CERT by liwenting


Vul Number   CVE             Overview

VU#10031     CAN-1999-1312   Old versions (circa 1993) of OpenVMS and OpenVMS AXP contain a vulnerability related to page management.
VU#100780                    The Sun Ray Smartcard reader fails to properly detect a "quick removal, reinsertion and removal of a Smartcard."
VU#100937                    A memory allocation problem exists in the "Automatic File Content Type Recognition Tool" versions of the file[1] package prior to 3.41.
VU#101915    CVE-2002-0601   ISS RealSecure Network Sensor "informational signatures" fail to properly process certain types of DHCP traffic, thereby causing the sensor to crash.
VU#102345    CAN-2002-1201   A denial-of-service vulnerability in AIX may allow a remote attacker to consume 100% of the CPU.
VU#10277     CAN-2000-1134   sh uses /tmp files of a predictable name in creating files for input redirection using the << operator.
VU#102795    CAN-2002-0656   OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) protocol. A remotely exploitable vulnerability exists in OpenSSL servers that could lead to the execution of arbitrary code on the server.
VU#104555    CVE-2002-0653   A buffer overflow exists in mod_ssl.
VU#104823    CVE-2000-0418   Cayman gateways are vulnerable to a denial of service via oversized ICMP echo (ping) requests. Installing the newest version of the vendor software will resolve this vulnerability.
VU#105259    CVE-2001-0513   Oracle Database Server may consume all available memory and crash if clients do not connect completely in the expected manner.
VU#105347    CVE-2001-1119   xmcd is an x11/motif CD playing utility, in the public domain. cda, the command line interface to xmcd, executes with system administrator privileges. It is vulnerable to a symbolic link attack that may allow a local user to obtain administrator privileges.
VU#106392    CVE-2001-0650   There is a denial-of-service vulnerability in several specific but common configurations of Cisco IOS.
VU#107186    CAN-2002-0012   Multiple vendor SNMPv1 Trap handling implementations contain vulnerabilities that may allow unauthorized privileged access, denial-of-service conditions, or unstable behavior. If your site uses SNMP in any capacity, the CERT/CC encourages you to read the information provided below.
VU#107280    CVE-2001-0015   The Windows 2000 Network DDE agent permits local users to execute commands with system privileges.
VU#109475                    Microsoft Domain Name Servers hosted on Windows NT or Windows 2000 Server systems run with permissive DNS cache defaults. This may allow unauthorized remote intruders to redirect sites that rely on the vulnerable DNS servers for legitimate information.
VU#110803    CAN-2001-0582   CrushFTP allows access to files outside the FTP root directory through directory traversal.
VU#111673    CAN-2003-0173   A vulnerability exists in xfsdump on SGI IRIX. Exploitation of this vulnerability may allow a local attacker to gain root privileges. Because other operating systems ship with xfsdump, vendors other than SGI may be affected.
VU#111677    CVE-2000-0884   A vulnerability exists in Microsoft IIS 4 and 5 such that an attacker visiting an IIS web site can execute arbitrary code with the privileges of the IUSR_machinename account. This vulnerability is referred to as the "Web Server Folder Directory Traversal" vulnerability. This vulnerability has characteristics similar to vulnerabilities that have been widely exploited in the past. Unless remedial action is taken, we believe it is likely that systems with this vulnerability will be compromised.
VU#111947    CVE-2001-0660   Microsoft Exchange servers that offer the Outlook Web Access service are vulnerable to an information disclosure vulnerability that can reveal any email address stored in the Global Address List.
VU#112553    CAN-2003-0168   Apple's QuickTime Player is a player for files and streaming media in the QuickTime format. Versions of the player are available for both the Microsoft Windows and Apple MacOS platforms. A flaw in the version for Windows could allow a remote attacker to execute arbitrary code on a vulnerable system.
VU#112912    CVE-2001-0278   There is a problem with the MPE/iX linkeditor that may allow an attacker to gain system manager privileges.
VU#113716    CAN-2003-0349   Microsoft Windows Media Services provides streaming audio and video capabilities. A vulnerability in a component of this software could allow a remote attacker to compromise the server running it.
VU#115112    CVE-2001-0095   catman, the unix manual display utility, creates insecure temporary files with predictable names in a world-writable directory. Since catman executes with system administration privileges, a symbolic link attack could overwrite arbitrary files.
VU#115731                    The HP Tru64 UNIX implementation of "quot" contains a locally exploitable buffer overflow.
VU#116875                    A vulnerability exists in Adobe PhotoDeluxe that allows a malicious web page or HTML email message viewed with Microsoft Internet Explorer to obtain directory listings or potentially download and execute arbitrary code on the local system.
VU#116963                    There is an insecure default configuration in Apache Tomcat web server that places several sample applications in the webroot. Remote users may be able to use these applications to gain sensitive information about the server's configuration.
VU#117139    CVE-2002-0737   Sambar Webserver displays script contents instead of interpreting them when the user adds certain characters to the end of the script URL.
VU#117394    CAN-2003-0109   A buffer overflow vulnerability exists in the Win32 API libraries shipped with all versions of Microsoft Windows XP, Microsoft Windows 2000, Microsoft Windows NT 4.0, and Microsoft Windows NT 4.0 Terminal Server Edition. This vulnerability, which is being actively exploited on WebDAV-enabled IIS 5.0 servers, will allow a remote attacker to execute arbitrary code on unpatched systems. Sites running Microsoft Windows should apply a patch or disable WebDAV services as soon as possible.
VU#118277    CAN-2000-0987   Oracle Internet Directory version 2.0.6, which ships with Oracle version 8i for Linux (8.1.6), contains a program, oidldapd, that is an LDAP Daemon. There is a buffer overflow in the LDAP Daemon that allows a local user to obtain the euid of the oidldapd process, typically user oracle.
VU#118892    CVE-2000-0217   This vulnerability may allow an attacker to make unauthorized connections to affected client machines.
VU#119952    CVE-2001-0219   There is a vulnerability in the Hewlett-Packard Support Tools Manager that allows a local user to create a denial-of-service condition.
VU#121099                    The daemon ypbind on Solaris and SunOS contains a buffer overflow vulnerability.
VU#121891                    The CERT/CC has received a public report of a local buffer overflow vulnerability in the grpck utility.
VU#12212                     MIT magic cookie and XDM authorization contain vulnerabilities that could allow remote attackers to connect to X displays.
VU#123384                    MySQL is a popular open source database package. The MySQL client that ships with the MySQL package contains a buffer overflow.
VU#123651    CVE-2001-0573   The IBM AIX operating system contains a vulnerability in the lsfs utility that allows a local user to execute arbitrary code as root.
VU#124003    CVE-2002-0061   A vulnerability in the Apache HTTP Server running on Win32 systems (Windows 9x/Me, Windows NT/2000/XP) could allow an attacker to execute commands with the privileges of the web server process.
VU#124352    CVE-2001-0085   The HP-UX version of kermit contains a buffer overflow that allows local users to prevent other users from running kermit.
VU#125235                    Some versions of the Apache Web server are vulnerable to denial-of-service attacks by crafted HTTP requests.
VU#127435    CAN-2001-1256   The kmmodreg program distributed with some HPUX versions creates two temporary files with predictable names. Due to insecure handling of these files, an intruder may use them to overwrite arbitrary files during system boot via a symbolic link attack.
VU#12746     CVE-1999-0668   The ActiveX control "scriptlet.typlib" is incorrectly marked "safe for scripting" in Internet Explorer (IE) versions 4.0 and 5.0, when it is actually unsafe for scripting.
VU#128491                    Macromedia Flash 6 does not terminate connections when a web user leaves the page. These connections may consume excessive amounts of bandwidth and limit the flow of other data.
VU#13121     CVE-1999-0715   The Microsoft Remote Access Service API contains a vulnerability that allows local attackers to execute arbitrary code with system privileges.
VU#13145     CVE-1999-0835   Version 8.2.2 of BIND (current circa November 1999) contained a buffer overflow in the routine that converts records from network format to database format.
VU#131569    CVE-2001-0538   A vulnerability exists in an ActiveX control supplied with Microsoft Outlook 2002 that could allow malicious code on a web page or in an HTML email message to manipulate Outlook data or execute arbitrary code as the user running Outlook.
VU#131923    CVE-2001-1141   The pseudorandom number generator (PRNG) in OpenSSL has a weakness that allows an attacker to determine its internal state and subsequently determine its future output values.
VU#132011    CVE-2002-0329   Snitz Forums 2000 does not adequately check "IMG" tag "SRC" attributes and thus contains a cross-site scripting vulnerability.
VU#132099    CAN-2001-0557   Jana Server contains a directory traversal vulnerability.
VU#13217                     A problem existed with HP versions of the r-commands (remshd, rexecd, rlogin, rlogind, remsh, rcp, rexec, rdist) in use circa December, 1998.
VU#133771    CAN-2001-1018   Lotus Domino Web server discloses its IP address to some HTTP req
VU#134025    CAN-2003-0019   The uml_net utility, part of the kernel-utils package in Red Hat Linux 8.0, was shipped with incorrect permissions.
VU#135531    CAN-2001-1120   A vulnerability exists in Allaire ColdFusion Server which allows an attacker to have unauthorized read and delete access to files on the target host.
VU#137024    CAN-2001-0134   The Compaq web-enabled management software contains a buffer overflow in the authentication component of the product. Remote intruders may be able to execute arbitrary code with privileges on affected systems. Many Compaq products are affected, from personal computers to commercial UNIX operating systems.
VU#137115    CAN-2002-0031   Yahoo! Messenger is an instant messaging client. A remotely exploitable vulnerability has been reported in the URI handler of Yahoo! Messenger.
VU#137544    CVE-2001-0335   The Microsoft IIS FTP Service contains a vulnerability that allows remote attackers to log in using domain accounts without providing a specific domain name.
VU#137555                    The HP Tru64 UNIX implementation of "chfn" contains a locally exploitable buffer overflow.
VU#13877     CVE-1999-1085   There is an information integrity vulnerability in the SSH1 protocol that allows packets encrypted with a block cipher to be modified without notice.
VU#139129    CAN-2003-0209   The Snort "stream4" preprocessor module contains a vulnerability that allows remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root.
VU#139139    CAN-2001-0786   Air Messenger LAN Server (AMLServer) stores usernames and passwords in plaintext.
VU#139315                    SurfControl SuperScout Web Filter does not block some HTTP requests that have been fragmented into multiple packets.
VU#139491    CVE-2001-1071   The Cisco IOS contains a denial-of-service vulnerability that allows nearby remote attackers to crash or temporarily disable affected network devices.
VU#139931    CVE-2002-0187   A cross-site scripting vulnerability exists in the Microsoft SQLXML HTTP components. This vulnerability could allow an attacker to execute script on a victim's system with the victim's privileges.
VU#140723                    Advanced Poll is a polling system written in PHP for use on web sites. When a flat file database is used, Advanced Poll does not adequately authenticate users, thereby allowing any user to gain Advanced Poll administrative privileges.
VU#140977                    The Windows version of SSH Secure Shell for Workstations contains a buffer overflow vulnerability that may allow an attacker to execute arbitrary code.
VU#142121    CAN-2003-0107   A buffer overflow exists in one of the functions included with the zlib compression library. This vulnerability may allow a remote attacker to execute arbitrary code or cause a denial of service. An exploit for this vulnerability is publicly available.
VU#142228    CAN-2003-0175   A vulnerability in the SGI IRIX PIOCSWATCH ioctl() function may allow local attackers to crash the operating system.
VU#143627                    A buffer overflow vulnerability exists in the RealSystem Server. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable host. An exploit exists for this vulnerability and is publicly available.
VU#145904    CVE-2001-0237   A core service of Microsoft Windows 2000 domain controllers fails to correctly handle certain invalid requests. After receiving a number of invalid requests, the domain controller may have to be rebooted to return it to correct operation. A disabled domain controller can interfere with the ordinary operation of all machines in the domain.
VU#146704    CAN-2001-0253   iWeb Systems Hyperseek search engine may allow malformed URL requests to access files outside the document root of a vulnerable system.
VU#146785                    A buffer overflow vulnerability in the SETI@home client could allow a remote attacker to execute arbitrary code or cause the SETI@home client to fail. An exploit for this vulnerability is known to exist and may be circulating.
VU#147587                    The gm4 utility of Mac OS X contains a buffer overflow, which may allow a root compromise through other programs.
VU#149424    CVE-2001-0340   Microsoft Outlook Web Access (OWA) can run malicious scripts on an Exchange server when Internet Explorer (IE) users open email attachments.
VU#149953    CAN-2003-0039   A vulnerability in the Internet Software Consortium's "dhcrelay" makes it possible for a remote attacker to use dhcrelay to launch a denial-of-service attack against a victim dhcp server.
VU#150227                    Multiple vendors' HTTP proxy services use insecure default configurations that could allow an attacker to make arbitrary TCP connections to internal hosts or to external third-party hosts.
VU#152867    CVE-2002-0070   A remotely exploitable buffer overflow exists in the Microsoft Windows
VU#152955                    The FC client in IBM's AIX contains a buffer overflow that may cause a core dump in the client.
VU#153043                    Some versions of SquirrelMail do not properly validate input. Attackers can spoof email addresses through this vulnerability.
VU#153653    CAN-2000-1009   Some implementations of the Linux backup utility, dump, call external programs on remote machines via the RSH environment variable. This may permit an attacker to compromise root if dump is setuid root.
VU#154976    CAN-2001-0470   The SNMP proxy agent on certain large Solaris systems contains a buffer overflow. It may be possible, though it is unconfirmed, that an intruder could use this flaw to execute code with root privileges.
VU#155252                    Some versions of Microsoft Windows 2000 feature an SMTP service for handling Internet email. A flaw in this SMTP service may result in a denial-of-service vulnerability.
VU#156123                    Microsoft Office Web Components (OWC) allows a malicious script on a web page to learn if a file exists on the client's filesystem.
VU#157447                    OpenSSH is an implementation of the Secure Shell protocol. When OpenSSH is configured with the UseLogin directive equal to "yes", an intruder can execute arbitrary code with the privileges of OpenSSH, usually root.
VU#157795                    Some versions of Magic eDeveloper Enterprise Edition contain a symbolic-link vulnerability that allows attackers to overwrite data or execute arbitrary commands.
VU#157961    CAN-2002-1349   A locally exploitable buffer overflow exists in PC-cillin.
VU#158323                    A servlet component of Oracle Configurator may post sensitive version and host information to any Web user that makes a crafted request to the server.
VU#158499                    The HP Tru64 UNIX implementation of "csh" contains a locally exploitable buffer overflow.
VU#159203                    Novell NetWare 5.1 is a network management operating system that enables access to files, printers, directories, email, databases, and other network interfaces, as well as providing a web interface. There is an insecure default configuration that places several sample applications in the webroot. Remote users may be able to use these applications to gain sensitive information about the server's configuration, and passwords.
VU#159907    CAN-2002-0449   Talentsoft's Web+ development platform contains a buffer overflow in a component that also installs by default into all web sites produced by Web+.
VU#161576    CVE-2001-0361   An implementation problem in at least one Secure Shell (SSH) product and a weakness in the PKCS#1_1.5 public key encryption standard allows attackers to recover plaintext of messages encrypted with SSH.
                             Sun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. An exploitable stack overflow exists in cachefsd that could permit a local attacker to execute arbitrary code with
                            the privileges of the
VU#161931   CAN-2002-0084   cachefsd, typically root.
                            Microsoft Internet Explorer
                            does not adequately
                            validate references to
                            cached
                            objects and methods
                            across domains and
                            security zones. The impact
                            is similar
                            to that of a cross-site
                            scripting vulnerability,
                            allowing an attacker to
                            access
                            data in other sites,
                            including the Local
VU#162097   CAN-2002-1262   Computer zone.
            x_news allows a user to
            authenticate without
            supplying the user's
            plaintext
VU#162723   password.




            With certain options used,
            cryptcat does not encrypt
            network connections as
VU#165099   expected.
VU#16532    CVE-1999-0833   A vulnerability in BIND, repaired in version 8.2.2p5, allows remote attackers to execute code with the privileges of the process running named. This vulnerability was widely exploited from November 1999 to December 2000.
VU#165803                   There is a vulnerability in Apache 2.0 through 2.035 that could disclose the real path to a CGI script or other file.
VU#1673     CVE-1999-0668   Versions of the Eyedog ActiveX control current circa August, 1999, are incorrectly marked safe for scripting.
VU#167464   CVE-2001-0467   Viking v1.07 is a 'multi-protocol-internet-server' available from http://www.robtex.com. A vulnerability exists with this web server which allows a remote user to see any file on the server with read permissions enabled.
VU#167739   CAN-2001-0958   A remotely exploitable buffer overflow exists in Trend Micro InterScan eManager.
VU#168795   CAN-2002-0563   Oracle Application Server 9iAS allows remote users to access several Apache services without authentication.
VU#168873                   A vulnerability in Oracle's E-Business Suite Report Review Agent (RRA) allows arbitrary files to be retrieved with no authentication.
VU#169059   CAN-2002-0517   The X11 library included with many UNIX variants contains a buffer-overflow vulnerability that may allow attackers to gain root privileges.
VU#169753   CAN-2003-0113   A buffer overflow in URLMON.DLL may allow an intruder to execute arbitrary code.
VU#169841   CAN-2002-0836   A vulnerability in the dvips utility can allow a remote attacker to execute arbitrary code on a vulnerable system.
VU#17215                    Some SGI systems produced circa 1998 allowed an intruder to send mail that would execute commands when the reader opened the message.
VU#172315   CVE-2002-0032   Yahoo! Messenger is an instant messaging client. When installed, Yahoo! Messenger enables a URI handler (ymsgr:parameter). The addview function of this handler can be used to execute arbitrary script/html on the local system.
VU#172583   CVE-2001-0803   A remotely exploitable buffer overflow exists in the Common Desktop Environment (CDE) Subprocess Control Service (dtspcd). An attacker who successfully exploits this vulnerability can execute arbitrary code as root.
VU#173977                   The HP Tru64 UNIX implementation of "ps" contains a locally exploitable buffer overflow.
VU#174248   CVE-2001-0414   A vulnerability in Cisco Content Services Switches (Arrowpoint) allows a valid user to gain administrative access.
VU#17566                    sysback, shipped with AIX systems, allows local users to gain root access because of a failure to use a fully qualified path for a call to hostname.
VU#176363                   Some versions of ncompress contain a buffer-overflow vulnerability.
VU#176888   CVE-2001-0317   Unprivileged local users can use the ptrace function to take advantage of a privileged program, while that program is performing a privileged operation, to gain privileged access.
VU#176972                   Lotus Domino includes an SMTP server. Under certain configurations, an intruder may be able to relay mail to third parties through the Domino SMTP server.
VU#177067                   The HP Tru64 UNIX implementation of "passwd" contains a locally exploitable buffer overflow.
VU#177243                   Mac OS X's Find-By-Content indexing may store file data where it can be served to remote users by Apache.
VU#178024   CVE-2001-0750   Cisco Internetwork Operating System (IOS) may reload unexpectedly after being scanned on certain ports.
VU#178560                   The Dallas Semiconductor iButton DS1991 is vulnerable to a dictionary attack, allowing an intruder to recover passwords.
VU#180147   CVE-2002-0567   Oracle Database Server allows remote users to execute system commands without authenticating.
VU#181721   CAN-2002-1272   The OmniSwitch 7700/7800 running Alcatel Operating System (AOS) version 5.1.1 has TCP port 6778 listening as a telnet server. This gives anyone access to the OmniSwitch's Vx-Works operating system without requiring a password.
VU#181907                   Some versions of My Classifieds contain a directory-traversal vulnerability that allows attackers to overwrite files.
VU#182777                   There is a problem with the nslookup program related to the handling of long strings.
VU#18287    CVE-1999-0493   statd allows access to RPC services it shouldn't.
VU#183397   CVE-2000-1034   There is a buffer overflow in the System Monitor ActiveX control that ships with Windows 2000.
VU#18419    CVE-1999-0093   The nslookup command fails to drop privileges, allowing local attackers to gain root privileges.
VU#184820   CAN-2003-0284   Adobe Acrobat contains a vulnerability in its JavaScript parsing engine that could allow an attacker to place arbitrary files on the local file system.
VU#18500    CAN-1999-0092   There is a buffer overflow vulnerability in the AIX portmir command that may allow local attackers to gain root privileges.
VU#185251                   There exists a buffer overflow vulnerability in cgiemail that allows execution of arbitrary code.
VU#185593   CAN-2003-0562   Novell NetWare Enterprise Web Server contains a buffer overflow vulnerability that can be exploited via the /perl/ HTTP request handler. A remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the server process.
VU#186131   CVE-2002-0599   Blahz-DNS does not properly authenticate users.
VU#187528   CAN-2001-0242   There is a buffer overflow in the parsing of Active Stream Redirector (.ASX) files. This buffer overflow may allow a remote attacker to execute arbitrary code when a user views a malicious web page.
VU#188507   CAN-2002-0090   A locally exploitable buffer overflow exists in the Low BandWidth X pr
VU#190267   CVE-2001-1144   A vulnerability exists in McAfee ASaP VirusScan that permits intruders to access files outside of the web root.
VU#19124    CVE-1999-0787   Older versions of SSH allow local attackers to establish ssh sessions as the victim user without authentication.
VU#191675                   The /usr/libexec/vi.recover script in OpenBSD has a vulnerability that could allow an attacker to remove arbitrary zero-length files, including device nodes.
VU#191763                   A vulnerability exists in iPlanet Web Server, Enterprise Edition and Netscape Enterprise Server in which a malformed Web Publisher command can crash the web server process. This vulnerability only affects Windows NT based servers.
VU#192995   CVE-2002-0391   There is an integer overflow present in the xdr_array() function distributed as part of the Sun Microsystems XDR library. This overflow has been shown to lead to remotely exploitable buffer overflows in multiple applications, leading to the execution of arbitrary code. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations.
VU#193347                   The HP Tru64 Unix operating system contains multiple buffer overflow vulnerabilities.
VU#193523                   A vulnerability exists in the Apache Procedural Language/Structured Query Language (PL/SQL) module used by Oracle9i Application Server (iAS). By specifying the Database Access Descriptor (DAD) used to access a PL/SQL application, an attacker could gain unauthorized access to the application.
VU#195371   CVE-2002-0359   The XFS journaling filesystem uses a call to popen(3) with unfiltered client-controlled input. This will lead to arbitrary command execution on remote systems.
VU#195644                   A denial-of-service vulnerability exists in the Sun ONE Directory Server. This vulnerability may allow a remote attacker to effectively terminate directory services on the affected host.
VU#196945   CVE-2001-0010   The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is a buffer overflow vulnerability in BIND 8.2.x, which may allow remote intruders to gain access to systems running BIND. DNS servers running BIND 8 are responsible for the majority of name resolution services on the Internet. This vulnerability has been successfully exploited in a laboratory environment and presents a serious threat to the Internet infrastructure.
VU#197477   CVE-2000-1164   The default installation of WinVNC on certain Microsoft Windows systems permits unauthenticated access to the WinVNC service.
VU#198355   CVE-2000-0888   There is a denial-of-service vulnerability in several versions of the Internet Software Consortium's (ISC) BIND software. This vulnerability is referred to by the ISC as the "srv bug" and affects ISC BIND versions 8.2 through 8.2.2-P6.
VU#198979   CAN-2001-1338   There is a vulnerability in the Beck IPC@CHIP that may allow an attacker to gain access to the device.
VU#199408                   Microsoft Internet Explorer has a vulnerability that may cause the program to crash when opening some FTP URLs.
                            Aggregated in VU#971179.
VU#200123                   A buffer overflow in uucico, part of the UUCP package on SCO systems, can allow an intruder to gain elevated privileges.
VU#200132   CAN-2003-0434   A vulnerability in various *NIX PDF viewers/readers may allow remote attackers to execute arbitrary commands on your system.
VU#201704   CVE-2001-0147   The Windows 2000 event viewer contains a buffer overflow.
VU#20276    CVE-1999-0067   This document describes a vulnerability in a CGI script known as phf which was widely exploited in 1996 and 1997.
VU#203203                   The mcedit component of some versions of Midnight Commander contains a buffer-overflow vulnerability.
VU#203897   CAN-2003-0150   MySQL reads configuration options from world-writeable files. This can lead to a remote user gaining elevated privileges.
VU#206019                   A buffer overflow in uuxqt, part of the UUCP package on SCO systems, can allow an intruder to gain elevated privileges.
VU#206361                   Lotus iNotes contains a buffer overflow that could permit a remote attacker to execute arbitrary code or cause a denial of service on a vulnerable server.
VU#206537   CAN-2003-0132   A remotely exploitable denial-of-service vulnerability exists in the Apache HTTP Server. Exploitation of this vulnerability may allow an attacker to consume all available system resources, resulting in a denial-of-service condition.
VU#206723                   A remotely exploitable buffer overflow exists in the Gauntlet Firewall.
VU#208052   CAN-2002-0980   There is an MHTML input validation vulnerability in Outlook Express that may lead to arbitrary command and code execution in the Local Computer Zone of a victim host.
VU#208131                   Tomcat does not adequately validate HTTP requests and may reveal Java Servlet Page (JSP) source code if supplied a malformed HTTP request.
VU#20851    CVE-1999-0025
VU#209363                   IBM AIX contains a buffer-overflow vulnerability that may allow remote attackers to gain root privileges.
VU#210148   CAN-2002-1344   The wget utility contains directory traversal vulnerabilities that allow a malicious FTP server to overwrite files on the client host.
VU#210409   CAN-2002-1345   Multiple File Transfer Protocol (FTP) clients contain directory traversal vulnerabilities that allow a malicious FTP server to overwrite files on the client host.
VU#210937                   A vulnerability in the Tivoli Firewall Toolbox version 1.2 has been discovered that can lead to remote unauthorized compromise of the environment within the firewall system.
VU#211736                   The San Diego Supercomputer Center (SDSC) has recently discovered several vulnerabilities in the Alcatel Speed Touch line of Asymmetric Digital Subscriber Line (ADSL) modems. These vulnerabilities are the result of weak authentication and access control policies and result in one or more of the following impacts: unauthorized access, unauthorized monitoring, information leakage, denial of service, and permanent disability of affected devices. The SDSC has published additional information regarding these vulnerabilities at http://security.sdsc.edu/self-help/alcatel/.
VU#212088                   The San Diego Supercomputer Center (SDSC) has recently discovered several vulnerabilities in the Alcatel Speed Touch line of Asymmetric Digital Subscriber Line (ADSL) modems. These vulnerabilities are the result of weak authentication and access control policies and result in one or more of the following impacts: unauthorized access, unauthorized monitoring, information leakage, denial of service, and permanent disability of affected devices. The SDSC has published additional information regarding these vulnerabilities at http://security.sdsc.edu/self-help/alcatel/.
VU#212707                   Several file scanning utilities, including some virus scanners, may fail and crash when scanning compressed file archives.
VU#214555                   French smart card reader terminals can be fooled into accepting imposter smart cards for payment.
VU#215259   CVE-2001-0346   The Microsoft Windows 2000 Telnet Service contains a denial-of-service vulnerability that allows remote attackers to disrupt the telnet service on affected servers.
VU#216227                   SecureCRT is vulnerable to buffer overflow from improper handling of long password input.
VU#219043   CVE-2001-0698   Surge FTP Server 2.0a contains a directory traversal vulnerability.
VU#220715   CAN-2001-0871   Alchemy Eye does not properly validate HTTP requests, allowing arbitrary command execution.
VU#22091    CVE-2000-0229   gpm-root is a program in the gpm package that allows the use of menus in console mode when Ctrl + Mousebutton is pressed. gpm-root does not properly drop group privileges. Local users can gain group privileges by starting a utility from gpm-root.
VU#221164   CAN-2003-0260   A vulnerability in some Cisco Virtual Private Network (VPN) products could allow a remote attacker to cause a denial of service.
VU#221683   CAN-2002-0206   PHP-Nuke has an input-validation vulnerability that can lead to execution of arbitrary PHP code hosted on another web server.
VU#222739                   Handspring Visors equipped with the VisorPhone Springboard module can crash when receiving large SMS images from other mobile devices.
VU#22404    CVE-2000-0892   Some telnet clients may disclose sensitive information in environment
                           Several flaws exist in
                           Microsoft Internet Explorer
                           that could allow an attacker
                           to masquerade as a
                           legitimate web site if the
                           attacker can compromise
                           the
                           validity of certain DNS
                           information. These
                           problems are different from
                           the
                           problems reported in CERT
                           Advisory CA-2000-05 and
                           CERT Advisory CA-2000-
                           08, but
                           they have a similar impact.

                           Digital certificates are small
                           documents used to
                           authenticate and encrypt
                           information transmitted
                           over the Internet. One very
                           common use of digital
                           certificates is to secure
                           electronic commerce
                           transactions through SSL
                           (Secure
                           Socket Layer). The kind of
                           certificates used in e-
                           commerce transactions are
                           called X.509 certificates.
                           The X.509 certificates help
VU#22482   CVE-2000-0518   a web browser and the
                            The Microsoft SQL Server
                            contains a buffer overflow
                            vulnerability that may
                            allow remote attackers to
                            execute arbitrary code with
VU#225555   CAN-2002-0624   system privileges.




                            Alladin Ghostscript, a
                            previewer for postscript
VU#227312   CVE-2000-1162   files, creates temporary files with predictable names. The creation allows attackers to use symbolic links to overwrite other files on the host.
VU#228186   CAN-2001-0741   A denial-of-service vulnerability exists in the Hot Standby Router Protocol (HSRP).
VU#22919    CAN-1999-1206
VU#229595   CAN-2002-1220   A remotely exploitable denial-of-service vulnerability exists in BIND. Based on recent reports, we believe this vulnerability is being actively exploited.
VU#229867   CVE-2002-0816   The Hewlett-Packard Tru64 "su" command contains a locally exploitable buffer overflow. An exploit for this vulnerability is known to exist and may be circulating.
VU#229955                   Some versions of CrazyWWWBoard contain a buffer-overflow vulnerability that can be exploited by a remote user to execute arbitrary code.
VU#230307   CVE-2002-0060   The "netfilter" firewall subsystem included with Linux kernel versions 2.4.x contains a vulnerability that may allow remote attackers to reach hosts that should be protected.
VU#230561   CAN-2003-0070   gnome-terminal may allow a remote attacker to execute arbitrary commands via crafted escape sequences.
VU#231705                   There is a vulnerability in version 4.01 of ScriptLogic that may allow local or domain users to gain administrative access to workstations running the ScriptLogic RunAdmin service.
VU#232164                   Ethereal is a network traffic analysis package. The mount packet dissector contains a vulnerability that may result in the execution of arbitrary code.
VU#233200   CVE-2001-0522   Some versions of GNU Privacy Guard (GPG) contain a format-string vulnerability from improper handling of filenames when decrypting files.
VU#23412    CVE-1999-0702
VU#23495    CAN-2000-0333   Incorrect decoding of malformed DNS packets causes some versions of tcpdump and ethereal to hang or crash when these packets are encountered.
VU#234971   CVE-2002-0082   There is a remotely exploitable buffer overflow in two modules that implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocol. This can be used to execute arbitrary code.
VU#237777   CAN-2002-1292   A flaw in the Microsoft virtual machine (Microsoft VM) could allow malicious Java applets to block other, legitimate applets from running, resulting in a denial-of-service condition.
VU#240329   CAN-2002-0840   Versions of the Apache HTTPD server with wildcard DNS enabled and UseCanonicalName disabled are vulnerable to a cross-site scripting attack.
VU#24140    CVE-2000-0289   The default configuration of the IP Masquerade feature of certain Linux 2.2 kernels may allow unsolicited inbound UDP packets to traverse a NAT gateway and enter the network.
VU#242891   CVE-2002-0190   Microsoft Internet Explorer (IE) may handle malformed Internet pages accessed through the NetBIOS protocol as if they belong to IE's Intranet or Trusted Sites security zones, instead of the more restrictive Internet security zone.
VU#243243                   Entrust GetAccess does not properly validate the CGI variable "LOCALE" and may be exploited to read arbitrary files on the server.
VU#24346    CVE-2000-0380   There is a denial-of-service vulnerability in several Cisco switch and router products which allows an attacker to force affected devices to crash and reboot.
VU#243592                   The San Diego Supercomputer Center (SDSC) has recently discovered several vulnerabilities in the Alcatel Speed Touch line of Asymmetric Digital Subscriber Line (ADSL) modems. These vulnerabilities are the result of weak authentication and access control policies and result in one or more of the following impacts: unauthorized access, unauthorized monitoring, information leakage, denial of service, and permanent disability of affected devices. The SDSC has published additional information regarding these vulnerabilities at http://security.sdsc.edu/self-help/alcatel/.
VU#24447    CAN-2000-0383   AOL Instant Messenger (AIM) discloses local file paths during transfer.
VU#244729   CAN-2003-0116   A vulnerability in the way Microsoft Internet Explorer (IE) handles window ornament parameters in dialog frames allows script from a dialog frame in one domain to execute in a different domain, including the Local Machine Zone. The script could read certain local files and data (e.g., cookies) from other web sites. In the presence of other vulnerabilities (VU#626395, VU#25249), the script could execute arbitrary commands.
VU#245707   CAN-2002-0110   Some versions of MiraMail store usernames and passwords in a text file without using encryption.
VU#245795                   Cherokee fails to drop root privileges after binding to port 80.
VU#247371   CVE-2001-0008
VU#247545   CAN-2003-0030   Protegrity Secure.Data for Microsoft SQL Server 2000 includes several extended stored procedures that contain buffer overflow vulnerabilities. These vulnerabilities could allow a remote attacker to execute arbitrary code, gain access to databases, or cause a denial of service.
VU#248337                   A vulnerability in OnlineJFS could allow an intruder to gain greater access than expected.
VU#24839    CVE-1999-0702
VU#249224                   A security vulnerability exists in the newgrp command on certain Hewlett-Packard systems.
VU#249491                   There is a remotely exploitable flaw in IBM's AIX 5.1L login when using loadable authentication modules. This does not affect AIX 4.3 and earlier.
VU#249579   CVE-2001-0738   There is a denial-of-service vulnerability in certain distributions of the Linux kernel logging daemon (klogd) which could allow an attacker to cause klogd to hang.
VU#250107                   Mike Spice's Vote does not adequately validate user input, allowing directory traversal. As a result, an attacker can cause Vote to overwrite any file on the server to which the web server process has write privileges.
VU#250635   CAN-2002-0724   Microsoft Server Message Block (SMB) may crash when it receives a crafted SMB_COM_TRANSACTION packet requesting a NetServerEnum2 transaction. Attackers can use this vulnerability to cause a denial of service.
VU#251339                   Verisign offers a service entitled "Code Signing Digital ID for Microsoft Authenticode." Information that is submitted to this site is not transmitted via an SSL-secured session; instead it is transmitted in plain text.
VU#251788   CAN-2003-0309   A problem in the way Microsoft Internet Explorer handles a large number of file download requests could result in the execution of arbitrary code on a vulnerable system.
VU#25249    CVE-2000-0201   The HHCtrl ActiveX control has a serious vulnerability that allows remote intruders to execute arbitrary code if the intruder can cause a compiled help file (CHM) to be stored "locally." Microsoft has released a security bulletin and a patch for this vulnerability, but the patch does not address all circumstances under which the vulnerability can be exploited. This document discusses some of the additional ways in which this vulnerability can be exploited. Some common circumstances under which this vulnerability can be exploited are addressed by the Microsoft patch; others are not. Read this document carefully with your network configuration in mind to determine if you need to take any action. In recent discussions with the CERT/CC, Microsoft has indicated they do not plan to alter the patch.
VU#25309                    There is an information integrity vulnerability in the SSH1 protocol that allows RC4-encrypted packets to be modified without notice.
VU#2558     CVE-1999-0351   There is a vulnerability in the File Transfer Protocol (FTP) that allows an attacker to hijack FTP data connections when the client connects using passive mode (PASV).
VU#255915   CAN-2001-0743   WebBoard does not adequately validate user input, allowing attackers to execute arbitrary JavaScript code on other WebBoard users' systems.
VU#25701    CAN-2000-0667   gpm version 1.19.2 and earlier are vulnerable due to a flaw that allows a local user to delete arbitrary files.
VU#25716    CVE-2000-0226   Microsoft IIS 4.0, circa March 2000, contained a vulnerability that allowed an intruder to consume unlimited memory on a vulnerable server.
VU#258555   CAN-2002-0656   OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) protocol. A remotely exploitable vulnerability exists in OpenSSL clients that could lead to the execution of arbitrary code on the client's system.
VU#258632   CVE-2001-0331   There is a remotely accessible buffer overflow in SGI IRIX systems running rpc.espd that may allow remote attackers to execute arbitrary code. The Embedded Support Partner daemon (rpc.espd) is enabled by default on all IRIX versions since 6.5.5.
VU#258721   CVE-1999-0097   Various FTP client implementations do not correctly handle files whose name begins with the "|" (pipe) character.
VU#258731                   A vulnerability in Check Point VPN-1/FireWall-1 running on Nokia IPXXX Appliances can allow an attacker to pass traffic allowed by the security policy through the firewall while retaining the external (untranslated) destination IP address.
VU#25919    CAN-1999-1484
VU#259435                   America Online's Instant Messenger (AIM) contains a remotely exploitable buffer overflow vulnerability.
VU#259787   CAN-2002-1420   A locally exploitable buffer overflow exists in all versions of OpenBSD.
VU#261537   CAN-2002-1561   The RPC service in Microsoft Windows NT 4.0, 2000, and XP can be terminated by a specially crafted RPC message. A remote attacker could cause a denial of service.
VU#26188    CVE-2000-0445   Under certain circumstances, PGP v5.0 generates keys that are not sufficiently random, which may allow an attacker to predict keys and, hence, recover information encrypted with that key.
VU#264272   CVE-2001-0004   A vulnerability exists in Microsoft Internet Information Server (IIS) in which a crafted HTTP GET request may return the contents of a file on the affected server. A possible target of such a request might be a script that should only be executable (not readable) by unauthenticated remote users. The contents of such a file might contain sensitive information such as user credentials for access to a back-end database. This is a variation of the vulnerability discussed in VU#35085 and Microsoft Security Bulletin MS00-031 and more recently in VU#28565 and Microsoft Security Bulletin MS00-044.
VU#26493    CVE-2000-0277   Excel fails to present a warning dialog when a macro is called from an external XLM (text macro) file.
VU#265232   CAN-2003-0346   A Microsoft Windows DirectX library, quartz.dll, does not properly validate the number of tracks value in Musical Instrument Digital Interface (MIDI) files. An attacker could exploit this vulnerability to execute arbitrary code or crash any application using the library, causing a denial of service.
VU#266032   CVE-2001-0153   A vulnerability in an object included with Visual Studio 6.0 Enterprise Edition may allow an attacker to execute code with the privileges of an interactively logged in user.
VU#266817   CAN-2002-1265   A denial-of-service vulnerability exists in multiple vendor Sun RPC-based libc implementations.
VU#267873   CAN-2003-0201   Samba contains several buffer overflow vulnerabilities. At least one of these vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service.
VU#268848                   A buffer overflow in the text editor on certain Hewlett-Packard systems could compromise system availability.
VU#26924    CVE-1999-0702
VU#270083   CAN-2001-0824   Web servers that use the IBM VisualAge Professional Version 3.5 Java Servlet Container are vulnerable to a cross-site scripting vulnerability. A web site may inadvertently include malicious HTML tags or script (JavaScript, VBScript, Java, etc.) in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem when a web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user.
VU#272644                   A remotely exploitable buffer overflow vulnerability has been discovered in the Yahoo! Audio Conferencing ActiveX control.
VU#273779                   IBM AIX contains a possible buffer-overflow vulnerability.
VU#274043   CVE-2001-0670   The line printer daemon enables various clients to share printers over a network. There exists a buffer overflow vulnerability in this daemon that permits remote execution of arbitrary commands with elevated privileges.
VU#275979   CVE-2001-0728   The Compaq web-enabled management software contains a buffer overflow. Remote intruders may be able to execute arbitrary code with privileges on affected systems. Many Compaq products are affected, from personal computers to commercial UNIX operating systems.
VU#276321   CVE-2002-0726   Microsoft Windows Terminal Services Advanced Client (TSAC) contains a remotely exploitable buffer overflow.
VU#276767   CVE-2001-0327   A buffer overflow exists in the iPlanet Web Servers (Enterprise and FastTrack Editions) that may allow remote attackers to gain read access to sensitive information contained in the memory of the web server process. The information disclosed may include user IDs, passwords, cookies or authentication data belonging to other users of the web server. With this data the attacker may be able to falsely authenticate themselves to the web server as other users. In some cases, the attacker may be able to prevent the normal operation of the web server using this vulnerability.
VU#276944   CAN-2001-1306   The iPlanet Directory Server contains vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, the CERT/CC encourages you to follow the advice provided below.
VU#27857    CVE-2000-0596   Under certain conditions, Internet Explorer can open Microsoft Access database or project files containing malicious code and execute the code without giving a user prior warning. Access files that are referenced by OBJECT tags in HTML documents can allow attackers to execute arbitrary commands using Visual Basic for Applications (VBA) or macros. A patch which protects against all known variants of attack exploiting this vulnerability is now available. A workaround which was previously suggested provided protection against one specific publicly available exploit using .mdb files but did not protect against attack using many other Access file types. (See below for a complete list of file types.)
VU#278971   CVE-2001-1372   Oracle 9i Application Servers (Oracle 9iAS) contain a default error page that can be used to find the physical path of files on the system.
VU#279323   CVE-2001-0644   Microsoft SQL Server ships with several administrative tools that allow database users to elevate their administrative privileges from a single database to all databases on the server.
VU#279763                   A vulnerability exists in the remote administration client for RhinoSoft Serv-U. During the authentication process, the client ignores the S/KEY one-time password (OTP) challenge sent by the server and sends the password entered by the user in plaintext.
VU#28027    CAN-2000-0893   Attackers are using the presence of the dgld service to identify SGI IRIX systems.
VU#282403   CAN-2001-1226   AdCycle does not adequately filter user input, allowing remote attackers to execute arbitrary MySQL queries.
VU#28370    CVE-1999-0379   The taskpads ActiveX control included with some resource kit products circa February 1999 was incorrectly marked safe-for-scripting.
VU#283723   CVE-2001-0889   Under certain configurations, Exim may execute commands embedded in a mail message's From address.
VU#284857   CAN-2003-0026   The Internet Software Consortium (ISC) has discovered several buffer overflow vulnerabilities in their implementation of DHCP (ISC DHCPD). These vulnerabilities may allow remote attackers to execute arbitrary code on affected systems. At this time, we are not aware of any exploits.
VU#28565    CVE-2000-0630   A vulnerability exists in Microsoft Internet Information Server (IIS) that could disclose sensitive information contained in CGI-type files. Typically a CGI/script file on a web server should only be executable and not readable to remote users. Sensitive information contained in CGI-type files might include user credentials for access to a back-end database. This is a variation of the vulnerability previously discussed in VU#35085 and Microsoft Security Bulletin MS00-031.
VU#287067   CVE-2001-0718   A malformed Microsoft Excel or PowerPoint document can bypass macro checking, thereby allowing arbitrary code to be run on the target system.
VU#287771                   Internet Key Exchange (IKE) implementations from several vendors contain buffer overflows and denial-of-service conditions. The buffer overflow vulnerabilities could permit an attacker to execute arbitrary code on a vulnerable system.
VU#28934    CVE-1999-0977   The sadmind program can be used to perform distributed system administration operations remotely using RPC. A stack buffer overflow in sadmind may be exploited by a remote attacker to execute arbitrary instructions and gain root access.
VU#290140   CVE-2002-1024   Multiple Cisco networking products contain a denial-of-service vulnera
            The CERT/CC is aware of
            a report about "several
            remotely exploitable buffer
            overflow vulnerabilities in
            the Oracle Web Cache
            Server" that could allow an
            unauthenticated, remote
            attacker to execute
            arbitrary code with the
            privileges
VU#291555   of the Web Cache process.




VU#293305                   The HP Tru64 UNIX implementation of "lprm" contains a locally exploitable buffer overflow.
VU#295867   CVE-2001-0501   There is a vulnerability caused by a failure to detect macros embedded in Microsoft Word documents. This vulnerability may allow the author of a malicious document to execute arbitrary commands as the user who opens the document.
VU#297363   CVE-2002-0081   Vulnerabilities in PHP versions 3 and 4 could allow an intruder to execute arbitrary code with the privileges of the web server.
VU#29795    CVE-1999-0702
VU#29823    CVE-2000-0573   A vulnerability involving an input validation error in the "site exec" command has recently been identified in the Washington University ftpd (wu-ftpd) software package. Sites running affected systems are advised to update their wu-ftpd software as soon as possible.
                            A similar but distinct vulnerability has also been identified that involves a missing format string in several setproctitle() calls. It affects a broader number of ftp daemons. Please see the vendor section of this document for specific information about the status of specific ftpd implementations and solutions.
VU#298233   CAN-2003-0085   A buffer overflow vulnerability has been discovered in Samba. An updated version has been released.
VU#299816   CVE-2002-0678   The Common Desktop Environment (CDE) ToolTalk RPC database server does not adequately validate file operations and follows symbolic links, allowing a local attacker to overwrite any file that is writeable by the server. The ToolTalk RPC database server typically runs with root privileges.
VU#301059   CAN-2002-0857   The Oracle Listener Control Utility (LSNRCTL) contains a format string vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or commands or cause a denial of service.
VU#30308    CAN-2000-1208   The line printer daemon enables various clients to share printers over a network. There exists a flaw in the authentication method in this daemon that permits remote access to the server.
VU#303080                   WinVNC's challenge/response mechanism can allow an intruder to obtain legitimate credentials from a valid client in order to gain unauthorized access to the server.
VU#3062                     The ActiveX control Cenroll permits unauthorized users to create files on the local system.
VU#307306   CAN-2002-0866   The Java Database Connectivity (JDBC) classes of Microsoft's Java virtual machine (VM) do not properly validate DLL requests, allowing a malicious applet to load and execute any DLL on the client system.
VU#307835   CAN-2002-0560   Oracle9i Application Server (iAS) provides a Procedural Language/Structured Query Language (PL/SQL) application (package) called OWA_UTIL that provides web access to a number of stored procedures. These procedures could be used by an attacker to view the source code of PL/SQL applications, obtain credentials and access to other database servers, and run SQL queries on accessible database servers.
VU#308891   CAN-2002-0655   OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) protocol. There is a buffer overflow on 64-bit platforms related to the ASCII representation of integers.
VU#310295   CVE-2001-1158   Check Point VPN-1/FireWall-1 version 4.0 & 4.1 may allow an intruder to pass traffic through the firewall on port 259.
VU#310387   CVE-2002-0339   A vulnerability exists in multiple versions of Cisco's Internetworking Operating System (IOS) software that allows an attacker to collect fragments of previously processed packets.
VU#310816   CVE-2001-0675   Due to a problem parsing carriage return/line feeds in RFC822 format mail messages, The Bat! mail client may prematurely detect the end of a mail message, causing an error to occur. This error may prevent the mail user from retrieving other mail messages until the message with the error is removed.
VU#311619                   Microsoft Server Message Block (SMB) may crash upon receipt of a crafted SMB_COM_TRANSACTION packet requesting a NetServerEnum3 transaction. Attackers can use this vulnerability to cause a denial of service.
VU#312313   CAN-2002-1317   A remotely exploitable buffer overflow has been discovered in the Solaris X Window Font Service (XFS) daemon (fs.auto).
VU#312761   CVE-2001-0773   Cayman gateways are vulnerable to a denial of service. An attacker can send a number of TCP connect() requests or SYN packets, in conjunction with a "Bouncing" vulnerability, and can cause a denial of service to the gateway.
VU#313280                   A buffer overflow vulnerability exists in the Apache Procedural Language/Structured Query Language (PL/SQL) module used by Oracle9i Application Server (iAS). This vulnerability could allow an unauthenticated remote attacker to cause a denial of service or execute arbitrary code on the system with the privileges of the Apache process.
VU#313819   CVE-2002-0364   A buffer overflow vulnerability in IIS 4.0 and 5.0 could allow an intruder to execute arbitrary code on an IIS server with the privileges of the HTR ISAPI extension.
VU#314347                   phpBB is an open-source bulletin board program. There exists a user input validation problem with regard to the parsing of the URL. An intruder can execute limited SQL queries and gain administrative privileges on the bulletin board.
VU#314776   CVE-2001-0488   The utility pcltotiff is installed with insecure permissions on some Hewlett Packard systems.
VU#314963                   The OpenBSD kernel does not adequately check file descriptors 0-2 prior to exec()ing setuid binaries. Other OS kernels may be vulnerable as well.
VU#315308                   There is an information integrity vulnerability in the SSH1 protocol that allows the last block of an IDEA-encrypted session to be modified without notice.
VU#31554    CAN-2000-0713   By embedding malicious code in a Portable Document Format (PDF) file, an attacker can cause arbitrary code to execute on the victim's system.
VU#31607    CVE-2000-0737   A vulnerability exists in the Microsoft Windows 2000 Service Control Manager which could allow local users to gain control of the system.
VU#317348   CAN-2003-0259   A vulnerability in some Cisco Virtual Private Network (VPN) products could allow a remote attacker to cause a denial of service.
VU#318835                   Mike Spice's Quiz Me! does not adequately validate user input, allowing directory traversal. As a result, an attacker can cause Quiz Me! to overwrite any file on the server to which the web server process has write privileges.
VU#31994    CAN-2000-0400
VU#320067                   The HP Tru64 UNIX implementation of "dtterm" contains a locally exploitable buffer overflow.
VU#320516   CAN-2003-0348   An ActiveX control included with Windows Media Player 9 does not adequately validate script access to the Windows Media Library. This could allow an attacker to read or modify data contained in the library.
VU#320944                   FTP Voyager is an FTP client implemented as an ActiveX control. It is incorrectly marked as "safe for scripting", allowing malicious web pages or email messages to upload and download files.
VU#321475                   A vulnerability exists in Allaire ColdFusion Server which allows an attacker to overwrite ColdFusion Server templates with zero byte files.
VU#32231    CVE-2000-0676   Netscape Communicator and Navigator ship with Java classes that allow an unsigned Java applet to access local and remote resources in violation of the security policies for applets.
VU#322540                   A buffer overflow vulnerability in the rexec program supplied in some versions of the HP-UX operating system could allow local users to gain privileged access.
VU#32448    CVE-2000-0530   KApplication-class, a class used to create KDE applications, creates configuration files without checking for proper ownership or prior existence.
VU#325431   CVE-2001-0012   The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is an information leakage vulnerability in BIND 4.9.x and 8.2.x, which may allow remote intruders to obtain information from systems running BIND. Although BIND 4.9.x is no longer officially maintained by ISC, various versions are still widely deployed on the Internet.
                            This vulnerability has been exploited in a laboratory environment and presents a moderate threat to the Internet infrastructure.
VU#32650    CVE-2000-0673   The NetBIOS Name Service (NBNS) provides a means for hostname and address mapping on a NetBIOS-aware network. The NetBIOS over TCP/IP protocols (including NBNS) are described in the Internet Engineering Task Force (IETF) Request for Comments RFC1001 and RFC1002. These protocols do not specify a method for authenticating communications, and as such, machines running NetBIOS services are vulnerable to spoofing attacks.
                            NetBIOS is a set of defined software interfaces for vendor-independent PC networking and is primarily used on Microsoft Windows computers. NetBIOS is enabled by default on Windows95 and Windows98 machines.
VU#326746   CAN-2003-0605   A vulnerability exists in Microsoft's Remote Procedure Call (RPC) implementation. A remote attacker could exploit this vulnerability to cause a denial of service. An exploit for this vulnerability is publicly available.
VU#327281   CVE-2001-0779   A remotely exploitable buffer overflow exists in the 'rpc.yppasswd' service on Solaris 2.6, 2.7, and 2.8.
VU#3278                     Older versions of sendmail (circa 1995) incorrectly used popen to process certain arguments.
VU#32794    CVE-2000-0236   A vulnerability exists in iPlanet Web Server and Netscape Enterprise Server in which Web Publisher commands can be used to obtain directory listings.
VU#328163   CVE-2002-0057   The Microsoft XMLHTTP ActiveX control allows unauthorized reading of any known file on a system. A victim must be enticed to visit a malicious site in order to be attacked.
VU#328867                   Firewalls and other systems that inspect FTP application layer traffic may not adequately maintain the state of FTP commands and responses. As a result, an attacker could establish arbitrary TCP connections to FTP servers or clients located behind a vulnerable firewall.
VU#329561                   The RealNetworks' Helix Universal Server supports delivery of several different media types via RTSP (Real Time Streaming Protocol). Vulnerabilities have been discovered in the way it handles some RTSP requests. These vulnerabilities could allow a remote attacker to execute arbitrary code on vulnerable systems.
VU#330275   CAN-2002-0792   The Cisco Content Service Switch contains a denial-of-service vulnerability that allows remote attackers to reboot affected devices.
VU#331937                   A vulnerability in BEA's WebLogic Server may disclose sensitive infor
VU#332299                   Versions earlier than 5.0.9 of Lotus Domino R5 Servers with Secure Socket Layer (SSL) enabled are vulnerable to a denial of service.
VU#33433    CAN-2000-0385   FileMaker may expose data inadvertently.
VU#336083   CVE-2002-0178   The uudecode utility contains a vulnerability that allows an attacker to overwrite arbitrary files, symbolic links, and named pipes.
VU#338195   CAN-2002-0643   Microsoft SQL server versions 7.0 and 2000, as well as MSDE 1.0, may leave installation and log files on the server after the installation process is complete. These files may contain sensitive information such as passwords [used during the install]. Users with authenticated access to the server may be able to view this information and gain elevated privileges.
VU#339779   CAN-2001-0433   Savant Web Server has a buffer overflow vulnerability in handling of the HTTP 1.1 Host header.
VU#34043    CVE-2000-0666   The CERT/CC has begun receiving reports of an input validation vulnerability in the rpc.statd program being exploited. This program is included, and often installed by default, in several popular Linux distributions. Please see the vendors section of this document for specific information regarding affected distributions.
                            More information about this vulnerability is available at the following public URLs:
                            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0666
                            http://www.securityfocus.com/bid/1480
                            The rpc.statd program passes user-supplied data to the syslog() function as a format string. If there is no input validation of this string, a malicious user
VU#341187                   A remotely exploitable authentication vulnerability exists in the SSH Communications Security SSH Secure Shell server, and possibly other SSH servers.
VU#341539                   Novell GroupWise web application does not adequately validate user input, allowing directory traversal.
VU#342243   CAN-2002-0724   Microsoft Server Message Block (SMB) is a protocol for sharing data and resources between computers. SMB may crash upon receipt of a crafted SMB_COM_TRANSACTION packet requesting a NetShareEnum transaction. Attackers can use this vulnerability to cause a denial of service. SMB is included in many versions of Microsoft Windows.
VU#342768   CVE-2001-0119   getty_ps is an open-source software package designed to support logons to the console and terminals. Some implementations create temporary files insecurely with predictable names, leading to corruption of arbitrary files via symbolic link attack.
VU#34453    CAN-1999-1206
VU#345576   CVE-2001-0240   There is a vulnerability caused by a failure to detect macros embedded in templates used by rich text format documents opened in Microsoft Word. This vulnerability may allow the author of a malicious document to execute arbitrary commands as the user who opens the document.
VU#348040                   RSA Security ACE/Agent for Windows, ACE/Agent for Windows NT, and ACE/Agent for Windows 2000 contain a vulnerability in which the ACE/Agent does not properly handle URL encoded characters contained in a URL. A specially crafted request may bypass authentication and expose the contents of files or execute commands on the web server.
VU#349019   CVE-2001-0774   Tripwire is a file integrity verification utility for Unix and Linux operating systems. In some implementations, tripwire opens insecure temporary files with predictable names in publicly-writable directories. Using a symbolic link attack, a local intruder may overwrite or create arbitrary files on machines running tripwire.
VU#35085    CVE-2000-0457   A vulnerability exists in Microsoft Internet Information Server (IIS) which could disclose sensitive information contained in CGI-type files. Typically a CGI/script file on a web server should only be executable and not readable by remote users. Sensitive information contained in such a file might include user credentials for access to a back-end database.
VU#351219   CVE-2001-0701   The Sun Solaris ptexec command is subject to a buffer overflow due to not adequately validating arguments passed via the -o option.
VU#354387                   The Yahoo! Mobile service contains an information exposure vulnerab
VU#354648   CVE-2001-0006   A mutex controlling access to resources required for networking on Windows NT (Microsoft Windows NT 4.0 and Microsoft Windows NT 4.0, Terminal Server Edition) has inappropriate permissions.
VU#355169                   Lotus Domino Web Server is an application that provides access to Lotus Notes databases via HTTP requests. A vulnerability exists that could permit a remote attacker to cause a denial-of-service situation for HTTP requests.
VU#355707   CVE-2002-0860   The Microsoft Office Web Components allow a remote attacker to read arbitrary files.
VU#355971   CVE-2002-0026   A vulnerability exists in Microsoft Internet Explorer that could permit an attacker to execute arbitrary script, even if the user has specifically disabled active scripting.
VU#35626    CVE-2000-0419   The Microsoft Office 2000 UA ActiveX control is incorrectly marked as "safe for scripting". This vulnerability may allow an intruder to disable macro warnings in Office products and, subsequently, execute arbitrary code. This vulnerability may be exploited by viewing an HTML document via a web page, newsgroup posting, or email message.
VU#356323   CAN-2001-1066   During installation, Netscape 6.0.1 creates a temporary file with insecure options and a predictable name in a world-writable location. By using a symbolic link attack, an attacker could cause overwrite of arbitrary files.
VU#35842    CVE-2000-0566   The 'makewhatis' script in the Linux man package allows local users to overwrite files via a symlink attack.
VU#358960                   There are a set of kernel interfaces called "call gates" which are code primitives used to build system-level calls into an operating system's kernel. A subset of these "call gates" may be able to be manipulated on some operating systems which use improper privilege checking when accessing local descriptor tables (LDTs).
VU#35958    CVE-2000-0482   A large stream of IP traffic can monopolize the CPU of a Check Point FireWall-1 firewall, resulting in a denial-of-service condition.
VU#361065   CAN-2002-0034   Several commercial desktops and laptops from OEM distributors ship with insecure permissions set on files and directories. It has been confirmed that this is due to the use of Microsoft's CONVERT.EXE utility.
VU#361600   CAN-2001-0223   An attacker can send a specially crafted email message to a victim containing malicious scripting (JavaScript, VBScript, JScript, etc.), or potentially HTML. When a victim views the message with scripting enabled, the victim's browser will then interpret this JavaScript, which can lead to several impacts.
VU#361700                   Ethereal is a network traffic analysis package. The PPP packet dissector contains a vulnerability that may result in the execution of arbitrary code.
VU#362483                   The Cisco IOS Firewall Feature Set (also known as Cisco Secure Integrated Software, or Context Based Access Control) may allow an intruder to pass traffic through the firewall in violation of implied security policies.
VU#363001   CAN-2003-0165   Eye of Gnome contains a format string vulnerability that may allow remote attackers to execute arbitrary code with the privileges of the user running the application, typically an unprivileged system user.
VU#36312    CVE-2000-0417   Cayman gateways are vulnerable to a denial of service via the entry of a long username or password sent to the HTTP interface.
VU#363181   CVE-2000-1169   Versions of the OpenSSH client prior to 2.3.0 do not properly enforce restrictions on the ssh-agent or X11 display.
VU#363715   CVE-2002-0071   A buffer overflow in the HTR ISAPI extension on IIS servers could permit an intruder to interrupt the normal operation of IIS or possibly execute arbitrary code with the privileges of the HTR extension.
VU#367320                   MySQL is a popular open source database package. It contains a buffer overflow in the code that processes drop database commands.
VU#36764    CVE-1999-0994   Versions of SYSKEY in use prior to December, 1999 leave the SAM database vulnerable to cryptanalytic attacks.
VU#36866   CVE-2000-0471   There is a buffer overflow in ufsrestore, a file restoration utility.
VU#368819   CVE-2002-0059   There is a bug in the zlib compression library that may manifest itself as a vulnerability in programs that are linked with zlib. This may allow an attacker to conduct a denial-of-service attack, gather information, or execute arbitrary code.
                            It is important to note that the CERT/CC has not received any reports of exploitation of this bug. Based on the information available to us at this time, it is difficult to determine whether this bug can be successfully exploited. However, given the widespread deployment of zlib, we have published this document as a proactive measure.
VU#369347   CVE-2002-0639   There are two related vulnerabilities in the challenge response handling code in OpenSSH versions 2.3.1p1 through 3.3. They may allow a remote intruder to execute arbitrary code as the user running sshd (often root). The first vulnerability affects OpenSSH versions 2.9.9 through 3.3 that have the challenge response option enabled and that use SKEY or BSD_AUTH authentication. The second vulnerability affects PAM modules using interactive keyboard authentication in OpenSSH versions 2.3.1p1 through 3.3, regardless of the challenge response option setting. Additionally, a number of other possible security problems have been corrected in OpenSSH version 3.4.
VU#369427   CVE-2000-0993   There is an input validation vulnerability in the OpenBSD libutil system library that allows local users to gain superuser access via the chpass utility.
VU#370060                   Solaris 8 systems that accept IPv6 traffic may be subject to denial of service attacks from arbitrary remote attackers.
VU#370308   CVE-2002-0650   Microsoft SQL Server 2000 contains a vulnerability that allows remote attackers to create a denial-of-service condition between two Microsoft SQL servers.
VU#37526    CVE-2000-0517   A flaw exists in Netscape Navigator that could allow an attacker to masquerade as a legitimate web site if the attacker can compromise the validity of certain DNS information. This is different from the problem reported in CERT Advisory CA-2000-05, but it has a similar impact. This vulnerability was recently discovered by Kevin Fu of the Massachusetts Institute of Technology and, independently, by Jon Guyer.
                            If a user visits a web site in which the certificate name does not match the site name and proceeds with the connection despite the warning produced by Netscape, then subsequent connections to any sites that have the same certificate will not result in a warning message.
                            It should be noted that neither this vulnerability,
VU#37556                    Microsoft Internet Explorer 4.01 and 5 ship with a series of ActiveX controls to aid in its functionality. Regwiz.dll is a safe-for-scripting ActiveX control that contains a remotely exploitable buffer overflow.
VU#375859   CVE-2002-0369   Microsoft ASP.NET contains a buffer overflow in the routine that handles the processing of cookies in StateServer mode.
VU#377003   CAN-2002-1048   Hewlett Packard (HP) printers store sensitive administrative account information in a variable that is served to any user that makes a certain SNMP request.
VU#377804                   A denial-of-service vulnerability exists in multiple vendor implementations of the Distributed Computing Environment. This vulnerability may allow a remote attacker to cause the service to fail.
VU#378049                   The Utah Raster Toolkit is a graphics library/utility. Several vulnerabilities have been reported in the Utah Raster Toolkit.
VU#37828    CVE-1999-0891   The download behavior of Internet Explorer 5.0 can be used to perform arbitrary operations on local files.
VU#382365   CVE-2000-0917   A popular replacement software package to the BSD lpd printing service called LPRng contains at least one software defect known as a "format string vulnerability" which may allow remote users to execute arbitrary code on vulnerable systems. The privileges of such code will probably be root-level.
VU#38336    CVE-2000-0392
VU#383779   CAN-2002-0370   Multiple file decompression utilities contain buffer overflow vulnerabilities for which the impacts vary.
VU#384932   CAN-2003-0228   Microsoft Media Player contains a vulnerability in the parsing of "Skin Files" that may permit a remote attacker to download arbitrary files to a known location on the local system.
VU#386504   CVE-2001-0169   The GNU libc library fails to perform a check for the SETUID bit for cached libraries in the /etc/ld.so.cache file. As a result, malicious users may create or modify privileged files.
VU#387387   CVE-2002-0679   The Common Desktop Environment (CDE) ToolTalk RPC database server contains a buffer overflow condition that could let an attacker execute arbitrary code or cause a denial of service on a vulnerable system. The ToolTalk RPC database server typically runs with root privileges.
VU#388183   CAN-2001-0671   The Line Printer daemon (lpd) shipped with AIX systems contains a buffer overflow in kill_print() that potentially allows a malicious remote user to gain root privileges.
VU#38950    CVE-2000-0621   Microsoft has recently released Microsoft Security Bulletin MS00-046, in which they announced a patch for the "Cache Bypass" vulnerability. By exploiting this vulnerability, an attacker can use an HTML-formatted message to read certain types of files on the victim's machine.
                            In addition, because this vulnerability also allows the attacker to store files on the victim's machine, it can be used in conjunction with existing vulnerabilities to execute arbitrary code on the target system.
VU#389665   CAN-2002-1357   Secure shell (SSH) transport layer protocol implementations from different vendors contain multiple vulnerabilities in code that handles key exchange and initialization. Both SSH servers and clients are affected. A remote attacker could execute arbitrary code with the privileges of the SSH process or cause a denial of service.
VU#39001    CAN-2000-1208   The line printer daemon enables various clients to share printers over a network. There exists a vulnerability in this daemon that permits an intruder to send options to sendmail.
VU#390280                   A vulnerability exists in the KTH Kerberos IV and Kerberos V (Heimdal) Telnet implementations. When a KTH Kerberos Telnet client requests data encryption and the server does not appear to support it, the client will establish the connection using no encryption. A properly located attacker can then capture and read the contents of the Telnet session.
VU#391347                   There is an input validation vulnerability in phpSecurePages that may allow a remote intruder to execute arbitrary code with the privileges of the running web server.
VU#393195                   Yahoo! Messenger is an instant messaging client. There is a vulnerability in Yahoo! Messenger that permits a remote user to add arbitrary users to the victim's buddy list.
VU#393292                   The Sun Java Runtime Environment (JRE) contains a vulnerability that may lead to sensitive information being leaked.
VU#396272   CVE-2001-0141   mgetty, a replacement for getty designed to support modem and fax use, creates files of a predictable name in a world-writable directory without checking for the prior existence or ownership of the file. Using a symbolic link attack, an intruder might cause the overwrite of arbitrary files on the system, but the risk of elevated privileges is low.
VU#396624   CVE-2001-0267   There is a problem in the NM Debug facility of MPE/iX that allows users to gain unauthorized privileges.
VU#397604   CAN-2003-0255   A vulnerability in GnuPG may cause keys with multiple user IDs to give other user IDs on the key a false amount of validity.
VU#398025   CAN-2002-1337   There is a vulnerability in sendmail that may allow remote attackers to gain the privileges of the sendmail daemon, typically root.
VU#399087   CVE-2001-0338   Microsoft Internet Explorer (IE) fails to properly validate certificates when CRL checking is enabled. As a result, sensitive information may be exposed.
VU#399260   CAN-2002-0649   Microsoft SQL Server 2000 contains a remotely exploitable heap buffer overflow that allows attackers to execute arbitrary code with the same privileges as the SQL server.
VU#399355                   There is a denial-of-service vulnerability in specific versions of Cisco IOS or CatOS.
VU#399531   CAN-2002-0721   MS SQL Server contains an extended stored procedure with inappropriate permission settings.
VU#39965    CVE-1999-0487   A vulnerability exists in the DHTML Edit Control for IE5 that allows arbitrary local files to be uploaded to a web server.
VU#400577   CAN-2003-1328   A vulnerability in Microsoft Internet Explorer (IE) allows remote attackers to read arbitrary files on a vulnerable system.
VU#401808   CVE-2001-0430   Some versions of exuberant-ctags, a source code navigation utility, create and use temporary files insecurely, leading to local file corruption and possible denial-of-service.
VU#403051   CVE-2001-0522   There is a format string vulnerability in GNU Privacy Guard. By sending a GPG message with a carefully crafted malicious filename, an attacker may be able to execute arbitrary code as the user who decrypts the message.
VU#40327    CVE-2000-0525   Versions of OpenSSH prior to 2.1.1 (current circa June, 2000) allow a remote attacker to execute arbitrary commands with the privileges of sshd, typically root.
VU#403307                   The Seagate Crystal Reports product exposes passwords to back-end databases in certain configurations. In particular, the username and password are transmitted in plaintext from the client browser to the server as part of the URL when using technologies other than Active Server Pages (ASP).
VU#403315                   The Nortel Networks CVX 1800 Multi-Service Access Switch discloses privileged information.
VU#405075   CVE-2001-0348   The Microsoft Windows 2000 Telnet Service contains a denial-of-service vulnerability that allows remote attackers to disrupt the telnet service on affected servers.
VU#405955   CVE-2002-0638   The util-linux package contains a race condition vulnerability that can be used to elevate privileges on the system.
VU#406121                   A denial-of-service vulnerability exists in Apache mod_dav.
VU#40813    CVE-1999-0702   SetupCtl 1.0 Type Library is a safe-for-scripting ActiveX control that contains a remotely exploitable buffer overflow. This control ships with Microsoft Internet Explorer 4.01 and 5.
VU#408419   CVE-2002-0083   OpenSSH is a program used to provide secure connection and communications between clients and servers. Channels are used to segregate differing traffic between the client and the server.
VU#408771                   The HP Tru64 UNIX implementation of "mailcv" contains a locally exploitable buffer overflow.
VU#410609                   PHP does not properly filter parameters to its mail() function.
VU#411059   CVE-2001-0877   Microsoft Windows Universal Plug and Play (UPnP) is vulnerable to a denial-of-service attack that could negatively affect the performance of vulnerable machines.
VU#411332   CAN-2003-0567   A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability may allow remote attackers to conduct denial-of-service attacks on an affected device.
VU#411489                   A buffer overflow vulnerability may be exploited via the Lotus Domino Web Retriever. Versions prior to 5.0.12 and 6.0 are affected.
VU#412115   CAN-2003-0001   Many network device drivers reuse old frame buffer data to pad packets, resulting in an information leakage vulnerability that may allow remote attackers to harvest sensitive information from affected devices.
VU#412203   CVE-2002-0073   A vulnerability in IIS could allow an intruder to disrupt ordinary operations of both FTP and Web services on vulnerable IIS servers.
VU#41301                    A buffer overflow exists in the AOL Instant Messenger (AIM) client versions 3.5.x and prior when accepting the screenname from the command line, or through the aim protocol.
VU#413875   CVE-2001-1193   Encrypted File Transfer Program (EFTP) does not properly validate CWD commands, allowing authenticated users to read arbitrary directories and files.
VU#41408    CVE-1999-0702
VU#416427                   The HP Tru64 UNIX implementation of "deliver" contains a locally exploitable buffer overflow.
VU#417216   CVE-2001-0310   The sort utility creates temporary files insecurely, making sort subject to a denial-of-service attack.
VU#419419   CAN-2002-0320   Yahoo! Messenger is an instant messaging client. There is a remotely exploitable buffer overflow vulnerability in the "message" field of Yahoo! Messenger.
VU#420475   CAN-2001-1264   There is a vulnerability in the /sbin/mkacct program, part of Hewlett Packard's Virtual Vault Operating System (VVOS).
VU#424080   CVE-2001-0120   Shadow-utils is an encryption and account management package freely distributed for many Linux implementations. The useradd program in this package creates insecure temporary files with predictable names in a write-protected directory. If this directory is changed to be writable, an attacker may be able to use a symbolic link attack to overwrite arbitrary files.
VU#426273   CVE-2001-0094   There may be a race condition during the creation of Kerberos ticket files in the /tmp directory. This race condition may allow intruders with local access to the system to gain root privileges.
VU#426456   CVE-2001-0116   gpm version 1.19.3, which usually runs as root, is vulnerable due to a flaw that allows a local user to exploit a race condition to corrupt files that gpm uses.
VU#426459                   There is a vulnerability in the Beck IPC@CHIP that allows an attacker to gain access to the device.
VU#430419   CAN-2002-0357   There is a vulnerability in rpc.passwd that could allow root compromis
VU#433489                   Lotus Domino is vulnerable to a pre-authentication buffer overflow attack during Notes authentication.
VU#433499                   There is a buffer overflow in the IBM AIX portmir command that may allow local users to gain root privileges.
VU#435611                   The HP Tru64 UNIX implementation of "at" contains a locally exploitable buffer overflow.
VU#435963   CVE-2001-0504   A vulnerability exists in the SMTP service installed by default on Microsoft Windows 2000 Server (and optionally on Windows 2000 Professional) that could allow an intruder to use the service to send mail.
VU#437899                   The HP Tru64 UNIX implementation of "uux" contains a locally exploitable buffer overflow.
VU#438867   CAN-2002-1016   A vulnerability in Adobe Acrobat eBook Reader allows local users to circumvent redistribution restrictions placed on an eBook by the publisher.
VU#439395   CAN-2001-0766   The Apache (1.3.14) web server's file access protection scheme can be bypassed for the Mac OS X HFS+ filesystem.
VU#439835   CVE-2001-0341   The Microsoft FrontPage Server Remote Application Deployment (RAD) component contains an unchecked buffer which can allow an intruder to execute arbitrary code with the privileges of IUSR_machinename or system.
VU#440275   CAN-2002-0371   There is a buffer overflow in Internet Explorer when IE receives information from a gopher service.
                            msgchk, a part of the MH
                            mail system, reads the
                            user's .mh_profile in order
                            to
                            obtain configuration
                            options. If the .mh_profile
                            is linked to another file
                            with illegal format, the first
                            line of that file will be
                            displayed in an error
VU#440539   CAN-2001-1092   message by msgchk.
                            Several cryptographic
                            vulnerabilities exist in the
                            basic Kerberos version 4
                            protocol that could allow an
                            attacker to impersonate
                            any user in a Kerberos
                            realm and gain any
                            privilege authorized through
VU#442569   CAN-2003-0139   that Kerberos realm.
            Cisco Catalyst OS 7.5(1)
            contains a vulnerability that
            allows anyone who can
            obtain command line
            access to gain "enable"
            mode access without
            knowledge of
VU#443257   the "enable" password.
                            Microsoft Internet Explorer
                            contains a vulnerability in
                            its handling of certain
                            MIME headers in web
                            pages and HTML email
                            messages. This
                            vulnerability may allow
                            an attacker to execute
                            arbitrary code on the
                            victim's system when the
                            victim
                            visits a web page or views
VU#443699   CVE-2001-0727   an HTML email message.
VU#446338   CAN-2003-0112   A stack overflow vulnerability exists in the Microsoft Windows kernel.
VU#446689                   If any rules include the "Fast Mode" option, Check Point Firewall-1 and VPN-1 will incorrectly allow unauthorized connection attempts to hosts that should be restricted.
VU#446864   CVE-2001-0565   A buffer overflow in the mailx program on Solaris systems can allow an intruder to execute code with the privileges of the mail group.
VU#447569   CAN-2003-0111   The Microsoft VM bytecode verifier fails to check for certain malicious code in a Java applet.
VU#448987                   The HP Tru64 UNIX implementation of "uucp" contains a locally exploitable buffer overflow.
VU#451096   CAN-2001-0127   When passed an incorrectly formatted sound file, the Oliver Debon (freeware) Flash plug-in is reportedly vulnerable to a buffer overflow.
VU#451275   CAN-2001-1148   The curses library derived from System V contains a buffer overflow. A local user can execute a command that uses this library to exploit the vulnerability and gain elevated privileges.
VU#453475   CAN-2001-0937   PGPMail.pl does not adequately filter user input, allowing arbitrary command execution.
VU#454091   CVE-2002-0150   A buffer overflow in IIS could allow an intruder to execute arbitrary code with the privileges of the ASP ISAPI extension.
VU#454716   CAN-2003-0220   Kerio Personal Firewall contains a buffer overflow that may allow a remote attacker to execute arbitrary code. An exploit for this vulnerability is publicly available.
VU#455323   The Mandrake Security utility included with Mandrake Linux may make unexpected modifications that affect system security.
VU#457787   CVE-2001-0875   There is a vulnerability in the download dialog box in Internet Explorer versions 5.5 and 6.0. The vulnerability allows an attacker to mislead users, causing them to inadvertently execute arbitrary code on the user's system.
VU#457875   Various implementations of DNS services may allow multiple simultaneous queries for the same resource record, allowing an attacker to apply probabilistic techniques to improve their odds of successful DNS spoofing.
VU#458659   Systems running Microsoft Windows 98, NT, Windows 2000, or Windows XP DNS resolvers accept DNS replies from any IP address, not just the ones being sent DNS requests. This may lead to domain information spoofing or DNS cache poisoning.
VU#459371   CAN-2002-0666   IPsec implementations from multiple vendors do not adequately validate the authentication data in IPsec packets, exposing vulnerable systems to a denial of service.
VU#461219                   There is a vulnerability in the Beck IPC@CHIP that may allow an attacker to gain access to the device.
VU#462451   CVE-2002-0052   A vulnerability in the cross-domain frame security model of Internet Explorer may allow remote attackers to view the contents of local files when a user views a malicious web page.
VU#464113   Various vendors' TCP/IP implementations handle packets containing unusual flag combinations in different ways, which may lead to a violation of implicit or explicit security policies.
VU#464817   Sun Solaris asppls(1M) creates temporary files insecurely, leading to possible local root compromise.
VU#464827   Cherokee contains a directory traversal vulnerability caused by failure to filter '../' character sequences.
VU#465971   CVE-2001-0973   BSCW is a groupware system that runs on a web server. BSCW follows symbolic links in tar files that it extracts into a user's local area. Accessing those links may allow the user to view arbitrary files viewable by the web server, and to overwrite files writable by the web server.
VU#466239   CAN-2001-0671   The Line Printer daemon (lpd) shipped with AIX systems contains a buffer overflow in chk_fhost() that potentially allows a malicious remote user to gain root privileges.
VU#467555   The CERT/CC is aware of a report about a "remotely exploitable format string vulnerability in Oracle Application Server" that could allow an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system.
VU#467828   CAN-2003-0378   Versions 10.2 and later of Apple's MacOS X operating system include support for the Lightweight Directory Access Protocol (LDAP). A vulnerability in the way some of these versions of MacOS X handle authentication in certain environments could expose users' passwords in plaintext as they're transmitted across the network.
VU#470543   CAN-2000-0889   Sun Microsystems uses a variety of X.509 keys signed by VeriSign to secure various web sites. Among these certificates are two that were revoked on October 19, 2000. The certificate IDs for these revoked certificates are 3181 B12D C422 5DAC A340 CF86 2710 ABE6 and 1705 FB13 A22F 9AF3 C130 F562 6E12 504C.
VU#471075   CAN-2001-0971   4D WebServer does not properly validate HTTP requests, allowing directory traversal outside the root web directory.
VU#471084                   The Linux 2.0 kernel contains a vulnerability in the way it processes ICMP errors. This could lead to portions of memory being leaked to a malicious user.
VU#471691   CAN-2001-0561   A1Stats does not properly validate user input, allowing directory traversal and overwriting of files.
VU#474592   CVE-2000-1094   AOL Instant Messenger (AIM) is an application that allows one peer to communicate with another. A buffer overflow vulnerability exists that can manipulate the configuration of the victim's client.
VU#475645   CVE-2001-0166   Incorrectly formatted sound wave (SWF) files may cause a buffer overflow in the Macromedia Flash plug-in.
VU#476267                   An intruder can send certain kinds of data to services that he is not ordinarily able to reach. By crafting the data such that it is redirected through any program the victim uses to render the malicious HTML, the intruder is able to send that data to any services that the victim can send data to. The malicious HTML can be embedded in documents such as an email message, web page, rich-text log or newsgroup posting.
VU#476619   CAN-2002-0568   It is possible to read the "XSQLConfig.xml" and "soapConfig.xml" configuration files from an Oracle 9i Application Server under the default installation without any authorization. This can lead to an intruder gaining access to sensitive information about the server and potentially compromising it.
VU#479268   CAN-2003-0189   The Apache HTTP server contains a denial-of-service vulnerability that allows remote attackers to conduct denial-of-service attacks on the HTTP basic authentication module of an affected server.
VU#482241   CAN-2002-1229   Multiple Avaya switches do not adequately protect privileged access.
VU#484011   CVE-2001-0353   A buffer overflow exists in the Solaris line printer daemon (in.lpd) that may allow a remote intruder to execute arbitrary code with the privileges of the running in.lpd. This daemon runs with root privileges by default on all recent versions of Solaris.
VU#484891   CAN-2002-0649   Microsoft SQL Server 2000 contains a remotely exploitable stack buffer overflow that allows attackers to execute arbitrary code with the same privileges as the SQL server.
VU#485057   RealNetworks' Helix Universal Server supports delivery of several different media types over the Internet via RTSP (Real Time Streaming Protocol). Vulnerabilities have been discovered in the way it handles some RTSP requests. These vulnerabilities could allow a remote attacker to execute arbitrary code on vulnerable systems.
VU#489721   CAN-2003-0009   The Help and Support Center included with Microsoft Windows Millennium Edition and XP does not adequately validate parameters provided in an "hcp://" URI. As a result, an attacker could construct a URI that could cause the Help and Support Center to execute arbitrary script, effectively giving the attacker full control over a vulnerable system.
VU#489995                   Aggregated in VU#971179. A buffer overflow in uuxcmd, part of the UUCP package on SCO systems, can allow an intruder to gain elevated privileges.
VU#490344   The San Diego Supercomputer Center (SDSC) has recently discovered several vulnerabilities in the Alcatel Speed Touch line of Asymmetric Digital Subscriber Line (ADSL) modems. These vulnerabilities are the result of weak authentication and access control policies and result in one or more of the following impacts: unauthorized access, unauthorized monitoring, information leakage, denial of service, and permanent disability of affected devices. The SDSC has published additional information regarding these vulnerabilities at http://security.sdsc.edu/self-help/alcatel/.
VU#4923                     The Microsoft SNMP agent, prior to Windows NT 4.0 Service Pack 4.0, will leak memory.
VU#494307   CAN-2001-1115   SIX-webboard does not adequately validate user input, allowing directory traversal.
VU#495275   CVE-2002-0505   The Cisco Call Manager contains a vulnerability that could permit an intruder to crash the Call Manager.
VU#495705   Some versions of the Multi-Tech ProxyServer products ship without a default password for the administrative interface.
VU#496064   CAN-2001-0231   A vulnerability in ibrow NewsDesk allows an attacker to view files and execute operating system commands with the privileges of the web server.
VU#498440   CAN-2001-0328   Attacks against TCP initial sequence number generation have been discussed for some time now. It has long been recognized that the ability to know or predict ISNs can lead to TCP connection hijacking or spoofing. What was not previously illustrated was just how predictable one commonly-used method of randomizing new connection ISNs is in some modern TCP/IP implementations.
VU#500027   CAN-2001-1293   Intruders can disrupt the normal operation of a 3Com HomeConnect C
VU#500203   CAN-2001-1216   A buffer overflow vulnerability exists in the Apache Procedural Language/Structured Query Language (PL/SQL) module used by Oracle9i Application Server (iAS). This vulnerability could allow an unauthenticated remote attacker to cause a denial of service or execute arbitrary code on the system with the privileges of the Apache process.
VU#500379   CVE-2001-1067   AOLServer versions 3.3.0 and earlier contain an exploitable buffer overflow. This can lead to arbitrary execution of code on the system.
VU#5053   CVE-1999-0158   A vulnerability in versions of the Cisco PIX Firewall Manager (PFM) in use circa September 1998 allows intruders to retrieve files from the host running PFM.
VU#505564   CAN-2001-1309   The IBM SecureWay Directory contains vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, the CERT/CC encourages you to follow the advice provided below.
VU#506441                   The HP Tru64 UNIX implementation of ".upd..loader" contains a locally exploitable buffer overflow.
VU#507771   AOL Instant Messenger (AIM) is an application that allows one peer to communicate with another. A vulnerability exists that can crash the client window.
VU#508387   CAN-2001-0645   Microsoft SQL Server contains multiple SQL injection vulnerabilities that allow database users to leverage administrative privileges on a single database to execute SQL queries or operating system commands with greater privileges.
VU#511194   A remotely exploitable denial-of-service vulnerability exists in the Oracle9i Application Server MOD_ORADAV Module.
VU#516648   CVE-2001-0241   A vulnerability exists in Microsoft IIS 5.0 running on Windows 2000 that allows a remote intruder to run arbitrary code on the victim machine.
VU#516659   CVE-2001-0757   The Cisco 6400 Access Concentrator Node Route Processor 2 (NRP2) module permits unauthenticated telnet access when no password has been set.
VU#516825   CAN-2003-0028   The XDR library from Sun Microsystems is a widely used implementation for RPC services. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations. Some implementations of standard functions in this API may contain an integer overflow.
VU#518057                   A remotely exploitable privilege escalation vulnerability exists in multiple versions of Solaris.
VU#520707   CVE-2002-0075   Visitors to web sites that use Microsoft IIS and also issue redirect response messages are vulnerable to cross-site scripting attacks.
VU#521059   CVE-2002-0072   Intruders may be able to cause the IIS service to fail by sending a particular kind of overly-long URL.
VU#521147   CVE-2002-0359   The XFS file system on SGI systems allows anonymous remote users to call xfs-related RPC functions.
VU#524227   A locally exploitable buffer overflow exists in GNU screen. An exploit is publicly available for this vulnerability.
VU#527228   CAN-2003-0470   There is a buffer overflow in a component of Symantec's web-based Security Check.
VU#527736   Mkpasswd generates passwords that are insufficiently random.
VU#528719   OUSPG has discovered a variety of new vulnerabilities affecting products that use the Session Initiation Protocol (SIP). We believe these vulnerabilities affect a wide variety of products, and while the full impact of these vulnerabilities is not yet known, they range from denial-of-service attacks to the ability to execute arbitrary code on such systems. SIP is primarily used in Voice over Internet Protocol (VoIP), instant messaging, and various other applications.
VU#530299   AOL Instant Messenger (AIM) is an application that allows one peer to communicate with another. A vulnerability exists that can crash the client window and in some cases the operating system (OS).
VU#531355                   The HP Tru64 UNIX implementation of "rdist" contains a locally exploitable buffer overflow.
VU#538033   CAN-2002-1199   A vulnerability in the ypxfrd daemon may allow a local attacker to read arbitrary files on the vulnerable system.
VU#539001   CAN-2002-0696   There is a vulnerability in Microsoft Visual FoxPro 6.0 that allows remote attackers to execute Visual FoxPro applications with the privileges of the victim user.
VU#539363                   There is a vulnerability in several state-based firewall products that allows arbitrary remote attackers to conduct denial of service attacks against vulnerable firewalls.
VU#541384   Certain Alpha versions of AOL Instant Messenger (AIM), that were leaked, would log errors to a log file. By sending a crafted image file, it may be possible to execute arbitrary script/HTML on a victim's browser when they view the log files.
VU#542081   CAN-2002-1142   A vulnerability in the Microsoft Data Access Components (MDAC) could lead to remote execution of code with the privileges of the current process, or user.
VU#542540   CAN-2003-0428   A vulnerability in Ethereal may allow a remote attacker to cause a denial of service.
VU#542873   Lotus iNotes contains a buffer overflow that could permit a remote attacker to execute arbitrary code or cause a denial of service on a vulnerable server.
VU#542971   CAN-2002-0684   Buffer overflow vulnerabilities exist in the DNS stub resolver library used by BSD, ISC BIND, and GNU glibc. Other systems that use DNS resolver code derived from ISC BIND may also be affected. An attacker who is able to control DNS responses could execute arbitrary code or cause a denial of service on vulnerable systems.
VU#544555   A vulnerability in IIS 4.0 may permit intruders to crash vulnerable IIS servers with URL redirection enabled.
VU#544995   A locally exploitable buffer overflow exists in mclear.
VU#547459   Oracle Database Server version 9iAS makes JSP source code publicly available. The source code may be used by attackers to analyze proprietary business logic or uncover Oracle's network configuration, usernames, and/or passwords.
VU#548515   CAN-2001-0669   Multiple intrusion detection systems may be circumvented via %u encoding allowing intruders to launch attacks undetected.
VU#549913   CAN-2002-0030   Acrobat plug-ins can be digitally signed to determine whether they should be loaded by Adobe Acrobat Reader at startup. This digital signature mechanism is not cryptographically strong and allows other potentially-malicious plug-in code to pretend to be certified by Adobe and be executed by Acrobat Reader even when in 'Certified Plug-ins Only' mode.
VU#555464                   The Lotus Domino Web Server contains a flaw that could be exploited to cause a denial of service.
VU#556356   CAN-2003-0230   A vulnerability in Microsoft SQL Server may allow an attacker to hijack a named pipe. An attacker may be able to leverage this vulnerability to gain elevated privileges.
VU#557136                   Cayman gateways ship without a default password on the admin and user accounts. As long as the gateway is not addressable via the WAN, this can only be accessed and set by anyone on the LAN side. With admin access, the gateway settings can be configured by an intruder.
VU#557481                   The HP Tru64 UNIX implementation of "lpq" contains a locally exploitable buffer overflow.
                            Web Servers that use the
                            IBM WebSphere Java
                            Servlet Container 3.5 and
                            earlier
                            are vulnerable to a cross-
                            site scripting vulnerability.
                            A web site may
                            inadvertently include
                            malicious HTML tags or
                            script(JavaScript, VBScript,
                            Java,
                            etc.) in a dynamically
                            generated page based on
                            unvalidated input from
                            untrustworthy sources. This
                            can be a problem when a
                            web server does not
                            adequately ensure that
                            generated pages are
                            properly encoded to
                            prevent
                            unintended execution of
                            scripts, and when input is
                            not validated to prevent
                            malicious HTML from being
VU#560659   CAN-2001-0824   presented to the user.
                            OpenSSL is an open-
                            source implementation of
                            the Secure Sockets Layer
                            (SSL)
                            protocol. A remotely
                            exploitable vulnerability
                            exists in OpenSSL servers
                            that
                            could lead to the execution
                            of arbitrary code on the
VU#561275   CAN-2002-0657   system




                            A Microsoft Windows
                            DirectX library, quartz.dll,
                            does not properly validate
                            certain parameters in
                            Musical Instrument Digital
                            Interface (MIDI) files. An
                            attacker could exploit this
                            vulnerability to execute
                            arbitrary code or crash
                            any application using the
                            library, causing a denial of
VU#561284   CAN-2003-0346   service.
          Buffer Overflows in several
          MIME headers affect a
          large number of electronic
VU#5648   mail clients.
            Passwords sent using SSH
            with RC4 encryption can be
            easily cracked by an
            attacker who is able to
            capture and replay the
            session. This problem
            occurs for
            three reasons: SSH
            sessions can be replayed,
            the RC4 encryption
            algorithm has
            some specific weaknesses,
            and the SSH daemon
            provides too much
            information
            during the authentication
VU#565052   phase of the protocol.
                            The program pgp4pine
                            version 1.75.6 fails to
                            properly identify expired
                            keys
                            when working with the Gnu
                            Privacy Guard program
                            (GnuPG). This failure may
                            result in the clear-text
                            transmission of senstive
                            information when used with
                            the PINE mail reading
VU#566640   CAN-2001-0273   package.




                            The HP Tru64 UNIX
                            implementation of "imapd"
                            contains a locally
                            exploitable
VU#567963                   buffer overflow.
                            A buffer overflow
                            vulnerability exists in
                            Microsoft's Remote
                            Procedure Call
                            (RPC) implementation. A
                            remote attacker could
                            exploit this vulnerability to
                            execute arbitrary code or
                            cause a denial of service.
                            An exploit for this
                            vulnerability is publicly
VU#568148   CAN-2003-0352   available.
                            A remotely exploitable
                            buffer overflow exists in
                            implementations of login,
                            derived from System V. An
                            attacker can use this
                            vulnerability to gain the
                            privileges of the process
                            that invoked login, user root
                            in the cases of
                            in.telnetd, or in.rlogind. We
                            have been able to
                            determine that several
                            vendors
VU#569272   CVE-2001-0797   are affected.
                            There is a remotely
                            exploitable buffer overflow
                            in ICQ. Attackers that are
                            able to exploit the
                            vulnerability may be able to
                            execute arbitrary code with
                            the privileges of the victim
VU#570167   CVE-2002-0028   user.
                            Microsoft Windows NT 4.0
                            Terminal Server contains a
                            buffer overflow that could
                            allow an intruder to execute
                            arbitrary code with the
                            privileges of an
VU#570330   CVE-2000-1149   administrator.




                            Diskcheck.pl is a PERL
                            script, part of Red Hat's
                            powertools suite, that alerts
                            a system administrator if
                            any file system approaches
                            capacity. In creating
                            email alerts, diskcheck.pl
                            creates insecure temporary
                            files in a world-writable
                            directory, which may permit
                            an attacker to corrupt any
                            writable file on the
VU#570952   CAN-2000-0715   system.
            Lotus Notes is a client
            application that provides
            access to Lotus Domino
            servers. A vulnerability
            exists that could permit a
            remote attacker to cause a
            user to execute arbitrary
VU#571297   code.
                            The Berkeley Internet
                            Name Domain (BIND) is an
                            implementation of the
                            Domain
                            Name System (DNS) by
                            the Internet Software
                            Consortium (ISC). There is
                            a buffer
                            overflow vulnerability in
                            BIND 4.9.x, which may
                            allow remote intruders to
                            gain
                            access to systems running
                            BIND. Although BIND 4.9.x
                            is no longer officially
                            maintained by ISC, various
                            versions are still widely
                            deployed on the Internet.

                            This vulnerability has been
                            successfully exploited in a
                            laboratory environment
                            and presents a serious
                            threat to the Internet
VU#572183   CVE-2001-0011   infrastructure.
                            The Microsoft Windows
                            2000 Telnet Service
                            contains a vulnerability that
                            allows
                            remote attackers to log in
                            using domain accounts
                            without providing a specific
VU#573155   CVE-2001-0347   domain name.




                            An insecure default
                            configuration in the Beck
                            IPC@CHIP allows an
                            intruder to
                            obtain priviledged system
VU#574739   CAN-2001-1341   information.
                            Allaire Forums does not
                            verify user information
                            submitted in hidden fields
                            on a
                            web form, allowing
                            attackers to impersonate
VU#575619   CAN-2002-0108   other users.
                            The Cisco IOS HTTP
                            Server contains a
                            vulnerability that may
                            permit a remote
                            attacker to execute
                            arbitrary code on the
VU#579324                   system.


                            diffutils, a set of utilities
                            distributed with many
                            versions of linux, contains
                            a utility called sdiff, which
                            creates temporary files of
                            predictable names in
                            an insecure fashion. Using
                            a symbolic link attack, an
                            intruder can cause
                            overwrite of any file writable
VU#579928   CVE-2001-0117   by the user executing sdiff.
                            The NFS server included in
                            the Microsoft Services for
                            Unix package contains a
                            denial-of-service
                            vulnerability that may cause
                            the system to become
                            unstable or
VU#581603   CAN-2001-0505   crash.




VU#581682   CAN-2002-1221   A remotely exploitable denial-of-service vulnerability exists in BIND.




                            A remotely exploitable
                            buffer overflow exists in all
                            versions of webalizer
VU#582923   CAN-2002-0180   prior to version 2.01-10.
            There is an input validation
            error in the stand-alone
            SOAP server XMMS
            Remote
            which allows unauthorized
            remote command
VU#583020   execution.
                            The Lotus Domino R5
                            Server Family contains
                            vulnerabilities that may
                            allow
                            denial-of-service attacks,
                            unauthorized privileged
                            access, or both. These
                            vulnerabilities were
                            revealed using the
                            PROTOS LDAPv3 test
                            suite and are
                            documented in CERT
                            Advisory CA-2001-18. If
                            your site uses this product,
                            the
                            CERT/CC encourages you
                            to follow the advice
VU#583184   CAN-2001-1311   provided below.
            The HP Tru64 UNIX
            implementation of
            "dtsession" contains a
            locally exploitable
VU#584243   buffer overflow.
                            Microsoft SQL Server
                            contains a buffer overflow
                            vulnerability. A local
                            attacker
                            could leverage this
                            vulnerability to gain
                            elevated privileges and/or
                            execute
VU#584868   CAN-2003-0232   arbitrary code.
                            Microsoft Internet Explorer
                            contains a serious
                            vulnerability in the way in
                            which it evaluates
VU#585123   CVE-2002-0078   malformed URLs.
                            The MIT Kerberos V5
                            implementation contains an
                            ASN.1 decoding flaw that
                            may
                            allow remote attackers to
                            crash affected Kerberos
VU#587579   CAN-2002-0036   applications.
                            The Microsoft Windows
                            2000 Telnet Service
                            contains a vulnerability that
                            allows
                            unprivileged local users to
                            execute arbitrary code with
VU#587587   CAN-2001-0349   elevated privileges.
                            Multiple implementations of
                            the RADIUS protocol
                            contain a buffer overflow in
                            the function that calculates
VU#589523   CAN-2001-1376   message digests.
                            Lotus Domino web server
                            may allow malformed URL
                            requests to access files
                            outside the document root
VU#590487   CVE-2001-0009   of a vulnerable system.
                            A remotely exploitable
                            buffer overflow exists in the
                            Microsoft Windows Shell.
                            This buffer overflow is
                            present in all versions of
                            Windows XP, but it is not
                            present in other versions of
VU#591890   CAN-2002-1327   Windows.




                            The HP Tru64 UNIX
                            implementation of "inc"
                            contains a locally
                            exploitable buffer
VU#592515                   overflow.
VU#593299   CVE-2001-0053   There is a off-by-one vulnerability in several BSD-derived ftpd servers




                            Aggregated in VU#971179.
                            A buffer overflow in uux,
                            part of the UUCP package
                            on
                            SCO systems, can allow an
                            intruder to gain elevated
VU#593571                   privileges.
                            A flaw has been discovered
                            in the way that Microsoft's
                            Active Directory service
                            handles large LDAP
                            requests. This flaw could
                            result in a denial-of-service
VU#594108   CAN-2003-0507   vulnerability.
                            A vulnerability exists in
                            CDE ToolTalk that may
                            allow a remote attacker to
                            execute arbitrary code with
VU#595507   CVE-2001-0717   root privileges.
                            Lotus Notes prior to version
                            5.02, had permissive ECLs
                            that allow for the
                            execution of malicious mail
VU#5962     CVE-2000-0891   messages.




VU#596387   CAN-2002-0177   A remotely exploitable buffer overflow exists in Icecast.

                            A vulnerability in Sun
                            Solaris
                            "/usr/lib/utmp_update" may
                            allow a local
                            attacker to gain superuser
VU#596748                   privileges.
            There is a vulnerability in
            the SSH protocol that can
            simplify brute force
            attacks against passwords
            typed within an existing
VU#596827   SSH session.




            Easynews does not
            adequately validate user
            input. Attackers may
            exploit this
            vulnerability to learn the
            filesystem path where the
VU#597795   script is installed.
                            Microsoft Internet Explorer
                            contains a vulnerability in
                            which a script from one
                            source is permitted to
                            access files on the client's
                            file system. An attacker
                            may be able to read
                            cookies and other files on a
                            target system, and spoof
                            Internet sites by creating
VU#598147   CVE-2002-0027   believable window titles.
                            A buffer overflow in the
                            WinVNC server on
                            Windows systems can
                            allow an intruder
                            to gain control of the VNC
                            server and execute
                            arbitrary code with the
                            privileges of the user
VU#598581   CAN-2001-0168   running the server.




VU#600777   CAN-2002-0838   A remotely exploitable buffer overflow vulnerability exists in gv.
            The Lotus Domino Web
            Server contains a flaw that
            could be exploited to cause
            a
VU#601312   denial of service.




            The HP Tru64 UNIX
            implementation of "binmail"
            contains a locally
            exploitable
VU#602009   buffer overflow.
                            The environment variables
                            krb4proxy and
                            KRBCONFDIR may be
                            respected by client
                            programs such as login or
                            su, in such a way that local
                            or remote intruders can
                            cause the client program to
                            accept authentication
                            requests from a malicious
                            KDC. The vulnerabilites
                            may be exploited remotely
                            by passing these
                            environment
                            variables through a telnet
VU#602625   CVE-2001-0094   connection.
            Slash-based bulletin
            boards contain a
            vulnerability that may cause
            users to
            disclose their username
            and password to third-party
VU#603945   sites.
            There is a vulnerability in
            version 4.01 of ScriptLogic
            that could allow local
            users to gain full access to
VU#609137   the registry.
            RSA Security ACE/Agent
            for Windows, ACE/Agent
            for Windows NT, and
            ACE/Agent for
            Windows 2000 contain a
            vulnerability in which the
            ACE/Agent does not
            properly
            handle null characters
            contained in a URL. A
            specially crafted request
            may
            cause ACE/Agent to enter
            a debugging mode,
            possibly disclosing
            sensitive
            configuration information
VU#609840   about the server.
                            A buffer overflow
                            vulnerability in IIS 4.0 and
                            5.0 could allow an intruder
                            to
                            execute arbitrary code on
                            an IIS server with the
                            privileges of the ASP ISAPI
VU#610291   CVE-2002-0079   extension.




                            The Oracle LDAP Daemon
                            (oidldapd version 2.1.1.1),
                            which ships with Oracle
                            version 8i for Linux version
                            8.1.7, does not check write
                            permissions properly.
                            This can allow a local user
                            to delete or write to any file
VU#610904   CAN-2001-0300   on the system.
                            A remotely exploitable
                            buffer overflow exists in the
                            Microsoft Locator service.
                            This vulnerability may allow
                            a remote attacker to
                            execute arbitrary code on a
VU#610986   CAN-2003-0003   vulnerable system.
                            A vulnerability exists in the
                            Apache Procedural
                            Language/Structured Query
                            Language (PL/SQL)
                            module used by Oracle 9i
                            Application Server (iAS). In
                            its
                            default configuration, the
                            PL/SQL module grants
                            unauthenticated access to
                            the
                            PL/SQL gateway web-
                            based administration
VU#611776   CAN-2002-0561   interface.




                            A buffer overflow
                            vulnerability exists in the
                            "Automatic File Content
                            Type
                            Recognition Tool" versions
                            of the file[1] package prior
VU#611865                   to 3.41.
                            The HP Tru64 UNIX
                            implementation of "ping"
                            contains a locally
                            exploitable
VU#612833                   vulnerability.




                            The Sun iPlanet Web
                            Server and Sun ONE Web
                            Server both ship with a
                            search
                            engine that is not enabled
                            by default. A remotely
                            exploitable buffer overflow
                            exists in the search engine
                            that could permit an
                            attacker to execute
                            arbitrary
VU#612843   CAN-2002-0686   code on the system.
                            There is a remotely
                            exploitable buffer overflow
                            in the Squid proxy/cache
                            server. Exploitation of this
                            vulnerability could lead to
                            an intruder gaining a
                            shell on the target Squid
VU#613459   CVE-2002-0068   server.
                            A buffer overflow in the
                            Microsoft Windows Multiple
                            UNC Provider (MUP) could
                            allow a local user to
                            execute code with system
VU#613899   CVE-2002-0151   privileges.
                            Microsoft SQL Server
                            contains several buffer
                            overflows in "functions that
                            are
                            associated with connecting
                            to remote data sources
VU#619707   CAN-2002-0056   through 'ad hoc names.'"
                            A vulnerability in Oracle 8i
                            allows intruders to assume
                            control of the database
                            server and/or the operating
                            system on which the
                            database server is running,
                            depending on the platform
VU#620495   CAN-2001-0499   used.
                            Several cryptographic
                            vulnerabilities exist in the
                            basic Kerberos Version 4
                            protocol that could allow an
                            attacker to impersonate
                            any user in a Kerberos
                            realm and gain any
                            privilege authorized through
VU#623217   CAN-2003-0138   that Kerberos realm.
                            A vulnerability in the
                            secldapclntd daemon in
                            IBM's AIX operating system
                            could
                            allow unauthorized remote
                            users to modify accounts
VU#624713   CAN-2003-0119   on the system.
                            Microsoft Internet Explorer
                            (IE) permits the remote
                            execution of arbitrary
                            commands via the
VU#626395   CAN-2002-0077   <OBJECT> tag.
                            A race condition in the
                            'periodic' script allows local
                            files to be
                            overwritten. We believe
                            that 'periodic' is typically
                            used only with FreeBSD
                            systems, though it may be
VU#626919   CVE-2000-0890   installed on other systems.
                            Microsoft SQL Server 7.0
                            and SQL Server 2000
                            contain buffer overflow
                            vulnerabilities in multiple
                            extended stored
                            procedures. A remote
                            attacker
                            could cause a denial of
                            service or execute arbitrary
                            code or commands with the
                            privileges of the SQL
                            Server process, potentially
                            gaining complete control
                            over
                            a vulnerable system. An
                            attacker could also
                            manipulate databases
                            stored on a
VU#627275   CAN-2002-0154   vulnerable system.




                            The HP Tru64 UNIX
                            implementation of
                            "traceroute" contains a
                            locally exploitable
VU#629289                   buffer overflow.
                            A buffer overflow
                            vulnerability exists in the
                            TNS Listener component of
                            Oracle9i Database. This
                            vulnerability could allow an
                            unauthenticated, remote
                            attacker to execute
                            arbitrary code with the
                            privileges of the TNS
                            Listener
                            process or cause a denial
VU#630091   CVE-2002-0965   of service.
                            IPlanet Enterprise Server
                            and Netscape Enterprise
                            Server versions prior to 4.1.
                            SP12 have a vulnerability
                            involving the rendering of
                            <SCRIPT> tags embedded
                            in
                            the web logs when viewed
                            through the administration
VU#630355                   client.


VU#630433   CAN-2003-0146   NetPBM is a set of graphics conversion tools and has been found to contain multiple buffer overflow vulnerabilities.
VU#630531   CVE-2001-0506   A buffer overflow in the code that processes server-side include files on IIS 4.0 and IIS 5.0 could allow an intruder to execute code with the privileges of the web server.
VU#634847   CVE-2000-0374   An information leakage vulnerability exists in the default configuration of the X Display Management Console Protocol (XDMCP) daemon.
VU#635463   CAN-2000-1209   Microsoft SQL Server and Microsoft Data Engine ship with a null default password on the administrative account sa. If the system administrator does not set the password, the system may be vulnerable to attack.
VU#635811   CVE-2002-0033   Sun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the NFS protocol. A remotely exploitable heap overflow exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root.
VU#636431                   Verity's Search97 application contains a Cross-Site Scripting vulnerability in the processing of search requests.
VU#638011   CAN-2001-0817   A remotely exploitable directory traversal vulnerability exists in the HP-UX line printer daemon.
VU#638099   CVE-2002-0573   rpc.rwalld is a utility that is used to send a message to all terminals of a time sharing system. A format string vulnerability may permit a remote user to execute code with the privileges of the rwall daemon.
VU#639507   CAN-2001-1098   A vulnerability exists in the way the Cisco Pix Firewall Manager stores authentication credentials, which could allow local attackers to have read access to the enable password for the Cisco Pix Firewall.
VU#639760   CVE-2001-0187   WU-FTPD contains a format string vulnerability that manifests when WU-FTPD is configured to use RFC 931 authentication and is run in debug mode. A crafted identd response could be used to execute arbitrary code on a vulnerable server.
VU#640827                   IBM AIX Parallel Systems Support Programs (PSSP) contains a vulnerability allowing unauthorized access to files in valid file collections.
VU#641012   CAN-2003-0219   Kerio Personal Firewall contains a vulnerability that may allow a remote attacker to replay an administration session.
VU#641013                   Ethereal is a network traffic analysis package. Several packet dissectors contain a vulnerability that may cause a denial-of-service situation.
VU#642239   CVE-2001-1161   Lotus Domino R5 Servers are vulnerable to a cross-site scripting vulnerability. A web site may inadvertently include malicious HTML tags or script (JavaScript, VBScript, Java, etc.) in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem when a web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user.
VU#642760                   The Lotus Domino Web Server contains a flaw that could be exploited to cause a denial of service.
VU#645400                   There is a vulnerability that permits unauthorized access to several switch and router products manufactured by Cisco Systems. An attacker who gains access to an affected device can read and modify its configuration, creating a denial-of-service condition, an information leak, or both.
VU#648131   CVE-2001-0351   The Microsoft Windows 2000 Telnet Service contains a denial-of-service vulnerability that allows unprivileged local users to terminate existing telnet sessions.
VU#648304   CVE-2001-0236   There is a buffer overflow in the snmpXdmi daemon, which may allow intruders to gain root privileges on systems running the vulnerable daemon.
VU#649979   CVE-2001-0836   A remotely exploitable buffer overflow in the Oracle9iAS Web Cache allows intruders to execute arbitrary code or cause the web cache process to hang or exit.
VU#650937   CAN-2003-0015   A "double-free" vulnerability in the Concurrent Versions System (CVS) server could allow a remote attacker to execute arbitrary code or commands or cause a denial of service on a vulnerable system.
VU#651377                   The HP Tru64 UNIX implementation of "lpr" contains a locally exploitable buffer overflow.
VU#651994   CAN-2001-0199   The SEDUM web server permits intruders to access files outside the
VU#654643                   Web Servers that use the Allaire JRun Java Servlet Container are vulnerable to a cross-site scripting vulnerability. A web site may inadvertently include malicious HTML tags or script (JavaScript, VBScript, Java, etc.) in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem when a web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user.
VU#655248   CVE-2001-0244   A buffer overflow exists in Microsoft Index Server 2.0, which may allow remote attackers to execute code with administrative privileges.
VU#655259   CVE-2001-0529   Due to insecure handling of temporary files, some versions of sshd, an encrypted connection program, can delete any file named "cookies" accessible via the computer running sshd.
VU#656315   CVE-2001-1183   Cisco IOS contains a vulnerability that allows an intruder to crash the
VU#657547   CAN-2001-1314   Multiple Critical Path directory products contain vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, the CERT/CC encourages you to follow the advice provided below.
VU#657625   CAN-2002-1286   Some versions of the Microsoft virtual machine (Microsoft VM) contain a flaw that could allow untrusted Java applets from an attacker's site to be run instead of the trusted applet from the intended site.
VU#657899   CAN-2002-0037   Lotus Domino Servers 5.x, 4.6x, and 4.5x allow users to associate objects with documents in a database. While these objects appear to be a part of the document, they are actually stored as separate files. A vulnerability exists by which an intruder could view these objects regardless of the permissions set on the document to which they belong.
VU#659043   CAN-2002-0559   A buffer overflow vulnerability exists in the Apache Procedural Language/Structured Query Language (PL/SQL) module used by Oracle9i Application Server (iAS). Specifying a crafted password for a Database Access Descriptor (DAD) could cause a denial of service or execute arbitrary code with the privileges of the Apache service.
VU#661243   CAN-2003-0058   A vulnerability exists in the MIT Kerberos V5 Key Distribution Center that may allow attackers to crash multiple KDC servers within the same realm.
VU#663786                   A remotely exploitable buffer overflow vulnerability exists in Oracle9i Database.
VU#664141   CVE-2000-0959   Some versions of ld.so, the loader for shared libraries in UNIX/LINUX, do not properly clear risky environment variables, allowing a symlink attack to overwrite arbitrary files.
VU#664323   CAN-2002-0926   A directory traversal vulnerability exists in webMathematica.
VU#665372   This vulnerability may allow an attacker to replay a captured SSH1 se
VU#666073                   A remotely exploitable buffer overflow vulnerability exists in AbsoluteTelnet. This vulnerability may allow a malicious server operator to execute arbitrary code on a vulnerable client.
VU#666872   CVE-2001-0260   Lotus Domino R5 SMTP Server Contains a Buffer Overflow
VU#667667   CVE-1999-0566   A remotely exploitable buffer overflow in SGI IRIX syslogd may allow an attacker to crash syslogd or execute arbitrary code.
VU#669779   CVE-2002-0147   A buffer overflow vulnerability in IIS 4.0, 5.0, and 5.1 could allow an intruder to execute arbitrary code on an IIS server with the privileges of the ASP ISAPI extension.
VU#670568   CAN-2001-0406   Samba handles temporary files insecurely, allowing arbitrary files to be overwritten and left in a state that would permit later modification.
VU#671444   CAN-2000-1188   The quikstore shopping cart script contains an input validation error that allows attackers to execute commands on affected web servers.
VU#671627                   The Hewlett Packard Tru64 "dxchpwd" command contains a locally exploitable buffer overflow.
VU#672419   CAN-2001-1214   User Manual does not adequately validate user input, allowing attackers to execute arbitrary commands on the server.
VU#672683   CAN-2001-0829   Web Servers that use the Apache Tomcat Java Servlet Container are vulnerable to a cross-site scripting vulnerability. A web site may inadvertently include malicious HTML tags or script (JavaScript, VBScript, Java, etc.) in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem when a web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user.
VU#6733                     A somewhat common configuration of Cisco PIX firewalls may permit a window of opportunity in which an intruder can bypass the firewall. This problem was first publicly described in July, 1998.
VU#673993   CAN-2003-0213   There is a remotely exploitable buffer overflow in PopTop. An exploit for this vulnerability exists and is publicly available.
VU#675320   CVE-2000-1113   There is a buffer overflow in the parsing of Active Stream Redirector (.ASX) files. This buffer overflow may allow a remote attacker to execute arbitrary code when a user views a malicious web page.
VU#676552                   The Lotus Domino Web Server contains a flaw that could be exploited to cause a denial of service situation.
VU#677337   CAN-2003-0108   There is a denial-of-service vulnerability in tcpdump that may allow a remote attacker to cause tcpdump to enter an infinite loop. Aggregated in VU#971179.
VU#677611                   A buffer overflow in bnuconvert, part of the UUCP package on SCO systems, can allow an intruder to gain elevated privileges.
VU#679556   CAN-2003-0344   A remotely exploitable vulnerability has been discovered in Internet Explorer. Exploitation of this vulnerability may lead to the execution of arbitrary code.
VU#682620   CAN-2002-0641   The Microsoft SQL Server contains a buffer overflow vulnerability that may allow remote attackers to execute arbitrary code with system privileges.
VU#682900   CAN-2003-0575   A remotely exploitable vulnerability has been discovered in the "nsd" service for SGI IRIX systems. A remote attacker may be able to gain root access to the vulnerable system.
VU#683673   CAN-2002-1296   The Sun Solaris priocntl(2) function does not adequately validate a memory structure that specifies the name of a kernel module. As a result, a local attacker could execute arbitrary code with superuser privileges on a vulnerable system.
VU#683677   CVE-2000-0984   A vulnerability exists in multiple versions of Cisco's Internetworking Operating System (IOS) software that allows an attacker to force affected switches and routers to crash and reboot.
VU#683765   CVE-2000-1000   AOL Instant Messenger (AIM) 4.1 and prior are vulnerable to a denial of service vulnerability. A denial of service occurs when filenames that contain a "%s" are sent to a victim.
VU#684563   CAN-2003-0059   MIT Kerberos V5 contains a flaw that allows the controller of one Kerberos realm to impersonate users in a second realm.
VU#684820                   A design flaw in the SSH-1 protocol allows a malicious server to establish two concurrent sessions with the same session ID, allowing a man-in-the-middle attack. The client must accept unknown host keys from the malicious server to enable exploitation of this vulnerability.
VU#686403   CVE-2000-0824   ld.so fails to unset LD_PRELOAD before executing suid root programs, allowing loading of insecure or malicious libraries.
VU#686939   CAN-2002-0792   The Cisco Content Service Switch contains a denial-of-service vulnerability that allows remote attackers to perform a soft reset on affected devices.
VU#688960   CAN-2001-1316   The Teamware Office suite contains vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, the CERT/CC encourages you to follow the advice provided below.
VU#689835   CAN-2003-0142   By default, Adobe PDF viewers will start up and load non-certified plug-ins installed in a local plug_ins directory. Adobe Reader plug-ins not certified by Adobe, if allowed to load, will execute arbitrary code in the process space of the running viewer. One incremental impact of such arbitrary code execution is to put the viewer into 'Certified Mode', allowing the circumvention of certain digital rights management features such as printing, copying of text, etc.
VU#691153                   The BEA WebLogic server contains a vulnerability that may allow authenticated users to bypass authentication for a given web application when the application has been updated.
VU#693099   CVE-2002-0597   The default configuration of Microsoft Windows 2000 does not properly handle malformed packets received on TCP port 445. As a result, Windows may cease to function normally upon receipt of malformed packets on this port.
VU#693803                   The HP Tru64 UNIX implementation of "dxpause" contains a locally exploitable buffer overflow.
VU#694428   CAN-2003-0460   A vulnerability in the logging of URI requests may permit a remote attacker to disable logging on an Apache HTTP Server. Version 1.3.27 on Windows systems is reported vulnerable to this issue.
VU#697049   CAN-2003-0210   Cisco Secure ACS for Windows contains a buffer overflow vulnerability that could permit a remote attacker to execute arbitrary code or cause a denial of service.
VU#698467                   Oracle Database Server version 9iAS allows remote users to view the "globals.jsa" file used by Java Server Page (JSP) scripts. The "globals.jsa" file may contain Oracle usernames, passwords, and other configuration information not intended for public viewing, and attackers may use that information to mount attacks.
VU#698640   CVE-2001-0316   Unprivileged local users can exploit the sysctl Linux kernel program to gain privileged access.
VU#700216   CAN-2001-0610   KDE's kfm creates and uses temporary cache directories insecurely.
VU#700575   CAN-2001-0542   There is a buffer overflow in Microsoft SQL Server 2000 and SQL Server 7.0 which could allow an intruder to execute arbitrary code on vulnerable systems.
VU#703835   CVE-2002-0801   A remotely exploitable buffer overflow exists in Macromedia's JRun version 3.1 on Win32 platforms.
VU#704969                   Some X server products (client software for connecting to a host with Xwindows capabilities) may be configured insecurely by default.
VU#704976   CVE-2000-1163   Aladdin Ghostscript, a previewer for postscript files, uses an insecure value for the LD_RUN_PATH environment variable. This allows attackers to supply malicious libraries to be loaded from the current directory.
VU#706817                   The HP Tru64 UNIX implementation of "ypmatch" contains a locally exploitable buffer overflow.
VU#710347                   AOL Instant Messenger (AIM) is an application that allows one peer to communicate with another. A vulnerability exists that can crash the client of a victim.
VU#711315                   Cherokee does not properly validate HTTP requests. Attackers may exploit this vulnerability to execute arbitrary commands as root.
VU#711491                   Textor Webmasters Ltd listrec.pl CGI script does not properly validate input to the "TEMPLATE" CGI variable, allowing arbitrary command execution.
VU#711843   CAN-2002-0189   Microsoft Internet Explorer (IE) includes several local HTML resources that contain cross-site scripting vulnerabilities. These resources use the dialogArguments property of dialog frames insecurely, allowing an attacker to execute arbitrary script in the Local Machine Zone.
VU#712632   CAN-2001-0979   HP9000 Series 700/800 running HP-UX releases 10.01, 10.10, 10.20 and 11.00 are affected by a buffer overflow in Hewlett-Packard's HP-UX Software Distributor (SD-UX). A local user can exploit this vulnerability to gain elevated privileges.
VU#712723                   Oracle Database Server version 9iAS installs with up to 160 distinct default login accounts. The usernames and passwords for these have been made publicly available and could be used by an attacker to gain access to an Oracle server.
VU#713779   CVE-2002-0155   Microsoft's MSN Chat is an ActiveX control for Microsoft Messenger, an instant messaging client. A buffer overflow exists in the ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user.
VU#714121                   Some DNS servers respond with an inappropriate error message if queried for nonexistent AAAA records, which can lead to possible denial of service.
VU#715973   CVE-2000-0887   There is a denial-of-service vulnerability in several versions of the Internet Software Consortium's (ISC) BIND software. This vulnerability is referred to by the ISC as the "zxfr bug." It affects ISC BIND version 8.2.2, patch levels 1 through 6.
VU#717380   CAN-2001-1318   The Qualcomm Eudora WorldMail Server may contain vulnerabilities that allow denial-of-service attacks, unauthorized privileged access, or both. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, the CERT/CC encourages you to follow the advice provided below.
VU#717827                   Oracle Application Server version 9iAS installs with sample pages that demonstrate various functions of the software. Many of these pages can be used by attackers to breach the security of the system.
VU#718971   CAN-2001-0749   The Beck IPC@CHIP web server permits intruders to access files outside the web root.
                            Entrust Authority Security
                            Manager contains a
                            vulnerability that could
                            allow a
                            master user to change the
                            password of another
                            master user. A master
                            user could
                            exploit this vulnerability to
                            perform operations that
                            otherwise require
                            authorization by multiple
VU#720017   CAN-2002-0712   master users.
                            A locally exploitable
                            vulnerability exists in the
                            Microsoft Windows 2000
                            Network Connection
                            Manager (NCM).
                            Exploitation of this
                            vulnerability may permit
                            a local user to gain full
VU#721611   CVE-2002-0720   privileges on the system.
                            A buffer overflow in IIS
                            could allow an intruder to
                            execute arbitrary code with
                            the privileges of the
VU#721963   CVE-2002-0149   ASP.DDL.




                            The Line Printer daemon
                            (lpd) shipped with AIX
                            systems contains a buffer
                            overflow in send_status()
                            that potentially allow a
                            malicious remote user to
VU#722143   CAN-2001-0671   gain root privileges.
                            Microsoft's SmartHTML
                            interpreter (shtml.dll)
                            contains a remotely
                            exploitable
VU#723537   CAN-2002-0692   vulnerability.
                            A problem exists in some
                            versions of the HP-UX
                            kernel allowing an intruder
                            to
VU#726187   CAN-2002-0279   cause kernel panics.
                            Novell GroupWise is an
                            email storage program.
                            Email is encrypted when
                            stored.
                            Usernames and passwords
                            can be acquired by sniffing
                            communications between
                            the
VU#726891   CVE-2001-1231   client and server.
                            A vulnerability in some
                            Cisco Virtual Private
                            Network (VPN) products
                            could
                            allow a remote attacker to
                            access systems that should
VU#727780   CAN-2003-0258   not be accessible.
                            Microsoft Internet Explorer
                            (IE) allows script from a
                            dialog frame in one
                            domain to execute in a
                            different domain, including
                            the Local Machine Zone.
                            The
                            script could read certain
                            local files and data (i.e.
                            cookies) from other web
                            sites. In the presence of
                            other vulnerabilities
                            (VU#626395, VU#25249),
                            the
                            script could execute
VU#728563   CAN-2002-0189   arbitrary commands.
                            Oracle Application Server
                            9iAS installs with Simple
                            Object Access Protocol
                            (SOAP) enabled by default
                            and allows unauthenticated
                            remote users to deploy and
                            undeploy SOAP services
VU#736923   CVE-2001-1371   and providers.
                            A vulnerability exists in
                            SSH Secure Shell that
                            allows an intruder to log to
                            an
                            account which contains a
                            stored encrypted password
                            of two or fewer characters
                            in length. An intruder may
                            leverage the privileges of
                            such an account to gain
VU#737451   CVE-2001-0553   full control of the system.
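Added example for the VU#737451 entry above (not CERT/CC code and not the SSH Secure Shell source): a small audit that reads a shadow(5)-style file and lists the accounts whose stored password field is two or fewer characters, which is exactly the condition the note describes. The file contents, user names and hash strings are constructed for the example; the audit flags short fields regardless of what the characters are, since the note does not restrict the condition further.

```python
"""Audit a shadow(5)-style file for password fields of two or fewer characters.

Added example for VU#737451; not CERT/CC or SSH Communications code.
Assumption: the risky condition is the one the note states, a stored
encrypted password of <= 2 characters, whatever those characters are.
"""
from typing import List, Tuple

# Constructed sample in the colon-separated shadow(5) layout:
#   name:password:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW = """\
root:$1$Zx3Ks9Qe$q7VhN2hO5fN7XfB0qyoQv/:12345:0:99999:7:::
alice:$6$rounds=5000$saltsalt$hashhashhashhashhashhashhashhash:12345:0:99999:7:::
backup:NP:12345:0:99999:7:::
lp:*:12345:0:99999:7:::
guest::12345:0:99999:7:::
sync:!!:12345:0:99999:7:::
# comment lines and blank lines are ignored

"""


def parse_shadow(text: str) -> List[Tuple[str, str]]:
    """Return (username, password_field) pairs, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line without a password field
        entries.append((fields[0], fields[1]))
    return entries


def short_password_hashes(text: str, max_len: int = 2) -> List[Tuple[str, str]]:
    """Accounts whose stored password field is max_len characters or shorter.

    Empty fields are included: an empty password is the degenerate case of a
    short stored password and is a risk in its own right.
    """
    return [(user, pw) for user, pw in parse_shadow(text) if len(pw) <= max_len]


def report(text: str) -> str:
    """Human-readable summary of the same result, for an interactive audit run."""
    flagged = short_password_hashes(text)
    if not flagged:
        return "no accounts with a stored password of 2 or fewer characters"
    lines = ["accounts at risk (stored password field <= 2 chars):"]
    for user, pw in flagged:
        lines.append(f"  {user}: {pw!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SHADOW))
```

On a real host, feed it the contents of /etc/shadow (or the vendor's equivalent) as root. Every account it lists should be either removed, given a real password, or locked with a full-length invalid hash and a non-login shell, in addition to applying the vendor's fix.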
VU#738331   CAN-2002-1146   DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service.
VU#739123   CAN-2002-0400   A denial-of-service vulnerability exists in version 9 of the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND) server. ISC BIND versions 8 and 4 are not affected. Exploiting this vulnerability will cause vulnerable BIND servers to shut down.
VU#739201   CVE-2000-1122   There is a buffer overflow in the IBM AIX setclock command that may allow local attackers to gain root privileges.
VU#739211                   PHP-Nuke's saveuser() function does not adequately authenticate users. Attackers may exploit this vulnerability to change user data and gain access to accounts.
VU#739376   CVE-2001-0243   There is a vulnerability in the creation of Internet shortcuts in Windows Media Player version 6.4 and 7. This vulnerability may allow attackers to execute arbitrary commands when a victim views a malicious web page.
VU#740169                   A buffer overflow vulnerability exists in versions of Cyrus IMAP Server up to and including 2.1.10. This vulnerability may allow a remote attacker to execute arbitrary code on the mail server with the privileges of the Cyrus IMAP Server.
VU#740619                   A locally exploitable privilege escalation vulnerability exists in SSH Secure Shell versions 2.0.13 - 3.2.1.
VU#743092   CAN-2003-0466   A FreeBSD-derived function, realpath(3), contains a vulnerability that may permit a malicious user to gain root access to the server. This function was derived from the FreeBSD 3.x tree. Other applications and operating systems that use or were derived from this code base may be affected. This problem was originally reported to affect WU-FTPd. It has been discovered to affect various BSD implementations as well.
VU#743954                   A remotely exploitable buffer overflow vulnerability exists in Oracle9i Database.
VU#744139                   The installer for AOL Instant Messenger contains a vulnerability that weakens the security settings of Microsoft Internet Explorer.
VU#745371   CVE-2001-0554   The telnetd program is a server for the telnet remote virtual terminal protocol. There is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. This vulnerability can crash the server, or be leveraged to gain root access.
VU#746251   CAN-2002-1413   Novell Netware RCONAG6 allows users to gain access to the server without a password.
VU#747124   CVE-2000-0678   Additional Decryption Keys (ADKs) is a feature introduced into PGP (Pretty Good Privacy) versions 5.5.x through 6.5.3 that allows authorized extra decryption keys to be added to a user's public key certificate. However, an implementation flaw in PGP allows unsigned ADKs which have been maliciously added to a certificate to be used for encryption. Data encrypted with PGP 5.5.x through 6.5.3 using a modified certificate will generate ciphertext encrypted with the ADK subject to the conditions listed in the impact section. The attacker who modified the certificate can obtain the plaintext from this ciphertext. PGP does not correctly detect this form of
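Added example for the VU#747124 entry above; it is not PGP's code. It models the check that the note says was missing: an ADK subpacket is only trustworthy when it sits in the hashed (signed) area of the key's self-signature, because anything in the unhashed area can be appended by whoever holds a copy of the certificate. The subpacket length and type encoding follows OpenPGP (RFC 4880 section 5.2.3.1); the ADK subpacket type number (10) and its body layout (a class octet, a public-key algorithm octet and a 20-octet fingerprint) are assumptions about PGP's private use of that type, and the certificate fragments and the attacker's fingerprint are constructed.

```python
"""Model of the ADK check behind VU#747124: honour ADK subpackets only when
the self-signature actually covers them.

Added example, not PGP Inc./NAI code.  Subpacket framing follows RFC 4880;
ADK_SUBPACKET_TYPE and the ADK body layout (class, algorithm, 20-octet
fingerprint) are assumptions about PGP's private use of subpacket type 10.
"""
from typing import List, Tuple

ADK_SUBPACKET_TYPE = 10      # assumption: PGP's ADK subpacket type
SIG_CREATION_TIME = 2        # RFC 4880 signature creation time subpacket


def encode_subpacket(sp_type: int, body: bytes) -> bytes:
    """RFC 4880 5.2.3.1 subpacket: length octet(s), type octet, body."""
    length = len(body) + 1                        # the type octet is counted
    if length < 192:
        hdr = bytes([length])
    elif length < 8384:
        length -= 192
        hdr = bytes([(length >> 8) + 192, length & 0xFF])
    else:
        hdr = b"\xff" + length.to_bytes(4, "big")
    return hdr + bytes([sp_type & 0x7F]) + body


def parse_subpackets(area: bytes) -> List[Tuple[int, bytes]]:
    """Decode a subpacket area into (type, body) pairs; reject truncated data."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            if i + 1 >= len(area):
                raise ValueError("truncated two-octet subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            if i + 5 > len(area):
                raise ValueError("truncated five-octet subpacket length")
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("subpacket runs past end of area")
        out.append((area[i] & 0x7F, area[i + 1:i + length]))  # strip critical bit
        i += length
    return out


def adk_fingerprints(area: bytes) -> List[bytes]:
    """Fingerprints named by ADK subpackets in one area (body layout assumed)."""
    fps = []
    for sp_type, body in parse_subpackets(area):
        if sp_type == ADK_SUBPACKET_TYPE and len(body) == 22:
            fps.append(body[2:])                  # skip class + algorithm octets
    return fps


def adks_vulnerable(hashed: bytes, unhashed: bytes) -> List[bytes]:
    """Flawed behaviour from the note: ADKs from either area are encrypted to."""
    return adk_fingerprints(hashed) + adk_fingerprints(unhashed)


def adks_fixed(hashed: bytes, unhashed: bytes) -> List[bytes]:
    """Only the signed (hashed) area can carry an ADK the key owner authorised."""
    return adk_fingerprints(hashed)


# Constructed certificate fragments: the owner's hashed area holds only a
# creation time; an attacker appends an ADK naming their own key to the
# unhashed area, which the owner's self-signature does not cover.
OWNER_HASHED = encode_subpacket(SIG_CREATION_TIME, (0x3B9ACA00).to_bytes(4, "big"))
ATTACKER_FP = bytes(range(0xA0, 0xB4))            # 20 constructed octets
INJECTED_UNHASHED = encode_subpacket(ADK_SUBPACKET_TYPE, b"\x80\x01" + ATTACKER_FP)

if __name__ == "__main__":
    print("vulnerable:", [fp.hex() for fp in adks_vulnerable(OWNER_HASHED, INJECTED_UNHASHED)])
    print("fixed:     ", [fp.hex() for fp in adks_fixed(OWNER_HASHED, INJECTED_UNHASHED)])
```

The general rule the fixed path applies is worth stating on its own: any attribute of a key that changes who can read ciphertext (ADKs, designated revokers, key flags) must be read from the hashed area only, and a signature whose hashed area does not verify must not contribute attributes at all.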



VU#747736   CVE-2001-0627   The implementation of vi, a text editor, provided with SCO Openunix creates insecure temporary files with predictable names. Using a symbolic link attack, an intruder can overwrite any file writable by the user of vi.
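Added example for the VU#747736 entry above; it is not SCO's vi. It reproduces the symbolic link attack inside a private temporary directory that stands in for /tmp: a local attacker plants a symlink under the editor's predictable name (assumed here to be vi.tmp; the real name is not given in the note) pointing at a file the vi user can write, the flawed open(O_CREAT without O_EXCL) follows the link and overwrites that file, and the hardened paths (mkstemp, or O_CREAT|O_EXCL|O_NOFOLLOW on a fixed name) do not. The victim file and its contents are constructed.

```python
"""Predictable temporary file names and the symlink attack from VU#747736.

Added example, not SCO's vi.  PREDICTABLE_NAME stands in for the editor's
fixed temporary file name; the directory stands in for /tmp.
"""
import os
import tempfile

PREDICTABLE_NAME = "vi.tmp"   # assumption: a fixed name any local user can guess


def attacker_plants_symlink(tmpdir: str, target: str) -> str:
    """The local attacker creates the predictable name first, as a symlink."""
    link = os.path.join(tmpdir, PREDICTABLE_NAME)
    os.symlink(target, link)
    return link


def insecure_editor_write(tmpdir: str, data: bytes) -> str:
    """Flawed pattern: predictable name, O_CREAT without O_EXCL.  If the name
    already exists as a symlink the open follows it and truncates the target."""
    path = os.path.join(tmpdir, PREDICTABLE_NAME)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def exclusive_create_on_predictable_name(tmpdir: str) -> bool:
    """Even with a fixed name, O_EXCL refuses an existing path (a symlink
    included) instead of following it.  Returns True only if a fresh file
    was created."""
    path = os.path.join(tmpdir, PREDICTABLE_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True


def secure_editor_write(tmpdir: str, data: bytes) -> str:
    """Hardened pattern: mkstemp chooses an unpredictable name and opens it
    with O_CREAT|O_EXCL, so a planted name is neither reused nor followed."""
    fd, path = tempfile.mkstemp(prefix="vi.", dir=tmpdir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Run each pattern against a planted symlink and report what happened."""
    original = b"original contents\n"                     # constructed victim data
    with tempfile.TemporaryDirectory() as tmpdir:
        victim = os.path.join(tmpdir, "victim.txt")        # any file the vi user can write
        with open(victim, "wb") as f:
            f.write(original)
        attacker_plants_symlink(tmpdir, victim)

        excl_refused = not exclusive_create_on_predictable_name(tmpdir)

        insecure_editor_write(tmpdir, b"editor scratch data\n")
        with open(victim, "rb") as f:
            after_insecure = f.read()

        with open(victim, "wb") as f:
            f.write(original)                              # reset for the secure run
        secure_path = secure_editor_write(tmpdir, b"editor scratch data\n")
        with open(victim, "rb") as f:
            after_secure = f.read()

        return {
            "excl_open_refused_planted_name": excl_refused,
            "victim_overwritten_by_insecure": after_insecure != original,
            "victim_overwritten_by_secure": after_secure != original,
            "secure_used_predictable_name": os.path.basename(secure_path) == PREDICTABLE_NAME,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as an unprivileged user on a Unix-like host; the same four results are what a code review of any temporary-file routine should establish, whether or not the editor in question is vi.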
VU#748355   CAN-2002-0659   Abstract Syntax Notation number One (ASN.1) is an international standard used to describe and transmit data packets between applications and across networks. There is a vulnerability related to ASN.1 that could permit an attacker to cause a denial of service or potentially execute arbitrary code.
VU#750299   CAN-2002-0559   A buffer overflow vulnerability exists in the Apache Procedural Language/Structured Query Language (PL/SQL) module used by Oracle9i Application Server (iAS). A maliciously crafted HTTP request made to the PL/SQL module could cause a denial of service or execute arbitrary code with the privileges of the Apache service.
VU#755755                   Yahoo! Messenger is an instant messaging client. There is a remotely exploitable buffer overflow vulnerability in the "set_buddygrp" field of Yahoo! Messenger.
VU#756019   CAN-2001-1340   There is a vulnerability in the Beck IPC@CHIP that allows an attacker to create a denial-of-service condition.
VU#757612   CAN-2003-0245   The Apache HTTP server contains a vulnerability that allows remote attackers to conduct denial-of-service attacks against an affected server.
VU#758483   CAN-2001-1217   A vulnerability exists in the Apache Procedural Language/Structured Query Language (PL/SQL) module used by Oracle9i Application Server (iAS) in which the module does not properly decode double URL encoded strings. This vulnerability could allow an intruder to read files outside the web server's root directory.
VU#758932                   The Sun Management Center (SunMC) contains a vulnerability that could allow an attacker to create or overwrite any file on the system.
VU#759265   CVE-2001-0094   There is a buffer overflow in the kdc_reply_cipher() function of KTH Kerberos. This buffer overflow may be exploitable to allow an attacker to gain root privileges, and can be used to deny service.
VU#761651   CAN-2002-1103   Cisco VPN 3000 series concentrators do not properly handle specially crafted Internet Security Association and Key Management Protocol (ISAKMP) packets, which can cause a vulnerable device to reload, denying service to legitimate users.
VU#763400   CAN-2001-1319   The Microsoft Exchange LDAP Service contains vulnerabilities that may allow denial-of-service attacks. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, the CERT/CC encourages you to follow the advice provided below.
VU#764027   CAN-2001-1209   zml.cgi does not adequately validate user input, allowing for directory traversal out of the web root directory.
VU#765256   CAN-2001-1320   The Network Associates PGP Keyserver contains vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, the CERT/CC encourages you to follow the advice provided below.
VU#770891   CVE-2002-0172   A locally exploitable denial-of-service vulnerability in SGI IRIX may allow a local attacker to disrupt network traffic.
VU#771155   CAN-2002-0093   The HP Tru64 UNIX implementation of "ipcs" contains a locally exploitable buffer overflow.
VU#771771                   Shambala FTP server has a directory traversal vulnerability in its handling of the CWD command.
VU#772563                   A remotely exploitable buffer overflow exists in versions of IBM's Lotus Domino web server prior to R5.0.10.
VU#772817                   Lotus Domino Web Server is an application that provides access to Lotus Notes databases via HTTP requests. A vulnerability exists that could permit a remote attacker to execute arbitrary code on the server.
VU#772915                   A locally exploitable buffer overflow exists in mllock.
VU#774587                   A vulnerability exists in the Telnet Authentication Option and Telnet Data Encryption Option specifications. An ordered list of authentication and encryption options sent from the server to client during negotiation is not cryptographically protected. As a result, an attacker may be able to modify the list and cause less secure authentication and encryption options to be negotiated. An active attacker may be able to disable Telnet data encryption without the client's knowledge.
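Added example for the VU#774587 entry above; it is not telnet code and does not use the telnet option wire format (IAC SB ... SE). It models the negotiation in plain Python: the server's ordered preference lists, a client that accepts the first option it supports, and an on-path attacker who rewrites the unprotected encryption list so that no encryption is negotiated while authentication still completes normally, which is the "disable Telnet data encryption without the client's knowledge" outcome the note describes. The hardened variant, in which the server MACs the offer it made under the key that authentication establishes and the client checks that MAC against the offer it received, is a model of the kind of binding the note says the specifications lack, not a published telnet extension. The option names are the telnet authentication and encryption type names used for illustration; the session key is constructed.

```python
"""Model of the telnet option-list downgrade in VU#774587.

Added example; not telnet code and not the telnet wire format.  Lists,
choice rule, the attacker's rewrite and the MAC-protected offer are all
modelled in plain Python.  The session key is constructed.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed preference lists, most preferred first.
SERVER_AUTH_OFFER = ["KERBEROS_V5", "SRP", "NULL"]
SERVER_ENC_OFFER = ["DES3_CFB64", "DES_CFB64", "NULL"]
CLIENT_AUTH_SUPPORTED = {"KERBEROS_V5", "SRP", "NULL"}
CLIENT_ENC_SUPPORTED = {"DES3_CFB64", "DES_CFB64", "NULL"}


def client_choose(offer: List[str], supported: set) -> Optional[str]:
    """The client accepts the first offered option it supports, so the order it
    receives (the server's, or an attacker's rewrite) decides the outcome."""
    for opt in offer:
        if opt in supported:
            return opt
    return None


def negotiate(auth_offer: List[str], enc_offer: List[str]) -> Tuple[Optional[str], Optional[str]]:
    return (client_choose(auth_offer, CLIENT_AUTH_SUPPORTED),
            client_choose(enc_offer, CLIENT_ENC_SUPPORTED))


def active_attacker(auth_offer: List[str], enc_offer: List[str]) -> Tuple[List[str], List[str]]:
    """On-path attacker: leaves authentication alone so the session looks
    normal, and strips every real cipher from the unprotected encryption list."""
    return list(auth_offer), [o for o in enc_offer if o == "NULL"]


def offer_tag(key: bytes, auth_offer: List[str], enc_offer: List[str]) -> bytes:
    """Hardened model: MAC over the offer, keyed with the session key that the
    authentication exchange establishes (assumed to exist for KERBEROS_V5)."""
    msg = ("AUTH=" + "|".join(auth_offer) + ";ENC=" + "|".join(enc_offer)).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def client_verify_offer(key: bytes, recv_auth: List[str], recv_enc: List[str], tag: bytes) -> bool:
    """The client recomputes the MAC over what it actually received."""
    return hmac.compare_digest(offer_tag(key, recv_auth, recv_enc), tag)


def run(attack: bool, session_key: bytes = b"constructed-session-key") -> dict:
    sent_auth, sent_enc = SERVER_AUTH_OFFER, SERVER_ENC_OFFER
    recv_auth, recv_enc = active_attacker(sent_auth, sent_enc) if attack else (sent_auth, sent_enc)
    auth, enc = negotiate(recv_auth, recv_enc)
    tag = offer_tag(session_key, sent_auth, sent_enc)   # server MACs what it really sent
    return {
        "auth": auth,
        "encryption": enc,
        "encrypted": enc not in (None, "NULL"),
        "offer_verified": client_verify_offer(session_key, recv_auth, recv_enc, tag),
    }


if __name__ == "__main__":
    print("no attacker:", run(attack=False))
    print("downgraded: ", run(attack=True))
```

Without a protocol change, the only client-side defence the model leaves is policy: treat an "encrypted" result of False as a failure and drop the session rather than continue in the clear, which is what the "without the client's knowledge" wording warns the default behaviour does not do.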
VU#776781   CVE-2000-1026   Tcpdump version 3.5 contains a buffer overflow vulnerability permitting unauthorized remote root access.
VU#779163   CVE-2002-0368   Microsoft Exchange 2000 contains a vulnerability that allows remote attackers to conduct a denial-of-service attack that, once begun, cannot be stopped until the crafted message has been completely processed.
VU#780737   CAN-2002-1320   Pine is a mail user agent (MUA) written and distributed by the University of Washington. Some versions contain a buffer overflow vulnerability in email address handling.
VU#782155   CAN-2001-1123   The HP Network Node Manager contains a vulnerability that may allow an attacker to gain elevated privileges.
VU#782243   CAN-2001-0970   TDForum does not properly filter HTML scripting tags from user input, allowing users to post malicious scripts that may be executed unwittingly by other users.
VU#786900                   This vulnerability allows an attacker to redirect an SSH connection to an arbitrary host.
VU#787523   CAN-2003-0060   Early releases of the MIT Kerberos V5 KDC contain format string vulnerabilities that can be used by unauthenticated remote attackers to conduct denial of service attacks on KDC servers.
VU#789543   CVE-2001-0333   Microsoft IIS decodes filenames after applying security checks, allowing an attacker to execute commands.
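Added example for the VU#758483 and VU#789543 entries above (the Oracle PL/SQL module not fully decoding double URL encoded strings, and IIS decoding file names after its security check). It is neither Oracle's nor Microsoft's code: a constructed web root and a tiny request resolver show why a traversal check that runs before the last decoding step is bypassed by %252e%252e (which decodes to %2e%2e and only then to ..), and the hardened resolver that decodes completely, normalises, and only then checks the result against the root. The web root and the request paths are constructed.

```python
"""Decode-after-check path traversal (VU#758483, VU#789543).

Added example; not Oracle's or Microsoft's code.  WEB_ROOT and REQUESTS are
constructed.  The two resolvers differ only in where decoding sits relative
to the traversal check.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/htdocs"                 # constructed


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %252e%252e -> %2e%2e -> ..
    Refuses input with more layers than max_rounds instead of guessing."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    raise ValueError("too many encoding layers")


def contains_traversal(path: str) -> bool:
    return ".." in path.split("/")


def resolve_vulnerable(request_path: str) -> str:
    """Flawed order: decode once and check, then a later layer decodes again."""
    if contains_traversal(unquote(request_path)):   # security check on a partial decode
        raise PermissionError("traversal rejected")
    decoded = unquote(unquote(request_path))        # the file-serving layer decodes again
    return posixpath.normpath(WEB_ROOT + "/" + decoded)


def resolve_fixed(request_path: str) -> str:
    """Correct order: decode completely, normalise, then check against the root."""
    decoded = fully_decode(request_path)
    if "\x00" in decoded:
        raise PermissionError("NUL in path")
    target = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if target != WEB_ROOT and not target.startswith(WEB_ROOT + "/"):
        raise PermissionError("path escapes web root")
    return target


def try_resolve(resolver, request_path: str) -> str:
    """Run a resolver and fold its rejection into the return value."""
    try:
        return resolver(request_path)
    except (PermissionError, ValueError) as exc:
        return f"REJECTED ({exc})"


REQUESTS = [                                         # constructed
    "/index.html",
    "/../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/%252e%252e/%252e%252e/%252e%252e/etc/passwd",
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(f"{req:48} vulnerable -> {try_resolve(resolve_vulnerable, req)}")
        print(f"{'':48} fixed      -> {try_resolve(resolve_fixed, req)}")
```

The same ordering rule applies to any other canonicalisation step (UTF-8 overlong forms, backslash to slash, case folding): every transformation the file-serving layer will perform has to happen before the authorisation decision, and the decision has to be made on the final absolute path, not on the request string.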
            An intruder who gains
            physical access to a
            computer system can
            bypass
            software-based control
VU#789985   mechanisms.
                            Ebay (www.ebay.com)is a
                            popular online auction site.
                            A vulnerability in the
                            ebay web site prior to April
                            24, 2002, could have
                            allowed an intruder to gain
                            access to a victim's
VU#791307                   personal data.




                            The Java Database
                            Connectivity (JDBC)
                            classes of Microsoft's Java
                            virtual
                            machine (VM) contain
                            functions that do not
                            properly validate
                            parameters. A
                            malicious Java applet can
                            exploit this vulnerability to
                            crash programs on the
VU#792881   CAN-2002-0867   client system.
                            SpoonFTP Server does not
                            adequately validate user
                            input, allowing directory
VU#794211   CVE-2001-0963   traversal.




                            A vulnerability exists in
                            ScreamingMedia's
                            SiteWare Editor's Desktop
                            that
                            allows an intruder to read
                            arbitrary files within the
VU#795707   CAN-2001-0555   SiteWare web hierarchy.
                            The Microsoft SQL Server
                            contains a vulnerability that
                            allows remote attackers
                            to execute arbitrary
                            commands with system
VU#796313   CVE-2002-0642   privileges.
                            A vulnerability that affects
                            Microsoft IIS 5.0 and
                            Exchange 2000 allows an
                            intruder to disrupt IIS web
                            services and web-based
                            mail services served via an
VU#796584   CAN-2001-0146   Exchange server.
            OpenSSH is an
            implementation of the
            Secure Shell (SSH)
            protocol. It can be
            configured to use Linux
            Pluggable Authentication
            Modules (PAM) for added
            authentication. A
            vulnerability exists in
            OpenSSH, and perhaps
            other
            implementations of SSH,
            which can allow to
            potentially bypass PAM
VU#797027   restrictions.
                            A vulnerability exists in
                            tcpdump that could allow
                            an attacker to execute
                            arbitrary code with the
                            privileges of tcpdump,
VU#797201   CAN-2001-1279   typically root.




                            Several Linux/Unix systems
                            ship with a utility package
                            called Taylor UUCP. A
                            component of the UUCP
                            package, uuxqt, fails to
                            properly filter arguments
                            from
                            the commands sent to it.
                            This can allow an intruder
                            to gain elevated privileges
                            and execute commands
                            with the privileges of uucp,
VU#798263   CVE-2001-0873   usually root.
            Oracle 9i Application
            Servers are vulnerable to a
            cross-site scripting
            vulnerability. The server
            may inadvertently include
            malicious HTML tags or
            script(JavaScript, VBScript,
            Java, etc.) in a dynamically
            generated page based
            on unvalidated input from
            untrustworthy sources. This
            can be a problem when a
            web server does not
            adequately ensure that
            generated pages are
            properly encoded
            to prevent unintended
            execution of scripts, and
            when input is not validated
            to
            prevent malicious HTML
            from being presented to the
VU#798611   user.
                            A vulnerability in various
                            Axis Communications
                            products may allow
                            unauthorized
VU#799060   CAN-2003-0240   remote privileged access.




                            There exist several signed-
                            integer vulnerabilities in
                            rsync. If rsync is run as
                            a daemon, a remote-root
                            compromise may be
VU#800635   CAN-2002-0048   possible.
            Internet Explorer may
            disclose files on your
            computer if you visit a
            malicious
            web site or read a mail
            message with Active
VU#800893   Scripting enabled.
                            Buffer overflow
                            vulnerabilities exists in the
VU#803539   CAN-2002-0651   DNS stub resolver library used by BSD, ISC BIND, and GNU glibc. Other systems that use DNS resolver code derived from ISC BIND may also be affected. An attacker who is able to control DNS responses could execute arbitrary code or cause a denial of service on vulnerable systems.
VU#805915   CAN-2002-0566   A vulnerability exists in the way the Apache Procedural Language/Structured Query Language (PL/SQL) module used by Oracle9i Application Server (iAS) handles HTTP Authorization headers. This vulnerability could allow an unauthenticated remote attacker to crash the Apache service.
VU#806091                   Mike Spice's My Calendar does not adequately validate user input, allowing directory traversal. As a result, an attacker can cause My Calendar to overwrite any file on the server to which the web server process has write privileges.
VU#808552                   A variety of ftp servers incorrectly manage buffers in a way that can lead to remote intruders executing arbitrary code on the FTP server. The incorrect management of buffers centers around the return from the glob() function, and may be confused with a related denial-of-service problem. These problems were discovered by the COVERT Labs at PGP Security.
VU#808633   CVE-2000-1120   There is a buffer overflow in the digest command that may allow a local attacker to gain root privileges.
VU#809347   CAN-2002-0572   A locally exploitable privilege elevation vulnerability exists in FreeBSD
VU#810921   CAN-2002-1361   A remotely exploitable vulnerability exists in Cobalt RaQ Server Appliances with the Security Hardening Package (SHP) installed.
VU#811371   CVE-2002-0186   A buffer overflow vulnerability exists in the Microsoft SQLXML Internet Services Application Programming Interface (ISAPI) extension for Internet Information Server (IIS). This vulnerability could allow a remote attacker to cause a denial of service or execute arbitrary code with LocalSystem privileges.
VU#812515   CVE-2001-0537   A problem with the HTTP server component of Cisco IOS system software allows an intruder to execute privileged commands on Cisco routers if local authentication databases are used.
VU#813737                   Version 4.01 of ScriptLogic contains a vulnerability in the default permissions assigned to the network share used for logging.
VU#814187   CVE-2001-0549   A vulnerability exists in the way Symantec LiveUpdate stores proxy server passwords which could allow local users to have read access to the key.
VU#814617   CAN-2003-0285   Sendmail shipped with IBM AIX is configured by default as an open mail relay. Unauthenticated, remote users can route mail through such a system.
VU#814627   CVE-2002-0906   A remotely exploitable buffer overflow exists in Sendmail, versions 8.12.0 through 8.12.4. This vulnerability only exhibits itself if you have modified the configuration file to look up TXT records in DNS.
VU#818496                   A flaw in certain configurations of Windows 2000 can allow an intruder to make an unlimited number of guesses to attempt to determine a password, despite policies intended to limit the number of guesses.
VU#818939   CAN-2002-0721   MS SQL Server contains an extended stored procedure with inappropriate permission settings.
VU#820083   CVE-2002-0184   Sudo is susceptible to a locally exploitable heap overflow vulnerability
VU#820957   CVE-2001-0090   The Internet Explorer 5.5 print template feature contains a vulnerability that allows a web page author to execute arbitrary code as the user viewing the web page.
VU#821139   CVE-2002-0685   A remotely exploitable buffer overflow exists in the Network Associates PGP Outlook Plug-in.
VU#823260   CAN-2003-0469   A buffer overflow vulnerability exists in a shared HTML conversion library used by Internet Explorer (IE) and other Windows applications. By enticing a victim to view an HTML document using IE, an attacker could execute arbitrary code with the victim's privileges or cause IE to crash.
VU#825177   CAN-2003-0016   Due to a flaw in the Apache web server's handling of MS-DOS device names, an attacker may be able to remotely execute code on systems running the Apache web server under some versions of Microsoft Windows.
VU#825275   CAN-2001-0838   A remotely exploitable format string vulnerability exists in the Referral Whois server daemon (RWhoisd).
VU#829845   CAN-2000-1105   Index Server 2.0 and the Indexing Service 3.0 contain a vulnerability that may allow remote intruders to gain information about files on the local computer.
VU#833459                   It is possible to read the stored configuration file from the Cisco SN 5420 Storage Router without any authorization. This can lead to an intruder gaining access to the storage space on the router.
VU#836088   CAN-2002-1121   Email anti-virus scanners and content filters from multiple vendors do not adequately check messages containing "message/partial" MIME entities (RFC 2046). As a result, viruses, malicious code, or other restricted content may not be detected.
VU#837419                   Netegrity SiteMinder does not adequately validate HTTP requests containing malicious Unicode encodings.
VU#840137   CAN-2002-1140   Microsoft Services for Unix 3.0 Interix SDK contains a remotely exploitable buffer overflow.
VU#840665                   There is a vulnerability that permits unauthorized access to several switch and router products manufactured by Cisco Systems. An attacker who gains access to an affected device can read and modify its configuration, creating a denial-of-service condition, an information leak, or both.
VU#840666                   A remotely exploitable buffer overflow vulnerability exists in Oracle9i Database.
VU#843667   CVE-2002-1015   RealNetwork's RealJukebox and RealONE Gold players are media applications that permit users to stream audio and video from local and internet sources. A vulnerability exists in the applications that could permit the execution of arbitrary code by a remote attacker.
VU#844360   CAN-2002-0029   The DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10 contains buffer overflows in code that handles responses for network name and address requests. Other resolver libraries derived from BIND 4 such as BSD libc, GNU glibc, and those used by System V UNIX systems may also be affected. An attacker could execute arbitrary code with the privileges of the application that made the request or cause a denial of service.
VU#846307                   The HP Tru64 UNIX implementation of "dxsysinfo" contains a locally exploitable buffer overflow.
VU#846832   CVE-2000-0824   The glibc implementation of unsetenv() fails to properly remove one of two successive occurrences of the same environment variable if the variable is redundantly passed to a program.
VU#847803                   PHP is a dynamic scripting language used by programmers to develop webservers, message boards, chat applications and a variety of programs. By default PHP stores variables passed from the URL in a global context. Programmers often fail to change this setting, which can allow serious vulnerabilities to surface. Often intruders can exploit the vulnerabilities created by this failure to gain administrative rights to the application or server, manipulate data, and execute arbitrary PHP code.
VU#848944                   There is a vulnerability that permits unauthorized access to several switch and router products manufactured by Cisco Systems. An attacker who gains access to an affected device can read its configuration, creating an information leak.
VU#849993   CAN-2002-0842   A vulnerability in some implementations of mod_dav may permit a remote attacker to gain unauthorized access to a web server running mod_dav.
VU#850440   CVE-2001-0259   The secure-RPC feature of the SSH1 client in Solaris sometimes encrypts the SSH private key file with a weak passphrase, which can be determined by an attacker and used to recover the SSH private keys. Other versions of the SSH client running on non-Solaris platforms are not affected by this vulnerability.
VU#850785   CAN-2003-0027   The Sun KCMS library service daemon, kcms_server, does not adequately validate the location of KCMS profile files. This could allow a remote attacker to read arbitrary files on a vulnerable system.
VU#852283   CAN-2002-1219   A vulnerability in BIND allows remote attackers to execute code with the privileges of the process running named. This vulnerability is resolved in BIND versions 4.9.11, 8.2.7, 8.3.4, and BIND 9.
VU#854306   CAN-2002-0013   Multiple vendor SNMPv1 GetRequest, GetNextRequest, and SetRequest message handling implementations contain vulnerabilities that may allow unauthorized privileged access, denial-of-service conditions, or unstable behavior. If your site uses SNMP in any capacity, the CERT/CC encourages you to read the information provided below.
VU#854315   CAN-2002-0702   The DHCP daemon (DHCPD) is a server that is used to allocate network addresses and assign configuration parameters to dynamically configured hosts. A format string vulnerability may permit an intruder to execute code with the privileges of the DHCP daemon (typically root).
VU#855195                   It is possible to cause a denial of service of the Cisco SN 5420 Storage Router by sending a fragmented packet over the Gigabit interface.
VU#855635   CAN-2002-1228   A remotely exploitable denial-of-service vulnerability exists in the Solaris lockd(1M) daemon. Exploitation of this vulnerability may kill the lockd process.
VU#855723   CVE-2001-0345   The Microsoft Windows 2000 Telnet Service contains a denial-of-service vulnerability that allows remote attackers to disrupt the telnet service on affected servers.
VU#855811   CVE-2002-0366   The Microsoft Remote Access Service API contains a vulnerability that allows local attackers to execute arbitrary code with system privileges.
VU#860296   CAN-2001-0551   The CDE Print Viewer program dtprintinfo provides a graphical interface to display the status of print queues and print jobs. By using the clipboard to overflow the search field in the Help window of dtprintinfo, a local attacker can execute arbitrary code on the system as root.
VU#862401                   A privilege escalation vulnerability exists in the HP-UX 11.22 XServer
VU#865833   CAN-2002-0863   Microsoft Windows Remote Desktop Protocol (RDP) uses a weak algorithm for encrypting packets.
VU#867593                   The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. This behavior could be leveraged by attackers to access sensitive information, such as cookies or authentication data, contained in the HTTP headers of the request.
VU#868219                   Multiple vendors' HTTP anti-virus and content filters do not inspect the contents of HTTP CONNECT method tunnels. As a result, viruses or other restricted HTTP content may not be blocked.
VU#868916   CVE-2001-0013   The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is a format string vulnerability in BIND 4.9.4 that may allow remote intruders to gain access to systems running BIND. Although BIND 4.9.x is no longer officially maintained by ISC, various versions are still widely deployed on the Internet. This vulnerability has been successfully exploited in a laboratory environment and presents a serious threat to the Internet infrastructure.
VU#869184   CAN-2001-0974   The Oracle Internet Directory server contains vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, the CERT/CC encourages you to follow the advice provided below.
VU#869360                   On January 29 and 30, 2001, VeriSign, Inc. issued two certificates to an individual fraudulently claiming to be an employee of Microsoft Corporation. Any code signed by these certificates will appear to be legitimately signed by Microsoft when, in fact, it is not. Although users who try to run code signed with these certificates will generally be presented with a warning dialog, there will not be any obvious reason to believe that the certificate is not authentic.
VU#869548   CAN-2003-0242   Apple's Mac OS X IPSec implementation does not properly filter certain types of IP traffic.
VU#872257   CVE-2000-1121   There is a buffer overflow in the enq command that may allow a local attacker to gain root privileges.
VU#872443                   There is a buffer overflow in nslookup that will allow local attackers to gain root privileges on vulnerable AIX systems.
VU#874115   CVE-2002-0054   A flaw in the authentication code of the SMTP service provided with Windows 2000 server and Exchange 5.5 may allow a user access to the SMTP service. This access could be used to relay mail in violation of the SMTP server's security policy, or consume CPU resources on the SMTP server.
VU#875073   CAN-2002-1235   Multiple Kerberos distributions contain a remotely exploitable buffer overflow in the Kerberos administration daemon. A remote attacker could exploit this vulnerability to gain root privileges on a vulnerable system.
VU#877811                   The CERT/CC has received a public report of a local buffer overflow vulnerability in the pwck utility.
VU#878603   CAN-2002-0559   A buffer overflow vulnerability exists in the Apache Procedural Language/Structured Query Language (PL/SQL) module used by Oracle9i Application Server (iAS). An HTTP Authorization header with a crafted password parameter could allow an unauthenticated remote attacker to cause a denial of service or execute arbitrary code with the privileges of the Apache service.
VU#879386                   Multiple buffer overflow vulnerabilities have been reported in QnX.
VU#879920                   A vulnerability in the Windows Media Player may allow remote attackers to view the contents of local files on the victim's computer.
VU#880624   The inetd service on Compaq's Tru64 UNIX is vulnerable to a denial-
                            Visitors to web sites that
                            use Microsoft IIS 5.0 and
                            5.1 are vulnerable to
                            cross-site scripting attacks
VU#883091   CVE-2002-0074   through the IIS help facility.
                            SecurityFocus and CORE
                            Security Technologies have
                            reported a vulnerability in
                            WU-FTPD. WU-FTPD
                            does not handle file name
                            globbing properly and may
                            allow an
                            attacker to execute
                            arbitrary code. WU-FTPD
                            is a widely-used FTP
                            daemon that is
                            included in many UNIX and
                            Linux distributions. This
                            vulnerability was
                            discussed on
                            SecurityFocus' vuln-dev
VU#886083   CVE-2001-0550   mailing list in April 2001.
            The Internet Key Exchange
            (IKE) protocol discloses
            username information
            when
            Aggressive Mode is used
            for shared secret
VU#886601   authentication.
                            Visitors to web sites that
                            use Microsoft IIS and also
                            use the default error
                            pages are vulnerable to
VU#886699   CVE-2002-0148   cross-site scripting attacks.
                            A vulnerability in the Cisco
                            Aironet 1100 Series Access
                            Point may allow a
                            remote attacker to discover
                            valid accounts on the
VU#886796   CAN-2003-0512   access point.




                            There is a buffer overflow
                            in the IBM AIX setsenv
                            command that may allow
                            local
                            attackers to gain root
VU#886953   CVE-2000-1119   privileges.
                            Yahoo! Messenger is an
                            instant messaging client.
                            There is a remotely
                            exploitable buffer overflow
                            vulnerability in the "imv"
                            field of Yahoo!
VU#887319   CAN-2002-0320   Messenger.
            A memory leak exists in the
            Windows 2000 SNMP
            service. Under a specific
            precondition, it can result in
            a remote denial-of-service
VU#887393   vulnerability.
                            A remotely exploitable
                            buffer overflow exists in
                            Trend Micro InterScan
VU#888283   CAN-2001-0761   WebManager.
                            RealNetwork's
                            RealJukebox and RealONE
                            Gold players are media
                            applications that
                            permit users to stream
                            audio and video from local
                            and internet sources. A
                            vulnerability exists in the
                            applications that could
                            permit the execution of
                            arbitrary commands by a
VU#888547   CVE-2002-1015   remote attacker.
                            SSL/TLS implementations
                            that respond distinctively to
                            an incorrect PKCS #1 v1.5
                            encoded SSL/TLS version
                            number expose the
                            premaster secret to a
                            modified
                            Bleichenbacher attack. An
                            attacker could decrypt a
                            given SSL/TLS session or
                            forge a signature on behalf
                            of a vulnerable application's
VU#888801   CAN-2003-0131   private RSA key.




                            The Lotus Domino Web
                            Server contains a flaw that
                            could be exploited to cause
                            a
                            denial-of-service situation
                            on the Windows and OS/2
VU#890128                   Platforms.
                            A vulnerability in certain
                            Hewlett-Packard systems
                            allows users to gain
                            unauthorized access to
                            user accounts and
                            databases using the
                            architected
VU#895496   CAN-2001-0608   interface facility.




                            A denial-of-service
                            vulnerability exists in all
                            versions of Postfix prior to
                            2.0. This vulnerability may
                            allow a remote attacker to
                            cause mail service
VU#895508   CAN-2003-0540   interruption.
VU#897529   CAN-2002-1325   Some versions of the Microsoft virtual machine (Microsoft VM) contain a flaw that could leak information about the user's system. This flaw could allow malicious Java applets to get information they would normally be denied access to.
VU#897604   CAN-2003-0161   Sendmail contains a buffer overflow in code that parses email addresses. A remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system.
VU#898480                   The default installation of Apache on MandrakeSoft Mandrake Linux includes sample programs which may unnecessarily disclose information about the server.
VU#898931   CAN-2001-0534   Vulnerabilities in various implementations of the Remote Authentication Dial-In User Server (RADIUS) 'radiusd' daemon can allow an attacker to disrupt services or obtain unauthorized access.
VU#899713   CAN-2002-1143   Microsoft Word and Excel contain special encoding tags for formatting and updating content. An attacker may be able to use these tags to exploit an information disclosure vulnerability.
VU#905795                   OpenSSH is an implementation of the Secure Shell protocol. A user may be able to bypass the IP based access control restriction feature specified in a key when two keys of varying types are specified.
VU#907819   CVE-2002-0005   There is a remotely exploitable buffer overflow in AOL Instant Messenger (AIM). An exploit has been publicly released. AOL has implemented a server side fix that has largely eliminated the chances of widespread automated exploitation of the vulnerability, but targeted exploitation of specific clients may still be possible. Attackers that are able to exploit the vulnerability may be able to execute arbitrary code.
VU#908611                   The Compaq web-enabled management software contains a buffer overflow in the SNMP and DMI functionality. Remote intruders may be able to execute arbitrary code with privileges on affected systems. All versions of Compaq Insight Manager XE are affected, but Compaq Insight Manager Windows console and Compaq Management agents are not affected.
VU#910624   CVE-2001-0245   There is a vulnerability in the way that Index Server 2.0 and the Indexing Service for Windows 2000 handle search requests. This vulnerability may allow attackers to view the contents of "include" files located on the web server.
VU#910713   CAN-2002-1156   There is an information leakage in Apache that results from an interaction between WebDAV and CGI.
VU#911505   CAN-2002-1160   A vulnerability exists in pam_xauth that may allow a local attacker to gain access to an administrator's X session.
VU#912219                   A buffer overflow vulnerability exists in the RealSystem Proxy. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable host. An exploit exists for this vulnerability and is publicly available.
VU#912659                   America Online's Instant Messenger (AIM) contains a remotely exploitable buffer overflow vulnerability.
VU#913704                   The default installation of Apache on MandrakeSoft Mandrake Linux enables directory indexing on directories that may unnecessarily disclose information about the server.
VU#914859   CAN-2001-0986   Microsoft Windows Index Server ships with an optional sample package. A component of this package, SQLQHit.asp, can disclose sensitive information when sent crafted requests.
VU#9162     CVE-1999-0702
VU#916443   CAN-2001-1093   msgchk, a part of the MH mail system, reportedly suffers from a buffer overflow with respect to the name of the inbox to be checked for new mail. This overflow would allow the user of msgchk to execute arbitrary code.
VU#916785   CAN-2003-0033   There is a buffer overflow vulnerability in the RPC preprocessing feature of Snort versions 1.8 through 1.9.0 and 2.0 beta.
VU#916795   CAN-2002-0193   Microsoft Internet Explorer (IE) may handle executable content automatically, opening it with another application on the client host that may in turn instruct the operating system to execute the file.
VU#918652   CAN-2003-0231   A vulnerability in Microsoft SQL Server may allow a local attacker to cause a denial of service. An exploit for this vulnerability is publicly available.
VU#920931                   phpBB is an open-source bulletin board program. A user input validation problem exists with regard to language settings. An intruder can execute arbitrary PHP code and gain a shell with the privileges of the web server on the system.
VU#921547                   PostNuke does not adequately filter user input, allowing arbitrary MySQL query execution and user authentication without password.
VU#923395   CAN-2002-0559   A buffer overflow vulnerability exists in the Apache Procedural Language/Structured Query Language (PL/SQL) module used by Oracle9i Application Server (iAS). This vulnerability could allow an unauthenticated remote attacker to cause a denial-of-service or execute arbitrary code on the system with the privileges of the Apache process.
VU#927256                   The default installation of Apache on MandrakeSoft Mandrake Linux configures an instance of the server to run apache-mod_perl listening on port 8200/tcp.
VU#929115   CAN-2002-0717   A vulnerability has been discovered in PHP. This vulnerability could be used by a remote attacker to execute arbitrary code or crash PHP and/or the web server.
VU#930161                   The Secure Command Shell service on NetScreen firewall products contains a remotely exploitable denial-of-service vulnerability.
VU#932283   CVE-2002-0022   The Microsoft Internet Explorer HTML rendering engine contains a vulnerability in its handling of the SRC attribute of the HTML <EMBED> directive. An attacker who is able to convince a user to read a malicious HTML file may be able to crash Internet Explorer or execute arbitrary code with the user's privileges.
VU#933955   CVE-2001-1032   PHPNuke's "admin.php" script does not properly authenticate users of its filemanager capabilities. Attackers may exploit this vulnerability to copy, move, or upload files.
VU#935800   CVE-2001-0977   Multiple versions of OpenLDAP contain vulnerabilities that may allow denial-of-service attacks. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, the CERT/CC encourages you to follow the advice provided below.
VU#936507                   Oracle 9i Application Server (9iAS) allows remote anonymous users to view source code in CGI scripts stored in the Apache cgi-bin. Attackers may analyze these scripts to discover usernames, passwords, or other proprietary data or methods.
VU#936683   CAN-2001-1377   Various RADIUS servers and clients permit the passing of vendor-specific and user-specific attributes. Several implementations of RADIUS fail to check the Vendor-Length of the Vendor-Specific attribute. It's possible to cause a denial of service against RADIUS servers with a malformed Vendor-Specific attribute.
VU#936868                   There is a buffer overflow in several versions of Oracle Database. The impact of this vulnerability may include the execution of arbitrary code; the ability to read, modify, or delete information stored in underlying Oracle databases; and denial of service.
VU#939675   CAN-2002-0721   MS SQL Server contains an extended stored procedure with inappropriate permission settings.
VU#940203                   DansGuardian does not properly filter
VU#943536                   A locally exploitable buffer overflow exists in ISC InterNetNews.
VU#943633   CVE-2001-1180   The FreeBSD operating system does not adequately clear signal handlers subsequent to a process calling exec() on a setuid program. This vulnerability can allow a local attacker to execute arbitrary code as root.
VU#944241                   A vulnerability in rpc.walld may allow local users to forge wall messages. An exploit exists for this vulnerability and is publicly available.
VU#944335   CVE-2002-0392   There is a remotely exploitable vulnerability in the way that Apache web servers (or other web servers based on their source code) handle data encoded in chunks. This vulnerability is present by default in configurations of Apache web server versions 1.2.2 and above, 1.3 through 1.3.24, and versions 2.0 through 2.0.36. The impact of this vulnerability is dependent upon the software version and the hardware platform the server is running on.
VU#945216   CVE-2001-0144   There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root.
VU#945747                   The "recent items" feature of MacOS X allows users at the console to trivially obtain root privileges.
VU#951555   CVE-2001-0876   A buffer overflow in Universal Plug and Play (UPnP) service on Microsoft Windows XP, Microsoft Windows ME, and Microsoft Windows 98 permits an intruder to run arbitrary code on vulnerable systems.
VU#951632   CAN-2001-0477   WebCalendar does not properly validate user input, allowing attackers to execute arbitrary commands.
VU#952171   CAN-2001-0552   Hewlett Packard's (HP) OpenView and Tivoli NetView are system management software packages. There is a vulnerability in a component of these packages, ovactiond, that allows intruders to execute arbitrary commands as user bin. This may subsequently lead to a root compromise.
VU#952336   CVE-2001-0500   A vulnerability exists in the Indexing services used by Microsoft IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions of Windows XP. Exploitation of this vulnerability allows a remote intruder to run arbitrary code on the victim machine.
VU#952611   CVE-2001-0667   A telnet client can be invoked with unsafe options by arbitrary HTML ("web") pages when rendered by affected Microsoft Internet Explorer clients.
VU#952875   CAN-2002-0321   Yahoo! Messenger is an instant messaging client. A report indicates that there is a vulnerability that permits an attacker to spoof the source user name of a Yahoo! Messenger message.
VU#953746                   A remotely exploitable buffer overflow vulnerability exists in Oracle9i Database.
VU#955065                   The HP Tru64 UNIX implementation of "lpd" contains a locally exploitable buffer overflow.
VU#958321   CAN-2002-1318   A remotely exploitable stack buffer overflow exists in the Samba server daemon (smbd).
VU#959207   CAN-2000-1117   Lotus Notes JVM leaks information about the existence of a file.
VU#959211   CVE-2001-0508   Intruders can disrupt the normal operation of an IIS 5.0 server using a malicious Web Distributed Authoring and Versioning (WebDAV) request.
VU#960267   CVE-2002-0051   A vulnerability in the locking of Group Policy Files under Windows 2000 may allow a local intruder to circumvent recently applied policy settings.
VU#960877   CAN-2000-1125   Some implementations of the Linux restoration utility, restore, call external programs on remote machines via the RSH environment variable. This may permit an attacker to compromise root if restore is setuid root.
VU#961489                   A buffer overflow vulnerability exists in versions of the University of Washington IMAP Server up to and including the imap-2002 release. This vulnerability may allow an authenticated attacker to execute arbitrary code on the mail server with the privileges of the UID of the user running imapd.
VU#964488   CVE-2001-0139   inn, a network news agent, may be configured on some operating systems to use a publicly writable directory for its temporary files. This may be exploited to gain access to the news account.
VU#965097                   The HP Tru64 UNIX implementation of "lpc" contains a locally exploitable buffer overflow.
VU#966075   CVE-2001-0668   The line printer daemon (rlpdaemon) on HP-UX systems enables various clients to share printers over a network. There exists a buffer overflow vulnerability in this daemon that permits remote execution of arbitrary commands with elevated privileges.
VU#968187                   It is possible to cause a denial of service of the Cisco SN 5420 Storage Router by sending an HTTP request with a large header.
VU#970472   CVE-2001-0414   There is a buffer overflow defect in the ctl_getitem() function of the Network Time Protocol (NTP) daemon responsible for providing accurate time reports used for synchronizing the clocks on installed systems. All NTP daemons based on code maintained at the University of Delaware since NTPv2 are assumed at risk.
VU#970915   CAN-2002-0770   The Quake II Server contains an information leakage vulnerability that allows remote attackers to gain control of the game server process.
VU#971179                   Several Linux/Unix systems ship with a utility package called UUCP derived from System V. A buffer overflow in components of the UUCP package can allow an intruder to gain elevated privileges.
VU#971364                   HP-UX's implementation of kermit contains a buffer overflow which may allow a local attacker to gain elevated privileges.
VU#972499                   AOL Instant Messenger (AIM) is an application that allows one peer to communicate with another. A vulnerability exists that can crash the client of a victim.
VU#974689                   The RealNetworks' Helix Universal Server supports delivery of several different media types over the Internet. Vulnerabilities have been discovered in the way it handles some requests from the network. These vulnerabilities could allow a remote attacker to execute arbitrary code on vulnerable systems.
VU#975041                   An input validation vulnerability in the GoAhead Web Server allows attackers to view sensitive information.
VU#975403   CAN-2002-0677   The Common Desktop Environment (CDE) ToolTalk RPC database server does not adequately validate a client-supplied argument, allowing attackers to overwrite certain locations in memory with zeros. This vulnerability could be exploited in a number of ways, potentially allowing attackers to: cause a denial of service, remotely delete arbitrary files, remotely create arbitrary directories, and potentially execute arbitrary code or commands.
VU#976280   CAN-2001-0380   There is a vulnerability in the remote management architecture for Asynchronous Transfer Mode (ATM) networking devices that permits unauthorized access to configuration information. An attacker who gains access to an affected device can read and modify its configuration, creating a denial-of-service condition, an information leak, or both.
VU#977251   CVE-2002-0569   It is possible to read the sensitive configuration files from an Oracle 9i Application Server without any authorization. This can lead to an intruder gaining access to sensitive information about the server and potentially compromising it.
VU#978131   CVE-2002-0049   The Microsoft Exchange System Attendant sets the permissions on a registry key incorrectly, allowing remote intruders access to the registry.
VU#978316   CAN-2003-0386   A vulnerability in the OpenSSH daemon (sshd) may give remote attackers a better chance of gaining access to restricted resources.
VU#979793   CAN-2003-0016   Systems running the Apache web server under some versions of Microsoft Windows may be vulnerable to a remote denial-of-service condition.
VU#980499   CVE-2001-0154   A vulnerability exists in Microsoft Internet Explorer that allows a malicious agent to execute arbitrary code when parsing MIME parts in a document. Any user or program that uses vulnerable versions of Internet Explorer to render HTML in a document (for example, when browsing a filesystem, reading email or news messages, or visiting a web page), should immediately upgrade to a non-vulnerable version of Internet Explorer.
VU#981651   CVE-2001-0828   Web servers that use the Resin Java Servlet Container, versions 1.2.3 and earlier, are vulnerable to a cross-site scripting vulnerability. A web site may inadvertently include malicious HTML tags or script (JavaScript, VBScript, Java, etc.) in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem when a web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user.
VU#982616   CVE-2001-0178   kdesu is an interactive interface to the substitute user (su) command for the KDE environment. To pass authentication information, it creates a file that may be read by unauthorized users.
                            The default configuration of
                            the Lotus Domino web
                            server discloses system
                            characteristics to
VU#984555   CAN-2001-1018   anonymous remote users.
            A vulnerability exists in
            iPlanet Web Server
            Enterprise Edition and
            Netscape
            Enterprise Server that
            allows an attacker to make
            repeated authentication
            attempts if a server is
            configured to use HTTP
            basic authentication. While
            the
            risk is not greater than any
            other brute force attack
            using HTTP basic
            authentication, this
            vulnerability may represent
            an unexpected avenue of
VU#985347   attack.




VU#986843   A remotely exploitable buffer overflow exists in the IPSWITCH WS_F
                            NewsDaemon prior to
                            version 0.21b contains a
                            vulnerability allowing
                            remote
                            attackers to gain
                            administrative access to
VU#987632   CVE-2001-0234   the web site.




                            A vulnerability exists in
                            Microsoft Internet Explorer
                            which could could enable
                            an attacker to spoof trusted
VU#988768   CVE-2001-0339   web sites.
                            AOL Instant Messenger
                            (AIM) is an application that
                            allows one peer to
                            communicate with another.
                            A vulnerability exists that
                            can crash the client of a
VU#990451                   victim.




VU#991240   CAN-2001-0374   Remote attackers may be able to relay connections through systems running the Compaq web-enabled management software. Attackers relaying connections in this way may be able to access restricted portions of the network or disguise their identity while attacking other systems. Many Compaq products are affected, from personal computers to commercial UNIX operating systems.
VU#994851   CAN-2001-0505   The telnet server included in the Microsoft Services for Unix package contains a denial-of-service vulnerability that may cause the system to become unstable or crash.




VU#997403   CVE-2002-0947   A buffer overflow vulnerability in Oracle Reports Server 6i could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the Reports Server process.
VU#997481   CAN-2003-0147   Cryptographic libraries and applications do not provide adequate defense against a side-channel timing attack against RSA private keys. Such an attack has been shown to be practical using currently available hardware on systems and networks with sufficiently low variance in latency.
VU#999788                   A vulnerability in BEA WebLogic Server and Express may allow a local attacker to gain elevated privileges.
Description   Impact   Solution   Workaround   Date Known Public

Description: There is a vulnerability related to page management in old versions (circa 1993) of OpenVMS. An exploit for this vulnerability, written in MACRO-32, was available at the time this vulnerability was first reported. No other details are currently available. See also CERT Advisory CA-1993-05.
Impact: An unprivileged user on a VMS system can gain full system privileges.
Solution: Upgrade to a recent (post 1993) version of OpenVMS. If you are still using an old version of OpenVMS, apply a patch as described in CERT Advisory CA-1993-05.
Date Known Public: 3/1/1993

Description: The Sun Ray is a thin client computing device designed to process user input and output, and provide access to computing services hosted by a server. Authentication can be accomplished through a smartcard. By design, the smartcard must remain inserted during the user's session. Quoting from Sun documentation about smart cards and the Sun Ray:

"When the user is finished (that is, the smart card is removed), the Authentication Manager is notified. If the user has not logged out, the session is kept alive with all services disconnected from the display. No files are left on the device, as all state is kept on the server, and the screen is cleared. When the user removes the smart card, there are no traces that he or she had been there. There
Impact: Under some circumstances, a user session may remain available even if the smartcard has been removed, in violation of the security architecture of the system.
Solution: A fix is pending from the vendor.
Workaround: Until a fix is available, ensure that all sessions have been disconnected when removing a smartcard from the Sun Ray Smartcard reader.
Date Known Public: 4/28/2003

Description: According to an OpenPKG advisory, a memory allocation problem exists in the "Automatic File Content Type Recognition Tool" (AFCTR tool) versions of the file[1] package prior to 3.41.
Impact: The complete impact of this vulnerability is not yet known. This vulnerability may be exploited by a user on the local system.
Solution: Upgrade to version 3.41 of the file[1] package, or apply a patch specified by your vendor.
Date Known Public: 3/4/2003

Description: The ISS RealSecure Network Sensor fails to properly process certain types of DHCP traffic. If the sensor processes certain types of DHCP traffic, it will crash. For more information, please see http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?id=advise116.
Impact: An attacker can cause the sensor to stop functioning.
Solution: Apply a vendor update.
Date Known Public: 4/30/2002

Description: AIX is a UNIX operating system distributed by IBM. A vulnerability in AIX 4.3.3 may allow a remote attacker to cause a denial of service. For more information, please see IBM APAR IY31641.
Impact: A remote attacker may be able to consume 100% of the CPU, resulting in a denial of service.
Solution: Apply a patch.
Date Known Public: 10/9/2002

Description: When performing the "<<" redirection, /bin/sh creates a temporary file in /tmp with a name based on the process id, writes subsequent input out to that file, and then closes the file before re-opening it as the standard input of the command to be executed. At no stage are the results of the creat(), write(), or open() calls checked for an error status.
Impact: It is possible for another user to alter what is read from this file. If the sticky bit is not set on /tmp, the file can be simply removed, and a new file created in its place. If the sticky bit is set, then it is possible to guess what the file will be called and create it before /bin/sh does (the creat() call performed by the shell does not result in an open() call with O_EXCL set) and hence it is possible to maintain a handle on the underlying file. If a fifo is created in place of the temporary file it is particularly easy to insert an extra command into the input transparently, and without having to worry about ensuring the bug is exploited during the narrow window of time in which it occurs. Even without reading, creating this file may block the execution of commands using the << operator.
Solution: Apply vendor patches; see the Systems Affected section below.
Workaround: Avoid the use of the << operator in cron jobs.
Date Known Public: 7/17/1991
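The two defects the note describes (a name derived only from the pid, and a creat()-style open without O_EXCL that silently reuses whatever already sits at that path) are shown side by side below. This is an added example, not code from the CERT note or from any vendor's shell: it replays the attacker pre-creating the predictable name and keeping a handle, then shows that an exclusive, no-follow open refuses both a pre-planted regular file and a pre-planted fifo. The directory, pid and heredoc body are constructed values.

```python
import os
import tempfile

HEREDOC_BODY = b"rm -f /var/tmp/stale\n"   # constructed heredoc content


def unsafe_tmpfile(tmpdir, pid):
    """Mimics the historical /bin/sh behaviour: predictable name, open with
    O_CREAT|O_TRUNC but no O_EXCL, and no error checking. Whatever inode is
    already at that path (regular file, fifo, symlink target) is reused."""
    path = os.path.join(tmpdir, "sh%d" % pid)      # name is a function of the pid
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.write(fd, HEREDOC_BODY)
    os.close(fd)
    return path


def open_exclusive(path):
    """Hardened open: O_EXCL turns an existing file, symlink or fifo at the
    path into EEXIST instead of reuse; O_NOFOLLOW (where available) refuses
    to follow a symlink planted between check and use."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def demo(tmpdir, pid=4242):
    """Play both sides inside a scratch directory and report what happened."""
    target = os.path.join(tmpdir, "sh%d" % pid)

    # Attacker guesses the name, creates the file first and keeps a handle open.
    attacker_fd = os.open(target, os.O_RDWR | os.O_CREAT, 0o644)

    # The unsafe shell truncates and writes into the attacker's inode; the
    # attacker's handle still points at it, so the heredoc body leaks.
    unsafe_tmpfile(tmpdir, pid)
    os.lseek(attacker_fd, 0, os.SEEK_SET)
    leaked = os.read(attacker_fd, 4096)
    os.close(attacker_fd)

    # The exclusive open refuses the pre-planted regular file ...
    try:
        os.close(open_exclusive(target))
        refused_file = False
    except FileExistsError:
        refused_file = True

    # ... and a pre-planted fifo, which a plain open would have reused
    # (and which would then feed the attacker's input to the command).
    fifo = os.path.join(tmpdir, "sh%d" % (pid + 1))
    os.mkfifo(fifo)
    try:
        os.close(open_exclusive(fifo))
        refused_fifo = False
    except FileExistsError:
        refused_fifo = True

    # On a name nobody pre-created the exclusive open succeeds normally.
    fresh = os.path.join(tmpdir, "sh%d" % (pid + 2))
    os.close(open_exclusive(fresh))

    return {
        "attacker_reads_heredoc": leaked == HEREDOC_BODY,
        "exclusive_open_refused_file": refused_file,
        "exclusive_open_refused_fifo": refused_fifo,
        "exclusive_open_ok_on_fresh_name": os.path.exists(fresh),
    }


def run_demo():
    """Run demo() in a throwaway directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-34s %s" % (key, value))
```

In practice the unpredictable name and the exclusive create come together from tempfile.mkstemp(), which uses O_CREAT|O_EXCL with a random suffix; the exclusive open alone (as in open_exclusive above) already closes the "guess the name and create it first" window the note describes, and checking the return value of every open/write/close is what turns the fifo trick into a visible failure rather than a blocked command.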

Description: Versions of OpenSSL servers prior to 0.9.6e and pre-release version 0.9.7-beta2 contain a remotely exploitable buffer overflow vulnerability. This vulnerability can be exploited by a client using a malformed key during the handshake process with an SSL server connection using the SSLv2 communication process.
Impact: Exploitation of this vulnerability could lead to the execution of arbitrary code on the server. The code will be executed with the privileges of the application or service exploited via this vulnerability.
Solution: OpenSSL servers should apply the patches provided by your vendors, or upgrade to OpenSSL 0.9.6e. Note that applications statically linking to OpenSSL libraries may need to be recompiled with the corrected version of OpenSSL.
Workaround: Servers can disable SSL2 or disable all applications using SSL or TLS until the patches are applied.
Date Known Public: 7/30/2002

Description: mod_ssl is an Apache module that allows secure connections over X.509 authenticated channels. A buffer overflow exists in the ssl_compat_directive() function. For more detailed information, please see the original vulnerability report.
Impact: A local attacker can execute arbitrary code with the privileges of the web server. Additionally, an attacker may be able to add bogus entries to multiple web server log files. An attacker may also be able to slow down or even stop the web server.
Solution: Apply a patch from your vendor.
Workaround: Do not allow per-directory config files. To accomplish this, set the AllowOverride directive to "none" in the httpd.conf file. As a reminder, you must restart the web server for the changes to take effect.
Date Known Public: 6/24/2002



Description: Cayman gateways running versions 5.5 Build R0, 5.3 Build R2, 5.3 Build R1 are vulnerable to an oversized ICMP echo (ping) request. By sending an oversized ping packet to the gateway, it is possible to crash various services resulting in a denial of service.
Impact: Exploiting this vulnerability results in a denial of service.
Solution: Upgrade to the latest vendor software release.
Date Known Public: 5/23/2000

Description: When a connection request is made to Oracle for Windows NT, Oracle Database Server creates a new thread listening on a new port and redirects the connection to the new port. This new thread remains in memory listening until the client connects to its port or the Oracle Database Server is restarted.
Impact: By making many connection requests to Oracle without connecting to the new threads created to handle the connections, an attacker can force the server to consume all memory with listening threads. Once all server memory is consumed, the next console login attempt will crash the server.
Solution: The CERT/CC is currently unaware of a practical solution to this problem.
Workaround: Enable tcp.validnode_checking and set tcp.invited_nodes and tcp.excluded_nodes to limit Oracle access to trusted hosts. Set the following parameters in the Oracle Net8 configuration file PROTOCOL.ORA:

tcp.validnode_checking = YES
tcp.invited
Date Known Public: 6/19/2001



Description: cda, the command line interface to xmcd, executes with system administrator privileges. It creates insecure temporary files with predictable names in /tmp, a world-writable directory.
Impact: By creating symbolic links with appropriate names, a local attacker may overwrite any writable file on the system. If the attacker can control the content of the overwritten files, elevation of privileges may result.
Solution: Apply vendor patches; see the Systems Affected section below.
Workaround: Remove the setuid protection from cda.
Date Known Public: 8/23/2001

Description: There is a problem involving BGP updates on Cisco routers with BGP4 Prefix Filtering and Inbound Route Maps enabled. A route update with an unrecognized transitive attribute may cause vulnerable routers to crash. This problem does not appear to have been exploited intentionally by attackers, but it has occurred accidentally during normal operation as the result of interaction with another vendor's product. More information on this problem is available from Cisco at: http://www.cisco.com/warp/public/707/ios-bgp-attr-corruption-pub.shtml
Impact: Attackers that are able to send malformed BGP updates can cause vulnerable routers to crash, causing network outages. Under certain circumstances, an attacker may be able to use the BGP infrastructure to propagate the bad route update to multiple routers.
Solution: Cisco has released an advisory that provides a list of affected products, along with instructions for obtaining fixed software. Because there are many possible combinations of hardware and software configurations, the CERT/CC recommends that all users of IOS and software consult the following Cisco Security Advisory: http://www.cisco.com/warp/public/707/ios-bgp-attr-corruption-pub.shtml
Date Known Public: 5/10/2001

Description: The Oulu University Secure Programming Group (OUSPG) has reported numerous vulnerabilities in multiple vendor SNMPv1 implementations. By applying the PROTOS c06-SNMPv1 test suite to a variety of popular SNMPv1-enabled products, the OUSPG revealed a number of vulnerabilities across a wide range of products. This vulnerability note focuses on vulnerabilities occurring in code responsible for SNMPv1 trap handling.

SNMPv1 supports five different types of messages: GetRequest, SetRequest, GetNextRequest, GetResponse, and Trap. A single SNMP message is referred to as a Protocol Data Unit (PDU). These messages are described using Abstract
Impact: These vulnerabilities may cause denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain access to the affected device. Specific impacts will vary from product to product.
Solution: Note that many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Care should therefore be taken to ensure that any changes made based on the following recommendations will not negatively impact your ongoing network operations capability. Contact your vendor for patches.
Workaround: Please see the Solution section of CA-20
Date Known Public: 2/12/2002

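The trap-handling failures this note covers come down to decoders that trust the length fields inside a BER-encoded PDU. The decoder below is an added example, not code from the note, from OUSPG or from any vendor: it parses an SNMPv1 message carrying a Trap-PDU using the RFC 1157 tag layout (SEQUENCE 0x30, INTEGER 0x02, OCTET STRING 0x04, OBJECT IDENTIFIER 0x06, IpAddress 0x40, TimeTicks 0x43, Trap-PDU 0xa4) and checks every length against the bytes actually present, so a mutated length of the kind a PROTOS-style test suite generates produces a clean MalformedPDU instead of an over-read. The sample trap (community "public", enterprise 1.3.6.1.4.1.9, agent 192.168.1.1, one sysName.0 varbind) and the tiny encoder that builds it are constructed for the example.

```python
TAG_NAMES = {0xa0: "GetRequest", 0xa1: "GetNextRequest", 0xa2: "GetResponse",
             0xa3: "SetRequest", 0xa4: "Trap"}


class MalformedPDU(ValueError):
    """Raised instead of over-reading when a length field lies."""


def read_tlv(buf, pos):
    """Read one BER tag/length/value at buf[pos:]; return (tag, value, next_pos).
    Every length is validated against the bytes actually present."""
    if pos + 2 > len(buf):
        raise MalformedPDU("truncated header at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7f
        if n == 0 or n > 4:            # indefinite form or absurd length-of-length
            raise MalformedPDU("unsupported length form at offset %d" % pos)
        if pos + n > len(buf):
            raise MalformedPDU("truncated length at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):        # the check a crashing trap handler skips
        raise MalformedPDU("length %d exceeds %d available bytes" % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length


def read_seq(buf):
    """Split a constructed value into (tag, value) children, consuming every byte."""
    items, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        items.append((tag, val))
    return items


def decode_int(val):
    if not 1 <= len(val) <= 8:
        raise MalformedPDU("bad INTEGER length %d" % len(val))
    return int.from_bytes(val, "big", signed=True)


def decode_oid(val):
    if not val:
        raise MalformedPDU("empty OBJECT IDENTIFIER")
    arcs, cur, pending = [val[0] // 40, val[0] % 40], 0, False
    for b in val[1:]:
        cur, pending = (cur << 7) | (b & 0x7f), bool(b & 0x80)
        if not pending:
            arcs.append(cur)
            cur = 0
    if pending:
        raise MalformedPDU("unterminated OID sub-identifier")
    return ".".join(map(str, arcs))


def decode_trap(msg):
    """Parse an SNMPv1 message carrying a Trap-PDU into a dict, or raise MalformedPDU."""
    tag, body, end = read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise MalformedPDU("message is not exactly one SEQUENCE")
    fields = read_seq(body)
    if len(fields) != 3 or fields[0][0] != 0x02 or fields[1][0] != 0x04:
        raise MalformedPDU("bad message envelope")
    if decode_int(fields[0][1]) != 0:
        raise MalformedPDU("not an SNMPv1 message")
    pdu_tag, pdu = fields[2]
    if pdu_tag != 0xa4:
        raise MalformedPDU("expected Trap, got %s" % TAG_NAMES.get(pdu_tag, hex(pdu_tag)))
    parts = read_seq(pdu)
    if [t for t, _ in parts] != [0x06, 0x40, 0x02, 0x02, 0x43, 0x30] or len(parts[1][1]) != 4:
        raise MalformedPDU("Trap-PDU fields do not match RFC 1157")
    varbinds = []
    for t, vb in read_seq(parts[5][1]):
        inner = read_seq(vb) if t == 0x30 else []
        if len(inner) != 2 or inner[0][0] != 0x06:
            raise MalformedPDU("bad VarBind")
        varbinds.append((decode_oid(inner[0][1]), inner[1][1]))
    return {"community": fields[1][1].decode("ascii", "replace"),
            "enterprise": decode_oid(parts[0][1]),
            "agent_addr": ".".join(str(b) for b in parts[1][1]),
            "generic_trap": decode_int(parts[2][1]),
            "specific_trap": decode_int(parts[3][1]),
            "timestamp": decode_int(parts[4][1]),
            "varbinds": varbinds}


def rejects(msg):
    """True if decode_trap refuses the message cleanly (no exception other than MalformedPDU)."""
    try:
        decode_trap(msg)
        return False
    except MalformedPDU:
        return True


# ---- constructed samples (hypothetical values, not captured traffic) ----
def tlv(tag, value):
    n = len(value)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x82, n >> 8, n & 0xff])
    return hdr + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7f]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7f))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


# enterpriseSpecific trap (generic-trap 6, specific-trap 1, 300 ticks) with sysName.0 = "rtr1"
SAMPLE_TRAP = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"public") + tlv(0xa4,
    tlv(0x06, encode_oid("1.3.6.1.4.1.9")) + tlv(0x40, bytes([192, 168, 1, 1])) +
    tlv(0x02, b"\x06") + tlv(0x02, b"\x01") + tlv(0x43, b"\x01\x2c") +
    tlv(0x30, tlv(0x30, tlv(0x06, encode_oid("1.3.6.1.2.1.1.5.0")) + tlv(0x04, b"rtr1")))))

# PROTOS-style mutation: the final VarBind (last 18 bytes) now claims 127 bytes while 16 follow.
MUTATED_TRAP = SAMPLE_TRAP[:-18] + b"\x30\x7f" + SAMPLE_TRAP[-16:]
```

decode_trap(SAMPLE_TRAP) yields the fields listed in the lead-in; decode_trap(MUTATED_TRAP) and decode_trap(SAMPLE_TRAP[:-5]) (a packet cut short on the wire) both raise MalformedPDU from read_tlv's "exceeds available bytes" check, which is the single comparison that separates a sensor logging a bad trap from a sensor that crashes on one.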
Description: Dynamic Data Exchange (DDE) is an interprocess communication mechanism used in Microsoft Windows. A DDE share is an area of memory which is used to store and retrieve data. Network DDE is used between processes on two different computers that wish to communicate using DDE. The service that manages this network communication is called the Network DDE Agent. When a share is marked by its creator as a trusted share, it can be used by the Network DDE Agent.

When a trusted share is accessed by a local user, part of the request can include an application that will be invoked by the Network DDE Agent. Under Windows 2000, this application will run with Local System privileges. Since any local user can create trusted shares, it is
Impact: Local users can execute arbitrary commands with system privileges.
Solution: Apply a patch as described in MS01-007.
Date Known Public: 2/5/2001

Description: The Domain Name System (partially specified in RFC 1034, Domain Names - Concepts and Facilities) is the network infrastructure which maps Internet addresses to human-readable labels (names), and vice-versa. Several implementations of the servers responsible for managing this mapping information have had a specific security vulnerability called "cache poisoning" which may lead to corruption of the DNS information (resource records, or RRs) being managed (see CA-1999-22 for more details).

Cache poisoning occurs when malicious or misleading data received from a remote name server is saved (cached) by a gullible name server. This bad data is then made available to
Impact: Once the cache poisoning occurs, hosts looking for legitimate DNS responses from a corrupted server can be redirected to arbitrary sites. Alternatively, the information returned can be garbage, leading to possible denial of DNS service.
Solution: On affected Windows NT or 2000 systems, locate the following key in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

On the Edit menu, click Add Value, and then add the following registry value:

Value Name: SecureResponses
Data Type: REG_DWORD
Value: 1

On Windows 2000 Server systems, there is a GUI option "Secure cache against pollution" in the DNS Management Console which can set the registry key value automatically. Please see the Knowledge Base article Q241352 for step-by-step instructions.
Workaround: See Q241352 for the complete set of instructions for enabling cache protection for both Windows NT and Windows 2000 Server systems.
Date Known Public: 6/22/2001

Description: CrushFTP is a Java-based FTP server available for Linux, Mac OS, and Windows. CrushFTP can be configured to limit access to files under a designated FTP root directory. However, CrushFTP allows an attacker to get files outside this directory through '../' directory traversal.
Impact: CrushFTP allows an attacker to see any file in the filesystem, including potentially sensitive and critical system files.
Solution: Upgrade to version 2.1.7 or later of CrushFTP at: http://www.crushftp.com.
Workaround: Use chroot if available on your system, to limit the scope of CrushFTP's access to the filesystem.
Date Known Public: ########

Description: From the xfsdump man page: xfsdump backs up files and their attributes in a filesystem. The files are dumped to storage media, a regular file, or standard output. Options allow the operator to have all files dumped, just files that have changed since a previous dump, or just files contained in a list of pathnames.

xfsdump does not create quota files in a secure manner. As a result, a local attacker may be able to gain superuser privileges on a vulnerable system. For more details, please see SGI Security Advisory 20030404-01-P.
Impact: A local attacker may be able to gain superuser privileges.
Solution: Apply a patch from your vendor.
Date Known Public: 4/10/2003

Description: IIS 4 and 5 provide the ability for web administrators to place executable files and scripts on the web server for execution on the server by visitors to the site. The executability and scriptability of files on the server can be controlled on a directory-by-directory basis. Additionally, by design, IIS restricts access to files on the server to only those files in the web folder(s). This includes attempts to access files through a relative reference such as

http://www.example.org/data/../../../winnt/file.dat

By design, attempts to access a file in this manner will fail.

Furthermore, an attempt to execute a file contained in a directory not marked as executable will fail. For example,
Impact: Remote users can execute arbitrary commands with the privileges of the IUSR_machinename account.
Solution: Apply the patch described in MS01-044. This patch is a cumulative patch that covers a variety of security problems discovered prior to August 15, 2001. Alternately, you can install a patch from Microsoft as described in MS00-078, though that addresses only this specific vulnerability. The patch was first announced in MS00-057.
Workaround: As a general practice, and to mitigate against this vulnerability if you are unable to install a patch, use NTFS file permissions to restrict IIS so that it can only access files contained in the web server. Additionally, because relative references to files cannot cross volume
Date Known Public: ########

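Both the CrushFTP entry ('../' traversal out of the FTP root) and the IIS entry (a relative reference such as /data/../../../winnt/file.dat that the server is supposed to refuse) come down to the same check: canonicalize the client-supplied path completely, then decide whether it still lies under the root. The function below is an added example and is not code from either product or from the CERT notes; it decodes percent-encoding repeatedly, unifies slash and backslash, walks the segments so that any attempt to climb above the root is rejected outright rather than silently clamped, and finally compares real filesystem paths so a symlink inside the root cannot point back out. The scratch root, its symlink and the request strings are constructed for the example; the hypothetical request list is not drawn from either advisory.

```python
import os
import tempfile
from urllib.parse import unquote


def canonicalize(requested):
    """Percent-decode (repeatedly), unify separators and walk the segments.
    Returns the cleaned segment list, or None if the path climbs above the root."""
    decoded = requested
    for _ in range(3):                        # %252e%252e must not survive one pass
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    stack = []
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:                     # would climb above the root: refuse
                return None
            stack.pop()
        else:
            stack.append(seg)
    return stack


def resolve_within_root(root, requested):
    """Return the real filesystem path for `requested`, or raise PermissionError.
    Lexical check first, then a realpath check for symlink escapes."""
    segs = canonicalize(requested)
    if segs is None:
        raise PermissionError("traversal above root: %r" % requested)
    real_root = os.path.realpath(root)
    real = os.path.realpath(os.path.join(real_root, *segs))
    if real != real_root and not real.startswith(real_root + os.sep):
        raise PermissionError("symlink escape: %r -> %s" % (requested, real))
    return real


def served(root, requested):
    """True if the request would be served, False if it is refused."""
    try:
        resolve_within_root(root, requested)
        return True
    except PermissionError:
        return False


def run_demo():
    """Build a constructed FTP root with one file and one symlink that points
    outside the root, then evaluate a set of constructed requests against it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "ftproot")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "pub"))
    os.makedirs(outside)
    with open(os.path.join(root, "pub", "readme.txt"), "w") as f:
        f.write("hello\n")
    os.symlink(outside, os.path.join(root, "escape"))   # planted by an attacker
    requests = [
        "pub/readme.txt",                                   # plain, inside root
        "pub/../pub/readme.txt",                            # '..' that stays inside
        "data/../../../winnt/file.dat",                     # the IIS-style reference
        "data/%2e%2e/%2e%2e/%2e%2e/winnt/file.dat",         # percent-encoded dots
        "data/%252e%252e/%252e%252e/%252e%252e/winnt/file.dat",  # double-encoded
        "data\\..\\..\\..\\winnt\\file.dat",                # backslash separators
        "escape/secret.txt",                                # symlink out of the root
    ]
    return {r: served(root, r) for r in requests}


if __name__ == "__main__":
    for req, ok in run_demo().items():
        print("%-58s %s" % (req, "served" if ok else "refused"))
```

The order matters: decoding before the segment walk is what keeps encoded or double-encoded dots from slipping past a check that only looks for the literal string "../", and the realpath comparison at the end is the part the chroot workaround in the CrushFTP entry provides at the operating-system level when the application's own check is wrong.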
Description: The Outlook Web Access (OWA) component of Microsoft Exchange allows users to access their email with a web browser, obviating the need for a standalone email client. This functionality is implemented with several ASP scripts that allow users to perform typical tasks such as reading, composing, and managing mail messages. Most of these functions require users to authenticate to the application, thereby protecting the content of the messages. However, the ASP script used by OWA to search the Global Address List (GAL) does not require authentication, which presents an information disclosure vulnerability. By writing custom ASP scripts that bypass the authenticated components of OWA, it is possible for an attacker
Impact: Attackers can exploit this vulnerability to perform unauthenticated searches on sensitive contact information. For example, an attacker could obtain a user's email address by searching on their name.
Solution: Apply a patch from your vendor. Microsoft has released a patch to address this vulnerability; for more information, please consult the vendor information section below.
Workaround: Disable Outlook Web Access. Microsoft has reported that this vulnerability affects Exchange 5.5 servers running the OWA service. If your local policies prevent the immediate installation of the patch recommended by Microsoft, it is possible to work around this
Date Known Public: 9/6/2001

Overview: A buffer overflow exists in the QuickTime Player for Windows' handling of overly long URLs of the type quicktime://... A specially crafted URL consisting of a long string of characters can cause the QuickTime Player to crash or allow an attacker to execute arbitrary code of their choosing with the privileges of the user running the QuickTime Player.

The URL containing the exploit code may be hosted on a webpage, introduced via HTML email, or presented to the user in another fashion that encourages them to browse to it.
Impact: If the QuickTime player software is instructed to load a URL that is specially crafted by an attacker, arbitrary code can be executed under the privileges of the QuickTime user. This crafted URL may be supplied on a webpage or in email for the victim to select, or by some other means designed to encourage them to invoke the QuickTime Player using the exploit URL.
Solution: Apply a patch from the vendor. Apple has released a patch to address this vulnerability; please see the vendor section of this document for further details.
Workaround: Removing the QuickTime handler from the web browser or removing the HKEY_CLASSES_ROOT/quicktime registry key may prevent automatic exploitation through HTML pages.
Date: 3/31/2003

Overview: The problem affects HP3000 systems running MPE/iX versions 5.5 through 6.5. HP has published a security bulletin describing the solution to this vulnerability (HPSBMP0102-009). No additional details about the vulnerability are available.
Impact: The full impact of this vulnerability is not yet known, but it appears to allow local users to gain root privileges.
Solution: Apply the patches described in the HP security bulletin.
Date: 2/20/2001

Overview: According to Microsoft Security Bulletin MS03-022:

Microsoft Windows Media Services is a feature of Microsoft Windows 2000 Server, Advanced Server, and Datacenter Server and is also available in a downloadable version for Windows NT 4.0 Server. Windows Media Services contains support for a method of delivering media content to clients across a network known as multicast streaming. In multicast streaming, the server has no connection to or knowledge of the clients that may be receiving the stream of media content coming from the server. To facilitate logging of client information for the server, Windows 2000 includes a capability specifically designed to enable logging for multicast
Impact: A remote attacker may be able to execute arbitrary code in the context of the account under which IIS was running. This access could be leveraged by the attacker to take any action on the system.
Solution: Microsoft has released patches for this issue. Users are encouraged to review Microsoft Security Bulletin MS03-022 for more information.
Workarounds: If nsiislog.dll is being used as an ISAPI extension to IIS and its functionality is not required, sites are encouraged to unmap the extension.
Date: 6/25/2003

Overview: There is a vulnerability in catman that allows attackers to overwrite arbitrary files, regardless of ownership. The catman program creates temporary files with predictable names and paths such as /tmp/sman_pidofcatman. By monitoring the process ids (PID) of currently running processes, attackers can predict the next PID to be assigned, which will allow them to predict the filename. Once the filename is established, the attacker then creates a symbolic link from the temporary file to the file they want to overwrite. Because the catman program runs as root, it is able to overwrite the file targeted by the symbolic link.
Impact: Attackers can exploit the predictability of catman temporary filenames to overwrite arbitrary system files, regardless of ownership.
Solution: The CERT/CC is currently unaware of a practical solution to this problem.
Date: 1/30/2001

Overview: "quot" is used to summarize file system ownership. A locally exploitable buffer overflow in "quot" may permit a local attacker to gain elevated privileges and execute arbitrary code on a vulnerable host.
Impact: A local user may be able to gain elevated privileges and execute arbitrary code.
Solution: Apply a patch.
Date: 5/22/2002

Overview: Adobe PhotoDeluxe is an image manipulation application for the Windows platform. PhotoDeluxe is geared towards the home user market and is bundled with a number of image capture devices, such as scanners and digital cameras. Dr. Hiromitsu Takagi has reported that Java code installed by PhotoDeluxe is given privileged access to the local system and can be exploited by a malicious web page or HTML email message viewed through Internet Explorer. Dr. Takagi's analysis is available here:

http://java-house.jp/~takagi/java/security/adobe-photodeluxe/

PhotoDeluxe provides a feature called "Connectables" that gives users the ability to download additional design elements from Adobe's web site. PhotoDeluxe installs Java
Impact: By enticing a user to view a malicious web page or HTML email message, an attacker may obtain directory listings or cause arbitrary code to be downloaded and executed with the privileges of the current user. If an attacker controls DNS information, they may be able to subvert the Connectables function without the user's knowledge.
Solution: Disable Active scripting and Java. At a minimum, disable Active scripting and Java in the Internet zone and the zone used by Outlook, Outlook Express, or any other email client that uses Internet Explorer to render HTML. Instructions for disabling Active scripting and Java can be found in the CERT/CC Malicious Web Scripts FAQ.
Workaround: Configure CLASSPATH Variable. Modifying the CLASSPATH environment variable to exclude the PhotoDeluxe Java code will prevent the exploitation of this vulnerability; however, it will also break the Connectables feature of PhotoDeluxe.
Date: 7/18/2001

Overview: There are several sample applications that ship with Apache Tomcat and are installed in the webroot by default. If these applications are left in the webroot of a production machine, remote users may be able to gain sensitive information about the server's configuration.
Impact: A remote user may be able to gain sensitive information about the server's configuration.
Solution: The CERT/CC is currently unaware of a practical solution to this problem.
Workaround: Remove sample files prior to placing
Date: 5/29/2002

Overview: Sambar Webserver is designed to handle CGI requests by interpreting CGI scripts to produce output returned to the client. However, due to flaws in Sambar Webserver's URL parsing, it is possible to trick the server into thinking that a CGI script is a regular file and serving the script's contents instead of interpreting the script. This problem occurs when the client adds a space and a null byte to the end of the script URL.
Impact: Attackers can access information that may be considered sensitive, including usernames or passwords contained in CGI scripts.
Solution: Apply a patch from your vendor. Upgrade to version 5.2b, available at: http://sambar.dnsalias.org/win32-preview.tar.gz
Workaround: Remove all CGI scripts from the server, or limit the sensitive information in your CGI scripts.
Date: 4/17/2002

Overview: Microsoft Windows contains a dynamic link library (DLL) named ntdll.dll. This DLL is a core operating system component used to interact with the Windows kernel. A buffer overflow vulnerability exists in ntdll.dll, which is utilized by many different components in the Windows operating system.

The WebDAV (RFC2518) component of Microsoft IIS 5.0 is an example of one Windows component that uses ntdll.dll. The IIS WebDAV component utilizes ntdll.dll when processing incoming WebDAV requests. By sending a specially crafted WebDAV request to an IIS 5.0 server, an attacker may be able to execute arbitrary code in the Local System security context, essentially giving the
Impact: Any attacker who can reach a vulnerable web server can gain complete control of the system and execute arbitrary code in the Local System security context. Note that this may be significantly more serious than a simple "web defacement."
Solution: Apply a patch from your vendor. A patch is available from Microsoft at http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en. Note that, according to MS03-007, "Microsoft was made aware that some customers who had received a hotfix from Product Support Services experienced stop errors on boot after applying the patch released for this bulletin." For more information, see the "Frequently asked questions" section of MS03-007.
Workarounds: Disable vulnerable service. Until a patch can be applied, you may wish to disable IIS: http://support.microsoft.com/default.aspx?scid=kb;en-us;321141. If you cannot disable IIS, consider using the IIS lockdown tool to disable WebDAV
Date: 3/17/2003

Overview: There is a buffer overflow in the oidldapd with regard to the "connect" option. Since oidldapd typically runs as user oracle, this vulnerability can be used by local users to obtain the euid of user oracle. As a result of the default installation, user oracle owns all database files. An exploit has been published.
Impact: All database files can be edited/deleted by a malicious user. A local user can obtain privileges of the oidldapd process, typically oracle.
Solution: Oracle encourages all Linux directory developers to upgrade to Oracle Internet Directory, v2.1.1, part of the Oracle 8.1.7 (8i Release 3) server media pack, from http://technet.oracle.com/.
Workaround: If you use a UFS filesystem, use chmod to set the file permissions to 710 for the oidldapd and oidmon executables. For other filesystems (e.g. AFS) use equivalent settings to restrict access to privileged users only.
Date: ########

Overview: Older versions of the SSH client do not allow the user to disable X11 forwarding. As a result, if the client connects to a malicious server, the server can open an X11 connection to the client's display without notifying the client. The attacker would then have access to the client's X11 session, which would permit activities such as keystroke monitoring.

It is also possible for an attacker to make X11 connections to the client by taking over the victim's TCP connection; however, this should generate a client-side warning about changed host keys. If the client responds to the prompt by breaking the connection, no keystrokes or sensitive data will be transmitted.
Impact: Attackers can make unauthorized connections to victim machines, potentially accessing sensitive data.
Solution: Upgrade to a version of SSH that allows X11 forwarding to be disabled.
Date: 1/18/2001

Overview: The Hewlett-Packard Support Tools is a collection of diagnostic tools that allow operators of HP-UX systems to test and diagnose hardware configurations. On January 18, 2001, HP announced a vulnerability in the HP Support Tools Manager product that allows a local user to create a denial-of-service condition. This vulnerability is reported to affect HP9000 Series 700 and 800 systems running HP-UX versions 11.11, 11.00, and 10.20.
Impact: According to HP's report, successful exploitation of this vulnerability could result in a denial-of-service attack.
Solution: HP has provided patches for each of the affected versions; please see the vendor section of this document for further details.
Date: 1/18/2001

Overview: A buffer overflow vulnerability has been discovered in ypbind, a daemon that runs on all client and server machines running Solaris and SunOS and set up to use a Network Information Server (NIS).
Impact: This vulnerability may be exploited by a local or a remote attacker to gain root access, and thus complete control of the victim host.
Solution: Apply the appropriate patches, available at: http://sunsolve.sun.com/securitypatch

Refer to the following table to see which patch you should apply.

    OS Version        Patch ID
    __________        _________
    SunOS 5.8         110322-01
    SunOS 5.8_x86     110323-01
    SunOS 5.7         108750-02
    SunOS 5.7_x86     108751-02
    SunOS 5.6         105403-04
    SunOS 5.6_x86     105404-04
    SunOS 5.5.1       105165-04
    SunOS 5.5.1_x86   105166-04
    SunOS 5.5         105169-04
    SunOS 5.5_x86
Workaround: None.
Date: ########

Overview: The grpck utility performs syntax checking of the /etc/group and /etc/gshadow group information files. This utility contains a buffer overflow vulnerability in the section of code that parses command line arguments. By sending a command line argument string of approximately 3000 characters, it is possible to cause this utility to generate a segmentation fault. On systems where this utility is installed with setuid root privileges, it may be possible for local users to exploit this vulnerability to execute arbitrary code with superuser privileges.

This vulnerability has been reported to affect systems running IRIX and Linux, but other operating systems that include this setuid root utility are likely to be affected.
Impact: This vulnerability may allow a local user to execute arbitrary code with superuser privileges.
Solution: The CERT/CC is currently unaware of a practical solution to this problem.
Workaround: Clear the setuid bit of affected binaries. As a workaround, it is possible to limit the scope of this vulnerability by clearing the setuid bit of affected binaries with the chmod utility.
Date: 1/2/2002

Overview: Two widely used X Window System authorization schemes have weaknesses in their sample implementations.

MIT-MAGIC-COOKIE-1

On some systems built without the HasXdmAuth configuration option, the authorization key used by MIT-MAGIC-COOKIE-1 is guessable. The problem is that the system rand() function, used to generate cookies when DES is not available, is weak on some systems. If you use MIT-MAGIC-COOKIE-1 to authenticate X connections, and your xdm does NOT also support XDM-AUTHORIZATION-1 authentication (that is, xdm was built with HasXdmAuth set to NO), you may be at risk. If your xdm program was built with HasXdmAuth set to YES (-DHASXDMAUTH passed on the compiler command
Impact: Remote attackers can connect to X displays and read potentially sensitive data such as passwords.
Solution: Patch or Upgrade. Contact your vendor to determine if a patch or upgrade is necessary. Due to the relative age of this report, we have not notified individual vendors. See VB-95:08.X_Authentication_Vul for more information.
Workaround: Tunnel X connections over SSH. Encrypting X traffic will protect authorization data from being sniffed on the network. Using SSH does not prevent other local users from discovering X authentication data.

Overview: The mysql program, part of the MySQL package, contains a buffer overflow in the host parameter. An intruder who invokes mysql using a specially crafted hostname can execute arbitrary code. Because mysql is not setuid or setgid, a local attacker is unable to use this vulnerability to gain additional privileges under most circumstances. However, when PHP is compiled with MySQL support, it is linked to the library containing the buffer overflow, libmysqlclient.so. If a PHP script or other program establishes a connection to a MySQL database and accepts the hostname argument from untrusted sources, an intruder may be able to execute arbitrary code with the privileges of the web server.
Impact: The impact of this vulnerability depends on the context in which MySQL is used, and may vary on a site-by-site basis.
Solution: Upgrade to MySQL version 3.23.33 or later.
Date: 2/9/2001

Overview: The IBM AIX lsfs utility displays filesystem information such as mount points, permissions and volume sizes. To list this information, it executes lslv to list logical volumes and grep to parse the resulting output. Because lsfs uses relative pathnames when executing grep and lslv, a local attacker can use the PATH environment variable to redirect the calls made by lsfs to a local version of either grep or lslv. If setuid root permissions have been applied to lsfs, the local versions of grep and lslv will be executed with root privileges.
Impact: This vulnerability allows local users to execute arbitrary code as root.
Solution: Apply a patch from your vendor. IBM has released APAR IY16909 to address this issue. For further information, please consult the "Systems Affected" section of this document.
Workaround: Clear setuid bit on lsfs. Previous to AIX 5.1 and some versions of AIX 4.3.3, default installations of AIX contained an lsfs binary with the setuid bit enabled. To reduce the impact of this vulnerability on those versions, use the chmod command to clear the setuid bit.
Date: ########

Overview: The Apache HTTP Server is a freely available web server that runs on a variety of operating systems including Unix, Linux, and Microsoft Windows (Win32). Apache supports the Common Gateway Interface (CGI) that defines a standard interface between the HTTP server and external applications. On Win32 systems, batch or command shell programs (files typically with .bat or .cmd extensions) can be executed via the CGI interface, and these programs are executed within a full command shell (command.com on Windows 9x/Me, cmd.exe in Windows NT/2000/XP). Ory Segal of Sanctum has reported a vulnerability in which Apache on Win32 does
Impact: An unauthenticated, remote attacker could execute commands on the vulnerable server with the privileges of the Apache process. By default, Apache runs with local SYSTEM privileges in Windows NT, 2000, and XP. In Windows 9x/Me, Apache runs with full privileges.
Solution: Upgrade Apache. This vulnerability is resolved in Apache 1.3.24 and 2.0.34-beta. Please see the release Announcement for version 1.3.24. The Apache HTTP Server is available from the Apache web site.
Workaround: Run Apache with User privileges. On Windows NT, 2000, and XP systems, the Apache service can be configured to run as a specified user instead of local SYSTEM. By carefully specifying the privileges of the Apache user, an administrator can restrict the
Date: 3/21/2002

Overview: Kermit is a file transfer protocol that has been implemented by Hewlett-Packard for use on their systems. On December 21, 2000, HP released a security bulletin regarding a local buffer overflow that affects the kermit client present in HP-UX versions 10.01, 10.10, 10.20, and 11.00.

Impact: This vulnerability allows local users to create a denial of service attack that prevents other users from running the kermit program.

Solution: HP has provided patches for each of the affected versions; please see the vendor section of this document for further details.

Overview: A vulnerability exists in some versions of the Apache Web (HTTPD) Server running on Windows 98SE, Windows 2000 SP1, and OS/2. The vulnerability appears to be a bounds checking problem in HTTP requests. Receipt of an HTTP request 8192 characters in length can exploit the vulnerability.

Impact: An attacker could cause the server to crash.

Solution: Upgrade to version Apache HTTPD Server 1.3.20 or later. For more info, see: http://bugs.apache.org/index.cgi/full/7522

Overview: The kmmodreg program distributed with some HPUX versions creates two files in /tmp: /tmp.kmmodreg_lock and /tmp/kmpath.tmp. The creat() call used in this program does not check for prior existence of either file.

Impact: By creating symbolic links named for either of the two temporary files, an intruder can overwrite any file in the system with data from kmmodreg. Since kmmodreg runs automatically during reboot, no separate invocation is required. The overwrite may cause a file corruption leading to denial of service, or, since the temporary files are created to allow modification by anyone (protected 666), this may be used to allow modification of system files leading to increased user privileges.

Solution: Apply vendor patches; see the Systems Affected section below.

Date: 6/4/2001

Overview: There exists a vulnerability in the default installation of an ActiveX control named "scriptlet.typlib," used by developers to create type libraries for Windows Script Components. This ActiveX control allows local files to be created or modified and thus is unsafe for scripting by IE. However, it is incorrectly marked "safe for scripting" in IE versions 4.0 and 5.0 for Windows.

Impact: Any HTML document rendered in IE may call scriptlet.typlib and, without any warning displayed by IE, create or edit files with all permissions of the client user. Such attacks can occur when visiting unfriendly web sites, or rendering embedded HTML in email, newsgroup postings, or even server log entries.

Solution: Install the appropriate patches available at: http://www.microsoft.com/technet/security/bulletin/MS99-032.asp

Workaround: Disable ActiveX controls in IE.

Date: 8/21/1999

Overview: The Macromedia Flash media format enables frame-based animations with sound to be viewed within a web browser. Flash uses a scripting language called ActionScript, which includes the commands loadMovie and loadSound to download associated video and audio clips.

It is typical and generally expected for downloads of embedded web page elements to cease when a user leaves one web page for another. However, in version 6 of the Flash player plug-in for Microsoft Internet Explorer (IE), connections started by the loadMovie and loadSound commands persist after the user has left the web page containing the Flash animation. These connections remain open for downloading video or audio, which can be

Impact: An attacker could trick a victim into downloading a maliciously crafted Flash animation from the Web. Upon playback of the malicious animation, the victim's Flash Player software would open several multimedia connections and consume all available bandwidth, effectively making the Internet unusable until the victim closed IE.

Solution: Update Flash Player 6 to a version later than 6,0,25,0. For more info, see: http://www.macromedia.com/software/flashplayer/

Workaround: If you notice sluggishness in Internet connections after visiting a page containing a Flash animation, try closing IE to terminate any Flash connections.

Date: 4/3/2002

Overview: The Microsoft Remote Access Service (RAS) Application Programming Interface (API) allows Windows programs to make dial-up connections to remote servers. There is a buffer overflow in the RAS API that allows an attacker to execute arbitrary code with LocalSystem privileges. To exploit this vulnerability, the attacker must log into an account on the affected system and create a RAS phonebook entry. When any program attempts to use the RAS API to parse the malicious phonebook entry, the entry will cause a buffer overflow and allow the attacker to execute arbitrary code.

Once the malicious phonebook entry has been created, the attacker may exploit the vulnerability by initiating a remote connection.

Impact: Attackers who are able to create malicious RAS phonebook entries can execute arbitrary code with LocalSystem privileges. In some cases, failed attempts to exploit this vulnerability will cause the affected host to crash.

Solution: Apply a patch from your vendor. Microsoft has released Security Bulletin MS99-016 to address this issue. For more detailed information and upgrade instructions, please see http://www.microsoft.com/technet/security/bulletin/MS99-016.asp

Workaround: Prevent users from accessing the Remote Access Service. For systems that do not require RAS, it may be possible to prevent exploitation of this vulnerability by uninstalling or disabling the Remote Access Service. Prevent users from

Date: 5/19/1999

Overview: Version 8.2.2 of BIND includes some checks for the correct format of a signature record in DNSSEC that previous versions did not. Specifically, in the file ns_resp.c, there is a routine called 'rrextract' (rr = "resource record"). rrextract contains a large switch block that converts resource records from the network format to the database format, doing different things depending on the type of record received. For case T_SIG, it decodes the signature records. When it gets to the name of the signing domain, there is the following block of code:

        /* then the signer's name */
        n = dn_expand(msg, eom, cp, (char *)cp1, (sizeof data) - 18);
        if (n < 0 || n + NS_SIG_SIGNER > dlen) {

Impact: Intruders may be able to interrupt the normal operations of your nameserver.

Solution: Upgrade to BIND 8.2.2 patch level 5 or later.

Overview: Microsoft Outlook 2002 installs an ActiveX control called 'Microsoft Outlook View Control'. Microsoft Outlook (and the Outlook View Control) may be installed as part of Microsoft Office. In addition, the Outlook View Control is independently available for download from Microsoft. Outlook Express is also vulnerable if the Outlook View Control is present on the system. The Outlook View Control provides access to Outlook data such as email, contacts, and calendar information. The control should provide read-only access to Outlook data, but in reality it exposes programming elements that allow the manipulation of Outlook data and, more importantly, the execution of arbitrary code with the privileges of the user running Outlook. To exploit

Impact: In Outlook 2002, arbitrary code can be executed with the privileges of the user running Outlook. Also, email, calendar, and contact information accessible via Outlook can be read, modified, and/or deleted. In previous versions of Outlook, a user's folder view may be manipulated. According to Microsoft Security Bulletin MS01-038: "In an Outlook 2002 client, this [vulnerability] could enable an attacker to delete mail, change calendar information, or take virtually any other action, including running arbitrary code on the user's machine. In contrast, in Outlook 98 and 2000 the attacker could use the control to manipulate the user's folder view, but could not use it to read, change or delete data, or to run code on the user's machine."

Solution: Apply Patch. Apply the appropriate patch from Microsoft.
Outlook 2002: http://office.microsoft.com/downloads/2002/OLK1003.aspx
Outlook 2000: http://office.microsoft.com/downloads/2000/outlctlx.aspx
Note that these patches do not set the "kill bit" on the vulnerable ActiveX control and the control is signed by Microsoft. Depending on zone security settings, it could be possible to install a vulnerable version of the ActiveX control on a system that does not already have the control installed.

Workaround: To further protect against malicious code contained in email, install the Outlook Security Update and the Java Permissions Security update. Outlook 2002: Outlook 2002 includes the Outlook Security Update and disables Java in the 'Restricted sites'

Date: 7/12/2001

Overview: OpenSSL's PRNG hashes an internal state to produce output values, which are supposed to be pseudorandom and unpredictable. Since the hash algorithms are well-known, the internal state is intended to be mostly secret to prevent attackers from guessing what the output will be. However, in versions of OpenSSL prior to 0.9.6b, the PRNG outputs a significant portion of the internal state that is used in subsequent hash computation. Knowing this portion of internal state, attackers can brute-force the PRNG with multiple 1-byte requests to discover the entire internal state used to create future output values. For more information, see the OpenSSL security advisory of 10 July 2001.

Impact: Attackers can learn in advance what output the PRNG will return. Cryptographic secrets based in supposedly random values from the PRNG will no longer be secret, since those values can be determined in advance.

Solution: Contact your operating system vendor for an update which includes OpenSSL 0.9.6b or later. Advanced users may wish to install from source code available at: ftp://ftp.openssl.org/source/openssl-0.9.6b.tar.gz

Workaround: None.

Date: 7/10/2000

Overview: Snitz Forums is an automated bulletin-board program for web sites. Snitz Forums allows users to submit images by specifying the URL of the image. In versions 3.3.03 and earlier of Snitz Forums, the program does not check the image URL to make sure that it does not contain JavaScript code. The program may then serve the script to any user viewing the post, where the JavaScript may be executed to perform unauthorized commands as the viewing user.

Impact: An attacker may perform arbitrary commands with the privileges and identity of other users of the Snitz Forums installation.

Solution: Upgrade to version 3.3.04 or later of Snitz Forums 2000. For more information, see http://forum.snitz.com/forum/link.asp?TOPIC_ID=23660

Date: 2/28/2002

Overview: Versions 1.4x of Jana Server, a web server for Windows developed by T. Hauck, do not properly filter requests for hexadecimal encodings of ".." (dot-dot) and allow directory traversal out of the HTTP document root directory.

Impact: Remote users can view any file on the server with the privileges of the Jana server process.

Solution: Upgrade to Jana Server 2.0 beta or later at: http://www.jana-server.ocm.de/en/index.htm?/en/download.htm

Workaround: None.

Date: 5/7/2001

Overview: See HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00090, (registration required) 07 December 1998 for a description of the problem. No other information is available. Quoting from that bulletin:

Various HP-UX remote network commands (r-cmnds) in the fileset InternetSrvcs.INETSVCS-RUN have been enhanced. These include remshd(1M), rexecd(1M), rlogind(1M), rlogin(1), remsh(1), rcp(1), rexec(1), and rdist(1). All of these commands have been bundled into one convenient patch to address various operational and security defects noted in the recent past.

Impact: The complete impact of this vulnerability is unknown.

Solution: Install a patch as described in the bulletin, or upgrade to a later version

Date: 12/7/1999

Overview: Lotus Domino can be coerced to reveal its IP address by sending it a crafted HTTP request.

Impact: Attackers can discover limited information about the numbering of the Domino server's network.

Solution: The CERT/CC is currently unaware of a practical solution to this problem.

Date: 9/20/2001

Overview: User-Mode Linux (UML) is a tool to provide a virtual machine in which to run another copy of Linux. In Red Hat Linux 8.0, the kernel-utils package contains the UML utilities. One of the UML utilities, uml_net, was incorrectly shipped setuid root.

Impact: Local users could control network interfaces, put interfaces into promiscuous mode, and add and remove arp entries and routes.

Solution: Apply a patch as described in the Red Hat bulletin. If a patch cannot be applied, you can remove the suid bit from the uml_net package with the following command:

        chmod -s /usr/bin/uml_net

Date: 2/7/2003

Overview: A remotely exploitable vulnerability exists in the Allaire ColdFusion Server which could allow an attacker to have unauthorized read and delete access to files on the target host. For more information on this vulnerability and versions affected, please see the Macromedia Product Security Bulletin (MPSB01-07).

Impact: An attacker can cause the ColdFusion server to retrieve or delete arbitrary files accessible to the ColdFusion server process. This vulnerability may allow an attacker to disclose confidential information and/or destroy data on the target host. Note that this attack does not depend on how the targeted site's ColdFusion application is coded in the ColdFusion Markup Language (CFML).

Solution: Apply the following patches available from Allaire: Windows Editions, Solaris Editions, Linux Editions, HP-UX Editions.

Date: 7/11/2001

Overview: The Compaq web-enabled management software allows system management information to be accessed through a web interface. This web interface is secured by a login dialog accessible on port 2301 of the system running the vulnerable software. The authentication code has a buffer overflow in the username field, allowing a remote intruder to execute arbitrary code with the privileges of the Compaq web-enabled management software. This often includes elevated privileges (e.g., root or Administrator).

Affected Compaq products include those running Microsoft Windows 9x, Windows NT, Windows 2000, NetWare, SCO Open Server, SCO UnixWare 7, RedHat 6.2, RedHat 7.0, Tru64Unix, and

Impact: A remote intruder may be able to execute arbitrary code with privileges on systems running the vulnerable software.

Solution: Apply a Patch. Apply a patch from your vendor. Information about patches to correct this problem is available in the Compaq security advisory. The patches described in Compaq security advisory SSRT0715 and VU#991240 will correct this vulnerability and another.

Workaround: Disable the Web-Enabled Management Software. You can prevent this vulnerability from being exploited by disabling the web-enabled management software. Block Ports 2301 and 280 at Your Perimeter. Port 2301 (the device

Date: 1/16/2001

Overview: A remotely exploitable buffer overflow exists in the URI handler of Yahoo! Messenger, versions 5,0,0,1064 and prior, that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. A shared buffer for the parameter functions, such as "getimv", "sendim", "message", "addview", "adduser", "call", and "chat", is vulnerable to exploit.

This URI handler is installed by Yahoo! Messenger for applications that use the underlying operating system (such as Microsoft Internet Explorer, Netscape Navigator, Outlook, or the command shell). A URI can be sent by another Yahoo! Messenger user, embedded in a web site, or sent in an HTML-

Impact: Exploitation of this vulnerability will crash the application, resulting in a denial-of-service condition. However, this vulnerability is a buffer overflow and may allow the execution of arbitrary code on the local system with the privileges of the current user.

Solution: Upgrade to version 5,0,0,1066.

Date: 5/27/2002

Overview: The Microsoft IIS FTP Service allows users to establish connections using either local accounts or Windows domain accounts. Connections made using a domain account require a username of the form "domain\user" to distinguish them from local accounts. The FTP Service contains an access control vulnerability that causes the server to search all trusted domains for a matching domain account when the "domain" portion of the username contains a certain wildcard value. Once a matching domain account is found, the user must provide a correct password to gain access.

This vulnerability requires the attacker to provide a correct password, so the most likely accounts to be targeted are those that contain a well-known username and default password. For example, if

Impact: This vulnerability allows remote users to log in using a domain account without fully specifying the domain. This may result in either unauthorized file transfer access or information leakage.

Solution: Apply a patch from your vendor. Microsoft has released a patch for this vulnerability; for further information, please consult the systems affected section below.

Workaround: Disable IIS FTP Service. Sites that do not require the IIS FTP Service may disable it to prevent exploitation of this vulnerability.

Date: 5/14/2001

Overview: A locally exploitable buffer overflow in "chfn" may permit a local attacker to gain elevated privileges and execute arbitrary code on a vulnerable host.

Impact: A local user may be able to gain elevated privileges and execute arbitrary code.

Solution: Apply a patch.

Date: 8/1/2002

Overview: Preconditions: Attacker has a fragment of plaintext and its corresponding ciphertext. Attacker must be able to actively intercept a connection attempt or hijack an existing SSH session. Session is encrypted using a block cipher. Compression is disabled.

SSH1 sessions that encrypt traffic with block ciphers in cipher feedback (CFB) mode are vulnerable to an attack similar to one described in VU#315308. However, if the attacker has additional information consisting of both a fragment of plaintext and its corresponding ciphertext, it is then possible to overcome the protection introduced by cipher feedback, thus allowing the attacker to modify any packet in the stream.

As in VU#315308, this vulnerability is caused by

Impact: An attacker can modify arbitrary packets within an encrypted SSH session.

Solution: Apply a patch from your vendor. In June 1998, CORE-SDI released code to detect and block attacks exploiting this vulnerability. This code was subsequently incorporated into several SSH implementations, but it contained a flaw that introduced a remote integer overflow. For vendor-specific information regarding this vulnerability, please see the Systems Affected section of this document. For more information regarding the vulnerability introduced by previous attempts to patch this vulnerability, please see VU#945216.

Date: 6/11/1998

Overview: Researchers at CORE Security Technologies have discovered a remotely exploitable heap overflow in the Snort "stream4" preprocessor module. This module allows Snort to reassemble TCP packet fragments for further analysis.

To exploit this vulnerability, an attacker must disrupt the state tracking mechanism of the preprocessor module by sending a series of packets with crafted sequence numbers. This causes the module to bypass a check for buffer overflow attempts and allows the attacker to insert arbitrary code into the heap.

For further information, please read the Core Security Technologies Advisory located at http://www.coresecurity.co

Impact: This vulnerability allows remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root. Please note that it is not necessary for the attacker to know the IP address of the Snort device they wish to attack; merely sending malicious traffic where it can be observed by an affected Snort sensor is sufficient to exploit these vulnerabilities.

Solution: Upgrade to Snort 2.0. This vulnerability is addressed in Snort version 2.0, which is available at http://www.snort.org/dl/snort-2.0.0.tar.gz Binary-only versions of Snort are available from http://www.snort.org/dl/binaries

Workaround: Disable the "stream4" preprocessor module. Sites that are unable to immediately upgrade affected Snort sensors may prevent exploitation of this vulnerability by commenting out the affected preprocessor module in the "snort.conf" configuration file. To do this,

Date: 4/15/2003


Description: AMLServer for Windows is a paging gateway that allows users on a TCP/IP LAN to communicate with mobile devices such as phones and pagers. Access to AMLServer's services is protected by a user authentication system that stores usernames and passwords in a plaintext file.

Impact: If an attacker can view the AMLServer password file (through direct access or another vulnerability), they can login as any AMLServer user.

Solution: Apply a patch when one is available. The CERT/CC is currently unaware of a practical solution to this problem.

Workaround: None.

Date: 6/18/2001

Description: SurfControl SuperScout Web Filter is software intended for companies that wish to limit employees' web surfing to appropriate uses. SuperScout analyzes individual packets that contain an HTTP GET request and a "Host:" header to determine whether an HTTP request to an inappropriate Web site is being made. SuperScout does not keep state of previous packets. Therefore, it will not block HTTP GET requests if the "Host:" header appears in a separate packet.

Impact: Users can bypass SuperScout filtering and access blocked Web content.

Solution: The CERT/CC is currently unaware of a practical solution to this problem.

Workaround: None.

Date: 6/21/2001

Description: The Cisco Internetwork Operating System (IOS) contains a vulnerability in its processing of Cisco Discovery Protocol (CDP) packets. By sending large numbers of crafted CDP packets to an affected device, a nearby remote attacker can consume all available memory resources, causing the device to either crash or stop responding. It is important to note that the CDP protocol operates at the data link layer of the ISO/OSI model, so it cannot be propagated by network and transport layer protocols such as IP and TCP, respectively. As such, attackers will only be able to attack devices on networks they can access directly (i.e., without IP routing). However, this also means that many of the strategies

Impact: This vulnerability allows a nearby remote attacker to crash or consume the memory resources of an affected switch, router, or other network device.

Workaround: Disable the Cisco Discovery Protocol

Sites that do not require the Cisco Discovery Protocol may disable it for a single interface by issuing the "no cdp enable" command on the interface. Alternatively, CDP can be disabled for the entire device by issuing the "no cdp

Date: 10/9/2001

Description: Microsoft SQL Server 2000 includes a feature called SQLXML that allows the server to handle SQL queries and responses via XML. IIS enables XML over HTTP using the SQLXML HTTP components. A client SQLXML HTTP request takes the form of a URI that contains a number of arguments including the name of the IIS server, the virtual directory (virtual root), and optional parameters. One of the optional parameters, root, wraps top-level XML tags around the response to the client, ensuring that the response is properly formed XML. The entire URI, including the root parameter, can be controlled by the client, or in the case of cross-site scripting, a third-party attacker. The SQLXML HTTP

Impact: An attacker who can convince a user to access a URI supplied by the attacker could cause script or HTML of the attacker's choice to be executed in the user's browser. Using this technique, an attacker may be able to take actions with the privileges of the user who accessed the URI, such as issuing queries on the underlying SQL databases and viewing the results.

In Microsoft Internet Explorer, malicious script or HTML would be executed in the same zone as the vulnerable IIS server. An SQLXML-enabled IIS server in the typically less restrictive Local intranet or Trusted sites zones would allow an attacker to bypass Internet zone security settings.

Solution: Apply a Patch

Apply the appropriate patch as described in Microsoft Security Bulletin MS02-030.

Workaround: Disable Scripting

To defend against cross-site scripting attacks from the client's perspective, disable scripting in your web browser and HTML-enabled email client. The zones feature of Microsoft Internet Explorer provides a way to selectively enable scripting for trusted sites.

Date: 6/12/2002

Description: On versions of Advanced Poll older than 1.61 configured to use a flat file database, Advanced Poll allows clients to login as any user by setting the "logged_in" variable in the CGI query string of the GET request to Advanced Poll.

Impact: Attackers may login as the administrative user without authentication and gain administrator privileges for Advanced Poll.

Solution: Upgrade to version 1.61 or later at:

http://www.proxy2.de

Workaround: None.

Date: ########

Description: The SSH Secure Shell for Workstations client includes a URL-handling feature that allows users to launch URLs that appear in the terminal window. When the user clicks on a URL, it will be launched using their default browser.

Versions 3.1 to 3.2.0 of this application contain a buffer overflow vulnerability that is triggered when the launched URL is approximately 500 characters or greater in length. To exploit this vulnerability, an attacker must supply a malicious URL to a terminal session and convince the victim to launch it.

Impact: This vulnerability allows an attacker to execute arbitrary code by convincing an unsuspecting user to click on a malicious URL.

Solution: Apply a patch

SSH Communications Security has released a Security Advisory to address this vulnerability. For more information, please see

http://www.ssh.com/company/newsroom/article/287/

Date: ########

Description: The zlib website describes zlib as a "...lossless data-compression library for use on virtually any computer hardware and operating system." A buffer overflow exists in the gzprintf function contained within the zlib compression library. For more detailed information, please see Richard Kettlewell's advisory.

Impact: A remote attacker may be able to execute code or cause a denial of service.

Solution: Apply a vendor patch.

Date: 2/22/2003

Description: SGI states that the PIOCSWATCH ioctl "establishes or clears a set of watched areas in the traced process." According to SGI Security Advisory 20030603-01-P, a local attacker could crash the operating system by exploiting this vulnerability:

It's been reported that non-root users can call the PIOCSWATCH ioctl() in its various invocations via a user space program and crash IRIX with a kernel panic. This could be used as a potential Denial of Service attack on the system. A local account on the system is required.

Impact: A local attacker may be able to crash the operating system.

Solution: The vendor encourages users to either upgrade to IRIX 6.5.21 (when it becomes available) or apply a patch as described in SGI Security Advisory 20030603-01-P.

Date: 6/10/2003

Description: RealSystem Server is a streaming media server. A buffer overflow vulnerability in RealSystem Server may allow a remote attacker to execute arbitrary code on a vulnerable host. For more information, please see RealSystem Server and Proxy Buffer Overflow Vulnerability.

Impact: A remote attacker may be able to execute arbitrary code with the privileges of the RealSystem Server process.

Solution: Update your software.

Date: 2/19/2003

Description: Microsoft Windows 2000 uses Kerberos as its default means of authentication. Kerberos is a trusted-third-party scheme that is used to perform mutual authentication between two network entities who trust a "neutral" third party, known as a key distribution center (KDC). In the Microsoft implementation of Kerberos, a domain controller serves as the KDC. By making certain kinds of invalid Kerberos requests to a Windows 2000 domain controller repeatedly, an intruder can exhaust the available memory of the system, effectively rendering it incapable of processing further Kerberos requests, possibly interrupting the ordinary operation of other services on that same machine, and severely impacting system performance. In order to recover the memory, a

Impact: Intruders can disable domain controllers, effectively halting the processing of logon requests and the granting of new Kerberos tickets.

Solution: Apply a patch as described in Microsoft Security Bulletin MS01-024.

Workaround: Limiting access to ports 88 and 464 can reduce your exposure to this problem. In general, we recommend blocking access to all ports that aren't explicitly required.

Date: 5/9/2001

Description: A specially crafted URL can disclose the directory listing and files of the target system with read permissions.

Impact: Remote attackers may be able to disclose directory listings and files of the target system with read permissions.

Solution: Contact the vendor to obtain a patch.

Date: 1/28/2001

Description: From the SETI@home website:

SETI@home is a scientific experiment that uses Internet-connected computers in the Search for Extraterrestrial Intelligence (SETI). You can participate by running a free program that downloads and analyzes radio telescope data.

A remotely exploitable buffer overflow in the SETI@home client may allow a remote attacker to execute arbitrary code with the privileges of the victim running SETI@home, or cause the SETI@home client to fail. For more details, please see the advisory written by Berend-Jan Wever.

Impact: A remote attacker may be able to execute arbitrary code with the privileges of the victim running SETI@home, or cause the SETI@home client to fail.

Solution: SETI@home has provided an updated client that resolves this vulnerability.

Date: 4/6/2003

Description: The gm4 utility of Mac OS X contains a buffer overflow. Some setuid root programs on Mac OS X may rely on gm4, possibly allowing a root compromise through these programs.

Impact: An attacker may gain root privileges on the Mac OS X system.

Solution: The CERT/CC is currently unaware of a practical solution to this problem.

Workaround: None.

Date: ########

Description: OWA allows users to access their email accounts on a Microsoft Exchange server from another host through a web browser. When IE users access their email through some versions of OWA and choose to open an email attachment that contains malicious script in HTML, IE may execute the script on the client side. If executed, the script would have all privileges of the OWA user, including access to and manipulation of messages and folders on the server.

This vulnerability affects OWA implementations in Microsoft Exchange 5.5 and Exchange 2000. Exploitation of this vulnerability requires the user to open an email attachment. This vulnerability applies to all attachments, regardless of the attachment's file type.

Impact: Malicious scripts could access all email messages stored on the server, breaching assumed confidentiality of the messages. Malicious scripts could also delete messages or rearrange messages among folders.

Solution: Download the patch available from Microsoft through its advisory at:

http://www.microsoft.com/technet/security/bulletin/ms01-030.asp

Workaround: Take great care when choosing whether to open any email attachment. Do not open any email attachment if you are not sure that its content is safe. A malicious attachment may appear to come from someone you trust. Verify that the attachment was sent intentionally by the sender before

Date: 6/6/2001

Description: The Internet Software Consortium (ISC) produces a "freely redistributable reference implementation of all aspects of the DHCP protocol, through a suite of tools." One of these tools is a DHCP relay agent (dhcrelay). From the dhcrelay man page:

The Internet Software Consortium DHCP Relay Agent, dhcrelay, provides a means for relaying DHCP and BOOTP requests from a subnet to which no DHCP server is directly connected to one or more DHCP servers on other subnets. The DHCP Relay Agent listens for DHCP and BOOTP queries and responses. When a query is received from a client, dhcrelay forwards it to the list of DHCP servers specified on the command line. When a reply is received from a server, it is broadcast or unicast

Impact: A remote attacker can use dhcrelay to launch a denial-of-service attack against DHCP servers configured to communicate with the dhcrelay host.

Solution: Apply a patch from your vendor.

Date: 1/15/2003

Description: HTTP proxy services commonly support the HTTP CONNECT method, which is designed to create a TCP connection that bypasses the normal application layer functionality of the proxy service. Typically, the HTTP CONNECT method is used to tunnel HTTPS connections through an HTTP proxy. The proxy service does not decrypt the HTTPS traffic, as this would violate the end-to-end security model used by TLS/SSL.

The HTTP CONNECT method is described in an expired IETF Internet-Draft written in 1998 by Ari Luotonen. This document clearly explains the security risks associated with the HTTP CONNECT method:

6. Security Considerations

The CONNECT tunneling mechanism is really a lower-

Impact: The HTTP CONNECT method can be abused to establish arbitrary TCP connections through vulnerable proxy services. An attacker could use a vulnerable proxy service on one network as an intermediary to scan or connect to TCP services on another network. In a more severe case, an attacker may be able to establish a connection from a public network, such as the Internet, through a vulnerable proxy service to an internal network.

The CERT/CC has received numerous reports of this technique being used to connect to SMTP services (25/tcp) to initiate the delivery of unsolicited bulk email (UCE/SPAM).

If a proxy service allows recursive connections, an attacker may be able to cause a denial-of-service condition by consuming

Solution: Apply Patch or Upgrade

Apply a patch or upgrade from your vendor. For information about a specific vendor, check the Systems Affected section of this document or contact your vendor directly.

Vendors listed as "Not Vulnerable" ship HTTP proxy services with reasonably secure default configurations, meaning that the proxy only allows connections to a limited number of TCP ports, or only listens on an internal or loopback interface, or requires further configuration before it will pass traffic. The vendor ships a secure or disabled proxy, and the responsibility of configuring the proxy is placed on the administrator. Note that almost any proxy service, including those from vendors listed as "Not Vulnerable," can be

Workaround: Secure Proxy Configuration

Check the configuration of your proxy services to determine if they allow HTTP CONNECT method connections to arbitrary TCP ports and whether they allow connections from untrusted networks such as the Internet. Configure your proxy

Date: 2/19/2002

Description: There is a buffer overflow in the Microsoft Windows Shell. The Shell provides the basic human-computer interface for Windows systems. Quoting from Microsoft Security Bulletin MS02-014:

The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start applications.

The Windows Shell contains a function designed to locate applications that have been incompletely removed from the system. According to MS02-014, this function contains an unchecked buffer. If an attacker invokes this function and

Impact: An attacker can either execute arbitrary code (any such code would run with the privileges of the victim) or crash the Windows Shell.

Solution: Apply the patches available from Microsoft Corporation at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-014.asp. At the time this document was written, the patches were available from:

Windows 98
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37015

Windows NT 4.0
http://www.microsoft.com/downloads/release.asp?ReleaseID=36867

Windows NT 4.0 with Active Desktop
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37015

Windows NT 4.0 Terminal Server Edition
http://www.microsoft.com/downloads/release.asp?ReleaseID=36869

Windows NT 2000
http://www.microsoft.com/downloads/release.asp?ReleaseID=36880

Date: 3/7/2002

Description: The IBM AIX FC client allows a buffer overflow of a few bytes in the client process, which could cause intermittent core dumps during session setup. Overflowing the buffer is difficult or impossible without local, privileged access to the client.

Impact: Exploitation of this vulnerability causes the FC client to crash.

Solution: Upgrade to AIXV4

For more information, see

http://www.ibm.com/servers/aix/

Date: 3/28/2002

Description: SquirrelMail is a collection of PHP4 scripts that provides webmail services. Prior to version 1.24, SquirrelMail does not properly validate Universal Resource Identifiers (URI's) and JavaScript code embedded in HTML tags within an email message. These tags are sent by SquirrelMail to the user's web browser, which could make the browser request the embedded URI's or execute the JavaScript code.

Impact: An attacker could craft an email message to a SquirrelMail user which, when read by the user, could automatically send email from the user's account to any address of the attacker's choice. This vulnerability could also be used in a cross-site scripting attack to hijack an authenticated user's session.

Solution: Upgrade SquirrelMail to version 1.2.4 or later, available from:

http://www.squirrelmail.org/download.php

Date: 1/24/2002

Description: Some implementations of the Linux backup utility, dump, permit use of backup devices on remote machines via an access program on the local machine. This access program is identified in the RSH environment variable. The value in the environment variable is not validated for security prior to its use in calling a program. In some implementations, dump is protected setuid root.

Impact: By specifying a shell script of their own devising, malicious local users can exploit the setuid protection on dump to secure root access for themselves to execute arbitrary commands.

Solution: Apply vendor patches; see the Systems Affected section below.

Workaround: Remove suid protection from dump.

Date: ########

Description: The Sun Enterprise 10000 is monitored and controlled by a system called a System Service Processor (SSP). If two SSPs are in use they are configured as a main and a spare. The snmpd agent on the main SSP, part of the SSPSUNWsspop package, contains a buffer overflow in a variable used to hold argv[0]. The location of the buffer suggests it would be difficult to use this flaw to execute code.

Impact: The complete impact of this vulnerability is not yet known. In the worst case, it could allow an intruder to execute code with root privileges, but that impact is unconfirmed. Because the overflow occurs in a buffer used to hold argv[0], an intruder cannot use this flaw to crash an existing snmpd.

Solution: The CERT/CC is currently unaware of a practical solution to this problem.

Date: 3/13/2001

Description: When a message with a corrupted time stamp is received by a vulnerable system, the SMTP service may stop responding or shut down unexpectedly. This issue may occur when the FILETIME attribute of the message is not valid.

According to Microsoft, this issue affects systems running Microsoft Windows 2000 Server with Service Pack 2 or Service Pack 3 installed and systems running Microsoft Exchange 2000 Server.

Impact: The SMTP service may stop responding or shut down unexpectedly, resulting in a denial of service.

Solution: Microsoft has included a patch for this issue in Windows 2000 Service Pack 4.

For additional information, users are encouraged to review the following Microsoft Knowledge Base Articles:

330716 - Corrupted Inbound Message Causes the SMTP Service to Stop or to Shut Down Unexpectedly
260910 - How to Obtain the Latest Windows 2000 Service Pack

Date: 7/2/2003

Overview: OWC allows Microsoft Office documents such as spreadsheets and charts to be viewed within an HTML document in Microsoft Internet Explorer (IE). OWC is included with Microsoft Office and can also be downloaded for free from Microsoft's web site. By default, it is marked safe for scripting by ActiveX and other scripting components.

The Load method of OWC's Chart component opens a file specified by a Uniform Resource Index (URI) without checking the validity of the URI. If the URI points to the client's local filesystem, the Load method will attempt to open the file at that location. If the file does not exist, the method will return an error. If the file exists, the method does not return the error. A

Impact: A malicious script can test any location on the client's filesystem for existence of files, thereby learning what files exist locally and on accessible network drives.

Solution: The CERT/CC is currently unaware of patches or other software updates to resolve this problem.

Workaround: Remove OWC. If OWC was installed with Microsoft Office, choose "Add/Remove Components" from the Microsoft Office Setup interface. If OWC was installed separately from Office, choose "Add/Remove Programs" in Windows.

Date: 4/8/2002

Overview: OpenSSH contains a vulnerability that permits an intruder to execute arbitrary code. When the UseLogin directive is enabled, a user can set environment variables that are used by login. An intruder can use this vulnerability to execute commands with the privileges of OpenSSH, usually root. UseLogin is not enabled by default; however, it is a common configuration. The intruder must be able to authenticate to the system using public key authentication.

This vulnerability is not related to VU#40327 (https://www.kb.cert.org/vuls/id/40327).

Impact: An intruder can use this vulnerability to execute commands with the privileges of OpenSSH, usually root.

Solution: OpenSSH 3.0.2 resolves this vulnerability and is available at ftp://ftp.openbsd.com/pub/OpenBSD/OpenSSH/openssh-3.0.2.tgz.

Workaround: We strongly encourage you to review your configuration to determine whether or not UseLogin is enabled. If the use of UseLogin is required at your site, you may wish to temporarily disable access to the SSH service until a patch can be applied.

Date: 12/4/2001

Overview: Magic eDeveloper is a development environment for large-scale and distributed applications.

Magic eDeveloper Enterprise Edition versions 8.30-5 and earlier handle temporary files insecurely by not checking for symbolic links. Magic eDeveloper version 9 may also be affected. Magic eDeveloper is reported to trust certain files to contain code safe for execution. The ability to overwrite these files could allow an attacker to supply arbitrary code for execution on the system.

Impact: Attackers with previously established access to the filesystem may be able to manipulate Magic eDeveloper to write data to arbitrary file locations. Since Magic eDeveloper trusts certain files to contain safe executable code, overwriting these files can cause Magic eDeveloper to run arbitrary malicious code.

Solution: The CERT/CC is currently unaware of a practical solution to this prob

Overview: Trend Micro describes PC-cillin as follows:

Trend Micro PC-cillin provides all-in-one antivirus security, personal firewall, and PDA protection for your PC. The user-friendly interface makes it easy to install and use. It defends your system from viruses, hackers, and other Internet security threats in email, attachments, Internet downloads, and instant messaging.

PC-cillin has the capability to scan incoming email for viruses. PC-cillin does this by running a local pop3 proxy daemon (pop3trap.exe). Trend Micro describes pop3trap.exe as follows:

Trend Micro's pop3trap.exe is an application level proxy for POP3 defined in RFC 1939. It forwards the local POP3 client requests to a remote server running on a different machine, mostly at the ISP-side. The service is only accessible

Impact: A local attacker may be able to execute arbitrary code with the privileges of the pop3 proxy.

Solution: Apply a patch.

Overview: Oracle Configurator is an Internet application used to configure Oracle Application and Database Servers.

If a user sends a request to the Oracle Configurator servlet component named "oracle.apps.cz.servlet.UiServlet" with CGI variable "test" set to "version", the servlet returns sensitive build and schema information. If a user sends a request with CGI variable "test" set to "host", the servlet returns the hostname and the port on which the Oracle Apache web server is running.

Impact: Attackers may learn sensitive information about an Oracle installation, which may aid them in attacking the system.

Solution: Apply a patch from your vendor. Refer to Oracle Security Alert #31 for details: http://technet.oracle.com/deploy/security/htdocs/oconfigvul.html

Date: 4/1/2002

"csh" is used to invoke the
C shell and interpret
commands. A locally
exploitable buffer overflow
in "csh" may permit a local
attacker to gain                A local user may be able to
elevated privileges and         gain elevated privileges
execute arbitrary code on a     and execute arbitrary
vulnerable host.                code.                       Apply a patch.                   8/30/2002
Overview: There are several sample applications that ship with Novell NetWare 5.1 and are installed in the webroot by default. If these applications are left in the webroot of a production machine, remote users may be able to gain sensitive information about the server's configuration, including passwords.

Impact: Remote users may be able to use these applications to gain sensitive information about the server's configuration, including passwords.

Solution: Please see http://support.novell.com/cgi-bin/search/searchtid.cgi?/10064452.htm.

Workaround: Remove sample applications prior to plac

Date: 5/29/2002

Overview: Talentsoft Web+ is a set of tools for accelerated web site development. A component of Web+ named "webpsvc.exe" contains a buffer overflow vulnerability. This component is used by the Web+ CGI program "webplus.exe," which is installed by default in the cgi-bin directory when Web+ is used to build a web site.

Impact: By requesting a specially crafted URI from a site running Web+, an attacker can execute arbitrary code with privileges of the user running webpsvc.exe, typically the SYSTEM user.

Solution: Apply a patch from your vendor. See the following document for more details: http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943

Date: 3/5/2002

Overview: A weakness in some SSH products using the SSH1 protocol may allow an attacker to determine internal cryptologic states. Combined with a weakness in the PKCS#1_1.5 public key encryption standard, used by SSH protocol 1.5, this vulnerability may be exploited to recover arbitrary session keys used for symmetric encryption in SSH connections. It has been reported that these vulnerabilities are relatively difficult to exploit.

Impact: An attacker may recover an SSH connection's session key and decrypt all communications from the connection.

Solution: Apply a patch available from your vendor. This vulnerability was first reported and patched in early 2001.

Workaround: Reduce potential exposure. Disable all variants of SSH protocols 1.5 and older on the server.

Date: 2/13/2001

Overview: After creating a local file on the system, an attacker can exploit a stack overflow in cachefsd to execute arbitrary code with the privileges of the cachefsd process, typically root. Sun Microsystems has released a Sun Alert Notification that addresses this issue as well as the issue described in VU#635811.

The Australian Computer Emergency Response Team has also issued an advisory related to incident activity exploiting cachefsd:

http://www.auscert.org.au/Information/Advisories/advisory/AA-2002.01.txt

The eSecurityOnline team has also published a report on this vulnerability:

http://www.eSecurityOnline.com/advisories/eSO4198.asp

Impact: An attacker can execute code with the privileges of the cachefsd process, typically root.

Solution: The CERT/CC is currently unaware of patches for this problem.

Workaround: According to the Sun Alert Notification a workaround is as follows:

Comment out cachefsd in /etc/inetd.conf as shown below:

#100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd

Once the line is commented out either:

Date: 4/30/2002

Overview: Microsoft Internet Explorer features the ability to process scripts contained in HTML documents. This feature is known as Active scripting, and Internet Explorer supports several scripting languages, including VBScript and JScript. JScript is similar to Netscape's JavaScript and both languages played some part in the development of ECMAScript (ECMA-262). For security reasons, a script loaded from one site should not be able to access resources on another site, including the local client. In JavaScript, the Same Origin Policy protects clients by ensuring that "when loading a document from one origin, a script loaded from a different origin cannot get or set specific properties of specific browser and HTML objects in a window or frame." Internet Explorer

Impact: By convincing a user to follow a URL or read an HTML email message containing malicious script, an attacker could take any action with the privileges of the user executing the script. This could include opening new browser windows to different sites in different security zones, reading or modifying information in open browser windows, reading files on the local file system, and executing commands that are in a location known to the attacker. An attacker who is able to obtain cookies used for authentication may be able to impersonate a legitimate user and obtain sensitive data such as passwords or credit card information. By leveraging features of the Microsoft HTML Help system (VU#25249), an attacker could execute commands with parameters or cause

Solution: Apply Patch. Apply the patch referenced in Microsoft Security Bulletin MS03-015.

A number of object and method caching vulnerabilities were addressed by MS02-066. The external method caching vulnerability was addressed by MS02-068, which supersedes MS02-066. As of May 2003, the clipboardData method caching vulnerability has not been addressed. Both the external and clipboardData vulnerabilities affect Internet Explorer version 6.0 SP1.

Workaround: Disable Active scripting. At a minimum, disable Active scripting in the Internet zone and the zone used by Outlook, Outlook Express, and any other software that uses Internet Explorer to render HTML. Instructions for disabling Active scripting can be found in

Overview: x_news is a system for managing news. When a user logs in to x_news version 1.1 using a plaintext password, x_news hashes the password with MD5 and compares it to the user's hash stored in the file named "db/users.txt". If they match, x_news sets a cookie that contains the username and the hashed password. On subsequent transactions, x_news will accept this cookie as valid authentication.

As a result, an attacker does not need to know a user's plaintext password. All that is needed is the user's MD5-hashed password, which can be found in the db/users.txt file.

Impact: Attackers can gain access to a user's account by using password data stored in a file, bypassing proper authentication by plaintext password.

Solution: The CERT/CC is currently unaware of a practical solution to this prob

Date: 3/12/2002



Overview: Cryptcat is an enhanced version of netcat that adds twofish encryption.

If cryptcat is started in listen (server) mode binding a shell to a network port, cryptcat fails to enable encryption. Without encryption enabled on the server, cryptcat clients will not be able to connect. Furthermore, netcat clients can connect to the server port and communicate without encryption.

Impact: Users may open unencrypted ports on the server with the assumption that any connections to that port will be encrypted by cryptcat.

Solution: The CERT/CC is currently unaware of a practical solution to this prob

Workaround: None.

Date: 3/2/2002

Overview: There is a buffer overflow in the processing of NXT records in the routine rrextract, part of the file ns_resp.c. Specifically, in vulnerable versions of BIND, there is a section of code which reads:

     case T_NXT:
          n = dn_expand(msg, eom, cp, (char *)data, sizeof data);
          if (n < 0) {
                hp->rcode = FORMERR;
                return (-1);
          }
          if (!ns_nameok((char *)data, class, NULL, response_trans,
                         domain_ctx, dname, from.sin_addr)) {
                hp->rcode = FORMERR;
                return (-1);
          }
          cp += n;
          cp1 = data + strlen((char *)data) + 1;
          memcpy(cp1, cp,

Impact: Remote user may gain default process access of local nameserver, usually root.

Solution: Upgrade to the latest version of BIND.

Overview: A vulnerability in the Apache web server could disclose sensitive information. Quoting from the Apache Change Log:

*) [Security] Added the APLOG_TOCLIENT flag to ap_log_rerror() to explicitly tell the server that warning messages should be sent to the client in addition to being recorded in the error log. Prior to this change, ap_log_rerror() always sent warning messages to the client. In one case, a faulty CGI script caused the server to send a warning message to the client that contained the full path to the CGI script. This could be considered a minor security exposure. [Bill Stoddard]

This vulnerability may disclose sensitive information.

Impact: Sensitive information may be disclosed.

Solution: If you are running version 2.0, upgrade to Apache 2.036 or later.

Date: 5/6/2002

Overview: Eyedog is an ActiveX control that was used to perform diagnostic function in Windows. It was marked as safe for scripting, which means that it could be called from Internet Explorer, but provided access to computer configuration data. The patch sets the "kill bit" for the control. For more information, see

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms99-032.asp

The control is contained in eyedog.ocx. The Class ID is 06A7EC63-4321-11D0-A112-00A0C90543AA.

Impact: Attacker can retrieve system configuration information.

Solution: Apply the patch as described in MS99-032.

Date: 8/31/1999


Overview: Viking v1.07 does not stop requests which traverse the parent directory link out of the web root directory. As a result, a remote user can traverse the entire file system on the server host and request any file. If the web server process has read permissions to access that file, it will return its contents to the remote user.

Impact: Remote users can see any file on the server which is readable by the web server process, regardless of the file's location.

Solution: Download and install the latest beta version available at http://www.robtex.com/viking/dl.htm

Workaround: None.

Overview: Trend Micro InterScan eManager is an application that inspects email traffic flowing into and out of a network for confidential or inappropriate material entering and/or leaving the network. This application has the capability to inspect, modify, and/or block email at the border of the enterprise. Trend Micro InterScan eManager includes several dynamic link libraries which provide management features for the system administrator over an http interface. Some of these dynamic link libraries contain a remotely exploitable buffer overflow.

Impact: Remote intruders can execute arbitrary code with SYSTEM privileges in the Local System security context.

Solution: The following versions of InterScan eManager are affected.

InterScan eManager for NT Ver.3.51 (English)
InterScan eManager for NT Ver.3.51(Japanese)

These tests were performed on the following Operating Systems:
Windows NT 4.0 Server + SP6a [English]
Windows NT 4.0 Server + SP6a [Japanese]

A patch for InterScan eManager for NT Ver.3.51J is available from http://www.trendmicro.co.jp/esolution/solutionDetail.asp?solutionID=3142

A patch for InterScan eManager for NT Ver.3.51 is pending.

Workaround: If console access via the web is not necessary, remove /eManager virtual directory with the use of Internet Service Manager. Enable NTLM authentication using the Internet Service Manager. This will provide restricted access to Web-based console. Restrict access to web-based

Date: 9/12/2001

Overview: Oracle Application Server 9iAS includes the Apache Web server and several Apache services. In the default install configuration, many of these services, including Dynamic Monitoring Services, can be accessed remotely by anonymous users.

Impact: Dynamic Monitoring Services may be used without authentication by attackers to monitor the internal workings of the Oracle server.

Solution: The CERT/CC is currently unaware of a practical solution to this prob

Workaround: The following workaround was suggested by David Litchfield and has not been tested by CERT/CC.

Edit the "httpd.conf" file to limit access to the following pages:

http://oracleserver/dms0
http://oracleserver/dms/DMSDump
http://oracleserver/se

Date: 1/10/2002

Overview: A vulnerability exists in the Oracle E-Business Suite Report Review Agent (RRA). This vulnerability may allow a remote attacker to retrieve arbitrary information from Oracle Applications Concurrent Manager servers prior to authentication. For more information, please see the following documents:

Oracle Security Alert 53
Integrity Security Alert

Impact: A remote attacker may be able to retrieve arbitrary information from Oracle Applications Concurrent Manager servers prior to authentication.

Solution: Apply a vendor supplied patch.

Workaround: Mitigation

Monitor and/or restrict access to the Concurrent Manager server(s). It may be possible to use TCP Wrappers or similar technology to provide improved access control and logging. Additionally, an application-level firewall and Intrusion Detection System

Date: 4/10/2003

Description: The X11 library contains an unspecified buffer-overflow vulnerability. Programs that use this library and accept the -xrm option (including xterm) also contain this vulnerability.

Impact: Attackers may be able to gain root privileges by exploiting affected setuid root programs (such as xterm) that use the X11 library.

Solution: Apply a patch. See the Systems Affected section for details, or contact your vendor directly.

Workaround: None.

Date: 5/28/1997

Description: URLMON.DLL is a library used by Microsoft Internet Explorer. It contains a buffer overflow that could allow an intruder to execute arbitrary code if the intruder can convince the victim to visit a malicious web page or, in some limited circumstances, open a malicious email message. For more information, see Microsoft Security Bulletin MS03-015.

Impact: An intruder could execute arbitrary code with the privileges of the user operating the vulnerable web browser or email client.

Solution: Apply a patch as described in MS03-015.

Date: 4/23/2003

Description: The dvips utility is used to convert DVI files to PostScript(TM). Typically the output is sent to the printer. RHSA-2002:194-18 states the vulnerability occurs because dvips "uses the system() function insecurely when managing fonts."

Impact: A remote attacker can execute arbitrary code with the privileges of the lp user.

Solution: Apply a patch.

Workaround: The following workaround is taken from RHSA-2002:194-18: A work around for this vulnerability is to remove the print filter for DVI files. The following commands, run as root, will accomplish this:

    rm -f /usr/share/printconf/mf_rules/

Date: ########

Description: On some SGI systems, Netscape is bundled with IRIX 6.3 and 6.4 and is used as the default web browser and mail reader. On these systems, the mailcap file has been extended to include the line

    application/x-sgi-exec; /usr/sysadm/bin/runexec %s; \
        description="System Administration Executable"

    application/x-sgi-task; /usr/sysadm/bin/runtask %s; \
        description="System Administration Task"

The mailcap file is an association between content-type specifications and programs or commands to interpret those types. The system mailcap file usually resides in /etc/mailcap, /usr/etc/mailcap, or

Impact: Intruders may be able to execute arbitrary commands on vulnerable systems by inducing a victim to read appropriately crafted email messages and web pages. If privileged users use a vulnerable mail system to read a mail, an intruder may be able to gain root access.

Solution: Modify the mailcap file to remove the runexec and runtask associations. Don't enable javascript by default.

Date: 4/2/1998

Description: The addview feature of Yahoo! Messenger is used to allow users to view content from a site that is formatted in the Yahoo! Messenger format without the need for a stand-alone web browser. If the attacker can trick the user into visiting a website or opening an HTML-renderable email, the attacker can exploit this vulnerability to execute arbitrary script/HTML on the local system with the privileges of the current user.

Impact: An attacker can send malicious script and HTML to the client using the Yahoo! URL redirection service. This script or HTML is interpreted by the Yahoo! Messenger client and is displayed in the client's web browser. The arbitrary script/HTML is executed on the local system in the Internet security zone.

Solution: Upgrade to version 5,0,0,1066.

Date: 5/27/2002

Description: Internet Security Systems (ISS) X-Force has reported a remotely exploitable buffer overflow in the Common Desktop Environment (CDE) Subprocess Control Service (dtspcd). CDE is an integrated graphical user interface that runs on Unix and Linux operating systems. dtspcd is a network daemon that accepts requests from clients to execute commands and launch applications remotely. On systems running CDE, dtspcd is spawned by the Internet services daemon (typically inetd or xinetd) in response to a CDE client request. dtspcd is typically configured to run on port 6112/tcp with root privileges. dtspcd makes a function call to a shared library, libDTSvc.so.1, that contains a buffer overflow condition in the client connection

Impact: A successful attacker can execute arbitrary code remotely with root privileges.

Solution: Apply Patch. Apply the appropriate vendor supplied patch as described in the vendor section below.

Workaround: Disable Vulnerable Service. Until a patch can be applied, you may wish to consider disabling dtspcd. Typically, this may be achieved by commenting out the appropriate entry in /etc/inetd.conf. As a general practice, CERT/CC recommends disabling any services that are

Date: 11/7/2001

Description: "ps" is used to display information about running processes. A locally exploitable buffer overflow in "ps" may permit a local attacker to gain elevated privileges and execute arbitrary code on a vulnerable host.

Impact: A local user may be able to gain elevated privileges and execute arbitrary code.

Solution: Apply a patch.

Date: 8/30/2002

Description: Cisco CSS switches run Cisco WebNS software. A user with a valid account on a CSS device can gain unauthorized administrative access to the device. See the Cisco advisory available at http://www.cisco.com/warp/public/707/arrowpoint-useraccnt-debug-pub.shtml for more information.

Impact: Local users can gain administrative access to the switch.

Solution: Update to version 4.01B19s of Cisco WebNS software.

Date: 4/4/2001


Description: sysback includes a call to hostname but does not include a full path specification. Because sysback is set uid root, intruders can put a malicious hostname in the path before the "real" hostname, and thereby execute any commands with root privileges.

Impact: Local users can execute arbitrary commands and programs with root privileges.

Solution: Update to sysback.rte 4.2.1.13 as described in the IBM vendor statement.

Workaround: Remove setuid root from sysback in environments that permit it (where such a change would not be detrimental to operations).

Date: ########

Description: Versions 4.2.4 and earlier of ncompress do not properly handle filenames longer than 1023 characters.

Impact: By supplying long filenames to ncompress, an attacker may be able to gain local access to the server or force ncompress to execute arbitrary code.

Solution: Obtain a patch from your vendor.

Workaround: Remove ncompress or remove execute

Date: ########

Description: Ptrace is a function, which is often used for debugging, that allows one process to attach to another and monitor or modify its execution state and memory. This vulnerability exploits a race condition that allows an attacker to use ptrace, or a similar function (procfs), to attach to and, thus, modify a running setuid process. This enables the attacker to execute arbitrary code with elevated (root) privilege. Linux kernel versions 2.2.18 and earlier are vulnerable to this flaw. Any Linux product that is dependent on this kernel is, therefore, vulnerable.

Impact: Unprivileged local users can gain privileged (root) access.

Solution: Upgrade the Linux kernel to version 2.2.19 or later. The release notes for Linux 2.2.19 at http://www.linux.org.uk/VERSION/relnotes.2219.html describe the security fix. For users of specific Linux vendors, use the vendor-specific upgrades for convenience and consistency.

Date: 3/26/2001

Description: An "open" mail server is one that will send mail that is not addressed to and does not originate from a local user. Open mail servers are sometimes called "open mail relays", "mail relays", "third-party mail servers" or similar names. Intruders who wish to conceal their true location often send mail through an open mail server. For more information on open mail servers, see

http://maps.vix.com/tsi/ar-what.html

Lotus Domino includes anti-relay provisions to prevent intruders from sending mail through a Domino SMTP server to third parties. However, by carefully constructing a mail message, an intruder can circumvent the safeguards provided by Domino, effectively turning Domino SMTP

Impact: Intruders can use Lotus Domino SMTP servers to relay mail to arbitrary third parties.

Solution: Apply an update from Lotus when it is available. Lotus is tracking this issue as SPR# MLOT4THVGP. See their vendor statement for additional information.

Workaround: Until an update is available, you can avoid this problem through several techniques. First, you can use the anti-relay facilities provided by Domino. By putting a "*" in the "Deny messages from external Internet domains to be sent to the following Internet domains" field you can

Date: 3/1/2001

Description: "passwd" is a utility used to change the password for the current user. A locally exploitable buffer overflow in "passwd" may permit a local attacker to gain elevated privileges and execute arbitrary code on a vulnerable host.

Impact: A local user may be able to gain elevated privileges and execute arbitrary code.

Solution: Apply a patch.

Date: 8/1/2002

Description: The Find-By-Content feature of Mac OS X generates indexing data from the contents of files in each directory. It then stores the indexing data for each directory in a hidden yet world-readable file named ".FBCIndex" within the same directory. If files in a directory served by the Apache Web server are indexed, the hidden index data file will be stored in the same directory where it can be viewed by remote users via HTTP.

Impact: Users may not be aware that their potentially sensitive file data is being indexed and stored where it can be served by Apache to the public.

Solution: The CERT/CC is currently unaware of a practical solution to this problem.

Workaround: Turn off Find-By-Content indexing in Mac OS X. Use Unix file permissions or Apache run-time configuration directives to limit access to the hidden index data file.

Date: 9/10/2001



Description: Certain versions of Cisco IOS contain a vulnerability that allows the router to enter an unstable state after receiving a connection attempt on any TCP port in the following ranges: 3100-3999, 5100-5999, 7100-7999, and 10100-10999. In this state, the router will reload at the next execution of "show running-config," "write memory," or any command that causes the configuration file to be accessed.

Impact: Attackers may cause Cisco routers to reload and cause a denial of service.

Solution: Review Cisco Systems's security advisory to determine which versions of IOS are vulnerable and which version you should obtain to eliminate this vulnerability. The advisory is available at:

http://www.cisco.com/warp/public/707/ios-tcp-scanner-reload-pub.shtml

Workaround: None.

Date: 5/24/2001

Description: The Dallas Semiconductor iButton DS1911 stores 1 kilobyte of data in 3 separate password-protected areas. It includes functionality intended to prevent password guessing, but is vulnerable to dictionary attacks. For more information, see the advisory published by @stake Research Labs, available at

http://www.atstake.com/research/advisories/2001/a011801-1.txt

Impact: Intruders can use a dictionary attack to recover passwords.

Solution: Use passwords not found in any dictionary of any language, rewrite your application, or upgrade to the DS1963S.

Date: 1/18/2001

Description: Oracle Database Server provides extended functionality through the use of Procedural Language/Structured Query Language (PL/SQL) libraries. PL/SQL includes commands to load arbitrary system libraries and execute any function contained in those libraries. These commands require special user privileges. However, the functions of user authentication and library loading are split among different Oracle processes. As a result, it is possible to load libraries and execute arbitrary functions from them without authenticating.

Oracle runs a "Listener" process that receives requests from clients and forks separate child processes to handle each request. When the child process runs a PL/SQL library that makes

Impact: Remote users can execute arbitrary code with privileges of the user running Oracle, typically username "oracle" on Unix systems or the local "SYSTEM" user on Windows systems.

Solution: The CERT/CC is currently unaware of a practical solution to this problem.

Workaround:
1. Install a firewall and restrict access to port 1521 from outside the network.
2. Configure the Oracle Listener to run on a port other than 1521.
3. Remove PLSExtproc and icache_extproc functionality from Oracle if not needed, by deleting relevant lines from the

Date: 2/6/2002

Description: During an NMAP audit of the AOS 5.1.1 code that runs on the Alcatel OmniSwitch 7700/7800 LAN switches, it was determined that a telnet server was listening on TCP port number 6778. This was used during development to access the Wind River Vx-Works operating system. Due to an oversight, this access was not removed prior to product release.

Impact: Anyone running NMAP on AOS 5.1.1 will see port 6778 listening. The attacker is able to telnet to the port and access the OmniSwitch operating system without a password. This backdoor compromises the entire system.

Solution:
1) Immediate - create an ACL blocking all access to TCP port 6778.
2) Short-term - Alcatel Customer Support has updated code that removes this backdoor. This fix is part of AOS 5.1.1.R02 and AOS 5.1.1.R03. Contact Customer Support for this updated code.
3) Permanent - the generally available AOS code--the code that ships with each OmniSwitch--will have this vulnerability removed as of AOS 5.1.3.

Date: ########

Description: My Classifieds is a Perl CGI script, maintained by Mike Spice, that produces dynamic ad listings on a web server and allows users to edit their ads remotely. Prior to version 1.3, My Classifieds passed the CGI variable "category" to Perl's open() function without checking the variable for tampering by the client user.

Impact: Remote attackers can craft an HTTP request with any path in the "category" variable, allowing the attacker to overwrite any file to which the web server process has access.

Solution: Upgrade to version 1.3 of My Classifieds at:

http://www.fuzzymonkey.org/cgi-bin/download.cgi

Date: 1/9/2002



Description: This problem is reported to be the result of incorrect bounds checking on the part of the lex routines used in nslookup. This vulnerability is mentioned in an IBM advisory as being exploited by attackers.

Impact: The impact of this vulnerability is not clear. It may be possible for local attackers to gain root privileges on the vulnerable system.

Solution: Apply a Patch. IBM has released patches to correct this problem. For AIX version 4.3, system administrators should apply APAR#IX79909.

Date: 7/6/1998

Description: Background

rpc.statd and rpc.lockd are designed to work in conjunction with each other to manage NFS lock information in the event of a crash of an NFS client or server.

The rpc service rpc.statd is a program designed to communicate status information to other 'interested' computers on the network. That is, rpc.statd is designed to notify other computers when the host computer has crashed, and to receive notification when other systems have crashed.

The notification of crashes is delivered to another program, rpc.lockd. rpc.lockd manages locks for NFS clients and servers. When rpc.lockd is notified

Impact: An intruder can call rpc services that should not be reachable. In conjunction with other vulnerabilities in automountd, root-level access has been reported to have been gained remotely using this exploit.

Solution: Install the latest patches from Sun for automountd and statd. Note that the statd patch is only a defense against the combination problem of bouncing things from statd to automountd, not a general fix of the bounce problem.

Workaround: The easiest way to work around this problem quickly is running statd as a user other than root. To this end change in /etc/init.d/nfs.client as follows (but not on Solaris 7, where such a change may break statd)

    28c28
    < /usr/lib/nfs/statd > /dev/cons

Date: 1/3/1999


Overview: The System Monitor ActiveX control (sysmon.ocx) included with Windows 2000 contains a buffer overflow. For more information, see
http://www.microsoft.com/technet/security/bulletin/ms00-085.asp
http://www.ussrback.com/labs57.html
The class id for this control is C4D2D8E0-D1DD-11CE-940F-008029004347.

Impact: Intruders who can script the control (e.g. by constructing a malicious web page or email message) can execute arbitrary code with the privileges of the victim.

Solution: Apply a patch as described in the Microsoft bulletin.

Date: 11/2/2000

Overview: The nslookup program fails to drop the privileges it gains from being setuid. This access appears to be needed to read the "/etc/resolv.conf" file. This problem was described in IBM ERS advisory ERS-SVA-E01-1997:008.1.

Impact: Intruders with access to a local user account may be able to gain root privileges.

Solution: Apply a Patch. For AIX version 4.1, system administrators should apply APAR #IX71464. For AIX version 4.2, system administrators should apply APAR #IX70815.

Workaround: Disable the setuid bit on nslookup. You can prevent this vulnerability from being exploited by removing the setuid bit from the nslookup program. You can do this by executing the following command as root:
chmod 555 /usr/bin/nslookup

Overview: Different versions of Adobe Acrobat software can create, modify, and read Portable Document Format (PDF) files. Acrobat JavaScript implements PDF-specific objects, methods, and properties and provides functionality similar to that of HTML client JavaScript. More information about Acrobat JavaScript is available from the Acrobat 5 JavaScript Training site and in the Acrobat JavaScript Object Specification. A vulnerability in the way Acrobat 5 validates JavaScript in PDF files could allow arbitrary files to be written to any location on the local file system that is writeable by the user running Acrobat. From the Adobe Acrobat 5.0.5 Security, Accessibility, and Forms patch: Due to a vulnerability in the JavaScript parsing engine, a malicious PDF

Impact: An attacker could cause arbitrary files to be written to the local file system within the scope of the users' permissions. A virus (W32.Yourde) that exploits this vulnerability has been discovered. This virus does not destroy data. More detailed information is available in write-ups from Symantec and McAfee.

Solution: Apply Patch or Upgrade. Install the Adobe Acrobat 5.0.5 Security, Accessibility, and Forms patch or upgrade to Acrobat 6 or later.

Workaround: Disable JavaScript. Acrobat JavaScript can be disabled in the General preferences dialog (Edit > Preferences > General > JavaScript). Restrict Access to Plug-ins Directory. Use NTFS file permissions to prevent users from writing to the Plug-ins

Date: 4/30/2003

Overview: There is a buffer overflow in the AIX portmir command. This problem was described in IBM ERS security bulletin: ERS-SVA-E01-1997:006.1.

Impact: Attackers with access to a local user account may gain root privileges.

Solution: Apply a Patch. IBM has released patches to correct this problem. For AIX version 4.2.1, system administrators should apply APAR#IX71795.

Workaround: Disable the setuid bit on the portmir command. Disabling the setuid bit on the portmir command will prevent this vulnerability from being exploited. You can do this by running the following command as root:
chmod u-s /usr/sbin/portmir

Overview: cgiemail is a CGI program that composes data submitted on Web forms into email messages. The cgicso.c component of the web-based email system cgiemail contains a buffer overflow vulnerability.

Impact: HTTP clients may execute arbitrary code on the web server, with the privileges of the web server process.

Solution: The CERT/CC is currently unaware of a practical solution to this problem.

Workaround: Remove cgiemail from web servers that

Date: 1/16/2002

Overview: Novell NetWare 5.1 and 6.0 include a web server called NetWare Enterprise Server. The server contains a buffer overflow vulnerability that can be triggered by a specially crafted HTTP request directed to the /perl/ handler. The vulnerability occurs in the module CGI2PERL.NLM, which is mapped to the /perl/ directory in an HTTP request. Further information is available in Novell Technical Information Document 2966549 and PROTEGO Security Advisory #PSA200301. NetWare 5.1 with NetWare Enterprise Web Server 3.6 and certain NetWare 6.0 systems (NetWare Enterprise Web Server 6.00d) are affected. In particular, NetWare 6.0 systems that have been upgraded from 5.1 may be affected.

Impact: A remote attacker could cause the web server to hang or restart (ABEND), resulting in a denial of service. Since EIP is overwritten, it may be possible for the attacker to execute arbitrary code with the privileges of the server process (Admin).

Solution: Apply a patch. Apply the appropriate patch referenced in Novell TID 2966549.

Workaround: Unmap /perl/ handler. If it is not needed, unmap the /perl/ request handler. Information about how to configure the /perl/ CGI directory can be found in Novell's Perl documentation for Netware Enterprise Web Server.

Date: 7/23/2003

Overview: Blahz-DNS does not properly authenticate users. As a result, an attacker can gain access to various configuration pages. For more detailed information, please see the ppp-design advisory.

Impact: An attacker can gain access to various configuration pages and make modifications to DNS information.

Solution: Upgrade to version .25.

Date: 4/29/2002

Overview: There is a buffer overflow in the processing of Active Stream Redirector (.ASX) files in Windows Media Player version 6.4 and 7. An Active Stream Redirector is a file type used by Windows Media Player to determine where a media stream can be found on the Internet, and how to play it. This vulnerability is a variant of the vulnerability described in VU#675320 and MS00-090.

Impact: An attacker may be able to execute arbitrary code on vulnerable systems when the user visits a web page.

Solution: Apply a Patch. Microsoft has published patches correcting this vulnerability. The patches are listed in their advisory at:
http://www.microsoft.com/technet/security/bulletin/MS01-029.asp

Date: 5/23/2001

Overview: The Low BandWidth X proxy is a component of XFree86 (a freely redistributable open-source implementation of the X Window System). The Low BandWidth X proxy allows applications to transparently take advantage of the Low Bandwidth extension to X (LBX). LBX allows one to make more efficient use of low bandwidth high latency communication links. Quoting from LBX technical specifications: Low Bandwidth X (LBX) is a network-transparent protocol for running X Window System applications over transport channels whose bandwidth and latency are significantly worse than that used in local area networks. It combines a variety of caching and reencoding techniques to reduce the volume of data that

Impact: A local attacker can execute arbitrary code with root privileges.

Solution: Apply a vendor patch.

Date: 7/5/2001

Overview: Quoting from the McAfee ASaP VirusScan FAQ, McAfee ASaP VirusScan is "a web-based, managed and updated anti-virus service for the entire desktop environment." McAfee ASaP VirusScan allows hosts to share virus definitions, eliminating the need for all of the hosts to update their virus signature software from one central location. In order to make this possible, each host running this software also runs a lightweight http server that listens on 6515/TCP. Because of a vulnerability that exists in this HTTP server, a malicious user can connect to 6515/TCP and traverse the host file system to access any file on the system. For example:
HTTP://<Target IP Address>:6515/.../.../.../.../winnt/repair

Impact: A malicious user can connect to 6515/TCP and traverse the host file system, thus viewing any file on the target host with the privileges of the HTTP server, typically SYSTEM.

Solution: NAI has patched this vulnerability. The patch will be automatically disseminated to all affected hosts. Quoting from an NAI announcement regarding this vulnerability: McAfee has taken action to address the vulnerability discovered in the VirusScan ASaP agent technology, which affected all users of VirusScan ASaP. McAfee has distributed the fix to all McAfee ASaP update sites for automatic distribution to end users. The fix will be downloaded and applied to end user systems in the normal course of updating that VirusScan ASaP performs each day. Any VirusScan ASaP agents that have performed an update since 03:30 Greenwich Mean Time on July 14, 2001 will have applied the fix.

Date: 7/11/2001

Overview: The text of this document was originally released on January 20, 1998, as SNI-23, developed by Secure Networks, Inc. (SNI). To more widely broadcast this information, we are reprinting the SNI advisory here with their permission. Some technical details in the original advisory are not included in this reprint, and these are indicated thus:

The original advisory is currently available from http://www.pgp.com/research/covert/advisories/024.asp
This advisory details a vulnerability in the SSH cryptographic login program. The vulnerability enables users to use RSA credentials belonging to other users who use the ssh-agent program. This vulnerability may allow an attacker on the same local host to login to a

Impact: A malicious user is able to establish ssh sessions as a different local user.

Solution: Upgrade to a later version of ssh, as described in the text of this document.

Date: 1/20/1998

Overview: The /usr/libexec/vi.recover script in OpenBSD cleans up vi temp files and informs a user via email if a recovery file exists for an aborted vi session. The vi.recover script is reported to contain an unspecified vulnerability that may allow the removal of arbitrary zero-length files, including device nodes. The vi.recover script in OpenBSD is a perl adaptation of a shell script from the nvi package, which is also reported to be vulnerable and may be present in other UNIX-based operating systems. This vulnerability is fixed in OpenBSD 3.1.

Impact: An attacker may be able to remove arbitrary zero-length files. This could allow a local attacker to cause a local denial of service by removing devices or files that enable services.

Solution: Obtain a patch for your system from one of the following URLs.
For OpenBSD-2.9: ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/016_recover.patch
For OpenBSD-3.0: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/007_recover.patch

Workaround: Remove /usr/libexec/vi.recover.

Overview: ProCheckup has reported a vulnerability in iPlanet Web Server, Enterprise Edition and Netscape Enterprise Server running on Windows NT based operating systems. The iPlanet and NES servers provide a feature called Web Publisher. According to NES documentation: Netscape Enterprise Server 4.0 clients can use Web Publisher to collaborate on projects by directly accessing, editing, and managing files on remote servers. Web Publisher provides sophisticated features for server clients, such as file management, editing and publishing, and access control. If Web Publishing is enabled, a malformed ?wp-html-rend command can crash the web server process. To determine if Web Publisher

Impact: An unauthenticated remote attacker can cause a denial-of-service condition by sending malformed ?wp-html-rend commands to a vulnerable server.

Solution: Disable Web Publishing. iPlanet recommends disabling Web Publisher and Directory Indexing on external servers:
http://developer.netscape.com/docs/manuals/enterprise/40/ag/esapuirf.htm#1005372
Another method for disabling Web Publisher is to use a Netscape Server Application Programming Interface (NSAPI) Server Application Function (SAF):
http://knowledgebase.iplanet.com/ikb/kb/articles/7761.html

Workaround: Filter HTTP Traffic. It may be possible to use an application layer filter to detect and block HTTP requests containing the ?wp-html-rend command.

Date: 1/8/2002

Overview: The XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems. The xdr_array() function in the XDR library provided by Sun Microsystems contains an integer overflow that can lead to improperly sized dynamic memory allocation. Subsequent problems like buffer overflows may result, depending on how and where the vulnerable xdr_array()

Impact: Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information. Specific impacts reported include the ability to execute arbitrary code with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind, for example). In addition, intruders who exploit the XDR overflow in MIT KRB5 kadmind may be able to gain control of a Key Distribution Center (KDC) and improperly authenticate to other services within a trusted Kerberos realm.

Solution: Apply a patch from your vendor. Note that XDR libraries can be used by multiple applications on most systems. It may be necessary to upgrade or apply multiple patches and then recompile statically linked applications. Applications that are statically linked must be recompiled using patched libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched libraries. System administrators should consider the following process when addressing this issue: Patch or obtain updated XDR/RPC libraries. Restart any dynamically

Workaround: Disable access to vulnerable services or applications. Until patches are available and can be applied, you may wish to disable access to services or applications compiled with the vulnerable xdr_array() function. Such applications include,

Date: 7/31/2002

Overview: A vulnerability exists in the way in which the libc libraries handle environment variables in the HP Tru64 UNIX operating system. As a result, local attackers may be able to execute arbitrary code with elevated privileges, using several different binaries that make use of the vulnerable library. For more information, please see SSRT2257.

Impact: Local attackers can execute arbitrary code with elevated privileges.

Solution: Apply a patch. You may also wish to see the following documents.

HP Tru64 UNIX 5.1A:
README: T64V51AB2-C0041400-14950-ES-20020730
Location: ftp://ftp1.support.compaq.com/public/unix/v5.1a/

HP Tru64 UNIX 5.1:
README: T64V51B19-C0136900-14951-ES-20020730
Location: ftp://ftp1.support.compaq.com/public/unix/v5.1/

HP Tru64 UNIX 5.0A:
README: T64V50AB17-C0018404-14949-ES-20020730
Location: ftp://ftp1.support.compaq.com/public/unix/v5.0a/

HP Tru64 UNIX 4.0G:
README: T64V40GB17-C0010404-14948-ES-20020730
Location:

Date: 4/17/2002

Overview: NGSSoftware has released a paper titled Hackproofing Oracle Application Server that describes a number of security issues in the Apache PL/SQL module used by Oracle9i Application Server (iAS). This document addresses the DAD substitution problem, where an attacker could bypass authentication by specifying which DAD to use to access a PL/SQL application. Oracle iAS uses the Apache HTTP Server to provide web services, including access to stored procedures via the Oracle PL/SQL module (modpplsql or mod_plsql). In iAS, PL/SQL is used to communicate with the database and generate HTML that can be interpreted by a web browser. A DAD defines how a PL/SQL request connects

Impact: An unauthenticated remote attacker could gain access to an Oracle PL/SQL application. Depending on the capabilities of the application, the attacker could read, modify, or delete data.

Solution: Block or Restrict Access. Unauthenticated PUBLIC access to PL/SQL applications and procedures can be restricted using the exclusion_list parameter in the PL/SQL gateway configuration file, /Apache/modplsql/cfg/wdbsvr.app. This solution is described in Oracle Security Alert #28. For more information, read the section titled Protecting the PL/SQL Procedures Granted to PUBLIC in the Oracle iAS documentation under Using the PL/SQL Gateway.

Workaround: Disable Vulnerable Service. Disable the PL/SQL service (modplsql or mod_plsql in Apache).

Date: 1/10/2002

Overview: XFS is a 64-bit compliant journaling file system. The XFS journaling filesystem daemon (xfsmd) on SGI systems uses a call to popen(3) with unfiltered client-controlled input.

As mentioned in VU#20276:

The popen(3) call is described by the man page as follows:

    FILE *popen(const char *command, const char *type);

    popen() creates a pipe between the calling program and the command to be executed. The arguments to popen() are pointers to null-terminated strings. "command" consists of a shell command line.

In essence, popen provides the calling program the output of "command." One...
Impact: A remote user can run arbitrary commands with root privileges.
Solution: SGI has reported they will not be providing a patch for this issue. Sites are strongly urged to disable the XFS daemon and related subsystems as soon as their service requirements permit.
Workaround: Per SGI Security Advisory 20020606-02-I: There is no effective workaround available for these problems. SGI recommends either disabling or uninstalling the product. To disable the product from running, perform the following steps: ...
Date: 6/18/2002
Overview: Sun describes the Sun ONE Directory Server as a software product that provides a central repository for storing and managing identity profiles, access privileges and application and network resource information. Information stored in the Sun ONE Directory Server can be used for the authentication and authorization of users to enable secure access to enterprise and Internet services and applications. A vulnerability exists in ns-ldapd (a directory service process). For more information, please see Sun Alert 52102.
Impact: This vulnerability may allow a remote attacker to effectively terminate directory services on the affected host.
Solution: Apply a patch.
Date: 4/30/2003
Overview: During the processing of transaction signatures, BIND performs a test for signatures that fail to include a valid key. If a transaction signature is found in the request, but a valid key is not included, BIND skips normal processing of the request and jumps directly to code designed to send an error response. Because this code fails to initialize variables in the same manner as the normal processing, later function calls make invalid assumptions about the size of the request buffer. In particular, the code to add a new (valid) signature to the response may overflow the request buffer and overwrite adjacent memory on the stack or heap. Overwriting this memory can allow an intruder (in conjunction with other buffer overflow exploit techniques) to gain unauthorized access to the vulnerable system.
Impact: This vulnerability may allow an attacker to execute privileged commands or code with the same permissions as the BIND server. Because BIND is typically run by a superuser account, the execution would occur with superuser privileges.
Solution: The ISC has released BIND version 8.2.3 to address this security issue as well as others. The CERT/CC strongly recommends that all users of BIND 8.2.x upgrade to 8.2.3 immediately. The ISC recommends that users affected by this vulnerability upgrade to either BIND 8.2.3 or BIND 9.1.

The BIND 8.2.3 distribution can be downloaded from: ftp://ftp.isc.org/isc/bind/src/

The BIND 9.1 distribution can be downloaded from: ftp://ftp.isc.org/isc/bind9/

Please note that upgrading to BIND 8.2.3 also addresses the information leakage vulnerability discussed in VU#325431.
Date: 1/29/2001
Overview: AT&T WinVNC is a free package available from AT&T Labs Cambridge that allows an existing desktop of a PC to be available on the desktop of a remote host. This software runs on Windows 95, Windows 98, Windows NT 4.0, and Windows 2000. The default installation of WinVNC creates a registry key which is used to store some of WinVNC's default settings. Some of these settings include the connection password as well as an IP based restriction list. The privileges on this registry key allow full access from the Administrator or System accounts and gives the "Everybody" group read and modify privileges. Upon creation, this key is insufficiently protected such that an attacker can modify the registry...
Impact: This vulnerability could allow a remote attacker to modify the HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\ key and allow unauthenticated access to the service.
Workaround: Use Regedit to remove the "Standard Users" & "Everybody" permissions from the HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\ registry key. Additionally, one should make sure that access to the registry is restricted to authorized personnel.
Overview: This vulnerability can cause affected DNS servers running named to go into an infinite loop, thus preventing further name requests to be handled. This can happen if an SRV record (defined in RFC2782) is sent to the vulnerable server.

Microsoft's Windows 2000 Active Directory service makes extensive use of SRV records and is reportedly capable of triggering this bug in the course of normal operations. This is not, however, a vulnerability in Microsoft Active Directory. Any network client capable of sending SRV records to vulnerable name server systems can exercise this vulnerability.
Impact: A remote attacker can use malicious SRV records to crash vulnerable BIND servers, resulting in a denial-of-service condition that disables name resolution service.
Solution: Apply a patch from your vendor. To address this vulnerability, the CERT/CC recommends that all users of ISC BIND upgrade to version 8.2.2-P7, which patches both VU#198355 and VU#715973. For information regarding vendor-specific versions of DNS software, please consult the Systems Affected section of this document.
Date: 11/7/2000
Overview: The Beck IPC@CHIP is a single chip embedded webserver. This device contains a telnet server that "leaks information". That is, when an attacker connects to the telnet daemon and enters a valid username, the telnet daemon will prompt the user with "Password". However, if the attacker supplies the telnet daemon with an invalid account name, the device will respond with "User Unknown". Additionally, the telnet daemon permits unlimited login attempts and it isn't counting or logging any bad passwords. Given this, an attacker could make use of a brute-force password attack and gain entry to the device.
Impact: An attacker can connect to the telnet service and make use of a brute-force password attack and perhaps gain entry to the device.
Solution: Obtain a patch from the vendor.
Date: 5/24/2001
Overview: Microsoft Internet Explorer with Browsing Enhancements (installed by default on some versions of Windows) may crash when opening an FTP URL containing '#' or '&' characters.
Impact: Users who open a URL of the forms described above may lose session data and be forced to restart IE.
Solution: The CERT/CC is currently unaware of a practical solution to this problem.
Workaround: Examine URL's of links before clicking them, and do not open URL's of the forms described above.
Date: 5/11/2001
Overview: SCO UnixWare 7 ships with a utility package called UUCP. The UUCP package allows for the copying of files between different UNIX systems and the sending of commands for execution on a remote system. There is a buffer overflow in the uucico application, which is part of the package. A malicious user can use these vulnerabilities to gain elevated privileges.
Impact: A malicious local user can gain elevated privileges.
Solution: Caldera has released binaries that fix the problem. They are located at ftp://ftp.sco.com/pub/security/unixware/sr847405/.
Date: 6/27/2001

Overview: Adobe Systems Incorporated describes PDF (Portable Document Format) as "a universal file format that preserves the fonts, images, graphics, and layout of any source document, regardless of the application and platform used to create it." A viewer such as Adobe Reader or Xpdf is needed to view a document encoded in PDF. Various PDF viewers are widely deployed on the Internet. Quoting from the Adobe Systems Incorporated web site: Governments and enterprises around the world have adopted PDF to streamline document management, increase productivity, and reduce reliance on paper....An open file format specification, PDF is available to anyone who...
Impact: A remote attacker may be able to execute arbitrary commands with the privileges of the victim.
Solution: Apply a patch when available.
Date: 6/13/2003
Overview: The Microsoft Windows 2000 event viewer contains a buffer overflow that can be exploited when a record written to an event log is examined by the event viewer. Both privileged and unprivileged users can read and write to the system and application logs, but only privileged users and processes can read and write the security log. The buffer overflow occurs in the code used to process and display properties of individual event records. For more information, see http://www.microsoft.com/technet/security/bulletin/MS01-013.asp

The data needed to run code can be inserted into event logs remotely, but an intruder cannot cause the vulnerability to be triggered without tricking or coercing someone to examine the particular event log record containing...
Impact: An intruder who can write to an event log can insert data that will cause a buffer overflow to occur when a user examines the record in the event log. This will allow the execution of arbitrary code with the privileges of the person examining the record.
Solution: Apply a patch as described in the Microsoft bulletin.
Date: 2/26/2001
Overview: The phf CGI script constructs a partial command line consisting of the ph command and appropriate arguments, and completes the command line based on the input from the user. The intent is to execute a ph query on behalf of the user. Annotated code from the vulnerable phf CGI script is shown below. Labels have been added for easy reference.

        if (!atleastonequery)
            printf("<B>You did not enter a query!</B>%c",LF);
        else {
    1:      strcpy(commandstr, "/usr/local/bin/ph -m ");
            if (strlen(serverstr)) {
    2:          strcat(commandstr, " -s ");
                /* RM 2/22/94 oops */
    3:          escape_shell_cmd(serverstr);
    ...

Impact: Any remote user can run programs on the attacked machine as the uid running the Web server.
Solution: Update to the latest version of phf, or disable it if unused.
Date: 2/5/1996
Overview: Midnight Commander is a file manager for open source operating systems, distributed under the GNU General Public License (GPL). In version 4.5.1 of Midnight Commander, the mcedit text editor component contains an unspecified buffer-overflow vulnerability that can be exploited to cause a segmentation fault.
Impact: The complete impact of this vulnerability is not yet known. Local attackers can cause a segmentation fault in mcedit. It may be possible to execute arbitrary code, though this has not been demonstrated or proven.
Solution: The CERT/CC is currently unaware of a practical solution to this problem.
Workaround: None.
Overview: A message posted to the bugtraq mailing list details a vulnerability affecting versions of MySQL prior to 3.23.56. MySQL would permit users with 'FILE' permissions to create and edit world-writeable configuration files. Upon rebooting the server, MySQL would read these files and be configured to give a remote user elevated privileges.
Impact: Exploitation of this vulnerability can lead to a remote user gaining elevated privileges and subsequently gaining control of the MySQL database.
Solution: Version 3.23.56 of MySQL resolves this issue. Likewise, you may apply the patch or upgrade supplied by your vendor for this issue.
Date: 3/8/2003
Overview: SCO UnixWare 7 ships with a utility package called UUCP. The UUCP package allows for the copying of files between different UNIX systems and the sending of commands for execution on a remote system. There is a buffer overflow in the uuxqt application, which is part of the package. A malicious user can use these vulnerabilities to gain elevated privileges.
Impact: A malicious local user can gain elevated privileges.
Solution: Caldera has released binaries that fix the problem. They are located at ftp://ftp.sco.com/pub/security/unixware/sr847405/.
Date: 6/27/2001
Overview: Lotus iNotes Web Access is a database application that provides "access to corporate messaging services and personal information through a Web browser." NGSSoftware has researched and reported a buffer overflow vulnerability in iNotes that can be triggered via a specially crafted FolderName value of the PresetFields parameter. For further information, see NGSSoftware Insight Security Research Advisory #NISR17022003b. Lotus is tracking this issue as SPR# KSPR5HUQ59. Further information is available in IBM Technote 1104527.
Impact: A remote attacker could execute arbitrary code with the privileges of the Domino server process or cause a denial of service.
Solution: Upgrade. This issue is resolved in Notes/Domino 6.0.1 and 5.0.12.
Workaround: Disable Vulnerable Service. Until upgrades can be performed, consider disabling iNotes.
Date: 2/17/2003
Overview: The Apache HTTP Server is a very popular freely available web server that runs on a variety of operating systems, including UNIX, Linux, and Microsoft Windows (Win32).

A vulnerability exists in the way the Apache HTTP Server handles excessively large chunks of consecutive linefeed characters. Apache 2.0.44 (both the Windows & UNIX implementations) contains this vulnerability. Prior 2.x versions of Apache may contain the vulnerability. For more information, please see the iDEFENSE Advisory.
Impact: Exploitation of this vulnerability may allow an attacker to consume all available system resources, resulting in a denial-of-service condition.
Solution: Apply a patch from your vendor. If a patch is not available, you may wish to upgrade to Apache HTTP Server 2.0.45. The Apache Software Foundation has provided a patch as well.
Date: 4/8/2003
Overview: The buffer overflow occurs in the smap/smapd and CSMAP daemons. According to PGP Security, these daemons are responsible for handling email transactions for both inbound and outbound e-mail.

This vulnerability occurs in smap/smapd on the following products:
    Gauntlet for Unix versions 5.x
    PGP e-ppliance 300 series version 1.0
    McAfee e-ppliance 100 and 120 series

This vulnerability occurs in CSMAP on the following products:
    Gauntlet for Unix version 6.0
    PGP e-ppliance 300 series versions 1.5, 2.0
    PGP e-ppliance 1000 series versions 1.5, 2.0
    McAfee WebShield for Solaris v4.1
Impact: An intruder can execute arbitrary code with the privileges of the corresponding daemon.
Solution: Patches for this vulnerability are available from the vendor at ftp://ftp.nai.com/pub/security/ and http://www.pgp.com/naicommon/download/upgrade/upgrades-patch.asp.
Date: 9/4/2001
Overview: Microsoft systems use components of Microsoft Outlook Express to render MHTML (MIME Encapsulation of Aggregate HTML) when viewing files. Internet Explorer also relies on the MHTML rendering engine in Outlook Express when displaying web pages.

The MHTML rendering engine in Outlook Express does not validate the type of file being processed. This may lead to web script executing in the Local Computer Zone, which may give remote attackers control of victim systems.

Microsoft has released patches to resolve this issue in Microsoft Security Bulletin MS03-014, Cumulative Patch for Outlook Express (330994). Microsoft also reports that if the patches for MS03-004 have already...
Impact: By exploiting this vulnerability, an attacker may be able to launch programs on a victim's computer in the Local Computer Zone. If an attacker can guess, discover, or know the file path of programs already installed on a victim computer, he may be able to execute arbitrary commands. Additionally, if an attacker can access files he may have downloaded to a victim system, he would be able to execute arbitrary code.
Solution: Apply patches for Outlook Express found in MS03-014.
Date: 5/1/2003
Overview: JSP is a web-server-based technology used to produce dynamic web content. Tomcat, a product of the Apache Jakarta Project, is an implementation of JSP.

Tomcat does not enforce HTTP request syntax with regard to protocol name and version number. Furthermore, if a received HTTP request for a JSP is missing the protocol name and version number string (i.e. "HTTP/1.1"), Tomcat will serve the JSP source file instead of executing the file and serving the servlet output.
Impact: Attackers may gain read access to JSP source code on the server.
Solution: The CERT/CC is currently unaware of a practical solution to this problem.
Date: 4/3/2001
Overview: The df program is used to display statistics about the amount of used and free disc space on a set of mounted file systems. Alternately, it can be used to check on the amount of space available on unmounted block devices which may be specified by some path.

Due to insufficient bounds checking on either directory or block device arguments which are supplied by users, it is possible to overwrite the internal stack space of the df program while it is executing. By supplying a carefully designed argument to the df program, intruders may be able to force df to execute arbitrary code. Since df is setuid root, this will allow intruders to run arbitrary code with root privileges.
Impact: This vulnerability may allow local users to gain root privileges.
Solution: Apply the patch provided by SGI.
Workaround:
1. Remove setuid perms, and execute perms from df.

    % chmod u-s `which df`

2. Use the AUSCERT wrapper. The source for the wrapper, including installation instructions, can be found at: ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_
Date: 5/24/1997
Overview: Some versions of IBM AIX used unbounded string operators. This problem was corrected in AIXV4 by changing the unbounded operators to their bounded equivalents.
Impact: Remote attackers may be able to gain root privileges.
Solution: Apply a patch from your vendor. See the Vendor Status section for more information.
Date: 3/28/2002
Overview: In a typical file transfer operation, one participant (the client) requests a file while a second participant (the server) provides the requested file. Before processing each request, many server implementations will consult an access control policy to determine whether the client should be permitted to read, write, or create a file at the requested location. If the client is able to craft a request that violates the server's access control policy, then the server contains a vulnerability. Since most vulnerabilities of this type involve escaping a restricted set of directories, they are commonly known as "directory traversal" vulnerabilities.

Directory traversal vulnerabilities are most often reported in server...
Impact: This vulnerability allows an attacker to mislead wget users, convincing them to unintentionally create or overwrite files on the client's filesystem.
Solution: Apply a patch from your vendor. For vendor-specific information regarding vulnerability status and patch availability, please consult the Systems Affected section of this document.
Overview: In a typical file transfer operation, one participant (the client) requests a file while a second participant (the server) provides the requested file. Before processing each request, many server implementations will consult an access control policy to determine whether the client should be permitted to read, write, or create a file at the requested location. If the client is able to craft a request that violates the server's access control policy, then the server contains a vulnerability. Since most vulnerabilities of this type involve escaping a restricted set of directories, they are commonly known as "directory traversal" vulnerabilities.

Directory traversal vulnerabilities are most often reported in server...
Impact: This vulnerability allows an attacker to mislead users of affected FTP clients, convincing the victim to unintentionally create or overwrite files on the client's filesystem.
Solution: Apply a patch from your vendor. For vendor-specific information regarding vulnerability status and patch availability, please consult the Systems Affected section of this document.
Overview: A buffer overflow vulnerability in the communications layer of the Tivoli Firewall Toolbox has been discovered. The IBM Tivoli Firewall Toolbox, according to the IBM statement, provides the underlying communication for the framework-based applications within a firewalled environment. This is an optional component, and not part of the base installation for IBM Tivoli Management Environment.
Impact: A remote unauthenticated attacker may be able to execute arbitrary code on the system running the Tivoli Firewall Toolbox. The Tivoli Firewall Toolbox typically runs as user nobody, but may be configured to run as another user.
Solution: This issue has been addressed in version 1.3 of the Tivoli Firewall Toolbox.

According to IBM's statement, downloads of version 1.3 of the IBM Tivoli Firewall Toolbox can be found at:

http://www-3.ibm.com/software/sysmgmt/products/support/IBMTivoliManagementFramework.html (Entitled Customers only)
ftp://ftp.software.ibm.com/software/tivoli_support/patches/patches_1.3 (anonymous access)
Date: 3/19/2003
Overview: Alcatel ADSL modems allow unauthenticated Trivial File Transfer Protocol (TFTP) access from the local area network (LAN) as a method to update firmware and to make configuration changes to the device. In conjunction with one of several common vulnerabilities, a remote attacker may be able to gain unauthenticated access as well.

For example, if a system on the LAN side of the ADSL modem has the UDP echo service enabled, a remote attacker may be able to spoof packets such that the ADSL modem will believe that this traffic originated from the local network. By sending a packet to the UDP echo service with a spoofed source port of 69 (TFTP) and a source address of 255.255.255.255, the system providing the echo...
Impact: A remote attacker may be able to gain access to the device and perform TFTP operations. These operations include:

- inspection of configuration data
- recovery and setting of passwords
- inspection and updates to the firmware
- destructive updates to the firmware
- malicious custom updates to the firmware

Note that affected Alcatel ADSL modems do not provide any mechanism for determining the validity of firmware updates, so a remote attacker may be able to install custom firmware that operated as a DDoS client or a network sniffer. Similarly, an attacker could produce an invalid firmware revision that would disable the device completely, leaving victims no alternative but to return the...
Workaround: Block malicious traffic at your network perimeter. If you have a home firewall product you may be able to prevent the TFTP UDP bounce attack by filtering one or more of the following types of traffic:

- Packets with spoofed source addresses
- Packets with a source address of 255.255.255.255
- Packets with a destination port of echo (or other "simple" services)
Date: 4/10/2001
Description: The Alcatel Speed Touch ADSL modem ships with a null default password, permitting unauthenticated access via TELNET, HTTP, and FTP. As with the EXPERT account vulnerability (VU#243592), the device must have an externally accessible IP address.
Impact: Unless the user or internet service provider changes the default password of an affected device, a remote attacker can access the modem via TELNET, HTTP, or FTP. In the case of TELNET and HTTP, this vulnerability grants the attacker read and write access to device configuration. For FTP, this vulnerability allows the attacker to browse the file structure of the affected device.
Solution: Set a password for your ADSL modem. Because the Alcatel ADSL modems ship without a password by default, an attacker may be able to gain access if this password has not been set. Users are encouraged to set a password when the device is first configured.
Date: 4/10/2001

Description: Many file scanners will decompress compressed file archives in memory so their contents can be scanned. However, some of these scanners do not check if there is enough memory available to decompress the file.

The Zip compression algorithm allows a maximum compression ratio of 1000:1, and with nested Zip archives, it is possible to create a small archive that would decompress to a size several thousands of times greater, and much greater than the memory available on most systems.

When a file scanner tries to decompress such an archive without ensuring that there is enough memory available, it may fail and crash. As file scanners are
Impact: Attackers can design a file which will crash a file scanner and possibly cause additional problems for mail servers that employ file scanners.
Solution: The CERT/CC is currently unaware of a practical solution to this problem.
Workaround: None.
Date: 7/16/2002

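As an added example (not code from the CERT note or from any scanner vendor), the following Python sketch shows the check the note says some scanners omit: members are inflated in bounded chunks against one byte allowance shared across nested archives, plus a nesting-depth limit, so a small archive that would expand to many times the available memory is refused before it is ever held in memory. The limits, helper names and sample archives are all constructed for the demonstration.

```python
import io
import zipfile

# Scanner-side limits (constructed values for this example).
MAX_TOTAL_BYTES = 4 * 1024 * 1024   # total inflated bytes accepted per top-level archive
MAX_NESTING = 3                     # levels of zip-inside-zip the scanner will descend
CHUNK = 64 * 1024                   # inflate in bounded pieces, never a whole member at once
ZIP_MAGIC = b"PK\x03\x04"           # local file header signature of a zip archive


class DecompressionBudgetExceeded(Exception):
    """Raised as soon as inflating the archive would exceed the allowance."""


def scan_zip_bytes(data, budget=None, depth=0):
    """Walk a zip archive held in `data`, inflating members in bounded chunks.

    `budget` is a one-element list holding the remaining byte allowance; nested
    calls share it so the cap applies to the whole archive tree, not per level.
    Returns the number of regular (non-archive) members fully inflated and
    handed to the scanner. Raises DecompressionBudgetExceeded before the cap is
    crossed, or when archives are nested deeper than MAX_NESTING.
    """
    if budget is None:
        budget = [MAX_TOTAL_BYTES]
    if depth > MAX_NESTING:
        raise DecompressionBudgetExceeded("archive nested deeper than %d levels" % MAX_NESTING)
    scanned = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # The central directory's size claim is checked first but not trusted:
            # a crafted archive can understate it, so bytes are also counted as read.
            if info.file_size > budget[0]:
                raise DecompressionBudgetExceeded(
                    "%s claims %d bytes, only %d allowed" % (info.filename, info.file_size, budget[0]))
            inner = None   # buffer used only when the member is itself a zip archive
            with zf.open(info) as member:
                first = True
                while True:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    budget[0] -= len(chunk)
                    if budget[0] < 0:
                        raise DecompressionBudgetExceeded(
                            "inflating %s exceeded the %d byte allowance" % (info.filename, MAX_TOTAL_BYTES))
                    if first:
                        first = False
                        if chunk.startswith(ZIP_MAGIC):
                            inner = io.BytesIO()
                    if inner is not None:
                        inner.write(chunk)
                    # A real scanner would feed `chunk` to its content engine here.
            if inner is not None:
                scanned += scan_zip_bytes(inner.getvalue(), budget, depth + 1)
            else:
                scanned += 1
    return scanned


def is_rejected(data):
    """True if the scanner refuses the archive under the configured limits."""
    try:
        scan_zip_bytes(data)
        return False
    except DecompressionBudgetExceeded:
        return True


def build_zip(members):
    """Constructed helper: build an in-memory deflated zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_nested(levels):
    """Constructed helper: wrap a tiny archive `levels` times, zip inside zip."""
    data = build_zip({"leaf.txt": b"x"})
    for _ in range(levels):
        data = build_zip({"nested.zip": data})
    return data


def demo():
    """Benign archive is scanned; a doubly nested archive of zeros trips the cap.

    Returns (files scanned in the benign archive, benign size, decoy size, decoy rejected).
    """
    benign = build_zip({"a.txt": b"hello\n" * 100, "b.txt": b"world\n" * 100})
    # Constructed decoy: 16 MiB of zeros inflates to four times the allowance yet
    # compresses to a few KiB; wrapping it twice hides it from a one-level check.
    decoy = build_zip({"level1.zip": build_zip(
        {"level0.zip": build_zip({"zeros.bin": b"\0" * (16 * 1024 * 1024)})})})
    return scan_zip_bytes(benign), len(benign), len(decoy), is_rejected(decoy)
```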
Description: French smart cards are credit cards with an embedded chip containing certain cardholder, account, and authentication information. These cards are read by automated terminals across France for sale of a variety of products and services.

Prior to November 1999, authentication was performed on the terminals by reading a 320-bit RSA-encrypted authentication value from the card, decrypting the value, and comparing it to the unencrypted account information stored on the card. The encryption method used a 321-bit RSA key which was cracked in or before 1998 and published on the Internet on February 9, 2000. With knowledge of the key now public, criminals have begun to forge their own credit cards
Impact: Attackers can forge smart cards that will be accepted as payment at over two million estimated automated card reader terminals in France.
Solution: Merchants should upgrade their smart card reader terminals to require the new authentication scheme introduced in November 1999. Cardholders of cards issued before November 1999 should obtain new cards.
Date: 2/9/2000

Description: The Microsoft Windows 2000 Telnet Service contains a resource starvation vulnerability that prevents the server from releasing handles when telnet sessions are terminated in a specific manner. If a sufficiently large number of session requests are established and then terminated in this manner, it is possible to consume all available handle resources, resulting in a denial-of-service attack against all services offered by the victim server.
Impact: This vulnerability allows a remote attacker to disrupt or crash affected Windows 2000 servers, resulting in a denial-of-service condition.
Solution: Apply a patch from your vendor. Microsoft has released a patch for this vulnerability; for further information, please consult the systems affected section below.
Workaround: Disable telnet service. Sites that do not require the Windows 2000 Telnet Service may disable it to prevent exploitation of this vulnerability.
Date: 6/7/2001

Description: SecureCRT is a terminal emulator and SSH client for Windows. If the SSH1 protocol is used and the user enters a password 300 characters or more in length, SecureCRT will crash, with the following error displayed by Windows:

"SECURECRT caused an invalid page fault in module MSVCRT.DLL..."

Since the execution instruction pointer (EIP) register is not overwritten, the crash more likely results from heap overflow than stack overflow.

According to VanDyke Software, the vulnerability does not occur when the SSH2 protocol is used.
Impact: Local users may be able to execute arbitrary code on the client host by supplying a long password to SecureCRT.
Solution: The CERT/CC is currently unaware of a practical solution to this problem.

Description: Surge FTP Server 2.0a allows remote users to list files outside the FTP root directory.
Impact: Attackers may list files from directories to which access was not granted.
Solution: Upgrade to version 2.0b, available at: http://www.netwinsite.com/surgeftp

Description: Alchemy Eye includes an HTTP server for remote system monitoring and control. In versions 2.0 through 2.6 of Alchemy Eye, the HTTP server component does not adequately validate HTTP requests, allowing attackers to execute arbitrary commands.
Impact: Remote attackers can execute arbitrary commands on the server.
Solution: The CERT/CC is currently unaware of a practical solution to this problem.

Description: Purpose

gpm (General Mouse) is the program that lets you use the mouse in console mode when not using XWindows. It is usually included in Linux distributions, and can be started from the command line or in the startup script /etc/rc.d/rc.local. gpm-root is a program in the gpm package that allows the use of menus in console mode when Ctrl + Mousebutton is pressed. The gpm-root daemon in gpm version 1.19.1 and earlier lets the user execute any command with elevated group privileges. To exploit this problem, gpm-root must be running on a machine and the user needs both to login to that machine and to have physical access to the keyboard and mouse. When the user selects a utility from a menu, gpm-root starts the associated process with the group and
Impact: A user with console access can use this vulnerability to execute arbitrary commands with elevated group privileges.
Solution: Upgrade to gpm version 1.19.2 or later, or apply its setuid(), setgid() and initgroups() related patches.
Date: 3/22/2000

Description: The Cisco VPN 3000 Series Concentrators and the Cisco VPN 3002 Hardware Clients are Virtual Private Network (VPN) platforms designed to provide secure remote network access. Some models of these devices contain a vulnerability by which a flood of malformed ICMP packets could result in performance degradation or cause the affected device to reboot.
Impact: A denial-of-service condition can result from degraded performance or unexpected rebooting of the affected device.
Solution: Cisco Systems Inc. has released software patches and workaround information for this vulnerability. Please see the vendor information section of this document for more details.
Workarounds: Filter malformed ICMP packets on network devices that are upstream from the affected VPN Concentrator device. Sites may wish to apply this workaround in conjunction with the application of the recommended patches. As a general rule, the CERT/CC
Date: 5/7/2003

Description: PHP-Nuke is a tool designed to ease web site creation and maintenance. PHP-Nuke includes a script named index.php, which uses PHP's include() function to execute a PHP file specified in the CGI variable named "file." If supplied an HTTP URL, PHP's include() function will request the file from the web server shown in the URL. Since the index.php script does not check if the "file" variable contains an HTTP URL before including the file, it can be made to execute arbitrary PHP code from any reachable web server.
Impact: A remote attacker can force the server to run arbitrary PHP source code, with the same privileges as the PHP server process on the victim host.
Solution: Apply a patch. Upgrade to version 5.5 or later of PHP-Nuke.
Workaround: Change PHP configuration. Set allow_url_fopen to off in the PHP server configuration.
Date: 1/16/2002

Description: Handspring Visor is a Palm-OS-based personal digital assistant (PDA) that features a proprietary plug-in hardware expansion technology named Springboard. Handspring VisorPhone is a Springboard module that plugs into a Visor to provide GSM telephony and networking services. VisorPhone is designed to receive and store Short Message Service (SMS) communications such as text messages.

Certain other SMS-enabled devices can send and receive images through SMS. When the VisorPhone receives a large or crafted SMS image from one of these other devices, the VisorPhone database may become corrupted, and the Visor may also crash and require a reset (reboot) to resume function. Since images are
Impact: The Visor may crash, requiring a reset to resume function. In addition, the VisorPhone database -- which contains call logs, archived messages, custom messages, and other data -- may become irreversibly corrupted.
Solution: The CERT/CC is currently unaware of a practical solution to this problem.
Workaround: Disabling software extensions may prevent

Description: Web browsers can be configured to respond to certain protocol types through the use of a helper application. In this case, web browsers can respond to telnet: URLs with the use of a helper application. RFC 1572 (http://andrew2.andrew.cmu.edu/rfc/rfc1572.html) permits telnet servers to request environment variables of telnet clients prior to authentication. Quoting from that document:

Once the two hosts have exchanged a WILL and a DO, the sender of the DO NEW-ENVIRON is free to request that environment variables be sent. Only the sender of the DO may send requests (IAC SB NEW-ENVIRON SEND IAC SE) and only the sender of the WILL may transmit actual environment information (via the IAC
Impact: A client machine can be "tricked" into revealing sensitive information stored in environment variables.
Date: 9/26/2000

Description: IE fails to validate certificates in images or frames

When a connection to a secure server is made via either an image or a frame, IE only verifies that the server's SSL certificate was issued by a trusted root - it does not verify the server name or the expiration date. When a connection is made via any other means, all expected validation is performed.

IE fails to revalidate certificates within the same session

Even if the initial validation is made correctly, IE does not re-validate the certificate if a new SSL session is established with the same server during the same IE session.

We encourage you to read Microsoft Security Bulletin MS-039 for additional
Impact: Attackers can trick users into disclosing information (such as credit card numbers, personal data, or other sensitive information) intended for a legitimate web site.
Solution: Specific Defenses Against These Problems. Stay up to date with patches, workarounds, and certificate management products. The vendor section of this document lists information regarding these problems.
Workaround: General Recommendations When Using SSL. DNS information is fundamentally insecure, and there are a variety of means by which an attacker can provide false or misleading DNS information, even in the absence of any vulnerabilities in a DNS server. Browsers attempt to
Date: 6/5/2000

Description: The Microsoft SQL Server provides multiple methods for users to authenticate to SQL databases. When SQL Server Authentication is used, the username and password of each database user is stored in a database on the SQL server. When users supply a password to the server using this method, a function named pwdencrypt() is responsible for encrypting the user-supplied password so that it can be compared to the encrypted password stored on the SQL server. There is a buffer overflow in pwdencrypt() that allows remote attackers to execute arbitrary code on the SQL server by supplying a crafted password value. Successful exploitation of this vulnerability requires knowledge of a valid username and will cause the supplied code to execute with the privileges of the SQL service account.
Impact: This vulnerability allows remote attackers with knowledge of a valid username to execute arbitrary code with the privileges of the SQL service account. If the privileges of the service account are elevated via VU#796313, this vulnerability may result in compromise of the server host.
Solution: Apply a patch. Microsoft has published Security Bulletin MS02-034 to address this vulnerability. For more information, please see http://www.microsoft.com/technet/security/bulletin/MS02-034.asp. This vulnerability also affects any products that include the Microsoft Desktop Engine (MSDE) 2000. For more information, please see http://www.microsoft.com/technet/security/MSDEapps.asp
Date: 6/14/2002

Description: Aladdin Ghostscript is a previewer for postscript files. It creates temporary files using the mktemp() call, which creates files with predictable names based on the process number for the process running Ghostscript. The prior existence and ownership of the temporary file is not checked by the mktemp() call.
Impact: By creating a symbolic link with the appropriate name, an attacker may overwrite any file writable by the user running Ghostscript. This is particularly dangerous for the root account, which could lead to overwriting of system files, including the password file, and raising of the attacker's access privileges.
Solution: Apply vendor patches; see the Systems Affected section below.

Description: HSRP is a protocol designed to provide transparent recovery of routing services when failures occur. Quoting from RFC2281 (the RFC describing the Hot Standby Router Protocol):

The Hot Standby Router Protocol, HSRP, provides a mechanism which is designed to support nondisruptive failover of IP traffic in certain circumstances. In particular, the protocol protects against the failure of the first hop router when the source host cannot learn the IP address of the first hop router dynamically. The protocol is designed for use over multi-access, multicast or broadcast capable LANs (e.g., Ethernet). HSRP is not intended as a replacement for existing dynamic router discovery mechanisms and those protocols should be
Impact: An attacker located on the same LAN segment as the routers using HSRP can disrupt legitimate network traffic, resulting in a denial-of-service attack against the network infrastructure for which the participating routers are responsible.
Solution: The CERT/CC is currently unaware of a practical solution to this problem.
Workaround: Use HSRP in combination with IPsec as described in Advanced IPSec Deployment Scenarios.
Date: 3/1/1998

Description: The SystemWizard "Registry Object" ActiveX Control may allow attackers to modify the registry on systems where the control is installed. This control was shipped on HP Pavilion computers running Windows 98, as part of a diagnostic application named "SystemWizard" produced by SystemSoft. This control can be used to read and write registry keys without authentication. Because the control is marked safe-for-scripting, this vulnerability can be exploited via a web page if the user has the vulnerable control installed.

This control is implemented in the file reg.dll and has a ClassID of {9C3558B8-4175-11D0-926E-00AA00B91D12}. The control can also be referenced as IISSample.RegistryAccess.
Impact: Attacker can read and write registry keys.
Solution: Apply a patch. SystemSoft has a patch which appears to address this issue: http://www.systemsoft.com/l-2/l-3/support-systemwizard.htm
Date: 7/21/1999

Description: A remotely exploitable denial-of-service vulnerability exists in BIND 8.3.0 - 8.3.3. ISC's description of this vulnerability states:

When constucting [sic] a response a NXDOMAIN response to a ENDS query with a large UDP size it is possible to trigger an assertion.
Impact: The BIND daemon will shut down. As a result, clients will not be able to connect to the service to resolve queries.
Solution: Apply a patch from your vendor. In the absence of a patch, you may wish to consider ISC's recommendation, which is upgrading to "BIND 4.9.11, BIND 8.2.7, BIND 8.3.4 or preferably BIND 9." Additionally, ISC indicates, "BIND 4 is officially deprecated. Only security fixes will be issued for BIND 4."
Workaround: Disable recursion if possible.

Description: The Hewlett Packard Tru64 operating system contains a command, known as "su," that allows users to assume the privileges of another user. This program is vulnerable to a buffer overflow.
Impact: This vulnerability can be exploited by local non-root users on a machine to cause a denial-of-service condition, or assume the privileges of the root user.
Solution: Hewlett Packard has issued a patch that corrects this vulnerability. More information can be found here.
Date: 7/19/2002

Description: CrazyWWWBoard is a binary CGI program that is designed to provide dynamic web bulletin board services on web servers. Versions 2000p4 and 2000LEp5 of CrazyWWWBoard contain a buffer overflow vulnerability resulting from improper handling of the HTTP_USER_AGENT CGI environment variable.
Impact: A remote attacker can exploit this vulnerability to execute arbitrary code with privileges of the web server CGI process.
Solution: The CERT/CC is currently unaware of a practical solution to this problem.
Workaround: None.

Description: The "netfilter" subsystem included with Linux kernel versions 2.4.x provides a framework for services such as packet filtering and network address translation (NAT). This subsystem includes a Direct Client Connections (DCC) module for Internet Relay Chat (IRC) that allows netfilter to track outgoing DCC connections. When a DCC connection is initiated by a host inside the firewall, the IRC DCC helper module creates a dynamic firewall rule that allows responses from the remote end of the DCC connection to be passed back to the initiating host.

In versions 2.4.14 to 2.4.18-pre8 of the Linux kernel, netfilter contains an implementation error that causes the IRC DCC module to create firewall rules
Impact: This vulnerability may allow remote attackers to reach hosts that should be protected by the firewall.
Solution: Apply a patch from your vendor. To address this vulnerability, the CERT/CC recommends that all users of Linux kernel versions 2.4.x upgrade to the latest kernel version available for their distribution. For vendor-specific information regarding patches and affected versions, please consult the vendor section of this document.
Workaround: Disable the IRC DCC helper module. If it is not possible or practical to immediately patch an affected device, disabling the IRC DCC helper module will prevent exploitation of this vulnerability.
Date: 2/25/2002

Description: gnome-terminal affords users the ability to utilize an escape sequence to "export" the current window title directly to the shell command line. By viewing a maliciously crafted file in gnome-terminal, a victim may unknowingly execute shell commands (provided by the attacker).

This vulnerability was discovered by H D Moore of Digital Defense. H D has provided a paper on this topic (TERMINAL EMULATOR SECURITY ISSUES), and Red Hat has published RHSA-2003:053-10. Both of these documents provide more information about this vulnerability.
Impact: A remote attacker may be able to execute arbitrary commands on a vulnerable host.
Solution: Apply a patch.
Date: 2/24/2003

Description: The ScriptLogic product from ScriptLogic, Inc. provides remote system administration capabilities for Microsoft Windows systems in a domain. A vulnerability in the RunAdmin service included in version 4.01 of the ScriptLogic software could allow a local user to gain administrative access to any workstations in the domain that are managed by the ScriptLogic server. According to ScriptLogic, "the ScriptLogic RunAdmin services (SLRAserver.exe & SLRAclient.exe) are used to perform configurations on the client workstation when the user logging on does not have Administrative privileges."

The RunAdmin service runs in the context of a domain account (typically SLSVCUSER or similar) that is added to the Local Administrators group by the installation program.
Impact: Local users can gain administrative control of workstations with the ScriptLogic RunAdmin service installed. This access can be leveraged to gain administrative control of other workstations in the domain that have had the SLSVCUSER account added to the Local Administrators group (e.g., as a result of the ScriptLogic RunAdmin service being installed) and have the default administrative shares enabled.
Solution: Upgrade to the latest version of the software. Version 4.14 of the ScriptLogic software has been tested by the CERT/CC and shown not to contain the vulnerability. Users of potentially vulnerable versions of the software are encouraged to upgrade to this version.
Date: 4/30/2003

Overview: The mount packet dissector for Ethereal contains an integer overflow vulnerability. According to the Ethereal Advisory, tvb_get_nstringz() and tvb_get_nstringz0() were used in an unsafe manner.

Versions 0.9.11 and earlier of Ethereal are affected.
Impact: It may be possible for a remote attacker to crash the program or run arbitrary code on the system via a crafted packet.
Solution: Upgrade to version 0.9.12 which resolves this issue.
Date: 5/1/2003
Overview: GPG is an OpenPGP-compliant alternative to PGP to protect electronic communications using public-key cryptography. Versions of GPG prior to 1.0.6 contain a format-string vulnerability.

The GPG source includes a function named tty_printf(), which expects as parameters -- much like the standard C library function printf() -- a format string followed by data values as indicated in the format string. The do_get() function in file util/ttyio.c of the GPG source code makes a call to tty_printf(), passing the filename as the format string instead of passing a constant format string followed by a pointer to the filename.
Impact: Attackers can craft a filename for an encrypted file that will cause GPG to execute arbitrary code when the file is decrypted by the recipient, with the privileges of the recipient user.
Solution: Upgrade GPG to version 1.0.6, available from: http://www.gnupg.org
Workaround: Until a patch can be applied, do not decrypt messages from untrusted sources with GPG.
Date: 5/29/2001
Overview: The Image Annotation control is incorrectly marked safe for scripting. This control is sometimes identified as from "Kodak" and other times as from "Wang". The Image Annotation control is one of several controls used to provide image editing services through a web site. Because the control is marked safe-for-scripting, an attacker may be able to script this control and exploit the vulnerability when you visit a web page.

This control is implemented in the file imgedit.ocx and has a ClassID of {6D940285-9F11-11CE-83FD-02608C3EC08A}.

This vulnerability is closely related to these vulnerabilities: VU#26924 Wang/Kodak Image Admin ActiveX Control; VU#41408 Wang/Kodak Image Scan ActiveX Control.
Impact: An attacker can use the control to create files on a system viewing a malicious web page. By carefully constructing the files and specifying which files to overwrite, an attacker can cause arbitrary commands to be executed. The attacker can also overwrite existing files, causing the system to fail.
Solution: Apply a patch. Apply the patch provided by Microsoft in Security Bulletin MS99-037. This patch sets the kill bit which prevents the control from being loaded by Internet Explorer.
Workaround: Disable "Script ActiveX controls marked safe for scripting". In your Internet Explorer security settings, set this option to "disable" or "prompt".
Date: 9/10/1999
Overview: RFC1035 (DOMAIN NAMES, IMPLEMENTATION AND SPECIFICATION) defines a mechanism for conserving bytes in a DNS query or reply packet by avoiding repetition of character strings ("labels") in a domain name. Thus if the label "domain.com" appears several times in a query or response packet (i.e. "www.domain.com", "host.subdomain.domain.com", "ns.domain.com"), only the first occurrence need be fully specified - further occurrences of "domain.com" can be alluded to by using a pointer to the first occurrence. Since labels in a DNS packet are preceded by an 8 bit length field, and since individual labels are restricted to 63 characters, there are 2 unused bits in the length field. Setting these two bits to "11" indicates that the following byte is not
Impact: Operation of tcpdump and ethereal can be interrupted by a specially crafted packet. If these tools are being used for intrusion detection, intruders can subvert IDS and potentially evade detection.
Solution: Additional code was added to the tcpdump v3.4 source tree (print-domain.c) on 4/17/2000 to detect looping and terminate decoding of the malformed packet. Similar changes were made to the ethereal code base on 4/12/2000. Upgrade to tcpdump 3.5 or greater. Upg
Overview: The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are used to provide a secure connection between a client and server for higher level protocols such as HTTP. Apache_SSL and mod_ssl are two modules for Apache that both call an OpenSSL routine i2d_SSL_SESSION() to help create an SSL/TLS session. This routine converts the SSL/TLS session data into a format that can be stored in the session cache. The OpenSSL d2i_SSL_SESSION.pod document states that the routine should be called to first determine the size of the buffer needed to store the session data. Then the appropriately sized buffer should be allocated and finally the routine should be called again to
Impact: An attacker may be able to execute arbitrary code on the system with the privileges of the ssl module.
Solution: Upgrade to mod_ssl 2.8.7 or Apache_SSL 1.3.22+1.47, or apply the patch provided by your vendor.
Date: 2/27/2002
Overview: The Microsoft virtual machine (Microsoft VM) enables Java programs to run on Windows platforms. The Microsoft VM is included in most versions of Windows and Internet Explorer.

The Standard Security Manager is a component of the VM's security policy mechanism, and provides information about the restrictions that should be enforced when Java applets run within Internet Explorer. Among the information it can contain is a list of Java applets and modules that Java applets should not be able to invoke.

Microsoft's VM fails to disallow Java programs from writing to the Standard Security Manager. By design, only the VM itself should be able to add information to the Standard Security Manager.
Impact: Exploitation of this vulnerability could result in a denial-of-service condition since a malicious program or applet may list other, legitimate programs or applets to the "banned" list in the Standard Security Manager. A malicious Java program that was designed to exploit this vulnerability could be hosted on an attacker's web page or introduced via HTML email.

Any applications that depended on the now-banned Java modules from operating properly would be adversely affected. These conditions would persist for the lifetime of that instance of the VM-enabled application. Subsequent instances, or other instances held in parallel, would not be affected.
Solution: Apply a patch from the vendor. Microsoft has issued Security Bulletin MS02-069 addressing this vulnerability. Users are encouraged to follow the instructions outlined in that bulletin and apply the patches that it refers to.
Workaround: Disable Java - if the ability to run Java applets is not required or desired, configure your web browser to not execute them. Information about disabling Java in various web browsers can be found here. Note that
Overview: Apache HTTPD servers versions 2.0.42 and prior, and 1.3.26 and prior, with wildcard DNS enabled and UseCanonicalName disabled, are vulnerable to a cross-site scripting attack via the error page. Only versions 2.0 to 2.0.33 have UseCanonicalName disabled by default. All other versions had UseCanonicalName enabled by default and are not vulnerable unless this option is disabled.
Impact: The victim will be presented with information which the compromised site did not wish their visitors to be subjected. This could be used to "sniff" sensitive data from within the web page, including passwords, credit card numbers, and any arbitrary information the user inputs.
Solution: This issue is resolved in Apache HTTPD Server versions 1.3.27 and 2
Date: 10/2/2002
Overview: As defined in RFC 1631, Network Address Translation (NAT) provides a means to translate a local network's IP addresses into globally unique addresses. NAT operates on the assumption that not all of the hosts on a local network need to communicate beyond the local network at the same time. Traditional NAT and Port Address Translation (NAPT or PAT) can map many local addresses to fewer global addresses (possibly just one address), thus reducing the overall need for unique global IPv4 addresses, improving portability, and providing some modest security through the use of RFC 1918 private address space that is not globally routed. IP Masquerade is a kernel implementation of NAT on Linux. Based on code
Impact: An attacker could send arbitrary UDP packets to a network behind a vulnerable NAT gateway.
Solution: The following information is based on Linux kernel code from The Linux Kernel Archives. Individual distributions may have different default configurations. For Linux kernels 2.2.0-pre5 to 2.2.14, comment out or remove the following line in ip_masq.c and recompile the kernel:

#define CONFIG_IP_MASQ_LOOSE_DEFAULT 1

For Linux kernels 2.2.15 and above, DLOOSE behavior is disabled by default. To confirm that DLOOSE behavior is disabled, check the existence and contents of the following file:

/proc/sys/net/ipv4/ip_masq_udp_dloose

If this file exists and contains a '1' or a '2', then the system is configured for DLOOSE behavior. If this file does not exist or
Workaround: Upgrade to Linux kernel version 2.4 or above that incorporates netfilter/iptables.
Date: 3/27/2000

Overview: If a user views a page on the Internet that has been malformed in a certain way to exploit the client's particular configuration, then IE may render the page using the less restrictive security settings of the Intranet zone or the Trusted Sites zone. This vulnerability cannot be exploited unless the user views the page using the NetBIOS protocol instead of HTTP.
Impact: A malicious web page may be rendered on the client host using less restrictive security settings than are appropriate for Internet pages. The specific impacts depend on the privileges specified in the client's settings for the Intranet and Trusted Sites zones.
Solution: Apply a patch from your vendor. See Microsoft Security Bulletin MS02-023 for more information: http://www.microsoft.com/technet/security/bulletin/MS02-023.asp
Workaround: Disable NetBIOS access to external netw
Date: 5/15/2002
Overview: Entrust GetAccess is a web software product for identifying users of a web site. Entrust GetAccess takes a CGI variable named "LOCALE" specifying a server directory in which to find international localization files. Entrust GetAccess does not adequately validate the LOCALE value to remove '../' and other character sequences allowing directory traversal.
Impact: A remote attacker can read any file on the server to which the web server process has read privileges.
Solution: Apply a patch. For more information, login to: https://login.encommerce.com/private/docs/techSupport/Patches-BugFix
Date: 11/5/2001

Overview: A vulnerability exists in multiple versions of Cisco's Internetworking Operating System (IOS) software which allows an attacker to force affected switches and routers to crash and reboot. If the IOS HTTP interface is enabled and presented with a request for "http://router-ip/anytext/%%", the software becomes trapped in a loop until a two-minute watchdog timer expires, causing the device to restart.
Impact: An attacker can force affected products to reboot, resulting in a denial-of-service while the device is restarting. In some situations, the device may not restart properly without manual intervention such as a power cycle.
Solution: Apply a patch from Cisco. Cisco has released an advisory to address this issue and has provided patches for affected versions of the IOS software. For further details, please consult the vendor section of this document.
Workaround: Disable the HTTP management interface. If it is not possible or practical to immediately patch an affected device, temporarily disabling its HTTP management interface will prevent exploitation of this vulnerability. Restrict access to the HTTP managem
Date: 4/26/2000
Overview: Alcatel ADSL modems contain a special account (EXPERT) for gaining privileged access to the device. This account is secured via a challenge-response password authentication mechanism. While the use of such a mechanism is commendable, the algorithm used is not sufficiently strong. Attackers who know the algorithm used to compute the response can compute the correct response using information given to them during the login process.

Because the EXPERT account is accessible via TELNET, HTTP, and FTP, the ADSL modem must have an IP address that is accessible from the Internet to exploit this vulnerability. Alcatel ADSL products do not enable this feature over the
Impact: Attackers who are able to connect to the ADSL modem can enter a predictable userid and password to gain privileged access to the device. This access can be used to reconfigure the device, potentially introducing additional security weaknesses.
Solution: The CERT/CC is currently unaware of a practical solution to this prob
Date: 4/10/2001
Overview: AOL Instant Messenger (AIM) is a program for communicating with other users over the Internet. AIM permits users to transfer files from one client to another. When the file is transferred, the entire local path of the file on the sender's machine is sent to the recipient. This could pose privacy and security risks. An attacker could use this information to extrapolate the location of other files on the victim's machine, and use this information in conjunction with another vulnerability.
Impact: Unauthorized disclosure of information about the victim's machine is transmitted to the attacker.
Solution: The latest version of AIM allows the user to configure whether the recipient can see the full path of a transferred file. Upgrade to the latest build and enable this feature.
Date: 5/8/2000
Overview: Microsoft Internet Explorer provides two methods (showModalDialog and showModelessDialog) that can be used to display dialog box frames. Both methods require a URI parameter that specifies the source of the dialog frame's content. The methods may optionally specify "windows ornaments" that control different aspects of the dialog frame's appearance (position, dimensions, font settings, etc.). A dialog frame is subject to the security restrictions of the DHTML Object Model: script executing in one frame cannot access data in a frame from a different domain or across a different protocol. The dialog methods may specify source URIs in a different domain than the parent frame, however the security restrictions should prevent script in one frame from accessing data in the other.
Impact: An attacker who is able to convince a user to access a specially crafted HTML document, such as an Internet web page or HTML email message, could read data from a different domain, including the Local Machine Zone. The attacker could read cookies from other web sites and certain types of local files. The attacker's HTML document would need to reside in a zone in which Active scripting was enabled. In conjunction with other vulnerabilities (VU#626395, VU#25249), the attacker could execute arbitrary commands on the user's system.
Solution: Apply Patch. Apply Q813489 or a more recent cumulative patch. See Microsoft Security Bulletin MS03-015 for more information.
Workaround: Disable Active scripting. Active scripting is required to open a modal dialog frame. At a minimum, disable Active scripting in the Internet zone and the zone used by Outlook, Outlook Express, or any other email client that uses Internet Explorer or the WebBrow
Date: 12/3/2002

Overview: MiraMail is a news server for Windows-based hosts. Versions of MiraMail up to and including 1.04 store MiraMail user data, including usernames and passwords, in unencrypted plaintext stored in a '.ini' file.
Impact: Any user with access to the .ini file can learn all usernames and passwords used by MiraMail.
Solution: The CERT/CC is currently unaware of a practical solution to this prob
Workaround: None.
Date: 1/10/2002
Overview: Cherokee is a compact, open-source web server. Cherokee is designed to start as root and drop root privileges after binding to port 80. However, versions of Cherokee prior to 0.2.7 fail to drop root privileges properly. By exploiting the vulnerability described in CERT VU#711315 in these versions of Cherokee, attackers may execute arbitrary commands as root.
Impact: Remote attackers may run arbitrary commands as root.
Solution: Upgrade. Upgrade to Cherokee 0.2.7: http://aurora.esi.uem.es/~alo/cherokee/Cherokee-0.2.7.tar.gz

Overview: Interbase is an open source database package that is distributed by Borland/Inprise. The server contains a compiled-in backdoor account with a known password.

In the following interbase code, references are made about a LOCKSMITH user:

./jrd/dyn.e
./jrd/isc.c
./jrd/jrd.c
./jrd/pwd.c
./jrd/pwd.h
./jrd/scl.e
./jrd/scl.h
./jrd/shut.c
./jrd/tra.c
./utilities/dba_full.e

It turns out the LOCKSMITH is an entity needed to allow "authorized" interaction with the security accounts database between services. This LOCKSMITH is the user account in question compiled into the code with
Impact: This backdoor allows any local user or remote user able to access port 3050/tcp [gds_db] to manipulate any database object on the system. This includes the ability to install trapdoors or other trojan horse software in the form of stored procedures. In addition, if the database software is running with root (*NIX) or System (NT) privileges, then any file on the server's file system can be overwritten, possibly leading to execution of arbitrary commands as root or System.
Solution: Install the patch being distributed to change the backdoor server account password.
Workaround: Block access to port 3050/tcp; this will not, however, prevent local users or users within a firewall's administrative boundary from accessing the backdoor account.
Date: 1/9/2001
Overview: Protegrity Secure.Data for Microsoft SQL Server 2000 provides access control and encryption for individual data records. Secure.Data interacts with Microsoft SQL Server via extended stored procedures that are part of the Secure.Data Extension Feature (SEF). From Microsoft Knowledge Base Article 190987: "Extended stored procedures provide a way to dynamically load and execute a function within a dynamic-link library (DLL) in a manner similar to that of a stored procedure, seamlessly extending SQL Server functionality." Extended stored procedures execute under the security context and in the process space of SQL Server. By default, the SQL Server 2000 service runs as a Windows domain user. Several extended stored
Impact: A remote attacker could execute arbitrary code with the privileges of the SQL Server process or cause a denial of service. This could give an attacker full access to databases stored on a vulnerable system.
Solution: Upgrade. Protegrity has issued an updated version of protegrity.dll (2.2.3.9) that resolves these vulnerabilities.
Workaround: Restrict Access. Using firewall or similar technology, restrict direct access to SQL servers to only those hosts and networks that require it. By default, SQL Server 2000 listens on port 1433/tcp. Named/clustered SQL instances may require special configuration. See
Date: 3/13/2003
Overview: OnlineJFS "provides the online management of the Journaled File System (JFS), a high-integrity, highly available file system supported by HP-UX." According to Hewlett-Packard, there is a vulnerability in OnlineJFS 3.1 in which the sticky bit does not function properly. The sticky bit is a frequently-implemented but non-standard extension to the standard UNIX permission scheme. The symbolic representation of this bit is S_ISVTX, which is mnemonic for "save text," and the historical meaning of the sticky bit related to keeping executable files in memory for faster activation (the file would stick in memory). Many systems that implement sticky bits have abandoned this meaning entirely, although HP-UX
Impact: The specific impact of this vulnerability is unknown. The most likely case is that this vulnerability enables certain kinds of attacks which can lead to a root compromise.
Solution: Apply a patch as described in the vendor section of this do
statement
Overview: The Image Thumbnail control is incorrectly marked safe for scripting. This control is sometimes identified as from "Kodak" and other times as from "Wang". The Image Thumbnail control is one of several controls used to provide image editing services through a web site. Because the control is marked safe-for-scripting, an attacker may be able to script this control and exploit the vulnerability when you visit a web page. This control is implemented in the file imgthumb.ocx and has a ClassID of {E1A6B8A0-3603-101C-AC6E-040224009C02}. This vulnerability is closely related to these vulnerabilities: VU#26924 Wang/Kodak Image Admin ActiveX
Impact: An attacker can use the control to create files on a system viewing a malicious web page. By carefully constructing the files and specifying which files to overwrite, an attacker can cause arbitrary commands to be executed. The attacker can also overwrite existing files, causing the system to fail.
Solution: Apply a patch. Apply the patch provided by Microsoft in Security Bulletin MS99-037. This patch sets the kill bit which prevents the control from being loaded by Internet Explorer.
Workaround: Disable "Script ActiveX controls marked safe for scripting". In your Internet Explorer security settings, set this option to "disable" or "prompt".
Date: 9/10/1999

Overview: HP9000 servers running HP-UX release 11.11 contain a security vulnerability allowing users to gain increased capability. No further details are available. See HP document HPSBUX0103-147.
Impact: The complete impact of this vulnerability is as described in the HP bulletin.
Solution: Apply a patch not yet known.
Overview: IBM AIX 5.1L login, with loadable authentication modules enabled and some non-default configurations, will permit users to login with an invalid password. This can be used to gain root access to the system. IBM AIX 4.3 and earlier are not affected by this vulnerability. IBM has issued an advisory addressing this issue.
Impact: An intruder can gain root access to the system.
Solution: IBM has issued an advisory and assigned this issue APAR #IY26302.
Workaround: Disable integrated login permissions.
Overview: The Linux kernel logging daemon (klogd) can be forced to hang if it receives a null byte in a log message from the Linux kernel. Please see the following bug report for more information: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=85478
Impact: This vulnerability causes klogd to go into an infinite loop, thus preventing further kernel log messages from being written to disk.
Solution: Upgrade to the latest version of klogd for your Linux distribution.
Workaround: The following workaround is taken from http://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=85478: The patch below contains a possible fix for this, by treating a null byte as a delimiter, equivalent to \n. Additionally, the patch prevents LogLine from being invoked with
Date: 2/10/2001
Overview: Mike Spice's Vote is a CGI script written in Perl and designed to add polling capabilities to web sites. The CGI variable 'type' is passed by Vote to Perl's open() function, without adequate validation to filter '../' sequences and null bytes. As a result, an attacker can cause Vote to traverse directories and overwrite any file on the server to which the web server process has write privileges.
Impact: Remote attackers can overwrite files on the server.
Solution: Upgrade. Upgrade to version 1.3 or later of Vote: http://www.fuzzymonkey.org/files/vote-1.3.zip
Date: 1/9/2002

Overview: SMB is a protocol for sharing data and resources between computers. It is included in many versions of Microsoft Windows. SMB will crash if it receives a crafted SMB_COM_TRANSACTION packet requesting a NetServerEnum2 transaction. If either the 'Max Param Count' field or the 'Max Data Count' field of the packet is set to zero (0), the destination SMB host will crash with a blue screen. This vulnerability can be exploited by both local and remote attackers.
Impact: Remote attackers can cause a denial of service. Attackers may also be able to execute arbitrary code, though this has not been demonstrated or proven.
Solution: Apply a patch. For more information, see: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-045.asp
Workaround: Disable anonymous access. Disable anonymous SMB access. See Microsoft Knowledge Base Article 246261 for information about configuring anonymous access in Windows 2000. Note that disabling this access will not prevent authenticated users from
Date: 8/22/2002
Overview: Verisign offers a service entitled "Code Signing Digital ID for Microsoft Authenticode." A fee is charged for this service, and users can enter their credit card information to sign up. The site states that the information is transmitted via an SSL-secured session, but this does not appear to be the case. The link provided for this service begins with http:// rather than https://, indicating that a non-SSL HTTP session should be used. Therefore the data is transmitted in plaintext.
Impact: Subscribers to this service may transmit their credit card and other sensitive information over the Internet in plaintext.
Solution: As of May 30, 2002, Verisign has corrected this problem on their web site, and no further user action is necessary.
Workaround: Change the http:// to https:// and verify that an SSL session has been established with your browser. The appropriate link should be similar to the following: https://digitalid.verisign.com/cgi-bin/haydn.exe?VHTML_FILE=developer/VSCclass3MSCSie4.htm&originator=$$pOr
Date: 5/18/2002
Overview: When Internet Explorer (IE) follows a link to an executable file (.exe), a dialog window is displayed that prompts the user to open the file, save the file, or cancel the operation. When handling a sufficiently large number of file download requests, IE eventually fails to display the dialog window and executes the specified file without user intervention. A dialog is displayed for each download request, and it may be possible to terminate the IE process before the file is executed. Publicly available examples use large numbers of frames (FRAME or IFRAME elements) to generate download requests. Other software that uses the WebBrowser ActiveX control may be affected. Microsoft has addressed this vulnerability in Microsoft Security Bulletin MS03-020.
Impact: An attacker who is able to convince a user to access a specially crafted HTML document, such as an Internet web page or HTML email message, could execute arbitrary code with the privileges of the user. Resource exhaustion caused by the large number of download requests could also cause a denial of service.
Solution: Apply Patch. Apply Q818529 or a more recent cumulative patch. See Microsoft Security Bulletin MS03-020 for more information.
Workaround: Disable File Downloads. To manually disable file downloads for the current user: Tools --> Internet Options --> Security tab --> (select zone) --> Custom Level --> Downloads --> File download --> Disable. The file download option is set on a per-user, per-zone
Date: 5/8/2003
Overview: The Microsoft Windows HTML help facility (part of Internet Explorer) is able to execute arbitrary programs through an embedded "shortcut" in a compiled HTML file. This allows the help system to start wizards and other programs as part of the help facility. Unfortunately, it also makes it unsafe for users to open help files obtained from untrusted sources. An attacker who can construct a malicious help file and place it in a location accessible by the victim may be able to cause this help file to be loaded and the embedded shortcuts executed without interaction from the victim. A malicious web site author may cause a compiled HTML help file to be opened through the Active Scripting showHelp call in Internet
Impact: By using the showHelp Active Scripting call in conjunction with shortcuts embedded in a malicious help file, attackers are able to execute programs and ActiveX controls of their choice. Since exploitation of the vulnerability requires an attacker to place a compiled help file (CHM) in a location accessible to the victim, it is usually trivial to include a malicious executable as well. In this situation, the attacker can take any action that the victim can. The essence of the problem is this: The ability for an intruder to make a file accessible to a victim running Internet Explorer is equivalent to the ability to execute arbitrary code on the victim's system if several common preconditions are met.
Solution: Update HTML Help. Install an updated version of HTML Help (811630). As described in Microsoft Security Bulletin MS03-015, the updated HHCtrl control disables the Shortcut command in a compiled help file that has been opened with the showHelp method: Only supported protocols [http:, https:, file:, ftp:, ms-its:, or mk:@MSITStore:] can be used with showHelp to open a web page or help (chm) file. The shortcut function supported by HTML Help will be disabled when the help file is opened with showHelp. This will not affect the shortcut functionality if the same CHM file is opened by the user manually by double-clicking on the help file, or by through an
Workaround: Caveat: The CERT/CC developed the following information based on our independent tests using primarily Internet Explorer 5 on Microsoft Windows NT 4.0 and Windows 2000. Your results will vary based on your particular configuration. For some sites, the patch
Date: 3/1/2000
Overview: Preconditions: Client has requested RC4 and server supports it. Compression is disabled. When using the RC4 stream cipher, SSH1 uses a cyclic redundancy check (CRC) algorithm to perform an integrity check on incoming packets. Because the CRC checksum can be modified, an attacker can intercept an SSH packet, modify its contents, then modify the CRC to match. When the packet is then retransmitted from the attacker to the victim, the CRC integrity check will pass. This means that the attacker can make arbitrary modifications to the packet and the victim will be unable to detect them. This vulnerability results from the fact that CRC is not intended for cryptographic integrity checks. As a result, the CRC
Impact: Attackers can modify or logically delete arbitrary SSH packets.
Solution: SSH Secure Communications recommends disabling RC4 in SSH1 or upgrading to SSH2.
Date: 1/18/2001
In FTP PASV mode, the                                                                   Reject
client makes a control                                                                  data
connection to the FTP                                                                   connectio
server                                                                                  ns from
(typically port 21/tcp) and                                                             hosts that
requests a PASV data                                                                    do not
connection. The server                                                                  match the
responds by listening for                                                               control
client connections on a