrary commands via shell metacharacters in the emailadd form field. 1669 20000911 Fwd: Poor variable checking in mailto.cgi mailto-piped-address LPPlus programs dccsched, dcclpdser, dccbkst, dccshut, dcclpdshut, and dccbkstshut are installed setuid root and world executable, which allows arbitrary local users to start and stop various LPD services. lpplus-permissions-dos 1643 20000906 Multiple Security Holes in LPPlus LPPlus creates the lpdprocess file with world-writeable permissions, which allows local users to kill arbitrary processes by specifying an alternate process ID and using the setuid dcclpdshut program to kill the process that was specified in the lpdprocess file. lpplus-process-perms-dos 1643 20000906 Multiple Security Holes in LPPlus The dccscan setuid program in LPPlus does not properly check if the user has the permissions to print the file that is specified to dccscan, which allows local users to print arbitrary files. lpplus-dccscan-file-read 1644 20000906 Multiple Security Holes in LPPlus Intel Express 500 series switches allow a remote attacker to cause a denial of service via a malformed ICMP packet, which causes the CPU to crash. 1647 20000906 VIGILANTE-2000010: Intel Express Switch series 500 DoS #2 The default configuration of mod_perl for Apache as installed on Mandrake Linux 6.1 through 7.1 sets the /perl/ directory to be browseable, which allows remote attackers to list the contents of that directory. linux-mod-perl 1678 MDKSA-2000:046 IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. MS00-078 iis-unicode-translation 1806 436 oval:org.mitre.oval:def:44 Buffer overflows in Microsoft Network Monitor (Netmon) allow remote attackers to execute arbitrary commands via a long Browser Name in a CIFS Browse Frame, a long SNMP community name, or a long username or filename in an SMB session, aka the "Netmon Protocol Parsing" vulnerability. NOTE: It is highly likely that this candidate will be split into multiple candidates. MS00-083 IIS 5.0 allows remote attackers to execute arbitrary commands via a malformed request for an executable file whose name is appended with operating system commands, aka the "Web Server File Request Parsing" vulnerability. MS00-086 20001107 NSFOCUS SA2000-07 : Microsoft IIS 4.0/5.0 CGI File Name Inspection Vulnerability iis-invalid-filename-passing(5470) 1912 oval:org.mitre.oval:def:191 named in BIND 8.2 through 8.2.2-P6 allows remote attackers to cause a denial of service by making a compressed zone transfer (ZXFR) request and performing a name service query on an authoritative record that is not cached, aka the "zxfr bug." CA-2000-20 1923 CLSA-2000:339 bind-zxfr-dos(5540) 20001107 BIND 8.2.2-P5 Possible DOS RHSA-2000:107 20001112 bind: remote Denial of Service MDKSA-2000:067 CLSA-2000:338 SuSE-SA:2000:45 20001115 Trustix Security Advisory - bind and openssh (and modutils) named in BIND 8.2 through 8.2.2-P6 allows remote attackers to cause a denial of service by sending an SRV record to the server, aka the "srv bug." CA-2000-20 CLSA-2000:339 bind-srv-dos(5814) RHSA-2000:107 20001112 bind: remote Denial of Service MDKSA-2000:067 CLSA-2000:338 SuSE-SA:2000:45 Two Sun security certificates have been compromised, which could allow attackers to insert malicious code such as applets and make it appear that it is signed by Sun. CA-2000-19 00198 periodic in FreeBSD 4.1.1 and earlier, and possibly other operating systems, allows local users to overwrite arbitrary files via a symlink attack. VU#626919 periodic-temp-file-symlink(6047) 2325 1754 A default ECL in Lotus Notes before 5.02 allows remote attackers to execute arbitrary commands by attaching a malicious program in an email message that is automatically executed when the user opens the email. VU#5962 http://www.notes.net/R5FixList.nsf/Search!SearchView&Query=CBAT45TU9S lotus-notes-bypass-ecl(5045) Some telnet clients allow remote telnet servers to request environment variables from the client that may contain sensitive information, or remote web servers to obtain the information via a telnet: URL. VU#22404 telnet-obtain-env-variable(6644) The presence of the Distributed GL Daemon (dgld) service on port 5232 on SGI IRIX systems allows remote attackers to identify the target host as an SGI system. VU#28027 HTTP server on the WatchGuard SOHO firewall does not properly restrict access to administrative functions such as password resets or rebooting, which allows attackers to cause a denial of service or conduct unauthorized activities. 20001214 Multiple vulnerabilities in the WatchGuard SOHO Firewall 2119 watchguard-soho-web-auth(5554) 4404 Buffer overflow in HTTP server on the WatchGuard SOHO firewall allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long GET request. 20001214 Multiple vulnerabilities in the WatchGuard SOHO Firewall 2114 watchguard-soho-web-dos(5218) 4403 WatchGuard SOHO firewall allows remote attackers to cause a denial of service via a flood of fragmented IP packets, which causes the firewall to drop connections and stop forwarding packets. watchguard-soho-fragmented-packets 20001214 Multiple vulnerabilities in the WatchGuard SOHO Firewall 2113 1690 Small HTTP Server 2.03 and earlier allows remote attackers to cause a denial of service by repeatedly requesting a URL that references a directory that does not contain an index.html file, which consumes memory that is not released after the request is completed. 1941 20001114 Vulnerabilites in SmallHTTP Server http://home.lanck.net/mf/srv/index.htm small-http-nofile-dos(5524) Small HTTP Server 2.01 does not properly process Server Side Includes (SSI) tags that contain null values, which allows local users, and possibly remote attackers, to cause the server to crash by inserting the SSI into an HTML file. 20001114 Vulnerabilites in SmallHTTP Server Small HTTP Server 2.01 allows remote attackers to cause a denial of service by connecting to the server and sending out multiple GET, HEAD, or POST requests and closing the connection before the server responds to the requests. 1942 20001114 Vulnerabilites in SmallHTTP Server Directory traversal vulnerability in ssi CGI program in thttpd 2.19 and earlier allows remote attackers to read arbitrary files via a "%2e%2e" string, a variation of the .. (dot dot) attack. acme-thttpd-ssi 1737 20001002 thttpd ssi: retrieval of arbitrary world-readable files FreeBSD-SA-00:73 Format string vulnerability in screen 3.9.5 and earlier allows local users to gain root privileges via format characters in the vbell_msg initialization variable. screen-format-string 1641 20000905 screen 3.9.5 root vulnerability RHSA-2000:058 20000906 screen format string parsing security problem MDKSA-2000:044 20000906 Screen-3.7.6 local compromise FreeBSD-SA-00:46 getalbum.php in PhotoAlbum before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) attack. phpphotoalbum-getalbum-directory-traversal 20000907 Re: PhotoAlbum 0.9.9 explorer.php Vulnerability Directory traversal vulnerability in Voyager web server 2.01B in the demo disks for QNX 405 allows remote attackers to read arbitrary files via a .. (dot dot) attack. 1648 20000901 Multiple QNX Voyager Issues Voyager web server 2.01B in the demo disks for QNX 405 stores sensitive web client information in the .photon directory in the web document root, which allows remote attackers to obtain that information. 1648 20000901 Multiple QNX Voyager Issues QNX Embedded Resource Manager in Voyager web server 2.01B in the demo disks for QNX 405 allows remote attackers to read sensitive system statistics information via the embedded.html web page. 1648 20000901 Multiple QNX Voyager Issues Directory traversal vulnerability in Moreover.com cached_feed.cgi script version 4.July.00 allows remote attackers to read arbitrary files via a .. (dot dot) attack on the category or format parameters. moreover-cgi-dir-traverse 1762 20001002 Moreover Cached_Feed CGI Vulnerability EServ 2.92 Build 2982 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via long HELO and MAIL FROM commands. 20000925 DST2K0030: DoS in EServ 2.92 Build 2982 BrowseGate 2.80 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via long Authorization or Referer MIME headers in the HTTP request. browsegate-http-dos 1702 http://www.netcplus.com/browsegate.htm#BGLatest 20000921 DST2K0031: DoS in BrowseGate(Home) v2.80(H) 20000921 DST2K0031: DoS in BrowseGate(Home) v2.80(H) Buffer overflow in the automatic mail checking component of Pine 4.21 and earlier allows remote attackers to execute arbitrary commands via a long From: header. 1709 pine-check-mail-bo 20000922 [ no subject ] RHSA-2000:102 MDKSA-2000:073 20001031 FW: Pine 4.30 now available FreeBSD-SA-00:59 Horde library 1.02 allows attackers to execute arbitrary commands via shell metacharacters in the "from" address. horde-imp-sendmail-command 1674 20000910 imp: remote compromise http://ssl.coc-ag.de/sec/hordelib-1.2.0.frombug.patch 20000908 horde library bug - unchecked from-address IMP 2.2 and earlier allows attackers to read and delete arbitrary files by modifying the attachment_name hidden form variable, which causes IMP to send the file to the attacker as an attachment. imp-attach-file 1679 20000912 (SRADV00003) Arbitrary file disclosure through IMP MultiHTML CGI script allows remote attackers to read arbitrary files and possibly execute arbitrary commands by specifying the file name to the "multi" parameter. http-cgi-multihtml 20000913 MultiHTML vulnerability mod_rewrite in Apache 1.3.12 and earlier allows remote attackers to read arbitrary files if a RewriteRule directive is expanded to include a filename whose name contains a regular expression. apache-rewrite-view-files 1728 RHSA-2000:095 RHSA-2000:088 MDKSA-2000:060 CSSA-2000-035.0 HPSBUX0010-126 20001011 Conectiva Linux Security Announcement - apache 20000929 Security vulnerability in Apache mod_rewrite OpenBSD 2.6 and earlier allows remote attackers to cause a denial of service by flooding the server with ARP requests. bsd-arp-request-dos 1759 20001005 obsd_fun.c 1592 fingerd in FreeBSD 4.1.1 allows remote attackers to read arbitrary files by specifying the target file name instead of a regular user name. freebsd-fingerd-files 1803 433 20001002 [sa2c@and.or.jp: bin/21704: enabling fingerd makes files world readable] FreeBSD-SA-00:54 FreeBSD 4.1.1 and earlier, and possibly other BSD-based OSes, uses an insufficient random number generator to generate initial TCP sequence numbers (ISN), which allows remote attackers to spoof TCP connections. 1766 FreeBSD-SA-00:52 Format string vulnerability in use_syslog() function in LPRng 3.6.24 allows remote attackers to execute arbitrary commands. CA-2000-22 lprng-format-string 1712 RHSA-2000:065 CSSA-2000-033.0 20000925 Format strings: bug #2: LPRng FreeBSD-SA-00:56 Format string vulnerability in kvt in KDE 1.1.2 may allow local users to execute arbitrary commands via a DISPLAY environmental variable that contains formatting characters. 1700 20000919 kvt format bug Directory traversal vulnerability in PHPix Photo Album 1.0.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack. phpix-dir-traversal 1773 472 20001007 PHPix advisory Directory traversal vulnerability in BOA web server 0.94.8.2 and earlier allows remote attackers to read arbitrary files via a modified .. (dot dot) attack in the GET HTTP request that uses a "%2E" instead of a "." boa-webserver-get-dir-traversal 1770 20001009 boa: exposes contents of local files 20001006 Vulnerability in BOA web server v0.94.8.2 FreeBSD-SA-00:60 Directory traversal vulnerability in Hassan Consulting shop.cgi shopping cart program allows remote attackers to read arbitrary files via a .. (dot dot) attack on the page parameter. hassan-shopping-cart-dir-traversal 1777 1596 20001007 Security Advisory: Hassan Consulting's shop.cgi Directory Traversal Vulnerability. Directory traversal vulnerability in Bytes Interactive Web Shopper shopping cart program (shopper.cgi) 2.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack on the newpage parameter. web-shopper-directory-traversal 1776 20001008 Security Advisory: Bytes Interactive's Web Shopper (shopper.cgi) Directory Traversal Vulnerability authenticate.cgi CGI program in Aplio PRO allows remote attackers to execute arbitrary commands via shell metacharacters in the password parameter. uclinux-apliophone-bin-execute 1784 20001006 Fwd: APlio PRO web shell Directory traversal vulnerability in search.cgi CGI script in Armada Master Index allows remote attackers to read arbitrary files via a .. (dot dot) attack in the "catigory" parameter. 1772 20001009 Master Index traverse advisory master-index-directory-traversal 461 The default installation of SmartWin CyberOffice Shopping Cart 2 (aka CyberShop) installs the _private directory with world readable permissions, which allows remote attackers to obtain sensitive information. 1734 20001002 DST2K0035: Credit card (customer) details exposed within CyberOff ice Shopping Cart v2 cyberoffice-world-readable-directory 20001002 DST2K0035: Credit card (customer) details exposed within CyberOff ice Shopping Cart v2 SmartWin CyberOffice Shopping Cart 2 (aka CyberShop) allows remote attackers to modify price information by changing the "Price" hidden form variable. 1733 20001002 DST2K0036: Price modification possible in CyberOffice Shopping Ca rt cyberoffice-price-modification 20001002 DST2K0036: Price modification possible in CyberOffice Shopping Cart WQuinn QuotaAdvisor 4.1 does not properly record file sizes if they are stored in alternative data streams, which allows users to bypass quota restrictions. quotaadvisor-quota-bypass 1724 20000928 DST2K0037: QuotaAdvisor 4.1 by WQuinn is susceptible to alternati ve datastreams to bypass quotas. 20000928 DST2K0037: QuotaAdvisor 4.1 by WQuinn is susceptible to alternati ve datastreams to bypass quotas. WQuinn QuotaAdvisor 4.1 allows users to list directories and files by running a report on the targeted shares. 1765 20001006 DST2K0040: QuotaAdvisor 4.1 by WQuinn susceptible to any user bei ng able to list (not read) all files on any server running QuotaAdvisor. quotaadvisor-list-files Microsoft Windows Media Player 7 allows attackers to cause a denial of service in RTF-enabled email clients via an embedded OCX control that is not closed properly, aka the "OCX Attachment" vulnerability. mediaplayer-outlook-dos 1714 MS00-068 20000929 Malformed Embedded Windows Media Player 7 "OCX Attachment" Pegasus Mail 3.12 allows remote attackers to read arbitrary files via an embedded URL that calls the mailto: protocol with a -F switch. 1738 pegasus-file-forwarding 20001030 Pegasus Mail file reading vulnerability 20001003 Pegasus mail file reading vulnerability Buffer overflow in Pegasus Mail 3.11 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long email message containing binary data. 1750 20001004 Another Pegasus Mail vulnerability MAILsweeper for SMTP 3.x does not properly handle corrupt CDA documents in a ZIP file and hangs, which allows remote attackers to cause a denial of service. 20000926 FW: DOS for Content Technologies' MAILsweeper for SMTP. mailsweeper-smtp-dos The Input Method Editor (IME) in the Simplified Chinese version of Windows 2000 does not disable access to privileged functionality that should normally be restricted, which allows local users to gain privileges, aka the "Simplified Chinese IME State Recognition" vulnerability. win2k-simplified-chinese-ime 1729 MS00-069 Glint in Red Hat Linux 5.2 allows local users to overwrite arbitrary files and cause a denial of service via a symlink attack. glint-symlink 1703 RHSA-2000:062 Samba Web Administration Tool (SWAT) in Samba 2.0.7 allows local users to overwrite arbitrary files via a symlink attack on the cgi.log file. 1872 20001030 Samba 2.0.7 SWAT vulnerabilities samba-swat-logging-sym-link Samba Web Administration Tool (SWAT) in Samba 2.0.7 installs the cgi.log logging file with world readable permissions, which allows local users to read sensitive information such as user names and passwords. 1874 20001030 Samba 2.0.7 SWAT vulnerabilities samba-swat-logfile-info Samba Web Administration Tool (SWAT) in Samba 2.0.7 does not log login attempts in which the username is correct but the password is wrong, which allows remote attackers to conduct brute force password guessing attacks. 20001030 Samba 2.0.7 SWAT vulnerabilities samba-swat-brute-force 1873 Samba Web Administration Tool (SWAT) in Samba 2.0.7 supplies a different error message when a valid username is provided versus an invalid name, which allows remote attackers to identify valid users on the server. 20001030 Samba 2.0.7 SWAT vulnerabilities samba-swat-brute-force(5442) Samba Web Administration Tool (SWAT) in Samba 2.0.7 allows remote attackers to cause a denial of service by repeatedly submitting a nonstandard URL in the GET HTTP request and forcing it to restart. 20001030 Samba 2.0.7 SWAT vulnerabilities samba-swat-url-filename-dos Directory traversal vulnerability in Metertek pagelog.cgi allows remote attackers to read arbitrary files via a .. (dot dot) attack on the "name" or "display" parameter. pagelog-cgi-dir-traverse 1864 20001029 Minor bug in Pagelog.cgi Kootenay Web KW Whois 1.0 CGI program allows remote attackers to execute arbitrary commands via shell metacharacters in the "whois" parameter. kw-whois-meta 1883 20001029 Re: Remote command execution via KW Whois 1.0 (addition) http://www.kootenayweb.bc.ca/scripts/whois.txt 20001029 Remote command execution via KW Whois 1.0 The CiWebHitsFile component in Microsoft Indexing Services for Windows 2000 allows remote attackers to conduct a cross site scripting (CSS) attack via a CiRestriction parameter in a .htw request, aka the "Indexing Services Cross Site Scripting" vulnerability. 1861 MS00-084 iis-htw-cross-scripting 20001028 IIS 5.0 cross site scripting vulnerability - using .htw Buffer overflow in bftp daemon (bftpd) 1.0.11 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long USER command. 20001027 Potential Security Problem in bftpd-1.0.11 bftpd-user-bo 1858 CGI Script Center News Update 1.1 does not properly validate the original news administration password during a password change operation, which allows remote attackers to modify the password without knowing the original password. news-update-bypass-password 1881 20001027 CGI-Bug: News Update 1.1 administration password bug The web configuration interface for Catalyst 3500 XL switches allows remote attackers to execute arbitrary commands without authentication when the enable password is not set, via a URL containing the /exec/ directory. 1846 cisco-catalyst-remote-commands(5415) 20001026 Advisory def-2000-02: Cisco Catalyst remote command execution 444 20001113 Re: 3500XL Compaq Easy Access Keyboard software 1.3 does not properly disable access to custom buttons when the screen is locked, which could allow an attacker to gain privileges or execute programs without authorization. 20001012 Security issue with Compaq Easy Access Keyboard software http://www5.compaq.com/support/files/desktops/us/revision/1723.html compaq-ea-elevate-privileges 5831 Format string vulnerability in cfd daemon in GNU CFEngine before 1.6.0a11 allows attackers to execute arbitrary commands via format characters in the CAUTH command. 1757 MDKSA-2000:061 cfengine-cfd-format-string 20001002 Very probable remote root vulnerability in cfengine NetBSD-SA2000-013 GnoRPM before 0.95 allows local users to modify arbitrary files via a symlink attack. gnorpm-temp-symlink 1761 20001002 GnoRPM local /tmp vulnerability RHSA-2000:072 MDKSA-2000:055 20001011 Immunix OS Security Update for gnorpm package 20001003 Conectiva Linux Security Announcement - gnorpm Heap overflow in savestr function in LBNL traceroute 1.4a5 and earlier allows a local user to execute arbitrary commands via the -g option. traceroute-heap-overflow 1739 TLSA2000023-1 RHSA-2000:078 MDKSA-2000:053 20001013 traceroute: local root exploit CSSA-2000-034.0 20000930 Conectiva Linux Security Announcement - traceroute 20000928 Very interesting traceroute flaw Format string vulnerability in x-gw in TIS Firewall Toolkit (FWTK) allows local users to execute arbitrary commands via a malformed display name. tisfwtk-xgw-execute-code 20001026 FWTK x-gw Security Advisory [GSA2000-01] A misconfiguration in IIS 5.0 with Index Server enabled and the Index property set allows remote attackers to list directories in the web root via a Web Distributed Authoring and Versioning (WebDAV) search. iis-index-dir-traverse 1756 Q272079 A100400-1 global.cgi CGI program in Global 3.55 and earlier on NetBSD allows remote attackers to execute arbitrary commands via shell metacharacters. global-execute-remote-commands NetBSD-SA2000-014 6486 Shambala Server 4.5 allows remote attackers to cause a denial of service by opening then closing a connection. shambala-connection-dos 1778 20001009 Shambala 4.5 vulnerability Shambala Server 4.5 stores passwords in plaintext, which could allow local users to obtain the passwords and compromise the server. shambala-password-plaintext 1771 20001009 Shambala 4.5 vulnerability Cisco Virtual Central Office 4000 (VCO/4K) uses weak encryption to store usernames and passwords in the SNMP MIB, which allows an attacker who knows the community name to crack the password and gain privileges. cisco-vco-snmp-passwords 1885 A102600-1 cyrus-sasl before 1.5.24 in Red Hat Linux 7.0 does not properly verify the authorization for a local user, which could allow the users to bypass specified access restrictions. cyrus-sasl-gain-access 1875 RHSA-2000:094 The pluggable authentication module for mysql (pam_mysql) before 0.4.7 does not properly cleanse user input when constructing SQL statements, which allows attackers to obtain plaintext passwords or hashes. pammysql-auth-input 20001026 (SRADV00004) Remote and local vulnerabilities in pam_mysql HotJava Browser 3.0 allows remote attackers to access the DOM of a web page by opening a javascript: URL in a named window. hotjava-browser-dom-access 20001025 HotJava Browser 3.0 JavaScript security vulnerability glibc2 does not properly clear the LD_DEBUG_OUTPUT and LD_DEBUG environmental variables when a program is spawned from a setuid program, which could allow local users to overwrite files via a symlink attack. glibc-unset-symlink 1719 20000926 ld.so bug - LD_DEBUG_OUTPUT follows symlinks The POP3 server in Netscape Messaging Server 4.15p1 generates different error messages for incorrect user names versus incorrect passwords, which allows remote attackers to determine valid users on the system and harvest email addresses for spam abuse. netscape-messaging-email-verify 1787 20001011 Netscape Messaging server 4.15 poor error strings Buffer overflow in IMAP server in Netscape Messaging Server 4.15 Patch 2 allows local users to execute arbitrary commands via a long LIST command. netscape-messaging-list-dos 1721 20000928 commercial products and security [ + new bug ] The IPSEC implementation in OpenBSD 2.7 does not properly handle empty AH/ESP packets, which allows remote attackers to cause a denial of service. 1723 20000925 Nmap Protocol Scanning DoS against OpenBSD IPSEC openbsd-nmap-dos 1574 Buffer overflow in ncurses library allows local users to execute arbitrary commands via long environmental information such as TERM or TERMINFO_DIRS. 1142 CSSA-2000-036.0 20001009 ncurses buffer overflows gnu-ncurses-term-terminfodirs-bo(44487) Buffer overflow in the web administration service for the HiNet LP5100 IP-phone allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long GET request. hinet-ipphone-get-bo 1727 20000928 Another thingy. The NSAPI plugins for TGA and the Java Servlet proxy in HP-UX VVOS 10.24 and 11.04 allows an attacker to cause a denial of service (high CPU utilization). hp-virtualvault-nsapi-dos HPSBUX0010-124 Buffer overflows in lpspooler in the fileset PrinterMgmt.LP-SPOOL of HP-UX 11.0 and earlier allows local users to gain privileges. hp-lpspooler-bo HPSBUX0010-125 7244 PHP 3 and 4 do not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands by triggering error messages that are improperly written to the error logs. php-logging-format-string 1786 RHSA-2000:095 RHSA-2000:088 MDKSA-2000:062 CSSA-2000-037.0 A101200-1 20001012 Conectiva Linux Security Announcement - mod_php3 FreeBSD-SA-00:75 Buffer overflow in Half Life dedicated server before build 3104 allows remote attackers to execute arbitrary commands via a long rcon command. halflife-server-changelevel-bo 1799 20001024 Tamandua Sekure Labs Security Advisory 2000-01 20001027 Re: Half Life dedicated server Patch 20001016 Half-Life Dedicated Server Vulnerability Format string vulnerability in Half Life dedicated server build 3104 and earlier allows remote attackers to execute arbitrary commands by injecting format strings into the changelevel command, via the system console or rcon. halflife-rcon-format-string 20001024 Tamandua Sekure Labs Security Advisory 2000-01 6983 20001027 Re: Half Life dedicated server Patch 20001016 Half-Life Dedicated Server Vulnerability IIS 4.0 and 5.0 .ASP pages send the same Session ID cookie for secure and insecure web sessions, which could allow remote attackers to hijack the secure web session of the user if that user moves to an insecure session, aka the "Session ID Cookie Marking" vulnerability. session-cookie-remote-retrieval MS00-080 7265 http://www.acrossecurity.com/aspr/ASPR-2000-07-22-1-PUB.txt Avirt Mail 4.0 and 4.2 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long "RCPT TO" or "MAIL FROM" command. avirt-rcpt-to-dos avirt-mail-from-dos 20001023 Avirt Mail 4.x DoS HP-UX 11.00 crontab allows local users to read arbitrary files via the -e option by creating a symlink to the target file during the crontab session, quitting the session, and reading the error messages that crontab generates. hp-crontab-read-files 20001020 [ Hackerslab bug_paper ] HP-UX crontab temporary file symbolic link vulnerability Buffer overflow in curl earlier than 6.0-1.1, and curl-ssl earlier than 6.0-1.2, allows remote attackers to execute arbitrary commands by forcing a long error message to be generated. curl-error-bo 1804 RHBA-2000:092-01 FreeBSD-SA-00:72 GnuPG (gpg) 1.0.3 does not properly check all signatures of a file containing multiple documents, which allows an attacker to modify contents of all documents but the first without detection. gnupg-message-modify 1797 RHSA-2000:089 1608 20001111 gnupg: incorrect signature verification CLSA-2000:334 20001025 Immunix OS Security Update for gnupg package 20001011 GPG 1.0.3 doesn't detect modifications to files with multiple signatures FreeBSD-SA-00:67 CSSA-2000-038.0 Directory traversal vulnerability in apexec.pl in Anaconda Foundation Directory allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20001012 Anaconda Advisory anaconda-apexec-directory-traversal 435 Buffer overflow in xlib in XFree 3.3.x possibly allows local users to execute arbitrary commands via a long DISPLAY environment variable or a -display command line parameter. 1805 20001012 another Xlib buffer overflow xfree-xlib-bo(5751) 20020502-01-I mailfile.cgi CGI program in MailFile 1.10 allows remote attackers to read arbitrary files by specifying the target file name in the "filename" parameter in a POST request, which is then sent by email to the address specified in the "email" parameter. 1807 20001011 Mail File POST Vulnerability mailfile-post-file-read bbd server in Big Brother System and Network Monitor before 1.5c2 allows remote attackers to execute arbitrary commands via the "&" shell metacharacter. 1779 20001010 Big Brother Systems and Network Monitor vulnerability bb4-netmon-execute-commands File and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level Password" vulnerability. win9x-share-level-password 1780 MS00-072 20001012 NSFOCUS SA2000-05: Microsoft Windows 9x NETBIOS password oval:org.mitre.oval:def:996 NMPI (Name Management Protocol on IPX) listener in Microsoft NWLink does not properly filter packets from a broadcast address, which allows remote attackers to cause a broadcast storm and flood the network. win-nmpi-packet-dos 1781 MS00-073 MySQL Database Engine uses a weak authentication method which leaks information that could be used by a remote attacker to recover the password. mysql-authentication http://www.mysql.com/documentation/mysql/commented/manual.php?section=Security 20001023 [CORE SDI ADVISORY] MySQL weak authentication Internet Explorer before 5.5 forwards cached user credentials for a secure web site to insecure pages on the same web site, which could allow remote attackers to obtain the credentials by monitoring connections to the web server, aka the "Cached Web Credentials" vulnerability. ie-cache-info 1793 MS00-076 http://www.acrossecurity.com/aspr/ASPR-2000-07-22-2-PUB.txt Microsoft NetMeeting with Remote Desktop Sharing enabled allows remote attackers to cause a denial of service (CPU utilization) via a sequence of null bytes to the NetMeeting port, aka the "NetMeeting Desktop Sharing" vulnerability. netmeeting-desktop-sharing-dos 1798 Q273854 20001018 Denial of Service attack against computers running Microsoft NetMeeting MS00-077 The HTTP server in Cisco IOS 12.0 through 12.1 allows local users to cause a denial of service (crash and reload) via a URL containing a "?/" string. 1838 20001025 Cisco IOS HTTP Server Query Vulnerability cisco-ios-query-dos(5412) Buffer overflow in All-Mail 1.1 allows remote attackers to execute arbitrary commands via a long "MAIL FROM" or "RCPT TO" command. 1789 A101200-2 Buffer overflow in Oracle 8.1.5 applications such as names, namesctl, onrsd, osslogin, tnslsnr, tnsping, trcasst, and trcroute possibly allow local users to gain privileges via a long ORACLE_HOME environmental variable. oracle-home-bo 20001020 [ Hackerslab bug_paper ] Linux ORACLE 8.1.5 vulnerability Buffer overflow in oidldapd in Oracle 8.1.6 allow local users to gain privileges via a long "connect" command line parameter. oracle-oidldap-bo 20001020 In response to posting 10/18/2000 vulnerability in Oracle Internet Directory in Oracle 8.1.6 20001018 vulnerability in Oracle Internet Directory in Oracle 8.1.6 WinU 1.0 through 5.1 has a backdoor password that allows remote attackers to gain access to its administrative interface and modify configuration. winu-backdoor 1801 http://www.bardon.com/pwdcrack.htm 20001013 WinU Backdoor passwords!!!! Buffer overflow in Intel InBusiness eMail Station 1.04.87 POP service allows remote attackers to cause a denial of service and possibly execute commands via a long username. intel-email-username-bo 20001020 DoS in Intel corporation 'InBusiness eMail Station' 6488 cmd5checkpw 0.21 and earlier allows remote attackers to cause a denial of service via an "SMTP AUTH" command with an unknown username. cmd5checkpw-qmail-bypass-authentication 1809 http://members.elysium.pl/brush/cmd5checkpw/changes.html 20001016 Authentication failure in cmd5checkpw 0.21 Buffer overflow in Hilgraeve, Inc. HyperTerminal client on Windows 98, ME, and 2000 allows remote attackers to execute arbitrary commands via a long telnet URL, aka the "HyperTerminal Buffer Overflow" vulnerability. win-hyperterminal-telnet-bo 1815 MS00-079 Directory traversal vulnerability in scp in sshd 1.2.xx allows a remote malicious scp server to overwrite arbitrary files via a .. (dot dot) attack. 1742 20000930 scp file transfer hole scp-overwrite-files MDKSA-2000:057 Format string vulnerability in pw_error function in BSD libutil library allows local users to gain root privileges via a malformed password in commands such as chpass or passwd. bsd-libutil-format 1744 20001003 A format string vulnerability exists in the pw_error(3) function. 20001004 Re: OpenBSD Security Advisory NetBSD-SA2000-015 FreeBSD-SA-00:58 Format string vulnerability in OpenBSD fstat program (and possibly other BSD-based operating systems) allows local users to gain root privileges via the PWD environmental variable. bsd-fstat-format ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch 1746 20001004 Re: OpenBSD Security Advisory Format string vulnerability in OpenBSD yp_passwd program (and possibly other BSD-based operating systems) allows attackers to gain root privileges a malformed name. ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch bsd-yp-passwd-format 6125 Format string vulnerability in OpenBSD su program (and possibly other BSD-based operating systems) allows local attackers to gain root privileges via a malformed shell. ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch bsd-su-format 6124 Format string vulnerabilities in eeprom program in OpenBSD, NetBSD, and possibly other operating systems allows local attackers to gain root privileges. bsd-eeprom-format 1752 ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch Format string vulnerability in top program allows local attackers to gain root privileges via the "kill" or "renice" function. 1895 FreeBSD-SA-00:62 ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch Format string vulnerabilities in OpenBSD ssh program (and possibly other BSD-based operating systems) allow attackers to gain root privileges. ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch Format string vulnerability in AOL Instant Messenger (AIM) 4.1.2010 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by transferring a file whose name includes format characters. aim-file-transfer-dos 1747 20001003 AOL Instant Messenger DoS add_2_basket.asp in Element InstantShop allows remote attackers to modify price information via the "price" hidden form variable. 20001024 Price modification in Element InstantShop instantshop-modify-price 6487 POP3 daemon in Stalker CommuniGate Pro 3.3.2 generates different error messages for invalid usernames versus invalid passwords, which allows remote attackers to determine valid email addresses on the server for SPAM attacks. communigate-email-verify 1792 20001012 Re: Netscape Messaging server 4.15 poor error strings NETBIOS client in Windows 95 and Windows 98 allows a remote attacker to cause a denial of service by changing a file sharing service to return an unknown driver type, which causes the client to crash. win-netbios-driver-type-dos 1794 20001012 NSFOCUS SA2000-04: Microsoft Win9x client driver type comparing vulnerability Format string vulnerability in OpenBSD photurisd allows local users to execute arbitrary commands via a configuration file directory name that contains formatting characters. bsd-photurisd-format 20001004 Re: OpenBSD Security Advisory 6123 Directory traversal vulnerability in html_web_store.cgi and web_store.cgi CGI programs in eXtropia WebStore allows remote attackers to read arbitrary files via a .. (dot dot) attack on the page parameter. extropia-webstore-fileread 1774 20001009 Security Advisory : eXtropia WebStore (web_store.cgi) Directory Traversal Vulnerability Microsoft Exchange Server 5.5 does not properly handle a MIME header with a blank charset specified, which allows remote attackers to cause a denial of service via a charset="" command, aka the "Malformed MIME Header" vulnerability. ms-exchange-mime-dos 1869 MS00-082 I-gear 3.5.7 and earlier does not properly process log entries in which a URL is longer than 255 characters, which allows an attacker to cause reporting errors. 20001025 I-gear 3.5.x for Microsoft Proxy logging vulnerability + temporary fix. igear-invalid-log(5791) PalmOS 3.5.2 and earlier uses weak encryption to store the user password, which allows attackers with physical access to the Palm device to decrypt the password and gain access to the device. 1715 A092600-1 dump in Red Hat Linux 6.2 trusts the pathname specified by the RSH environmental variable, which allows local users to obtain root privileges by modifying the RSH variable to point to a Trojan horse program. 1871 linux-dump-execute-code 20001030 Redhat 6.2 dump command executes external program with suid priviledge. Format string vulnerability in talkd in OpenBSD and possibly other BSD-based OSes allows remote attackers to execute arbitrary commands via a user name that contains format characters. linux-talkd-overwrite-root 1764 20001006 talkd [WAS: Re: OpenBSD Security Advisory] Buffer overflow in catopen() function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to gain root privileges via a long environmental variable. FreeBSD-SA-00:53 freebsd-catopen-bo 6070 The catopen function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to read arbitrary files via the LANG environmental variable. FreeBSD-SA-00:53 The setlocale function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to read arbitrary files via the LANG environmental variable. FreeBSD-SA-00:53 Format string vulnerability in the search97.cgi CGI script in SCO help http server for Unixware 7 allows remote attackers to execute arbitrary commands via format characters in the queryText parameter. unixware-scohelp-format 1717 3240 20000927 Unixware SCOhelp http server format string vulnerability The default configuration of Slashcode before version 2.0 Alpha has a default administrative password, which allows remote attackers to gain Slashcode priviliges and possibly execute arbitrary commands. slashcode-default-admin-passwords 1731 20000929 Default admin password with Slashcode. The default configuration of Apache (httpd.conf) on SuSE 6.4 includes an alias for the /usr/doc directory, which allows remote attackers to read package documentation and obtain system configuration information via an HTTP request for the /doc/packages URL. suse-installed-packages-exposed 1707 20000921 httpd.conf in Suse 6.4 Webteachers Webdata allows remote attackers with valid Webdata accounts to read arbitrary files by posting a request to import the file into the WebData database. 1732 20001003 Update to DST2K0039: Webteachers Webdata: Importing files lower t han web root possible in to database 20001002 DST2K0039: Webteachers Webdata: Importing files lower than web ro ot possible in to database shred 1.0 file wiping utility does not properly open a file for overwriting or flush its buffers, which prevents shred from properly replacing the file's data and allows local users to recover the file. 1788 20001011 Shred v1.0 Fix shred-recover-files 20001010 Shred 1.0 Bug Report Search engine in Ultraseek 3.1 and 3.1.10 (aka Inktomi Search) allows remote attackers to cause a denial of service via a malformed URL. ultraseek-malformed-url-dos 1866 20001030 Ultraseek 3.1.x Remote DoS Vulnerability Heap overflow in Worldclient in Mdaemon 3.1.1 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long URL. mdaemon-url-dos 1689 20000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoS Heap overflow in WebConfig in Mdaemon 3.1.1 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long URL. 1689 mdaemon-url-dos 20000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoS The mailguard feature in Cisco Secure PIX Firewall 5.2(2) and earlier does not properly restrict access to SMTP commands, which allows remote attackers to execute restricted commands by sending a DATA command before sending the restricted commands. cisco-pix-smtp-filtering 1698 20001005 Cisco Secure PIX Firewall Mailguard Vulnerability 20000920 Re: Cisco PIX Firewall (smtp content filtering hack) - Version 4.2(1) not exploitable 20000919 Cisco PIX Firewall (smtp content filtering hack) The Alabanza Control Panel does not require passwords to access administrative commands, which allows remote attackers to modify domain name information via the nsManager.cgi CGI program. 1710 alabanza-unauthorized-access 20000924 Major Vulnerability in Alabanza Control Panel eWave ServletExec 3.0C and earlier does not restrict access to the UploadServlet Java/JSP servlet, which allows remote attackers to upload files and execute arbitrary commands. 1876 ewave-servletexec-file-upload 20001101 Unify eWave ServletExec upload eWave ServletExec JSP/Java servlet engine, versions 3.0C and earlier, allows remote attackers to cause a denial of service via a URL that contains the "/servlet/" string, which invokes the ServletExec servlet and causes an exception if the servlet is already running. 1868 20001030 Unify eWave ServletExec DoS ewave-servletexec-dos Multiple buffer overflows in LBNL tcpdump allow remote attackers to execute arbitrary commands. 1870 tcpdump-afs-packet-overflow(5480) SuSE-SA:2000:46 FreeBSD-SA-00:61 Cisco Secure PIX Firewall 5.2(2) allows remote attackers to determine the real IP address of a target FTP server by flooding the server with PASV requests, which includes the real IP address in the response when passive mode is established. 1877 20001003 Cisco PIX Firewall allow external users to discover internal IPs cisco-pix-reveal-address 1623 Buffer overflow in cu program in HP-UX 11.0 may allow local users to gain privileges via a long -l command line argument. 1886 20001102 HPUX cu -l option buffer overflow vulnerabilit Buffer overflow in host command allows a remote attacker to execute arbitrary commands via a long response to an AXFR query. 1887 20001027 old version of host command vulnearbility CS&T CorporateTime for the Web returns different error messages for invalid usernames and invalid passwords, which allows remote attackers to determine valid usernames on the server. 1888 20001031 Re: Samba 2.0.7 SWAT vulnerabilities Buffer overflow in dtterm in HP-UX 11.0 and HP Tru64 UNIX 4.0f through 5.1a allows local users to execute arbitrary code via a long -tn option. VU#320067 1889 HPSBUX0011-128 hp-dtterm(5461) 20000810 Re: Possible vulnerability in HPUX ( Add vulnerability List ) 20020902 Happy Labor Day from Snosoft SSRT2275 20020919 iDEFENSE OSF1/Tru64 3.x vuln clarification 20020919 iDEFENSE OSF1/Tru64 3.x vuln clarification The client authentication interface for Check Point Firewall-1 4.0 and earlier generates different error messages for invalid usernames versus invalid passwords, which allows remote attackers to identify valid usernames on the firewall. 1890 20001101 Re: Samba 2.0.7 SWAT vulnerabilities fw1-login-response(5816) 1632 Serv-U FTP Server allows remote attackers to bypass its anti-hammering feature by first logging on as a valid user (possibly anonymous) and then attempting to guess the passwords of other users. ftp-servu-brute-force 1860 20001029 Brute Forcing FTP Servers with enabled anti-hammering (anti brute-force) modus Buffer overflow in the System Monitor ActiveX control in Windows 2000 allows remote attackers to execute arbitrary commands via a long LogFileName parameter in HTML source code, aka the "ActiveX Parameter Validation" vulnerability. 1899 MS00-085 system-monitor-activex-bo(5467) 20001106 System Monitor ActiveX Buffer Overflow Vulnerability Buffer overflows in TYPSoft FTP Server 0.78 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long USER, PASS, or CWD command. http://www.synnergy.net/Archives/Advisories/dethy/typsoft-ftpd.txt 1690 20000912 TYPSoft FTP Server remote DoS Problem Directory traversal vulnerability in Extent RBS ISP web server allows remote attackers to read sensitive information via a .. (dot dot) attack on the Image parameter. rbs-isp-directory-traversal 1704 20000920 Extent RBS directory Transversal. Check Point Firewall-1 session agent 3.0 through 4.1 generates different error messages for invalid user names versus invalid passwords, which allows remote attackers to determine valid usernames and guess a password via a brute force attack. 1662 20000815 Firewall-1 session agent 3.0 -> 4.1, dictionnary and brute force attack The web administration interface for IBM AS/400 Firewall allows remote attackers to cause a denial of service via an empty GET request. http://as400service.rochester.ibm.com/n_dir/nas4apar.NSF/5ec6cdc6ab42894a862568f90073c74a/9ce636030a58807186256955003d128d?OpenDocument as400-firewall-dos SA90544 Various TCP/IP stacks and network applications allow remote attackers to cause a denial of service by flooding a target host with TCP connection attempts and completing the TCP/IP handshake without maintaining the connection state on the attacker host, aka the "NAPTHA" class of vulnerabilities. NOTE: this candidate may change significantly as the security community discusses the technical nature of NAPTHA and learns more about the affected applications. This candidate is at a higher level of abstraction than is typical for CVE. CA-2000-21 2022 MS00-091 20001130 The NAPTHA DoS vulnerabilities 20001204 NAPTHA Advisory Updated - BindView RAZOR Format string vulnerability in logging function of ypbind 3.3, while running in debug mode, leaks file descriptors and allows an attacker to cause a denial of service. 1820 ypbind-printf-format-string RHSA-2000:086 MDKSA-2000:064 20001014 nis: local exploit CSSA-2000-039.0 SuSE-SA:2000:042 20001030 Trustix Security Advisory - ping gnupg ypbind 20001025 Immunix OS Security Update for ypbind package Buffer overflow in ypbind 3.3 possibly allows an attacker to gain root privileges. MDKSA-2000:064 CSSA-2000-039.0 SuSE-SA:2000:042 ypbind-remote-bo Buffer overflow in ypserv in Mandrake Linux 7.1 and earlier, and possibly other Linux operating systems, allows an attacker to gain root privileges when ypserv is built without a vsyslog() function. MDKSA-2000:064 linux-ypserv-bo Format string vulnerability in ypserv in Mandrake Linux 7.1 and earlier, and possibly other Linux operating systems, allows an attacker to gain root privileges when ypserv is built without a vsyslog() function. MDKSA-2000:064 linux-ypserv-format-string Format string vulnerability in ypbind-mt in SuSE SuSE-6.2, and possibly other Linux operating systems, allows an attacker to gain root privileges. 1820 SuSE-SA:2000:042 ypbind-printf-format-string nss_ldap earlier than 121, when run with nscd (name service caching daemon), allows remote attackers to cause a denial of service via a flood of LDAP requests. 1863 RHSA-2000:024 MDKSA-2000-066 nssldap-nscd-dos Multiple buffer overflows in the ESMTP service of Lotus Domino 5.0.2c and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via long (1) "RCPT TO," (2) "SAML FROM," or (3) "SOML FROM" commands. 20000911 Advisory Code: VIGILANTE-2000011 Lotus Domino ESMTP Service Buffer overflow Buffer overflow in SMTP service of Lotus Domino 5.0.4 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long ENVID keyword in the "MAIL FROM" command. 1905 20001103 [SAFER] Buffer overflow in Lotus Domino SMTP Server lotus-domino-smtp-envid(5488) 442 Directory traversal vulnerability in the logfile service of Wingate 4.1 Beta A and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack via an HTTP GET request that uses encoded characters in the URL. wingate-view-files 20001016 Wingate 4.1 Beta A vulnerability Allaire JRun 3.0 http servlet server allows remote attackers to cause a denial of service via a URL that contains a long string of "." characters. allaire-jrun-servlet-dos ASB00-030 20001101 Allaire's JRUN DoS Allaire JRun 3.0 http servlet server allows remote attackers to directly access the WEB-INF directory via a URL request that contains an extra "/" in the beginning of the request (aka the "extra leading slash"). allaire-jrun-webinf-access ASB00-027 500 20001023 Allaire's JRUN Unauthenticated Access to WEB-INF directory Directory traversal vulnerability in Allaire JRun 2.3 server allows remote attackers to read arbitrary files via the SSIFilter servlet. allaire-jrun-ssifilter-url ASB00-028 20001023 Allaire JRUN 2.3 Arbitrary File Retrieval Allaire JRun 2.3 server allows remote attackers to obtain source code for executable content by directly calling the SSIFilter servlet. 20001023 Allaire JRUN 2.3 Arbitrary File Retrieval Allaire JRun 2.3.3 server allows remote attackers to compile and execute JSP code by inserting it via a cross-site scripting (CSS) attack and directly calling the com.livesoftware.jrun.plugins.JSP JSP servlet. allaire-jrun-jsp-execute ASB00-029 20001023 Allaire JRUN 2.3 Remote command execution Buffer overflow in CSAdmin module in CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large packet. ciscosecure-csadmin-bo 1705 20000921 Multiple Vulnerabilities in CiscoSecure ACS for Windows NT Server Buffer overflow in CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large TACACS+ packet. ciscosecure-tacacs-dos 1706 20000921 Multiple Vulnerabilities in CiscoSecure ACS for Windows NT Server 1569 CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to bypass LDAP authentication on the server if the LDAP server allows null passwords. ciscosecure-ldap-bypass-authentication 1708 20000921 Multiple Vulnerabilities in CiscoSecure ACS for Windows NT Server Vulnerabilities in database configuration scripts in HP OpenView Network Node Manager (NNM) 6.1 and earlier allows local users to gain privileges, possibly via insecure permissions. hp-openview-nnm-scripts 1682 HPSBUX0009-120 Buffer overflow in OverView5 CGI program in HP OpenView Network Node Manager (NNM) 6.1 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, in the SNMP service (snmp.exe), aka the "Java SNMP MIB Browser Object ID parsing problem." openview-nmm-snmp-bo 20000926 DST2K0014: BufferOverrun in HP Openview Network Node Manager v6.1 (Round2) HPSBUX0009-121 The default configuration of the Xsession file in Mandrake Linux 7.1 and 7.0 bypasses the Xauthority access control mechanism with an "xhost + localhost" command, which allows local users to sniff X Windows events and gain privileges. xinitrc-bypass-xauthority 1735 20000929 Mandrake 7.1 bypasses Xauthority X session security. MDKSA-2000:052 The default configuration of XFCE 3.5.1 bypasses the Xauthority access control mechanism with an "xhost + localhost" command in the xinitrc program, which allows local users to sniff X Windows traffic and gain privileges. xinitrc-bypass-xauthority 1736 20001002 Local vulnerability in XFCE 3.5.1 Microsoft Virtual Machine (VM) in Internet Explorer 4.x and 5.x allows an unsigned applet to create and use ActiveX controls, which allows a remote attacker to bypass Internet Explorer's security settings and execute arbitrary commands via a malicious web page or email, aka the "Microsoft VM ActiveX Component" vulnerability. MS00-075 java-vm-applet Buffer overflow in the FTP service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service. hp-jetdirect-firmware-dos 1775 20001010 VIGILANTE-2000014: HP Jetdirect multiple DoS Buffer overflow in the Telnet service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service. hp-jetdirect-firmware-dos 1775 20001010 VIGILANTE-2000014: HP Jetdirect multiple DoS Buffer overflow in the LPD service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service. hp-jetdirect-firmware-dos 1775 20001010 VIGILANTE-2000014: HP Jetdirect multiple DoS Vulnerability in IP implementation of HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service (printer crash) via a malformed packet. hp-jetdirect-ip-implementation 1775 20001010 VIGILANTE-2000014: HP Jetdirect multiple DoS The getnameinfo function in FreeBSD 4.1.1 and earlier, and possibly other operating systems, allows a remote attacker to cause a denial of service via a long DNS hostname. 1894 FreeBSD-SA-00:63 pollit.cgi in Poll It 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the poll_options parameter. 20001023 Re: Poll It v2.0 cgi (again) http://www.cgi-world.com/pollit.html pollit-polloptions-execute-commands pollit.cgi in Poll It 2.01 and earlier allows remote attackers to access administrative functions without knowing the real password by specifying the same value to the entered_password and admin_password parameters. pollit-admin-password-var 20001023 Re: Poll It v2.0 cgi (again) pollit.cgi in Poll It 2.01 and earlier uses data files that are located under the web document root, which allows remote attackers to access sensitive or private information. 20001023 Re: Poll It v2.0 cgi (again) pollit-webroot-gain-access The GUI installation for iCal 2.1 Patch 2 disables access control for the X server using an "xhost +" command, which allows remote attackers to monitor X Windows events and gain privileges. A100900-1 1767 ical-xhost-gain-privileges 7213 iCal 2.1 Patch 2 installs many files with world-writeable permissions, which allows local users to modify the iCal configuration and execute arbitrary commands by replacing the iplncal.sh program with a Trojan horse. 1768 A100900-1 ical-iplncal-gain-access 7212 csstart program in iCal 2.1 Patch 2 searches for the cshttpd program in the current working directory, which allows local users to gain root privileges by creating a Trojan Horse cshttpd program in a directory and calling csstart from that directory. 1769 A100900-1 ical-csstart-gain-access 7210 csstart program in iCal 2.1 Patch 2 uses relative pathnames to install the libsocket and libnsl libraries, which could allow the icsuser account to gain root privileges by creating a Trojan Horse library in the current or parent directory. 1769 A100900-1 ical-csstart-gain-access 7209 Directory traversal vulnerability in iPlanet Certificate Management System 4.2 and Directory Server 4.12 allows remote attackers to read arbitrary files via a .. (dot dot) attack in the Agent, End Entity, or Administrator services. 1839 iplanet-netscape-directory-traversal http://www.iplanet.com/downloads/patches/0122.html 486 4086 20001026 [CORE SDI ADVISORY] iPlanet Certificate Management System 4.2 path traversal bug Netscape (iPlanet) Certificate Management System 4.2 and Directory Server 4.12 stores the administrative password in plaintext, which could allow local and possibly remote attackers to gain administrative privileges on the server. iplanet-netscape-plaintext-password 20001026 [CORE SDI ADVISORY] iPlanet Certificate Management System 4.2 path traversal bug Buffer overflow in the SHTML logging functionality of iPlanet Web Server 4.x allows remote attackers to execute arbitrary commands via a long filename with a .shtml extension. 20001026 Buffer overflow in iPlanet Web Server 4 server side SHTML parsing module iplanet-web-server-shtml-bo ICQ Web Front HTTPd allows remote attackers to cause a denial of service by requesting a URL that contains a "?" character. icq-webfront-url-dos 20001007 ICQ WebFront HTTPd DoS Interactions between the CIFS Browser Protocol and NetBIOS as implemented in Microsoft Windows 95, 98, NT, and 2000 allow remote attackers to modify dynamic NetBIOS name cache entries via a spoofed Browse Frame Request in a unicast or UDP broadcast datagram. win-netbios-corrupt-cache 1620 20000829 Windows NetBIOS Unsolicited Cache Corruption 20000829 Re: [COVERT-2000-10] Windows NetBIOS Unsolicited Cache Corruption oval:org.mitre.oval:def:1079 Quake 1 (quake1) and ProQuake 1.01 and earlier allow remote attackers to cause a denial of service via a malformed (empty) UDP packet. 1900 http://proquake.ai.mit.edu/ 20001102 dos on quake1 servers quake-empty-udp-dos(5527) The xp_displayparamstmt function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. 2030 MS00-092 20001201 Microsoft SQL Server extended stored procedure vulnerability oval:org.mitre.oval:def:231 The xp_enumresultset function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. 2031 MS00-092 20001201 Microsoft SQL Server extended stored procedure vulnerability The xp_showcolv function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. 2038 MS00-092 20001201 Microsoft SQL Server extended stored procedure vulnerability The xp_updatecolvbm function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. 2039 MS00-092 20001201 Microsoft SQL Server extended stored procedure vulnerability The xp_peekqueue function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. 2040 MS00-092 20001201 SQL Server 2000 Extended Stored Procedure Vulnerability The xp_printstatements function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. 2041 MS00-092 20001201 SQL Server 2000 Extended Stored Procedure Vulnerability The xp_proxiedmetadata function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. 2042 MS00-092 20001201 SQL Server 2000 Extended Stored Procedure Vulnerability The xp_SetSQLSecurity function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. 2043 MS00-092 20001201 SQL Server 2000 Extended Stored Procedure Vulnerability Buffer overflow in Microsoft Phone Book Service allows local users to execute arbitrary commands, aka the "Phone Book Service Buffer Overflow" vulnerability. A120400-1 2048 MS00-094 phone-book-service-bo(5623) Microsoft IIS for Far East editions 4.0 and 5.0 allows remote attackers to read source code for parsed pages via a malformed URL that uses the lead-byte of a double-byte character. 2100 microsoft-iis-file-disclosure http://www.nsfocus.com/english/homepage/sa_08.htm loadpage.cgi CGI program in EZshopper 3.0 and 2.0 allows remote attackers to list and read files in the EZshopper data directory by inserting a "/" in front of the target filename in the "file" parameter. ezshopper-cgi-file-disclosure(5740) 2109 20001213 NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi File List Buffer overflow in AOL Instant Messenger before 4.3.2229 allows remote attackers to execute arbitrary commands via a long "goim" command. A121200-1 Buffer overflow in AOL Instant Messenger (AIM) before 4.3.2229 allows remote attackers to execute arbitrary commands via a "buddyicon" command with a long "src" argument. A121200-1 1692 20001214 Re: AIM & @stake's advisory 20001213 Administrivia & AOL IM Advisory modprobe in the modutils 2.3.x package on Linux systems allows a local user to execute arbitrary commands via shell metacharacters. 1936 RHSA-2000:108 linux-modprobe-execute-code MDKSA-2000:071 20001120 modutils: local exploit CLSA-2000:340 SuSE-SA:2000:44 20001112 RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) crontab by Paul Vixie uses predictable file names for a temporary file and does not properly ensure that the file is owned by the user executing the crontab -e command, which allows local users with write access to the crontab spool directory to execute arbitrary commands by creating world-writeable temporary files and modifying them while the victim is editing the file. 1960 vixie-cron-execute-commands(5543) 20001116 vixie cron... The web server for the SonicWALL SOHO firewall allows remote attackers to cause a denial of service via a long username in the authentication page. 2013 20001129 DoS in Sonicwall SOHO firewall sonicwall-soho-dos(5596) 1667 20001201 FW: SonicWALL SOHO Vulnerability (fwd) The web server for the SonicWALL SOHO firewall allows remote attackers to cause a denial of service via an empty GET or POST request. 20001201 FW: SonicWALL SOHO Vulnerability (fwd) 20001201 Re: DoS in Sonicwall SOHO firewall Java Runtime Environment in Java Development Kit (JDK) 1.2.2_05 and earlier can allow an untrusted Java class to call into a disallowed class, which could allow an attacker to escape the Java sandbox and conduct unauthorized activities. 00199 jdk-untrusted-java-class(5605) HPSBUX0011-132 7255 The default configuration for PostACI webmail system installs the /includes/global.inc configuration file within the web root, which allows remote attackers to read sensitive information such as database usernames and passwords via a direct HTTP GET request. 2029 20001130 PostACI Webmail Vulnerability Directory traversal vulnerability in Winsock FTPd (WFTPD) 3.00 and 2.41 with the "Restrict to home directory" option enabled allows local users to escape the home directory via a "/../" string, a variation of the .. (dot dot) attack. 2005 20001127 Vulnerability in Winsock FTPD 2.41/3.00 (Pro) wftpd-dir-traverse(5608) PTlink IRCD 3.5.3 and PTlink Services 1.8.1 allow remote attackers to cause a denial of service (server crash) via "mode +owgscfxeb" and "oper" commands. 2008 20001126 Vulnerablity in PTlink3.5.3ircd + PTlink.Services.1.8.1... rcvtty in BSD 3.0 and 4.0 does not properly drop privileges before executing a script, which allows local attackers to gain privileges by specifying an alternate Trojan horse script on the command line. 2009 20001127 BSDi 3.0/4.0 rcvtty gid=tty exploit... (mh package) Variant of the "IIS Cross-Site Scripting" vulnerability as originally discussed in MS:MS00-060 (CVE-2000-0746) allows a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site. MS00-060 The ixsso.query ActiveX Object is marked as safe for scripting, which allows malicious web site operators to embed a script that remotely determines the existence of files on visiting Windows 2000 systems that have Indexing Services enabled. 1933 20001110 IE 5.x Win2000 Indexing service vulnerability 20001110 IE 5.x Win2000 Indexing service vulnerability Trend Micro InterScan VirusWall creates an "Intscan" share to the "InterScan" directory with permissions that grant Full Control permissions to the Everyone group, which allows attackers to gain privileges by modifying the VirusWall programs. 2014 20001128 TrendMicro InterScan VirusWall shared folder problem interscan-viruswall-unauth-access 20001201 Responding to BugTraq ID 2014 - "Trend Micro InterScan VirusWall Shared Directory Vulnerability" in.identd ident server in SuSE Linux 6.x and 7.0 allows remote attackers to cause a denial of service via a long request, which causes the server to access a NULL pointer and crash. 2015 20001128 SuSE Linux 6.x 7.0 Ident buffer overflow linux-ident-bo cons.saver in Midnight Commander (mc) 4.5.42 and earlier does not properly verify if an output file descriptor is a TTY, which allows local users to corrupt files by creating a symbolic link to the target file, calling mc, and specifying that link as a TTY argument. 1945 20001125 mc: local DoS midnight-commander-conssaver-symlink(5519) MDKSA-2000:078 20001113 Problems with cons.saver Midnight Commander (mc) 4.5.51 and earlier does not properly process malformed directory names when a user opens a directory, which allows other local users to gain privileges by creating directories that contain special characters followed by the commands to be executed. 2016 20001127 Midnight Commander midnight-commander-elevate-privileges(5929) SuSE-SA:2001:11 DSA-036 document.d2w CGI program in the IBM Net.Data db2www package allows remote attackers to determine the physical path of the web server by sending a nonexistent command to the program. 2017 20001128 IBM Net.Data Local Path Disclosure Vulnerability? Telnet Service for Windows 2000 Professional does not properly terminate incomplete connection attempts, which allows remote attackers to cause a denial of service by connecting to the server and not providing any input. 2018 20001129 Windows 2000 Telnet Service DoS win2k-telnet-dos(5598) Microsoft Windows Media Player 7 executes scripts in custom skin (.WMS) files, which could allow remote attackers to gain privileges via a skin that contains a malicious script, aka the ".WMS Script Execution" vulnerability. 1976 MS00-090 mediaplayer-wms-script-exe Buffer overflow in Microsoft Windows Media Player allows remote attackers to execute arbitrary commands via a malformed Active Stream Redirector (.ASX) file, aka the ".ASX Buffer Overrun" vulnerability. 1980 MS00-090 mediaplayer-asx-bo A112300-1 Unify ServletExec AS v3.0C allows remote attackers to read source code for JSP pages via an HTTP request that ends with characters such as ".", or "+", or "%20". 1970 20001121 Disclosure of JSP source code with ServletExec AS v3.0c + web ins tance Buffer overflow in remote web administration component (webprox.dll) of 602Pro LAN SUITE before 2000.0.1.33 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long GET request. 1979 20001122 602Pro Lan Suite Web Admin Overflow http://www.software602.com/products/ls/support/newbuild.html software602-lan-suite-bo Buffer overflow in TransSoft Broker FTP Server before 4.3.0.1 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long command. broker-ftp-username-dos 20001018 TransSoft's Broker FTP Server 3.x & 4.x Remote DoS attack Vulnerability The Extended Control List (ECL) feature of the Java Virtual Machine (JVM) in Lotus Notes Client R5 allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method. 1994 20001124 Security Hole in ECL Feature of Java VM Embedded in Lotus Notes Client R5 24Link 1.06 web server allows remote attackers to bypass access restrictions by prepending strings such as "/+/" or "/." to the HTTP GET request. 20001127 24Link Webserver Buffer overflow in setsenv command in IBM AIX 4.3.x and earlier allows local users to execute arbitrary commands via a long "x=" argument. 2032 20001201 Fixed local AIX V43 vulnerabilities aix-setsenv-bo(5621) 1676 IY10721 IY08812 Buffer overflow in digest command in IBM AIX 4.3.x and earlier allows local users to execute arbitrary commands. 2033 20001201 Fixed local AIX V43 vulnerabilities aix-digest-bo(5620) IY08287 IY08143 Buffer overflow in enq command in IBM AIX 4.3.x and earlier may allow local users to execute arbitrary commands via a long -M argument. 2034 20001201 Fixed local AIX V43 vulnerabilities aix-enq-bo(5619) IY08287 IY08143 Buffer overflow in setclock command in IBM AIX 4.3.x and earlier may allow local users to execute arbitrary commands via a long argument. 2035 20001201 Fixed local AIX V43 vulnerabilities IY07831 IY07790 Buffer overflow in pioout command in IBM AIX 4.3.x and earlier may allow local users to execute arbitrary commands. 2036 20001201 Fixed local AIX V43 vulnerabilities aix-pioout-bo IY12638 Buffer overflow in piobe command in IBM AIX 4.3.x allows local users to gain privileges via long environmental variables. 2037 20001201 Fixed local AIX V43 vulnerabilities aix-piobe-bo(5616) IY12638 restore 0.4b15 and earlier in Red Hat Linux 6.2 trusts the pathname specified by the RSH environmental variable, which allows local users to obtain root privileges by modifying the RSH variable to point to a Trojan horse program. 1914 20001104 Redhat 6.2 restore exploit Vulnerability in auto_parms and set_parms in HP-UX 11.00 and earlier allows remote attackers to execute arbitrary commands or cause a denial of service. 1954 HPSBUX0011-130 oval:org.mitre.oval:def:5655 registrar in the HP resource monitor service allows local users to read and modify arbitrary files by renaming the original registrar.log log file and creating a symbolic link to the target file, to which registrar appends log information and sets the permissions to be world readable. 1919 20001108 HP-UX 10.20 resource monitor service The default configuration of McAfee VirusScan 4.5 does not quote the ImagePath variable, which improperly sets the search path and allows local users to place a Trojan horse "common.exe" program in the C:\Program Files directory. 1920 20001103 Elevation of Privileges Exploit with McAfee VirusScan 4.5 McAfee WebShield SMTP 4.5 allows remote attackers to cause a denial of service via a malformed recipient field. 1999 20001123 McAfee WebShield SMTP vulnerabilities McAfee WebShield SMTP 4.5 allows remote attackers to bypass email content filtering rules by including Extended ASCII characters in name of the attachment. 1993 20001123 McAfee WebShield SMTP vulnerabilities Bill Kendrick web site guestbook (GBook) allows remote attackers to execute arbitrary commands via shell metacharacters in the _MAILTO form variable. 1940 20001110 [hacksware] gbook.cgi remote command execution vulnerability gbook-cgi-remote-execution DCForum cgforum.cgi CGI script allows remote attackers to read arbitrary files, and delete the program itself, via a malformed "forum" variable. 1951 20001114 Cgisecurity.com advisory on dcforum http://www.dcscripts.com/dcforum/dcfNews/124.html#1 dcforum-cgi-view-files(5533) 1646 Authentix Authentix100 allows remote attackers to bypass authentication by inserting a . (dot) into the URL for a protected directory. 1907 20001107 Explanation Authentix Input Validation Error 20001106 Authentix Security Advisory Multiple shell programs on various Unix systems, including (1) tcsh, (2) csh, (3) sh, and (4) bash, follow symlinks when processing << redirects (aka here-documents or in-here documents), which allows local users to overwrite files of other users via a symlink attack. VU#10277 2006 FreeBSD-SA-00:76 1926 20001128 /bin/sh creates insecure tmp files RHSA-2000:121 RHSA-2000:117 MDKSA-2000:075 MDKSA-2000-069 20001111a CSSA-2000-043.0 CSSA-2000-042.0 20001130 [ADV/EXP]: RH6.x root from bash /tmp vuln + MORE CLSA-2000:354 CLA-2000:350 SSRT1-41U 20001028 tcsh: unsafe tempfile in << redirects 20011103-02-P oval:org.mitre.oval:def:4047 fshd (fsh daemon) in Debian GNU/Linux allows local users to overwrite files of other users via a symlink attack. Note: fixed in potato version 20001130 DSA-002-1 fsh: symlink attack linux-fsh-symlink(5633) 7208 elvis-tiny before 1.4-10 in Debian GNU/Linux, and possibly other Linux operating systems, allows local users to overwrite files of other users via a symlink attack. 1984 20001122 New version of elvis-tiny released linux-tinyelvis-tmpfiles GNU ed before 0.2-18.1 allows local users to overwrite the files of other users via a symlink attack. RHSA-2000:123 gnu-ed-symlink(5723) 6491 MDKSA-2000:076 20001129 DSA-001-1 ed: symlink attack CLA-2000:359-2 Lotus Notes R5 client R5.0.5 and earlier does not properly warn users when an S/MIME email message has been modified, which could allow an attacker to modify the email in transit without being detected. 1925 20001108 Lotus Notes R5 clients - no warning for broken signature or encryption The installation of Microsoft Exchange 2000 before Rev. A creates a user account with a known password, which could allow attackers to gain privileges, aka the "Exchange User Account" vulnerability. 1958 MS00-088 ms-exchange-username-pwd(5537) Recourse ManTrap 1.6 does not properly hide processes from attackers, which could allow attackers to determine that they are in a honeypot system by comparing the results from kill commands with the process listing in the /proc filesystem. 1908 20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs 20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00) mantrap-hidden-processes Recourse ManTrap 1.6 modifies the kernel so that ".." does not appear in the /proc listing, which allows attackers to determine that they are in a honeypot system. 20001105 Mantrap Advisory Vendor Followup - Fate Research Labs 20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs mantrap-hidden-processes 20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00) Recourse ManTrap 1.6 generates an error when an attacker cd's to /proc/self/cwd and executes the pwd command, which allows attackers to determine that they are in a honeypot system. 20001105 Mantrap Advisory Vendor Followup - Fate Research Labs 20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs mantrap-pwd-reveal-information 20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00) Recourse ManTrap 1.6 hides the first 4 processes that run on a Solaris system, which allows attackers to determine that they are in a honeypot system. 20001105 Mantrap Advisory Vendor Followup - Fate Research Labs 20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs 20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00) mantrap-hidden-processes Recourse ManTrap 1.6 sets up a chroot environment to hide the fact that it is running, but the inode number for the resulting "/" file system is higher than normal, which allows attackers to determine that they are in a chroot environment. 1909 20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs mantrap-inode-disclosure 20001105 Mantrap Advisory Vendor Followup - Fate Research Labs 20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00) Recourse ManTrap 1.6 allows attackers who have gained root access to use utilities such as crash or fsdb to read /dev/mem and raw disk devices to identify ManTrap processes or modify arbitrary data files. 20001105 Mantrap Advisory Vendor Followup - Fate Research Labs 20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs mantrap-identify-processes 20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00) Recourse ManTrap 1.6 allows attackers to cause a denial of service via a sequence of commands that navigate into and out of the /proc/self directory and executing various commands such as ls or pwd. 1913 20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs mantrap-dir-dos 20001105 Mantrap Advisory Vendor Followup - Fate Research Labs 20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00) Buffer overflow in IIS ISAPI .ASP parsing mechanism allows attackers to execute arbitrary commands via a long string to the "LANGUAGE" argument in a script tag. 1911 20001103 IIS ASP $19.95 hack - IISHack 1.5 iis-isapi-asp-bo The installation of VolanoChatPro chat server sets world-readable permissions for its configuration file and stores the server administrator passwords in plaintext, which allows local users to gain privileges on the server. 1906 20001106 Re: FW: Filesystem Access + VolanoChat = VChat admin (fwd) 20001104 Filesystem Access + VolanoChat = VChat admin (fwd) volanochatpro-plaintext-password Buffer overflow in RegAPI.DLL used by Windows NT 4.0 Terminal Server allows remote attackers to execute arbitrary commands via a long username, aka the "Terminal Server Login Buffer Overflow" vulnerability. 1924 20001108 [CORE SDI ADVISORY] MS NT4.0 Terminal Server Edition GINA buffer overflow MS00-087 nt-termserv-gina-bo Felix IRC client in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL. 20001113 beos vulnerabilities Baxter IRC client in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL. 20001113 beos vulnerabilities Browser IRC client in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL. 20001113 beos vulnerabilities PostMaster 1.0 in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL. 20001113 beos vulnerabilities RHConsole in RobinHood 1.1 web server in BeOS r5 pro and earlier allows remote attackers to cause a denial of service via long HTTP request. 20001113 beos vulnerabilities RHDaemon in RobinHood 1.1 web server in BeOS r5 pro and earlier allows remote attackers to cause a denial of service via long HTTP request. 20001113 beos vulnerabilities StarOffice 5.2 follows symlinks and sets world-readable permissions for the /tmp/soffice.tmp directory, which allows a local user to read files of the user who is using StarOffice. 1922 staroffice-tmp-sym-link 20001108 StarOffice 5.2 Temporary Dir Vulnerability Buffer overflow in NAI Sniffer Agent allows remote attackers to execute arbitrary commands via a long SNMP community name. 1901 20001102 Remotely exploitable buffer overflow in NAI's Distributed Sniffer Agent NAI Sniffer Agent uses base64 encoding for authentication, which allows attackers to sniff the network and easily decrypt usernames and passwords. 20001102 Remotely exploitable buffer overflow in NAI's Distributed Sniffer Agent NAI Sniffer Agent allows remote attackers to gain privileges on the agent by sniffing the initial UDP authentication packets and spoofing commands. 1902 20001102 Remotely exploitable buffer overflow in NAI's Distributed Sniffer Agent NAI Sniffer Agent allows remote attackers to cause a denial of service (crash) by sending a large number of login requests. 1903 20001102 Remotely exploitable buffer overflow in NAI's Distributed Sniffer Agent The installation of AdCycle banner management system leaves the build.cgi program in a web-accessible directory, which allows remote attackers to execute the program and view passwords or delete databases. 1969 20001120 security problem in AdCycle installation ghostscript before 5.10-16 allows local users to overwrite files of other users via a symlink attack. 1990 CSSA-2000-041 ghostscript-sym-link RHSA-2000:114 MDKSA-2000:074 20001123 ghostscript: symlink attack CLSA-2000:343 ghostscript before 5.10-16 uses an empty LD_RUN_PATH environmental variable to find libraries in the current directory, which could allow local users to execute commands as other users by placing a Trojan horse library into a directory from which another user executes ghostscript. 1991 20001123 ghostscript: symlink attack ghostscript-env-variable MDKSA-2000:074 CSSA-2000-041 CLSA-2000:343 WinVNC installs the WinVNC3 registry key with permissions that give Special Access (read and modify) to the Everybody group, which allows users to read and modify sensitive information such as passwords and gain access to the system. 1961 20001118 WinVNC 3.3.x winvnc-modify-registry(5545) Balabit syslog-ng allows remote attackers to cause a denial of service (application crash) via a malformed log message that does not have a closing > in the priority specifier. 1981 20001122 DoS possibility in syslog-ng balabit-syslog-ng-dos(5576) http://www.balabit.hu/products/syslog-ng/ FreeBSD-SA-01:02 Twig webmail system does not properly set the "vhosts" variable if it is not configured on the site, which allows remote attackers to insert arbitrary PHP (PHP3) code by specifying an alternate vhosts as an argument to the index.php3 program. 1998 http://twig.screwdriver.net/file.php3?file=CHANGELOG 20001124 Security problems with TWIG webmail system twig-php3-script-execute(5581) ppp utility in FreeBSD 4.1.1 and earlier does not properly restrict access as specified by the "nat deny_incoming" command, which allows remote attackers to connect to the target system. 1974 freebsd-ppp-bypass-gateway(5584) 1655 FreeBSD-SA-00:70 IBM HTTP Server 1.3.6 (based on Apache) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long GET request. 20001123 IBM HTTP Server 1.3.6 Remote Overflow 1988 OpenSSH SSH client before 2.3.0 does not properly disable X11 or agent forwarding, which could allow a malicious SSH server to gain access to the X11 display and sniff X11 events, or gain access to the ssh-agent. 1949 20001123 OpenSSH Security Advisory (adv.fwd) openssh-unauthorized-access(5517) RHSA-2000:111 6248 2114 MDKSA-2000:068 20001118 openssh: possible remote exploit SuSE-SA:2000:47 CLSA-2000:345 20001115 Trustix Security Advisory - bind and openssh (and modutils) Buffer overflow in Netsnap webcam HTTP server before 1.2.9 allows remote attackers to execute arbitrary commands via a long GET request. 1956 20001115 Netsnap Webcam Software Remote Overflow http://www.netsnap.com/new.htm netsnap-remote-bo(5534) Directory traversal vulnerability in cgiforum.pl script in CGIForum 1.0 allows remote attackers to ready arbitrary files via a .. (dot dot) attack in the "thesection" parameter. 1963 20001120 CGIForum 1.0 Vulnerability cgiforum-view-files(5553) Buffer overflow in Gaim 0.10.3 and earlier using the OSCAR protocol allows remote attackers to conduct a denial of service and possibly execute arbitrary commands via a long HTML tag. 1948 20001110 Advisory: Gaim remote vulnerability Microsys CyberPatrol uses weak encryption (trivial encoding) for credit card numbers and uses no encryption for the remainder of the information during registration, which could allow attackers to sniff network traffic and obtain this sensitive information. 1977 20001122 CyberPatrol - poor credit card protection Multiple buffer overflows in AFS ACL parser for Ethereal 0.8.13 and earlier allows remote attackers to execute arbitrary commands via a packet with a long username. 1972 ethereal-afs-bo(5557) RHSA-2000:116 20001121 ethereal: remote exploit CLSA-2000:342 20001118 [hacksware] Ethereal 0.8.13 AFS ACL parsing buffer overflow bug FreeBSD-SA-00:81 Buffer overflow in Koules 1.4 allows local users to execute arbitrary commands via a long command line argument. 1967 20001120 local exploit for linux's Koules1.4 package Directory traversal vulnerability in YaBB search.pl CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack in the "catsearch" form field. 1921 20001107 Insecure input balidation in YaBB Search.pl bb-hist.sh, bb-histlog.sh, bb-hostsvc.sh, bb-rep.sh, bb-replog.sh, and bb-ack.sh in Big Brother (BB) before 1.5d3 allows remote attackers to determine the existence of files and user ID's by specifying the target file in the HISTFILE parameter. 1971 20001121 Big Brother Advisory - Fate Research Labs http://bb4.com/incident.nov21 Joe text editor follows symbolic links when creating a rescue copy called DEADJOE during an abnormal exit, which allows local users to overwrite the files of other users whose joe session crashes. 1959 20001116 Joe's Own Editor File Link Vulnerability joe-symlink-corruption(5546) RHSA-2000:110 MDKSA-2000:072 20001201 DSA-003-1 joe: symlink attack 20001121 Immunix OS Security update for joe CLA-2000:356 Netopia ISDN Router 650-ST before 4.3.5 allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters. 1952 20001115 Netopia ISDN Router 650-ST: Viewing of all system logs without login netopia-view-system-log(5536) Buffer overflow in cmctl program in Oracle 8.1.5 Connection Manager Control allows local users to gain privileges via a long command line argument. 1968 oracle-cmctl-bo(5551) 20001120 vulnerability in Connection Manager Control binary in Oracle Real Networks RealServer 7 and earlier allows remote attackers to obtain portions of RealServer's memory contents, possibly including sensitive information, by accessing the /admin/includes/ URL. 1957 20001116 [CORE SDI ADVISORY] RealServer memory contents disclosure http://service.real.com/help/faq/security/memory.html realserver-gain-access(5538) WatchGuard Firebox II allows remote attackers to cause a denial of service by flooding the Firebox with a large number of FTP or SMTP requests, which disables proxy handling. 1953 20001116 Possible Watchguard Firebox II DoS https://www.watchguard.com/support/patches.html watchguard-firebox-ftp-dos(5535) Buffer overflow in socks5 server on Linux allows attackers to execute arbitrary commands via a long connection request. 20001115 socks5 remote exploit / linux x86 telnetd in FreeBSD 4.2 and earlier, and possibly other operating systems, allows remote attackers to cause a denial of service by specifying an arbitrary large file in the TERMCAP environmental variable, which consumes resources as the server processes the file. FreeBSD-SA-00:69 telnetd-termcap-dos(5959) 6083 The telnet proxy in RideWay PN proxy server allows remote attackers to cause a denial of service via a flood of connections that contain malformed requests. 1938 20001113 Rideway PN Telnet DoS Buffer overflow in phf CGI program allows remote attackers to execute arbitrary commands by specifying a large number of arguments and including a long MIME header. 20001115 Exploit: phf buffer overflow (CGI) phf-cgi-bo(5970) Buffer overflow in the HTML parser for Netscape 4.75 and earlier allows remote attackers to execute arbitrary commands via a long password value in a form field. RHSA-2000:109 FreeBSD-SA-00:66 netscape-client-html-bo 7207 20001121 Immunix OS Security update for netscape SuSE-SA:2000:48 CLSA-2000:344 Directory traversal vulnerability in Quikstore shopping cart program allows remote attackers to read arbitrary files via a .. (dot dot) attack in the "page" parameter. 20001120 Cgisecurity Quickstore Shopping cart Buffer overflow in pam_localuser PAM module in Red Hat Linux 7.x and 6.x allows attackers to gain privileges. RHSA-2000:120 pam-localuser-bo(5747) MDKSA-2000:082-1 CLA-2000:358 imwheel-solo in imwheel package allows local users to modify arbitrary files via a symlink attack from the .imwheelrc file. RHSA-2000:016 linux-imwheel-symlink(4941) 20000531 Re: strike#2 htsearch program in htDig 3.2 beta, 3.1.6, 3.1.5, and earlier allows remote attackers to determine the physical path of the server by requesting a non-existent configuration file using the config parameter, which generates an error message that includes the full path. http://www.securiteam.com/exploits/htDig_reveals_web_server_configuration_paths.html oval:org.mitre.oval:def:10526 htdig-htsearch-path-disclosure(7367) 4366 Buffer overflow in BTT Software SNMP Trap Watcher 1.16 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string trap. http://www.securiteam.com/windowsntfocus/5ZP0C000KC.html 985 http://www.bttsoftware.co.uk/snmptrap.html Performance Metrics Collector Daemon (PMCD) in Performance Copilot in IRIX 6.x allows remote attackers to cause a denial of service (resource exhaustion) via an extremely long string to the PMCD port. irix-pcp-pmcd-dos(4284) 20000412 Performance Copilot for IRIX 6.5 20020407-01-I Argosoft FRP server 1.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to the (1) USER or (2) CWD commands. 1227 http://www.mdma.za.net/fk/FK9.zip telnet daemon (telnetd) from the Linux netkit package before netkit-telnet-0.16 allows remote attackers to bypass authentication when telnetd is running with the -L command line option. CSSA-2000-008.0 telnetd-login-bypass(4225) PSCOErrPage.htm in Netscape PublishingXpert 2.5 before SP2 allows remote attackers to read arbitrary files by specifying the target file in the errPagePath parameter. http://docs.iplanet.com/docs/manuals/pubx/2.5.2_Relnotes.html http://packetstormsecurity.org/0004-exploits/ooo1.txt publishingxpert-pscoerrpage-url(7362) POP2 or POP3 server (pop3d) in imap-uw IMAP package on FreeBSD and other operating systems creates lock files with predictable names, which allows local users to cause a denial of service (lack of mail access) for other users by creating lock files for other mail boxes. 1132 20000420 pop3d/imap DOS (while we're on the subject) FreeBSD-SA-00:15 qpopper POP server creates lock files with predictable names, which allows local users to cause a denial of service for other users (lack of mail access) by creating lock files for other mail boxes. 1132 20000420 pop3 20000420 pop3d/imap DOS (while we're on the subject) PostgreSQL stores usernames and passwords in plaintext in (1) pg_shadow and (2) pg_pwd, which allows attackers with sufficient privileges to gain access to databases. postgresql-plaintext-passwords(4364) 1139 20000423 Postgresql cleartext password storage Windows NT allows remote attackers to list all users in a domain by obtaining the domain SID with the LsaQueryInformationPolicy policy function via a null session and using the SID to list the users. nt-lsa-domain-sid(4015) 959 20000201 Windows NT and account list leak ! A new SID usage Check Point FireWall-1 allows remote attackers to cause a denial of service (high CPU) via a flood of packets to port 264. 20000707 Re: CheckPoint FW1 BUG ikeyman in IBM IBMHSSSB 1.0 sets the CLASSPATH environmental variable to include the user's own CLASSPATH directories before the system's directories, which allows a malicious local user to execute arbitrary code as root via a Trojan horse Ikeyman class. ibm-ikeyman(4235) 1092 20000405 minor issue with IBM HTTPD and /usr/bin/ikeyman Lotus Domino SMTP server 4.63 through 5.08 allows remote attackers to cause a denial of service (CPU consumption) by forging an email message with the sender as bounce@[127.0.0.1] (localhost), which causes Domino to enter a mail loop. 3212 lotus-domino-bounced-message-dos(7012) 20000520 Infinite loop in LOTUS NOTE 5.0.3. SMTP SERVER 20010820 Lotus Domino DoS 20010823 Lotus Domino DoS solution Vulnerability in the mod_vhost_alias virtual hosting module for Apache 1.3.9, 1.3.11 and 1.3.12 allows remote attackers to obtain the source code for CGI programs if the cgi-bin directory is under the document root. http://www.apacheweek.com/issues/00-10-13 Cross site scripting vulnerabilities in Apache 1.3.0 through 1.3.11 allow remote attackers to execute script as other web site visitors via (1) the printenv CGI (printenv.pl), which does not encode its output, (2) pages generated by the ap_send_error_response function such as a default 404, which does not add an explicit charset, or (3) various messages that are generated by certain Apache modules or core code. NOTE: the printenv issue might still exist for web browsers that can render text/plain content types as HTML, such as Internet Explorer, but CVE regards this as a design limitation of those browsers, not Apache. The printenv.pl/acuparam vector, discloser on 20070724, is one such variant. http://httpd.apache.org/info/css-security/apache_specific.html apache-printenv-acuparam-xss(35597) apache-printenv-xss(10938) 20070724 printenv.pl(all versions) cross site scripting Vulnerability 20021222 'printenv' XSS vulnerability 20021223 Re: 'printenv' XSS vulnerability Vulnerability in Apache httpd before 1.3.11, when configured for mass virtual hosting using mod_rewrite, or mod_vhost_alias in Apache 1.3.9, allows remote attackers to retrieve arbitrary files. http://www.apacheweek.com/issues/00-01-07#status userhelper in the usermode package on Red Hat Linux executes non-setuid programs as root, which does not activate the security measures in glibc and allows the programs to be exploited via format string vulnerabilities in glibc via the LANG or LC_ALL environment variables (CVE-2000-0844). RHSA-2000:075 MDKSA-2000:059 20000930 glibc and userhelper - local root 20001003 SuSE: userhelper/usermode Format string vulnerability in startprinting() function of printjob.c in BSD-based lpr lpd package may allow local users to gain privileges via an improper syslog call that uses format strings from the checkremote() call. RHSA-2000:066 lpr-checkremote-format-string(5286) 1711 20001004 Immunix OS Security Update for lpr 20000925 Format strings: bug #1: BSD-lpr The "sa" account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS) (5) Compaq Insight Manager, and (6) Visio 2000, which allows remote attackers to gain privileges, as exploited by worms such as Voyager Alpha Force and Spida. VU#635463 mssql-no-sapassword(1459) http://www.microsoft.com/security/security_bulletins/ms02020_sql.asp Q321081 Q313418 20000815 MS-SQL 'sa' user exploit code 4797 3570 20020522 Opty-Way Enterprise includes MSDE with sa <blank> 20000816 Released Patch: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password 20000810 Tumbleweed Worldsecure (MMS) BLANK 'sa' account password 20000710 MSDE / Re: Default Password Database Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp. apache-tomcat-file-contents(4205) 20000322 Security bug in Apache project: Jakarta Tomcat Zope 2.2.0 through 2.2.4 does not properly perform security registration for legacy names of object constructors such as DTML method objects, which could allow attackers to perform unauthorized activities. http://www.zope.org/Products/Zope/Hotfix_2000-12-08/security_alert MDKSA-2000:083 RHSA-2000:125 6282 zope-legacy-names(5824) Zope 2.2.0 through 2.2.4 does not properly protect a data updating method on Image and File objects, which allows attackers with DTML editing privileges to modify the raw data of these objects. http://www.zope.org/Products/Zope/Hotfix_2000-12-18/security_alert zope-image-file(5778) RHSA-2000:135 6283 DSA-007 MDKSA-2000:086 CLA-2000:365 ping in iputils before 20001010, as distributed on Red Hat Linux 6.2 through 7J and other operating systems, does not drop privileges after acquiring a raw socket, which increases ping's exposure to bugs that otherwise would occur at lower privileges. RHSA-2000:087 20001025 Immunix OS Security Update for ping package 20001030 Trustix Security Advisory - ping gnupg ypbind Buffer overflows in the (1) outpack or (2) buf variables of ping in iputils before 20001010, as distributed on Red Hat Linux 6.2 through 7J and other operating systems, may allow local users to gain privileges. RHSA-2000:087 ping-buf-bo(5431) 20001025 Immunix OS Security Update for ping package 1813 20001020 Re: [RHSA-2000:087-02] Potential security problems in ping fixed. 20001030 Trustix Security Advisory - ping gnupg ypbind The default configuration of Lotus Domino server 5.0.8 includes system information (version, operating system, and build date) in the HTTP headers of replies, which allows remote attackers to obtain sensitive information. VU#984555 lotus-domino-information-disclosure(10685) http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/5552251934afaa9585256c0000737a7f?OpenDocument&Highlight=0,AWHN4A8QWM 20010919 lotus domino server 5.08 is very gabby Buffer overflow in portmir for AIX 4.3.0 allows local users to corrupt lock files and gain root privileges via the echo_error routine. VU#433499 aix-portmir-echoerror-bo(7929) IY07832 Microsoft Windows 2000 before Service Pack 2 (SP2), when running in a non-Windows 2000 domain and using NTLM authentication, and when credentials of an account are locally cached, allows local users to bypass account lockout policies and make an unlimited number of login attempts, aka the "Domain Account Lockout" vulnerability. VU#818496 win2k-brute-force(5585) 1973 MS00-089 The default configuration for the domain name resolver for Microsoft Windows 98, NT 4.0, 2000, and XP sets the QueryIpMatching parameter to 0, which causes Windows to accept DNS updates from hosts that it did not query, which allows remote attackers to poison the DNS cache. VU#458659 win2k-dns-resolver(4280) The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows. VU#540517 [gcc-bugs] 20020506 c/6586: -ftrapv doesn't catch multiplication overflow The line printer daemon (lpd) in the lpr package in multiple Linux operating systems allows local users to gain root privileges by causing sendmail to execute with arbitrary command line arguments, as demonstrated using the -C option to specify a configuration file. VU#39001 redhat-lpd-print-control(3841) 927 RHSA-2000:002 20000109 lpr -- access control problem and root exploit 20000109 lpr -- access control problem and root exploit http://www.atstake.com/research/advisories/2000/lpd_advisory.txt http://www.atstake.com/research/advisories/2000/lpd_advisory.txt 20000108 L0pht Advisory: LPD, RH 4.x,5.x,6.x 20021104-01-P The line printer daemon (lpd) in the lpr package in multiple Linux operating systems authenticates by comparing the reverse-resolved hostname of the local machine to the hostname of the print server as returned by gethostname, which allows remote attackers to bypass intended access controls by modifying the DNS for the attacking IP. VU#30308 20000109 lpr -- access control problem and root exploit 20000108 Quadruple Inverted Backflip 20021104-01-P redhat-lpd-auth(3840) 927 20000108 Quadruple Inverted Backflip RHSA-2000:002 AIX sysback before 4.2.1.13 uses a relative path to find and execute the hostname program, which allows local users to gain privileges by modifying the path to point to a malicious hostname program. VU#17566 aix-sysback-elevate-privileges(6432) quikstore.cgi in Quikstore Shopping Cart allows remote attackers to execute arbitrary commands via shell metacharacters in the URL portion of an HTTP GET request. VU#671444 Caucho Technology Resin 1.2 and possibly earlier allows remote attackers to view JSP source via an HTTP request to a .jsp file with certain characters appended to the file name, such as (1) "..", (2) "%2e..", (3) "%81", (4) "%82", and others. resin-jsp-source-disclosure(5568) 1986 20001123 Re: RESIN ServletExec JSP Source Disclosure Vulnerability(Apache 1.3.6 Win2k)) 20001123 RESIN ServletExec JSP Source Disclosure Vulnerability(Apache 1.3.6 Win2k)) Xitami 2.5b installs the testcgi.exe program by default in the cgi-bin directory, which allows remote attackers to gain sensitive configuration information about the web server by accessing the program. http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0109.html Snort 1.6, when running in straight ASCII packet logging mode or IDS mode with straight decoded ASCII packet logging selected, allows remote attackers to cause a denial of service (crash) by sending non-IP protocols that Snort does not know about, as demonstrated by an nmap protocol scan. 20000614 Re: Snort 1.6 and nmap 2.54beta1 20000614 Snort 1.6 and nmap 2.54beta1 Windows NT 4.0 and Windows 2000 hosts allow remote attackers to cause a denial of service (unavailable connections) by sending multiple SMB SMBnegprots requests but not reading the response that is sent back. 1301 Phorum 3.0.7 allows remote attackers to change the administrator password without authentication via an HTTP request for admin.php3 that sets step, option, confirm and newPssword variables. 2271 20000106 Phorum 3.0.7 exploits and IDS signatures Directory traversal vulnerability in Phorum 3.0.7 allows remote Phorum administrators to read arbitrary files via ".." (dot dot) sequences in the default .langfile name field in the Master Settings administrative function, which causes the file to be displayed in admin.php3. 20000106 Phorum 3.0.7 exploits and IDS signatures Backdoor in auth.php3 in Phorum 3.0.7 allows remote attackers to access restricted web pages via an HTTP request with the PHP_AUTH_USER parameter set to "boogieman". http://www.digitalsec.net/stuff/z-mirrors/hispahack/mi020.htm 20000106 Phorum 3.0.7 exploits and IDS signatures 2274 code.php3 in Phorum 3.0.7 allows remote attackers to read arbitrary files in the phorum directory via the query string. 20000106 Phorum 3.0.7 exploits and IDS signatures upgrade.php3 in Phorum 3.0.7 could allow remote attackers to modify certain Phorum database tables via an unknown method. 20000106 Phorum 3.0.7 exploits and IDS signatures SQL injection vulnerability in read.php3 and other scripts in Phorum 3.0.7 allows remote attackers to execute arbitrary SQL queries via the sSQL parameter. 20000106 Phorum 3.0.7 exploits and IDS signatures violation.php3 in Phorum 3.0.7 allows remote attackers to send e-mails to arbitrary addresses and possibly use Phorum as a "spam proxy" by setting the Mod and ForumName parameters. 2272 20000106 Phorum 3.0.7 exploits and IDS signatures The default configurations of (1) the port listener and (2) modplsql in Oracle Internet Application Server (IAS) 3.0.7 and earlier allow remote attackers to view privileged database information via HTTP requests for Database Access Descriptor (DAD) files. 2150 oracle-webdb-admin-access(5818) 20001223 Potential Vulnerabilities in Oracle Internet Application Server 20001221 Re: Oracle WebDb engine brain-damagse 20001219 Oracle WebDb engine brain-damagse SQL injection vulnerability in mod_sql in Oracle Internet Application Server (IAS) 3.0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the query string of the URL. 2150 oracle-execute-plsql(5817) 20001223 Potential Vulnerabilities in Oracle Internet Application Server 20001221 Re: Oracle WebDb engine brain-damagse 20001219 Oracle WebDb engine brain-damagse The POP3 server in FTGate returns an -ERR code after receiving an invalid USER request, which makes it easier for remote attackers to determine valid usernames and conduct brute force password guessing. ftgate-invalid-user-requests(4793) 20000626 Problems with FTGate BEA Systems WebLogic Express and WebLogic Server 5.1 SP1-SP6 allows remote attackers to bypass access controls for restricted JSP or servlet pages via a URL with multiple / (forward slash) characters before the restricted pages. This vulnerability is addressed in the following product releases: BEA Systems Weblogic Server 5.1 SP 7 BEA Systems WebLogic Express 5.1 SP 7 weblogic-bypass-auth(5588) 5089 ftp://ftpna.bea.com/pub/releases/patches/SecurityBEA00-0600.zip The HTTP interface of Tivoli Lightweight Client Framework (LCF) in IBM Tivoli Management Framework 3.7.1 sets http_disable to zero at install time, which allows remote authenticated users to bypass file permissions on Tivoli Endpoint Configuration data files via an unspecified manipulation of log files. tivoli-lcf-file-read(3927) 17085 Unspecified vulnerability in siteman.php3 in AnyPortal(php) before 22 APR 00 allows remote attackers to obtain sensitive information via unknown attack vectors, which reveal the absolute path. NOTE: the provenance of this information is unknown; the details are obtained from third party information. anyportalphp-siteman-information-disclosure(25441) 23983 Unspecified vulnerability in Haakon Nilsen simple, integrated publishing system (SIPS) before 0.2.4 has an unknown impact and attack vectors, related to a "grave security fault." http://sourceforge.net/forum/forum.php?forum_id=25971 The HTTP service in American Power Conversion (APC) PowerChute uses a default username and password, which allows remote attackers to gain system access. 30768 http://governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php Privacy leak in Dansie Shopping Cart 3.04, and probably earlier versions, sends sensitive information such as user credentials to an e-mail address controlled by the product developers. 20070603 Dansie Cart Script Exploit Reported 20000413 Re: Back Door in Commercial Shopping Cart [RESOLVED] 20000413 Re: Back Door in Commercial Shopping Cart 20000413 Re: Back Door in Commercial Shopping Cart [Stormer Hosting] 20000411 Back Door in Commercial Shopping Cart Computer Associates InoculateIT Agent for Exchange Server does not recognize an e-mail virus attachment if the SMTP header is missing the "From" field, which allows remote attackers to bypass virus protection. 20001110 CA's InoculateIT Agent for Exchange Server Multiple unspecified vulnerabilities in NWFTPD.nlm before 5.01o in the FTP server in Novell NetWare 5.1 SP3 allow remote attackers to bypass intended restrictions on anonymous access via unknown vectors. http://www.novell.com/support/viewContent.do?externalId=3238588&sliceId=1 NWFTPD.nlm before 5.01o in the FTP server in Novell NetWare 5.1 SP3 allows remote authenticated users to cause a denial of service (abend) by sending an RNTO command after a failed RNFR command. http://www.novell.com/support/viewContent.do?externalId=3238588&sliceId=1 The default configuration of the jserv-status handler in jserv.conf in Apache JServ 1.1.2 includes an "allow from 127.0.0.1" line, which allows local users to discover JDBC passwords or other sensitive information via a direct request to the jserv/ URI. http://archive.apache.org/dist/java/java.apache.org-www.tar.gz apache-jserv-env-information-disclosure(51946) [java-apache-users] 20000929 jserv wrapper error cookiedecode function in PHP-Nuke 4.4 allows users to bypass authentication and gain access to other user accounts by extracting the authentication information from a cookie. 20010213 RFP2101: RFPlutonium to fuel your PHP-Nuke php-nuke-elevate-privileges(6183) Internet Explorer 5.5 and earlier allows remote attackers to obtain the physical location of cached content and open the content in the Local Computer Zone, then use compiled HTML help (.chm) files to execute arbitrary programs. ie-chm-execute-files(5567) 2456 7823 MS01-015 http://www.guninski.com/chmtempmain.html oval:org.mitre.oval:def:920 Web Extender Client (WEC) in Microsoft Office 2000, Windows 2000, and Windows Me does not properly process Internet Explorer security settings for NTLM authentication, which allows attackers to obtain NTLM credentials and possibly obtain the password, aka the "Web Client NTLM Authentication" vulnerability. 2199 MS01-001 wec-ntlm-authentication IIS 5.0 and 4.0 allows remote attackers to read the source code for executable web server programs by appending "%3F+.htr" to the requested URL, which causes the files to be parsed by the .HTR ISAPI extension, aka a variant of the "File Fragment Reading via .HTR" vulnerability. MS01-004 20010108 IIS 5.0 allows viewing files using %3F+.htr iis-read-files(5903) 2313 Buffer overflow in the parsing mechanism of the file loader in Microsoft PowerPoint 2000 allows attackers to execute arbitrary commands. MS01-002 A012301-1 powerpoint-execute-code(5996) The Winsock2ProtocolCatalogMutex mutex in Windows NT 4.0 has inappropriate Everyone/Full Control permissions, which allows local users to modify the permissions to "No Access" and disable Winsock network connectivity to cause a denial of service, aka the "Winsock Mutex" vulnerability. MS01-003 20010126 ntsecurity.nu advisory: Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below winnt-mutex-dos(6006) Buffer overflow in NetScreen Firewall WebUI allows remote attackers to cause a denial of service via a long URL request to the web administration interface. 2176 20010109 NSFOCUS SA2001-01: NetScreen Firewall WebUI Buffer Overflow vulnerability netscreen-webui-bo(5908) 1707 Backdoor account in Interbase database server allows remote attackers to overwrite arbitrary files using stored procedures. CA-2001-01 2192 interbase-backdoor-account(5911) Directory traversal vulnerability in Lotus Domino 5.0.5 web server allows remote attackers to read arbitrary files via a .. attack. 2173 20010109 bugtraq id 2173 Lotus Domino Server 20010105 Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root lotus-domino-directory-traversal(5899) 1703 Buffer overflow in transaction signature (TSIG) handling code in BIND 8 allows remote attackers to gain root privileges. CA-2001-02 2302 RHSA-2001:007 20010129 Vulnerabilities in BIND 4 and 8 DSA-026 Buffer overflow in nslookupComplain function in BIND 4 allows remote attackers to gain root privileges. CA-2001-02 2307 RHSA-2001:007 20010129 Vulnerabilities in BIND 4 and 8 BIND 4 and BIND 8 allow remote attackers to access sensitive information such as environment variables. CA-2001-02 2321 RHSA-2001:007 20010129 Vulnerabilities in BIND 4 and 8 DSA-026 Format string vulnerability in nslookupComplain function in BIND 4 allows remote attackers to gain root privileges. CA-2001-02 2309 RHSA-2001:007 20010129 Vulnerabilities in BIND 4 and 8 Remote Data Protocol (RDP) in Windows 2000 Terminal Service does not properly handle certain malformed packets, which allows remote attackers to cause a denial of service, aka the "Invalid RDP Data" vulnerability. 2326 MS01-006 Network Dynamic Data Exchange (DDE) in Windows 2000 allows local users to gain SYSTEM privileges via a "WM_COPYDATA" message to an invisible window that is running with the privileges of the WINLOGON process. MS01-007 A020501-1 win-dde-elevate-privileges(6062) 2341 NTLM Security Support Provider (NTLMSSP) service does not properly check the function number in an LPC request, which could allow local users to gain administrator level access. MS01-008 20010207 Local promotion vulnerability in NT4's NTLM Security Support Provider ntlm-ssp-elevate-privileges(6076) 2348 Memory leak in PPTP server in Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed data packet, aka the "Malformed PPTP Packet Stream" vulnerability. MS01-009 winnt-pptp-dos(6103) 2368 Windows 2000 domain controller in Windows 2000 Server, Advanced Server, or Datacenter Server allows remote attackers to cause a denial of service via a flood of malformed service requests. MS01-011 win2k-domain-controller-dos(6136) L-049 20001202 UDP Ping-pong in Win2k Arrowpoint (aka Cisco Content Services, or CSS) allows local users to cause a denial of service via a long argument to the "show script," "clear script," "show archive," "clear archive," "show log," or "clear log" commands. 20010131 Cisco Content Services Switch Vulnerability A013101-1 Directory traversal vulnerability in Arrowpoint (aka Cisco Content Services, or CSS) allows local unprivileged users to read arbitrary files via a .. (dot dot) attack. 20010131 Cisco Content Services Switch Vulnerability A013101-1 cisco-ccs-file-access(6031) 2331 1757 MailMan Webmail 3.0.25 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the alternate_template parameter. 2063 20001206 (SRADV00005) Remote command execution vulnerabilities in MailMan Webmail mailman-alternate-templates http://www.endymion.com/products/mailman/history.htm simplestguest.cgi CGI program by Leif Wright allows remote attackers to execute arbitrary commands via shell metacharacters in the guestbook parameter. http-cgi-simplestguest 2106 20001213 Re: Insecure input validation in simplestmail.cgi everythingform.cgi CGI program by Leif Wright allows remote attackers to execute arbitrary commands via shell metacharacters in the config parameter. http-cgi-everythingform 2101 20001211 Insecure input validation in everythingform.cgi (remote command execution) simplestmail.cgi CGI program by Leif Wright allows remote attackers to execute arbitrary commands via shell metacharacters in the MyEmail parameter. http-cgi-simplestmail 2102 20001211 Insecure input validation in simplestmail.cgi (remote command execution) ad.cgi CGI program by Leif Wright allows remote attackers to execute arbitrary commands via shell metacharacters in the file parameter. http-cgi-ad 2103 20001211 Insecure input validation in ad.cgi rp-pppoe PPPoE client allows remote attackers to cause a denial of service via the Clamp MSS option and a TCP packet with a zero-length TCP option. 2098 RHSA-2000:130 20001211 DoS vulnerability in rp-pppoe versions <= 2.4 rppppoe-zero-length-dos MDKSA-2000:084 CLA-2000:357 mod_sqlpw module in ProFTPD does not reset a cached password when a user uses the "user" command to change accounts, which allows authenticated attackers to gain privileges of other users. proftpd-modsqlpw-unauth-access 20001211 mod_sqlpw Password Caching Bug Buffer overflow in the HTML parsing code in oops WWW proxy server 1.5.2 and earlier allows remote attackers to execute arbitrary commands via a large number of " (quotation) characters. 2099 FreeBSD-SA-00:79 20001211 [pkc] remote heap buffer overflow in oops oops-ftputils-bo Buffer overflow in oops WWW proxy server 1.4.6 (and possibly other versions) allows remote attackers to execute arbitrary commands via a long host or domain name that is obtained from a reverse DNS lookup. 2099 http://zipper.paco.net/~igor/oops/ChangeLog oops-dns-bo(6122) 20001212 Stack too ;) Re: [pkc] remote heap buffer overflow in oops FoolProof 3.9 allows local users to bypass program execution restrictions by downloading the restricted executables from another source and renaming them. foolproof-security-bypass 2089 BroadVision One-To-One Enterprise allows remote attackers to determine the physical path of server files by requesting a .JSP file name that does not exist. broadvision-bv1to1-reveal-path 20001207 BroadVision One-To-One Enterprise Path Disclosure Vulnerability Format string vulnerability in ssldump possibly allows remote attackers to cause a denial of service and possibly gain root privileges via malicious format string specifiers in a URL. ssldump-format-strings 2096 20001208 format string in ssl dump KTH Kerberos IV allows local users to change the configuration of a Kerberos server running at an elevated privilege by specifying an alternate directory using with the KRBCONFDIR environmental variable, which allows the user to gain additional privileges. 20001210 KTH upgrade and FIX 20001208 Vulnerabilities in KTH Kerberos IV kerberos4-user-config KTH Kerberos IV allows local users to specify an alternate proxy using the krb4_proxy variable, which allows the user to generate false proxy responses and possibly gain privileges. 20001210 KTH upgrade and FIX 20001208 Vulnerabilities in KTH Kerberos IV kerberos4-arbitrary-proxy Buffer overflow in the kdc_reply_cipher function in KTH Kerberos IV allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long authentication request. 20001210 KTH upgrade and FIX 20001208 Vulnerabilities in KTH Kerberos IV kerberos4-auth-packet-overflow 20010130 Buffer overflow in old ssh-1.2.2x-afs-kerberosv4 patches KTH Kerberos IV allows local users to overwrite arbitrary files via a symlink attack on a ticket file. 20001210 KTH upgrade and FIX 20001208 Vulnerabilities in KTH Kerberos IV kerberos4-tmpfile-dos RHSA-2001:025 Directory traversal vulnerability in HomeSeer before 1.4.29 allows remote attackers to read arbitrary files via a URL containing .. (dot dot) specifiers. 2085 homeseer-directory-traversal http://www.keware.com/hsbetachanges.htm 20001207 HomeSeer Directory Traversal Vulnerability Offline Explorer 1.4 before Service Release 2 allows remote attackers to read arbitrary files by specifying the drive letter (e.g. C:) in the requested URL. 2084 offline-explorer-reveal-files 20001207 MetaProducts Offline Explorer IPSwitch IMail 6.0.5 allows remote attackers to cause a denial of service using the SMTP AUTH command by sending a base64-encoded user password whose length is between 80 and 136 bytes. 2083 imail-smtp-auth-dos http://www.ipswitch.com/Support/IMail/news.html 20001206 DoS by SMTP AUTH command in IPSwitch IMail server APC UPS daemon, apcupsd, saves its process ID in a world-writable file, which allows local users to kill an arbitrary process by specifying the target process ID in the apcupsd.pid file. 2070 apc-apcupsd-dos 20001206 apcupsd 3.7.2 Denial of Service MDKSA-2000:077 Memory leak in Cisco Catalyst 4000, 5000, and 6000 series switches allows remote attackers to cause a denial of service via a series of failed telnet authentication attempts. 2072 20001206 Cisco Catalyst Memory Leak Vulnerability cisco-catalyst-telnet-dos 801 PHP 3.x (PHP3) on Apache 1.3.6 allows remote attackers to read arbitrary files via a modified .. (dot dot) attack containing "%5c" (encoded backslash) sequences. apache-php-disclose-files 2060 20001206 CHINANSL Security Advisory(CSA-200011) phpGroupWare before 0.9.7 allows remote attackers to execute arbitrary PHP commands by specifying a malicious include file in the phpgw_info parameter of the phpgw.inc.php program. 2069 http://sourceforge.net/project/shownotes.php?release_id=17604 20001206 (SRADV00006) Remote command execution vulnerabilities in phpGroupWare phpgroupware-include-files 1682 Multiple buffer overflows in Lexmark MarkVision printer driver programs allows local users to gain privileges via long arguments to the cat_network, cat_paraller, and cat_serial commands. 2075 20001206 (SRADV00007) Local root compromise through Lexmark MarkVision printer drivers markvision-printer-driver-bo The default permissions for the RAS Administration key in Windows NT 4.0 allows local users to execute arbitrary commands by changing the value to point to a malicious DLL, aka one of the "Registry Permissions" vulnerabilities. 2064 MS00-095 nt-ras-reg-perms oval:org.mitre.oval:def:500 The default permissions for the SNMP Parameters registry key in Windows NT 4.0 allows remote attackers to read and possibly modify the SNMP community strings to obtain sensitive information or modify network configuration, aka one of the "Registry Permissions" vulnerabilities. 2066 MS00-095 nt-snmp-reg-perms oval:org.mitre.oval:def:139 The default permissions for the MTS Package Administration registry key in Windows NT 4.0 allows local users to install or modify arbitrary Microsoft Transaction Server (MTS) packages and gain privileges, aka one of the "Registry Permissions" vulnerabilities. MS00-095 nt-mts-reg-perms 2065 oval:org.mitre.oval:def:140 The "Configure Your Server" tool in Microsoft 2000 domain controllers installs a blank password for the Directory Service Restore Mode, which allows attackers with physical access to the controller to install malicious programs, aka the "Directory Service Restore Mode Password" vulnerability. 2133 MS00-099 WatchGuard SOHO FireWall 2.2.1 and earlier allows remote attackers to cause a denial of service via a large number of GET requests. watchguard-soho-get-dos 2082 20001207 WatchGuard SOHO v2.2.1 DoS Buffer overflow in BitchX IRC client allows remote attackers to cause a denial of service and possibly execute arbitrary commands via an IP address that resolves to a long DNS hostname or domain name. 2087 irc-bitchx-dns-bo 20001207 bitchx/ircd DNS overflow demonstration 20001207 BitchX DNS Overflow Patch RHSA-2000:126 MDKSA-2000:079 CLA-2000:364 FreeBSD-SA-00:78 IBM DB2 Universal Database version 6.1 creates an account with a default user name and password, which allows remote attackers to gain access to the databasse. ibm-db2-gain-access 2068 20001205 IBM DB2 default account and password Vulnerability IBM DB2 Universal Database version 6.1 allows users to cause a denial of service via a malformed query. ibm-db2-dos 2067 20001205 IBM DB2 SQL DOS One-byte buffer overflow in replydirname function in BSD-based ftpd allows remote attackers to gain root privileges. bsd-ftpd-replydirname-bo 2124 20001218 20001218 Trustix Security Advisory - ed, tcsh, and ftpd-BSD NetBSD-SA2000-018 Directory traversal vulnerability in FTP Serv-U before 2.5i allows remote attackers to escape the FTP root and read arbitrary files by appending a string such as "/..%20." to a CD command, a variant of a .. (dot dot) attack. 2052 20001205 Serv-U FTP directory traversal vunerability (all versions) 20001205 (no subject) ftp-servu-homedir-travers 464 CBOS 2.4.1 and earlier in Cisco 600 routers allows remote attackers to cause a denial of service via a slow stream of TCP SYN packets. cisco-cbos-syn-packets 20001204 Multiple Vulnerabilities in CBOS The Cisco Web Management interface in routers running CBOS 2.4.1 and earlier does not log invalid logins, which allows remote attackers to guess passwords without detection. cisco-cbos-invalid-login 20001204 Multiple Vulnerabilities in CBOS Cisco 600 routers running CBOS 2.4.1 and earlier allow remote attackers to cause a denial of service via a large ICMP echo (ping) packet. cisco-cbos-icmp-echo 20001204 Multiple Vulnerabilities in CBOS The Web interface to Cisco 600 routers running CBOS 2.4.1 and earlier allow remote attackers to cause a denial of service via a URL that does not end in a space character. cisco-cbos-web-access 20001204 Multiple Vulnerabilities in CBOS 460 patchadd in Solaris allows local users to overwrite arbitrary files via a symlink attack. solaris-patchadd-symlink 2127 20001218 Solaris patchadd(1) (3) symlink vulnerabilty Format string vulnerability in stunnel 3.8 and earlier allows attackers to execute arbitrary commands via a malformed ident username. 2128 20001218 Stunnel format bug 20001209 Trustix Security Advisory - stunnel stunnel-format-logfile RHSA-2000:129 DSA-009 CLA-2000:363 procfs in FreeBSD and possibly other operating systems does not properly restrict access to per-process mem and ctl files, which allows local users to gain root privileges by forking a child process and executing a privileged process from the child, while the parent retains access to the child's address space. 2130 FreeBSD-SA-00:77 procfs-elevate-privileges(6106) 1697 procfs in FreeBSD and possibly other operating systems allows local users to cause a denial of service by calling mmap on the process' own mem file, which causes the kernel to hang. 2131 FreeBSD-SA-00:77 procfs-mmap-dos(6107) 6082 1698 procfs in FreeBSD and possibly other operating systems allows local users to bypass access control restrictions for a jail environment and gain additional privileges. 2132 FreeBSD-SA-00:77 procfs-access-control-bo(6108) 1691 Webconfig, IMAP, and other services in MDaemon 3.5.0 and earlier allows remote attackers to cause a denial of service via a long URL terminated by a "\r\n" string. 2134 20001219 def-2000-03: MDaemon 3.5.0 DoS Buffer overflow in bftpd 1.0.13 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long SITE CHOWN command. bftpd-site-chown-bo 20001213 Potential Buffer Overflow vulnerability in bftpd-1.0.13 Secure Locate (slocate) allows local users to corrupt memory via a malformed database file that specifies an offset value that accesses memory outside of the intended buffer. 2004 20001126 [MSY] S(ecure)Locate heap corruption vulnerability slocate-heap-execute-code(5594) TLSA2001002-1 RHSA-2000:128 MDKSA-2000:085 DSA-005-1 CLA-2001:369 The installation of J-Pilot creates the .jpilot directory with the user's umask, which could allow local attackers to read other users' PalmOS backup information if their umasks are not securely set. MDKSA-2000:081 jpilot-perms 20001214 J-Pilot Permissions Vulnerability Mac OS Runtime for Java (MRJ) 2.2.3 allows remote attackers to use malicious applets to read files outside of the CODEBASE context via the ARCHIVE applet parameter. mrj-runtime-malicious-applets 20001215 Security Hole of MRJ 2.2.3 (Mac OS Runtime for Java) - Inconsistent Use of CODEBASE and ARCHIVE Attributes - dialog before 0.9a-20000118-3bis in Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack. 2151 DSA-008-1 dialog-symlink Buffer overflow in 1st Up Mail Server 4.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long MAIL FROM command. 20001226 1st Up Mail Server v4.1 Buffer Overflow Vulnerability 1stup-mail-server-bo 2152 gpg (aka GnuPG) 1.0.4 and other versions does not properly verify detached signatures, which allows attackers to modify the contents of a file without detection. 2141 20001220 Trustix Security Advisory - gnupg, ftpd-BSD RHSA-2000:131 gnupg-detached-sig-modify 1699 MDKSA-2000-087 DSA-010-1 CLA-2000:368 gpg (aka GnuPG) 1.0.4 and other versions imports both public and private keys from public key servers without notifying the user about the private keys, which could allow an attacker to break the web of trust. 2153 gnupg-reveal-private 20001220 Trustix Security Advisory - gnupg, ftpd-BSD RHSA-2000:131 1702 MDKSA-2000-087 DSA-010-1 CLA-2000:368 Buffer overflow in the find_default_type function in libsecure in NSA Security-enhanced Linux, which may allow attackers to modify critical data in memory. 2154 20001226 buffer overflow in libsecure (NSA Security-enhanced Linux) Directory traversal vulnerability in print.cgi in Technote allows remote attackers to read arbitrary files via a .. (dot dot) attack in the board parameter. 2155 20001223 Technote Directory traversal vulnerability in main.cgi in Technote allows remote attackers to read arbitrary files via a .. (dot dot) attack in the filename parameter. 2156 20001227 [Ksecurity Advisory] main.cgi in technote register.cgi in Ikonboard 2.1.7b and earlier allows remote attackers to execute arbitrary commands via the SEND_MAIL parameter, which overwrites an internal program variable that references a program to be executed. 2157 20001228 Remote vulnerability in Ikonboard upto version 2.1.7b http-cgi-ikonboard The clustmon service in Sun Cluster 2.x does not require authentication, which allows remote attackers to obtain sensitive information such as system logs and cluster configurations. 20001212 Two Holes in Sun Cluster 2.x clustmon-no-authentication(6123) in.mond in Sun Cluster 2.x allows local users to read arbitrary files via a symlink attack on the status file of a host running HA-NFS. 20001212 Two Holes in Sun Cluster 2.x ha-nfs-symlink(6125) 6437 Support Tools Manager (STM) A.22.00 for HP-UX allows local users to overwrite arbitrary files via a symlink attack on the tool_stat.txt log file. 20001213 STM symlink Vulnerability Cisco Catalyst 6000, 5000, or 4000 switches allow remote attackers to cause a denial of service by connecting to the SSH service with a non-SSH client, which generates a protocol mismatch error. 20001213 Cisco Catalyst SSH Protocol Mismatch Vulnerability cisco-catalyst-ssh-mismatch 2117 swinit in nCipher does not properly disable the Operator Card Set recovery feature even when explicitly disabled by the user, which could allow attackers to gain access to application keys. 20001212 nCipher Security Advisory: Operator Cards unexpectedly recoverable http://active.ncipher.com/updates/advisory.txt ncipher-recover-operator-cards(5999) 4849 Check Point VPN-1/FireWall-1 4.1 SP2 with Fastmode enabled allows remote attackers to bypass access restrictions via malformed, fragmented packets. 20001218 FireWall-1 Fastmode Vulnerability Windows Media Unicast Service in Windows Media Services 4.0 and 4.1 does not properly shut down some types of connections, producing a memory leak that allows remote attackers to cause a denial of service via a series of severed connections, aka the "Severed Windows Media Server Connection" vulnerability. MS00-097 mediaservices-dropped-connection-dos Q281256 GTK+ library allows local users to specify arbitrary modules via the GTK_MODULES environmental variable, which could allow local users to gain privileges if GTK+ is used by a setuid/setgid program. 2165 http://www.gtk.org/setuid.html 20010103 Claimed vulnerability in GTK_MODULES 20010102 gtk+ security hole. Buffer overflow in Kermit communications software in HP-UX 11.0 and earlier allows local users to cause a denial of service and possibly execute arbitrary commands. 2170 hpux-kermit-bo HPSBUX0012-135 CGI Script Center Subscribe Me LITE 2.0 and earlier allows remote attackers to delete arbitrary mailing list users without authentication by directly calling subscribe.pl with the target address as a parameter. subscribemelite-gain-admin-access 2108 20001212 Security Advisory: Subscribe Me Lite 1.0 - 2.0 Unix or 1.0 - 2.0 NT and below. itetris/xitetris 1.6.2 and earlier trusts the PATH environmental variable to find and execute the gunzip program, which allows local users to gain root privileges by changing their PATH so that it points to a malicious gunzip program. 2139 20001219 itetris[v1.6.2] local root exploit (system()+../ protection) itetris-svgalib-path common.inc.php in phpWebLog 0.4.2 does not properly initialize the $CONF array, which inadvertently sets the password to a single character, allowing remote attackers to easily guess the SiteKey and gain administrative privileges to phpWebLog. phpweblog-bypass-authentication 2047 20001202 Bypassing admin authentication in phpWebLog Internet Explorer 5.0 through 5.5 allows remote attackers to read arbitrary files from the client via the INPUT TYPE element in an HTML form, aka the "File Upload via Form" vulnerability. MS00-093 ie-form-file-upload The Print Templates feature in Internet Explorer 5.5 executes arbitrary custom print templates without prompting the user, which could allow an attacker to execute arbitrary ActiveX controls, aka the "Browser Print Template" vulnerability. 2046 MS00-093 ie-print-template(5614) The ActiveX control for invoking a scriptlet in Internet Explorer 5.0 through 5.5 renders arbitrary file types instead of HTML, which allows an attacker to read arbitrary files, aka a variant of the "Scriptlet Rendering" vulnerability. MS00-093 ie-scriptlet-rendering-read-files(6085) 7820 A function in Internet Explorer 5.0 through 5.5 does not properly verify the domain of a frame within a browser window, which allows a remote attacker to read client files, aka a new variant of the "Frame Domain Verification" vulnerability. MS00-093 ie-frame-verification-read-files(6086) 7817 Vulnerability in telnetd in FreeBSD 1.5 allows local users to gain root privileges by modifying critical environmental variables that affect the behavior of telnetd. NetBSD-SA2000-017 Buffer overflow in kdc_reply_cipher of libkrb (Kerberos 4 authentication library) in NetBSD 1.5 and FreeBSD 4.2 and earlier, as used in Kerberised applications such as telnetd and login, allows local users to gain root privileges. NetBSD-SA2000-017 kerberos4-auth-packet-overflow(5734) FreeBSD-SA-01:25 catman in Solaris 2.7 and 2.8 allows local users to overwrite arbitrary files via a symlink attack on the sman_PID temporary file. solaris-catman-symlink(5788) 20001218 Catman file clobbering vulnerability Solaris 2.x 6024 FrontPage Server Extensions (FPSE) in IIS 4.0 and 5.0 allows remote attackers to cause a denial of service via a malformed form, aka the "Malformed Web Form Submission" vulnerability. MS00-100 iis-web-form-submit The Web interface for Infinite Interchange 3.6.1 allows remote attackers to cause a denial of service (application crash) via a large POST request. infinite-interchange-dos 2140 20001221 Infinite InterChange DoS Buffer overflow in Bea WebLogic Server before 5.1.0 allows remote attackers to execute arbitrary commands via a long URL that begins with a ".." string. weblogic-dot-bo 2138 20001219 def-2000-04: Bea WebLogic Server dotdot-overflow bsguest.cgi guestbook script allows remote attackers to execute arbitrary commands via shell metacharacters in the email address. bsguest-cgi-execute-commands http://www.stanback.net/ 20001221 BS Scripts Vulnerabilities bslist.cgi mailing list script allows remote attackers to execute arbitrary commands via shell metacharacters in the email address. bslist-cgi-execute-commands http://www.stanback.net/ 20001221 BS Scripts Vulnerabilities Vulnerability in fetchmail 5.5.0-2 and earlier in the AUTHENTICATE GSSAPI command. fetchmail-authenticate-gssapi(7455) TLSA2000024-1 RHBA-2000:106-04 "Multiple Users" Control Panel in Mac OS 9 allows Normal users to gain Owner privileges by removing the Users & Groups Data File, which effectively removes the Owner password and allows the Normal user to log in as the Owner account without a password. macos-multiple-users 20001229 Mac OS 9 Multiple Users Control Panel Password Vulnerability CoffeeCup Direct and Free FTP clients uses weak encryption to store passwords in the FTPServers.ini file, which could allow attackers to easily decrypt the passwords. coffeecup-ftp-weak-encryption 2107 MDaemon Pro 3.5.1 and earlier allows local users to bypass the "lock server" security setting by pressing the Cancel button at the password prompt, then pressing the enter key. mdaemon-lock-bypass-password 2115 20001214 Bypass MDaemon 3.5.1 "Lock Server" Protection Vulnerability in top in HP-UX 11.04 and earlier allows local users to overwrite files owned by the "sys" group. HPSBUX0012-134 hp-top-sys-files Vulnerability in inetd server in HP-UX 11.04 and earlier allows attackers to cause a denial of service when the "swait" state is used by a server. HPSBUX0101-136 hp-inetd-swait-dos(5904) Veritas Backup agent on Linux allows remote attackers to cause a denial of service by establishing a connection without sending any data, which causes the process to hang. 2204 20010115 Veritas BackupExec (remote DoS) PHP Apache module 4.0.4 and earlier allows remote attackers to bypass .htaccess access restrictions via a malformed HTTP request on an unrestricted page that causes PHP to use those access controls on the next page that is requested. 2206 php-htaccess-unauth-access(5940) RHSA-2000:136 MDKSA-2001:013 DSA-020 20010112 PHP Security Advisory - Apache Module bugs CLA-2001:373 rctab in SuSE 7.0 and earlier allows local users to create or overwrite arbitrary files via a symlink attack on the rctmp temporary file. 2207 20010113 Serious security flaw in SuSE rctab rctab-elevate-privileges(5945) 20010117 Re: Serious security flaw in SuSE rctab Buffer overflow in jaZip Zip/Jaz drive manager allows local users to gain root privileges via a long DISPLAY environmental variable. DSA-017 2209 20010114 Vulnerability in jaZip. jazip-display-bo(5942) Format string vulnerability in splitvt before 1.6.5 allows local users to execute arbitrary commands via the -rcfile command line argument. 2210 DSA-014-1 20010114 [MSY] Multiple vulnerabilities in splitvt splitvt-perserc-format-string(5948) Multiple buffer overflows in splitvt before 1.6.5 allow local users to execute arbitrary commands. 2210 DSA-014 20010114 [MSY] Multiple vulnerabilities in splitvt statsconfig.pl in OmniHTTPd 2.07 allows remote attackers to execute arbitrary commands via the mostbrowsers parameter, whose value is used as part of a generated Perl script. 2211 20010116 Vulnerabilities in OmniHTTPd default installation statsconfig.pl in OmniHTTPd 2.07 allows remote attackers to overwrite arbitrary files via the cgidir parameter. 2211 20010116 Vulnerabilities in OmniHTTPd default installation Buffer overflow in arp command in Solaris 7 and earlier allows local users to execute arbitrary commands via a long -f parameter. 2193 00200 20010112 arp exploit 20010111 Solaris Arp Vulnerability solaris-arp-bo(5928) gpm 1.19.3 allows local users to overwrite arbitrary files via a symlink attack. 2188 MDKSA-2001:006 20010110 Immunix OS Security update for lots of temp file problems linux-gpm-symlink(5917) sdiff 2.7 in the diffutils package allows local users to overwrite files via a symlink attack. VU#579928 2191 MDKSA-2001:008-1 20010110 Immunix OS Security update for lots of temp file problems linux-diffutils-sdiff-symlink(5914) RHSA-2001:116 IMNX-2000-70-028-01 rdist 6.1.5 allows local users to overwrite arbitrary files via a symlink attack. 2195 MDKSA-2001-005 20010110 Immunix OS Security update for lots of temp file problems rdist-symlink(5925) getty_ps 2.0.7j allows local users to overwrite arbitrary files via a symlink attack. 2194 MDKSA-2001:004 20010110 Immunix OS Security update for lots of temp file problems gettyps-symlink(5924) useradd program in shadow-utils program may allow local users to overwrite arbitrary files via a symlink attack. 2196 MDKSA-2001:007 20010110 Immunix OS Security update for lots of temp file problems shadow-utils-useradd-symlink(5927) ImageCast Control Center 4.1.0 allows remote attackers to cause a denial of service (resource exhaustion or system crash) via a long string to port 12002. 2174 20010108 def-2001-01: ImageCast IC3 Control Center DoS storagesoft-imagecast-dos(5901) Kernel leak in AfpaCache module of the Fast Response Cache Accelerator (FRCA) component of IBM HTTP Server 1.3.x and Websphere 3.52 allows remote attackers to cause a denial of service via a series of malformed HTTP requests that generate a "bad request" error. 2175 20010108 def-2001-02: IBM Websphere 3.52 Kernel Leak DoS http://www-4.ibm.com/software/webservers/security.html ibm-websphere-dos(5900) 20010307 def-2001-02: IBM HTTP Server Kernel Leak DoS (re-release) Directory traversal vulnerability in eXtropia bbs_forum.cgi 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack on the file parameter. 2177 20010107 Cgisecurity.com Advisory #3.1 http://www.extropia.com/hacks/bbs_security.html http-cgi-bbs-forum(5906) 3546 Buffer overflow in exrecover in Solaris 2.6 and earlier possibly allows local users to gain privileges via a long command line argument. 2179 20010109 Solaris /usr/lib/exrecover buffer overflow solaris-exrecover-bo(5913) exmh 2.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the exmhErrorMsg temporary file. exmh-error-symlink MDKSA-2001:015 http://www.beedub.com/exmh/symlink.html 20010112 exmh security vulnerability 20001231 Advisory: exmh symlink vulnerability DSA-022 FreeBSD-SA-01:17 Oracle XSQL servlet 1.0.3.0 and earlier allows remote attackers to execute arbitrary Java code by redirecting the XSQL server to another source via the xml-stylesheet parameter in the xslt stylesheet. 20010109 Oracle XSQL servlet and xml-stylesheet allow executing java on the web server oracle-xsql-execute-code(5905) 20010123 Patch for Potential Vulnerability in Oracle XSQL Servlet Buffer overflow in Olivier Debon Flash plugin (not the Macromedia plugin) allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long DefineSound tag. VU#451096 2214 20010115 Flash plugin write-overflow Zope before 2.2.4 does not properly compute local roles, which could allow users to bypass specified access restrictions and gain privileges. MDKSA-2000-083 DSA-006-1 FreeBSD-SA-01:06 zope-calculate-roles RHSA-2000:127 6284 CLA-2000:365 Buffer overflow in Tinyproxy HTTP proxy 1.3.3 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long connect request. 2217 DSA-018 20010117 [pkc] remote heap overflow in tinyproxy tinyproxy-remote-bo(5954) Buffer overflow in HTML parser of the Lotus R5 Domino Server before 5.06, and Domino Client before 5.05, allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a malformed font size specifier. http://service1.symantec.com/sarc/sarc.nsf/info/html/Lotus.Domino.Denial.of.Service.Malformed.HTML.Email.html lotus-html-bo(6207) htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local users to overwrite arbitrary files via a symlink attack. 2182 DSA-021 linux-apache-symlink(5926) 20010110 Immunix OS Security update for lots of temp file problems Interscan VirusWall 3.6.x and earlier follows symbolic links when uninstalling the product, which allows local users to overwrite arbitrary files via a symlink attack. 2213 20010114 Trend Micro's VirusWall: Multiple vunerabilities The web administration interface for Interscan VirusWall 3.6.x and earlier does not use encryption, which could allow remote attackers to obtain the administrator password to sniff the administrator password via the setpasswd.cgi program or other HTTP GET requests that contain base64 encoded usernames and passwords. 2212 20010114 Trend Micro's VirusWall: Multiple vunerabilities Buffer overflow in cpqlogin.htm in web-enabled agents for various Compaq management software products such as Insight Manager and Management Agents allows remote attackers to execute arbitrary commands via a long user name. SSRT0705 2200 20010116 iXsecurity.20001120.compaq-authbo.a The default installation of Ultraboard 2000 2.11 creates the Skins, Database, and Backups directories with world-writeable permissions, which could allow local users to modify sensitive information or possibly insert and execute CGI programs. 2197 20010112 UltraBoard cgi directory permission problem Memory leak in ProFTPd 1.2.0rc2 allows remote attackers to cause a denial of service via a series of USER commands, and possibly SIZE commands if the server has been improperly installed. proftpd-size-memory-leak 20001220 ProFTPD 1.2.0 Memory leakage - denial of service 20010110 Re: Memory leakage in ProFTPd leads to remote DoS (SIZE FTP); (Exploit Code) 20010109 Memory leakage in ProFTPd leads to remote DoS (SIZE FTP); (Exploit Code) MDKSA-2001:021 DSA-029 CLA-2001:380 20010213 Trustix Security Advisory - proftpd, kernel Windows Media Player 7 allows remote attackers to execute malicious Java applets in Internet Explorer clients by enclosing the applet in a skin file named skin.wmz, then referencing that skin in the codebase parameter to an applet tag, aka the Windows Media Player Skins File Download" vulnerability. 2203 20010115 Windows Media Player 7 and IE java vulnerability - executing arbitrary programs win-mediaplayer-arbitrary-code(5937) MS01-010 privatepw program in wu-ftpd before 2.6.1-6 allows local users to overwrite arbitrary files via a symlink attack. 2189 linux-wuftpd-privatepw-symlink(5915) MDKSA-2001-001 DSA-016 20010110 Immunix OS Security update for lots of temp file problems inn 2.2.3 allows local users to overwrite arbitrary files via a symlink attack in some configurations. 2190 MDKSA-2001:010 CSSA-2001-001.0 linux-inn-symlink(5916) 20010110 Immunix OS Security update for lots of temp file problems arpwatch 2.1a4 allows local users to overwrite arbitrary files via a symlink attack in some configurations. 2183 MDKSA-2001:002 tcpdump-arpwatch-symlink(5922) 20010110 Immunix OS Security update for lots of temp file problems mgetty 1.1.22 allows local users to overwrite arbitrary files via a symlink attack in some configurations. 2187 MDKSA-2001:009 DSA-011 CSSA-2001-002.0 linux-mgetty-symlink(5918) RHSA-2001:050 20010110 Immunix OS Security update for lots of temp file problems squid 2.3 and earlier allows local users to overwrite arbitrary files via a symlink attack in some configurations. 2184 MDKSA-2001:003 20010112 Trustix Security Advisory - diffutils squid squid-email-symlink(5921) DSA-019 20010110 Immunix OS Security update for lots of temp file problems vpop3d program in linuxconf 1.23r and earlier allows local users to overwrite arbitrary files via a symlink attack. 2186 MDKSA-2001:011 linuxconf-vpop3d-symlink(5923) 20010110 Immunix OS Security update for lots of temp file problems CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow. CA-2001-35 2347 20010208 Remote vulnerability in SSH daemon crc32 compensation attack detector 20010208 [CORE SDI ADVISORY] SSH1 CRC-32 compensation attack detector ssh-deattack-overwrite-memory(6083) 795 503 Buffer overflow in VCard handler in Outlook 2000 and 98, and Outlook Express 5.x, allows an attacker to execute arbitrary commands via a malformed vCard birthday field. MS01-012 A022301-1 IIS 5.0 and Microsoft Exchange 2000 allow remote attackers to cause a denial of service (memory allocation error) by repeatedly sending a series of specially formatted URL's. VU#796584 MS01-014 exchange-malformed-url-dos(6172) iis-malformed-url-dos(6171) 2441 2440 Buffer overflow in Windows 2000 event viewer snap-in allows attackers to execute arbitrary commands via a malformed field that is improperly handled during the detailed view of event records. MS01-013 The WMP ActiveX Control in Windows Media Player 7 allows remote attackers to execute commands in Internet Explorer via javascript URLs, a variant of the "Frame Domain Verification" vulnerability. MS01-015 20010101 Windows Media Player 7 and IE vulnerability - executing arbitrary programs media-player-execute-commands(6227) Windows Scripting Host in Internet Explorer 5.5 and earlier allows remote attackers to read arbitrary files via the GetObject Javascript function and the htmlfile ActiveX object. MS01-015 20000926 IE 5.5/Outlook Express security vulnerability - GetObject() expose user's files 20000926 IE 5.5/Outlook Express security vulnerability - GetObject() expose user's files ie-getobject-expose-files(5293) 1718 Internet Explorer 5.5 and earlier executes Telnet sessions using command line arguments that are specified by the web site, which could allow remote attackers to execute arbitrary commands if the IE client is using the Telnet client provided in Services for Unix (SFU) 2.0, which creates session transcripts. MS01-015 ie-telnet-execute-commands(6230) 2463 7816 IIS 5.0 allows remote attackers to cause a denial of service via a series of malformed WebDAV requests. MS01-016 iis-webdav-dos(6205) oval:org.mitre.oval:def:90 The password protection option for the Compressed Folders feature in Plus! for Windows 98 and Windows Me writes password information to a file, which allows local users to recover the passwords and read the compressed folders. MS01-019 Buffer overflow in VB-TSQL debugger object (vbsdicli.exe) in Visual Studio 6.0 Enterprise Edition allows remote attackers to execute arbitrary commands. MS01-018 20010327 Remote buffer overflow in DCOM VB T-SQL debugger HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly. CA-2001-06 MS01-020 20010330 Incorrect MIME Header Can Cause IE to Execute E-mail Attachment ie-mime-execute-code(6306) 2524 7806 L-066 1001197 oval:org.mitre.oval:def:141 Format string vulnerability in VShell SSH gateway 1.0.1 and earlier allows remote attackers to execute arbitrary commands via a user name that contains format string specifiers. http://www.vandyke.com/products/vshell/security102.html A021601-1 VShell SSH gateway 1.0.1 and earlier has a default port forwarding rule of 0.0.0.0/0.0.0.0, which could allow local users conduct arbitrary port forwarding to other systems. A021601-1 http://www.vandyke.com/products/vshell/security102.html vshell-port-forwarding-rule(6148) 2402 Debugging utility in the backdoor mode of Palm OS 3.5.2 and earlier allows attackers with physical access to a Palm device to bypass access restrictions and obtain passwords, even if the system lockout mechanism is enabled. A030101-1 palm-debug-bypass-password(6196) Lucent/ORiNOCO WaveLAN cards generate predictable Initialization Vector (IV) values for the Wireless Encryption Protocol (WEP) which allows remote attackers to quickly compile information that will let them decrypt messages. http://www.cs.jhu.edu/~seny/pubs/wince802.pdf Cisco 340-series Aironet access point using firmware 11.01 does not use 6 of the 24 available IV bits for WEP encryption, which makes it easier for remote attackers to mount brute force attacks. http://www.cs.jhu.edu/~seny/pubs/wince802.pdf WinCE 3.0.9348 generates predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections. http://www.cs.jhu.edu/~seny/pubs/wince802.pdf Cisco AP340 base station produces predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections. http://www.cs.jhu.edu/~seny/pubs/wince802.pdf Buffer overflow in Netscape Directory Server 4.12 and earlier allows remote attackers to cause a denial of service or execute arbitrary commands via a malformed recipient field. A030701-1 netscape-directory-server-bo(6233) Buffer overflow in ximp40 shared library in Solaris 7 and Solaris 8 allows local users to gain privileges via a long "arg0" (process name) argument. solaris-ximp40-bo 2322 20010131 [SPSadvisory#40]Solaris7/8 ximp40 shared library buffer overflow Macromedia Shockwave Flash plugin version 8 and earlier allows remote attackers to cause a denial of service via malformed tag length specifiers in a SWF file. shockwave-flash-swf-bo 20001229 Shockwave Flash buffer overflow Buffer overflow in AT&T WinVNC (Virtual Network Computing) client 3.3.3r7 and earlier allows remote attackers to execute arbitrary commands via a long rfbConnFailed packet with a long reason string. winvnc-client-bo 2305 20010129 [CORE SDI ADVISORY] WinVNC client buffer overflow Buffer overflow in AT&T WinVNC (Virtual Network Computing) server 3.3.3r7 and earlier allows remote attackers to execute arbitrary commands via a long HTTP GET request when the DebugLevel registry key is greater than 0. VU#598581 2306 20010129 [CORE SDI ADVISORY] WinVNC server buffer overflow winvnc-server-bo(6026) When using the LD_PRELOAD environmental variable in SUID or SGID applications, glibc does not verify that preloaded libraries in /etc/ld.so.cache are also SUID/SGID, which could allow a local user to overwrite arbitrary files by loading a library from /lib or /usr/lib. 2223 20010121 Trustix Security Advisory - glibc RHSA-2001:002 MDKSA-2001:012 linux-glibc-preload-overwrite SuSE-SA:2001:01 DSA-039 CSSA-2001-007 TLSA2000021-2 glibc 2.1.9x and earlier does not properly clear the RESOLV_HOST_CONF, HOSTALIASES, or RES_OPTIONS environmental variables when executing setuid/setgid programs, which could allow local users to read arbitrary files. 2181 RHSA-2001:001 20010110 [slackware-security] glibc 2.2 local vulnerability on setuid binaries linux-glibc-read-files 20010110 Glibc Local Root Exploit Buffer overflow in SlimServe HTTPd 1.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long GET request. slimserve-httpd-dos 2318 20010130 DOS Vulnerability in SlimServe HTTPd Buffer overflow in ReiserFS 3.5.28 in SuSE Linux allows local users to cause a denial of service and possibly execute arbitrary commands by via a long directory name. suse-reiserfs-long-filenames 2180 20010109 major security bug in reiserfs (may affect SuSE Linux) Buffer overflow in qDecoder library 5.08 and earlier, as used in CrazyWWWBoard, CrazySearch, and other CGI programs, allows remote attackers to execute arbitrary commands via a long MIME Content-Type header. 2329 crazywwwboard-qdecoder-bo 20010130 Nobreak Tecnologies CrazyWWWBoard Remote Buffer Overflow Buffer overflow in Trend Micro Virus Buster 2001 8.00 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a large "To" address. virusbuster-mua-bo(6034) 20010130 Security hole in Virus Buster 2001 6138 The caching module in Netscape Fasttrack Server 4.1 allows remote attackers to cause a denial of service (resource exhaustion) by requesting a large number of non-existent URLs. netscape-fasttrack-cache-dos(5985) 2273 20010124 iPlanet FastTrack/Enterprise 4.1 DoS clarifications 20010122 def-2001-05: Netscape Fasttrack Server Caching DoS The setuid doroot program in Voyant Sonata 3.x executes arbitrary command line arguments, which allows local users to gain root privileges. 2125 20001218 More Sonata Conferencing software vulnerabilities. sonata-command-execute(5787) WebMaster ConferenceRoom 1.8.1 allows remote attackers to cause a denial of service via a buddy relationship between the IRC server and a server clone. 2178 conferenceroom-developer-dos 20010110 Vulnerable: Conference Room Professional-Developer Edititon. kdesu program in KDE2 (KDE before 2.2.0-6) does not properly verify the owner of a UNIX socket that is used to send a password, which allows local users to steal passwords and gain privileges. MDKSA-2001:018 CSSA-2001-005.0 kde2-kdesu-retrieve-passwords SuSE-SA:2001:02 Allaire JRun 3.0 allows remote attackers to list contents of the WEB-INF directory, and the web.xml file in the WEB-INF directory, via a malformed URL that contains a "." ASB01-02 jrun-webinf-file-retrieval Lars Ellingsen guestserver.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the "email" parameter. guestserver-cgi-execute-commands 20010129 Remote Command Execution in guestserver.cgi + exploit Format string vulnerability in the error logging code of DHCP server and client in Caldera Linux allows remote attackers to execute arbitrary commands. 2215 CSSA-2001-003.0 dhcp-format-string FireWall-1 4.1 with a limited-IP license allows remote attackers to cause a denial of service by sending a large number of spoofed IP packets with various source addresses to the inside interface, which floods the console with warning messages and consumes CPU resources. 2238 fw1-limited-license-dos 20010117 Licensing Firewall-1 DoS Attack 1733 ipfw and ip6fw in FreeBSD 4.2 and earlier allows remote attackers to bypass access restrictions by setting the ECE flag in a TCP packet, which makes the packet appear to be part of an established connection. 2293 FreeBSD-SA-01:08 ipfw-bypass-firewall(5998) 20010125 ecepass - proof of concept code for FreeBSD ipfw bypass 1743 L-029 eEye Iris 1.01 beta allows remote attackers to cause a denial of service via a malformed packet, which causes Iris to crash when a user views the packet. eeye-iris-dos 2278 20010121 eEye Iris the Network traffic analyser DoS 20010121 eEye Iris the Network traffic analyser DoS Netopia R9100 router version 4.6 allows authenticated users to cause a denial of service by using the router's telnet program to connect to the router's IP address, which causes a crash. 2287 netopia-telnet-dos 20010123 Make The Netopia R9100 Router To Crash Directory traversal vulnerability in Free Java Web Server 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20010204 Vulnerability in Free Java Web Server Format string vulnerability in wu-ftp 2.6.1 and earlier, when running with debug mode enabled, allows remote attackers to execute arbitrary commands via a malformed argument that is recorded in a PASV port assignment. 2296 DSA-016 wuftp-debug-format-string ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/missing_format_strings.patch CLA-2001:443 GoodTech FTP server 3.0.1.2.1.0 and earlier allows remote attackers to cause a denial of service via a flood of connections to the server, which causes it to crash. 2270 20010122 def-2001-03: GoodTech Systems FTP Connection DoS goodtech-ftp-dos Directory traversal vulnerability in LocalWEB2000 HTTP server allows remote attackers to read arbitrary commands via a .. (dot dot) attack in an HTTP GET request. localweb2k-directory-traversal 2268 20010119 LocalWEB2000 Directory Traversal Vulnerability Buffer overflow in /usr/bin/cu in Solaris 2.8 and earlier, and possibly other operating systems, allows local users to gain privileges by executing cu with a long program name (arg0). 20010123 Solaris /usr/bin/cu Vulnerability 20010117 Solaris /usr/bin/cu Vulnerability cu-argv-bo(6224) gnuserv before 3.12, as shipped with XEmacs, does not properly check the specified length of an X Windows MIT-MAGIC-COOKIE cookie, which allows remote attackers to execute arbitrary commands via a buffer overflow, or brute force authentication by using a short cookie length. RHSA-2001:011 RHSA-2001:010 MDKSA-2001:019 20010202 Remote vulnerability in gnuserv/XEmacs gnuserv-tcp-cookie-overflow(6056) Buffer overflows in CTRLServer in XMail allows attackers to execute arbitrary commands via the cfgfileget or domaindel functions. http://xmailserver.org/XMail-Readme.txt 20010201 XMail CTRLServer remote buffer overflow vulnerability Format string vulnerability in man in some Linux distributions allows local users to gain privileges via a malformed -l parameter. 2327 DSA-028 20010131 SuSe / Debian man package format string vulnerability man-i-format-string(6059) Buffer overflow in httpGets function in CUPS 1.1.5 allows remote attackers to execute arbitrary commands via a long input line. MDKSA-2001:020-1 cups-httpgets-dos(6043) 6064 sash before 3.4-4 in Debian GNU/Linux does not properly clone /etc/shadow, which makes it world-readable and could allow local users to gain privileges via password cracking. linux-sash-shadow-readable DSA-015 inetd ident server in FreeBSD 4.x and earlier does not properly set group permissions, which allows remote attackers to read the first 16 bytes of files that are accessible by the wheel group. 2324 FreeBSD-SA-01:11 inetd-ident-read-files(6052) 1753 Format string vulnerability in print_client in icecast 1.3.8beta2 and earlier allows remote attackers to execute arbitrary commands. 2264 RHSA-2001:004 CLA-2001:374 20010121 [pkc] format bugs in icecast 1.3.8b2 and prior icecast-format-string Buffer overflow in QuickTime Player plugin 4.1.2 (Japanese) allows remote attackers to execute arbitrary commands via a long HREF parameter in an EMBED tag. quicktime-embedded-tag-bo 2328 20010131 [SPSadvisory#41]Apple Quick Time Plug-in Buffer Overflow Directory traversal vulnerability in SEDUM HTTP Server 2.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack in the HTTP GET request. VU#651994 sedum-directory-traversal(6063) 2335 14797 20010204 Vulnerability in SEDUM HTTP Server HSWeb 2.0 HTTP server allows remote attackers to obtain the physical path of the server via a request to the /cgi/ directory, which will list the path if directory browsing is enabled. 2336 20010204 Web root exposure in HSWeb Webserver The Postaci frontend for PostgreSQL does not properly filter characters such as semicolons, which could allow remote attackers to execute arbitrary SQL queries via the deletecontact.php program. postaci-sql-command-injection 2230 20010117 Postaci allows arbitrary SQL query execution Picserver web server allows remote attackers to read arbitrary files via a .. (dot dot) attack in an HTTP GET request. 2339 20010205 Vulnerability in Picserver Watchguard Firebox II firewall allows users with read-only access to gain read-write access, and administrative privileges, by accessing a file that contains hashed passphrases, and using the hashes during authentication. 2284 20010120 Watchguard Firewall Elevated Privilege Vulnerability watchguard-firebox-obtain-passphrase Watchguard Firebox II allows remote attackers to cause a denial of service by establishing multiple connections and sending malformed PPTP packets. 2369 20010214 def-2001-07: Watchguard Firebox II PPTP DoS firebox-pptp-dos(6109) Directory traversal vulnerability in AOLserver 3.2 and earlier allows remote attackers to read arbitrary files by inserting "..." into the requested pathname, a modified .. (dot dot) attack. 2343 20010208 Vulnerability in AOLserver 20010206 Vulnerability in AOLserver Directory traversal vulnerability in Soft Lite ServerWorx 3.00 allows remote attackers to read arbitrary files by inserting a .. (dot dot) or ... into the requested pathname of an HTTP GET request. 20010207 Vulnerability in Soft Lite ServerWorx 2346 Buffer overflow in bing allows remote attackers to execute arbitrary commands via a long hostname, which is copied to a small buffer after a reverse DNS lookup using the gethostbyaddr function. 2279 linux-bing-bo 20010119 Buffer overflow in bing MicroFocus Cobol 4.1, with the AppTrack feature enabled, installs the mfaslmf directory and the nolicense file with insecure permissions, which allows local users to gain privileges by modifying files. 2359 20010211 Security Hole in Microfocus Cobol Buffer overflow in Shoutcast Distributed Network Audio Server (DNAS) 1.7.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long description. shoutcast-description-bo 20010118 Shoutcast Server Buffer Crashes Server Directory traversal vulnerability in commerce.cgi CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack in the page parameter. 20010212 Commerce.cgi Directory Traversal 2361 Directory traversal vulnerability in WebSPIRS 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) attack on the sp.nextform parameter. 2362 20010212 WebSPIRS CGI script "show files" Vulnerability. Directory traversal vulnerability in HIS Auktion 1.62 allows remote attackers to read arbitrary files via a .. (dot dot) in the menue parameter, and possibly execute commands via shell metacharacters. 2367 20010212 HIS Auktion 1.62: "show files" vulnerability and remote command execute. Buffer overflow in pi program in PlanetIntra 2.5 allows remote attackers to execute arbitrary commands. planetintra-pi-bo 200101125 [SAFER] Security Bulletin 010125.EXP.1.12 Way-board CGI program allows remote attackers to read arbitrary files by specifying the filename in the db parameter and terminating the filename with a null byte. 2370 20010212 Way board: "show files" Vulnerability with null bite bug ROADS search.pl program allows remote attackers to read arbitrary files by specifying the file name in the form parameter and terminating the filename with a null byte. 2371 http://www.roads.lut.ac.uk/lists/open-roads/2001/02/0001.html 20010212 ROADS search system "show files" Vulnerability with "null bite" bug roads-search-view-files(6097) PALS Library System pals-cgi program allows remote attackers to execute arbitrary commands via shell metacharacters in the documentName parameter. 2372 20010212 PALS Library System "show files" Vulnerability and remote command execution webpals-library-cgi-url(6102) Directory traversal vulnerability in PALS Library System pals-cgi program allows remote attackers to read arbitrary files via a .. (dot dot) in the documentName parameter. 2372 20010212 PALS Library System "show files" Vulnerability and remote command execution webpals-library-cgi-url(6102) Format string vulnerability in mars_nwe 0.99.pl19 allows remote attackers to execute arbitrary commands. FreeBSD-SA-01:20 20010126 format string vulnerability in mars_nwe 0.99pl19 mars-nwe-format-string(6019) Vulnerability in Support Tools Manager (xstm,cstm,stm) in HP-UX 11.11 and earlier allows local users to cause a denial of service. 2239 HPSBUX0101-137 hp-stm-dos 7030 7029 6991 Buffer overflow in ja-elvis and ko-helvis ports of elvis allow local users to gain root privileges. FreeBSD-SA-01:21 Buffer overflow in ja-xklock 2.7.1 and earlier allows local users to gain root privileges. FreeBSD-SA-01:19 ja-xklock-bo(6073) webmin 0.84 and earlier allows local users to overwrite and create arbitrary files via a symlink attack. MDKSA-2001-016 CSSA-2001-004.0 linux-webmin-tmpfiles Buffer overflow in wwwwais allows remote attackers to execute arbitrary commands via a long QUERY_STRING (HTTP GET request). wwwwais-cgi-dos 20010117 numerous holes Muscat Empower CGI program allows remote attackers to obtain the absolute pathname of the server via an invalid request in the DB parameter. 2374 20010212 Vulnerability in Muscat Empower wich can print path to DB-dir. muskat-empower-url-dir(6093) fortran math component in Infobot 0.44.5.3 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters. 20010207 Infobot 0.44.5.3/below remotely vulnerable (also in FreeBSD ports tree) 2349 Directory traversal vulnerability in BiblioWeb web server 2.0 allows remote attackers tor ead arbitrary files via a .. (dot dot) or ... attack in an HTTP GET request. 20010205 Vulnerabilities in BiblioWeb Server Buffer overflow in BiblioWeb web server 2.0 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long HTTP GET request. 20010205 Vulnerabilities in BiblioWeb Server Directory traversal vulnerability in GoAhead web server 2.1 and earlier allows remote attackers to read arbitrary files via a .. attack in an HTTP GET request. 20010202 GoAhead Web Server Directory Traversal Vulnerability Chili!Soft ASP for Linux before 3.6 does not properly set group privileges when running in inherited mode, which could allow attackers to gain privileges via malicious scripts. 20010206 Security hole in ChiliSoft ASP on Linux. Buffer overflow in dc20ctrl before 0.4_1 in FreeBSD, and possibly other operating systems, allows local users to gain privileges. FreeBSD-SA-01:22 dc20ctrl-port-bo(6077) 6081 Directory traversal vulnerability in newsdesk.cgi in News Desk 1.2 allows remote attackers to read arbitrary files via a .. in the "t" parameter. VU#496064 newsdesk-cgi-read-files(5898) 2172 20010103 News Desk 1.2 CGI Vulnerbility newsdesk.cgi in News Desk 1.2 allows remote attackers to read arbitrary files via shell metacharacters. 20010103 News Desk 1.2 CGI Vulnerbility Buffer overflow in micq client 0.4.6 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long Description field. RHSA-2001:005 DSA-012 20010124 patch Re: [PkC] Advisory #003: micq-0.4.6 remote buffer overflow FreeBSD-SA-01:14 micq-sprintf-remote-bo(5962) 20010118 [PkC] Advisory #003: micq-0.4.6 remote buffer overflow NewsDaemon before 0.21b allows remote attackers to execute arbitrary SQL queries and gain privileges via a malformed user_username parameter. 20010126 NewsDaemon remote administrator access newsdaemon-gain-admin-access http://sourceforge.net/forum/forum.php?forum_id=60570 Vulnerability in crontab allows local users to read crontab files of other users by replacing the temporary file that is being edited while crontab is running. DSA-024 FreeBSD-SA-01:09 crontab-read-files(6225) 2332 Buffer overflow in Solaris snmpXdmid SNMP to DMI mapper daemon allows remote attackers to execute arbitrary commands via a long "indication" event. CA-2001-05 2417 20010314 Solaris /usr/lib/dmi/snmpXdmid vulnerability solaris-snmpxdmid-bo(6245) L-065 00207 Memory leak in Microsoft 2000 domain controller allows remote attackers to cause a denial of service by repeatedly connecting to the Kerberos service and then disconnecting without sending any data. MS01-024 20010509 def-2001-24: Windows 2000 Kerberos DoS win2k-kerberos-dos(6506) 2707 L-079 Microsoft Data Access Component Internet Publishing Provider 8.103.2519.0 and earlier allows remote attackers to bypass Security Zone restrictions via WebDAV requests. MS01-022 ms-dacipp-webdav-access(6405) L-074 Microsoft Internet Security and Acceleration (ISA) Server 2000 Web Proxy allows remote attackers to cause a denial of service via a long web request with a specific type. 2600 MS01-021 20010427 Microsoft ISA Server Vulnerability 20010417 [SX-20010320-2b] - Followup re. Microsoft ISA Server Denial of Service 20010416 [SX-20010320-2] - Microsoft ISA Server Denial of Service isa-web-proxy-dos(6383) L-073 Microsoft Word before Word 2002 allows attackers to automatically execute macros without warning the user via a Rich Text Format (RTF) document that links to a template with the embedded macro. MS01-028 word-rtf-macro-execution(6571) 2753 Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0. CA-2001-10 2674 MS01-023 20010501 Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access) iis-isapi-printer-bo(6485) 3323 oval:org.mitre.oval:def:1068 Buffer overflows in Microsoft Windows Media Player 7 and earlier allow remote attackers to execute arbitrary commands via (1) a long version tag in an .ASX file, or (2) a long banner tag, a variant of the ".ASX Buffer Overrun" vulnerability as discussed in MS:MS00-090. VU#187528 MS01-029 mediaplayer-asx-bo(5574) 2686 2677 20010506 Re: Microsoft Media Player ASX Parser buffer overflow vulnerability 20010502 Microsoft Media Player ASX Parser buffer overflow vulnerability Windows Media Player 7 and earlier stores Internet shortcuts in a user's Temporary Files folder with a fixed filename instead of in the Internet Explorer cache, which causes the HTML in those shortcuts to run in the Local Computer Zone instead of the Internet Zone, which allows remote attackers to read certain files. MS01-029 mediaplayer-html-shortcut(6584) 2765 Buffer overflow in Microsoft Index Server 2.0 allows remote attackers to execute arbitrary commands via a long search parameter. MS01-025 winnt-indexserver-search-bo(6517) 2709 Microsoft Index Server 2.0 in Windows NT 4.0, and Indexing Service in Windows 2000, allows remote attackers to read server-side include files via a malformed search request, aka a new variant of the "Malformed Hit-Highlighting" vulnerability. MS01-025 win-indexserver-view-files(6518) Internet Explorer 5.5 and earlier does not properly verify the domain of a frame within a browser window, which allows remote web site operators to read certain files on the client by sending information from a local frame to a frame in a different domain, aka a variant of the "Frame Domain Verification" vulnerability. MS01-027 Buffer overflows in BSD-based FTP servers allows remote attackers to execute arbitrary commands via a long pattern string containing a {} sequence, as seen in (1) g_opendir, (2) g_lstat, (3) g_stat, and (4) the glob0 buffer as used in the glob functions glob2 and glob3. CA-2001-07 2548 FreeBSD-SA-01:33 NetBSD-SA2000-018 ftp-glob-expansion(6332) 20010409 Globbing Vulnerabilities in Multiple FTP Daemons 20010802-01-P Buffer overflow in FTP server in HPUX 11 allows remote attackers to execute arbitrary commands by creating a long pathname and calling the STAT command, which uses glob to generate long strings. CA-2001-07 2552 ftp-glob-expansion(6332) 20010409 Globbing Vulnerabilities in Multiple FTP Daemons Heap overflow in FTP daemon in Solaris 8 allows remote attackers to execute arbitrary commands by creating a long pathname and calling the LIST command, which uses glob to generate long strings. CA-2001-07 2550 ftp-glob-expansion(6332) 20010409 Globbing Vulnerabilities in Multiple FTP Daemons The Web Publishing feature in Netscape Enterprise Server 4.x and earlier allows remote attackers to list arbitrary directories under the web server root via the INDEX command. netscape-enterprise-list-directories 2285 20010124 [SAFER] Security Bulletin 010124.EXP.1.11 The Web Publishing feature in Netscape Enterprise Server 3.x allows remote attackers to cause a denial of service via the REVLOG command. netscape-enterprise-revlog-dos 2294 20010125 [SAFER] Security Bulletin 010125.DOS.1.5 iPlanet (formerly Netscape) Enterprise Server 4.1 allows remote attackers to cause a denial of service via a long HTTP GET request that contains many "/../" (dot dot) sequences. netscape-enterprise-dot-dos 2282 20010122 def-2001-04: Netscape Enterprise Server Dot-DoS 20010124 iPlanet FastTrack/Enterprise 4.1 DoS clarifications Directory traversal vulnerability in hsx.cgi program in iWeb Hyperseek 2000 allows remote attackers to read arbitrary files and directories via a .. (dot dot) attack in the show parameter. VU#146704 2314 hyperseek-cgi-reveal-info 20010128 Hyperseek 2000 Search Engine - "show directory & files" bug FaSTream FTP++ Server 2.0 allows remote attackers to obtain the real pathname of the server via the "pwd" command. 20010119 Multiple Vulnerabilities In FaSTream FTP++ (+ ICS Tftpserver DoS) FaSTream FTP++ Server 2.0 allows remote attackers to list arbitrary directories by using the "ls" command and including the drive letter name (e.g. C:) in the requested pathname. fastream-ftp-path-disclosure 20010119 Multiple Vulnerabilities In FaSTream FTP++ (+ ICS Tftpserver DoS) 2267 FaSTream FTP++ Server 2.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long username. 20010119 Multiple Vulnerabilities In FaSTream FTP++ (+ ICS Tftpserver DoS) fastream-ftp-server-dos 2261 Buffer overflow in Easycom/Safecom Print Server Web service, version 404.590 and earlier, allows remote attackers to execute arbitrary commands via (1) a long URL or (2) a long HTTP header field such as "Host:". easycom-safecom-url-bo 2291 20010123 def-2001-06: Easycom/Safecom 10/100 Multiple DoS The Easycom/Safecom Print Server (firmware 404.590) PrintGuide server allows remote attackers to cause a denial of service via a large number of connections that send null characters. easycom-safecom-printguide-dos 20010123 def-2001-06: Easycom/Safecom 10/100 Multiple DoS ssh-keygen in ssh 1.2.27 - 1.2.30 with Secure-RPC can allow local attackers to recover a SUN-DES-1 magic phrase generated by another user, which the attacker can use to decrypt that user's private key file. ssh-rpc-private-key 2222 20010116 Bug in SSH1 secure-RPC support can expose users' private keys http://www.ssh.com/products/ssh/patches/secureRPCvulnerability.html Buffer overflow in Lotus Domino Mail Server 5.0.5 and earlier allows a remote attacker to crash the server or execute arbitrary code via a long "RCPT TO" command. lotus-domino-smtp-bo 2283 20010123 [SAFER] Security Bulletin 010123.EXP.1.10 3321 Microsoft Windows 2000 Encrypted File System does not properly destroy backups of files that are encrypted, which allows a local attacker to recover the text of encrypted files. win2k-efs-recover-data 2243 20010123 Reply to EFS note on Bugtraq 20010119 BugTraq: EFS Win 2000 flaw Buffer overflow in Netscape SmartDownload 1.3 allows remote attackers (malicious web pages) to execute arbitrary commands via a long URL. A041301-1 Gene6 G6 FTP Server 2.0 (aka BPFTP Server 2.10) allows attackers to read file attributes outside of the web root via the (1) SIZE and (2) MDTM commands when the "show relative paths" option is not enabled. A040301-1 bpftp-obtain-credentials(6330) 2537 Gene6 G6 FTP Server 2.0 (aka BPFTP Server 2.10) allows remote attackers to obtain NETBIOS credentials by requesting information on a file that is in a network share, which causes the server to send the credentials to the host that owns the share, and allows the attacker to sniff the connection. 2534 A040301-1 ASCII Armor parser in Windows PGP 7.0.3 and earlier allows attackers to create files in arbitrary locations via a malformed ASCII armored file. A040901-1 pgp-armor-code-execution(6643) 2556 1782 Vulnerability in Software Distributor SD-UX in HP-UX 11.0 and earlier allows local users to gain privileges. HPSBUX0102-143 6033 NM debug in HP MPE/iX 6.5 and earlier does not properly handle breakpoints, which allows local users to gain privileges. HPSBMP0102-008 hp-nmdebug-gain-privileges(6226) 6032 The i386_set_ldt system call in NetBSD 1.5 and earlier, and OpenBSD 2.8 and earlier, when the USER_LDT kernel option is enabled, does not validate a call gate target, which allows local users to gain root privileges by creating a segment call gate in the Local Descriptor Table (LDT) with a target that specifies an arbitrary kernel address. VU#358960 NetBSD-SA:2001-002 user-ldt-validation(6222) 2739 6141 20010302 The USER_LDT kernel option allows an attacker to gain access to privileged areas of kernel memory. CSSA-2001-SCO.35 20010219 Re: your mail pam_ldap authentication module in Solaris 8 allows remote attackers to bypass authentication via a NULL password. 20010217 Solaris 8 pam_ldap.so.1 module broken solaris-pamldap-bypass-authentication(6440) 6030 Marconi ASX-1000 ASX switches allow remote attackers to cause a denial of service in the telnet and web management interfaces via a malformed packet with the SYN-FIN and More Fragments attributes set. 2400 20010219 Denial of Service Condition exists in Fore/Marconi ASX Switches mailnews.cgi 1.3 and earlier allows remote attackers to execute arbitrary commands via a user name that contains shell metacharacters. 20010218 mailnews.cgi 2391 Directory traversal vulnerability in sendtemp.pl in W3.org Anaya Web development server allows remote attackers to read arbitrary files via a .. (dot dot) attack in the templ parameter. 20010212 W3.ORG sendtemp.pl pgp4pine Pine/PGP interface version 1.75-6 does not properly check to see if a public key has expired when obtaining the keys via Gnu Privacy Guard (GnuPG), which causes the message to be sent in cleartext. VU#566640 20010220 [CryptNET Advisory] pgp4pine-1.75-6 - expired public keys pgp4pine-expired-keys(6135) 2405 kicq IRC client 1.0.0, and possibly later versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a URL. 20010303 Re: Security hole in kicq 20010214 Security hole in kicq kicq-execute-commands(6112) Moby Netsuite Web Server 1.02 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP request. 20010219 NetSuite 1.02 web server vulnerabilty ext.dll in BadBlue 1.02.07 Personal Edition web server allows remote attackers to determine the physical path of the server by directly calling ext.dll without any arguments, which produces an error message that contains the path. 2390 20010217 BadBlue Web Server Ext.dll Vulnerabilities http://www.badblue.com/p010219.htm badblue-ext-reveal-path(6130) Buffer overflow in ext.dll in BadBlue 1.02.07 Personal Edition allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long HTTP GET request. 2392 20010217 BadBlue Web Server Ext.dll Vulnerabilities Vulnerability in linkeditor in HP MPE/iX 6.5 and earlier allows local users to gain privileges. HPSBMP0102-009 hp-linkeditor-gain-privileges(6223) Buffer overflow in sudo earlier than 1.6.3p6 allows local users to gain root privileges. MDKSA-2001:024 DSA-031 20010222 Sudo version 1.6.3p6 now available (fwd) RHSA-2001:019 RHSA-2001:018 CLA-2001:381 20010225 [slackware-security] buffer overflow in sudo fixed 20010226 Trustix Security Advisory - sudo Buffer overflow in MERCUR SMTP server 3.30 allows remote attackers to execute arbitrary commands via a long EXPN command. 20010223 Mercur Mailserver 3.3 buffer overflow with EXPN mercur-expn-bo(6149) 6027 Format string vulnerability in DbgPrint function, used in debug messages for some Windows NT drivers (possibly when called through DebugMessage), may allow local users to gain privileges. 20010221 NT drivers are potentially vulnerable to format string bug SEDUM 2.1 HTTP server allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long HTTP request. 20010223 SEDUM v2.1 HTTPd - Denial of Service Directory traversal vulnerability in SunFTP build 9 allows remote attackers to read arbitrary files via .. (dot dot) characters in various commands, including (1) GET, (2) MKDIR, (3) RMDIR, (4) RENAME, or (5) PUT. 20010302 Sunftp build9(1) - ftp server Vulnerability Buffer overflow in IPSEC authentication mechanism for OpenBSD 2.8 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a malformed Authentication header (AH) IPv4 option. 6026 20010302 Insufficient checks in the IPSEC AH IPv4 option handling code can lead to a buffer overrun in the kernel. Buffer overflow in A1 HTTP server 1.0a allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long HTTP request. 20010226 A1 Server v1.0a HTTPd (DoS & Dir Traversal) Directory traversal vulnerability in A1 HTTP server 1.0a allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP GET request. 20010226 A1 Server v1.0a HTTPd (DoS & Dir Traversal) VERITAS Cluster Server (VCS) 1.3.0 on Solaris allows local users to cause a denial of service (system panic) via the -L option to the lltstat command. http://seer.support.veritas.com/docs/234326.htm 20010302 Option to VERITAS Cluster Server (VCS) lltstat command will panic system. 6025 Cisco switches and routers running IOS 12.1 and earlier produce predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections. 20010228 Cisco IOS Software TCP Initial Sequence Number Randomization Improvements Joe text editor 2.8 searches the current working directory (CWD) for the .joerc configuration file, which could allow local users to gain privileges of other users by placing a Trojan Horse .joerc file into a directory, then waiting for users to execute joe from that directory. MDKSA-2001:026 DSA-041 20010228 Joe's Own Editor File Handling Error RHSA-2001:024 Vulnerability in Mailman 2.0.1 and earlier allows list administrators to obtain user passwords. 20010306 [Mailman-Announce] ANNOUNCE Mailman 2.0.2 (important privacy patch) Buffer overflow in post-query sample CGI program allows remote attackers to execute arbitrary commands via an HTTP POST request that contains at least 10001 parameters. 20010305 Remote buffer overflow condition in post-query (CGI). PHP-Nuke 4.4.1a allows remote attackers to modify a user's email address and obtain the password by guessing the user id (UID) and calling user.php with the saveuser operator. 20010302 PHPNUKE4.4.1a Advisory Directory traversal vulnerability in FtpXQ FTP server 2.0.93 allows remote attackers to read arbitrary files via a .. (dot dot) in the GET command. 2426 20010228 Vulnerability in FtpXQ Server Directory traversal vulnerability in TYPSoft FTP Server 0.85 allows remote attackers to read arbitrary files via (1) a .. (dot dot) in a GET command, or (2) a ... in a CWD command. 20010228 Vulnerability in TYPSoft FTP Server Directory traversal vulnerability in War FTP 1.67.04 allows remote attackers to list directory contents and possibly read files via a "dir *./../.." command. 2444 20010306 Warftp 1.67b04 Directory Traversal 874 http://support.jgaa.com/?cmd=ShowArticle&ID=31 Buffer overflow in WFTPD Pro 3.00 allows remote attackers to execute arbitrary commands via a long CWD command. 20010303 WFTPD Pro 3.00 R1 Buffer Overflow Directory traversal vulnerability in Simple Server HTTPd 1.0 (originally Free Java Server) allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. 2415 20010224 The Simple Server HTTPd Directory Traversal Buffer overflow in WebReflex 1.55 HTTPd allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP GET request. 2425 20010227 WebReflex 1.55 HTTPd DoS Buffer overflow in Voyager web administration server for Nokia IP440 allows local users to cause a denial of service, and possibly execute arbitrary commands, via a long URL. 2054 20001205 Nokia firewalls - Response from Nokia 20001127 Nokia firewalls nokia-ip440-bo(5640) 6020 oidldapd 2.1.1.1 in Oracle 8.1.7 records log files in a directory (ldaplog) that has world-writable permissions, which may allow local users to delete logs and/or overwrite other files via a symlink attack. VU#610904 20001222 vulnerability #2 in Oracle Internet Directory 2.1.1.1 in Oracle 8.1.7 oracle-oidldap-write-permission(5804) Buffer overflow in Analog before 4.16 allows remote attackers to execute arbitrary commands by using the ALIAS command to construct large strings. 2377 DSA-033 http://www.analog.cx/security2.html RHSA-2001:017 20010213 Security advisory for analog analog-alias-bo(6105) 1762 Buffer overflow in tstisapi.dll in Pi3Web 1.0.1 web server allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long URL. 2381 20010215 Vulnerabilities in Pi3Web Server tstisapi.dll in Pi3Web 1.0.1 web server allows remote attackers to determine the physical path of the server via a URL that requests a non-existent file. 2381 20010215 Vulnerabilities in Pi3Web Server Directory traversal vulnerability in Caucho Resin 1.2.2 allows remote attackers to read arbitrary files via a "\.." (dot dot) in a URL request. 2384 20010216 Vulnerability in Resin Webserver Directory traversal vulnerability in store.cgi in Thinking Arts ES.One package allows remote attackers to read arbitrary files via a .. (dot dot) in the StartID parameter. 2385 20010216 Thinking Arts Store.cgi Directory Traversal Directory traversal vulnerability in ITAfrica WEBactive HTTP Server 1.00 allows remote attackers to read arbitrary files via a .. (dot dot) in a URL. 2386 20010216 WEBactive HTTP Server 1.0 Directory Traversal Bajie HTTP JServer 0.78, and other versions before 0.80, allows remote attackers to execute arbitrary commands via shell metacharacters in an HTTP request for a CGI program that does not exist. 20010216 Vulnerabilities in Bajie Http JServer http://www.geocities.com/gzhangx/websrv/docs/security.html UploadServlet in Bajie HTTP JServer 0.78, and possibly other versions before 0.80, allows remote attackers to execute arbitrary commands by calling the servlet to upload a program, then using a ... (modified ..) to access the file that was created for the program. 2388 http://www.geocities.com/gzhangx/websrv/docs/security.html 20010216 Vulnerabilities in Bajie Http JServer inetd in Red Hat 6.2 does not properly close sockets for internal services such as chargen, daytime, echo, etc., which allows remote attackers to cause a denial of service via a series of connections to the internal services. RHSA-2001:006 inetd-internal-socket-dos(6380) sort in FreeBSD 4.1.1 and earlier, and possibly other operating systems, uses predictable temporary file names and does not properly handle when the temporary file already exists, which causes sort to crash and possibly impacts security-sensitive scripts. sort-temp-file-abort 3960 FreeBSD-SA-01:13 Vulnerability in OmniBackII A.03.50 in HP 11.x and earlier allows attackers to gain unauthorized access to an OmniBack client. omniback-unauthorized-access(6434) HPSBUX0102-142 PHSS_22915 PHSS_22914 IBM WebSphere plugin for Netscape Enterprise server allows remote attackers to read source code for JSP files via an HTTP request that contains a host header that references a host that is not in WebSphere's host aliases list, which will bypass WebSphere processing. 20010125 Yet Another IBM WebSphere Showcode Vulerability Borderware Firewall Server 6.1.2 allows remote attackers to cause a denial of service via a ping to the broadcast address of the public network on which the server is placed, which causes the server to continuously send pings (echo requests) to the network. borderware-ping-dos 20010126 Borderware v6.1.2 ping DoS vulnerability Buffer overflow in www.tol module in America Online (AOL) 5.0 may allow remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long URL in a link. aol-malformed-url-dos 20010125 America Online 5.0 contains a buffer overflow The locking feature in mIRC 5.7 allows local users to bypass the password mechanism by modifying the LockOptions registry key. mirc-bypass-password 20010125 mIRC allows password protection to be bypassed Linux kernel 2.4 and 2.2 allows local users to read kernel memory and possibly gain privileges via a negative argument to the sysctl call. CSSA-2001-009 20010213 Trustix Security Advisory - proftpd, kernel linux-sysctl-read-memory(6079) 2364 RHSA-2001:013 6017 Race condition in ptrace in Linux kernel 2.4 and 2.2 allows local users to gain privileges by using ptrace to track and modify a running setuid process. CSSA-2001-009 20010213 Trustix Security Advisory - proftpd, kernel linux-ptrace-modify-process(6080) RHSA-2001:013 Format string vulnerability in ProFTPD 1.2.0rc2 may allow attackers to execute arbitrary commands by shutting down the FTP server while using a malformed working directory (cwd). MDKSA-2001:021 DSA-029 20010206 Response to ProFTPD issues proftpd-format-string(6433) 20010110 proftpd 1.2.0rc2 -- example of bad coding CLA-2001:380 orderdspc.d2w macro in IBM Net.Commerce 3.x allows remote attackers to execute arbitrary SQL queries by inserting them into the order_rn option of the report capability. 2350 http://www-4.ibm.com/software/webservers/commerce/netcomletter.html 20010205 IBM NetCommerce Security ibm-netcommerce-reveal-information(6067) bb_smilies.php and bbcode_ref.php in PHP-Nuke 4.4 allows remote attackers to read arbitrary files and gain PHP administrator privileges by inserting a null character and .. (dot dot) sequences into a malformed username argument. 20010223 Yet another hole in PHP-Nuke opendir.php script in PHP-Nuke allows remote attackers to read arbitrary files by specifying the filename as an argument to the requesturl parameter. 20010212 Fwd: Re: phpnuke, security problem... phpnuke-opendir-read-files(6512) MSHTML.DLL HTML parser in Internet Explorer 4.0, and other versions, allows remote attackers to cause a denial of service (application crash) via a script that creates and deletes an object that is associated with the browser window object. ie-mshtml-dos 2202 20010115 Stack Overflow in MSHTML.DLL The ICMP path MTU (PMTU) discovery feature in various UNIX systems allows remote attackers to cause a denial of service by spoofing "ICMP Fragmentation needed but Don't Fragment (DF) set" packets between two target hosts, which could cause one host to lower its MTU when transmitting to the other host. icmp-pmtu-dos 20010115 ICMP fragmentation required but DF set problems. Windows 98 and Windows 2000 Java clients allow remote attackers to cause a denial of service via a Java applet that opens a large number of UDP sockets, which prevents the host from establishing any additional UDP connections, and possibly causes a crash. 2340 20010206 Windows client UDP exhaustion denial of service Buffer overflow in QNX RTP 5.60 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large number of arguments to the stat command. 2342 20010202 QNX RTP ftpd stack overflow Oracle Java Virtual Machine (JVM ) for Oracle 8.1.7 and Oracle Application Server 9iAS Release 1.0.2.0.1 allows remote attackers to read arbitrary files via the .jsp and .sqljsp file extensions when the server is configured to use the <<ALL FILES>> FilePermission. 20010212 Solution for Potential Vunerability in Granting FilePermission to Oracle Java Virtual Machine oracle-jvm-file-permissions(6438) 5706 iPlanet Web Server Enterprise Edition 4.1 and earlier allows remote attackers to retrieve sensitive data from memory allocation pools, or cause a denial of service, via a URL-encoded Host: header in the HTTP request, which reveals memory in the Location: header that is returned by the server. VU#276767 A041601-1 http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.html 5704 TCP implementations that use random increments for initial sequence numbers (ISN) can allow remote attackers to perform session hijacking or disruption by injecting a flood of packets with a range of ISN values, one of which may match the expected ISN. CA-2001-09 oval:org.mitre.oval:def:4922 57 8044 20030201-01-P Bugzilla 2.10 allows remote attackers to execute arbitrary commands via shell metacharacters in a username that is then processed by (1) the Bugzilla_login cookie in post_bug.cgi, or (2) the who parameter in process_bug.cgi. A043001-1 1199 http://www.mozilla.org/projects/bugzilla/security2_12.html Bugzilla 2.10 allows remote attackers to access sensitive information, including the database username and password, via an HTTP request for the globals.pl file, which is normally returned by the web server without being executed. 2671 A043001-1 bugzilla-gobalpl-gain-information(6489) Buffer overflow in Embedded Support Partner (ESP) daemon (rpc.espd) in IRIX 6.5.8 and earlier allows remote attackers to execute arbitrary commands. VU#258632 20010509 Remote Buffer Overflow Vulnerability in IRIX Embedded Support Partner Infrastructure irix-espd-bo(6502) 2714 1822 20010501-01-P Internet Explorer 5.5 and earlier does not properly verify the domain of a frame within a browser window, which allows remote web site operators to read certain files on the client by sending information from a local frame to a frame in a different domain using MSScriptControl.ScriptControl and GetObject, aka a variant of the "Frame Domain Verification" vulnerability. MS01-027 20010330 Security bug in Internet Explorer - MSScriptControl.ScriptControl Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice. CA-2001-12 MS01-026 20010515 NSFOCUS SA2001-02 : Microsoft IIS CGI Filename Decode Error Vulnerability iis-url-decoding(6534) 2708 oval:org.mitre.oval:def:78 oval:org.mitre.oval:def:37 oval:org.mitre.oval:def:1051 oval:org.mitre.oval:def:1018 FTP service in IIS 5.0 and earlier allows remote attackers to cause a denial of service via a wildcard sequence that generates a long string when it is expanded. MS01-026 iis-ftp-wildcard-dos(6535) FTP service in IIS 5.0 and earlier allows remote attackers to enumerate Guest accounts in trusted domains by preceding the username with a special sequence of characters. MS01-026 iis-ftp-domain-authentication(6545) 2719 The Microsoft MS00-060 patch for IIS 5.0 and earlier introduces an error which allows attackers to cause a denial of service via a malformed request. MS01-026 iis-crosssitescripting-patch-dos(6858) 5693 The Microsoft MS01-014 and MS01-016 patches for IIS 5.0 and earlier introduce a memory leak which allows attackers to cause a denial of service via a series of requests. MS01-026 Internet Explorer 5.5 and earlier does not properly validate digital certificates when Certificate Revocation List (CRL) checking is enabled, which could allow remote attackers to spoof trusted web sites, aka the "Server certificate validation vulnerability." MS01-027 ie-crl-certificate-spoofing(6555) 2735 L-087 Internet Explorer 5.5 and earlier allows remote attackers to display a URL in the address bar that is different than the URL that is actually being displayed, which could be used in web site spoofing attacks, aka the "Web page spoofing vulnerability." MS01-027 ie-html-url-spoofing(6556) 2737 5694 L-087 oval:org.mitre.oval:def:1096 An interaction between the Outlook Web Access (OWA) service in Microsoft Exchange 2000 Server and Internet Explorer allows attackers to execute malicious script code against a user's mailbox via a message attachment that contains HTML code, which is executed automatically. MS01-030 exchange-owa-script-execution(6652) L-091 Buffer overflow in Microsoft Visual Studio RAD Support sub-component of FrontPage Server Extensions allows remote attackers to execute arbitrary commands via a long registration request (URL) to fp30reg.dll. 2906 MS01-035 20010625 NSFOCUS SA2001-03 : Microsoft FrontPage 2000 Server Extensions Buffer Overflow Vulnerability frontpage-ext-rad-bo(6730) 577 An SQL query method in Microsoft SQL Server 2000 Gold and 7.0 using Mixed Mode allows local database users to gain privileges by reusing a cached connection of the sa administrator account. MS01-032 mssql-cached-connection-access(6684) L-095 oval:org.mitre.oval:def:71 Microsoft Windows 2000 telnet service allows attackers to prevent idle Telnet sessions from timing out, causing a denial of service by creating a large number of idle sessions. MS01-031 win2k-telnet-idle-sessions-dos(6667) 2843 Handle leak in Microsoft Windows 2000 telnet service allows attackers to cause a denial of service by starting a large number of sessions and terminating them. win2k-telnet-handle-leak-dos(6668) MS01-031 Information disclosure vulnerability in Microsoft Windows 2000 telnet service allows remote attackers to determine the existence of user accounts such as Guest, or log in to the server without specifying the domain name, via a malformed userid. MS01-031 win2k-telnet-domain-authentication(6665) 2847 5686 L-092 Microsoft Windows 2000 telnet service allows attackers to cause a denial of service (crash) via a long logon command that contains a backspace. MS01-031 win2k-telnet-username-dos(6666) L-092 20010608 Range checking fault condition in Microsoft Windows 2000 Telnet server Microsoft Windows 2000 telnet service creates named pipes with predictable names and does not properly verify them, which allows local users to execute arbitrary commands by creating a named pipe with the predictable name and associating a malicious program with it, the first of two variants of this vulnerability. VU#587587 MS01-031 win2k-telnet-pipe-privileges(6664) 2849 Microsoft Windows 2000 telnet service creates named pipes with predictable names and does not properly verify them, which allows local users to execute arbitrary commands by creating a named pipe with the predictable name and associating a malicious program with it, the second of two variants of this vulnerability. MS01-031 win2k-telnet-pipe-privileges(6664) Microsoft Windows 2000 telnet service allows a local user to make a certain system call that allows the user to terminate a Telnet session and cause a denial of service. MS01-031 win2k-telnet-system-call-dos(6669) 2846 L-092 SNMP agents in 3Com AirConnect AP-4111 and Symbol 41X1 Access Point allow remote attackers to obtain the WEP encryption key by reading it from a MIB when the value should be write-only, via (1) dot11WEPDefaultKeyValue in the dot11WEPDefaultKeysTable of the IEEE 802.11b MIB, or (2) ap128bWepKeyValue in the ap128bWEPKeyTable in the Symbol MIB. Buffer overflow in the line printer daemon (in.lpd) for Solaris 8 and earlier allows local and remote attackers to gain root privileges via a "transfer job" routine. CA-2001-15 solaris-lpd-bo(6718) 20010619 Remote Buffer Overflow Vulnerability in Solaris Print Protocol Daemon 2894 00206 TheNet CheckBO 1.56 allows remote attackers to cause a denial of service via a flood of characters to the TCP ports which it is listening on. 2634 20010420 CheckBO Win9x memo overflow Novell Groupwise 5.5 (sp1 and sp2) allows a remote user to access arbitrary files via an implementation error in Groupwise system policies. 20010210 Novell Groupwise Client Vulnerability FormMail.pl in FormMail 1.6 and earlier allows a remote attacker to send anonymous email (spam) by modifying the recipient and message parameters. formmail-anonymous-flooding(6242) 20010310 CORRECTION to CODE: FormMail.pl can be used to send anonymous email Buffer overflows in Sierra Half-Life build 1573 and earlier allow remote attackers to execute arbitrary code via (1) a long map command, (2) a long exec command, or (3) long input in a configuration file. halflife-config-file-bo halflife-map-bo 20010309 Advisory: Half-life server buffer overflows and formatting vulnerabilities Format string vulnerability in Sierra Half-Life build 1573 and earlier allows a remote attacker to execute arbitrary code via the map command. halflife-map-format-string 20010309 Advisory: Half-life server buffer overflows and formatting vulnerabilities Directory traversal vulnerability in help.cgi in Ikonboard 2.1.7b and earlier allows a remote attacker to read arbitrary files via a .. (dot dot) attack in the helpon parameter. ikonboard-cgi-read-files 2471 20010311 Ikonboard v2.1.7b "show files" vulnerability Implementations of SSH version 1.5, including (1) OpenSSH up to version 2.3.0, (2) AppGate, and (3) ssh-1 up to version 1.2.31, in certain configurations, allow a remote attacker to decrypt and/or alter traffic via a "Bleichenbacher attack" on PKCS#1 version 1.5. 2344 ssh-session-key-recovery(6082) 2116 SuSE-SA:2001:04 DSA-086 DSA-027 DSA-023 L-047 20010207 [CORE SDI ADVISORY] SSH1 session key recovery vulnerability FreeBSD-SA-01:24 SSH Communications Security sshd 2.4 for Windows allows remote attackers to create a denial of service via a large number of simultaneous connections. ssh-ssheloop-dos(6241) 2477 20010315 Remote DoS attack against SSH Secure Shell for Windows Servers Eudora before 5.1 allows a remote attacker to execute arbitrary code, when the 'Use Microsoft Viewer' and 'allow executables in HTML content' options are enabled, via an HTML email message containing Javascript, with ActiveX controls and malicious code within IMG tags. eudora-html-execute-code(6262) 2490 20010318 feeble.you!dora.exploit saposcol in SAP R/3 Web Application Server Demo before 1.5 trusts the PATH environmental variable to find and execute the expand program, which allows local users to obtain root access by modifying the PATH to point to a Trojan horse expand program. 2662 20010429 SAP R/3 Web Application Server Demo for Linux: root exploit ftp://ftp.sap.com/pub/linuxlab/saptools/README.saposcol linux-sap-execute-code(6487) Mirabilis ICQ WebFront Plug-in ICQ2000b Build 3278 allows a remote attacker to create a denial of service via HTTP URL requests containing a large number of % characters. 2664 20010428 Mirabilis ICQ WebFront Plug-in Denial of Service Directory traversal vulnerability in BearShare 2.2.2 and earlier allows a remote attacker to read certain files via a URL containing a series of . characters, a variation of the .. (dot dot) attack. 2672 20010430 A Serious Security Vulnerability Found in BearShare (Directory Traversal) bearshare-dot-download-files(6481) 1810 Buffer overflow in lpsched on DGUX version R4.20MU06 and MU02 allows a local attacker to obtain root access via a long command line argument (non-existent printer name). dgux-lpsched-bo 20010319 DGUX lpsched buffer overflow fcheck prior to 2.57.59 calls the file signature checking program insecurely, which can allow a local user to run arbitrary commands via a file name that contains shell metacharacters. fcheck-open-execute-commands 20010320 fcheck prior to 2.07.59 - vulnerability - improper use of perl 'magic open' Race condition in the UFS and EXT2FS file systems in FreeBSD 4.2 and earlier, and possibly other operating systems, makes deleted data available to user processes before it is zeroed out, which allows a local user to access otherwise restricted information. ufs-ext2fs-data-disclosure(6268) FreeBSD-SA-01:30 5682 Akopia Interchange 4.5.3 through 4.6.3 installs demo stores with a default group account :backup with no password, which allows a remote attacker to gain administrative access via the demo stores (1) barry, (2) basic, or (3) construct. 2499 20010323 FW: Akopia Interchange E-commerce Package Demo Files Vulnerability akopia-interchange-gain-access(6273) http://lists.akopia.com/pipermail/interchange-announce/2001/000009.html The default configuration of the Dr. Watson program in Windows NT and Windows 2000 generates user.dmp crash dump files with world-readable permissions, which could allow a local user to gain access to sensitive information. 2501 win-userdmp-insecure-permission(6275) 5683 20010323 NT crash dump files insecure by default The HTTP server in Compaq web-enabled management software for (1) Foundation Agents, (2) Survey, (3) Power Manager, (4) Availability Agents, (5) Intelligent Cluster Administrator, and (6) Insight Manager can be used as a generic proxy server, which allows remote attackers to bypass access restrictions via the management port, 2301. compaq-wbm-bypass-proxy SSRT0715 20010322 Compaq Insight Manager Proxy Vuln Cisco PIX Firewall 515 and 520 with 5.1.4 OS running aaa authentication to a TACACS+ server allows remote attackers to cause a denial of service via a large number of authentication requests. 2551 20010406 PIX Firewall 5.1 DoS Vulnerability cisco-pix-tacacs-dos(6353) 20011003 Cisco PIX Firewall Authentication Denial of Service Vulnerability SonicWALL Tele2 and SOHO firewalls with 6.0.0.0 firmware using IPSEC with IKE pre-shared keys do not allow for the use of full 128 byte IKE pre-shared keys, which is the intended design of the IKE pre-shared key, and only support 48 byte keys. This allows a remote attacker to brute force attack the pre-shared keys with significantly less resources than if the full 128 byte IKE pre-shared keys were used. 20010327 SonicWall IKE pre-shared key length bug and security concern sonicwall-ike-shared-keys Infradig Inframail prior to 3.98a allows a remote attacker to create a denial of service via a malformed POST request which includes a space followed by a large string. inframail-post-dos(6297) 20010328 Inframail Denial of Service Vulnerability 5685 readline prior to 4.1, in OpenBSD 2.8 and earlier, creates history files with insecure permissions, which allows a local attacker to recover potentially sensitive information via readline history files. ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/024_readline.patch bsd-readline-permissions(6586) 5680 Vulnerability in the newgrp program included with HP9000 servers running HP-UX 11.11 allows a local attacker to obtain higher access rights. VU#249224 HPSBUX0103-147 hp-newgrp-additional-privileges(6282) 5681 Crosscom/Olicom XLT-F running XL 80 IM Version 5.5 Build Level 2 allows a remote attacker SNMP read and write access via a default, undocumented community string 'ILMI'. oval:org.mitre.oval:def:5718 200103 ILMI community in olicom/crosscomm routers The OpenPGP PGP standard allows an attacker to determine the private signature key via a cryptanalytic attack in which the attacker alters the encrypted private key file and captures a single message signed with the signature key. openpgp-private-key-disclosure(6558) 2673 RHSA-2001:063 11966 20010322 Re: Yes, they have found a serious PGP vulnerability...sort of 20010320 Yes, they have found a serious PGP vulnerability...sort of 20010319 Have they found a serious PGP vulnerability?! CSSA-2001-017.0 Computer Associates CCC\Harvest 5.0 for Windows NT/2000 uses weak encryption for passwords, which allows a remote attacker to gain privileges on the application. 20010327 CA CCC\Harvest exploit banners.php in PHP-Nuke 4.4 and earlier allows remote attackers to modify banner ad URLs by directly calling the Change operation, which does not require authentication. http://phpnuke.org/download.php?dcategory=Fixes 20010401 Php-nuke exploit... php-nuke-url-redirect(6342) 2544 ppd in Reliant Sinix allows local users to corrupt arbitrary files via a symlink attack in the /tmp/ppd.trace file. 2606 20010414 Re: Reliant Unix 5.43 / 5.44 ICMP port unreachable problem GoAhead webserver 2.1 allows remote attackers to cause a denial of service via an HTTP request to the /aux directory. 2607 20010417 Advisory for GoAhead Webserver v2.1 goahead-aux-dos(6400) 6664 AnalogX SimpleServer:WWW 1.08 allows remote attackers to cause a denial of service via an HTTP request to the /aux directory. 2608 20010417 Advisory for SimpleServer:WWW (analogX) analogx-simpleserver-aux-dos(6395) 3781 Format string vulnerability in hfaxd in HylaFAX before 4.1.b2_2 allows local users to gain privileges via the -q command line argument. 2574 MDKSA-2001:041 SuSE-SA:2001:15 20010415 **SECURITY ADVISORY** - HylaFAX format string vulnerability 20010412 HylaFAX vulnerability hylafax-hfaxd-format-string(6377) 5679 FreeBSD-SA-01:34 time server daemon timed allows remote attackers to cause a denial of service via malformed packets. timed-remote-dos(6228) MDKSA-2001:034 FreeBSD-SA-01:28 SuSE-SA:2001:07 IBM Websphere/NetCommerce3 3.1.2 allows remote attackers to determine the real path of the server by directly calling the macro.d2w macro with a NOEXISTINGHTMLBLOCK argument. 2587 20010413 [LoWNOISE] IBM Websphere/NetCommerce3 DoS and one more. IBM Websphere/NetCommerce3 3.1.2 allows remote attackers to cause a denial of service by directly calling the macro.d2w macro with a long string of %0a characters. 2588 20010413 [LoWNOISE] IBM Websphere/NetCommerce3 DoS and one more. Xitami 2.5d4 and earlier allows remote attackers to crash the server via an HTTP request to the /aux directory. 20010417 Advisory for Xitami 2.4d7, 2.5d4 Navision Financials Server 2.60 and earlier allows remote attackers to cause a denial of service by sending a null character and a long string to the server port (2407), which causes the server to crash. 2539 20010403 def-2001-17: Navision Financials Server DoS Navision Financials Server 2.0 allows remote attackers to cause a denial of service via a series of connections to the server without providing a username/password combination, which consumes the license limits. 20010404 Re: def-2001-17: Navision Financials Server DoS Remote manager service in Website Pro 3.0.37 allows remote attackers to cause a denial of service via a series of malformed HTTP requests to the /dyn directory. 20010328 def-2001-15: Website Pro Remote Manager DoS website-pro-remote-dos(6295) 5669 Lightwave ConsoleServer 3200 does not disconnect users after unsuccessful login attempts, which could allow remote attackers to conduct brute force password guessing. 2578 20010410 Console 3200 telnetd problem. The pre-login mode in the System Administrator interface of Lightwave ConsoleServer 3200 allows remote attackers to obtain sensitive information such as system status, configuration, and users. 2578 20010410 Console 3200 telnetd problem. Buffer overflow in Silent Runner Collector (SRC) 1.6.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long SMTP HELO command. 20010329 Silent Runner Collector - HELO buffer overflow vulnerability The BAT! mail client allows remote attackers to bypass user warnings of an executable attachment and execute arbitrary commands via an attachment whose file name contains many spaces, which also causes the BAT! to misrepresent the attachment's type with a different icon. 2530 20010402 ~..~!guano Caucho Resin 1.3b1 and earlier allows remote attackers to read source code for Javabean files by inserting a .jsp before the WEB-INF specifier in an HTTP request. 2533 20010403 CHINANSL Security Advisory(CSA-200111) nph-maillist.pl allows remote attackers to execute arbitrary commands via shell metacharacters ("`") in the email address. 2563 20010410 CGI - nph-maillist.pl vulnerability... Buffer overflow in tip in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable. 20010327 Solaris /usr/bin/tip Vulnerability solaris-tip-bo 2475 IPFilter 3.4.16 and earlier does not include sufficient session information in its cache, which allows remote attackers to bypass access restrictions by sending fragmented packets to a restricted port after sending unfragmented packets to an unrestricted port. 20010408 A fragmentation attack against IP Filter FreeBSD-SA-01:32 ipfilter-access-ports(6331) /opt/JSparm/bin/perfmon program in Solaris allows local users to create arbitrary files as root via the Logging File option in the GUI. 20010323 [ Hackerslab bug_paper ] SunOS application perfmon vulnerability solaris-perfmon-create-files Directory traversal vulnerability in JavaServer Web Dev Kit (JSWDK) 1.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP request to the WEB-INF directory. 20010328 CHINANSL Security Advisory(CSA-200106) ip_conntrack_ftp in the IPTables firewall for Linux 2.4 allows remote attackers to bypass access restrictions for an FTP server via a PORT command that lists an arbitrary IP address and port number, which is added to the RELATED table and allowed by the firewall. 2602 20010416 Tempest Security Techonologies -- Adivsory #01/2001 -- Linux IPTables RHSA-2001:052 linux-netfilter-iptables(6390) RHSA-2001:084 MDKSA-2001:071 Samba before 2.2.0 allows local attackers to overwrite arbitrary files via a symlink attack using (1) a printer queue query, (2) the more command in smbclient, or (3) the mput command in smbclient. VU#670568 DSA-048 CSSA-2001-015.0 20010418 PROGENY-SA-2001-05: Samba /tmp vulnerabilities 20010418 TSLSA-#2001-0005 - samba 20010417 Samba 2.0.8 security fix 2617 MDKSA-2001:040 FreeBSD-SA-01:36 CLA-2001:395 Directory traversal vulnerability in MySQL before 3.23.36 allows local users to modify arbitrary files and gain privileges by creating a database whose name starts with .. (dot dot). 20010327 MySQL 3.23.36 is relased (fwd) 20010318 potential vulnerability of mysqld running with root privileges (can be used as good DoS or r00t expoloit) mysql-dot-directory-traversal(6617) 2522 vim (aka gvim) processes VIM control codes that are embedded in a file, which could allow attackers to execute arbitrary commands when another user opens a file containing malicious VIM control codes. 2510 RHSA-2001:008 CSSA-2001-014.0 vim-elevate-privileges(6259) SuSE-SA:2001:12 MDKSA-2001:035 20010329 Immunix OS Security update for vim vim (aka gvim) allows local users to modify files being edited by other users via a symlink attack on the backup and swap files, when the victim is editing the file in a world writable directory. CSSA-2001-014.0 vim-tmp-symlink(6628) SuSE-SA:2001:12 Buffer overflow in Trend Micro Virus Buster 2001 8.02 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long "From" header. 20010330 Virus Buster 2001(ver8.02) Buffer Overflow Reliant Unix 5.44 and earlier allows remote attackers to cause a denial of service via an ICMP port unreachable packet, which causes Reliant to drop all connections to the source address of the packet. 20010406 Reliant Unix 5.43 / 5.44 ICMP port unreachable problem Cisco Content Services (CSS) switch products 11800 and earlier, aka Arrowpoint, allows local users to gain privileges by entering debug mode. 20010404 Cisco Content Services Switch User Account Vulnerability cisco-css-elevate-privileges(6322) 2559 1784 BinTec X4000 Access router, and possibly other versions, allows remote attackers to cause a denial of service via a SYN port scan, which causes the router to hang. 20010406 X4000 DoS: Details and workaround 20010410 BinTec Router DoS: Workaround and Details 20010404 BinTec X4000 Access Router DoS Vulnerability bintec-x4000-nmap-dos(6323) 20010409 BINTEC X1200 Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument. 2540 MDKSA-2001:036 DSA-045 ntpd-remote-bo(6321) RHSA-2001:045 805 CSSA-2001-013 20010409 ntpd - new Debian 2.2 (potato) version is also vulnerable 20010409 PROGENY-SA-2001-02: ntpd remote buffer overflow 20010409 ntp-4.99k23.tar.gz is available 20010408 [slackware-security] buffer overflow fix for NTP 20010406 Immunix OS Security update for ntp and xntp3 20010405 Re: ntpd =< 4.0.99k remote buffer overflow] 20010404 ntpd =< 4.0.99k remote buffer overflow SuSE-SA:2001:10 CLA-2001:392 20010418 IBM MSS Outside Advisory Redistribution: IBM AIX: Buffer Overflow Vulnerability in (x)ntp 20010413 PROGENY-SA-2001-02A: [UPDATE] ntpd remote buffer overflow 20010409 [ESA-20010409-01] xntp buffer overflow SSE074 SSE073 NetBSD-SA2001-004 FreeBSD-SA-01:31 oval:org.mitre.oval:def:3831 REDIPlus program, REDI.exe, stores passwords and user names in cleartext in the StartLog.txt log file, which allows local users to gain access to other accounts. rediplus-weak-security 2495 20010320 Password stored in clear text vulnerability in real time stock trading program sgml-tools (aka sgmltools) before 1.0.9-15 creates temporary files with insecure permissions, which allows other users to read files that are being processed by sgml-tools. RHSA-2001:027 MDKSA-2001:030 20010316 Immunix OS Security update for sgml-tools CLA-2001:390 DSA-038 sgmltools-symlink 2683 2506 SuSE-SA:2001:16 Kerberos 4 (aka krb4) allows local users to overwrite arbitrary files via a symlink attack on new ticket files. 20010307 Security advisory: Unsafe temporary file handling in krb4 RHSA-2001:025 content.pl script in NCM Content Management System allows remote attackers to read arbitrary contents of the content database by inserting SQL characters into the id parameter. 2584 20010413 Exploitable NCM.at - Content Management System Buffer overflow in shared library ndwfn4.so for iPlanet Web Server (iWS) 4.1, when used as a web listener for Oracle application server 4.0.8.2, allows remote attackers to execute arbitrary commands via a long HTTP request that is passed to the application server, such as /jsp/. 2569 20010410 Oracle Application Server shared library buffer overflow Directory traversal vulnerability in talkback.cgi program allows remote attackers to read arbitrary files via a .. (dot dot) in the article parameter. 2547 20010409 talkback.cgi vulnerability may allow users to read any file FTP server in Solaris 8 and earlier allows local and remote attackers to cause a core dump in the root directory, possibly with world-readable permissions, by providing a valid username with an invalid password followed by a CWD ~ command, which could release sensitive information such as shadowed passwords, or fill the disk partition. 2601 20010417 Re: SUN SOLARIS 5.6/5.7 FTP Globbing Exploit ! Buffer overflow in Xsun in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable. 2561 20010410 Solaris Xsun buffer overflow vulnerability solaris-xsun-home-bo(6343) oval:org.mitre.oval:def:555 Buffer overflow in ipcs in Solaris 7 x86 allows local users to execute arbitrary code via a long TZ (timezone) environmental variable, a different vulnerability than CAN-2002-0093. 2581 20010412 Solaris ipcs vulnerability solaris-ipcs-bo(6369) BubbleMon 1.31 does not properly drop group privileges before executing programs, which allows local users to execute arbitrary commands with the kmem group id. 2609 20010415 BubbleMon 1.31 AdLibrary.pm in AdCycle 0.78b allows remote attackers to gain privileges to AdCycle via a malformed Agent: header in the HTTP request, which is inserted into a resulting SQL query that is used to verify login information. 20010219 Adcycle 0.78b Authentication 2393 Buffer overflow in dtsession on Solaris, and possibly other operating systems, allows local users to gain privileges via a long LANG environmental variable. 20010411 [LSD] Solaris kcsSUNWIOsolf.so and dtsession vulnerabilities Cisco VPN 3000 series concentrators before 2.5.2(F) allow remote attackers to cause a denial of service via a flood of invalid login requests to (1) the SSL service, or (2) the telnet service, which do not properly disconnect the user after several failed login attempts. 20010328 VPN3000 Concentrator TELNET Vulnerability cisco-vpn-telnet-dos(6298) 5643 Cisco VPN 3000 series concentrators before 2.5.2(F) allow remote attackers to cause a denial of service via an IP packet with an invalid IP option. 2573 20010412 VPN 3000 Concentrator IP Options Vulnerability cisco-vpn-ip-dos(6360) 1786 Cisco Catalyst 5000 series switches 6.1(2) and earlier will forward an 802.1x frame on a Spanning Tree Protocol (STP) blocked port, which causes a network storm and a denial of service. 2604 20010416 Catalyst 5000 Series 802.1x Vulnerability cisco-catalyst-8021x-dos(6379) L-072 Vulnerability in exuberant-ctags before 3.2.4-0.1 insecurely creates temporary files. DSA-046 exuberant-ctags-symlink(6388) 5642 Vulnerability in iPlanet Web Server Enterprise Edition 4.x. 20010417 iPlanet Web Server 4.x Product Alert http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.html Buffer overflows in various CGI programs in the remote administration service for Trend Micro Interscan VirusWall 3.01 allow remote attackers to execute arbitrary commands. 2579 20010413 Trend Micro Interscan VirusWall 3.01 vulnerability Buffer overflow in Savant 3.0 web server allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long Host HTTP header. 20010405 Savant 3.0 Denial Of Service The LogDataListToFile ActiveX function used in (1) Knowledge Center and (2) Back web components of Compaq Presario computers allows remote attackers to modify arbitrary files and cause a denial of service. SSRT0716 compaq-activex-dos(6355) The split key mechanism used by PGP 7.0 allows a key share holder to obtain access to the entire key by setting the "Cache passphrase while logged on" option and capturing the passphrases of other share holders as they authenticate. 20010410 [wsir-01/02-03] PGP 7.0 Split Key/Cached Passphrase Vulnerability dcboard.cgi in DCForum 2000 1.0 allows remote attackers to execute arbitrary commands by uploading a Perl program to the server and using a .. (dot dot) in the AZ parameter to reference the program. 2611 http://www.dcscripts.com/FAQ/sec_2001_03_31.html 20010416 qDefense Advisory: DCForum allows remote read/write/execute dcforum-az-expr(6392) 3862 upload_file.pl in DCForum 2000 1.0 allows remote attackers to upload arbitrary files without authentication by setting the az parameter to upload_file. 2611 http://www.dcscripts.com/FAQ/sec_2001_03_31.html 20010416 qDefense Advisory: DCForum allows remote read/write/execute dcforum-az-file-upload(6393) Preview version of Timbuktu for Mac OS X allows local users to modify System Preferences without logging in via the About Timbuktu menu. 20010418 Hole in Netopia's Mac OS X Timbuktu licq before 1.0.3 allows remote attackers to execute arbitrary commands via shell metacharacters in a URL. licq-url-execute-commands(6261) MDKSA-2001:032 CLA-2001:389 FreeBSD-SA-01:35 RHSA-2001:023 RHSA-2001:022 5641 Buffer overflow in logging functions of licq before 1.0.3 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands. MDKSA-2001:032 CLA-2001:389 FreeBSD-SA-01:35 licq-logging-bo(6645) RHSA-2001:023 RHSA-2001:022 5601 Buffer overflow in (1) wrapping and (2) unwrapping functions of slrn news reader before 0.9.7.0 allows remote attackers to execute arbitrary commands via a long message header. RHSA-2001:028 MDKSA-2001:028 DSA-040 FreeBSD-SA-01:37 slrn-wrapping-bo 2493 20010316 Immunix OS Security update for slrn CLA-2001:383 Buffer overflow in Mercury MTA POP3 server for NetWare 1.48 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long APOP command. 2641 20010421 Mercury for NetWare POP3 server vulnerable to remote buffer overflow mercury-mta-bo(6444) 20010424 Re: Mercury for NetWare POP3 server vulnerable to remote buffer overflow Buffer overflow in QPC QVT/Net Popd 4.20 in QVT/Net 5.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via (1) a long username, or (2) a long password. 20010413 QPC POPd Buffer Overflow Vulnerability Cisco CBOS 2.3.0.053 sends output of the "sh nat" (aka "show nat") command to the terminal of the next user who attempts to connect to the router via telnet, which could allow that user to obtain sensitive information. 2635 20010420 Bug in Cisco CBOS v2.3.0.053 cisco-cbos-gain-information(6453) 1796 IBM WCS (WebSphere Commerce Suite) 4.0.1 with Application Server 3.0.2 allows remote attackers to read source code for .jsp files by appending a / to the requested URL. 20010328 CHINANSL Security Advisory(CSA-200107) Web configuration server in 602Pro LAN SUITE allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP request containing "%2e" (dot dot) characters. 2514 20010326 602Pro Lansuite Denial Of Service 1.0.34 Web configuration server in 602Pro LAN SUITE allows remote attackers to cause a denial of service via an HTTP GET HTTP request to the aux directory, and possibly other directories with legacy DOS device names. 20010326 602Pro Lansuite Denial Of Service 1.0.34 Buffer overflow in WinZip 8.0 allows attackers to execute arbitrary commands via a long file name that is processed by the /zipandemail command line option. winzip-zipandemail-bo(6191) 20010302 def-2001-09: Winzip32 zipandemail Buffer Overflow Directory traversal vulnerability in Transsoft FTP Broker before 5.5 allows attackers to (1) delete arbitrary files via DELETE, or (2) list arbitrary directories via LIST, via a .. (dot dot) in the file name. broker-ftp-delete-files broker-ftp-list-directories http://www.ftp-broker.com/cgibin/Pageexe.exe?H=4143&P=0&C=0 20010303 Broker Ftp Server 5.0 Vulnerability INDEXU 2.0 beta and earlier allows remote attackers to bypass authentication and gain privileges by setting the cookie_admin_authenticated cookie value to 1. indexu-gain-access BRS WebWeaver FTP server before 0.64 Beta allows remote attackers to obtain the real pathname of the server via a "CD *" command followed by an ls command. 20010428 Vulnerabilities in BRS WebWeaver 2676 http://members.nbci.com/_XMCM/BSoutham/WebWeaver/WebWeaverHistory.html Directory traversal vulnerability in BRS WebWeaver HTTP server allows remote attackers to read arbitrary files via a .. (dot dot) attack in the (1) syshelp, (2) sysimages, or (3) scripts directories. 20010428 Vulnerabilities in BRS WebWeaver 2675 http://members.nbci.com/_XMCM/BSoutham/WebWeaver/WebWeaverHistory.html Directory traversal vulnerability in SlimServe HTTPd 1.1a allows remote attackers to read arbitrary files via a ... (modified dot dot) in the HTTP request. 20010303 SlimServe HTTPd ver. 1.1a Directory Traversal slimserve-httpd-directory-traversal Cisco Aironet 340 Series wireless bridge before 8.55 does not properly disable access to the web interface, which allows remote attackers to modify its configuration. cisco-aironet-web-access(6200) 20010307 Access to the Cisco Aironet 340 Series Wireless Bridge via Web Interface 5597 postinst installation script for Proftpd in Debian 2.2 does not properly change the "run as uid/gid root" configuration when the user enables anonymous access, which causes the server to run at a higher privilege than intended. proftpd-postinst-root(6208) DSA-032 man2html before 1.5-22 allows remote attackers to cause a denial of service (memory exhaustion). man2html-remote-dos(6211) DSA-035 5631 Multiple buffer overflows in ePerl before 2.2.14-0.7 allow local and remote attackers to execute arbitrary commands. linux-eperl-bo 2464 MDKSA-2001:027 DSA-034 SuSE-SA:2001:08 Buffer overflows in ascdc Afterstep while running setuid allows local users to gain root privileges via a long (1) -d option, (2) -m option, or (3) -f option. ascdc-afterstep-bo 20010308 ascdc Buffer Overflow Vulnerability Websweeper 4.0 does not limit the length of certain HTTP headers, which allows remote attackers to cause a denial of service (memory exhaustion) via an extremely large HTTP Referrer: header. 20010308 def-2001-10: Websweeper Infinite HTTP Request DoS websweeper-http-dos template.cgi in Free On-Line Dictionary of Computing (FOLDOC) allows remote attackers to read files and execute commands via shell metacharacters in the argument to template.cgi. foldoc-cgi-execute-commands 20010309 Cgisecurity.com advisory #4 The Free On-line Dictionary of Computing http://wombat.doc.ic.ac.uk/foldoc/index.html 5591 Directory traversal vulnerability in Perl web server 0.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. 2648 20010424 Advisory for perl webserver perl-webserver-directory-traversal(6451) Directory traversal vulnerability in cal_make.pl in PerlCal allows remote attackers to read arbitrary files via a .. (dot dot) in the p0 parameter. 2663 20010427 PerlCal (CGI) show files vulnerability perlcal-calmake-directory-traversal(6480) http://www.perlcal.com/calendar/docs/bugs.txt Buffer overflow in websync.exe in Cyberscheduler allows remote attackers to execute arbitrary commands via a long tzs (timezone) parameter. 2628 20010417 Cyberscheduler remote root compromise TurboTax saves passwords in a temporary file when a user imports investment tax information from a financial institution, which could allow local users to obtain sensitive information. 20010405 http://www.turbotax.com/atr/update/ turbotax-save-passwords(6622) Directory traversal vulnerability in ustorekeeper 1.61 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. 20010403 new advisory Directory traversal vulnerability in RobTex Viking Web server before 1.07-381 allows remote attackers to read arbitrary files via a \... (modified dot dot) in an HTTP URL request. 2643 20010423 Vulnerability in Viking Web Server http://www.robtex.com/files/viking/beta/chglog.txt viking-dot-directory-traversal(6450) Buffer overflow in FTPFS allows local users to gain root privileges via a long user name. ftpfs-bo 20010313 Buffer oveflow in FTPFS (linux kernel module) rwho daemon rwhod in FreeBSD 4.2 and earlier, and possibly other operating systems, allows remote attackers to cause a denial of service via malformed packets with a short length. rwhod-remote-dos(6229) 2473 FreeBSD-SA-01:29 Buffer overflow in SNMP proxy agent snmpd in Solaris 8 may allow local users to gain root privileges by calling snmpd with a long program name. snmpd-argv-bo 20010315 Re: Solaris 5.8 snmpd Vulnerability 20010313 Solaris 5.8 snmpd Vulnerability SSH daemon version 1 (aka SSHD-1 or SSH-1) 1.2.30 and earlier does not log repeated login attempts, which could allow remote attackers to compromise accounts without detection via a brute force attack. 2345 20010205 SSHD-1 Logging Vulnerability Hursley Software Laboratories Consumer Transaction Framework (HSLCTF) HTTP object allows remote attackers to cause a denial of service (crash) via an extremely long HTTP request. hslctf-http-dos 20010320 def-2001-12: Hursley Software Laboratories Consumer Transaction Framework DoS Format string vulnerability in Mutt before 1.2.5 allows a remote malicious IMAP server to execute arbitrary commands. mutt-imap-format-string(6235) RHSA-2001:029 MDKSA-2001-031 20010315 Immunix OS Security update for mutt 20010320 Trustix Security Advisory - mutt 5615 CLA-2001:385 Utah-glx in Mesa before 3.3-14 on Mandrake Linux 7.2 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/glxmemory file. mesa-utahglx-symlink(6231) MDKSA-2001:029 index.php in Jelsoft vBulletin does not properly initialize a PHP variable that is used to store template information, which allows remote attackers to execute arbitrary PHP code via special characters in the templatecache parameter. vbulletin-php-elevate-privileges(6237) http://www.vbulletin.com/forum/showthread.php?s=b20af207b5b908ecf7a4ecf56fbe3cd3&threadid=10839 20010315 vBulletin allows arbitrary code execution 2474 Multiple buffer overflows in s.cgi program in Aspseek search engine 1.03 and earlier allow remote attackers to execute arbitrary commands via (1) a long HTTP query string, or (2) a long tmpl parameter. aspseek-scgi-bo http://www.aspseek.org/changes.html 2492 20010318 Aspseek Buffer Overflow Vulnerability in WebCalendar 0.9.26 allows remote command execution. 20010423 (SRPRE00004) WebCalendar 0.9.26 2639 Directory traversal vulnerability in phpMyAdmin 2.2.0 and earlier versions allows remote attackers to execute arbitrary code via a .. (dot dot) in an argument to the sql.php script. 2642 20010423 (SRPRE00001) phpMyAdmin 2.1.0 and phpPgAdmin 2.2.1 Directory traversal vulnerability in phpPgAdmin 2.2.1 and earlier versions allows remote attackers to execute arbitrary code via a .. (dot dot) in an argument to the sql.php script. 2640 20010423 (SRPRE00001) phpMyAdmin 2.1.0 and phpPgAdmin 2.2.1 http://www.greatbridge.org/project/phppgadmin/cvs/checkout.php/phpPgAdmin/ChangeLog?r=1.13 Directory traversal vulnerability in Alex's FTP Server 0.7 allows remote attackers to read arbitrary files via a ... (modified dot dot) in the (1) GET or (2) CD commands. 20010428 Vulnerabilities in Alex's FTP Server 2668 Vulnerability in rpmdrake in Mandrake Linux 8.0 related to insecure temporary file handling. MDKSA-2001:043 linux-rpmdrake-temp-file(6494) 5612 Configuration error in Argus PitBull LX allows root users to bypass specified access control restrictions and cause a denial of service or execute arbitrary commands by modifying kernel variables such as MaxFiles, MaxInodes, and ModProbePath in /proc/sys via calls to sysctl. 20010330 Serious Pitbull LX Vulnerability pitbull-lx-modify-kernel(6623) Configuration error in Axent Raptor Firewall 6.5 allows remote attackers to use the firewall as a proxy to access internal web resources when the http.noproxy Rule is not set. 2517 20010327 RE: Raptor 6.5 http vulnerability 20010324 Raptor 6.5 http vulnerability Tektronix PhaserLink 850 does not require authentication for access to configuration pages such as _ncl_subjects.shtml and _ncl_items.shtml, which allows remote attackers to modify configuration information and cause a denial of service by accessing the pages. tektronix-phaserlink-webserver-backdoor(6482) 20010425 Tektronix (Xerox) PhaserLink 850 Webserver Vulnerability (NEW) Unknown vulnerability in netprint in IRIX 6.2, and possibly other versions, allows local users with lp privileges attacker to execute arbitrary commands via the -n option. 2656 irix-netprint-shared-library(6473) 20010426 IRIX /usr/lib/print/netprint local root symbols exploit. 8571 20010427 Re: IRIX /usr/lib/print/netprint local root symbols exploit. 20010701-01-P Remote attackers can cause a denial of service in Novell BorderManager 3.6 and earlier by sending TCP SYN flood to port 353. 2623 http://support.novell.com/cgi-bin/search/searchtid.cgi?/2959062.htm 20010420 Novell BorderManager 3.5 VPN Denial of Service 20010501 Re: Proof of concept DoS against novell border manager enterprise edition 3.5 20010402 (no subject) bordermanager-vpn-syn-dos(6429) 20010429 Proof of concept DoS against novell border manager enterprise AIX SNMP server snmpd allows remote attackers to cause a denial of service via a RST during the TCP connection. 5611 aix-snmpd-rst-dos(6996) IY17630 pcltotiff in HP-UX 10.x has unnecessary set group id permissions, which allows local users to cause a denial of service. 2646 hp-pcltotiff-insecure-permissions(6447) HPSBUX0104-149 2188 Format string vulnerability in gftp prior to 2.0.8 allows remote malicious FTP servers to execute arbitrary commands. RHSA-2001:053 gftp-format-string(6478) 2657 1805 DSA-057 20010417 gftp exploitable? Buffer overflow in WINAMP 2.6x and 2.7x allows attackers to execute arbitrary code via a long string in an AIP file. 20010429 Winamp 2.6x / 2.7x buffer overflow Directory traversal vulnerability in RaidenFTPD Server 2.1 before build 952 allows attackers to access files outside the ftp root via dot dot attacks, such as (1) .... in CWD, (2) .. in NLST, or (3) ... in NLST. 20010425 Vulnerabilities in RaidenFTPD Server raidenftpd-dot-directory-traversal(6455) Netcruiser Web server version 0.1.2.8 and earlier allows remote attackers to determine the physical path of the server via a URL containing (1) con, (2) com2, or (3) com3. netcruiser-server-path-disclosure(6468) 2650 20010424 Advisory for Netcruiser Small HTTP server 2.03 allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name such as aux. 2649 http://home.lanck.net/mf/srv/index.htm 20010424 Advisory for Small HTTP Server small-http-aux-dos(6446) Buffer overflow in IPSwitch IMail SMTP server 6.06 and possibly prior versions allows remote attackers to execute arbitrary code via a long From: header. 20010424 IPSwitch IMail 6.06 SMTP Remote System Access Vulnerability http://ipswitch.com/Support/IMail/news.html ipswitch-imail-smtp-bo(6445) 5610 Directory traversal in DataWizard WebXQ server 1.204 allows remote attackers to view files outside of the web root via a .. (dot dot) attack. 2660 20010426 Vulnerability in WebXQ Server webxq-dot-directory-traversal(6466) 1799 kdesu in kdelibs package creates world readable temporary files containing authentication info, which can allow local users to gain privileges. RHSA-2001:059 MDKSA-2001:046 kdelibs-kdesu-insecure-tmpfile(6856) dnskeygen in BIND 8.2.4 and earlier, and dnssec-keygen in BIND 9.1.2 and earlier, set insecure permissions for a HMAC-MD5 shared secret key file used for DNS Transactional Signatures (TSIG), which allows attackers to obtain the keys and perform dynamic DNS updates. 20010611 BIND Inadvertent Local Exposure of HMAC-MD5 (TSIG) Keys bind-local-key-exposure(6694) 5609 Transparent Network Substrate (TNS) over Net8 (SQLNet) in Oracle 8i 8.1.7 and earlier allows remote attackers to cause a denial of service via a malformed SQLNet connection request with a large offset in the header extension. 20010627 Oracle 8i SQLNet Header Vulnerability Buffer overflow in Transparent Network Substrate (TNS) Listener in Oracle 8i 8.1.7 and earlier allows remote attackers to gain privileges via a long argument to the commands (1) STATUS, (2) PING, (3) SERVICES, (4) TRC_FILE, (5) SAVE_CONFIG, or (6) RELOAD. VU#620495 CA-2001-16 oracle-tns-listener-bo(6758) 2941 20010627 Vulnerability in Oracle 8i TNS Listener Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red. CA-2001-13 MS01-033 2880 20010618 All versions of Microsoft Internet Information Services, Remote buffer overflow (SYSTEM Level Access) iis-isapi-idq-bo(6705) L-098 oval:org.mitre.oval:def:197 Microsoft Word 2002 and earlier allows attackers to automatically execute macros without warning the user by embedding the macros in a manner that escapes detection by the security scanner. 2876 MS01-034 20010622 Fwd: Microsoft Word macro vulnerability advisory MS01-034 msword-macro-bypass-security(6732) Running Windows 2000 LDAP Server over SSL, a function does not properly check the permissions of a user request when the directory principal is a domain user and the data attribute is the domain password, which allows local users to modify the login password of other users. MS01-036 win2k-ldap-change-passwords(6745) 2929 L-101 Microsoft NetMeeting 3.01 with Remote Desktop Sharing enabled allows remote attackers to cause a denial of service via a malformed string to the NetMeeting service port, aka a variant of the "NetMeeting Desktop Sharing" vulnerability. MS00-077 5608 netmeeting-desktop-sharing-dos(5368) Vulnerability in authentication process for SMTP service in Microsoft Windows 2000 allows remote attackers to use incorrect credentials to gain privileges and conduct activites such as mail relaying. VU#435963 MS01-037 win2k-smtp-mail-relay(6803) 2988 L-107 Multiple memory leaks in Microsoft Services for Unix 2.0 allow remote attackers to cause a denial of service (memory exhaustion) via a large number of malformed requests to (1) the Telnet service, or (2) the NFS service. VU#994851 VU#581603 MS01-039 sfu-telnet-dos(6883) sfu-nfs-dos(6882) 3089 Buffer overflow in ssinc.dll in IIS 5.0 and 4.0 allows local users to gain system privileges via a Server-Side Includes (SSI) directive for a long filename, which triggers the overflow when the directory name is added, aka the "SSI privilege elevation" vulnerability. 3190 MS01-044 iis-ssi-directive-bo(6984) L-132 20011127 IIS Server Side Include Buffer overflow exploit code 20010817 NSFOCUS SA2001-06 : Microsoft IIS ssinc.dll Buffer Overflow Vulnerability IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability. MS01-044 iis-relative-path-privilege-elevation(6985) 5607 L-132 20010816 ENTERCEPT SECURITY ALERT: Privilege Escalation Vulnerability in Microsoft IIS oval:org.mitre.oval:def:912 oval:org.mitre.oval:def:909 Vulnerability in IIS 5.0 allows remote attackers to cause a denial of service (restart) via a long, invalid WebDAV request. MS01-044 2690 5633 5606 iis-webdav-long-request-dos(6982) 20010506 IIS 5.0 PROPFIND DOS #2 Vulnerabilities in RPC servers in (1) Microsoft Exchange Server 2000 and earlier, (2) Microsoft SQL Server 2000 and earlier, (3) Windows NT 4.0, and (4) Windows 2000 allow remote attackers to cause a denial of service via malformed inputs. MS01-041 oval:org.mitre.oval:def:82 Oracle listener process on Windows NT redirects connection requests to another port and creates a separate thread to process the request, which allows remote attackers to cause a denial of service by repeatedly connecting to the Oracle listener but not connecting to the redirected port. VU#105259 20010619 Oracle Redirect Denial of Service oracle-listener-redirect-dos(6717) 5600 SNMP service in Atmel 802.11b VNET-B Access Point 1.3 and earlier, as used in Netgear ME102 and Linksys WAP11, accepts arbitrary community strings with requested MIB modifications, which allows remote attackers to obtain sensitive information such as WEP keys, cause a denial of service, or gain access to the network. 20010620 Multiple Vendor 802.11b Access Point SNMP authentication flaw atmel-vnetb-ap-snmp-security(6576) 2896 Oracle Listener in Oracle 7.3 and 8i allows remote attackers to cause a denial of service via a malformed connection packet with a large offset_to_data value. 20010515 Multiple Oracle Listener Denial of Service Vulnerabilities http://otn.oracle.com/deploy/security/pdf/net8_dos_alert.pdf Oracle listener between Oracle 9i and Oracle 8.0 allows remote attackers to cause a denial of service via a malformed connection packet that contains an incorrect requester_version value that does not match an expected offset to the data. 20010515 Multiple Oracle Listener Denial of Service Vulnerabilities http://otn.oracle.com/deploy/security/pdf/net8_dos_alert.pdf Oracle listener in Oracle 8i on Solaris allows remote attackers to cause a denial of service via a malformed connection packet with a maximum transport data size that is set to 0. oracle-listener-data-transport-dos(6715) 20010515 Multiple Oracle Listener Denial of Service Vulnerabilities http://otn.oracle.com/deploy/security/pdf/net8_dos_alert.pdf 5590 Oracle listener before Oracle 9i allows attackers to cause a denial of service by repeatedly sending the first portion of a fragmented Oracle command without sending the remainder of the command, which causes the listener to hang. oracle-listener-fragmentation-dos(6716) 20010515 Multiple Oracle Listener Denial of Service Vulnerabilities http://otn.oracle.com/deploy/security/alerts.htm Aladdin eSafe Gateway versions 2.x allows a remote attacker to circumvent HTML SCRIPT filtering via a special arrangement of HTML tags which includes SCRIPT tags embedded within other SCRIPT tags. 20010529 Aladdin eSafe Gateway Filter Bypass - Updated Advisory esafe-gateway-bypass-filtering(6580) Aladdin eSafe Gateway versions 3.0 and earlier allows a remote attacker to circumvent filtering of SCRIPT tags by embedding the scripts within certain HTML tags including (1) onload in the BODY tag, (2) href in the A tag, (3) the BUTTON tag, (4) the INPUT tag, or (5) any other tag in which scripts can be defined. esafe-gateway-bypass-filtering(6580) 20010529 Aladdin eSafe Gateway Script-filtering Bypass through HTML tags Aladdin eSafe Gateway versions 3.0 and earlier allows a remote attacker to circumvent HTML SCRIPT filtering via the UNICODE encoding of SCRIPT tags within the HTML document. esafe-gateway-bypass-filtering(6580) 20010529 Aladdin eSafe Gateway Script-filtering Bypass through Unicode Vulnerability Format string vulnerability in Gnu Privacy Guard (aka GnuPG or gpg) 1.05 and earlier can allow an attacker to gain privileges via format strings in the original filename that is stored in an encrypted file. VU#403051 MDKSA-2001:053 http://www.gnupg.org/whatsnew.html#rn20010529 gnupg-tty-format-string(6642) TLSA2001028 2797 RHSA-2001:073 1845 SuSE-SA:2001:020 DSA-061 CSSA-2001-020.0 20010601 The GnuPG format string bug (was: TSLSA-2001-0009 - GnuPG) IMNX-2001-70-023-01 CLA-2001:399 eEye SecureIIS versions 1.0.3 and earlier allows a remote attacker to bypass filtering of requests made to SecureIIS by escaping HTML characters within the request, which could allow a remote attacker to use restricted variables and perform directory traversal attacks on vulnerable programs that would otherwise be protected. eeye-secureiis-directory-traversal(6564) eeye-secureiis-bypass-detection(6563) 20010519 RE: ASLabs-2001-01: Multiple Security Problems in eEye SecureIIS 20010518 ASLabs-2001-01: Multiple Security Problems in eEye SecureIIS eEye SecureIIS versions 1.0.3 and earlier does not perform length checking on individual HTTP headers, which allows a remote attacker to send arbitrary length strings to IIS, contrary to an advertised feature of SecureIIS versions 1.0.3 and earlier. eeye-secureiis-http-header-bo(6574) 20010519 RE: ASLabs-2001-01: Multiple Security Problems in eEye SecureIIS 20010518 ASLabs-2001-01: Multiple Security Problems in eEye SecureIIS Buffer overflow in dsh in dqs 3.2.7 in SuSE Linux 7.0 and earlier, and possibly other operating systems, allows local users to gain privileges via a long first command line argument. dqs-dsh-bo(6577) 20010519 Re: dqs 3.2.7 local root exploit. 20010519 dqs 3.2.7 local root exploit. 2749 Buffer overflow in the Xview library as used by mailtool in Solaris 8 and earlier allows a local attacker to gain privileges via the OPENWINHOME environment variable. solaris-mailtool-openwinhome-bo(6626) 20010528 [synnergy] - Solaris mailtool(1) buffer overflow vulnerability DCScripts DCForum versions 2000 and earlier allow a remote attacker to gain additional privileges by inserting pipe symbols (|) and newlines into the last name in the registration form, which will create an extra entry in the registration database. dcforum-cgi-admin-access(6538) http://www.dcscripts.com/dcforum/dcfNews/167.html 20010515 DCForum Password File Manipukation Vulnerability (qDefense Advisory Number QDAV-5-2000-2) 2728 480 Oracle E-Business Suite Release 11i Applications Desktop Integrator (ADI) version 7.x includes a debug version of FNDPUB11I.DLL, which logs the APPS schema password in cleartext in a debug file, which allows local users to obtain the password and gain privileges. oracle-adi-plaintext-passwords(6501) 2694 20010522 Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator 20010507 Oracle's ADI 7.1.1.10.1 Major security hole OpenSSH version 2.9 and earlier, with X forwarding enabled, allows a local attacker to delete any file named 'cookies' via a symlink attack. VU#655259 2825 NetBSD-SA2001-010 CSSA-2001-023.0 20010604 Re: SSH allows deletion of other users files... 20010604 SSH allows deletion of other users files... openssh-symlink-file-deletion(6676) 1853 20010612 20010605 OpenSSH_2.5.2p2 RH7.0 <- version info IMNX-2001-70-034-01 CLA-2001:431 Spearhead NetGAP 200 and 300 before build 78 allow a remote attacker to bypass file blocking and content inspection via specially encoded URLs which include '%' characters. netgap-unicode-bypass-filter(6625) 2798 20010607 SpearHead Security NetGAP 20010528 Vulnerability discovered in SpearHead NetGap Buffer overflow in libi18n library in IBM AIX 5.1 and 4.3.x allows local users to gain root privileges via a long LANG environmental variable. MSS-OAR-E01-2001:271.1 aix-libi18n-lang-bo(6863) 5585 L-123 Multiple buffer overflows in RADIUS daemon radiusd in (1) Merit 3.6b and (2) Lucent 2.1-2 RADIUS allow remote attackers to cause a denial of service or execute arbitrary commands. VU#898931 20010705 Remote Buffer Overflow in Multiple RADIUS Implementations 2989 Example applications (Exampleapps) in ColdFusion Server 4.x do not properly restrict prevent access from outside the local host's domain, which allows remote attackers to conduct upload, read, or execute files by spoofing the "HTTP Host" (CGI.Host) variable in (1) the "Web Publish" example script, and (2) the "Email" example script. 20010807 Remote Vulnerabilities in Macromedia ColdFusion Example Applications MPSB01-08 HTTP server for Cisco IOS 11.3 to 12.2 allows attackers to bypass authentication and execute arbitrary commands, when local authorization is being used, by specifying a high access level in the URL. CA-2001-14 2936 20010627 IOS HTTP authorization vulnerability cisco-ios-admin-access(6749) 20010702 Cisco device HTTP exploit... 20010629 Re: Cisco Security Advisory: IOS HTTP authorization vulnerability 20010702 ios-http-auth.sh 20010702 Cisco IOS HTTP Configuration Exploit 578 L-106 Microsoft Outlook View ActiveX Control in Microsoft Outlook 2002 and earlier allows remote attackers to execute arbitrary commands via a malicious HTML e-mail message or web page. VU#131569 MS01-038 20010712 MS Office XP - the more money I give to Microsoft, the more vulnerable my Windows computers are outlook-activex-view-control(6831) 3025 20010712 Vulnerability in IE/Outlook ActiveX control L-113 Memory leak in Terminal servers in Windows NT and Windows 2000 allows remote attackers to cause a denial of service (memory exhaustion) via a large number of malformed Remote Desktop Protocol (RDP) requests to port 3389. MS01-040 win-terminal-rdp-dos(6912) 3099 Buffer overflow in Microsoft Windows Media Player 7.1 and earlier allows remote attackers to execute arbitrary commands via a malformed Windows Media Station (.NSC) file. MS01-042 20010527 Microsoft Windows Media Player Buffer Overflow Vulnerability mediaplayer-nsc-bo(6907) 3105 Buffer overflows in Microsoft SQL Server 7.0 and 2000 allow attackers with access to SQL Server to execute arbitrary code through the functions (1) raiserror, (2) formatmessage, or (3) xp_sprintf. NOTE: the C runtime format string vulnerability reported in MS01-060 is identified by CVE-2001-0879. VU#700575 mssql-text-message-bo(7724) 3733 MS01-060 A122001-1 20011221 @stake advisory: Multiple overflow and format string vulnerabilities in in Microsoft SQL Server oval:org.mitre.oval:def:83 Memory leak in NNTP service in Windows NT 4.0 and Windows 2000 allows remote attackers to cause a denial of service (memory exhaustion) via a large number of malformed posts. MS01-043 win-nntp-dos(6977) 3183 oval:org.mitre.oval:def:334 IIS 5.0 allows local users to cause a denial of service (hang) via by installing content that produces a certain invalid MIME Content-Type header, which corrupts the File Type table. MS01-044 iis-invalid-mime-header-dos(6983) 3195 L-132 IIS 4.0 with URL redirection enabled allows remote attackers to cause a denial of service (crash) via a malformed request that specifies a length that is different than the actual length. MS01-044 iis-url-redirection-dos(6981) 5736 L-132 Memory leak in H.323 Gatekeeper Service in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to cause a denial of service (resource exhaustion) via a large amount of malformed H.323 data. MS01-045 isa-h323-gatekeeper-dos(6989) 3196 Memory leak in the proxy service in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows local attackers to cause a denial of service (resource exhaustion). MS01-045 isa-proxy-memory-leak-dos(6990) 3197 Buffer overflow in dtmail in Solaris 2.6 and 7 allows local users to gain privileges via the MAIL environment variable. 20010724 NSFOCUS SA2001-04 : Solaris dtmail Buffer Overflow Vulnerability solaris-dtmail-bo(6879) 3081 Symantec LiveUpdate 1.5 stores proxy passwords in cleartext in a registry key, which could allow local users to obtain the passwords. VU#814187 http://www.sarc.com/avcenter/security/Content/2001_07_20.html liveupdate-obtain-proxy-password(7013) wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands via a "~{" argument to commands such as CWD, which is not properly handled by the glob function (ftpglob). VU#886083 CA-2001-33 3581 RHSA-2001:157 CSSA-2001-041.0 wuftp-glob-heap-corruption(7611) HPSBUX0107-162 20010430 some ftpd implementations mishandle CWD ~{ SuSE-SA:2001:043 MDKSA-2001:090 DSA-087 20011128 CORE-20011001: Wu-FTP glob heap corruption vulnerability IMNX-2001-70-036-01 CLA-2001:442 Buffer overflow in CDE Print Viewer (dtprintinfo) allows local users to execute arbitrary code by copying text from the clipboard into the Help window. VU#860296 HPSBUX0105-151 oval:org.mitre.oval:def:5958 ovactiond in HP OpenView Network Node Manager (NNM) 6.1 and Tivoli Netview 5.x and 6.x allows remote attackers to execute arbitrary commands via shell metacharacters in a certain SNMP trap message. VU#952171 CA-2001-24 2845 20010608 HP Openview NNM6.1 ovactiond bin exploit SSH Secure Shell 3.0.0 on Unix systems does not properly perform password authentication to the sshd2 daemon, which allows local users to gain access to accounts with short password fields, such as locked accounts that use "NP" in the password field. VU#737451 20010720 URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 http://www.ssh.com/products/ssh/exploit.cfm ssh-password-length-unauth-access(6868) 3078 586 L-121 Buffer overflow in BSD-based telnetd telnet daemon on various operating systems allows remote attackers to execute arbitrary commands via a set of options including AYT (Are You There), which is not properly handled by the telrcv function. CA-2001-21 3064 FreeBSD-SA-01:49 telnetd-option-telrcv-bo(6875) 20010718 multiple vendor telnet daemon vulnerability RHSA-2001:100 RHSA-2001:099 809 SuSE-SA:2001:029 MDKSA-2001:068 DSA-075 DSA-070 20020129 Cisco CatOS Telnet Buffer Vulnerability L-131 CSSA-2001-030.0 20010810 ADV/EXP: netkit <=0.17 in.telnetd remote buffer overflow 20010725 SCO - Telnetd AYT overflow ? 20010725 Telnetd AYT overflow scanner MSS-OAR-E01-2001:298 SSRT0745U CLA-2001:413 HPSBUX0110-172 CSSA-2001-SCO.10 20010801-01-P NetBSD-SA2001-012 ScreamingMedia SITEWare versions 2.5 through 3.1 allows a remote attacker to read world-readable files via a .. (dot dot) attack through (1) the SITEWare Editor's Desktop or (2) the template parameter in SWEditServlet. VU#795707 http://www01.screamingmedia.com/en/security/sms1001.php siteware-dot-file-retrieval(6689) 2869 13887 20010613 ScreamingMedia SITEWare source code disclosure vulnerability 20010613 ScreamingMedia SITEWare arbitrary file retrieval vulnerability The Nirvana Editor (NEdit) 5.1.1 and earlier allows a local attacker to overwrite other users' files via a symlink attack on (1) backup files or (2) temporary files used when nedit prints a file or portions of a file. 2667 RHSA-2001:061 MDKSA-2001:042 DSA-053 20010428 More nedit problems ? (was Re: PROGENY-SA-2001-10...) SuSE-SA:2001:14 http://www.nedit.org/archives/develop/2001-Feb/0391.html T. Hauck Jana Webserver 1.46 and earlier allows a remote attacker to view arbitrary files via a '..' (dot dot) attack which is URL encoded (%2e%2e). VU#132099 jana-server-directory-traversal(6513) 2703 20010507 Advisory for Jana server T. Hauck Jana Webserver 2.01 beta 1 and earlier allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name (i.e. GET /aux HTTP/1.0). jana-server-device-dos(6521) 20010507 Advisory for Jana server 2704 1817 crontab in Vixie cron 3.0.1 and earlier does not properly drop privileges after the failed parsing of a modification operation, which could allow a local attacker to gain additional privileges when an editor is called to correct the error. 2687 20010507 Vixie cron vulnerability MDKSA-2001:050 DSA-054 vixie-cron-gain-privileges(6508) SuSE-SA:2001:17 Buffer overflow in Vixie cron 3.0.1-56 and earlier could allow a local attacker to gain additional privileges via a long username (> 20 characters). vixie-crontab-bo(6098) RHSA-2001:014 MDKSA-2001:022 20010220 Immunix OS Security update for vixie-cron 20010210 vixie cron possible local root compromise 5583 IY17261 IY17048 Directory traversal vulnerability in Drummond Miles A1Stats prior to 1.6 allows a remote attacker to read arbitrary files via a '..' (dot dot) attack in (1) a1disp2.cgi, (2) a1disp3.cgi, or (3) a1disp4.cgi. VU#471691 a1stats-dot-directory-traversal(6503) 20010507 Advisory for A1Stats 2705 a1disp.cgi program in Drummond Miles A1Stats prior to 1.6 allows a remote attacker to execute commands via a specially crafted URL which includes shell metacharacters. a1stats-a1admin-dos(6505) 20010507 Advisory for A1Stats 2705 ElectroSystems Engineering Inc. ElectroComm 2.0 and earlier allows a remote attacker to create a denial of service via large (> 160000 character) strings sent to port 23. electrocomm-telnet-dos(6514) 2706 20010507 Advisory for Electrocomm 2.0 APC Web/SNMP Management Card prior to Firmware 310 only supports one telnet connection, which allows a remote attacker to create a denial of service via repeated failed logon attempts which temporarily locks the card. 20010225 APC web/snmp/telnet management card dos apc-telnet-dos(6199) 2430 ftp://ftp.apcftp.com/hardware/webcard/firmware/sy/v310/install.txt Buffer overflow in mailx in Solaris 8 and earlier allows a local attacker to gain additional privileges via a long '-F' command line option. VU#446864 20010502 Solaris mailx Vulnerability solaris-mailx-f-bo(8246) 2610 20010511 Solaris /usr/bin/mailx exploit (SPARC) Cisco Catalyst 2900XL switch allows a remote attacker to create a denial of service via an empty UDP packet sent to port 161 (SNMP) when SNMP is disabled. cisco-catalyst-udp-dos(6515) 20010503 Cisco Catalyst 2900XL crashes with empty UDP packet when SNMP is disabled. Digital Creations Zope 2.3.2 and earlier allows a local attacker to gain additional privileges via the changing of ZClass permission mappings for objects and methods in the ZClass. RHSA-2001:065 http://www.zope.org/Products/Zope/Hotfix_2001-05-01/security_alert MDKSA-2001:049 DSA-055 zope-zclass-gain-privileges(6958) CLA-2001:407 Digital Creations Zope 2.3.1 b1 and earlier allows a local attacker (Zope user) with through-the-web scripting capabilities to alter ZClasses class attributes. http://www.zope.org/Products/Zope/Products/Zope/Products/Zope/Hotfix_2001-02-23 RHSA-2001:021 MDKSA-2001:025 DSA-043 CLA-2001:382 Digital Creations Zope 2.3.1 b1 and earlier contains a problem in the method return values related to the classes (1) ObjectManager, (2) PropertyManager, and (3) PropertySheet. http://www.zope.org/Products/Zope/Products/Zope/Products/Zope/Hotfix_2001-02-23 RHSA-2001:021 MDKSA-2001:025 DSA-043 CLA-2001:382 minicom 1.83.1 and earlier allows a local attacker to gain additional privileges via numerous format string attacks. minicom-xmodem-format-string(6498) RHSA-2001:067 CSSA-2001-016.0 20010517 Immunix OS Security update for minicom 20010503 minicom exploit Directory traversal vulnerability in the web server for (1) Elron Internet Manager (IM) Message Inspector and (2) Anti-Virus before 3.0.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the requested URL. 2520 2519 20010326 http://archives.neohapsis.com/archives/bugtraq/2001-03/0345.html 20010323 Elron IM Products Vulnerability 20010406 http://archives.neohapsis.com/archives/bugtraq/2001-03/0345.html The SSH protocols 1 and 2 (aka SSH-2) as implemented in OpenSSH and other packages have various weaknesses which can allow a remote attacker to obtain the following information via sniffing: (1) password lengths or ranges of lengths, which simplifies brute force password guessing, (2) whether RSA or DSA authentication is being used, (3) the number of authorized_keys in RSA authentication, or (4) the lengths of shell commands. VU#596827 RHSA-2001:033 MDKSA-2001:033 20010318 Passive Analysis of SSH (Secure Shell) Traffic CLA-2001:391 lsfs in AIX 4.x allows a local user to gain additional privileges by creating Trojan horse programs named (1) grep or (2) lslv in a certain directory that is under the user's control, which cause lsfs to access the programs in that directory. VU#123651 IY16909 aix-lsfs-path(7007) 5582 Directory traversal vulnerability in MP3Mystic prior to 1.04b3 allows a remote attacker to download arbitrary files via a '..' (dot dot) in the URL. mp3mystic-dot-directory-traversal(6504) 2699 http://mp3mystic.com/mp3mystic/news.phtml 20010507 Advisory for MP3Mystic 1815 Buffer overflow in lpshut in SCO OpenServer 5.0.6 can allow a local attacker to gain additional privileges via a long first argument to lpshut. sco-openserver-lpshut-bo(6290) 20010327 SCO 5.0.6 issues (lpshut) 20010412 SSE072B: SCO OpenServer revision of buffer overflow fixes lpusers as included with SCO OpenServer 5.0 through 5.0.6 allows a local attacker to gain additional privileges via a buffer overflow attack in the '-u' command line parameter. sco-openserver-lpusers-bo(6292) 20010327 SCO 5.0.6 issues (lpusers) 20010412 SSE072B: SCO OpenServer revision of buffer overflow fixes recon in SCO OpenServer 5.0 through 5.0.6 can allow a local attacker to gain additional privileges via a buffer overflow attack in the first command line argument. sco-openserver-recon-bo(6289) 20010327 SCO 5.0.6 issues (recon) 20010412 SSE072B: SCO OpenServer revision of buffer overflow fixes Buffer overflow in lpforms in SCO OpenServer 5.0-5.0.6 can allow a local attacker to gain additional privileges via a long first argument to the lpforms command. sco-openserver-lpforms-bo(6293) 20010327 SCO 5.0.6 issues (lpforms) 20010412 SSE072B: SCO OpenServer revision of buffer overflow fixes lpadmin in SCO OpenServer 5.0.6 can allow a local attacker to gain additional privileges via a buffer overflow attack in the first argument to the command. sco-openserver-lpadmin-bo(6291) 20010327 SCO 5.0.6 issues (lpadmin) 20010412 SSE072B: SCO OpenServer revision of buffer overflow fixes Hughes Technologies Virtual DNS (VDNS) Server 1.0 allows a remote attacker to create a denial of service by connecting to port 6070, sending some data, and closing the connection. 200105007 Advisory for Vdns Spytech Spynet Chat Server 6.5 allows a remote attacker to create a denial of service (crash) via a large number of connections to port 6387. 2701 spynet-connection-dos(6509) 20010507 Advisory for Spynet Chat Ben Spink CrushFTP FTP Server 2.1.6 and earlier allows a local attacker to access arbitrary files via a '..' (dot dot) attack, or variations, in (1) GET, (2) CD, (3) NLST, (4) SIZE, (5) RETR. VU#110803 crushftp-directory-traversal(6495) 20010503 Vulnerabilities in CrushFTP Server Alt-N Technologies MDaemon 3.5.4 allows a remote attacker to create a denial of service via the URL request of a MS-DOS device (such as GET /aux) to (1) the Worldclient service at port 3000, or (2) the Webconfig service at port 3001. mdaemon-webservices-dos(6240) 20010315 def-2001-11: MDaemon 3.5.4 Dos-Device DoS http://ftp1.deerfield.com/pub/mdaemon/Archive/3.5.6/ IMAP server in Alt-N Technologies MDaemon 3.5.6 allows a local user to cause a denial of service (hang) via long (1) SELECT or (2) EXAMINE commands. 20010325 MDaemon IMAP Denial Of Service mdaemon-imap-command-dos(6279) 2508 Gordano NTMail 6.0.3c allows a remote attacker to create a denial of service via a long (>= 255 characters) URL request to port 8000 or port 9000. ntmail-long-url-dos(6249) 2494 20010320 def-2001-13: NTMail Web Services DoS TrendMicro ScanMail for Exchange 3.5 Evaluation allows a local attacker to recover the administrative credentials for ScanMail via a combination of unprotected registry keys and weakly encrypted passwords. 20010330 STAT Security Advisory: Trend Micro's ScanMail for Exchange store s passwords in registry unprotected scanmail-reveals-credentials(6311) 5581 deliver program in MMDF 2.43.3b in SCO OpenServer 5.0.6 can allow a local attacker to gain additional privileges via a buffer overflow in the first argument to the command. sco-openserver-deliver-bo(6302) 20010327 SCO 5.0.6 MMDF issues (deliver) 2583 20010412 SSE072B: SCO OpenServer revision of buffer overflow fixes sendmail 8.9.3, as included with the MMDF 2.43.3b package in SCO OpenServer 5.0.6, can allow a local attacker to gain additional privileges via a buffer overflow in the first argument to the command. 20010327 SCO 5.0.6 MMDF issues (sendmail 8.9.3) 20010412 SSE072B: SCO OpenServer revision of buffer overflow fixes NetScreen ScreenOS prior to 2.5r6 on the NetScreen-10 and Netscreen-100 can allow a local attacker to bypass the DMZ 'denial' policy via specific traffic patterns. 2523 20010326 Netscreen: DMZ Network Receives Some "Denied" Traffic netscreen-screenos-bypass-firewall(6317) 1780 Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0). 20010403 Re: Tomcat may reveal script source code by URL trickery jakarta-tomcat-jsp-source(6971) HPSBTL0112-004 5580 Directory traversal vulnerability in Oracle JSP 1.0.x through 1.1.1 and Oracle 8.1.7 iAS Release 1.0.2 can allow a remote attacker to read or execute arbitrary .jsp files via a '..' (dot dot) attack. 2286 20010212 Patch for Potential Vulnerability in the execution of JSPs outside doc_root oracle-handlers-directory-traversal(5986) Watchguard Firebox II prior to 4.6 allows a remote attacker to create a denial of service in the kernel via a large stream (>10,000) of malformed ICMP or TCP packets. firebox-kernel-dos(6327) 20010405 def-2001-18: Watchguard Firebox II Kernel DoS Ananconda Partners Clipper 3.3 and earlier allows a remote attacker to read arbitrary files via a '..' (dot dot) attack in the template parameter. 20010327 advisory anaconda-clipper-directory-traversal(6286) 2512 http://anacondapartners.com/cgi-local/apexec.pl?template=ap_releasenotestemplate.html&f1=ap_af_updates_menu&f2=ap_af_releasenotes_clip kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument. solaris-kcms-command-bo(6359) 20010409 Solaris kcms_configure vulnerability 2558 oval:org.mitre.oval:def:7 oval:org.mitre.oval:def:65 Buffer overflow in the kcsSUNWIOsolf.so library in Solaris 7 and 8 allows local attackers to execute arbitrary commands via the KCMS_PROFILES environment variable, e.g. as demonstrated using the kcms_configure program. solaris-kcssunwiosolf-bo(6365) 2605 20010411 [LSD] Solaris kcsSUNWIOsolf.so and dtsession vulnerabilities Netscape Communicator before 4.77 allows remote attackers to execute arbitrary Javascript via a GIF image whose comment contains the Javascript. netscape-javascript-access-data(6344) RHSA-2001:046 DSA-051 20010409 Netscape 4.76 gif comment flaw 2637 5579 IMNX-2001-70-014-01 CLA-2001:393 Zetetic Secure Tool for Recalling Important Passwords (STRIP) 0.5 and earlier for the PalmOS allows a local attacker to recover passwords via a brute force attack. This attack is made feasible by STRIP's use of SysRandom, which is seeded by TimeGetTicks, and an implementation flaw which vastly reduces the password 'search space'. strip-weak-passwords(6362) 2567 20010410 Catastrophic failure of Strip password generation. Symantec Ghost 6.5 and earlier allows a remote attacker to create a denial of service by sending large (> 45Kb) amounts of data to the Ghost Configuration Server on port 1347, which triggers an error that is not properly handled. ghost-configuration-server-dos(6357) 2570 20010411 def-2001-21: Ghost Multiple DoS Sybase Adaptive Server Anywhere Database Engine 6.0.3.2747 and earlier as included with Symantec Ghost 6.5 allows a remote attacker to create a denial of service by sending large (> 45Kb) amounts of data to port 2638. ghost-database-engine-dos(6356) 2572 20010411 def-2001-21: Ghost Multiple DoS Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a denial of service via repeated URL requests with the same HTTP headers, such as (1) Accept, (2) Accept-Charset, (3) Accept-Encoding, (4) Accept-Language, and (5) Content-Type. lotus-domino-header-dos(6347) 20010411 def-2001-20: Lotus Domino Multiple DoS Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a denial of service via HTTP requests containing certain combinations of UNICODE characters. lotus-domino-unicode-dos(6349) 20010411 def-2001-20: Lotus Domino Multiple DoS Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a denial of service via repeated (>400) URL requests for DOS devices. lotus-domino-device-dos(6348) 20010411 def-2001-20: Lotus Domino Multiple DoS Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a denial of service via repeatedly sending large (> 10Kb) amounts of data to the DIIOP - CORBA service on TCP port 63148. lotus-domino-corba-dos(6350) 20010411 def-2001-20: Lotus Domino Multiple DoS Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a denial of service via URL requests (>8Kb) containing a large number of '/' characters. lotus-domino-url-dos(6351) 20010411 def-2001-20: Lotus Domino Multiple DoS Headlight Software MyGetright prior to 1.0b allows a remote attacker to upload and/or overwrite arbitrary files via a malicious .dld (skins-data) file which contains long strings of random data. 20010226 My Getright Unsupervised File Download Vulnerability Vulnerability in iPlanet Web Server 4.X in HP-UX 11.04 (VVOS) with VirtualVault A.04.00 allows a remote attacker to create a denial of service via the HTTPS service. hp-virtualvault-iws-dos(6110) HPSBUX0102-139 asecure as included with HP-UX 10.01 through 11.00 can allow a local attacker to create a denial of service and gain additional privileges via unsafe permissions on the asecure program, a different vulnerability than CVE-2000-0083. HPSBUX0103-145 oval:org.mitre.oval:def:5621 HP architected interface facility (AIF) as includes with MPE/iX 5.5 through 6.5 running on a HP3000 allows an attacker to gain additional privileges and gain access to databases via the AIF - AIFCHANGELOGON program. VU#895496 HPSBMP0103-011 hp-aif-gain-privileges(6951) Format string vulnerability in Infodrom cfingerd 1.4.3 and earlier allows a remote attacker to gain additional privileges via a malformed ident reply that is passed to the syslog function. cfingerd-remote-format-string(6364) 2576 20010411 CFINGERD remote vulnerability kfm as included with KDE 1.x can allow a local attacker to gain additional privileges via a symlink attack in the kfm cache directory in /tmp. kfm-tmpfile-symlink(6428) 20010418 Insecure directory handling in KFM file manager Becky! 2.00.05 and earlier can allow a remote attacker to gain additional privileges via a buffer overflow attack on long messages without newline characters. becky-mail-message-bo(6531) 2723 20010514 Becky! 2.00.05 Buffer Overflow McAfee Remote Desktop 3.0 and earlier allows remote attackers to cause a denial of service (crash) via a large number of packets to port 5045. 2726 20010516 Remote Desktop DoS remote-desktop-dos(6547) 6288 Omnicron Technologies OmniHTTPD Professional 2.08 and earlier allows a remote attacker to create a denial of service via a long POST URL request. omnihttpd-post-dos(6540) 2730 20010515 OmniHTTPd Pro Denial of Service Vulnerability Carello E-Commerce 1.2.1 and earlier allows a remote attacker to gain additional privileges and execute arbitrary commands via a specially constructed URL. carello-url-code-execution(6532) 20010514 def-2001-25: Carello E-Commerce Arbitrary Command Execution Directory traversal vulnerability in Faust Informatics Freestyle Chat server prior to 4.1 SR3 allows a remote attacker to read arbitrary files via a specially crafted URL which includes variations of a '..' (dot dot) attack such as '...' or '....'. freestyle-chat-directory-traversal(6601) 2776 20010525 Advisory for Freestyle Chat server 1841 Faust Informatics Freestyle Chat server prior to 4.1 SR3 allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name (e.g., GET /aux HTTP/1.0). freestyle-chat-device-dos(6602) 2777 20010525 Advisory for Freestyle Chat server Allied Telesyn AT-AR220e cable/DSL router firmware 1.08a RC14 with the portmapper and the 'Virtual Server' enabled can allow a remote attacker to gain access to mapped services even though the single portmappings may be disabled. telesyn-portmapper-access-services(6560) 20010514 Cable-Router AR220e Portmapper Security-Flaw Orinoco RG-1000 wireless Residential Gateway uses the last 5 digits of the 'Network Name' or SSID as the default Wired Equivalent Privacy (WEP) encryption key. Since the SSID occurs in the clear during communications, a remote attacker could determine the WEP key and decrypt RG-1000 traffic. orinoco-rg1000-wep-key(6328) 20010402 RG-1000 802.11 Residential Gateway default WEP key disclosure flaw The Lucent Closed Network protocol can allow remote attackers to join Closed Network networks which they do not have access to. The 'Network Name' or SSID, which is used as a shared secret to join the network, is transmitted in the clear. 20010402 Design Flaw in Lucent/Orinoco 802.11 proprietary access control- closed network iPlanet Calendar Server 5.0p2 and earlier allows a local attacker to gain access to the Netscape Admin Server (NAS) LDAP database and read arbitrary files by obtaining the cleartext administrator username and password from the configuration file, which has insecure permissions. iplanet-calendar-plaintext-password(6402) 20010418 iplanet calendar server 5.0p2 exposes Netscape Admin Server master password The FTP server on Cisco Content Service 11000 series switches (CSS) before WebNS 4.01B23s and WebNS 4.10B13s allows an attacker who is an FTP user to read and write arbitrary files via GET or PUT commands. cisco-css-ftp-commands(6557) 20010517 Cisco Content Service Switch 11000 Series FTP Vulnerability 2745 1834 L-085 The web management service on Cisco Content Service series 11000 switches (CSS) before WebNS 4.01B29s or WebNS 4.10B17s allows a remote attacker to gain additional privileges by directly requesting the web management URL instead of navigating through the interface. 20010531 Cisco Content Service Switch 11000 Series Web Management Vulnerability cisco-css-web-management(6631) 2806 1848 sendfiled, as included with Simple Asynchronous File Transfer (SAFT), on various Linux systems does not properly drop privileges when sending notification emails, which allows local attackers to gain privileges. saft-sendfiled-execute-code(6430) DSA-052 DSA-050 QNX 2.4 allows a local user to read arbitrary files by directly accessing the mount point for the FAT disk partition, e.g. /fs-dos. qnx-fat-file-read 20010421 QNX FIle Read Vulnerability ftpdownload in Computer Associates InoculateIT 6.0 allows a local attacker to overwrite arbitrary files via a symlink attack on /tmp/ftpdownload.log . inoculateit-ftpdownload-symlink(6607) 2778 20010525 Security Bug in InoculateIT for Linux (fwd) 1843 O'Reilly Website Professional 2.5.4 and earlier allows remote attackers to determine the physical path to the root directory via a URL request containing a ":" character. 2488 20010316 WebServer Pro All Version Vulnerability website-pro-dir-path(3839) vi as included with SCO OpenServer 5.0 - 5.0.6 allows a local attacker to overwrite arbitrary files via a symlink attack. VU#747736 2752 20010522 [SRT2001-09] - vi and crontab -e /tmp issues sco-openserver-vi-symlink(6588) CSSA-2001-SCO.17 Microsoft Word 2000 does not check AutoRecovery (.asd) files for macros, which allows a local attacker to execute arbitrary macros with the user ID of the Word user. word-asd-macro-execution(6614) 2760 Q274228 HP Event Correlation Service (ecsd) as included with OpenView Network Node Manager 6.1 allows a remote attacker to gain addition privileges via a buffer overflow attack in the '-restore_config' command line parameter. openview-nnm-ecsd-bo(6582) 2761 20010523 HP OpenView NNM v6.1 buffer overflow HPSBUX0107-158 Directory traversal vulnerability in MIMAnet viewsrc.cgi 2.0 allows a remote attacker to read arbitrary files via a '..' (dot dot) attack in the 'loc' variable. 2762 20010523 Vulnerability in viewsrc.cgi viewsrc-cgi-view-files(6583) 5565 Centrinity First Class Internet Services 5.50 allows for the circumventing of the default 'spam' filters via the presence of '<@>' in the 'From:' field, which allows remote attackers to send spoofed email with the identity of local users. 20010226 Re: [Fwd: FirstClass Internetgateway "stupidity"] 20010221 FirstClass Internetgateway "stupidity" centrinity-firstclass-email-spoofing(6192) 2423 Sun Chili!Soft 3.5.2 on Linux and 3.6 on AIX creates a default admin username and password in the default installation, which can allow a remote attacker to gain additional privileges. 20010224 Re: Advisory: Chili!Soft ASP Multiple Vulnerabilities 20010220 Advisory: Chili!Soft ASP Multiple Vulnerabilities Directory traversal vulnerability in Sun Chili!Soft ASP on multiple Unixes allows a remote attacker to read arbitrary files above the web root via a '..' (dot dot) attack in the sample script 'codebrws.asp'. 20010224 Re: Advisory: Chili!Soft ASP Multiple Vulnerabilities 20010220 Advisory: Chili!Soft ASP Multiple Vulnerabilities Sun Chili!Soft ASP has weak permissions on various configuration files, which allows a local attacker to gain additional privileges and create a denial of service. 20010226 Re: Advisory: Chili!Soft ASP Multiple Vulnerabilities 20010220 Advisory: Chili!Soft ASP Multiple Vulnerabilities chilisoft-asp-license-dos(6176) 2409 Red Hat Linux 7.1 sets insecure permissions on swap files created during installation, which can allow a local attacker to gain additional privileges by reading sensitive information from the swap file, such as passwords. RHSA-2001:058 mount-swap-world-readable(6493) 5564 Buffer overflows in Raytheon SilentRunner allow remote attackers to (1) cause a denial of service in the collector (cle.exe) component of SilentRunner 2.0 via traffic containing long passwords, or (2) execute arbitrary commands via long HTTP queries in the Knowledge Browser component in SilentRunner 2.0 and 2.0.1. NOTE: It is highly likely that this candidate will be split into multiple candidates. 20010806 Multiple Buffer Overflow Vulnerabilities in Raytheon SilentRunner Buffer overflow in man program in various distributions of Linux allows local user to execute arbitrary code as group man via a long -S option. man-s-bo(6530) 2711 RHSA-2001:069 20010513 RH 7.0:/usr/bin/man exploit: gid man + more 20010612 man 1.5h10 + man 1.5i-4 exploits SuSE-SA:2001:019 Directory traversal vulnerability in IncrediMail version 1400185 and earlier allows local users to overwrite files on the local hard drive by appending .. (dot dot) sequences to filenames listed in the content.ini file. incredimail-dot-overwrite-files(6529) 20010511 [eyeonsecurity.net] Incredimail allows automatic over writing offiles on your hard disk Internet Explorer 5.5 does not display the Class ID (CLSID) when it is at the end of the file name, which could allow attackers to trick the user into executing dangerous programs by making it appear that the document is of a safe file type. ie-clsid-execute-files(6426) 20010416 Double clicking on innocent looking files may be dangerous http://www.sarc.com/avcenter/venc/data/vbs.postcard@mm.html http://vil.nai.com/vil/virusSummary.asp?virus_k=99048 2612 7858 http://www.guninski.com/clsidext.html Maxum Rumpus FTP Server 1.3.3 and 2.0.3 dev 3 stores passwords in plaintext in the "Rumpus User Database" file in the prefs folder, which could allow attackers to gain privileges on the server. 20010515 Rumpus FTP DoS rumpus-plaintext-passwords(6543) 2718 Symantec/AXENT NetProwler 3.5.x contains several default passwords, which could allow remote attackers to (1) access to the management tier via the "admin" password, or (2) connect to a MySQL ODBC from the management tier using a blank password. VU#508387 netprowler-default-odbc-password(6539) netprowler-default-management-password(6537) 20010510 Corsaire Limited Security Advisory - Symantec/Axent NetProwler 3. 5.x password restrictions 20010510 Corsaire Limited Security Advisory - Symantec/Axent NetProwler 3. 5.x database configuration Maxum Rumpus FTP Server 1.3.3 and 2.0.3 dev 3 allows a remote attacker to perform a denial of service (hang) by creating a directory name of a specific length. rumpus-long-directory-dos(6542) 2716 20010515 Rumpus FTP DoS Orange Web Server 2.1, based on GoAhead, allows a remote attacker to perform a denial of service via an HTTP GET request that does not include the HTTP version. 2432 20010227 Orange Web Server v2.1 DoS Directory traversal vulnerability in PHProjekt 2.1 and earlier allows a remote attacker to conduct unauthorized activities via a dot dot (..) attack on the file module. phprojekt-dot-directory-traversal(6522) 2702 20010508 security hole in os groupware suite PHProjekt Personal Web Sharing 1.5.5 allows a remote attacker to cause a denial of service via a long HTTP request. macos-web-sharing-dos(6536) 20010510 Personal Web Sharing remote stop Cisco devices IOS 12.0 and earlier allow a remote attacker to cause a crash, or bad route updates, via malformed BGP updates with unrecognized transitive attribute. VU#106392 cisco-ios-bgp-dos(6566) 20010510 Cisco IOS BGP Attribute Corruption Vulnerability 2733 1830 L-082 Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable. 20010810 NSFOCUS SA2001-05 : Solaris Xlock Heap Overflow Vulnerability solaris-xlock-bo(6967) 3160 oval:org.mitre.oval:def:131 oval:org.mitre.oval:def:10 Sendmail 8.10.0 through 8.11.5, and 8.12.0 beta, allows local users to modify process memory and possibly gain privileges via a large value in the 'category' part of debugger (-d) command line arguments, which is interpreted as a negative number. 3163 20010821 *ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger Arbitrary Code Execution Vulnerability (fwd) http://www.sendmail.org/8.11.html sendmail-debug-signed-int-overflow(7016) HPSBTL0112-007 SuSE-SA:2001:028 MDKSA-2001:075 L-133 CSSA-2001-032.0 RHSA-2001:106 IMNX-2001-70-032-01 CLA-2001:412 NetBSD-SA2001-017 Cross-site scripting (CSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to cause other clients to execute certain script or read cookies via malicious script in an invalid URL that is not properly quoted in an error message. MS01-045 isa-cross-site-scripting(6991) 3198 Buffer overflow in IrDA driver providing infrared data exchange on Windows 2000 allows attackers who are physically close to the machine to cause a denial of service (reboot) via a malformed IrDA packet. MS01-046 win2k-irda-dos(7008) 3215 20010821 IrDA semiremote vulnerability Outlook Web Access (OWA) in Microsoft Exchange 5.5, SP4 and earlier, allows remote attackers to identify valid user email addresses by directly accessing a back-end function that processes the global address list (GAL). MS01-047 Q307195 exchange-owa-obtain-addresses(7089) 3301 RPC endpoint mapper in Windows NT 4.0 allows remote attackers to cause a denial of service (loss of RPC services) via a malformed request. MS01-048 winnt-rpc-endpoint-dos(7105) 3313 L-142 Terminal Server in Windows NT and Windows 2000 allows remote attackers to cause a denial of service via a sequence of invalid Remote Desktop Protocol (RDP) packets. MS01-052 win-rdp-packet-dos(7302) 3445 Internet Explorer 5.5 and 5.01 allows remote attackers to bypass security restrictions via malformed URLs that contain dotless IP addresses, which causes Internet Explorer to process the page in the Intranet Zone, which may have fewer security restrictions, aka the "Zone Spoofing vulnerability." MS01-051 ie-incorrect-security-zone(7258) 3420 1971 http://morph3us.org/blog/?p=31 20011011 Serious security Flaw in Microsoft Internet Explorer - Zone Spoofing Internet Explorer 6 and earlier allows remote attackers to cause certain HTTP requests to be automatically executed and appear to come from the user, which could allow attackers to gain privileges or execute operations within web-based services, aka the "HTTP Request Encoding vulnerability." MS01-051 ie-url-http-requests(7259) 3421 1972 Outlook Web Access (OWA) in Microsoft Exchange 2000 allows an authenticated user to cause a denial of service (CPU consumption) via a malformed OWA request for a deeply nested folder within the user's mailbox. MS01-049 exchange-owa-folder-request-dos(7168) 3368 Internet Explorer 6 and earlier, when used with the Telnet client in Services for Unix (SFU) 2.0, allows remote attackers to execute commands by spawning Telnet with a log file option on the command line and writing arbitrary code into an executable file which is later executed, aka a new variant of the Telnet Invocation vulnerability as described in CVE-2001-0150. VU#952611 MS01-051 ie-telnet-command-execution-variant(7260) M-024 Buffer overflow in line printer daemon (rlpdaemon) in HP-UX 10.01 through 11.11 allows remote attackers to execute arbitrary commands. VU#966075 CA-2001-30 20010827 Remote Buffer Overflow Vulnerability in HP-UX Line Printer Daemon hpux-rlpd-bo(6811) 3240 L-134 HPSBUX0108-163 Various Intrusion Detection Systems (IDS) including (1) Cisco Secure Intrusion Detection System, (2) Cisco Catalyst 6000 Intrusion Detection System Module, (3) Dragon Sensor 4.x, (4) Snort before 1.8.1, (5) ISS RealSecure Network Sensor 5.x and 6.x before XPU 3.2, and (6) ISS RealSecure Server Sensor 5.5 and 6.0 for Windows, allow remote attackers to evade detection of HTTP attacks via non-standard "%u" Unicode encoding of ASCII characters in the requested URL. VU#548515 20010905 Multiple Vendor IDS Unicode Bypass Vulnerability 20010905 Cisco Secure Intrusion Detection System Signature Obfuscation Vulnerability 20010905 %u encoding IDS bypass vulnerability 3292 Buffer overflow in BSD line printer daemon (in.lpd or lpd) in various BSD-based operating systems allows remote attackers to execute arbitrary code via an incomplete print job followed by a request to display the printer queue. VU#274043 CA-2001-30 20010829 Remote Buffer Overflow Vulnerability in BSD Line Printer Daemon 20010829 CSSA-2001-SCO.20 bsd-lpd-bo(7046) 3252 RHSA-2001:147 NetBSD-SA2001-018 Buffer overflows in (1) send_status, (2) kill_print, and (3) chk_fhost in lpd in AIX 4.3 and 5.1 allow remote attackers to gain root privileges. VU#722143 VU#466239 VU#388183 CA-2001-30 Directory traversal vulnerability in RobTex Viking Web server before 1.07-381 allows remote attackers to read arbitrary files via a hexadecimal encoded dot-dot attack (eg. http://www.server.com/%2e%2e/%2e%2e) in an HTTP URL request. viking-hex-directory-traversal(6394) 20010417 Advisory for Viking http://www.robtex.com/viking/bugs.htm Rit Research Labs The Bat! 1.51 for Windows allows a remote attacker to cause a denial of service by sending an email to a user's account containing a carrage return <CR> that is not followed by a line feed <LF>. thebat-pop3-dos(6423) 2636 20010423 Re: SECURITY.NNOV: The Bat! <cr> bug 20010421 Re: SECURITY.NNOV: The Bat! <cr> bug 20010418 SECURITY.NNOV: The Bat! <cr> bug Directory traversal vulnerability in Rit Research Labs The Bat! 1.48f and earlier allows a remote attacker to create arbitrary files via a "dot dot" attack in the filename for an attachment. thebat-attachment-directory-traversal(5871) 20010104 SECURITY.NNOV advisory - The Bat! directory traversal (public release) Eudora 5.0.2 allows a remote attacker to read arbitrary files via an email with the path of the target file in the "Attachment Converted" MIME header, which sends the file when the email is forwarded to the attacker by the user. eudora-plain-text-attachment(6431) 20010418 Eudora file leakage problem (still) 2616 3085 A buffer overflow in reggo.dll file used by Trend Micro InterScan VirusWall prior to 3.51 build 1349 for Windows NT 3.5 and InterScan WebManager 1.2 allows a local attacker to execute arbitrary code. interscan-reggo-bo(6575) 20010519 TrendMicro Interscan VirusWall RegGo.dll BOf A buffer overflow in InterScan VirusWall 3.23 and 3.3 allows a remote attacker to execute arbitrary code by sending a long HELO command to the server. viruswall-helo-bo(3465) 19991109 InterScan VirusWall 3.23/3.3 Buffer Overflow 19991108 Patch for VirusWall 3.23. 19991108 Interscan VirusWall NT 3.23/3.3 buffer overflow. 19991108 Patch for VirusWall 3.23. Directory traversal vulnerability in ftpd in QPC QVT/Net 4.0 and AVT/Term 5.0 allows a remote attacker to traverse directories on the web server via a "dot dot" attack in a LIST (ls) command. qpc-ftpd-directory-traversal(6375) 20010413 QPC FTPd Directory Traversal and BoF Vulnerabilities 2618 4050 1794 20010925 Vulnerabilities in QVT/Term Buffer overflow in ftpd in QPC QVT/Net 5.0 and QVT/Term 5.0 allows a remote attacker to cause a denial of service via a long (1) username or (2) password. qpc-ftpd-bo(6376) 20010413 QPC FTPd Directory Traversal and BoF Vulnerabilities ZoneAlarm and ZoneAlarm Pro allows a local attacker to cause a denial of service by running a trojan to initialize a ZoneAlarm mutex object which prevents ZoneAlarm from starting. zonealarm-mutex-dos(5821) 20001230 [DiamondCS Advisory] ZoneAlarm and ZoneAlarm Pro can be blocked from loading by setting a Mutex in memory Memory leak in Netscape Collabra Server 3.5.4 and earlier allows a remote attacker to cause a denial of service (memory exhaustion) by repeatedly sending approximately 5K of data to TCP port 5238. netscape-collabra-kernel-dos(6158) 20010226 def-2001-08: Netscape Collabra DoS Netscape Collabra Server 3.5.4 and earlier allows a remote attacker to cause a denial of service by sending seven or more characters to TCP port 5239. 20010226 def-2001-08: Netscape Collabra DoS netscape-collabra-cpu-dos(6159) Thibault Godouet FCron prior to 1.1.1 allows a local user to corrupt another user's crontab file via a symlink attack on the fcrontab temporary file. 2835 20010228 fcron 0.9.5 is vulnerable to a symlink attack http://fcron.free.fr/CHANGES.html fcron-tmpfile-symlink(7127) Buffer overflow in mail included with SunOS 5.8 for x86 allows a local user to gain privileges via a long HOME environment variable. 20010604 $HOME buffer overflow in SunOS 5.8 x86 2819 solaris-mail-home-bo(6638) Broker FTP server 5.9.5 for Windows NT and 9x allows a remote attacker to retrieve privileged web server system information by (1) issuing a CD command (CD C:) followed by the LS command, (2) specifying arbitrary paths in the UNC format (\\computername\sharename). broker-ftp-cd-directory-traversal(6674) 2853 20010610 Broker FTP Server 5.9.5.0 Buffer Overflow / DoS / Directory Traversal Broker FTP Server 5.9.5.0 allows a remote attacker to cause a denial of service by repeatedly issuing an invalid CD or CWD ("CD . .") command. 2851 20010610 Broker FTP Server 5.9.5.0 Buffer Overflow / DoS / Directory Traversal Vulnerability in TrendMicro Virus Control System 1.8 allows a remote attacker to view configuration files and change the configuration via a certain CGI program. 20010607 [SNS Advisory No.29] Trend Micro Virus Control System(VCS) Format string vulnerability in exim (3.22-10 in Red Hat, 3.12 in Debian and 3.16 in Conectiva) in batched SMTP mode allows a remote attacker to execute arbitrary code via format strings in SMTP mail headers. RHSA-2001:078 DSA-058 20010606 lil' exim format bug exim-syntax-format-string(6671) 2828 CLA-2001:402 Buffer overflows in Washington University imapd 2000a through 2000c could allow local users without shell access to execute code as themselves in certain configurations. 2856 MDKSA-2001:054 RHSA-2001:094 imap-ipop2d-ipop3d-bo(6269) SMTP proxy in WatchGuard Firebox (2500 and 4500) 4.5 and 4.6 allows a remote attacker to bypass firewall filtering via a base64 MIME encoded email attachment whose boundary name ends in two dashes. 2855 20010628 RE: WatchGuard SMTP Proxy issue firebox-smtp-bypass-filter(6682) 20010608 WatchGuard SMTP Proxy issue WebTrends HTTP Server 3.1c and 3.5 allows a remote attacker to view script source code via a filename followed by an encoded space (%20). webtrends-unicode-reveal-source(6639) 2812 20010603 Webtrends HTTP Server %20 bug Directory traversal vulnerability in WFTPD 3.00 R5 allows a remote attacker to view arbitrary files via a dot dot attack in the CD command. 20010525 WFTPD 32-bit (X86) 3.00 R5 Directory Traversal / Buffer Overflow / DoS WFTPD 3.00 R5 allows a remote attacker to cause a denial of service by making repeated requests to cd to the floppy drive (A:\). wftpd-cd-dos(6496) 20010503 Potential DOS Vulnerability in WFTPD NetWin SurgeFTP 2.0a and 1.0b allows a remote attacker to cause a denial of service (crash) via a CD command to a directory with an MS-DOS device name such as con. surgeftp-concon-dos(6712) 2891 20010619 SurgeFTP vulnerabilities http://netwinsite.com/surgeftp/manual/updates.htm NetWin SurgeFTP prior to 1.1h allows a remote attacker to cause a denial of service (crash) via an 'ls ..' command. surgeftp-listing-dos(6168) 20010228 SurgeFTP Denial of Service 20010301 SurgeFTP 1.0b Denial of Service http://netwinsite.com/surgeftp/manual/updates.htm 2442 Directory traversal vulnerability in NetWin SurgeFTP 2.0a and 1.0b allows a remote attacker to list arbitrary files and directories via the 'nlist ...' command. surgeftp-nlist-directory-traversal(6711) 2892 20010619 SurgeFTP vulnerabilities http://www.netwinsite.com/surgeftp/manual/updates.htm Buffer overflow in cb_reset in the System Service Processor (SSP) package of SunOS 5.8 allows a local user to execute arbitrary code via a long argument. sun-cbreset-bo(6726) 2893 20010620 Solaris /opt/SUNWssp/bin/cb_reset Vulnerability Buffer overflow in w3m 0.2.1 and earlier allows a remote attacker to execute arbitrary code via a long base64 encoded MIME header. w3m-mime-header-bo(6725) 2895 http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200106.month/537.html 20010621 [SNS Advisory No.32] w3m malformed MIME header Buffer Overflow Vulnerability DSA-081 DSA-064 CLA-2001:434 Buffer overflow in ptexec in the Sun Validation Test Suite 4.3 and earlier allows a local user to gain privileges via a long -o argument. sunvts-ptexec-bo(6736) 2898 20010621 Solaris /opt/SUNWvts/bin/ptexec Vulnerability Cerberus FTP 1.5 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long (1) username, (2) password, or (3) PASV command. cerberus-ftp-bo(6728) 2901 20010621 Cerberus FTP Server 1.x Remote DoS attack Vulnerability 20010704 CesarFTPd, Cerberus FTPd tradecli.dll in Arcadia Internet Store 1.0 allows a remote attacker to cause a denial of service via a URL request with an MS-DOS device name in the template parameter. 2905 arcadia-tradecli-dos(6739) 20010621 NERF Advisory #2 - 1C:Arcadia multiple vulnerablilities. tradecli.dll in Arcadia Internet Store 1.0 allows a remote attacker to discover the full path to the working directory via a URL with a template argument for a file that does not exist. 2904 arcadia-tradecli-reveal-path(6738) 20010621 NERF Advisory #2 - 1C:Arcadia multiple vulnerablilities. Directory traversal vulnerability in tradecli.dll in Arcadia Internet Store 1.0 allows a remote attacker to read arbitrary files on the web server via a URL with "dot dot" sequences in the template argument. 2902 arcadia-tradecli-directory-traversal(6737) 20010621 NERF Advisory #2 - 1C:Arcadia multiple vulnerablilities. Maximum Rumpus FTP Server 2.0.3 dev and before allows an attacker to cause a denial of service (crash) via a mkdir command that specifies a large number of sub-folders. rumpus-ftp-directory-dos(6699) 2864 20010612 Rumpus FTP DoS vol. 2 Denicomp RSHD 2.18 and earlier allows a remote attacker to cause a denial of service (crash) via a long string to port 514. denicomp-rshd-dos(6523) 20010503 Denicomp REXECD/RSHD Denial of Service Vulnerability Denicomp REXECD 1.05 and earlier allows a remote attacker to cause a denial of service (crash) via a long string. denicomp-rexecd-dos(6524) 20010503 Denicomp REXECD/RSHD Denial of Service Vulnerability Microsoft IIS 4.0 and before, when installed on a FAT partition, allows a remote attacker to obtain source code of ASP files via a URL encoded with Unicode. iis-unicode-asp-disclosure(6742) 2909 20010622 [VIGILANTE-2001001] ASP source code retrieved with Unicode extens ion NetBSD 1.5 and earlier and FreeBSD 4.3 and earlier allows a remote attacker to cause a denial of service by sending a large number of IP fragments to the machine, exhausting the mbuf pool. bsd-ip-fragments-dos(6636) 2799 NetBSD-SA2001-006 FreeBSD-SA-01:52 Cisco IOS 11.x and 12.0 with ATM support allows attackers to cause a denial of service via the undocumented Interim Local Management Interface (ILMI) SNMP community string. 20010207 Cisco IOS Software SNMP Read-Write ILMI Community String Vulnerability cisco-ios-modify-snmp(6169) The rendering engine in Internet Explorer determines the MIME type independently of the type that is specified by the server, which allows remote servers to automatically execute script which is placed in a file whose MIME type does not normally support scripting, such as text (.txt), JPEG (.jpg), etc. 20010729 Re: TXT or HTML? -- IE NEW BUG 20010727 TXT or HTML? -- IE NEW BUG 3116 Sendmail before 8.12.1 does not properly drop privileges when the -C option is used to load custom configuration files, which allows local users to gain privileges via malformed arguments in the configuration file whose names contain characters with the high bit set, such as (1) macro names that are one character long, (2) a variable setting which is processed by the setoption function, or (3) a Modifiers setting which is processed by the getmodifiers function. 20011001 Multiple Local Sendmail Vulnerabilities 3377 sendmail-setregid-gain-privileges(7192) Sendmail before 8.12.1, without the RestrictQueueRun option enabled, allows local users to cause a denial of service (data loss) by (1) setting a high initial message hop count option (-h), which causes Sendmail to drop queue entries, (2) via the -qR option, or (3) via the -qS option. 20011001 Multiple Local Sendmail Vulnerabilities 20011101-01-I Sendmail before 8.12.1, without the RestrictQueueRun option enabled, allows local users to obtain potentially sensitive information about the mail queue by setting debugging flags to enable debug mode. 20011001 Multiple Local Sendmail Vulnerabilities 20011101-01-I Citrix MetaFrame 1.8 Server with Service Pack 3, and XP Server Service Pack 1 and earlier, allows remote attackers to cause a denial of service (crash) via a large number of incomplete connections to the server. 20011016 Citrix MetaFrame Remote Denial of Service Vulnerability metaframe-multiple-sessions-dos(7068) 3440 Format string vulnerability in ToolTalk database server rpc.ttdbserverd allows remote attackers to execute arbitrary commands via format string specifiers that are passed to the syslog function. CA-2001-27 20011002 Multi-Vendor Format String Vulnerability in ToolTalk Service tooltalk-ttdbserverd-format-string(7069) 3382 M-002 00212 1002479 HPSBUX0110-168 SSRT0767U CSSA-2001-SCO.28 Vulnerability in (1) Microsoft Excel 2002 and earlier and (2) Microsoft PowerPoint 2002 and earlier allows attackers to bypass macro restrictions and execute arbitrary commands by modifying the data stream in the document. CA-2001-28 VU#287067 MS01-050 ms-malformed-document-macro(7223) 3402 20011005 Symantec Security Response SecBul-10042001, Revision1, Malformed Microsoft Excel or PowerPoint documents bypass Microsoft macro security features Buffer overflow in Microsoft Windows Media Player 6.4 allows remote attackers to execute arbitrary code via a malformed Advanced Streaming Format (ASF) file. MS01-056 3156 5558 mediaplayer-asf-marker-bo(6962) 20010807 MS Windows Media Player ASF Marker Buffer Overflow oval:org.mitre.oval:def:287 Internet Explorer 5.1 for Macintosh on Mac OS X allows remote attackers to execute arbitrary commands by causing a BinHex or MacBinary file type to be downloaded, which causes the files to be executed if automatic decoding is enabled. MS01-053 ie-mac-downloaded-file-execution(7336) 3471 M-013 Universal Plug and Play (UPnP) in Windows 98, 98SE, ME, and XP allows remote attackers to cause a denial of service (memory consumption or crash) via a malformed UPnP request. MS01-054 20011109 Important Information Regarding MS01-054 and WindowsME 20011101 Three Windows XP UPNP DOS attacks Internet Explorer 5.5 and 6.0 allows remote attackers to read and modify user cookies via Javascript in an about: URL, aka the "First Cookie Handling Vulnerability." 20011019 Minor IE vulnerability: about: URLs MS01-055 20011108 Microsoft IE cookies readable via about: URLS ie-about-cookie-information(7486) 3513 1982 M-016 Internet Explorer 5.5 and 6.0 allows remote attackers to read and modify user cookies via Javascript, aka the "Second Cookie Handling Vulnerability." 3546 MS01-055 Internet Explorer 5.5 allows remote attackers to bypass security restrictions via malformed URLs that contain dotless IP addresses, which causes Internet Explorer to process the page in the Intranet Zone, which may have fewer security restrictions, aka the "Zone Spoofing Vulnerability variant" of CVE-2001-0664. MS01-055 ie-incorrect-security-zone-variant(8471) 5556 Outlook Web Access (OWA) in Microsoft Exchange 5.5 Server, when used with Internet Explorer, does not properly detect certain inline script, which can allow remote attackers to perform arbitrary actions on a user's Exchange mailbox via an HTML e-mail message. MS01-057 exchange-owa-embedded-script-execution(7663) 3650 5557 Internet Explorer 6.0 allows remote attackers to execute arbitrary code by modifying the Content-Disposition and Content-Type header fields in a way that causes Internet Explorer to believe that the file is safe to open without prompting the user, aka the "File Execution Vulnerability." CA-2001-36 VU#443699 MS01-058 20011214 MSIE may download and run progams automatically 20011216 Re: MSIE may download and run progams automatically - NOT SO FAST ie-file-download-execution(7703) 3578 3033 M-027 oval:org.mitre.oval:def:921 Buffer overflow in Compaq Management Agents before 5.2, included in Compaq Web-enabled Management Software, allows local users to gain privileges. VU#275979 SSRT0758 compaq-wbm-bo(7189) 3376 Apache 1.3.20 on Windows servers allows remote attackers to bypass the default index page and list directory contents via a URL with a large number of / (slash) characters. http://www.apacheweek.com/issues/01-09-28#security 22083 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 1017522 23794 split-logfile in Apache 1.3.20 allows remote attackers to overwrite arbitrary files that end in the .log extension via an HTTP request with a / (slash) in the Host: header. http://www.apacheweek.com/issues/01-09-28#security apache-log-file-overwrite(7419) RHSA-2001:164 RHSA-2001:126 ESA-20011019-01 MDKSA-2001:077 CLA-2001:430 Apache 1.3.20 with Multiviews enabled allows remote attackers to view directory contents and bypass the index page via a URL containing the "M=D" query string. http://www.apacheweek.com/issues/01-10-05#security apache-multiviews-directory-listing(8275) 3009 20010709 How Google indexed a file with no external link RHSA-2001:164 RHSA-2001:126 MDKSA-2001:077 20020301-01-P The #sinclude directive in Embedded Perl (ePerl) 2.2.14 and earlier allows a remote attacker to execute arbitrary code by modifying the 'sinclude' file to point to another file that contains a #include directive that references a file that contains the code. eperl-embedded-code-execution(6743) 20010