CVE-1999-0001 DESCRIPTION: ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets. CVE-1999-0002 DESCRIPTION: Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems. CVE-1999-0003 DESCRIPTION: Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd). CVE-1999-0004 DESCRIPTION: MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook. CVE-1999-0005 DESCRIPTION: Arbitrary command execution via IMAP buffer overflow in authenticate command. CVE-1999-0006 DESCRIPTION: Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command. CVE-1999-0007 DESCRIPTION: Information from SSL-encrypted sessions via PKCS #1. CVE-1999-0008 DESCRIPTION: Buffer overflow in NIS+, in Sun's rpc.nisd program. CVE-1999-0009 DESCRIPTION: Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases. CVE-1999-0010 DESCRIPTION: Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages. CVE-1999-0011 DESCRIPTION: Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer. CVE-1999-0012 DESCRIPTION: Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names. CVE-1999-0013 DESCRIPTION: Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user. CVE-1999-0014 DESCRIPTION: Unauthorized privileged access or denial of service via dtappgather program in CDE. CVE-1999-0015 DESCRIPTION: Teardrop IP denial of service. CVE-1999-0016 DESCRIPTION: Land IP denial of service. CVE-1999-0017 DESCRIPTION: FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce. CVE-1999-0018 DESCRIPTION: Buffer overflow in statd allows root privileges. CVE-1999-0019 DESCRIPTION: Delete or create a file via rpc.statd, due to invalid information. CVE-1999-0020 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-1999-0021 DESCRIPTION: Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program. CVE-1999-0022 DESCRIPTION: Local user gains root privileges via buffer overflow in rdist, via expstr() function. CVE-1999-0023 DESCRIPTION: Local user gains root privileges via buffer overflow in rdist, via lookup() function. CVE-1999-0024 DESCRIPTION: DNS cache poisoning via BIND, by predictable query IDs. CVE-1999-0025 DESCRIPTION: root privileges via buffer overflow in df command on SGI IRIX systems. CVE-1999-0026 DESCRIPTION: root privileges via buffer overflow in pset command on SGI IRIX systems. CVE-1999-0027 DESCRIPTION: root privileges via buffer overflow in eject command on SGI IRIX systems. CVE-1999-0028 DESCRIPTION: root privileges via buffer overflow in login/scheme command on SGI IRIX systems. CVE-1999-0029 DESCRIPTION: root privileges via buffer overflow in ordist command on SGI IRIX systems. CVE-1999-0030 DESCRIPTION: root privileges via buffer overflow in xlock command on SGI IRIX systems. CVE-1999-0031 DESCRIPTION: JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability. CVE-1999-0032 DESCRIPTION: Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option. CVE-1999-0033 DESCRIPTION: Command execution in Sun systems via buffer overflow in the at program. CVE-1999-0034 DESCRIPTION: Buffer overflow in suidperl (sperl), Perl 4.x and 5.x. CVE-1999-0035 DESCRIPTION: Race condition in signal handling routine in ftpd, allowing read/write arbitrary files. CVE-1999-0036 DESCRIPTION: IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files. CVE-1999-0037 DESCRIPTION: Arbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail. CVE-1999-0038 DESCRIPTION: Buffer overflow in xlock program allows local users to execute commands as root. CVE-1999-0039 DESCRIPTION: webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter. CVE-1999-0040 DESCRIPTION: Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges. CVE-1999-0041 DESCRIPTION: Buffer overflow in NLS (Natural Language Service). CVE-1999-0042 DESCRIPTION: Buffer overflow in University of Washington's implementation of IMAP and POP servers. CVE-1999-0043 DESCRIPTION: Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others. CVE-1999-0044 DESCRIPTION: fsdump command in IRIX allows local users to obtain root access by modifying sensitive files. CVE-1999-0045 DESCRIPTION: List of arbitrary files on Web host via nph-test-cgi script. CVE-1999-0046 DESCRIPTION: Buffer overflow of rlogin program using TERM environmental variable. CVE-1999-0047 DESCRIPTION: MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4. CVE-1999-0048 DESCRIPTION: Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges. CVE-1999-0049 DESCRIPTION: Csetup under IRIX allows arbitrary file creation or overwriting. CVE-1999-0050 DESCRIPTION: Buffer overflow in HP-UX newgrp program. CVE-1999-0051 DESCRIPTION: Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX. CVE-1999-0052 DESCRIPTION: IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash. CVE-1999-0053 DESCRIPTION: TCP RST denial of service in FreeBSD. CVE-1999-0054 DESCRIPTION: Sun's ftpd daemon can be subjected to a denial of service. CVE-1999-0055 DESCRIPTION: Buffer overflows in Sun libnsl allow root access. CVE-1999-0056 DESCRIPTION: Buffer overflow in Sun's ping program can give root access to local users. CVE-1999-0057 DESCRIPTION: Vacation program allows command execution by remote users through a sendmail command. CVE-1999-0058 DESCRIPTION: Buffer overflow in PHP cgi program, php.cgi allows shell access. CVE-1999-0059 DESCRIPTION: IRIX fam service allows an attacker to obtain a list of all files on the server. CVE-1999-0060 DESCRIPTION: Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool. CVE-1999-0061 DESCRIPTION: File creation and deletion, and remote execution, in the BSD line printer daemon (lpd). CVE-1999-0062 DESCRIPTION: The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage. CVE-1999-0063 DESCRIPTION: Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port. CVE-1999-0064 DESCRIPTION: Buffer overflow in AIX lquerylv program gives root access to local users. CVE-1999-0065 DESCRIPTION: Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands. CVE-1999-0066 DESCRIPTION: AnyForm CGI remote execution. CVE-1999-0067 DESCRIPTION: phf CGI program allows remote command execution through shell metacharacters. CVE-1999-0068 DESCRIPTION: CGI PHP mylog script allows an attacker to read any file on the target server. CVE-1999-0069 DESCRIPTION: Solaris ufsrestore buffer overflow. CVE-1999-0070 DESCRIPTION: test-cgi program allows an attacker to list files on the server. CVE-1999-0071 DESCRIPTION: Apache httpd cookie buffer overflow for versions 1.1.1 and earlier. CVE-1999-0072 DESCRIPTION: Buffer overflow in AIX xdat gives root access to local users. CVE-1999-0073 DESCRIPTION: Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access. CVE-1999-0074 DESCRIPTION: Listening TCP ports are sequentially allocated, allowing spoofing attacks. CVE-1999-0075 DESCRIPTION: PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password. CVE-1999-0076 DESCRIPTION: Buffer overflow in wu-ftp from PASV command causes a core dump. CVE-1999-0077 DESCRIPTION: Predictable TCP sequence numbers allow spoofing. CVE-1999-0078 DESCRIPTION: pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call. CVE-1999-0079 DESCRIPTION: Remote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports. CVE-1999-0080 DESCRIPTION: Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the "site exec" command. CVE-1999-0081 DESCRIPTION: wu-ftp allows files to be overwritten via the rnfr command. CVE-1999-0082 DESCRIPTION: CWD ~root command in ftpd allows root access. CVE-1999-0083 DESCRIPTION: getcwd() file descriptor leak in FTP. CVE-1999-0084 DESCRIPTION: Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0. CVE-1999-0085 DESCRIPTION: Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname. CVE-1999-0086 DESCRIPTION: AIX routed allows remote users to modify sensitive files. CVE-1999-0087 DESCRIPTION: Denial of service in AIX telnet can freeze a system and prevent users from accessing the server. CVE-1999-0088 DESCRIPTION: IRIX and AIX automountd services (autofsd) allow remote users to execute root commands. CVE-1999-0089 DESCRIPTION: Buffer overflow in AIX libDtSvc library can allow local users to gain root access. CVE-1999-0090 DESCRIPTION: Buffer overflow in AIX rcp command allows local users to obtain root access. CVE-1999-0091 DESCRIPTION: Buffer overflow in AIX writesrv command allows local users to obtain root access. CVE-1999-0092 DESCRIPTION: Various vulnerabilities in the AIX portmir command allows local users to obtain root access. CVE-1999-0093 DESCRIPTION: AIX nslookup command allows local users to obtain root access by not dropping privileges correctly. CVE-1999-0094 DESCRIPTION: AIX piodmgrsu command allows local users to gain additional group privileges. CVE-1999-0095 DESCRIPTION: The debug command in Sendmail is enabled, allowing attackers to execute commands as root. CVE-1999-0096 DESCRIPTION: Sendmail decode alias can be used to overwrite sensitive files. CVE-1999-0097 DESCRIPTION: The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character). CVE-1999-0098 DESCRIPTION: Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities. CVE-1999-0099 DESCRIPTION: Buffer overflow in syslog utility allows local or remote attackers to gain root privileges. CVE-1999-0100 DESCRIPTION: Remote access in AIX innd 1.5.1, using control messages. CVE-1999-0101 DESCRIPTION: Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names. CVE-1999-0102 DESCRIPTION: Buffer overflow in SLmail 3.x allows attackers to execute commands using a large FROM line. CVE-1999-0103 DESCRIPTION: Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm. CVE-1999-0104 DESCRIPTION: A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2. CVE-1999-0105 DESCRIPTION: finger allows recursive searches by using a long string of @ symbols. CVE-1999-0106 DESCRIPTION: Finger redirection allows finger bombs. CVE-1999-0107 DESCRIPTION: Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters. CVE-1999-0108 DESCRIPTION: The printers program in IRIX has a buffer overflow that gives root access to local users. CVE-1999-0109 DESCRIPTION: Buffer overflow in ffbconfig in Solaris 2.5.1. CVE-1999-0110 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0315. Reason: This candidate's original description had a typo that delayed it from being detected as a duplicate of CVE-1999-0315. Notes: All CVE users should reference CVE-1999-0315 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-1999-0111 DESCRIPTION: RIP v1 is susceptible to spoofing. CVE-1999-0112 DESCRIPTION: Buffer overflow in AIX dtterm program for the CDE. CVE-1999-0113 DESCRIPTION: Some implementations of rlogin allow root access if given a -froot parameter. CVE-1999-0114 DESCRIPTION: Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack. CVE-1999-0115 DESCRIPTION: AIX bugfiler program allows local users to gain root access. CVE-1999-0116 DESCRIPTION: Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood. CVE-1999-0117 DESCRIPTION: AIX passwd allows local users to gain root access. CVE-1999-0118 DESCRIPTION: AIX infod allows local users to gain root access through an X display. CVE-1999-0119 DESCRIPTION: Windows NT 4.0 beta allows users to read and delete shares. CVE-1999-0120 DESCRIPTION: Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root. CVE-1999-0121 DESCRIPTION: Buffer overflow in dtaction command gives root access. CVE-1999-0122 DESCRIPTION: Buffer overflow in AIX lchangelv gives root access. CVE-1999-0123 DESCRIPTION: Race condition in Linux mailx command allows local users to read user files. CVE-1999-0124 DESCRIPTION: Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon. CVE-1999-0125 DESCRIPTION: Buffer overflow in SGI IRIX mailx program. CVE-1999-0126 DESCRIPTION: SGI IRIX buffer overflow in xterm and Xaw allows root access. CVE-1999-0127 DESCRIPTION: swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access. CVE-1999-0128 DESCRIPTION: Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death. CVE-1999-0129 DESCRIPTION: Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file. CVE-1999-0130 DESCRIPTION: Local users can start Sendmail in daemon mode and gain root privileges. CVE-1999-0131 DESCRIPTION: Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users. CVE-1999-0132 DESCRIPTION: Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access. CVE-1999-0133 DESCRIPTION: fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access. CVE-1999-0134 DESCRIPTION: vold in Solaris 2.x allows local users to gain root access. CVE-1999-0135 DESCRIPTION: admintool in Solaris allows a local user to write to arbitrary files and gain root access. CVE-1999-0136 DESCRIPTION: Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access. CVE-1999-0137 DESCRIPTION: The dip program on many Linux systems allows local users to gain root access via a buffer overflow. CVE-1999-0138 DESCRIPTION: The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access. CVE-1999-0139 DESCRIPTION: Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access. CVE-1999-0140 DESCRIPTION: Denial of service in RAS/PPTP on NT systems. CVE-1999-0141 DESCRIPTION: Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet. CVE-1999-0142 DESCRIPTION: The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts. CVE-1999-0143 DESCRIPTION: Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys. CVE-1999-0144 DESCRIPTION: Denial of service in Qmail by specifying a large number of recipients with the RCPT command. CVE-1999-0145 DESCRIPTION: Sendmail WIZ command enabled, allowing root access. CVE-1999-0146 DESCRIPTION: The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file. CVE-1999-0147 DESCRIPTION: The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands. CVE-1999-0148 DESCRIPTION: The handler CGI program in IRIX allows arbitrary command execution. CVE-1999-0149 DESCRIPTION: The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack. CVE-1999-0150 DESCRIPTION: The Perl fingerd program allows arbitrary command execution from remote users. CVE-1999-0151 DESCRIPTION: The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access. CVE-1999-0152 DESCRIPTION: The DG/UX finger daemon allows remote command execution through shell metacharacters. CVE-1999-0153 DESCRIPTION: Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke. CVE-1999-0154 DESCRIPTION: IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL. CVE-1999-0155 DESCRIPTION: The ghostscript command with the -dSAFER option allows remote attackers to execute commands. CVE-1999-0156 DESCRIPTION: wu-ftpd FTP daemon allows any user and password combination. CVE-1999-0157 DESCRIPTION: Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service. CVE-1999-0158 DESCRIPTION: Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known. CVE-1999-0159 DESCRIPTION: Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases. CVE-1999-0160 DESCRIPTION: Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections. CVE-1999-0161 DESCRIPTION: In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering. CVE-1999-0162 DESCRIPTION: The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering. CVE-1999-0163 DESCRIPTION: In older versions of Sendmail, an attacker could use a pipe character to execute root commands. CVE-1999-0164 DESCRIPTION: A race condition in the Solaris ps command allows an attacker to overwrite critical files. CVE-1999-0165 DESCRIPTION: NFS cache poisoning. CVE-1999-0166 DESCRIPTION: NFS allows users to use a "cd .." command to access other directories besides the exported file system. CVE-1999-0167 DESCRIPTION: In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system. CVE-1999-0168 DESCRIPTION: The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions. CVE-1999-0169 DESCRIPTION: NFS allows attackers to read and write any file on the system by specifying a false UID. CVE-1999-0170 DESCRIPTION: Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list. CVE-1999-0171 DESCRIPTION: Denial of service in syslog by sending it a large number of superfluous messages. CVE-1999-0172 DESCRIPTION: FormMail CGI program allows remote execution of commands. CVE-1999-0173 DESCRIPTION: FormMail CGI program can be used by web servers other than the host server that the program resides on. CVE-1999-0174 DESCRIPTION: The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-1999-0175 DESCRIPTION: The convert.bas program in the Novell web server allows a remote attackers to read any file on the system that is internally accessible by the web server. CVE-1999-0176 DESCRIPTION: The Webgais program allows a remote user to execute arbitrary commands. CVE-1999-0177 DESCRIPTION: The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs. CVE-1999-0178 DESCRIPTION: Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string. CVE-1999-0179 DESCRIPTION: Windows NT crashes or locks up when a Samba client executes a "cd .." command on a file share. CVE-1999-0180 DESCRIPTION: in.rshd allows users to login with a NULL username and execute commands. CVE-1999-0181 DESCRIPTION: The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands. CVE-1999-0182 DESCRIPTION: Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password. CVE-1999-0183 DESCRIPTION: Linux implementations of TFTP would allow access to files outside the restricted directory. CVE-1999-0184 DESCRIPTION: When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records. CVE-1999-0185 DESCRIPTION: In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution. CVE-1999-0186 DESCRIPTION: In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters. CVE-1999-0187 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0022. Reason: This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users should reference CVE-1999-0022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-1999-0188 DESCRIPTION: The passwd command in Solaris can be subjected to a denial of service. CVE-1999-0189 DESCRIPTION: Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111. CVE-1999-0190 DESCRIPTION: Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access. CVE-1999-0191 DESCRIPTION: IIS newdsn.exe CGI script allows remote users to overwrite files. CVE-1999-0192 DESCRIPTION: Buffer overflow in telnet daemon tgetent routing allows remote attackers to gain root access via the TERMCAP environmental variable. CVE-1999-0193 DESCRIPTION: Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option. CVE-1999-0194 DESCRIPTION: Denial of service in in.comsat allows attackers to generate messages. CVE-1999-0195 DESCRIPTION: Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1. CVE-1999-0196 DESCRIPTION: websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable). CVE-1999-0197 DESCRIPTION: finger 0@host on some systems may print information on some user accounts. CVE-1999-0198 DESCRIPTION: finger .@host on some systems may print information on some user accounts. CVE-1999-0200 DESCRIPTION: Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password. CVE-1999-0201 DESCRIPTION: A quote cwd command on FTP servers can reveal the full path of the home directory of the "ftp" user. CVE-1999-0202 DESCRIPTION: The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands. CVE-1999-0203 DESCRIPTION: In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program. CVE-1999-0204 DESCRIPTION: Sendmail 8.6.9 allows remote attackers to execute root commands, using ident. CVE-1999-0205 DESCRIPTION: Denial of service in Sendmail 8.6.11 and 8.6.12. CVE-1999-0206 DESCRIPTION: MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access. CVE-1999-0207 DESCRIPTION: Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command. CVE-1999-0208 DESCRIPTION: rpc.ypupdated (NIS) allows remote users to execute arbitrary commands. CVE-1999-0209 DESCRIPTION: The SunView (SunTools) selection_svc facility allows remote users to read files. CVE-1999-0210 DESCRIPTION: Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters. CVE-1999-0211 DESCRIPTION: Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone. CVE-1999-0212 DESCRIPTION: Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server. CVE-1999-0213 DESCRIPTION: libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind. CVE-1999-0214 DESCRIPTION: Denial of service by sending forged ICMP unreachable packets. CVE-1999-0215 DESCRIPTION: Routed allows attackers to append data to files. CVE-1999-0216 DESCRIPTION: Denial of service of inetd on Linux through SYN and RST packets. CVE-1999-0217 DESCRIPTION: Malicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems. CVE-1999-0218 DESCRIPTION: Livingston portmaster machines could be rebooted via a series of commands. CVE-1999-0219 DESCRIPTION: Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command. CVE-1999-0220 DESCRIPTION: Attackers can do a denial of service of IRC by crashing the server. CVE-1999-0221 DESCRIPTION: Denial of service of Ascend routers through port 150 (remote administration). CVE-1999-0222 DESCRIPTION: Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL. CVE-1999-0223 DESCRIPTION: Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry. CVE-1999-0224 DESCRIPTION: Denial of service in Windows NT messenger service through a long username. CVE-1999-0225 DESCRIPTION: Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size. CVE-1999-0226 DESCRIPTION: Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service. CVE-1999-0227 DESCRIPTION: Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service. CVE-1999-0228 DESCRIPTION: Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT. CVE-1999-0229 DESCRIPTION: Denial of service in Windows NT IIS server using ..\.. CVE-1999-0230 DESCRIPTION: Buffer overflow in Cisco 7xx routers through the telnet service. CVE-1999-0231 DESCRIPTION: Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access. CVE-1999-0232 DESCRIPTION: Buffer overflow in NCSA WebServer (version 1.5c) gives remote access. CVE-1999-0233 DESCRIPTION: IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files. CVE-1999-0234 DESCRIPTION: Bash treats any character with a value of 255 as a command separator. CVE-1999-0235 DESCRIPTION: Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access. CVE-1999-0236 DESCRIPTION: ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs. CVE-1999-0237 DESCRIPTION: Remote execution of arbitrary commands through Guestbook CGI program. CVE-1999-0238 DESCRIPTION: php.cgi allows attackers to read any file on the system. CVE-1999-0239 DESCRIPTION: Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET. CVE-1999-0240 DESCRIPTION: Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy. CVE-1999-0241 DESCRIPTION: Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm. CVE-1999-0242 DESCRIPTION: Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords. CVE-1999-0243 DESCRIPTION: Linux cfingerd could be exploited to gain root access. CVE-1999-0244 DESCRIPTION: Livingston RADIUS code has a buffer overflow which can allow remote execution of commands as root. CVE-1999-0245 DESCRIPTION: Some configurations of NIS+ in Linux allowed attackers to log in as the user "+". CVE-1999-0246 DESCRIPTION: HP Remote Watch allows a remote user to gain root access. CVE-1999-0247 DESCRIPTION: Buffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands. CVE-1999-0248 DESCRIPTION: A race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials. CVE-1999-0249 DESCRIPTION: Windows NT RSHSVC program allows remote users to execute arbitrary commands. CVE-1999-0250 DESCRIPTION: Denial of service in Qmail through long SMTP commands. CVE-1999-0251 DESCRIPTION: Denial of service in talk program allows remote attackers to disrupt a user's display. CVE-1999-0252 DESCRIPTION: Buffer overflow in listserv allows arbitrary command execution. CVE-1999-0253 DESCRIPTION: IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL. CVE-1999-0254 DESCRIPTION: A hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information. CVE-1999-0255 DESCRIPTION: Buffer overflow in ircd allows arbitrary command execution. CVE-1999-0256 DESCRIPTION: Buffer overflow in War FTP allows remote execution of commands. CVE-1999-0257 DESCRIPTION: Nestea variation of teardrop IP fragmentation denial of service. CVE-1999-0258 DESCRIPTION: Bonk variation of teardrop IP fragmentation denial of service. CVE-1999-0259 DESCRIPTION: cfingerd lists all users on a system via search.**@target. CVE-1999-0260 DESCRIPTION: The jj CGI program allows command execution via shell metacharacters. CVE-1999-0261 DESCRIPTION: Netmanager Chameleon SMTPd has several buffer overflows that cause a crash. CVE-1999-0262 DESCRIPTION: Hylafax faxsurvey CGI script on Linux allows remote attackers to execute arbitrary commands via shell metacharacters in the query string. CVE-1999-0263 DESCRIPTION: Solaris SUNWadmap can be exploited to obtain root access. CVE-1999-0264 DESCRIPTION: htmlscript CGI program allows remote read access to files. CVE-1999-0265 DESCRIPTION: ICMP redirect messages may crash or lock up a host. CVE-1999-0266 DESCRIPTION: The info2www CGI script allows remote file access or remote command execution. CVE-1999-0267 DESCRIPTION: Buffer overflow in NCSA HTTP daemon v1.3 allows remote command execution. CVE-1999-0268 DESCRIPTION: MetaInfo MetaWeb web server allows users to upload, execute, and read scripts. CVE-1999-0269 DESCRIPTION: Netscape Enterprise servers may list files through the PageServices query. CVE-1999-0270 DESCRIPTION: Directory traversal vulnerability in pfdispaly.cgi program (sometimes referred to as "pfdisplay") for SGI's Performer API Search Tool (performer_tools) allows remote attackers to read arbitrary files. CVE-1999-0271 DESCRIPTION: Progressive Networks Real Video server (pnserver) can be crashed remotely. CVE-1999-0272 DESCRIPTION: Denial of service in Slmail v2.5 through the POP3 port. CVE-1999-0273 DESCRIPTION: Denial of service through Solaris 2.5.1 telnet by sending ^D characters. CVE-1999-0274 DESCRIPTION: Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made. CVE-1999-0275 DESCRIPTION: Denial of service in Windows NT DNS servers by flooding port 53 with too many characters. CVE-1999-0276 DESCRIPTION: mSQL v2.0.1 and below allows remote execution through a buffer overflow. CVE-1999-0277 DESCRIPTION: The WorkMan program can be used to overwrite any file to get root access. CVE-1999-0278 DESCRIPTION: In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL. CVE-1999-0279 DESCRIPTION: Excite for Web Servers (EWS) allows remote command execution via shell metacharacters. CVE-1999-0280 DESCRIPTION: Remote command execution in Microsoft Internet Explorer using .lnk and .url files. CVE-1999-0281 DESCRIPTION: Denial of service in IIS using long URLs. CVE-1999-0282 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584, CVE-1999-1586. Reason: This candidate combined references from one issue with the description from another issue. Notes: Users should consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate name. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-1999-0283 DESCRIPTION: The Java Web Server would allow remote users to obtain the source code for CGI programs. CVE-1999-0284 DESCRIPTION: Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command. CVE-1999-0285 DESCRIPTION: Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection. CVE-1999-0286 DESCRIPTION: In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages. CVE-1999-0287 DESCRIPTION: Vulnerability in the Wguest CGI program. CVE-1999-0288 DESCRIPTION: The WINS server in Microsoft Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service (process termination) via invalid UDP frames to port 137 (NETBIOS Name Service), as demonstrated via a flood of random packets. CVE-1999-0289 DESCRIPTION: The Apache web server for Win32 may provide access to restricted files when a . (dot) is appended to a requested URL. CVE-1999-0290 DESCRIPTION: The WinGate telnet proxy allows remote attackers to cause a denial of service via a large number of connections to localhost. CVE-1999-0291 DESCRIPTION: The WinGate proxy is installed without a password, which allows remote attackers to redirect connections without authentication. CVE-1999-0292 DESCRIPTION: Denial of service through Winpopup using large user names. CVE-1999-0293 DESCRIPTION: AAA authentication on Cisco systems allows attackers to execute commands without authorization. CVE-1999-0294 DESCRIPTION: All records in a WINS database can be deleted through SNMP for a denial of service. CVE-1999-0295 DESCRIPTION: Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges. CVE-1999-0296 DESCRIPTION: Solaris volrmmount program allows attackers to read any file. CVE-1999-0297 DESCRIPTION: Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable. CVE-1999-0298 DESCRIPTION: ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack. CVE-1999-0299 DESCRIPTION: Buffer overflow in FreeBSD lpd through long DNS hostnames. CVE-1999-0300 DESCRIPTION: nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ servers. CVE-1999-0301 DESCRIPTION: Buffer overflow in SunOS/Solaris ps command. CVE-1999-0302 DESCRIPTION: SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server. CVE-1999-0303 DESCRIPTION: Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames. CVE-1999-0304 DESCRIPTION: mmap function in BSD allows local attackers in the kmem group to modify memory through devices. CVE-1999-0305 DESCRIPTION: The system configuration control (sysctl) facility in BSD based operating systems OpenBSD 2.2 and earlier, and FreeBSD 2.2.5 and earlier, does not properly restrict source routed packets even when the (1) dosourceroute or (2) forwarding variables are set, which allows remote attackers to spoof TCP connections. CVE-1999-0306 DESCRIPTION: buffer overflow in HP xlock program. CVE-1999-0307 DESCRIPTION: Buffer overflow in HP-UX cstm program allows local users to gain root privileges. CVE-1999-0308 DESCRIPTION: HP-UX gwind program allows users to modify arbitrary files. CVE-1999-0309 DESCRIPTION: HP-UX vgdisplay program gives root access to local users. CVE-1999-0310 DESCRIPTION: SSH 1.2.25 on HP-UX allows access to new user accounts. CVE-1999-0311 DESCRIPTION: fpkg2swpk in HP-UX allows local users to gain root access. CVE-1999-0312 DESCRIPTION: HP ypbind allows attackers with root privileges to modify NIS data. CVE-1999-0313 DESCRIPTION: disk_bandwidth on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames. CVE-1999-0314 DESCRIPTION: ioconfig on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames. CVE-1999-0315 DESCRIPTION: Buffer overflow in Solaris fdformat command gives root access to local users. CVE-1999-0316 DESCRIPTION: Buffer overflow in Linux splitvt command gives root access to local users. CVE-1999-0317 DESCRIPTION: Buffer overflow in Linux su command gives root access to local users. CVE-1999-0318 DESCRIPTION: Buffer overflow in xmcd 2.0p12 allows local users to gain access through an environmental variable. CVE-1999-0319 DESCRIPTION: Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting. CVE-1999-0320 DESCRIPTION: SunOS rpc.cmsd allows attackers to obtain root access by overwriting arbitrary files. CVE-1999-0321 DESCRIPTION: Buffer overflow in Solaris kcms_configure command allows local users to gain root access. CVE-1999-0322 DESCRIPTION: The open() function in FreeBSD allows local attackers to write to arbitrary files. CVE-1999-0323 DESCRIPTION: FreeBSD mmap function allows users to modify append-only or immutable files. CVE-1999-0324 DESCRIPTION: ppl program in HP-UX allows local users to create root files through symlinks. CVE-1999-0325 DESCRIPTION: vhe_u_mnt program in HP-UX allows local users to create root files through symlinks. CVE-1999-0326 DESCRIPTION: Vulnerability in HP-UX mediainit program. CVE-1999-0327 DESCRIPTION: SGI syserr program allows local users to corrupt files. CVE-1999-0328 DESCRIPTION: SGI permissions program allows local users to gain root privileges. CVE-1999-0329 DESCRIPTION: SGI mediad program allows local users to gain root access. CVE-1999-0330 DESCRIPTION: Linux bdash game has a buffer overflow that allows local users to gain root access. CVE-1999-0331 DESCRIPTION: Buffer overflow in Internet Explorer 4.0(1). CVE-1999-0332 DESCRIPTION: Buffer overflow in NetMeeting allows denial of service and remote command execution. CVE-1999-0333 DESCRIPTION: HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack. CVE-1999-0334 DESCRIPTION: In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access. CVE-1999-0335 DESCRIPTION: DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-1999-0032. CVE-1999-0336 DESCRIPTION: Buffer overflow in mstm in HP-UX allows local users to gain root access. CVE-1999-0337 DESCRIPTION: AIX batch queue (bsh) allows local and remote users to gain additional privileges when network printing is enabled. CVE-1999-0338 DESCRIPTION: AIX Licensed Program Product performance tools allow local users to gain root access. CVE-1999-0339 DESCRIPTION: Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access. CVE-1999-0340 DESCRIPTION: Buffer overflow in Linux Slackware crond program allows local users to gain root access. CVE-1999-0341 DESCRIPTION: Buffer overflow in the Linux mail program "deliver" allows local users to gain root access. CVE-1999-0342 DESCRIPTION: Linux PAM modules allow local users to gain root access using temporary files. CVE-1999-0343 DESCRIPTION: A malicious Palace server can force a client to execute arbitrary programs. CVE-1999-0344 DESCRIPTION: NT users can gain debug-level access on a system process using the Sechole exploit. CVE-1999-0345 DESCRIPTION: Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems. CVE-1999-0346 DESCRIPTION: CGI PHP mlog script allows an attacker to read any file on the target server. CVE-1999-0347 DESCRIPTION: Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a "%01" character in an "about:" Javascript URL, which causes Internet Explorer to use the domain specified after the character. CVE-1999-0348 DESCRIPTION: IIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory. CVE-1999-0349 DESCRIPTION: A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary commands. CVE-1999-0350 DESCRIPTION: Race condition in the db_loader program in ClearCase gives local users root access by setting SUID bits. CVE-1999-0351 DESCRIPTION: FTP PASV "Pizza Thief" denial of service and unauthorized data access. Attackers can steal data by connecting to a port that was intended for use by a client. CVE-1999-0352 DESCRIPTION: ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption. CVE-1999-0353 DESCRIPTION: rpc.pcnfsd in HP gives remote root access by changing the permissions on the main printer spool directory. CVE-1999-0354 DESCRIPTION: Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. Also applies to Outlook when the client views a malicious email message. CVE-1999-0355 DESCRIPTION: Local or remote users can force ControlIT 4.5 to reboot or force a user to log out, resulting in a denial of service. CVE-1999-0356 DESCRIPTION: ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book. CVE-1999-0357 DESCRIPTION: Windows 98 and other operating systems allows remote attackers to cause a denial of service via crafted "oshare" packets, possibly involving invalid fragmentation offsets. CVE-1999-0358 DESCRIPTION: Digital Unix 4.0 has a buffer overflow in the inc program of the mh package. CVE-1999-0359 DESCRIPTION: ptylogin in Unix systems allows users to perform a denial of service by locking out modems, dial out with that modem, or obtain passwords. CVE-1999-0360 DESCRIPTION: MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely. CVE-1999-0361 DESCRIPTION: NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging. CVE-1999-0362 DESCRIPTION: WS_FTP server remote denial of service through cwd command. CVE-1999-0363 DESCRIPTION: SuSE 5.2 PLP lpc program has a buffer overflow that leads to root compromise. CVE-1999-0364 DESCRIPTION: Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data. CVE-1999-0365 DESCRIPTION: The metamail package allows remote command execution using shell metacharacters that are not quoted in a mailcap entry. CVE-1999-0366 DESCRIPTION: In some cases, Service Pack 4 for Windows NT 4.0 can allow access to network shares using a blank password, through a problem with a null NT hash value. CVE-1999-0367 DESCRIPTION: NetBSD netstat command allows local users to access kernel memory. CVE-1999-0368 DESCRIPTION: Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote root access, a.k.a. palmetto. CVE-1999-0369 DESCRIPTION: The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access. CVE-1999-0370 DESCRIPTION: In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files. CVE-1999-0371 DESCRIPTION: Lynx allows a local user to overwrite sensitive files through /tmp symlinks. CVE-1999-0372 DESCRIPTION: The installer for BackOffice Server includes account names and passwords in a setup file (reboot.ini) which is not deleted. CVE-1999-0373 DESCRIPTION: Buffer overflow in the "Super" utility in Debian GNU/Linux, and other operating systems, allows local users to execute commands as root. CVE-1999-0374 DESCRIPTION: Debian GNU/Linux cfengine package is susceptible to a symlink attack. CVE-1999-0375 DESCRIPTION: Buffer overflow in webd in Network Flight Recorder (NFR) 2.0.2-Research allows remote attackers to execute commands. CVE-1999-0376 DESCRIPTION: Local users in Windows NT can obtain administrator privileges by changing the KnownDLLs list to reference malicious programs. CVE-1999-0377 DESCRIPTION: Process table attack in Unix systems allows a remote attacker to perform a denial of service by filling a machine's process tables through multiple connections to network services. CVE-1999-0378 DESCRIPTION: InterScan VirusWall for Solaris doesn't scan files for viruses when a single HTTP request includes two GET commands. CVE-1999-0379 DESCRIPTION: Microsoft Taskpads allows remote web sites to execute commands on the visiting user's machine via certain methods that are marked as Safe for Scripting. CVE-1999-0380 DESCRIPTION: SLMail 3.1 and 3.2 allows local users to access any file in the NTFS file system when the Remote Administration Service (RAS) is enabled by setting a user's Finger File to point to the target file, then running finger on the user. CVE-1999-0381 DESCRIPTION: super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access. CVE-1999-0382 DESCRIPTION: The screen saver in Windows NT does not verify that its security context has been changed properly, allowing attackers to run programs with elevated privileges. CVE-1999-0383 DESCRIPTION: ACC Tigris allows public access without a login. CVE-1999-0384 DESCRIPTION: The Forms 2.0 ActiveX control (included with Visual Basic for Applications 5.0) can be used to read text from a user's clipboard when the user accesses documents with ActiveX content. CVE-1999-0385 DESCRIPTION: The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of service or execute commands. CVE-1999-0386 DESCRIPTION: Microsoft Personal Web Server and FrontPage Personal Web Server in some Windows systems allows a remote attacker to read files on the server by using a nonstandard URL. CVE-1999-0387 DESCRIPTION: A legacy credential caching mechanism used in Windows 95 and Windows 98 systems allows attackers to read plaintext network passwords. CVE-1999-0388 DESCRIPTION: DataLynx suGuard trusts the PATH environment variable to execute the ps command, allowing local users to execute commands as root. CVE-1999-0389 DESCRIPTION: Buffer overflow in the bootp server in the Debian Linux netstd package. CVE-1999-0390 DESCRIPTION: Buffer overflow in Dosemu Slang library in Linux. CVE-1999-0391 DESCRIPTION: The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused, allowing an attacker to replay the response and impersonate a user. CVE-1999-0392 DESCRIPTION: Buffer overflow in Thomas Boutell's cgic library version up to 1.05. CVE-1999-0393 DESCRIPTION: Remote attackers can cause a denial of service in Sendmail 8.8.x and 8.9.2 by sending messages with a large number of headers. CVE-1999-0394 DESCRIPTION: DPEC Online Courseware allows an attacker to change another user's password without knowing the original password. CVE-1999-0395 DESCRIPTION: A race condition in the BackWeb Polite Agent Protocol allows an attacker to spoof a BackWeb server. CVE-1999-0396 DESCRIPTION: A race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service. CVE-1999-0397 DESCRIPTION: The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext. CVE-1999-0398 DESCRIPTION: In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login. CVE-1999-0399 DESCRIPTION: The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands. CVE-1999-0400 DESCRIPTION: Denial of service in Linux 2.2.0 running the ldd command on a core file. CVE-1999-0401 DESCRIPTION: A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files. CVE-1999-0402 DESCRIPTION: wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself. CVE-1999-0403 DESCRIPTION: A bug in Cyrix CPUs on Linux allows local users to perform a denial of service. CVE-1999-0404 DESCRIPTION: Buffer overflow in the Mail-Max SMTP server for Windows systems allows remote command execution. CVE-1999-0405 DESCRIPTION: A buffer overflow in lsof allows local users to obtain root privilege. CVE-1999-0406 DESCRIPTION: Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege. CVE-1999-0407 DESCRIPTION: By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system. CVE-1999-0408 DESCRIPTION: Files created from interactive shell sessions in Cobalt RaQ microservers (e.g. .bash_history) are world readable, and thus are accessible from the web server. CVE-1999-0409 DESCRIPTION: Buffer overflow in gnuplot in Linux version 3.5 allows local users to obtain root access. CVE-1999-0410 DESCRIPTION: The cancel command in Solaris 2.6 (i386) has a buffer overflow that allows local users to obtain root access. CVE-1999-0411 DESCRIPTION: Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access. CVE-1999-0412 DESCRIPTION: In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension. CVE-1999-0413 DESCRIPTION: A buffer overflow in the SGI X server allows local users to gain root access through the X server font path. CVE-1999-0414 DESCRIPTION: In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection. CVE-1999-0415 DESCRIPTION: The HTTP server in Cisco 7xx series routers 3.2 through 4.2 is enabled by default, which allows remote attackers to change the router's configuration. CVE-1999-0416 DESCRIPTION: Vulnerability in Cisco 7xx series routers allows a remote attacker to cause a system reload via a TCP connection to the router's TELNET port. CVE-1999-0417 DESCRIPTION: 64 bit Solaris 7 procfs allows local users to perform a denial of service. CVE-1999-0418 DESCRIPTION: Denial of service in SMTP applications such as Sendmail, when a remote attacker (e.g. spammer) uses many "RCPT TO" commands in the same connection. CVE-1999-0419 DESCRIPTION: When the Microsoft SMTP service attempts to send a message to a server and receives a 4xx error code, it quickly and repeatedly attempts to redeliver the message, causing a denial of service. CVE-1999-0420 DESCRIPTION: umapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program. CVE-1999-0421 DESCRIPTION: During a reboot after an installation of Linux Slackware 3.6, a remote attacker can obtain root access by logging in to the root account without a password. CVE-1999-0422 DESCRIPTION: In some cases, NetBSD 1.3.3 mount allows local users to execute programs in some file systems that have the "noexec" flag set. CVE-1999-0423 DESCRIPTION: Vulnerability in hpterm on HP-UX 10.20 allows local users to gain additional privileges. CVE-1999-0424 DESCRIPTION: talkback in Netscape 4.5 allows a local user to overwrite arbitrary files of another user whose Netscape crashes. CVE-1999-0425 DESCRIPTION: talkback in Netscape 4.5 allows a local user to kill an arbitrary process of another user whose Netscape crashes. CVE-1999-0426 DESCRIPTION: The default permissions of /dev/kmem in Linux versions before 2.0.36 allows IP spoofing. CVE-1999-0427 DESCRIPTION: Eudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names. CVE-1999-0428 DESCRIPTION: OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. CVE-1999-0429 DESCRIPTION: The Lotus Notes 4.5 client may send a copy of encrypted mail in the clear across the network if the user does not set the "Encrypt Saved Mail" preference. CVE-1999-0430 DESCRIPTION: Cisco Catalyst LAN switches running Catalyst 5000 supervisor software allows remote attackers to perform a denial of service by forcing the supervisor module to reload. CVE-1999-0431 DESCRIPTION: Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service. CVE-1999-0432 DESCRIPTION: ftp on HP-UX 11.00 allows local users to gain privileges. CVE-1999-0433 DESCRIPTION: XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service. CVE-1999-0434 DESCRIPTION: XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service. CVE-1999-0435 DESCRIPTION: MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain privileges through SAM. CVE-1999-0436 DESCRIPTION: Domain Enterprise Server Management System (DESMS) in HP-UX allows local users to gain privileges. CVE-1999-0437 DESCRIPTION: Remote attackers can perform a denial of service in WebRamp systems by sending a malicious string to the HTTP port. CVE-1999-0438 DESCRIPTION: Remote attackers can perform a denial of service in WebRamp systems by sending a malicious UDP packet to port 5353, changing its IP address. CVE-1999-0439 DESCRIPTION: Buffer overflow in procmail before version 3.12 allows remote or local attackers to execute commands via expansions in the procmailrc configuration file. CVE-1999-0440 DESCRIPTION: The byte code verifier component of the Java Virtual Machine (JVM) allows remote execution through malicious web pages. CVE-1999-0441 DESCRIPTION: Remote attackers can perform a denial of service in WinGate machines using a buffer overflow in the Winsock Redirector Service. CVE-1999-0442 DESCRIPTION: Solaris ff.core allows local users to modify files. CVE-1999-0443 DESCRIPTION: Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password. CVE-1999-0444 DESCRIPTION: Remote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files. CVE-1999-0445 DESCRIPTION: In Cisco routers under some versions of IOS 12.0 running NAT, some packets may not be filtered by input access list filters. CVE-1999-0446 DESCRIPTION: Local users can perform a denial of service in NetBSD 1.3.3 and earlier versions by creating an unusual symbolic link with the ln command, triggering a bug in VFS. CVE-1999-0447 DESCRIPTION: Local users can gain privileges using the debug utility in the MPE/iX operating system. CVE-1999-0448 DESCRIPTION: IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request. CVE-1999-0449 DESCRIPTION: The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (2) query.asp, or (3) search.asp scripts. CVE-1999-0450 DESCRIPTION: In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe). CVE-1999-0451 DESCRIPTION: Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port. CVE-1999-0452 DESCRIPTION: A service or application has a backdoor password that was placed there by the developer. CVE-1999-0453 DESCRIPTION: An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP). CVE-1999-0454 DESCRIPTION: A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso. CVE-1999-0455 DESCRIPTION: The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly. CVE-1999-0457 DESCRIPTION: Linux ftpwatch program allows local users to gain root privileges. CVE-1999-0458 DESCRIPTION: L0phtcrack 2.5 used temporary files in the system TEMP directory which could contain password information. CVE-1999-0459 DESCRIPTION: Local users can perform a denial of service in Alpha Linux, using MILO to force a reboot. CVE-1999-0460 DESCRIPTION: Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service. CVE-1999-0461 DESCRIPTION: Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source address. CVE-1999-0462 DESCRIPTION: suidperl in Linux Perl does not check the nosuid mount option on file systems, allowing local users to gain root access by placing a setuid script in a mountable file system, e.g. a CD-ROM or floppy disk. CVE-1999-0463 DESCRIPTION: Remote attackers can perform a denial of service using IRIX fcagent. CVE-1999-0464 DESCRIPTION: Local users can perform a denial of service in Tripwire 1.2 and earlier using long filenames. CVE-1999-0465 DESCRIPTION: Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter. CVE-1999-0466 DESCRIPTION: The SVR4 /dev/wabi special device file in NetBSD 1.3.3 and earlier allows a local user to read or write arbitrary files on the disk associated with that device. CVE-1999-0467 DESCRIPTION: The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter. CVE-1999-0468 DESCRIPTION: Internet Explorer 5.0 allows a remote server to read arbitrary files on the client's file system using the Microsoft Scriptlet Component. CVE-1999-0469 DESCRIPTION: Internet Explorer 5.0 allows window spoofing, allowing a remote attacker to spoof a legitimate web site and capture information from the client. CVE-1999-0470 DESCRIPTION: A weak encryption algorithm is used for passwords in Novell Remote.NLM, allowing them to be easily decrypted. CVE-1999-0471 DESCRIPTION: The remote proxy server in Winroute allows a remote attacker to reconfigure the proxy without authentication through the "cancel" button. CVE-1999-0472 DESCRIPTION: The SNMP default community name "public" is not properly removed in NetApps C630 Netcache, even if the administrator tries to disable it. CVE-1999-0473 DESCRIPTION: The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred. CVE-1999-0474 DESCRIPTION: The ICQ Webserver allows remote attackers to use .. to access arbitrary files outside of the user's personal directory. CVE-1999-0475 DESCRIPTION: A race condition in how procmail handles .procmailrc files allows a local user to read arbitrary files available to the user who is running procmail. CVE-1999-0476 DESCRIPTION: A weak encryption algorithm is used for passwords in SCO TermVision, allowing them to be easily decrypted by a local user. CVE-1999-0477 DESCRIPTION: The Expression Evaluator in the ColdFusion Application Server allows a remote attacker to upload files to the server via openfile.cfm, which does not restrict access to the server properly. CVE-1999-0478 DESCRIPTION: Denial of service in HP-UX sendmail 8.8.6 related to accepting connections. CVE-1999-0479 DESCRIPTION: Denial of service Netscape Enterprise Server with VirtualVault on HP-UX VVOS systems. CVE-1999-0480 DESCRIPTION: Local attackers can conduct a denial of service in Midnight Commander 4.x with a symlink attack. CVE-1999-0481 DESCRIPTION: Denial of service in "poll" in OpenBSD. CVE-1999-0482 DESCRIPTION: OpenBSD kernel crash through TSS handling, as caused by the crashme program. CVE-1999-0483 DESCRIPTION: OpenBSD crash using nlink value in FFS and EXT2FS filesystems. CVE-1999-0484 DESCRIPTION: Buffer overflow in OpenBSD ping. CVE-1999-0485 DESCRIPTION: Remote attackers can cause a system crash through ipintr() in ipq in OpenBSD. CVE-1999-0486 DESCRIPTION: Denial of service in AOL Instant Messenger when a remote attacker sends a malicious hyperlink to the receiving client, potentially causing a system crash. CVE-1999-0487 DESCRIPTION: The DHTML Edit ActiveX control in Internet Explorer allows remote attackers to read arbitrary files. CVE-1999-0488 DESCRIPTION: Internet Explorer 4.0 and 5.0 allows a remote attacker to execute security scripts in a different security context using malicious URLs, a variant of the "cross frame" vulnerability. CVE-1999-0489 DESCRIPTION: MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste a file name into the file upload intrinsic control, a variant of "untrusted scripted paste" as described in MS:MS98-013. CVE-1999-0490 DESCRIPTION: MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn information about a local user's files via an IMG SRC tag. CVE-1999-0491 DESCRIPTION: The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute. CVE-1999-0492 DESCRIPTION: The ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses. CVE-1999-0493 DESCRIPTION: rpc.statd allows remote attackers to forward RPC calls to the local operating system via the SM_MON and SM_NOTIFY commands, which in turn could be used to remotely exploit other bugs such as in automountd. CVE-1999-0494 DESCRIPTION: Denial of service in WinGate proxy through a buffer overflow in POP3. CVE-1999-0495 DESCRIPTION: A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares. CVE-1999-0496 DESCRIPTION: A Windows NT 4.0 user can gain administrative rights by forcing NtOpenProcessToken to succeed regardless of the user's permissions, aka GetAdmin. CVE-1999-0497 DESCRIPTION: Anonymous FTP is enabled. CVE-1999-0498 DESCRIPTION: TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files. CVE-1999-0499 DESCRIPTION: NETBIOS share information may be published through SNMP registry keys in NT. CVE-1999-0501 DESCRIPTION: A Unix account has a guessable password. CVE-1999-0502 DESCRIPTION: A Unix account has a default, null, blank, or missing password. CVE-1999-0503 DESCRIPTION: A Windows NT local user or administrator account has a guessable password. CVE-1999-0504 DESCRIPTION: A Windows NT local user or administrator account has a default, null, blank, or missing password. CVE-1999-0505 DESCRIPTION: A Windows NT domain user or administrator account has a guessable password. CVE-1999-0506 DESCRIPTION: A Windows NT domain user or administrator account has a default, null, blank, or missing password. CVE-1999-0507 DESCRIPTION: An account on a router, firewall, or other network device has a guessable password. CVE-1999-0508 DESCRIPTION: An account on a router, firewall, or other network device has a default, null, blank, or missing password. CVE-1999-0509 DESCRIPTION: Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands. CVE-1999-0510 DESCRIPTION: A router or firewall allows source routed packets from arbitrary hosts. CVE-1999-0511 DESCRIPTION: IP forwarding is enabled on a machine which is not a router or firewall. CVE-1999-0512 DESCRIPTION: A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers. CVE-1999-0513 DESCRIPTION: ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service. CVE-1999-0514 DESCRIPTION: UDP messages to broadcast addresses are allowed, allowing for a Fraggle attack that can cause a denial of service by flooding the target. CVE-1999-0515 DESCRIPTION: An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv. CVE-1999-0516 DESCRIPTION: An SNMP community name is guessable. CVE-1999-0517 DESCRIPTION: An SNMP community name is the default (e.g. public), null, or missing. CVE-1999-0518 DESCRIPTION: A NETBIOS/SMB share password is guessable. CVE-1999-0519 DESCRIPTION: A NETBIOS/SMB share password is the default, null, or missing. CVE-1999-0520 DESCRIPTION: A system-critical NETBIOS/SMB share has inappropriate access control. CVE-1999-0521 DESCRIPTION: An NIS domain name is easily guessable. CVE-1999-0522 DESCRIPTION: The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate. CVE-1999-0523 DESCRIPTION: ICMP echo (ping) is allowed from arbitrary hosts. CVE-1999-0524 DESCRIPTION: ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts. CVE-1999-0525 DESCRIPTION: IP traceroute is allowed from arbitrary hosts. CVE-1999-0526 DESCRIPTION: An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server. CVE-1999-0527 DESCRIPTION: The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as "ls" can be overwritten. CVE-1999-0528 DESCRIPTION: A router or firewall forwards external packets that claim to come from inside the network that the router/firewall is in front of. CVE-1999-0529 DESCRIPTION: A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc. CVE-1999-0530 DESCRIPTION: A system is operating in "promiscuous" mode which allows it to perform packet sniffing. CVE-1999-0531 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO." CVE-1999-0532 DESCRIPTION: A DNS server allows zone transfers. CVE-1999-0533 DESCRIPTION: A DNS server allows inverse queries. CVE-1999-0534 DESCRIPTION: A Windows NT user has inappropriate rights or privileges, e.g. Act as System, Add Workstation, Backup, Change System Time, Create Pagefile, Create Permanent Object, Create Token Name, Debug, Generate Security Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory, Profile Single Process, Remote Shutdown, Replace Process Token, Restore, System Environment, Take Ownership, or Unsolicited Input. CVE-1999-0535 DESCRIPTION: A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. for password length, password age, or uniqueness. CVE-1999-0537 DESCRIPTION: A configuration in a web browser such as Internet Explorer or Netscape Navigator allows execution of active content such as ActiveX, Java, Javascript, etc. CVE-1999-0539 DESCRIPTION: A trust relationship exists between two Unix hosts. CVE-1999-0541 DESCRIPTION: A password for accessing a WWW URL is guessable. CVE-1999-0546 DESCRIPTION: The Windows NT guest account is enabled. CVE-1999-0547 DESCRIPTION: An SSH server allows authentication through the .rhosts file. CVE-1999-0548 DESCRIPTION: A superfluous NFS server is running, but it is not importing or exporting any file systems. CVE-1999-0549 DESCRIPTION: Windows NT automatically logs in an administrator upon rebooting. CVE-1999-0550 DESCRIPTION: A router's routing tables can be obtained from arbitrary hosts. CVE-1999-0551 DESCRIPTION: HP OpenMail can be misconfigured to allow users to run arbitrary commands using malicious print requests. CVE-1999-0554 DESCRIPTION: NFS exports system-critical data to the world, e.g. / or a password file. CVE-1999-0555 DESCRIPTION: A Unix account with a name other than "root" has UID 0, i.e. root privileges. CVE-1999-0556 DESCRIPTION: Two or more Unix accounts have the same UID. CVE-1999-0559 DESCRIPTION: A system-critical Unix file or directory has inappropriate permissions. CVE-1999-0560 DESCRIPTION: A system-critical Windows NT file or directory has inappropriate permissions. CVE-1999-0561 DESCRIPTION: IIS has the #exec function enabled for Server Side Include (SSI) files. CVE-1999-0562 DESCRIPTION: The registry in Windows NT can be accessed remotely by users who are not administrators. CVE-1999-0564 DESCRIPTION: An attacker can force a printer to print arbitrary documents (e.g. if the printer doesn't require a password) or to become disabled. CVE-1999-0565 DESCRIPTION: A Sendmail alias allows input to be piped to a program. CVE-1999-0566 DESCRIPTION: An attacker can write to syslog files from any location, causing a denial of service by filling up the logs, and hiding activities. CVE-1999-0568 DESCRIPTION: rpc.admind in Solaris is not running in a secure mode. CVE-1999-0569 DESCRIPTION: A URL for a WWW directory allows auto-indexing, which provides a list of all files in that directory if it does not contain an index.html file. CVE-1999-0570 DESCRIPTION: Windows NT is not using a password filter utility, e.g. PASSFILT.DLL. CVE-1999-0571 DESCRIPTION: A router's configuration service or management interface (such as a web server or telnet) is configured to allow connections from arbitrary hosts. CVE-1999-0572 DESCRIPTION: .reg files are associated with the Windows NT registry editor (regedit), making the registry susceptible to Trojan Horse attacks. CVE-1999-0575 DESCRIPTION: A Windows NT system's user audit policy does not log an event success or failure, e.g. for Logon and Logoff, File and Object Access, Use of User Rights, User and Group Management, Security Policy Changes, Restart, Shutdown, and System, and Process Tracking. CVE-1999-0576 DESCRIPTION: A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories. CVE-1999-0577 DESCRIPTION: A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories. CVE-1999-0578 DESCRIPTION: A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys. CVE-1999-0579 DESCRIPTION: A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys. CVE-1999-0580 DESCRIPTION: The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate, system-critical permissions. CVE-1999-0581 DESCRIPTION: The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate, system-critical permissions. CVE-1999-0582 DESCRIPTION: A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g. lockout duration, lockout after bad logon attempts, etc. CVE-1999-0583 DESCRIPTION: There is a one-way or two-way trust relationship between Windows NT domains. CVE-1999-0584 DESCRIPTION: A Windows NT file system is not NTFS. CVE-1999-0585 DESCRIPTION: A Windows NT administrator account has the default name of Administrator. CVE-1999-0586 DESCRIPTION: A network service is running on a nonstandard port. CVE-1999-0587 DESCRIPTION: A WWW server is not running in a restricted file system, e.g. through a chroot, thus allowing access to system-critical data. CVE-1999-0588 DESCRIPTION: A filter in a router or firewall allows unusual fragmented packets. CVE-1999-0589 DESCRIPTION: A system-critical Windows NT registry key has inappropriate permissions. CVE-1999-0590 DESCRIPTION: A system does not present an appropriate legal message or warning to a user who is accessing it. CVE-1999-0591 DESCRIPTION: An event log in Windows NT has inappropriate access permissions. CVE-1999-0592 DESCRIPTION: The Logon box of a Windows NT system displays the name of the last user who logged in. CVE-1999-0593 DESCRIPTION: The default setting for the Winlogon key entry ShutdownWithoutLogon in Windows NT allows users with physical access to shut down a Windows NT system without logging in. CVE-1999-0594 DESCRIPTION: A Windows NT system does not restrict access to removable media drives such as a floppy disk drive or CDROM drive. CVE-1999-0595 DESCRIPTION: A Windows NT system does not clear the system page file during shutdown, which might allow sensitive information to be recorded. CVE-1999-0596 DESCRIPTION: A Windows NT log file has an inappropriate maximum size or retention period. CVE-1999-0597 DESCRIPTION: A Windows NT account policy does not forcibly disconnect remote users from the server when their logon hours expire. CVE-1999-0598 DESCRIPTION: A network intrusion detection system (IDS) does not properly handle packets that are sent out of order, allowing an attacker to escape detection. CVE-1999-0599 DESCRIPTION: A network intrusion detection system (IDS) does not properly handle packets with improper sequence numbers. CVE-1999-0600 DESCRIPTION: A network intrusion detection system (IDS) does not verify the checksum on a packet. CVE-1999-0601 DESCRIPTION: A network intrusion detection system (IDS) does not properly handle data within TCP handshake packets. CVE-1999-0602 DESCRIPTION: A network intrusion detection system (IDS) does not properly reassemble fragmented packets. CVE-1999-0603 DESCRIPTION: In Windows NT, an inappropriate user is a member of a group, e.g. Administrator, Backup Operators, Domain Admins, Domain Guests, Power Users, Print Operators, Replicators, System Operators, etc. CVE-1999-0604 DESCRIPTION: An incorrect configuration of the WebStore 1.0 shopping cart CGI program "web_store.cgi" could disclose private information. CVE-1999-0605 DESCRIPTION: An incorrect configuration of the Order Form 1.0 shopping cart CGI program could disclose private information. CVE-1999-0606 DESCRIPTION: An incorrect configuration of the EZMall 2000 shopping cart CGI program "mall2000.cgi" could disclose private information. CVE-1999-0607 DESCRIPTION: quikstore.cgi in QuikStore shopping cart stores quikstore.cfg under the web document root with insufficient access control, which allows remote attackers to obtain the cleartext administrator password and gain privileges. CVE-1999-0608 DESCRIPTION: An incorrect configuration of the PDG Shopping Cart CGI program "shopper.cgi" could disclose private information. CVE-1999-0609 DESCRIPTION: An incorrect configuration of the SoftCart CGI program "SoftCart.exe" could disclose private information. CVE-1999-0610 DESCRIPTION: An incorrect configuration of the Webcart CGI program could disclose private information. CVE-1999-0611 DESCRIPTION: A system-critical Windows NT registry key has an inappropriate value. CVE-1999-0612 DESCRIPTION: A version of finger is running that exposes valid user information to any entity on the network. CVE-1999-0613 DESCRIPTION: The rpc.sprayd service is running. CVE-1999-0614 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The FTP service is running." CVE-1999-0615 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The SNMP service is running." CVE-1999-0616 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The TFTP service is running." CVE-1999-0617 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The SMTP service is running." CVE-1999-0618 DESCRIPTION: The rexec service is running. CVE-1999-0619 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The Telnet service is running." CVE-1999-0620 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A component service related to NIS is running." CVE-1999-0621 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A component service related to NETBIOS is running." CVE-1999-0622 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A component service related to DNS service is running." CVE-1999-0623 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The X Windows service is running." CVE-1999-0624 DESCRIPTION: The rstat/rstatd service is running. CVE-1999-0625 DESCRIPTION: The rpc.rquotad service is running. CVE-1999-0626 DESCRIPTION: A version of rusers is running that exposes valid user information to any entity on the network. CVE-1999-0627 DESCRIPTION: The rexd service is running, which uses weak authentication that can allow an attacker to execute commands. CVE-1999-0628 DESCRIPTION: The rwho/rwhod service is running, which exposes machine status and user information. CVE-1999-0629 DESCRIPTION: The ident/identd service is running. CVE-1999-0630 DESCRIPTION: The NT Alerter and Messenger services are running. CVE-1999-0631 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The NFS service is running." CVE-1999-0632 DESCRIPTION: The RPC portmapper service is running. CVE-1999-0633 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The HTTP/WWW service is running." CVE-1999-0634 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The SSH service is running." CVE-1999-0635 DESCRIPTION: The echo service is running. CVE-1999-0636 DESCRIPTION: The discard service is running. CVE-1999-0637 DESCRIPTION: The systat service is running. CVE-1999-0638 DESCRIPTION: The daytime service is running. CVE-1999-0639 DESCRIPTION: The chargen service is running. CVE-1999-0640 DESCRIPTION: The Gopher service is running. CVE-1999-0641 DESCRIPTION: The UUCP service is running. CVE-1999-0642 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A POP service is running." CVE-1999-0643 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The IMAP service is running." CVE-1999-0644 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The NNTP news service is running." CVE-1999-0645 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The IRC service is running." CVE-1999-0646 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The LDAP service is running." CVE-1999-0647 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The bootparam (bootparamd) service is running." CVE-1999-0648 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The X25 service is running." CVE-1999-0649 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The FSP service is running." CVE-1999-0650 DESCRIPTION: The netstat service is running, which provides sensitive information to remote attackers. CVE-1999-0651 DESCRIPTION: The rsh/rlogin service is running. CVE-1999-0652 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A database service is running, e.g. a SQL server, Oracle, or mySQL." CVE-1999-0653 DESCRIPTION: A component service related to NIS+ is running. CVE-1999-0654 DESCRIPTION: The OS/2 or POSIX subsystem in NT is enabled. CVE-1999-0655 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is not about any specific product, protocol, or design, so it is out of scope of CVE. Notes: the former description is: "A service may include useful information in its banner or help function (such as the name and version), making it useful for information gathering activities." CVE-1999-0656 DESCRIPTION: The ugidd RPC interface, by design, allows remote attackers to enumerate valid usernames by specifying arbitrary UIDs that ugidd maps to local user and group names. CVE-1999-0657 DESCRIPTION: WinGate is being used. CVE-1999-0658 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "DCOM is running." CVE-1999-0659 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A Windows NT Primary Domain Controller (PDC) or Backup Domain Controller (BDC) is present." CVE-1999-0660 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is not about any specific product, protocol, or design, so it is out of scope of CVE. It might be more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc." CVE-1999-0661 DESCRIPTION: A system is running a version of software that was replaced with a Trojan Horse at one of its distribution points, such as (1) TCP Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and 2.1f, (4) IRC client (ircII) ircII 2.2.9, (5) OpenSSH 3.4p1, or (6) Sendmail 8.12.6. CVE-1999-0662 DESCRIPTION: A system-critical program or library does not have the appropriate patch, hotfix, or service pack installed, or is outdated or obsolete. CVE-1999-0663 DESCRIPTION: A system-critical program, library, or file has a checksum or other integrity measurement that indicates that it has been modified. CVE-1999-0664 DESCRIPTION: An application-critical Windows NT registry key has inappropriate permissions. CVE-1999-0665 DESCRIPTION: An application-critical Windows NT registry key has an inappropriate value. CVE-1999-0667 DESCRIPTION: The ARP protocol allows any host to spoof ARP replies and poison the ARP cache to conduct IP address spoofing or a denial of service. CVE-1999-0668 DESCRIPTION: The scriptlet.typelib ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy. CVE-1999-0669 DESCRIPTION: The Eyedog ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy. CVE-1999-0670 DESCRIPTION: Buffer overflow in the Eyedog ActiveX control allows a remote attacker to execute arbitrary commands. CVE-1999-0671 DESCRIPTION: Buffer overflow in ToxSoft NextFTP client through CWD command. CVE-1999-0672 DESCRIPTION: Buffer overflow in Fujitsu Chocoa IRC client via IRC channel topics. CVE-1999-0673 DESCRIPTION: Buffer overflow in ALMail32 POP3 client via From: or To: headers. CVE-1999-0674 DESCRIPTION: The BSD profil system call allows a local user to modify the internal data space of a program via profiling and execve. CVE-1999-0675 DESCRIPTION: Check Point FireWall-1 can be subjected to a denial of service via UDP packets that are sent through VPN-1 to port 0 of a host. CVE-1999-0676 DESCRIPTION: sdtcm_convert in Solaris 2.6 allows a local user to overwrite sensitive files via a symlink attack. CVE-1999-0677 DESCRIPTION: The WebRamp web administration utility has a default password. CVE-1999-0678 DESCRIPTION: A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server. CVE-1999-0679 DESCRIPTION: Buffer overflow in hybrid-6 IRC server commonly used on EFnet allows remote attackers to execute commands via m_invite invite option. CVE-1999-0680 DESCRIPTION: Windows NT Terminal Server performs extra work when a client opens a new connection but before it is authenticated, allowing for a denial of service. CVE-1999-0681 DESCRIPTION: Buffer overflow in Microsoft FrontPage Server Extensions (PWS) 3.0.2.926 on Windows 95, and possibly other versions, allows remote attackers to cause a denial of service via a long URL. CVE-1999-0682 DESCRIPTION: Microsoft Exchange 5.5 allows a remote attacker to relay email (i.e. spam) using encapsulated SMTP addresses, even if the anti-relaying features are enabled. CVE-1999-0683 DESCRIPTION: Denial of service in Gauntlet Firewall via a malformed ICMP packet. CVE-1999-0684 DESCRIPTION: Denial of service in Sendmail 8.8.6 in HPUX. CVE-1999-0685 DESCRIPTION: Buffer overflow in Netscape Communicator via EMBED tags in the pluginspage option. CVE-1999-0686 DESCRIPTION: Denial of service in Netscape Enterprise Server (NES) in HP Virtual Vault (VVOS) via a long URL. CVE-1999-0687 DESCRIPTION: The ToolTalk ttsession daemon uses weak RPC authentication, which allows a remote attacker to execute commands. CVE-1999-0688 DESCRIPTION: Buffer overflows in HP Software Distributor (SD) for HPUX 10.x and 11.x. CVE-1999-0689 DESCRIPTION: The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack. CVE-1999-0690 DESCRIPTION: HP CDE program includes the current directory in root's PATH variable. CVE-1999-0691 DESCRIPTION: Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name. CVE-1999-0692 DESCRIPTION: The default configuration of the Array Services daemon (arrayd) disables authentication, allowing remote users to gain root privileges. CVE-1999-0693 DESCRIPTION: Buffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges. CVE-1999-0694 DESCRIPTION: Denial of service in AIX ptrace system call allows local users to crash the system. CVE-1999-0695 DESCRIPTION: The Sybase PowerDynamo personal web server allows attackers to read arbitrary files through a .. (dot dot) attack. CVE-1999-0696 DESCRIPTION: Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd). CVE-1999-0697 DESCRIPTION: SCO Doctor allows local users to gain root privileges through a Tools option. CVE-1999-0698 DESCRIPTION: Denial of service in IP protocol logger (ippl) on Red Hat and Debian Linux. CVE-1999-0699 DESCRIPTION: The Bluestone Sapphire web server allows session hijacking via easily guessable session IDs. CVE-1999-0700 DESCRIPTION: Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed dialer entry in the dialer.ini file. CVE-1999-0701 DESCRIPTION: After an unattended installation of Windows NT 4.0, an installation file could include sensitive information such as the local Administrator password. CVE-1999-0702 DESCRIPTION: Internet Explorer 5.0 and 5.01 allows remote attackers to modify or execute files via the Import/Export Favorites feature, aka the "ImportExportFavorites" vulnerability. CVE-1999-0703 DESCRIPTION: OpenBSD, BSDI, and other Unix operating systems allow users to set chflags and fchflags on character and block devices. CVE-1999-0704 DESCRIPTION: Buffer overflow in Berkeley automounter daemon (amd) logging facility provided in the Linux am-utils package and others. CVE-1999-0705 DESCRIPTION: Buffer overflow in INN inews program. CVE-1999-0706 DESCRIPTION: Linux xmonisdn package allows local users to gain root privileges by modifying the IFS or PATH environmental variables. CVE-1999-0707 DESCRIPTION: The default FTP configuration in HP Visualize Conference allows conference users to send a file to other participants without authorization. CVE-1999-0708 DESCRIPTION: Buffer overflow in cfingerd allows local users to gain root privileges via a long GECOS field. CVE-1999-0710 DESCRIPTION: The Squid package in Red Hat Linux 5.2 and 6.0, and other distributions, installs cachemgr.cgi in a public web directory, which allows remote attackers to use it as an intermediary to connect to other systems. CVE-1999-0711 DESCRIPTION: The oratclsh interpreter in Oracle 8.x Intelligent Agent for Unix allows local users to execute Tcl commands as root. CVE-1999-0712 DESCRIPTION: A vulnerability in Caldera Open Administration System (COAS) allows the /etc/shadow password file to be made world-readable. CVE-1999-0713 DESCRIPTION: The dtlogin program in Compaq Tru64 UNIX allows local users to gain root privileges. CVE-1999-0714 DESCRIPTION: Vulnerability in Compaq Tru64 UNIX edauth command. CVE-1999-0715 DESCRIPTION: Buffer overflow in Remote Access Service (RAS) client allows an attacker to execute commands or cause a denial of service via a malformed phonebook entry. CVE-1999-0716 DESCRIPTION: Buffer overflow in Windows NT 4.0 help file utility via a malformed help file. CVE-1999-0717 DESCRIPTION: A remote attacker can disable the virus warning mechanism in Microsoft Excel 97. CVE-1999-0718 DESCRIPTION: IBM GINA, when used for OS/2 domain authentication of Windows NT users, allows local users to gain administrator privileges by changing the GroupMapping registry key. CVE-1999-0719 DESCRIPTION: The Guile plugin for the Gnumeric spreadsheet package allows attackers to execute arbitrary code. CVE-1999-0720 DESCRIPTION: The pt_chown command in Linux allows local users to modify TTY terminal devices that belong to other users. CVE-1999-0721 DESCRIPTION: Denial of service in Windows NT Local Security Authority (LSA) through a malformed LSA request. CVE-1999-0722 DESCRIPTION: The default configuration of Cobalt RaQ2 servers allows remote users to install arbitrary software packages. CVE-1999-0723 DESCRIPTION: The Windows NT Client Server Runtime Subsystem (CSRSS) can be subjected to a denial of service when all worker threads are waiting for user input. CVE-1999-0724 DESCRIPTION: Buffer overflow in OpenBSD procfs and fdescfs file systems via uio_offset in the readdir() function. CVE-1999-0725 DESCRIPTION: When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker to view the source code of certain files, a.k.a. "Double Byte Code Page". CVE-1999-0726 DESCRIPTION: An attacker can conduct a denial of service in Windows NT by executing a program with a malformed file image header. CVE-1999-0727 DESCRIPTION: A kernel leak in the OpenBSD kernel allows IPsec packets to be sent unencrypted. CVE-1999-0728 DESCRIPTION: A Windows NT user can disable the keyboard or mouse by directly calling the IOCTLs which control them. CVE-1999-0729 DESCRIPTION: Buffer overflow in Lotus Notes LDAP (NLDAP) allows an attacker to conduct a denial of service through the ldap_search request. CVE-1999-0730 DESCRIPTION: The zsoelim program in the Debian man-db package allows local users to overwrite files via a symlink attack. CVE-1999-0731 DESCRIPTION: The KDE klock program allows local users to unlock a session using malformed input. CVE-1999-0732 DESCRIPTION: The logging facility of the Debian smtp-refuser package allows local users to delete arbitrary files using symbolic links. CVE-1999-0733 DESCRIPTION: Buffer overflow in VMWare 1.0.1 for Linux via a long HOME environmental variable. CVE-1999-0734 DESCRIPTION: A default configuration of CiscoSecure Access Control Server (ACS) allows remote users to modify the server database without authentication. CVE-1999-0735 DESCRIPTION: KDE K-Mail allows local users to gain privileges via a symlink attack in temporary user directories. CVE-1999-0736 DESCRIPTION: The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. CVE-1999-0737 DESCRIPTION: The viewcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. CVE-1999-0738 DESCRIPTION: The code.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. CVE-1999-0739 DESCRIPTION: The codebrws.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. CVE-1999-0740 DESCRIPTION: Remote attackers can cause a denial of service on Linux in.telnetd telnet daemon through a malformed TERM environmental variable. CVE-1999-0741 DESCRIPTION: QMS CrownNet Unix Utilities for 2060 allows root to log on without a password. CVE-1999-0742 DESCRIPTION: The Debian mailman package uses weak authentication, which allows attackers to gain privileges. CVE-1999-0743 DESCRIPTION: Trn allows local users to overwrite other users' files via symlinks. CVE-1999-0744 DESCRIPTION: Buffer overflow in Netscape Enterprise Server and FastTrask Server allows remote attackers to gain privileges via a long HTTP GET request. CVE-1999-0745 DESCRIPTION: Buffer overflow in Source Code Browser Program Database Name Server Daemon (pdnsd) for the IBM AIX C Set ++ compiler. CVE-1999-0746 DESCRIPTION: A default configuration of in.identd in SuSE Linux waits 120 seconds between requests, allowing a remote attacker to conduct a denial of service. CVE-1999-0747 DESCRIPTION: Denial of service in BSDi Symmetric Multiprocessing (SMP) when an fstat call is made when the system has a high CPU load. CVE-1999-0748 DESCRIPTION: Buffer overflows in Red Hat net-tools package. CVE-1999-0749 DESCRIPTION: Buffer overflow in Microsoft Telnet client in Windows 95 and Windows 98 via a malformed Telnet argument. CVE-1999-0750 DESCRIPTION: Hotmail allows Javascript to be executed via the HTML STYLE tag, allowing remote attackers to execute commands on the user's Hotmail account. CVE-1999-0751 DESCRIPTION: Buffer overflow in Accept command in Netscape Enterprise Server 3.6 with the SSL Handshake Patch. CVE-1999-0752 DESCRIPTION: Denial of service in Netscape Enterprise Server via a buffer overflow in the SSL handshake. CVE-1999-0753 DESCRIPTION: The w3-msql CGI script provided with Mini SQL allows remote attackers to view restricted directories. CVE-1999-0754 DESCRIPTION: The INN inndstart program allows local users to gain privileges by specifying an alternate configuration file using the INNCONF environmental variable. CVE-1999-0755 DESCRIPTION: Windows NT RRAS and RAS clients cache a user's password even if the user has not selected the "Save password" option. CVE-1999-0756 DESCRIPTION: ColdFusion Administrator with Advanced Security enabled allows remote users to stop the ColdFusion server via the Start/Stop utility. CVE-1999-0757 DESCRIPTION: The ColdFusion CFCRYPT program for encrypting CFML templates has weak encryption, allowing attackers to decrypt the templates. CVE-1999-0758 DESCRIPTION: Netscape Enterprise 3.5.1 and FastTrack 3.01 servers allow a remote attacker to view source code to scripts by appending a %20 to the script's URL. CVE-1999-0759 DESCRIPTION: Buffer overflow in FuseMAIL POP service via long USER and PASS commands. CVE-1999-0760 DESCRIPTION: Undocumented ColdFusion Markup Language (CFML) tags and functions in the ColdFusion Administrator allow users to gain additional privileges. CVE-1999-0761 DESCRIPTION: Buffer overflow in FreeBSD fts library routines allows local user to modify arbitrary files via the periodic program. CVE-1999-0762 DESCRIPTION: When Javascript is embedded within the TITLE tag, Netscape Communicator allows a remote attacker to use the "about" protocol to gain access to browser information. CVE-1999-0763 DESCRIPTION: NetBSD on a multi-homed host allows ARP packets on one network to modify ARP entries on another connected network. CVE-1999-0764 DESCRIPTION: NetBSD allows ARP packets to overwrite static ARP entries. CVE-1999-0765 DESCRIPTION: SGI IRIX midikeys program allows local users to modify arbitrary files via a text editor. CVE-1999-0766 DESCRIPTION: The Microsoft Java Virtual Machine allows a malicious Java applet to execute arbitrary commands outside of the sandbox environment. CVE-1999-0767 DESCRIPTION: Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES environmental variable. CVE-1999-0768 DESCRIPTION: Buffer overflow in Vixie Cron on Red Hat systems via the MAILTO environmental variable. CVE-1999-0769 DESCRIPTION: Vixie Cron on Linux systems allows local users to set parameters of sendmail commands via the MAILTO environmental variable. CVE-1999-0770 DESCRIPTION: Firewall-1 sets a long timeout for connections that begin with ACK or other packets except SYN, allowing an attacker to conduct a denial of service via a large number of connection attempts to unresponsive systems. CVE-1999-0771 DESCRIPTION: The web components of Compaq Management Agents and the Compaq Survey Utility allow a remote attacker to read arbitrary files via a .. (dot dot) attack. CVE-1999-0772 DESCRIPTION: Denial of service in Compaq Management Agents and the Compaq Survey Utility via a long string sent to port 2301. CVE-1999-0773 DESCRIPTION: Buffer overflow in Solaris lpset program allows local users to gain root access. CVE-1999-0774 DESCRIPTION: Buffer overflows in Mars NetWare Emulation (NWE, mars_nwe) package via long directory names. CVE-1999-0775 DESCRIPTION: Cisco Gigabit Switch routers running IOS allow remote attackers to forward unauthorized packets due to improper handling of the "established" keyword in an access list. CVE-1999-0776 DESCRIPTION: Alibaba HTTP server allows remote attackers to read files via a .. (dot dot) attack. CVE-1999-0777 DESCRIPTION: IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions. CVE-1999-0778 DESCRIPTION: Buffer overflow in Xi Graphics Accelerated-X server allows local users to gain root access via a long display or query parameter. CVE-1999-0779 DESCRIPTION: Denial of service in HP-UX SharedX recserv program. CVE-1999-0780 DESCRIPTION: KDE klock allows local users to kill arbitrary processes by specifying an arbitrary PID in the .kss.pid file. CVE-1999-0781 DESCRIPTION: KDE allows local users to execute arbitrary commands by setting the KDEDIR environmental variable to modify the search path that KDE uses to locate its executables. CVE-1999-0782 DESCRIPTION: KDE kppp allows local users to create a directory in an arbitrary location via the HOME environmental variable. CVE-1999-0783 DESCRIPTION: FreeBSD allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system. CVE-1999-0784 DESCRIPTION: Denial of service in Oracle TNSLSNR SQL*Net Listener via a malformed string to the listener port, aka NERP. CVE-1999-0785 DESCRIPTION: The INN inndstart program allows local users to gain root privileges via the "pathrun" parameter in the inn.conf file. CVE-1999-0786 DESCRIPTION: The dynamic linker in Solaris allows a local user to create arbitrary files via the LD_PROFILE environmental variable and a symlink attack. CVE-1999-0787 DESCRIPTION: The SSH authentication agent follows symlinks via a UNIX domain socket. CVE-1999-0788 DESCRIPTION: Arkiea nlservd allows remote attackers to conduct a denial of service. CVE-1999-0789 DESCRIPTION: Buffer overflow in AIX ftpd in the libc library. CVE-1999-0790 DESCRIPTION: A remote attacker can read information from a Netscape user's cache via JavaScript. CVE-1999-0791 DESCRIPTION: Hybrid Network cable modems do not include an authentication mechanism for administration, allowing remote attackers to compromise the system through the HSMP protocol. CVE-1999-0792 DESCRIPTION: ROUTERmate has a default SNMP community name which allows remote attackers to modify its configuration. CVE-1999-0793 DESCRIPTION: Internet Explorer allows remote attackers to read files by redirecting data to a Javascript applet. CVE-1999-0794 DESCRIPTION: Microsoft Excel does not warn a user when a macro is present in a Symbolic Link (SYLK) format file. CVE-1999-0795 DESCRIPTION: The NIS+ rpc.nisd server allows remote attackers to execute certain RPC calls without authentication to obtain system information, disable logging, or modify caches. CVE-1999-0796 DESCRIPTION: FreeBSD T/TCP Extensions for Transactions can be subjected to spoofing attacks. CVE-1999-0797 DESCRIPTION: NIS finger allows an attacker to conduct a denial of service via a large number of finger requests, resulting in a large number of NIS queries. CVE-1999-0798 DESCRIPTION: Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux systems via a malformed header type. CVE-1999-0799 DESCRIPTION: Buffer overflow in bootpd 2.4.3 and earlier via a long boot file location. CVE-1999-0800 DESCRIPTION: The GetFile.cfm file in Allaire Forums allows remote attackers to read files through a parameter to GetFile.cfm. CVE-1999-0801 DESCRIPTION: BMC Patrol allows remote attackers to gain access to an agent by spoofing frames. CVE-1999-0802 DESCRIPTION: Buffer overflow in Internet Explorer 5 allows remote attackers to execute commands via a malformed Favorites icon. CVE-1999-0803 DESCRIPTION: The fwluser script in AIX eNetwork Firewall allows local users to write to arbitrary files via a symlink attack. CVE-1999-0804 DESCRIPTION: Denial of service in Linux 2.2.x kernels via malformed ICMP packets containing unusual types, codes, and IP header lengths. CVE-1999-0805 DESCRIPTION: Novell NetWare Transaction Tracking System (TTS) in Novell 4.11 and earlier allows remote attackers to cause a denial of service via a large number of requests. CVE-1999-0806 DESCRIPTION: Buffer overflow in Solaris dtprintinfo program. CVE-1999-0807 DESCRIPTION: The Netscape Directory Server installation procedure leaves sensitive information in a file that is accessible to local users. CVE-1999-0808 DESCRIPTION: Multiple buffer overflows in ISC DHCP Distribution server (dhcpd) 1.0 and 2.0 allow a remote attacker to cause a denial of service (crash) and possibly execute arbitrary commands via long options. CVE-1999-0809 DESCRIPTION: Netscape Communicator 4.x with Javascript enabled does not warn a user of cookie settings, even if they have selected the option to "Only accept cookies originating from the same server as the page being viewed". CVE-1999-0810 DESCRIPTION: Denial of service in Samba NETBIOS name service daemon (nmbd). CVE-1999-0811 DESCRIPTION: Buffer overflow in Samba smbd program via a malformed message command. CVE-1999-0812 DESCRIPTION: Race condition in Samba smbmnt allows local users to mount file systems in arbitrary locations. CVE-1999-0813 DESCRIPTION: Cfingerd with ALLOW_EXECUTION enabled does not properly drop privileges when it executes a program on behalf of the user, allowing local users to gain root privileges. CVE-1999-0814 DESCRIPTION: Red Hat pump DHCP client allows remote attackers to gain root access in some configurations. CVE-1999-0815 DESCRIPTION: Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries. CVE-1999-0816 DESCRIPTION: The Motorola CableRouter allows any remote user to connect to and configure the router on port 1024. CVE-1999-0817 DESCRIPTION: Lynx WWW client allows a remote attacker to specify command-line parameters which Lynx uses when calling external programs to handle certain protocols, e.g. telnet. CVE-1999-0818 DESCRIPTION: Buffer overflow in Solaris kcms_configure via a long NETPATH environmental variable. CVE-1999-0819 DESCRIPTION: NTMail does not disable the VRFY command, even if the administrator has explicitly disabled it. CVE-1999-0820 DESCRIPTION: FreeBSD seyon allows users to gain privileges via a modified PATH variable for finding the xterm and seyon-emu commands. CVE-1999-0821 DESCRIPTION: FreeBSD seyon allows local users to gain privileges by providing a malicious program in the -emulator argument. CVE-1999-0822 DESCRIPTION: Buffer overflow in Qpopper (qpop) 3.0 allows remote root access via AUTH command. CVE-1999-0823 DESCRIPTION: Buffer overflow in FreeBSD xmindpath allows local users to gain privileges via -f argument. CVE-1999-0824 DESCRIPTION: A Windows NT user can use SUBST to map a drive letter to a folder, which is not unmapped after the user logs off, potentially allowing that user to modify the location of folders accessed by later users. CVE-1999-0825 DESCRIPTION: The default permissions for UnixWare /var/mail allow local users to read and modify other users' mail. CVE-1999-0826 DESCRIPTION: Buffer overflow in FreeBSD angband allows local users to gain privileges. CVE-1999-0827 DESCRIPTION: By default, Internet Explorer 5.0 and other versions enables the "Navigate sub-frames across different domains" option, which allows frame spoofing. CVE-1999-0828 DESCRIPTION: UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow local users to read arbitrary files via the dacread permission. CVE-1999-0829 DESCRIPTION: HP Secure Web Console uses weak encryption. CVE-1999-0830 DESCRIPTION: Buffer overflow in SCO UnixWare Xsco command via a long argument. CVE-1999-0831 DESCRIPTION: Denial of service in Linux syslogd via a large number of connections. CVE-1999-0832 DESCRIPTION: Buffer overflow in NFS server on Linux allows attackers to execute commands via a long pathname. CVE-1999-0833 DESCRIPTION: Buffer overflow in BIND 8.2 via NXT records. CVE-1999-0834 DESCRIPTION: Buffer overflow in RSAREF2 via the encryption and decryption functions in the RSAREF library. CVE-1999-0835 DESCRIPTION: Denial of service in BIND named via malformed SIG records. CVE-1999-0836 DESCRIPTION: UnixWare uidadmin allows local users to modify arbitrary files via a symlink attack. CVE-1999-0837 DESCRIPTION: Denial of service in BIND by improperly closing TCP sessions via so_linger. CVE-1999-0838 DESCRIPTION: Buffer overflow in Serv-U FTP 2.5 allows remote users to conduct a denial of service via the SITE command. CVE-1999-0839 DESCRIPTION: Windows NT Task Scheduler installed with Internet Explorer 5 allows a user to gain privileges by modifying the job after it has been scheduled. CVE-1999-0840 DESCRIPTION: Buffer overflow in CDE dtmail and dtmailpr programs allows local users to gain privileges via a long -f option. CVE-1999-0841 DESCRIPTION: Buffer overflow in CDE mailtool allows local users to gain root privileges via a long MIME Content-Type. CVE-1999-0842 DESCRIPTION: Symantec Mail-Gear 1.0 web interface server allows remote users to read arbitrary files via a .. (dot dot) attack. CVE-1999-0843 DESCRIPTION: Denial of service in Cisco routers running NAT via a PORT command from an FTP client to a Telnet port. CVE-1999-0844 DESCRIPTION: Denial of service in MDaemon WorldClient and WebConfig services via a long URL. CVE-1999-0845 DESCRIPTION: Buffer overflow in SCO su program allows local users to gain root access via a long username. CVE-1999-0846 DESCRIPTION: Denial of service in MDaemon 2.7 via a large number of connection attempts. CVE-1999-0847 DESCRIPTION: Buffer overflow in free internet chess server (FICS) program, xboard. CVE-1999-0848 DESCRIPTION: Denial of service in BIND named via consuming more than "fdmax" file descriptors. CVE-1999-0849 DESCRIPTION: Denial of service in BIND named via maxdname. CVE-1999-0850 DESCRIPTION: The default permissions for Endymion MailMan allow local users to read email or modify files. CVE-1999-0851 DESCRIPTION: Denial of service in BIND named via naptr. CVE-1999-0852 DESCRIPTION: IBM WebSphere sets permissions that allow a local user to modify a deinstallation script or its data files stored in /usr/bin. CVE-1999-0853 DESCRIPTION: Buffer overflow in Netscape Enterprise Server and Netscape FastTrack Server allows remote attackers to gain privileges via the HTTP Basic Authentication procedure. CVE-1999-0854 DESCRIPTION: Ultimate Bulletin Board stores data files in the cgi-bin directory, allowing remote attackers to view the data if an error occurs when the HTTP server attempts to execute the file. CVE-1999-0855 DESCRIPTION: Buffer overflow in FreeBSD gdc program. CVE-1999-0856 DESCRIPTION: login in Slackware 7.0 allows remote attackers to identify valid users on the system by reporting an encryption error when an account is locked or does not exist. CVE-1999-0857 DESCRIPTION: FreeBSD gdc program allows local users to modify files via a symlink attack. CVE-1999-0858 DESCRIPTION: Internet Explorer 5 allows a remote attacker to modify the IE client's proxy configuration via a malicious Web Proxy Auto-Discovery (WPAD) server. CVE-1999-0859 DESCRIPTION: Solaris arp allows local users to read files via the -f parameter, which lists lines in the file that do not parse properly. CVE-1999-0860 DESCRIPTION: Solaris chkperm allows local users to read files owned by bin via the VMSYS environmental variable and a symlink attack. CVE-1999-0861 DESCRIPTION: Race condition in the SSL ISAPI filter in IIS and other servers may leak information in plaintext. CVE-1999-0862 DESCRIPTION: Insecure directory permissions in RPM distribution for PostgreSQL allows local users to gain privileges by reading a plaintext password file. CVE-1999-0863 DESCRIPTION: Buffer overflow in FreeBSD seyon via HOME environmental variable, -emulator argument, -modems argument, or the GUI. CVE-1999-0864 DESCRIPTION: UnixWare programs that dump core allow a local user to modify files via a symlink attack on the ./core.pid file. CVE-1999-0865 DESCRIPTION: Buffer overflow in CommuniGatePro via a long string to the HTTP configuration port. CVE-1999-0866 DESCRIPTION: Buffer overflow in UnixWare xauto program allows local users to gain root privilege. CVE-1999-0867 DESCRIPTION: Denial of service in IIS 4.0 via a flood of HTTP requests with malformed headers. CVE-1999-0868 DESCRIPTION: ucbmail allows remote attackers to execute commands via shell metacharacters that are passed to it from INN. CVE-1999-0869 DESCRIPTION: Internet Explorer 3.x to 4.01 allows a remote attacker to insert malicious content into a frame of another web site, aka frame spoofing. CVE-1999-0870 DESCRIPTION: Internet Explorer 4.01 allows remote attackers to read arbitrary files by pasting a file name into the file upload control, aka untrusted scripted paste. CVE-1999-0871 DESCRIPTION: Internet Explorer 4.0 and 4.01 allow a remote attacker to read files via IE's cross frame security, aka the "Cross Frame Navigate" vulnerability. CVE-1999-0872 DESCRIPTION: Buffer overflow in Vixie cron allows local users to gain root access via a long MAILTO environment variable in a crontab file. CVE-1999-0873 DESCRIPTION: Buffer overflow in Skyfull mail server via MAIL FROM command. CVE-1999-0874 DESCRIPTION: Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions. CVE-1999-0875 DESCRIPTION: DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow remote attackers to modify their default routes. CVE-1999-0876 DESCRIPTION: Buffer overflow in Internet Explorer 4.0 via EMBED tag. CVE-1999-0877 DESCRIPTION: Internet Explorer 5 allows remote attackers to read files via an ExecCommand method called on an IFRAME. CVE-1999-0878 DESCRIPTION: Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via MAPPING_CHDIR. CVE-1999-0879 DESCRIPTION: Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via macro variables in a message file. CVE-1999-0880 DESCRIPTION: Denial of service in WU-FTPD via the SITE NEWER command, which does not free memory properly. CVE-1999-0881 DESCRIPTION: Falcon web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-1999-0882 DESCRIPTION: Falcon web server allows remote attackers to determine the absolute path of the web root via long file names. CVE-1999-0883 DESCRIPTION: Zeus web server allows remote attackers to read arbitrary files by specifying the file name in an option to the search engine. CVE-1999-0884 DESCRIPTION: The Zeus web server administrative interface uses weak encryption for its passwords. CVE-1999-0885 DESCRIPTION: Alibaba web server allows remote attackers to execute commands via a pipe character in a malformed URL. CVE-1999-0886 DESCRIPTION: The security descriptor for RASMAN allows users to point to an alternate location via the Windows NT Service Control Manager. CVE-1999-0887 DESCRIPTION: FTGate web interface server allows remote attackers to read files via a .. (dot dot) attack. CVE-1999-0888 DESCRIPTION: dbsnmp in Oracle Intelligent Agent allows local users to gain privileges by setting the ORACLE_HOME environmental variable, which dbsnmp uses to find the nmiconf.tcl script. CVE-1999-0889 DESCRIPTION: Cisco 675 routers running CBOS allow remote attackers to establish telnet sessions if an exec or superuser password has not been set. CVE-1999-0890 DESCRIPTION: iHTML Merchant allows remote attackers to obtain sensitive information or execute commands via a code parsing error. CVE-1999-0891 DESCRIPTION: The "download behavior" in Internet Explorer 5 allows remote attackers to read arbitrary files via a server-side redirect. CVE-1999-0892 DESCRIPTION: Buffer overflow in Netscape Communicator before 4.7 via a dynamic font whose length field is less than the size of the font. CVE-1999-0893 DESCRIPTION: userOsa in SCO OpenServer allows local users to corrupt files via a symlink attack. CVE-1999-0894 DESCRIPTION: Red Hat Linux screen program does not use Unix98 ptys, allowing local users to write to other terminals. CVE-1999-0895 DESCRIPTION: Firewall-1 does not properly restrict access to LDAP attributes. CVE-1999-0896 DESCRIPTION: Buffer overflow in RealNetworks RealServer administration utility allows remote attackers to execute arbitrary commands via a long username and password. CVE-1999-0897 DESCRIPTION: iChat ROOMS Webserver allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-1999-0898 DESCRIPTION: Buffer overflows in Windows NT 4.0 print spooler allow remote attackers to gain privileges or cause a denial of service via a malformed spooler request. CVE-1999-0899 DESCRIPTION: The Windows NT 4.0 print spooler allows a local user to execute arbitrary commands due to inappropriate permissions that allow the user to specify an alternate print provider. CVE-1999-0900 DESCRIPTION: Buffer overflow in rpc.yppasswdd allows a local user to gain privileges via MD5 hash generation. CVE-1999-0901 DESCRIPTION: ypserv allows a local user to modify the GECOS and login shells of other users. CVE-1999-0902 DESCRIPTION: ypserv allows local administrators to modify password tables. CVE-1999-0903 DESCRIPTION: genfilt in the AIX Packet Filtering Module does not properly filter traffic to destination ports greater than 32767. CVE-1999-0904 DESCRIPTION: Buffer overflow in BFTelnet allows remote attackers to cause a denial of service via a long username. CVE-1999-0905 DESCRIPTION: Denial of service in Axent Raptor firewall via malformed zero-length IP options. CVE-1999-0906 DESCRIPTION: Buffer overflow in sccw allows local users to gain root access via the HOME environmental variable. CVE-1999-0907 DESCRIPTION: sccw allows local users to read arbitrary files. CVE-1999-0908 DESCRIPTION: Denial of service in Solaris TCP streams driver via a malicious connection that causes the server to panic as a result of recursive calls to mutex_enter. CVE-1999-0909 DESCRIPTION: Multihomed Windows systems allow a remote attacker to bypass IP source routing restrictions via a malformed packet with IP options, aka the "Spoofed Route Pointer" vulnerability. CVE-1999-0910 DESCRIPTION: Microsoft Site Server and Commercial Internet System (MCIS) do not set an expiration for a cookie, which could then be cached by a proxy and inadvertently used by a different user. CVE-1999-0911 DESCRIPTION: Buffer overflow in ProFTPD, wu-ftpd, and beroftpd allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories. CVE-1999-0912 DESCRIPTION: FreeBSD VFS cache (vfs_cache) allows local users to cause a denial of service by opening a large number of files. CVE-1999-0913 DESCRIPTION: dfire.cgi script in Dragon-Fire IDS allows remote users to execute commands via shell metacharacters. CVE-1999-0914 DESCRIPTION: Buffer overflow in the FTP client in the Debian GNU/Linux netstd package. CVE-1999-0915 DESCRIPTION: URL Live! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-1999-0916 DESCRIPTION: WebTrends software stores account names and passwords in a file which does not have restricted access permissions. CVE-1999-0917 DESCRIPTION: The Preloader ActiveX control used by Internet Explorer allows remote attackers to read arbitrary files. CVE-1999-0918 DESCRIPTION: Denial of service in various Windows systems via malformed, fragmented IGMP packets. CVE-1999-0919 DESCRIPTION: A memory leak in a Motorola CableRouter allows remote attackers to conduct a denial of service via a large number of telnet connections. CVE-1999-0920 DESCRIPTION: Buffer overflow in the pop-2d POP daemon in the IMAP package allows remote attackers to gain privileges via the FOLD command. CVE-1999-0921 DESCRIPTION: BMC Patrol allows any remote attacker to flood its UDP port, causing a denial of service. CVE-1999-0922 DESCRIPTION: An example application in ColdFusion Server 4.0 allows remote attackers to view source code via the sourcewindow.cfm file. CVE-1999-0923 DESCRIPTION: Sample runnable code snippets in ColdFusion Server 4.0 allow remote attackers to read files, conduct a denial of service, or use the server as a proxy for other HTTP calls. CVE-1999-0924 DESCRIPTION: The Syntax Checker in ColdFusion Server 4.0 allows remote attackers to conduct a denial of service. CVE-1999-0925 DESCRIPTION: UnityMail allows remote attackers to conduct a denial of service via a large number of MIME headers. CVE-1999-0926 DESCRIPTION: Apache allows remote attackers to conduct a denial of service via a large number of MIME headers. CVE-1999-0927 DESCRIPTION: NTMail allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-1999-0928 DESCRIPTION: Buffer overflow in SmartDesk WebSuite allows remote attackers to cause a denial of service via a long URL. CVE-1999-0929 DESCRIPTION: Novell NetWare with Novell-HTTP-Server or YAWN web servers allows remote attackers to conduct a denial of service via a large number of HTTP GET requests. CVE-1999-0930 DESCRIPTION: wwwboard allows a remote attacker to delete message board articles via a malformed argument. CVE-1999-0931 DESCRIPTION: Buffer overflow in Mediahouse Statistics Server allows remote attackers to execute commands. CVE-1999-0932 DESCRIPTION: Mediahouse Statistics Server allows remote attackers to read the administrator password, which is stored in cleartext in the ss.cfg file. CVE-1999-0933 DESCRIPTION: TeamTrack web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-1999-0934 DESCRIPTION: classifieds.cgi allows remote attackers to read arbitrary files via shell metacharacters. CVE-1999-0935 DESCRIPTION: classifieds.cgi allows remote attackers to execute arbitrary commands by specifying them in a hidden variable in a CGI form. CVE-1999-0936 DESCRIPTION: BNBSurvey survey.cgi program allows remote attackers to execute commands via shell metacharacters. CVE-1999-0937 DESCRIPTION: BNBForm allows remote attackers to read arbitrary files via the automessage hidden form variable. CVE-1999-0938 DESCRIPTION: MBone SDR Package allows remote attackers to execute commands via shell metacharacters in Session Initiation Protocol (SIP) messages. CVE-1999-0939 DESCRIPTION: Denial of service in Debian IRC Epic/epic4 client via a long string. CVE-1999-0940 DESCRIPTION: Buffer overflow in mutt mail client allows remote attackers to execute commands via malformed MIME messages. CVE-1999-0941 DESCRIPTION: Mutt mail client allows a remote attacker to execute commands via shell metacharacters. CVE-1999-0942 DESCRIPTION: UnixWare dos7utils allows a local user to gain root privileges by using the STATICMERGE environmental variable to find a script which it executes. CVE-1999-0943 DESCRIPTION: Buffer overflow in OpenLink 3.2 allows remote attackers to gain privileges via a long GET request to the web configurator. CVE-1999-0944 DESCRIPTION: IBM WebSphere ikeyman tool uses weak encryption to store a password for a key database that is used for SSL connections. CVE-1999-0945 DESCRIPTION: Buffer overflow in Internet Mail Service (IMS) for Microsoft Exchange 5.5 and 5.0 allows remote attackers to conduct a denial of service via AUTH or AUTHINFO commands. CVE-1999-0946 DESCRIPTION: Buffer overflow in Yamaha MidiPlug via a Text variable in an EMBED tag. CVE-1999-0947 DESCRIPTION: AN-HTTPd provides example CGI scripts test.bat, input.bat, input2.bat, and envout.bat, which allow remote attackers to execute commands via shell metacharacters. CVE-1999-0948 DESCRIPTION: Buffer overflow in uum program for Canna input system allows local users to gain root privileges. CVE-1999-0949 DESCRIPTION: Buffer overflow in canuum program for Canna input system allows local users to gain root privileges. CVE-1999-0950 DESCRIPTION: Buffer overflow in WFTPD FTP server allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories. CVE-1999-0951 DESCRIPTION: Buffer overflow in OmniHTTPd CGI program imagemap.exe allows remote attackers to execute commands. CVE-1999-0952 DESCRIPTION: Buffer overflow in Solaris lpstat via class argument allows local users to gain root access. CVE-1999-0953 DESCRIPTION: WWWBoard stores encrypted passwords in a password file that is under the web root and thus accessible by remote attackers. CVE-1999-0954 DESCRIPTION: WWWBoard has a default username and default password. CVE-1999-0955 DESCRIPTION: Race condition in wu-ftpd and BSDI ftpd allows remote attackers to gain root access via the SITE EXEC command. CVE-1999-0956 DESCRIPTION: The NeXT NetInfo _writers property allows local users to gain root privileges or conduct a denial of service. CVE-1999-0957 DESCRIPTION: MajorCool mj_key_cache program allows local users to modify files via a symlink attack. CVE-1999-0958 DESCRIPTION: sudo 1.5.x allows local users to execute arbitrary commands via a .. (dot dot) attack. CVE-1999-0959 DESCRIPTION: IRIX startmidi program allows local users to modify arbitrary files via a symlink attack. CVE-1999-0960 DESCRIPTION: IRIX cdplayer allows local users to create directories in arbitrary locations via a command line option. CVE-1999-0961 DESCRIPTION: HPUX sysdiag allows local users to gain root privileges via a symlink attack during log file creation. CVE-1999-0962 DESCRIPTION: Buffer overflow in HPUX passwd command allows local users to gain root privileges via a command line option. CVE-1999-0963 DESCRIPTION: FreeBSD mount_union command allows local users to gain root privileges via a symlink attack. CVE-1999-0964 DESCRIPTION: Buffer overflow in FreeBSD setlocale in the libc module allows attackers to execute arbitrary code via a long PATH_LOCALE environment variable. CVE-1999-0965 DESCRIPTION: Race condition in xterm allows local users to modify arbitrary files via the logging option. CVE-1999-0966 DESCRIPTION: Buffer overflow in Solaris getopt in libc allows local users to gain root privileges via a long argv[0]. CVE-1999-0967 DESCRIPTION: Buffer overflow in the HTML library used by Internet Explorer, Outlook Express, and Windows Explorer via the res: local resource protocol. CVE-1999-0968 DESCRIPTION: Buffer overflow in BNC IRC proxy allows remote attackers to gain privileges. CVE-1999-0969 DESCRIPTION: The Windows NT RPC service allows remote attackers to conduct a denial of service using spoofed malformed RPC packets which generate an error message that is sent to the spoofed host, potentially setting up a loop, aka Snork. CVE-1999-0970 DESCRIPTION: The OmniHTTPD visadmin.exe program allows a remote attacker to conduct a denial of service via a malformed URL which causes a large number of temporary files to be created. CVE-1999-0971 DESCRIPTION: Buffer overflow in Exim allows local users to gain root privileges via a long :include: option in a .forward file. CVE-1999-0972 DESCRIPTION: Buffer overflow in Xshipwars xsw program. CVE-1999-0973 DESCRIPTION: Buffer overflow in Solaris snoop program allows remote attackers to gain root privileges via a long domain name when snoop is running in verbose mode. CVE-1999-0974 DESCRIPTION: Buffer overflow in Solaris snoop allows remote attackers to gain root privileges via GETQUOTA requests to the rpc.rquotad service. CVE-1999-0975 DESCRIPTION: The Windows help system can allow a local user to execute commands as another user by editing a table of contents metafile with a .CNT extension and modifying the topic action to include the commands to be executed when the .hlp file is accessed. CVE-1999-0976 DESCRIPTION: Sendmail allows local users to reinitialize the aliases database via the newaliases command, then cause a denial of service by interrupting Sendmail. CVE-1999-0977 DESCRIPTION: Buffer overflow in Solaris sadmind allows remote attackers to gain root privileges using a NETMGT_PROC_SERVICE request. CVE-1999-0978 DESCRIPTION: htdig allows remote attackers to execute commands via filenames with shell metacharacters. CVE-1999-0979 DESCRIPTION: The SCO UnixWare privileged process system allows local users to gain root privileges by using a debugger such as gdb to insert traps into _init before the privileged process is executed. CVE-1999-0980 DESCRIPTION: Windows NT Service Control Manager (SCM) allows remote attackers to cause a denial of service via a malformed argument in a resource enumeration request. CVE-1999-0981 DESCRIPTION: Internet Explorer 5.01 and earlier allows a remote attacker to create a reference to a client window and use a server-side redirect to access local files via that window, aka "Server-side Page Reference Redirect." CVE-1999-0982 DESCRIPTION: The Sun Web-Based Enterprise Management (WBEM) installation script stores a password in plaintext in a world readable file. CVE-1999-0983 DESCRIPTION: Whois Internic Lookup program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry. CVE-1999-0984 DESCRIPTION: Matt's Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry. CVE-1999-0985 DESCRIPTION: CC Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry. CVE-1999-0986 DESCRIPTION: The ping command in Linux 2.0.3x allows local users to cause a denial of service by sending large packets with the -R (record route) option. CVE-1999-0987 DESCRIPTION: Windows NT does not properly download a system policy if the domain user logs into the domain with a space at the end of the domain name. CVE-1999-0988 DESCRIPTION: UnixWare pkgtrans allows local users to read arbitrary files via a symlink attack. CVE-1999-0989 DESCRIPTION: Buffer overflow in Internet Explorer 5 directshow filter (MSDXM.OCX) allows remote attackers to execute commands via the vnd.ms.radio protocol. CVE-1999-0990 DESCRIPTION: Error messages generated by gdm with the VerboseAuth setting allows an attacker to identify valid users on a system. CVE-1999-0991 DESCRIPTION: Buffer overflow in GoodTech Telnet Server NT allows remote users to cause a denial of service via a long login name. CVE-1999-0992 DESCRIPTION: HP VirtualVault with the PHSS_17692 patch allows unprivileged processes to bypass access restrictions via the Trusted Gateway Proxy (TGP). CVE-1999-0993 DESCRIPTION: Modifications to ACLs (Access Control Lists) in Microsoft Exchange 5.5 do not take effect until the directory store cache is refreshed. CVE-1999-0994 DESCRIPTION: Windows NT with SYSKEY reuses the keystream that is used for encrypting SAM password hashes, allowing an attacker to crack passwords. CVE-1999-0995 DESCRIPTION: Windows NT Local Security Authority (LSA) allows remote attackers to cause a denial of service via malformed arguments to the LsaLookupSids function which looks up the SID, aka "Malformed Security Identifier Request." CVE-1999-0996 DESCRIPTION: Buffer overflow in Infoseek Ultraseek search engine allows remote attackers to execute commands via a long GET request. CVE-1999-0997 DESCRIPTION: wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress. CVE-1999-0998 DESCRIPTION: Cisco Cache Engine allows an attacker to replace content in the cache. CVE-1999-0999 DESCRIPTION: Microsoft SQL 7.0 server allows a remote attacker to cause a denial of service via a malformed TDS packet. CVE-1999-1000 DESCRIPTION: The web administration interface for Cisco Cache Engine allows remote attackers to view performance statistics. CVE-1999-1001 DESCRIPTION: Cisco Cache Engine allows a remote attacker to gain access via a null username and password. CVE-1999-1002 DESCRIPTION: Netscape Navigator uses weak encryption for storing a user's Netscape mail password. CVE-1999-1003 DESCRIPTION: War FTP Daemon 1.70 allows remote attackers to cause a denial of service by flooding it with connections. CVE-1999-1004 DESCRIPTION: Buffer overflow in the POP server POProxy for the Norton Anti-Virus protection NAV2000 program via a large USER command. CVE-1999-1005 DESCRIPTION: Groupwise web server GWWEB.EXE allows remote attackers to read arbitrary files with .htm extensions via a .. (dot dot) attack using the HELP parameter. CVE-1999-1006 DESCRIPTION: Groupwise web server GWWEB.EXE allows remote attackers to determine the real path of the web server via the HELP parameter. CVE-1999-1007 DESCRIPTION: Buffer overflow in VDO Live Player allows remote attackers to execute commands on the VDO client via a malformed .vdo file. CVE-1999-1008 DESCRIPTION: xsoldier program allows local users to gain root access via a long argument. CVE-1999-1009 DESCRIPTION: The Disney Go Express Search allows remote attackers to access and modify search information for users by connecting to an HTTP server on the user's system. CVE-1999-1010 DESCRIPTION: An SSH 1.2.27 server allows a client to use the "none" cipher, even if it is not allowed by the server policy. CVE-1999-1011 DESCRIPTION: The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands. CVE-1999-1012 DESCRIPTION: SMTP component of Lotus Domino 4.6.1 on AS/400, and possibly other operating systems, allows a remote attacker to crash the mail server via a long string. CVE-1999-1013 DESCRIPTION: named-xfer in AIX 4.1.5 and 4.2.1 allows members of the system group to overwrite system files to gain root access via the -f parameter and a malformed zone file. CVE-1999-1014 DESCRIPTION: Buffer overflow in mail command in Solaris 2.7 and 2.7 allows local users to gain privileges via a long -m argument. CVE-1999-1015 DESCRIPTION: Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and earlier allows a remote attacker to cause a denial of service (crash) via a long HELO command. CVE-1999-1016 DESCRIPTION: Microsoft HTML control as used in (1) Internet Explorer 5.0, (2) FrontPage Express, (3) Outlook Express 5, and (4) Eudora, and possibly others, allows remote malicious web site or HTML emails to cause a denial of service (100% CPU consumption) via large HTML form fields such as text inputs in a table cell. CVE-1999-1017 DESCRIPTION: Seattle Labs Emurl 2.0, and possibly earlier versions, stores e-mail attachments in a specific directory with scripting enabled, which allows a malicious ASP file attachment to execute when the recipient opens the message. CVE-1999-1018 DESCRIPTION: IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP fragments before checking the header information, which allows a remote attacker to bypass the filtering rules using several fragments with 0 offsets. CVE-1999-1019 DESCRIPTION: SpectroSERVER in Cabletron Spectrum Enterprise Manager 5.0 installs a directory tree with insecure permissions, which allows local users to replace a privileged executable (processd) with a Trojan horse, facilitating a root or Administrator compromise. CVE-1999-1020 DESCRIPTION: The installation of Novell Netware NDS 5.99 provides an unauthenticated client with Read access for the tree, which allows remote attackers to access sensitive information such as users, groups, and readable objects via CX.EXE and NLIST.EXE. CVE-1999-1021 DESCRIPTION: NFS on SunOS 4.1 through 4.1.2 ignores the high order 16 bits in a 32 bit UID, which allows a local user to gain root access if the lower 16 bits are set to 0, as fixed by the NFS jumbo patch upgrade. CVE-1999-1022 DESCRIPTION: serial_ports administrative program in IRIX 4.x and 5.x trusts the user's PATH environmental variable to find and execute the ls program, which allows local users to gain root privileges via a Trojan horse ls program. CVE-1999-1023 DESCRIPTION: useradd in Solaris 7.0 does not properly interpret certain date formats as specified in the "-e" (expiration date) argument, which could allow users to login after their accounts have expired. CVE-1999-1024 DESCRIPTION: ip_print procedure in Tcpdump 3.4a allows remote attackers to cause a denial of service via a packet with a zero length header, which causes an infinite loop and core dump when tcpdump prints the packet. CVE-1999-1025 DESCRIPTION: CDE screen lock program (screenlock) on Solaris 2.6 does not properly lock an unprivileged user's console session when the host is an NIS+ client, which allows others with physical access to login with any string. CVE-1999-1026 DESCRIPTION: aspppd on Solaris 2.5 x86 allows local users to modify arbitrary files and gain root privileges via a symlink attack on the /tmp/.asppp.fifo file. CVE-1999-1027 DESCRIPTION: Solaris 2.6 HW3/98 installs admintool with world-writable permissions, which allows local users to gain privileges by replacing it with a Trojan horse program. CVE-1999-1028 DESCRIPTION: Symantec pcAnywhere 8.0 allows remote attackers to cause a denial of service (CPU utilization) via a large amount of data to port 5631. CVE-1999-1029 DESCRIPTION: SSH server (sshd2) before 2.0.12 does not properly record login attempts if the connection is closed before the maximum number of tries, allowing a remote attacker to guess the password without showing up in the audit logs. CVE-1999-1030 DESCRIPTION: counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via an HTTP request that ends in %0A (newline), which causes a malformed entry in the counter log that produces an access violation. CVE-1999-1031 DESCRIPTION: counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via a long argument. CVE-1999-1032 DESCRIPTION: Vulnerability in LAT/Telnet Gateway (lattelnet) on Ultrix 4.1 and 4.2 allows attackers to gain root privileges. CVE-1999-1033 DESCRIPTION: Microsoft Outlook Express before 4.72.3612.1700 allows a malicious user to send a message that contains a .., which can inadvertently cause Outlook to re-enter POP3 command mode and cause the POP3 session to hang. CVE-1999-1034 DESCRIPTION: Vulnerability in login in AT&T System V Release 4 allows local users to gain privileges. CVE-1999-1035 DESCRIPTION: IIS 3.0 and 4.0 on x86 and Alpha allows remote attackers to cause a denial of service (hang) via a malformed GET request, aka the IIS "GET" vulnerability. CVE-1999-1036 DESCRIPTION: COPS 1.04 allows local users to overwrite or create arbitrary files via a symlink attack on temporary files in (1) res_diff, (2) ca.src, and (3) mail.chk. CVE-1999-1037 DESCRIPTION: rex.satan in SATAN 1.1.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/rex.$$ file. CVE-1999-1038 DESCRIPTION: Tiger 2.2.3 allows local users to overwrite arbitrary files via a symlink attack on various temporary files in Tiger's default working directory, as defined by the WORKDIR variable. CVE-1999-1039 DESCRIPTION: Vulnerability in (1) diskalign and (2) diskperf in IRIX 6.4 patches 2291 and 2848 allow a local user to create root-owned files leading to a root compromise. CVE-1999-1040 DESCRIPTION: Vulnerabilities in (1) ipxchk and (2) ipxlink in NetWare Client 1.0 on IRIX 6.3 and 6.4 allows local users to gain root access via a modified IFS environmental variable. CVE-1999-1041 DESCRIPTION: Buffer overflow in mscreen on SCO OpenServer 5.0 and SCO UNIX 3.2v4 allows a local user to gain root access via (1) a long TERM environmental variable and (2) a long entry in the .mscreenrc file. CVE-1999-1042 DESCRIPTION: Cisco Resource Manager (CRM) 1.0 and 1.1 creates world-readable log files and temporary files, which may expose sensitive information, to local users such as user IDs, passwords and SNMP community strings. CVE-1999-1043 DESCRIPTION: Microsoft Exchange Server 5.5 and 5.0 does not properly handle (1) malformed NNTP data, or (2) malformed SMTP data, which allows remote attackers to cause a denial of service (application error). CVE-1999-1044 DESCRIPTION: Vulnerability in Advanced File System Utility (advfs) in Digital UNIX 4.0 through 4.0d allows local users to gain privileges. CVE-1999-1045 DESCRIPTION: pnserver in RealServer 5.0 and earlier allows remote attackers to cause a denial of service by sending a short, malformed request. CVE-1999-1046 DESCRIPTION: Buffer overflow in IMonitor in IMail 5.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 8181. CVE-1999-1047 DESCRIPTION: When BSDI patches for Gauntlet 5.0 BSDI are installed in a particular order, Gauntlet allows remote attackers to bypass firewall access restrictions, and does not log the activities. CVE-1999-1048 DESCRIPTION: Buffer overflow in bash 2.0.0, 1.4.17, and other versions allows local attackers to gain privileges by creating an extremely large directory name, which is inserted into the password prompt via the \w option in the PS1 environmental variable when another user changes into that directory. CVE-1999-1049 DESCRIPTION: ARCserve NT agents use weak encryption (XOR) for passwords, which allows remote attackers to sniff the authentication request to port 6050 and decrypt the password. CVE-1999-1050 DESCRIPTION: Directory traversal vulnerability in Matt Wright FormHandler.cgi script allows remote attackers to read arbitrary files via (1) a .. (dot dot) in the reply_message_attach attachment parameter, or (2) by specifying the filename as a template. CVE-1999-1051 DESCRIPTION: Default configuration in Matt Wright FormHandler.cgi script allows arbitrary directories to be used for attachments, and only restricts access to the /etc/ directory, which allows remote attackers to read arbitrary files via the reply_message_attach attachment parameter. CVE-1999-1052 DESCRIPTION: Microsoft FrontPage stores form results in a default location in /_private/form_results.txt, which is world-readable and accessible in the document root, which allows remote attackers to read possibly sensitive information submitted by other users. CVE-1999-1053 DESCRIPTION: guestbook.pl cleanses user-inserted SSI commands by removing text between "" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "-->". CVE-1999-1054 DESCRIPTION: The default configuration of FLEXlm license manager 6.0d, and possibly other versions, allows remote attackers to shut down the server via the lmdown command. CVE-1999-1055 DESCRIPTION: Microsoft Excel 97 does not warn the user before executing worksheet functions, which could allow attackers to execute arbitrary commands by using the CALL function to execute a malicious DLL, aka the Excel "CALL Vulnerability." CVE-1999-1056 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1395. Reason: This candidate is a duplicate of CVE-1999-1395. Notes: All CVE users should reference CVE-1999-1395 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-1999-1057 DESCRIPTION: VMS 4.0 through 5.3 allows local users to gain privileges via the ANALYZE/PROCESS_DUMP dcl command. CVE-1999-1058 DESCRIPTION: Buffer overflow in Vermillion FTP Daemon VFTPD 1.23 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via several long CWD commands. CVE-1999-1059 DESCRIPTION: Vulnerability in rexec daemon (rexecd) in AT&T TCP/IP 4.0 for various SVR4 systems allows remote attackers to execute arbitrary commands. CVE-1999-1060 DESCRIPTION: Buffer overflow in Tetrix TetriNet daemon 1.13.16 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by connecting to port 31457 from a host with a long DNS hostname. CVE-1999-1061 DESCRIPTION: HP Laserjet printers with JetDirect cards, when configured with TCP/IP, can be configured without a password, which allows remote attackers to connect to the printer and change its IP address or disable logging. CVE-1999-1062 DESCRIPTION: HP Laserjet printers with JetDirect cards, when configured with TCP/IP, allow remote attackers to bypass print filters by directly sending PostScript documents to TCP ports 9099 and 9100. CVE-1999-1063 DESCRIPTION: CDomain whois_raw.cgi whois CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the fqdn parameter. CVE-1999-1064 DESCRIPTION: Multiple buffer overflows in WindowMaker 0.52 through 0.60.0 allow attackers to cause a denial of service and possibly execute arbitrary commands by executing WindowMaker with a long program name (argv[0]). CVE-1999-1065 DESCRIPTION: Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 14238 while the manager is in network mode. CVE-1999-1066 DESCRIPTION: Quake 1 server responds to an initial UDP game connection request with a large amount of traffic, which allows remote attackers to use the server as an amplifier in a "Smurf" style attack on another host, by spoofing the connection request. CVE-1999-1067 DESCRIPTION: SGI MachineInfo CGI program, installed by default on some web servers, prints potentially sensitive system status information, which could be used by remote attackers for information gathering activities. CVE-1999-1068 DESCRIPTION: Oracle Webserver 2.1, when serving PL/SQL stored procedures, allows remote attackers to cause a denial of service via a long HTTP GET request. CVE-1999-1069 DESCRIPTION: Directory traversal vulnerability in carbo.dll in iCat Carbo Server 3.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the icatcommand parameter. CVE-1999-1070 DESCRIPTION: Buffer overflow in ping CGI program in Xylogics Annex terminal service allows remote attackers to cause a denial of service via a long query parameter. CVE-1999-1071 DESCRIPTION: Excite for Web Servers (EWS) 1.1 installs the Architext.conf authentication file with world-writeable permissions, which allows local users to gain access to Excite accounts by modifying the file. CVE-1999-1072 DESCRIPTION: Excite for Web Servers (EWS) 1.1 allows local users to gain privileges by obtaining the encrypted password from the world-readable Architext.conf authentication file and replaying the encrypted password in an HTTP request to AT-generated.cgi or AT-admin.cgi. CVE-1999-1073 DESCRIPTION: Excite for Web Servers (EWS) 1.1 records the first two characters of a plaintext password in the beginning of the encrypted password, which makes it easier for an attacker to guess passwords via a brute force or dictionary attack. CVE-1999-1074 DESCRIPTION: Webmin before 0.5 does not restrict the number of invalid passwords that are entered for a valid username, which could allow remote attackers to gain privileges via brute force password cracking. CVE-1999-1075 DESCRIPTION: inetd in AIX 4.1.5 dynamically assigns a port N when starting ttdbserver (ToolTalk server), but also inadvertently listens on port N-1 without passing control to ttdbserver, which allows remote attackers to cause a denial of service via a large number of connections to port N-1, which are not properly closed by inetd. CVE-1999-1076 DESCRIPTION: Idle locking function in MacOS 9 allows local users to bypass the password protection of idled sessions by selecting the "Log Out" option and selecting a "Cancel" option in the dialog box for an application that attempts to verify that the user wants to log out, which returns the attacker into the locked session. CVE-1999-1077 DESCRIPTION: Idle locking function in MacOS 9 allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock. CVE-1999-1078 DESCRIPTION: WS_FTP Pro 6.0 uses weak encryption for passwords in its initialization files, which allows remote attackers to easily decrypt the passwords and gain privileges. CVE-1999-1079 DESCRIPTION: Vulnerability in ptrace in AIX 4.3 allows local users to gain privileges by attaching to a setgid program. CVE-1999-1080 DESCRIPTION: rmmount in SunOS 5.7 may mount file systems without the nosuid flag set, contrary to the documentation and its use in previous versions of SunOS, which could allow local users with physical access to gain root privileges by mounting a floppy or CD-ROM that contains a setuid program and running volcheck, when the file systems do not have the nosuid option specified in rmmount.conf. CVE-1999-1081 DESCRIPTION: Vulnerability in files.pl script in Novell WebServer Examples Toolkit 2 allows remote attackers to read arbitrary files. CVE-1999-1082 DESCRIPTION: Directory traversal vulnerability in Jana proxy web server 1.40 allows remote attackers to ready arbitrary files via a "......" (modified dot dot) attack. CVE-1999-1083 DESCRIPTION: Directory traversal vulnerability in Jana proxy web server 1.45 allows remote attackers to ready arbitrary files via a .. (dot dot) attack. CVE-1999-1084 DESCRIPTION: The "AEDebug" registry key is installed with insecure permissions, which allows local users to modify the key to specify a Trojan Horse debugger which is automatically executed on a system crash. CVE-1999-1085 DESCRIPTION: SSH 1.2.25, 1.2.23, and other versions, when used in in CBC (Cipher Block Chaining) or CFB (Cipher Feedback 64 bits) modes, allows remote attackers to insert arbitrary data into an existing stream between an SSH client and server by using a known plaintext attack and computing a valid CRC-32 checksum for the packet, aka the "SSH insertion attack." CVE-1999-1086 DESCRIPTION: Novell 5 and earlier, when running over IPX with a packet signature level less than 3, allows remote attackers to gain administrator privileges by spoofing the MAC address in IPC fragmented packets that make NetWare Core Protocol (NCP) calls. CVE-1999-1087 DESCRIPTION: Internet Explorer 4 treats a 32-bit number ("dotless IP address") in the a URL as the hostname instead of an IP address, which causes IE to apply Local Intranet Zone settings to the resulting web page, allowing remote malicious web servers to conduct unauthorized activities by using URLs that contain the dotless IP address for their server. CVE-1999-1088 DESCRIPTION: Vulnerability in chsh command in HP-UX 9.X through 10.20 allows local users to gain privileges. CVE-1999-1089 DESCRIPTION: Buffer overflow in chfn command in HP-UX 9.X through 10.20 allows local users to gain privileges via a long command line argument. CVE-1999-1090 DESCRIPTION: The default configuration of NCSA Telnet package for Macintosh and PC enables FTP, even though it does not include an "ftp=yes" line, which allows remote attackers to read and modify arbitrary files. CVE-1999-1091 DESCRIPTION: UNIX news readers tin and rtin create the /tmp/.tin_log file with insecure permissions and follow symlinks, which allows attackers to modify the permissions of files writable by the user via a symlink attack. CVE-1999-1092 DESCRIPTION: tin 1.40 creates the .tin directory with insecure permissions, which allows local users to read passwords from the .inputhistory file. CVE-1999-1093 DESCRIPTION: Buffer overflow in the Window.External function in the JScript Scripting Engine in Internet Explorer 4.01 SP1 and earlier allows remote attackers to execute arbitrary commands via a malicious web page. CVE-1999-1094 DESCRIPTION: Buffer overflow in Internet Explorer 4.01 and earlier allows remote attackers to execute arbitrary commands via a long URL with the "mk:" protocol, aka the "MK Overrun security issue." CVE-1999-1095 DESCRIPTION: sort creates temporary files and follows symbolic links, which allows local users to modify arbitrary files that are writable by the user running sort, as observed in updatedb and other programs that use sort. CVE-1999-1096 DESCRIPTION: Buffer overflow in kscreensaver in KDE klock allows local users to gain root privileges via a long HOME environmental variable. CVE-1999-1097 DESCRIPTION: Microsoft NetMeeting 2.1 allows one client to read the contents of another client's clipboard via a CTRL-C in the chat box when the box is empty. CVE-1999-1098 DESCRIPTION: Vulnerability in BSD Telnet client with encryption and Kerberos 4 authentication allows remote attackers to decrypt the session via sniffing. CVE-1999-1099 DESCRIPTION: Kerberos 4 allows remote attackers to obtain sensitive information via a malformed UDP packet that generates an error string that inadvertently includes the realm name and the last user. CVE-1999-1100 DESCRIPTION: Cisco PIX Private Link 4.1.6 and earlier does not properly process certain commands in the configuration file, which reduces the effective key length of the DES key to 48 bits instead of 56 bits, which makes it easier for an attacker to find the proper key via a brute force attack. CVE-1999-1101 DESCRIPTION: Kabsoftware Lydia utility uses weak encryption to store user passwords in the lydia.ini file, which allows local users to easily decrypt the passwords and gain privileges. CVE-1999-1102 DESCRIPTION: lpr on SunOS 4.1.1, BSD 4.3, A/UX 2.0.1, and other BSD-based operating systems allows local users to create or overwrite arbitrary files via a symlink attack that is triggered after invoking lpr 1000 times. CVE-1999-1103 DESCRIPTION: dxconsole in DEC OSF/1 3.2C and earlier allows local users to read arbitrary files by specifying the file with the -file parameter. CVE-1999-1104 DESCRIPTION: Windows 95 uses weak encryption for the password list (.pwl) file used when password caching is enabled, which allows local users to gain privileges by decrypting the passwords. CVE-1999-1105 DESCRIPTION: Windows 95, when Remote Administration and File Sharing for NetWare Networks is enabled, creates a share (C$) when an administrator logs in remotely, which allows remote attackers to read arbitrary files by mapping the network drive. CVE-1999-1106 DESCRIPTION: Buffer overflow in kppp in KDE allows local users to gain root access via a long -c (account_name) command line argument. CVE-1999-1107 DESCRIPTION: Buffer overflow in kppp in KDE allows local users to gain root access via a long PATH environmental variable. CVE-1999-1108 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1107. Reason: This candidate is a duplicate of CVE-1999-1107. Notes: All CVE users should reference CVE-1999-1107 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-1999-1109 DESCRIPTION: Sendmail before 8.10.0 allows remote attackers to cause a denial of service by sending a series of ETRN commands then disconnecting from the server, while Sendmail continues to process the commands after the connection has been terminated. CVE-1999-1110 DESCRIPTION: Windows Media Player ActiveX object as used in Internet Explorer 5.0 returns a specific error code when a file does not exist, which allows remote malicious web sites to determine the existence of files on the client. CVE-1999-1111 DESCRIPTION: Vulnerability in StackGuard before 1.21 allows remote attackers to bypass the Random and Terminator Canary security mechanisms by using a non-linear attack which directly modifies a pointer to a return address instead of using a buffer overflow to reach the return address entry itself. CVE-1999-1112 DESCRIPTION: Buffer overflow in IrfanView32 3.07 and earlier allows attackers to execute arbitrary commands via a long string after the "8BPS" image type in a Photo Shop image header. CVE-1999-1113 DESCRIPTION: Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier on MacOS systems allows remote attackers to cause a denial of service via a long USER command to port 106. CVE-1999-1114 DESCRIPTION: Buffer overflow in Korn Shell (ksh) suid_exec program on IRIX 6.x and earlier, and possibly other operating systems, allows local users to gain root privileges. CVE-1999-1115 DESCRIPTION: Vulnerability in the /etc/suid_exec program in HP Apollo Domain/OS sr10.2 and sr10.3 beta, related to the Korn Shell (ksh). CVE-1999-1116 DESCRIPTION: Vulnerability in runpriv in Indigo Magic System Administration subsystem of SGI IRIX 6.3 and 6.4 allows local users to gain root privileges. CVE-1999-1117 DESCRIPTION: lquerypv in AIX 4.1 and 4.2 allows local users to read arbitrary files by specifying the file in the -h command line parameter. CVE-1999-1118 DESCRIPTION: ndd in Solaris 2.6 allows local users to cause a denial of service by modifying certain TCP/IP parameters. CVE-1999-1119 DESCRIPTION: FTP installation script anon.ftp in AIX insecurely configures anonymous FTP, which allows remote attackers to execute arbitrary commands. CVE-1999-1120 DESCRIPTION: netprint in SGI IRIX 6.4 and earlier trusts the PATH environmental variable for finding and executing the disable program, which allows local users to gain privileges. CVE-1999-1121 DESCRIPTION: The default configuration for UUCP in AIX before 3.2 allows local users to gain root privileges. CVE-1999-1122 DESCRIPTION: Vulnerability in restore in SunOS 4.0.3 and earlier allows local users to gain privileges. CVE-1999-1123 DESCRIPTION: The installation of Sun Source (sunsrc) tapes allows local users to gain root privileges via setuid root programs (1) makeinstall or (2) winstall. CVE-1999-1124 DESCRIPTION: HTTP Client application in ColdFusion allows remote attackers to bypass access restrictions for web pages on other ports by providing the target page to the mainframeset.cfm application, which requests the page from the server, making it look like the request is coming from the local host. CVE-1999-1125 DESCRIPTION: Oracle Webserver 2.1 and earlier runs setuid root, but the configuration file is owned by the oracle account, which allows any local or remote attacker who obtains access to the oracle account to gain privileges or modify arbitrary files by modifying the configuration file. CVE-1999-1126 DESCRIPTION: Cisco Resource Manager (CRM) 1.1 and earlier creates certain files with insecure permissions that allow local users to obtain sensitive configuration information including usernames, passwords, and SNMP community strings, from (1) swim_swd.log, (2) swim_debug.log, (3) dbi_debug.log, and (4) temporary files whose names begin with "DPR_". CVE-1999-1127 DESCRIPTION: Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which allows remote attackers to cause a denial of service (resource exhaustion) via a series of connections containing malformed data, aka the "Named Pipes Over RPC" vulnerability. CVE-1999-1128 DESCRIPTION: Internet Explorer 3.01 on Windows 95 allows remote malicious web sites to execute arbitrary commands via a .isp file, which is automatically downloaded and executed without prompting the user. CVE-1999-1129 DESCRIPTION: Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers to inject 802.1q frames into another VLAN by forging the VLAN identifier in the trunking tag. CVE-1999-1130 DESCRIPTION: Default configuration of the search engine in Netscape Enterprise Server 3.5.1, and possibly other versions, allows remote attackers to read the source of JHTML files by specifying a search command using the HTML-tocrec-demo1.pat pattern file. CVE-1999-1131 DESCRIPTION: Buffer overflow in OSF Distributed Computing Environment (DCE) security demon (secd) in IRIX 6.4 and earlier allows attackers to cause a denial of service via a long principal, group, or organization. CVE-1999-1132 DESCRIPTION: Windows NT 4.0 allows remote attackers to cause a denial of service (crash) via extra source routing data such as (1) a Routing Information Field (RIF) field with a hop count greater than 7, or (2) a list containing duplicate Token Ring IDs. CVE-1999-1133 DESCRIPTION: HP-UX 9.x and 10.x running X windows may allow local attackers to gain privileges via (1) vuefile, (2) vuepad, (3) dtfile, or (4) dtpad, which do not authenticate users. CVE-1999-1134 DESCRIPTION: Vulnerability in Vue 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4038, PHSS_4055, and PHSS_4066. CVE-1999-1135 DESCRIPTION: Vulnerability in VUE 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4994 and PHSS_5438. CVE-1999-1136 DESCRIPTION: Vulnerability in Predictive on HP-UX 11.0 and earlier, and MPE/iX 5.5 and earlier, allows attackers to compromise data transfer for Predictive messages (using e-mail or modem) between customer and Response Center Predictive systems. CVE-1999-1137 DESCRIPTION: The permissions for the /dev/audio device on Solaris 2.2 and earlier, and SunOS 4.1.x, allow any local user to read from the device, which could be used by an attacker to monitor conversations happening near a machine that has a microphone. CVE-1999-1138 DESCRIPTION: SCO UNIX System V/386 Release 3.2, and other SCO products, installs the home directories (1) /tmp for the dos user, and (2) /usr/tmp for the asg user, which allows other users to gain access to those accounts since /tmp and /usr/tmp are world-writable. CVE-1999-1139 DESCRIPTION: Character-Terminal User Environment (CUE) in HP-UX 11.0 and earlier allows local users to overwrite arbitrary files and gain root privileges via a symlink attack on the IOERROR.mytty file. CVE-1999-1140 DESCRIPTION: Buffer overflow in CrackLib 2.5 may allow local users to gain root privileges via a long GECOS field. CVE-1999-1141 DESCRIPTION: Ascom Timeplex router allows remote attackers to obtain sensitive information or conduct unauthorized activities by entering debug mode through a sequence of CTRL-D characters. CVE-1999-1142 DESCRIPTION: SunOS 4.1.2 and earlier allows local users to gain privileges via "LD_*" environmental variables to certain dynamically linked setuid or setgid programs such as (1) login, (2) su, or (3) sendmail, that change the real and effective user ids to the same user. CVE-1999-1143 DESCRIPTION: Vulnerability in runtime linker program rld in SGI IRIX 6.x and earlier allows local users to gain privileges via setuid and setgid programs. CVE-1999-1144 DESCRIPTION: Certain files in MPower in HP-UX 10.x are installed with insecure permissions, which allows local users to gain privileges. CVE-1999-1145 DESCRIPTION: Vulnerability in Glance programs in GlancePlus for HP-UX 10.20 and earlier allows local users to access arbitrary files and gain privileges. CVE-1999-1146 DESCRIPTION: Vulnerability in Glance and gpm programs in GlancePlus for HP-UX 9.x and earlier allows local users to access arbitrary files and gain privileges. CVE-1999-1147 DESCRIPTION: Buffer overflow in Platinum Policy Compliance Manager (PCM) 7.0 allows remote attackers to execute arbitrary commands via a long string to the Agent port (1827), which is handled by smaxagent.exe. CVE-1999-1148 DESCRIPTION: FTP service in IIS 4.0 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via many passive (PASV) connections at the same time. CVE-1999-1149 DESCRIPTION: Buffer overflow in CSM Proxy 4.1 allows remote attackers to cause a denial of service (crash) via a long string to the FTP port. CVE-1999-1150 DESCRIPTION: Livingston Portmaster routers running ComOS use the same initial sequence number (ISN) for TCP connections, which allows remote attackers to conduct spoofing and hijack TCP sessions. CVE-1999-1151 DESCRIPTION: Compaq/Microcom 6000 Access Integrator does not cause a session timeout after prompting for a username or password, which allows remote attackers to cause a denial of service by connecting to the integrator without providing a username or password. CVE-1999-1152 DESCRIPTION: Compaq/Microcom 6000 Access Integrator does not disconnect a client after a certain number of failed login attempts, which allows remote attackers to guess usernames or passwords via a brute force attack. CVE-1999-1153 DESCRIPTION: HAMcards Postcard CGI script 1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address. CVE-1999-1154 DESCRIPTION: LakeWeb Filemail CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address. CVE-1999-1155 DESCRIPTION: LakeWeb Mail List CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address. CVE-1999-1156 DESCRIPTION: BisonWare FTP Server 4.1 and earlier allows remote attackers to cause a denial of service via a malformed PORT command that contains a non-numeric character and a large number of carriage returns. CVE-1999-1157 DESCRIPTION: Tcpip.sys in Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service via an ICMP Subnet Mask Address Request packet, when certain multiple IP addresses are bound to the same network interface. CVE-1999-1158 DESCRIPTION: Buffer overflow in (1) pluggable authentication module (PAM) on Solaris 2.5.1 and 2.5 and (2) unix_scheme in Solaris 2.4 and 2.3 allows local users to gain root privileges via programs that use these modules such as passwd, yppasswd, and nispasswd. CVE-1999-1159 DESCRIPTION: SSH 2.0.11 and earlier allows local users to request remote forwarding from privileged ports without being root. CVE-1999-1160 DESCRIPTION: Vulnerability in ftpd/kftpd in HP-UX 10.x and 9.x allows local and possibly remote users to gain root privileges. CVE-1999-1161 DESCRIPTION: Vulnerability in ppl in HP-UX 10.x and earlier allows local users to gain root privileges by forcing ppl to core dump. CVE-1999-1162 DESCRIPTION: Vulnerability in passwd in SCO UNIX 4.0 and earlier allows attackers to cause a denial of service by preventing users from being able to log into the system. CVE-1999-1163 DESCRIPTION: Vulnerability in HP Series 800 S/X/V Class servers allows remote attackers to gain access to the S/X/V Class console via the Service Support Processor (SSP) Teststation. CVE-1999-1164 DESCRIPTION: Microsoft Outlook client allows remote attackers to cause a denial of service by sending multiple email messages with the same X-UIDL headers, which causes Outlook to hang. CVE-1999-1165 DESCRIPTION: GNU fingerd 1.37 does not properly drop privileges before accessing user information, which could allow local users to (1) gain root privileges via a malicious program in the .fingerrc file, or (2) read arbitrary files via symbolic links from .plan, .forward, or .project files. CVE-1999-1166 DESCRIPTION: Linux 2.0.37 does not properly encode the Custom segment limit, which allows local users to gain root privileges by accessing and modifying kernel memory. CVE-1999-1167 DESCRIPTION: Cross-site scripting vulnerability in Third Voice Web annotation utility allows remote users to read sensitive data and generate fake web pages for other Third Voice users by injecting malicious Javascript into an annotation. CVE-1999-1168 DESCRIPTION: install.iss installation script for Internet Security Scanner (ISS) for Linux, version 5.3, allows local users to change the permissions of arbitrary files via a symlink attack on a temporary file. CVE-1999-1169 DESCRIPTION: nobo 1.2 allows remote attackers to cause a denial of service (crash) via a series of large UDP packets. CVE-1999-1170 DESCRIPTION: IPswitch IMail allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920. CVE-1999-1171 DESCRIPTION: IPswitch WS_FTP allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920. CVE-1999-1172 DESCRIPTION: By design, Maximizer Enterprise 4 calendar and address book program allows arbitrary users to modify the calendar of other users when the calendar is being shared. CVE-1999-1173 DESCRIPTION: Corel Word Perfect 8 for Linux creates a temporary working directory with world-writable permissions, which allows local users to (1) modify Word Perfect behavior by modifying files in the working directory, or (2) modify files of other users via a symlink attack. CVE-1999-1174 DESCRIPTION: ZIP drive for Iomega ZIP-100 disks allows attackers with physical access to the drive to bypass password protection by inserting a known disk with a known password, waiting for the ZIP drive to power down, manually replacing the known disk with the target disk, and using the known password to access the target disk. CVE-1999-1175 DESCRIPTION: Web Cache Control Protocol (WCCP) in Cisco Cache Engine for Cisco IOS 11.2 and earlier does not use authentication, which allows remote attackers to redirect HTTP traffic to arbitrary hosts via WCCP packets to UDP port 2048. CVE-1999-1176 DESCRIPTION: Buffer overflow in cidentd ident daemon allows local users to gain root privileges via a long line in the .authlie script. CVE-1999-1177 DESCRIPTION: Directory traversal vulnerability in nph-publish before 1.2 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the pathname for an upload operation. CVE-1999-1178 DESCRIPTION: Sambar Server 4.1 beta allows remote attackers to obtain sensitive information about the server via an HTTP request for the dumpenv.pl script. CVE-1999-1179 DESCRIPTION: Vulnerability in man.sh CGI script, included in May 1998 issue of SysAdmin Magazine, allows remote attackers to execute arbitrary commands. CVE-1999-1180 DESCRIPTION: O'Reilly WebSite 1.1e and Website Pro 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in an argument to (1) args.cmd or (2) args.bat. CVE-1999-1181 DESCRIPTION: Vulnerability in On-Line Customer Registration software for IRIX 6.2 through 6.4 allows local users to gain root privileges. CVE-1999-1182 DESCRIPTION: Buffer overflow in run-time linkers (1) ld.so or (2) ld-linux.so for Linux systems allows local users to gain privileges by calling a setuid program with a long program name (argv[0]) and forcing ld.so/ld-linux.so to report an error. CVE-1999-1183 DESCRIPTION: System Manager sysmgr GUI in SGI IRIX 6.4 and 6.3 allows remote attackers to execute commands by providing a trojan horse (1) runtask or (2) runexec descriptor file, which is used to execute a System Manager Task when the user's Mailcap entry supports the x-sgi-task or x-sgi-exec type. CVE-1999-1184 DESCRIPTION: Buffer overflow in Elm 2.4 and earlier allows local users to gain privileges via a long TERM environmental variable. CVE-1999-1185 DESCRIPTION: Buffer overflow in SCO mscreen allows local users to gain root privileges via a long terminal entry (TERM) in the .mscreenrc file. CVE-1999-1186 DESCRIPTION: rxvt, when compiled with the PRINT_PIPE option in various Linux operating systems including Linux Slackware 3.0 and RedHat 2.1, allows local users to gain root privileges by specifying a malicious program using the -print-pipe command line parameter. CVE-1999-1187 DESCRIPTION: Pine before version 3.94 allows local users to gain privileges via a symlink attack on a lockfile that is created when a user receives new mail. CVE-1999-1188 DESCRIPTION: mysqld in MySQL 3.21 creates log files with world-readable permissions, which allows local users to obtain passwords for users who are added to the user database. CVE-1999-1189 DESCRIPTION: Buffer overflow in Netscape Navigator/Communicator 4.7 for Windows 95 and Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long argument after the ? character in a URL that references an .asp, .cgi, .html, or .pl file. CVE-1999-1190 DESCRIPTION: Buffer overflow in POP3 server of Admiral Systems EmailClub 1.05 allows remote attackers to execute arbitrary commands via a long "From" header in an e-mail message. CVE-1999-1191 DESCRIPTION: Buffer overflow in chkey in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument. CVE-1999-1192 DESCRIPTION: Buffer overflow in eeprom in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument. CVE-1999-1193 DESCRIPTION: The "me" user in NeXT NeXTstep 2.1 and earlier has wheel group privileges, which could allow the me user to use the su command to become root. CVE-1999-1194 DESCRIPTION: chroot in Digital Ultrix 4.1 and 4.0 is insecurely installed, which allows local users to gain privileges. CVE-1999-1195 DESCRIPTION: NAI VirusScan NT 4.0.2 does not properly modify the scan.dat virus definition file during an update via FTP, but it reports that the update was successful, which could cause a system administrator to believe that the definitions have been updated correctly. CVE-1999-1196 DESCRIPTION: Hummingbird Exceed X version 5 allows remote attackers to cause a denial of service via malformed data to port 6000. CVE-1999-1197 DESCRIPTION: TIOCCONS in SunOS 4.1.1 does not properly check the permissions of a user who tries to redirect console output and input, which could allow a local user to gain privileges. CVE-1999-1198 DESCRIPTION: BuildDisk program on NeXT systems before 2.0 does not prompt users for the root password, which allows local users to gain root privileges. CVE-1999-1199 DESCRIPTION: Apache WWW server 1.3.1 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via a large number of MIME headers with the same name, aka the "sioux" vulnerability. CVE-1999-1200 DESCRIPTION: Vintra SMTP MailServer allows remote attackers to cause a denial of service via a malformed "EXPN *@" command. CVE-1999-1201 DESCRIPTION: Windows 95 and Windows 98 systems, when configured with multiple TCP/IP stacks bound to the same MAC address, allow remote attackers to cause a denial of service (traffic amplification) via a certain ICMP echo (ping) packet, which causes all stacks to send a ping response, aka TCP Chorusing. CVE-1999-1202 DESCRIPTION: StarTech (1) POP3 proxy server and (2) telnet server allows remote attackers to cause a denial of service via a long USER command. CVE-1999-1203 DESCRIPTION: Multilink PPP for ISDN dialup users in Ascend before 4.6 allows remote attackers to cause a denial of service via a spoofed endpoint identifier. CVE-1999-1204 DESCRIPTION: Check Point Firewall-1 does not properly handle certain restricted keywords (e.g., Mail, auth, time) in user-defined objects, which could produce a rule with a default "ANY" address and result in access to more systems than intended by the administrator. CVE-1999-1205 DESCRIPTION: nettune in HP-UX 10.01 and 10.00 is installed setuid root, which allows local users to cause a denial of service by modifying critical networking configuration information. CVE-1999-1206 DESCRIPTION: SystemSoft SystemWizard package in HP Pavilion PC with Windows 98, and possibly other platforms and operating systems, installs two ActiveX controls that are marked as safe for scripting, which allows remote attackers to execute arbitrary commands via a malicious web page that references (1) the Launch control, or (2) the RegObj control. CVE-1999-1207 DESCRIPTION: Buffer overflow in web-admin tool in NetXRay 2.6 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP request. CVE-1999-1208 DESCRIPTION: Buffer overflow in ping in AIX 4.2 and earlier allows local users to gain root privileges via a long command line argument. CVE-1999-1209 DESCRIPTION: Vulnerability in scoterm in SCO OpenServer 5.0 and SCO Open Desktop/Open Server 3.0 allows local users to gain root privileges. CVE-1999-1210 DESCRIPTION: xterm in Digital UNIX 4.0B *with* patch kit 5 allows local users to overwrite arbitrary files via a symlink attack on a core dump file, which is created when xterm is called with a DISPLAY environmental variable set to a display that xterm cannot access. CVE-1999-1211 DESCRIPTION: Vulnerability in in.telnetd in SunOS 4.1.1 and earlier allows local users to gain root privileges. CVE-1999-1212 DESCRIPTION: Vulnerability in in.rlogind in SunOS 4.0.3 and 4.0.3c allows local users to gain root privileges. CVE-1999-1213 DESCRIPTION: Vulnerability in telnet service in HP-UX 10.30 allows attackers to cause a denial of service. CVE-1999-1214 DESCRIPTION: The asynchronous I/O facility in 4.4 BSD kernel does not check user credentials when setting the recipient of I/O notification, which allows local users to cause a denial of service by using certain ioctl and fcntl calls to cause the signal to be sent to an arbitrary process ID. CVE-1999-1215 DESCRIPTION: LOGIN.EXE program in Novell Netware 4.0 and 4.01 temporarily writes user name and password information to disk, which could allow local users to gain privileges. CVE-1999-1216 DESCRIPTION: Cisco routers 9.17 and earlier allow remote attackers to bypass security restrictions via certain IP source routed packets that should normally be denied using the "no ip source-route" command. CVE-1999-1217 DESCRIPTION: The PATH in Windows NT includes the current working directory (.), which could allow local users to gain privileges by placing Trojan horse programs with the same name as commonly used system programs into certain directories. CVE-1999-1218 DESCRIPTION: Vulnerability in finger in Commodore Amiga UNIX 2.1p2a and earlier allows local users to read arbitrary files. CVE-1999-1219 DESCRIPTION: Vulnerability in sgihelp in the SGI help system and print manager in IRIX 5.2 and earlier allows local users to gain root privileges, possibly through the clogin command. CVE-1999-1220 DESCRIPTION: Majordomo 1.94.3 and earlier allows remote attackers to execute arbitrary commands when the advertise or noadvertise directive is used in a configuration file, via shell metacharacters in the Reply-To header. CVE-1999-1221 DESCRIPTION: dxchpwd in Digital Unix (OSF/1) 3.x allows local users to modify arbitrary files via a symlink attack on the dxchpwd.log file. CVE-1999-1222 DESCRIPTION: Netbt.sys in Windows NT 4.0 allows remote malicious DNS servers to cause a denial of service (crash) by returning 0.0.0.0 as the IP address for a DNS host name lookup. CVE-1999-1223 DESCRIPTION: IIS 3.0 allows remote attackers to cause a denial of service via a request to an ASP page in which the URL contains a large number of / (forward slash) characters. CVE-1999-1224 DESCRIPTION: IMAP 4.1 BETA, and possibly other versions, does not properly handle the SIGABRT (abort) signal, which allows local users to crash the server (imapd) via certain sequences of commands, which causes a core dump that may contain sensitive password information. CVE-1999-1225 DESCRIPTION: rpc.mountd on Linux, Ultrix, and possibly other operating systems, allows remote attackers to determine the existence of a file on the server by attempting to mount that file, which generates different error messages depending on whether the file exists or not. CVE-1999-1226 DESCRIPTION: Netscape Communicator 4.7 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long certificate key. CVE-1999-1227 DESCRIPTION: Ethereal allows local users to overwrite arbitrary files via a symlink attack on the packet capture file. CVE-1999-1228 DESCRIPTION: Various modems that do not implement a guard time, or are configured with a guard time of 0, can allow remote attackers to execute arbitrary modem commands such as ATH, ATH0, etc., via a "+++" sequence that appears in ICMP packets, the subject of an e-mail message, IRC commands, and others. CVE-1999-1229 DESCRIPTION: Quake 2 server 3.13 on Linux does not properly check file permissions for the config.cfg configuration file, which allows local users to read arbitrary files via a symlink from config.cfg to the target file. CVE-1999-1230 DESCRIPTION: Quake 2 server allows remote attackers to cause a denial of service via a spoofed UDP packet with a source address of 127.0.0.1, which causes the server to attempt to connect to itself. CVE-1999-1231 DESCRIPTION: ssh 2.0.12, and possibly other versions, allows valid user names to attempt to enter the correct password multiple times, but only prompts an invalid user name for a password once, which allows remote attackers to determine user account names on the server. CVE-1999-1232 DESCRIPTION: Untrusted search path vulnerability in day5datacopier in SGI IRIX 6.2 allows local users to execute arbitrary commands via a modified PATH environment variable that points to a malicious cp program. CVE-1999-1233 DESCRIPTION: IIS 4.0 does not properly restrict access for the initial session request from a user's IP address if the address does not resolve to a DNS domain, aka the "Domain Resolution" vulnerability. CVE-1999-1234 DESCRIPTION: LSA (LSASS.EXE) in Windows NT 4.0 allows remote attackers to cause a denial of service via a NULL policy handle in a call to (1) SamrOpenDomain, (2) SamrEnumDomainUsers, and (3) SamrQueryDomainInfo. CVE-1999-1235 DESCRIPTION: Internet Explorer 5.0 records the username and password for FTP servers in the URL history, which could allow (1) local users to read the information from another user's index.dat, or (2) people who are physically observing ("shoulder surfing") another user to read the information from the status bar when the user moves the mouse over a link. CVE-1999-1236 DESCRIPTION: Internet Anywhere Mail Server 2.3.1 stores passwords in plaintext in the msgboxes.dbf file, which could allow local users to gain privileges by extracting the passwords from msgboxes.dbf. CVE-1999-1237 DESCRIPTION: Multiple buffer overflows in smbvalid/smbval SMB authentication library, as used in Apache::AuthenSmb and possibly other modules, allows remote attackers to execute arbitrary commands via (1) a long username, (2) a long password, and (3) other unspecified methods. CVE-1999-1238 DESCRIPTION: Vulnerability in CORE-DIAG fileset in HP message catalog in HP-UX 9.05 and earlier allows local users to gain privileges. CVE-1999-1239 DESCRIPTION: HP-UX 9.x does not properly enable the Xauthority mechanism in certain conditions, which could allow local users to access the X display even when they have not explicitly been authorized to do so. CVE-1999-1240 DESCRIPTION: Buffer overflow in cddbd CD database server allows remote attackers to execute arbitrary commands via a long log message. CVE-1999-1241 DESCRIPTION: Internet Explorer, with a security setting below Medium, allows remote attackers to execute arbitrary commands via a malicious web page that uses the FileSystemObject ActiveX object. CVE-1999-1242 DESCRIPTION: Vulnerability in subnetconfig in HP-UX 9.01 and 9.0 allows local users to gain privileges. CVE-1999-1243 DESCRIPTION: SGI Desktop Permissions Tool in IRIX 6.0.1 and earlier allows local users to modify permissions for arbitrary files and gain privileges. CVE-1999-1244 DESCRIPTION: IPFilter 3.2.3 through 3.2.10 allows local users to modify arbitrary files via a symlink attack on the saved output file. CVE-1999-1245 DESCRIPTION: vacm ucd-snmp SNMP server, version 3.52, does not properly disable access to the public community string, which could allow remote attackers to obtain sensitive information. CVE-1999-1246 DESCRIPTION: Direct Mailer feature in Microsoft Site Server 3.0 saves user domain names and passwords in plaintext in the TMLBQueue network share, which has insecure default permissions, allowing remote attackers to read the passwords and gain privileges. CVE-1999-1247 DESCRIPTION: Vulnerability in HP Camera component of HP DCE/9000 in HP-UX 9.x allows attackers to gain root privileges. CVE-1999-1248 DESCRIPTION: Vulnerability in Support Watch (aka SupportWatch) in HP-UX 8.0 through 9.0 allows local users to gain privileges. CVE-1999-1249 DESCRIPTION: movemail in HP-UX 10.20 has insecure permissions, which allows local users to gain privileges. CVE-1999-1250 DESCRIPTION: Vulnerability in CGI program in the Lasso application by Blue World, as used on WebSTAR and other servers, allows remote attackers to read arbitrary files. CVE-1999-1251 DESCRIPTION: Vulnerability in direct audio user space code on HP-UX 10.20 and 10.10 allows local users to cause a denial of service. CVE-1999-1252 DESCRIPTION: Vulnerability in a certain system call in SCO UnixWare 2.0.x and 2.1.0 allows local users to access arbitrary files and gain root privileges. CVE-1999-1253 DESCRIPTION: Vulnerability in a kernel error handling routine in SCO OpenServer 5.0.2 and earlier, and SCO Internet FastStart 1.0, allows local users to gain root privileges. CVE-1999-1254 DESCRIPTION: Windows 95, 98, and NT 4.0 allow remote attackers to cause a denial of service by spoofing ICMP redirect messages from a router, which causes Windows to change its routing tables. CVE-1999-1255 DESCRIPTION: Hyperseek allows remote attackers to modify the hyperseek configuration by directly calling the admin.cgi program with an edit_file action parameter. CVE-1999-1256 DESCRIPTION: Oracle Database Assistant 1.0 in Oracle 8.0.3 Enterprise Edition stores the database master password in plaintext in the spoolmain.log file when a new database is created, which allows local users to obtain the password from that file. CVE-1999-1257 DESCRIPTION: Xyplex terminal server 6.0.1S1, and possibly other versions, allows remote attackers to bypass the password prompt by entering (1) a CTRL-Z character, or (2) a ? (question mark). CVE-1999-1258 DESCRIPTION: rpc.pwdauthd in SunOS 4.1.1 and earlier does not properly prevent remote access to the daemon, which allows remote attackers to obtain sensitive system information. CVE-1999-1259 DESCRIPTION: Microsoft Office 98, Macintosh Edition, does not properly initialize the disk space used by Office 98 files and effectively inserts data from previously deleted files into the Office file, which could allow attackers to obtain sensitive information. CVE-1999-1260 DESCRIPTION: mSQL (Mini SQL) 2.0.6 allows remote attackers to obtain sensitive server information such as logged users, database names, and server version via the ServerStats query. CVE-1999-1261 DESCRIPTION: Buffer overflow in Rainbow Six Multiplayer allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long nickname (nick) command. CVE-1999-1262 DESCRIPTION: Java in Netscape 4.5 does not properly restrict applets from connecting to other hosts besides the one from which the applet was loaded, which violates the Java security model and could allow remote attackers to conduct unauthorized activities. CVE-1999-1263 DESCRIPTION: Metamail before 2.7-7.2 allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified, which is processed by uuencode in Metamail scripts such as sun-audio-file. CVE-1999-1264 DESCRIPTION: WebRamp M3 router does not disable remote telnet or HTTP access to itself, even when access has been explicitly disabled. CVE-1999-1265 DESCRIPTION: SMTP server in SLmail 3.1 and earlier allows remote attackers to cause a denial of service via malformed commands whose arguments begin with a "(" (parenthesis) character, such as (1) SEND, (2) VRFY, (3) EXPN, (4) MAIL FROM, (5) RCPT TO. CVE-1999-1266 DESCRIPTION: rsh daemon (rshd) generates different error messages when a valid username is provided versus an invalid name, which allows remote attackers to determine valid users on the system. CVE-1999-1267 DESCRIPTION: KDE file manager (kfm) uses a TCP server for certain file operations, which allows remote attackers to modify arbitrary files by sending a copy command to the server. CVE-1999-1268 DESCRIPTION: Vulnerability in KDE konsole allows local users to hijack or observe sessions of other users by accessing certain devices. CVE-1999-1269 DESCRIPTION: Screen savers in KDE beta 3 allows local users to overwrite arbitrary files via a symlink attack on the .kss.pid file. CVE-1999-1270 DESCRIPTION: KMail in KDE 1.0 provides a PGP passphrase as a command line argument to other programs, which could allow local users to obtain the passphrase and compromise the PGP keys of other users by viewing the arguments via programs that list process information, such as ps. CVE-1999-1271 DESCRIPTION: Macromedia Dreamweaver uses weak encryption to store FTP passwords, which could allow local users to easily decrypt the passwords of other users. CVE-1999-1272 DESCRIPTION: Buffer overflows in CDROM Confidence Test program (cdrom) allow local users to gain root privileges. CVE-1999-1273 DESCRIPTION: Squid Internet Object Cache 1.1.20 allows users to bypass access control lists (ACLs) by encoding the URL with hexadecimal escape sequences. CVE-1999-1274 DESCRIPTION: iPass RoamServer 3.1 creates temporary files with world-writable permissions. CVE-1999-1275 DESCRIPTION: Lotus cc:Mail release 8 stores the postoffice password in plaintext in a hidden file which has insecure permissions, which allows local users to gain privileges. CVE-1999-1276 DESCRIPTION: fte-console in the fte package before 0.46b-4.1 does not drop root privileges, which allows local users to gain root access via the virtual console device. CVE-1999-1277 DESCRIPTION: BackWeb client stores the username and password in cleartext for proxy authentication in the Communication registry key, which could allow other local users to gain privileges by reading the password. CVE-1999-1278 DESCRIPTION: nlog CGI scripts do not properly filter shell metacharacters from the IP address argument, which could allow remote attackers to execute certain commands via (1) nlog-smb.pl or (2) rpc-nlog.pl. CVE-1999-1279 DESCRIPTION: An interaction between the AS/400 shared folders feature and Microsoft SNA Server 3.0 and earlier allows users to view each other's folders when the users share the same Local APPC LU. CVE-1999-1280 DESCRIPTION: Hummingbird Exceed 6.0.1.0 inadvertently includes a DLL that was meant for development and testing, which logs user names and passwords in cleartext in the test.log file. CVE-1999-1281 DESCRIPTION: Development version of Breeze Network Server allows remote attackers to cause the system to reboot by accessing the configbreeze CGI program. CVE-1999-1282 DESCRIPTION: RealSystem G2 server stores the administrator password in cleartext in a world-readable configuration file, which allows local users to gain privileges. CVE-1999-1283 DESCRIPTION: Opera 3.2.1 allows remote attackers to cause a denial of service (application crash) via a URL that contains an extra / in the http:// tag. CVE-1999-1284 DESCRIPTION: NukeNabber allows remote attackers to cause a denial of service by connecting to the NukeNabber port (1080) without sending any data, which causes the CPU usage to rise to 100% from the report.exe program that is executed upon the connection. CVE-1999-1285 DESCRIPTION: Linux 2.1.132 and earlier allows local users to cause a denial of service (resource exhaustion) by reading a large buffer from a random device (e.g. /dev/urandom), which cannot be interrupted until the read has completed. CVE-1999-1286 DESCRIPTION: addnetpr in SGI IRIX 6.2 and earlier allows local users to modify arbitrary files and possibly gain root access via a symlink attack on a temporary file. CVE-1999-1287 DESCRIPTION: Vulnerability in Analog 3.0 and earlier allows remote attackers to read arbitrary files via the forms interface. CVE-1999-1288 DESCRIPTION: Samba 1.9.18 inadvertently includes a prototype application, wsmbconf, which is installed with incorrect permissions including the setgid bit, which allows local users to read and write files and possibly gain privileges via bugs in the program. CVE-1999-1289 DESCRIPTION: ICQ 98 beta on Windows NT leaks the internal IP address of a client in the TCP data segment of an ICQ packet instead of the public address (e.g. through NAT), which provides remote attackers with potentially sensitive information about the client or the internal network configuration. CVE-1999-1290 DESCRIPTION: Buffer overflow in nftp FTP client version 1.40 allows remote malicious FTP servers to cause a denial of service, and possibly execute arbitrary commands, via a long response string. CVE-1999-1291 DESCRIPTION: TCP/IP implementation in Microsoft Windows 95, Windows NT 4.0, and possibly others, allows remote attackers to reset connections by forcing a reset (RST) via a PSH ACK or other means, obtaining the target's last sequence number from the resulting packet, then spoofing a reset to the target. CVE-1999-1292 DESCRIPTION: Buffer overflow in web administration feature of Kolban Webcam32 4.8.3 and earlier allows remote attackers to execute arbitrary commands via a long URL. CVE-1999-1293 DESCRIPTION: mod_proxy in Apache 1.2.5 and earlier allows remote attackers to cause a denial of service via malformed FTP commands, which causes Apache to dump core. CVE-1999-1294 DESCRIPTION: Office Shortcut Bar (OSB) in Windows 3.51 enables backup and restore permissions, which are inherited by programs such as File Manager that are started from the Shortcut Bar, which could allow local users to read folders for which they do not have permission. CVE-1999-1295 DESCRIPTION: Transarc DCE Distributed File System (DFS) 1.1 for Solaris 2.4 and 2.5 does not properly initialize the grouplist for users who belong to a large number of groups, which could allow those users to gain access to resources that are protected by DFS. CVE-1999-1296 DESCRIPTION: Buffer overflow in Kerberos IV compatibility libraries as used in Kerberos V allows local users to gain root privileges via a long line in a kerberos configuration file, which can be specified via the KRB_CONF environmental variable. CVE-1999-1297 DESCRIPTION: cmdtool in OpenWindows 3.0 and XView 3.0 in SunOS 4.1.4 and earlier allows attackers with physical access to the system to display unechoed characters (such as those from password prompts) via the L2/AGAIN key. CVE-1999-1298 DESCRIPTION: Sysinstall in FreeBSD 2.2.1 and earlier, when configuring anonymous FTP, creates the ftp user without a password and with /bin/date as the shell, which could allow attackers to gain access to certain system resources. CVE-1999-1299 DESCRIPTION: rcp on various Linux systems including Red Hat 4.0 allows a "nobody" user or other user with UID of 65535 to overwrite arbitrary files, since 65535 is interpreted as -1 by chown and other system calls, which causes the calls to fail to modify the ownership of the file. CVE-1999-1300 DESCRIPTION: Vulnerability in accton in Cray UNICOS 6.1 and 6.0 allows local users to read arbitrary files and modify system accounting configuration. CVE-1999-1301 DESCRIPTION: A design flaw in the Z-Modem protocol allows the remote sender of a file to execute arbitrary programs on the client, as implemented in rz in the rzsz module of FreeBSD before 2.1.5, and possibly other programs. CVE-1999-1302 DESCRIPTION: Unspecified vulnerability in pt_chmod in SCO UNIX 4.2 and earlier allows local users to gain root access. CVE-1999-1303 DESCRIPTION: Vulnerability in prwarn in SCO UNIX 4.2 and earlier allows local users to gain root access. CVE-1999-1304 DESCRIPTION: Vulnerability in login in SCO UNIX 4.2 and earlier allows local users to gain root access. CVE-1999-1305 DESCRIPTION: Vulnerability in "at" program in SCO UNIX 4.2 and earlier allows local users to gain root access. CVE-1999-1306 DESCRIPTION: Cisco IOS 9.1 and earlier does not properly handle extended IP access lists when the IP route cache is enabled and the "established" keyword is set, which could allow attackers to bypass filters. CVE-1999-1307 DESCRIPTION: Vulnerability in urestore in Novell UnixWare 1.1 allows local users to gain root privileges. CVE-1999-1308 DESCRIPTION: Certain programs in HP-UX 10.20 do not properly handle large user IDs (UID) or group IDs (GID) over 60000, which could allow local users to gain privileges. CVE-1999-1309 DESCRIPTION: Sendmail before 8.6.7 allows local users to gain root access via a large value in the debug (-d) command line option. CVE-1999-1310 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1022. Reason: This candidate is a duplicate of CVE-1999-1022. Notes: All CVE users should reference CVE-1999-1022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-1999-1311 DESCRIPTION: Vulnerability in dtlogin and dtsession in HP-UX 10.20 and 10.10 allows local users to bypass authentication and gain privileges. CVE-1999-1312 DESCRIPTION: Vulnerability in DEC OpenVMS VAX 5.5-2 through 5.0, and OpenVMS AXP 1.0, allows local users to gain system privileges. CVE-1999-1313 DESCRIPTION: Manual page reader (man) in FreeBSD 2.2 and earlier allows local users to gain privileges via a sequence of commands. CVE-1999-1314 DESCRIPTION: Vulnerability in union file system in FreeBSD 2.2 and earlier, and possibly other operating systems, allows local users to cause a denial of service (system reload) via a series of certain mount_union commands. CVE-1999-1315 DESCRIPTION: Vulnerabilities in DECnet/OSI for OpenVMS before 5.8 on DEC Alpha AXP and VAX/VMS systems allow local users to gain privileges or cause a denial of service. CVE-1999-1316 DESCRIPTION: Passfilt.dll in Windows NT SP2 allows users to create a password that contains the user's name, which could make it easier for an attacker to guess. CVE-1999-1317 DESCRIPTION: Windows NT 4.0 SP4 and earlier allows local users to gain privileges by modifying the symbolic link table in the \?? object folder using a different case letter (upper or lower) to point to a different device. CVE-1999-1318 DESCRIPTION: /usr/5bin/su in SunOS 4.1.3 and earlier uses a search path that includes the current working directory (.), which allows local users to gain privileges via Trojan horse programs. CVE-1999-1319 DESCRIPTION: Vulnerability in object server program in SGI IRIX 5.2 through 6.1 allows remote attackers to gain root privileges in certain configurations. CVE-1999-1320 DESCRIPTION: Vulnerability in Novell NetWare 3.x and earlier allows local users to gain privileges via packet spoofing. CVE-1999-1321 DESCRIPTION: Buffer overflow in ssh 1.2.26 client with Kerberos V enabled could allow remote attackers to cause a denial of service or execute arbitrary commands via a long DNS hostname that is not properly handled during TGT ticket passing. CVE-1999-1322 DESCRIPTION: The installation of 1ArcServe Backup and Inoculan AV client modules for Exchange create a log file, exchverify.log, which contains usernames and passwords in plaintext. CVE-1999-1323 DESCRIPTION: Norton AntiVirus for Internet Email Gateways (NAVIEG) 1.0.1.7 and earlier, and Norton AntiVirus for MS Exchange (NAVMSE) 1.5 and earlier, store the administrator password in cleartext in (1) the navieg.ini file for NAVIEG, and (2) the ModifyPassword registry key in NAVMSE. CVE-1999-1324 DESCRIPTION: VAXstations running Open VMS 5.3 through 5.5-2 with VMS DECwindows or MOTIF do not properly disable access to user accounts that exceed the break-in limit threshold for failed login attempts, which makes it easier for attackers to conduct brute force password guessing. CVE-1999-1325 DESCRIPTION: SAS System 5.18 on VAX/VMS is installed with insecure permissions for its directories and startup file, which allows local users to gain privileges. CVE-1999-1326 DESCRIPTION: wu-ftpd 2.4 FTP server does not properly drop privileges when an ABOR (abort file transfer) command is executed during a file transfer, which causes a signal to be handled incorrectly and allows local and possibly remote attackers to read arbitrary files. CVE-1999-1327 DESCRIPTION: Buffer overflow in linuxconf 1.11r11-rh2 on Red Hat Linux 5.1 allows local users to gain root privileges via a long LANG environmental variable. CVE-1999-1328 DESCRIPTION: linuxconf before 1.11.r11-rh3 on Red Hat Linux 5.1 allows local users to overwrite arbitrary files and gain root access via a symlink attack. CVE-1999-1329 DESCRIPTION: Buffer overflow in SysVInit in Red Hat Linux 5.1 and earlier allows local users to gain privileges. CVE-1999-1330 DESCRIPTION: The snprintf function in the db library 1.85.4 ignores the size parameter, which could allow attackers to exploit buffer overflows that would be prevented by a properly implemented snprintf. CVE-1999-1331 DESCRIPTION: netcfg 2.16-1 in Red Hat Linux 4.2 allows the Ethernet interface to be controlled by users on reboot when an option is set, which allows local users to cause a denial of service by shutting down the interface. CVE-1999-1332 DESCRIPTION: gzexe in the gzip package on Red Hat Linux 5.0 and earlier allows local users to overwrite files of other users via a symlink attack on a temporary file. CVE-1999-1333 DESCRIPTION: automatic download option in ncftp 2.4.2 FTP client in Red Hat Linux 5.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the names of files that are to be downloaded. CVE-1999-1334 DESCRIPTION: Multiple buffer overflows in filter command in Elm 2.4 allows attackers to execute arbitrary commands via (1) long From: headers, (2) long Reply-To: headers, or (3) via a long -f (filterfile) command line argument. CVE-1999-1335 DESCRIPTION: snmpd server in cmu-snmp SNMP package before 3.3-1 in Red Hat Linux 4.0 is configured to allow remote attackers to read and write sensitive information. CVE-1999-1336 DESCRIPTION: 3Com HiPer Access Router Card (HiperARC) 4.0 through 4.2.29 allows remote attackers to cause a denial of service (reboot) via a flood of IAC packets to the telnet port. CVE-1999-1337 DESCRIPTION: FTP client in Midnight Commander (mc) before 4.5.11 stores usernames and passwords for visited sites in plaintext in the world-readable history file, which allows other local users to gain privileges. CVE-1999-1338 DESCRIPTION: Delegate proxy 5.9.3 and earlier creates files and directories in the DGROOT with world-writable permissions. CVE-1999-1339 DESCRIPTION: Vulnerability when Network Address Translation (NAT) is enabled in Linux 2.2.10 and earlier with ipchains, or FreeBSD 3.2 with ipfw, allows remote attackers to cause a denial of service (kernel panic) via a ping -R (record route) command. CVE-1999-1340 DESCRIPTION: Buffer overflow in faxalter in hylafax 4.0.2 allows local users to gain privileges via a long -m command line argument. CVE-1999-1341 DESCRIPTION: Linux kernel before 2.3.18 or 2.2.13pre15, with SLIP and PPP options, allows local unprivileged users to forge IP packets via the TIOCSETD option on tty devices. CVE-1999-1342 DESCRIPTION: ICQ ActiveList Server allows remote attackers to cause a denial of service (crash) via malformed packets to the server's UDP port. CVE-1999-1343 DESCRIPTION: HTTP server for Xerox DocuColor 4 LP allows remote attackers to cause a denial of service (hang) via a long URL that contains a large number of . characters. CVE-1999-1344 DESCRIPTION: Auto_FTP.pl script in Auto_FTP 0.2 stores usernames and passwords in plaintext in the auto_ftp.conf configuration file. CVE-1999-1345 DESCRIPTION: Auto_FTP.pl script in Auto_FTP 0.2 uses the /tmp/ftp_tmp as a shared directory with insecure permissions, which allows local users to (1) send arbitrary files to the remote server by placing them in the directory, and (2) view files that are being transferred. CVE-1999-1346 DESCRIPTION: PAM configuration file for rlogin in Red Hat Linux 6.1 and earlier includes a less restrictive rule before a more restrictive one, which allows users to access the host via rlogin even if rlogin has been explicitly disabled using the /etc/nologin file. CVE-1999-1347 DESCRIPTION: Xsession in Red Hat Linux 6.1 and earlier can allow local users with restricted accounts to bypass execution of the .xsession file by starting kde, gnome or anotherlevel from kdm. CVE-1999-1348 DESCRIPTION: Linuxconf on Red Hat Linux 6.0 and earlier does not properly disable PAM-based access to the shutdown command, which could allow local users to cause a denial of service. CVE-1999-1349 DESCRIPTION: NFS daemon (nfsd.exe) for Omni-NFS/X 6.1 allows remote attackers to cause a denial of service (resource exhaustion) via certain packets, possibly with the Urgent (URG) flag set, to port 111. CVE-1999-1350 DESCRIPTION: ARCAD Systemhaus 0.078-5 installs critical programs and files with world-writeable permissions, which could allow local users to gain privileges by replacing a program with a Trojan horse. CVE-1999-1351 DESCRIPTION: Directory traversal vulnerability in KVIrc IRC client 0.9.0 with the "Listen to !nick requests" option enabled allows remote attackers to read arbitrary files via a .. (dot dot) in a DCC GET request. CVE-1999-1352 DESCRIPTION: mknod in Linux 2.2 follows symbolic links, which could allow local users to overwrite files or gain privileges. CVE-1999-1353 DESCRIPTION: Nosque MsgCore 2.14 stores passwords in cleartext: (1) the administrator password in the AdmPasswd registry key, and (2) user passwords in the Userbase.dbf data file, which could allow local users to gain privileges. CVE-1999-1354 DESCRIPTION: E-mail client in Softarc FirstClass Internet Server 5.506 and earlier stores usernames and passwords in cleartext in the files (1) home.fc for version 5.506, (2) network.fc for version 3.5, or (3) FCCLIENT.LOG when logging is enabled. CVE-1999-1355 DESCRIPTION: BMC Patrol component, when installed with Compaq Insight Management Agent 4.23 and earlier, or Management Agents for Servers 4.40 and earlier, creates a PFCUser account with a default password and potentially dangerous privileges. CVE-1999-1356 DESCRIPTION: Compaq Integration Maintenance Utility as used in Compaq Insight Manager agent before SmartStart 4.50 modifies the legal notice caption (LegalNoticeCaption) and text (LegalNoticeText) in Windows NT, which could produce a legal notice that is in violation of the security policy. CVE-1999-1357 DESCRIPTION: Netscape Communicator 4.04 through 4.7 (and possibly other versions) in various UNIX operating systems converts the 0x8b character to a "<" sign, and the 0x9b character to a ">" sign, which could allow remote attackers to attack other clients via cross-site scripting (CSS) in CGI programs that do not filter these characters. CVE-1999-1358 DESCRIPTION: When an administrator in Windows NT or Windows 2000 changes a user policy, the policy is not properly updated if the local ntconfig.pol is not writable by the user, which could allow local users to bypass restrictions that would otherwise be enforced by the policy, possibly by changing the policy file to be read-only. CVE-1999-1359 DESCRIPTION: When the Ntconfig.pol file is used on a server whose name is longer than 13 characters, Windows NT does not properly enforce policies for global groups, which could allow users to bypass restrictions that were intended by those policies. CVE-1999-1360 DESCRIPTION: Windows NT 4.0 allows local users to cause a denial of service via a user mode application that closes a handle that was opened in kernel mode, which causes a crash when the kernel attempts to close the handle. CVE-1999-1361 DESCRIPTION: Windows NT 3.51 and 4.0 running WINS (Windows Internet Name Service) allows remote attackers to cause a denial of service (resource exhaustion) via a flood of malformed packets, which causes the server to slow down and fill the event logs with error messages. CVE-1999-1362 DESCRIPTION: Win32k.sys in Windows NT 4.0 before SP2 allows local users to cause a denial of service (crash) by calling certain WIN32K functions with incorrect parameters. CVE-1999-1363 DESCRIPTION: Windows NT 3.51 and 4.0 allow local users to cause a denial of service (crash) by running a program that creates a large number of locks on a file, which exhausts the NonPagedPool. CVE-1999-1364 DESCRIPTION: Windows NT 4.0 allows local users to cause a denial of service (crash) via an illegal kernel mode address to the functions (1) GetThreadContext or (2) SetThreadContext. CVE-1999-1365 DESCRIPTION: Windows NT searches a user's home directory (%systemroot% by default) before other directories to find critical programs such as NDDEAGNT.EXE, EXPLORER.EXE, USERINIT.EXE or TASKMGR.EXE, which could allow local users to bypass access restrictions or gain privileges by placing a Trojan horse program into the root directory, which is writable by default. CVE-1999-1366 DESCRIPTION: Pegasus e-mail client 3.0 and earlier uses weak encryption to store POP3 passwords in the pmail.ini file, which allows local users to easily decrypt the passwords and read e-mail. CVE-1999-1367 DESCRIPTION: Internet Explorer 5.0 does not properly reset the username/password cache for Web sites that do not use standard cache controls, which could allow users on the same system to access restricted web sites that were visited by other users. CVE-1999-1368 DESCRIPTION: AV Option for MS Exchange Server option for InoculateIT 4.53, and possibly other versions, only scans the Inbox folder tree of a Microsoft Exchange server, which could allow viruses to escape detection if a user's rules cause the message to be moved to a different mailbox. CVE-1999-1369 DESCRIPTION: Real Media RealServer (rmserver) 6.0.3.353 stores a password in plaintext in the world-readable rmserver.cfg file, which allows local users to gain privileges. CVE-1999-1370 DESCRIPTION: The setup wizard (ie5setup.exe) for Internet Explorer 5.0 disables (1) the screen saver, which could leave the system open to users with physical access if a failure occurs during an unattended installation, and (2) the Task Scheduler Service, which might prevent the scheduled execution of security-critical programs. CVE-1999-1371 DESCRIPTION: Buffer overflow in /usr/bin/write in Solaris 2.6 and 7 allows local users to gain privileges via a long string in the terminal name argument. CVE-1999-1372 DESCRIPTION: Triactive Remote Manager with Basic authentication enabled stores the username and password in cleartext in registry keys, which could allow local users to gain privileges. CVE-1999-1373 DESCRIPTION: FORE PowerHub before 5.0.1 allows remote attackers to cause a denial of service (hang) via a TCP SYN scan with TCP/IP OS fingerprinting, e.g. via nmap. CVE-1999-1374 DESCRIPTION: perlshop.cgi shopping cart program stores sensitive customer information in directories and files that are under the web root, which allows remote attackers to obtain that information via an HTTP request. CVE-1999-1375 DESCRIPTION: FileSystemObject (FSO) in the showfile.asp Active Server Page (ASP) allows remote attackers to read arbitrary files by specifying the name in the file parameter. CVE-1999-1376 DESCRIPTION: Buffer overflow in fpcount.exe in IIS 4.0 with FrontPage Server Extensions allows remote attackers to execute arbitrary commands. CVE-1999-1377 DESCRIPTION: Matt Wright's download.cgi 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the f parameter. CVE-1999-1378 DESCRIPTION: dbmlparser.exe CGI guestbook program does not perform a chroot operation properly, which allows remote attackers to read arbitrary files. CVE-1999-1379 DESCRIPTION: DNS allows remote attackers to use DNS name servers as traffic amplifiers via a UDP DNS query with a spoofed source address, which produces more traffic to the victim than was sent by the attacker. CVE-1999-1380 DESCRIPTION: Symantec Norton Utilities 2.0 for Windows 95 marks the TUNEOCX.OCX ActiveX control as safe for scripting, which allows remote attackers to execute arbitrary commands via the run option through malicious web pages that are accessed by browsers such as Internet Explorer 3.0. CVE-1999-1381 DESCRIPTION: Buffer overflow in dbadmin CGI program 1.0.1 on Linux allows remote attackers to execute arbitrary commands. CVE-1999-1382 DESCRIPTION: NetWare NFS mode 1 and 2 implements the "Read Only" flag in Unix by changing the ownership of a file to root, which allows local users to gain root privileges by creating a setuid program and setting it to "Read Only," which NetWare-NFS changes to a setuid root program. CVE-1999-1383 DESCRIPTION: (1) bash before 1.14.7, and (2) tcsh 6.05 allow local users to gain privileges via directory names that contain shell metacharacters (` back-tick), which can cause the commands enclosed in the directory name to be executed when the shell expands filenames using the \w option in the PS1 variable. CVE-1999-1384 DESCRIPTION: Indigo Magic System Tour in the SGI system tour package (systour) for IRIX 5.x through 6.3 allows local users to gain root privileges via a Trojan horse .exitops program, which is called by the inst command that is executed by the RemoveSystemTour program. CVE-1999-1385 DESCRIPTION: Buffer overflow in ppp program in FreeBSD 2.1 and earlier allows local users to gain privileges via a long HOME environment variable. CVE-1999-1386 DESCRIPTION: Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file. CVE-1999-1387 DESCRIPTION: Windows NT 4.0 SP2 allows remote attackers to cause a denial of service (crash), possibly via malformed inputs or packets, such as those generated by a Linux smbmount command that was compiled on the Linux 2.0.29 kernel but executed on Linux 2.0.25. CVE-1999-1388 DESCRIPTION: passwd in SunOS 4.1.x allows local users to overwrite arbitrary files via a symlink attack and the -F command line argument. CVE-1999-1389 DESCRIPTION: US Robotics/3Com Total Control Chassis with Frame Relay between 3.6.22 and 3.7.24 does not properly enforce access filters when the "set host prompt" setting is made for a port, which allows attackers to bypass restrictions by providing the hostname twice at the "host: " prompt. CVE-1999-1390 DESCRIPTION: suidexec in suidmanager 0.18 on Debian 2.0 allows local users to gain root privileges by specifying a malicious program on the command line. CVE-1999-1391 DESCRIPTION: Vulnerability in NeXT 1.0a and 1.0 with publicly accessible printers allows local users to gain privileges via a combination of the npd program and weak directory permissions. CVE-1999-1392 DESCRIPTION: Vulnerability in restore0.9 installation script in NeXT 1.0a and 1.0 allows local users to gain root privileges. CVE-1999-1393 DESCRIPTION: Control Panel "Password Security" option for Apple Powerbooks allows attackers with physical access to the machine to bypass the security by booting it with an emergency startup disk and using a disk editor to modify the on/off toggle or password in the aaaaaaaAPWD file, which is normally inaccessible. CVE-1999-1394 DESCRIPTION: BSD 4.4 based operating systems, when running at security level 1, allow the root user to clear the immutable and append-only flags for files by unmounting the file system and using a file system editor such as fsdb to directly modify the file through a device. CVE-1999-1395 DESCRIPTION: Vulnerability in Monitor utility (SYS$SHARE:SPISHR.EXE) in VMS 5.0 through 5.4-2 allows local users to gain privileges. CVE-1999-1396 DESCRIPTION: Vulnerability in integer multiplication emulation code on SPARC architectures for SunOS 4.1 through 4.1.2 allows local users to gain root access or cause a denial of service (crash). CVE-1999-1397 DESCRIPTION: Index Server 2.0 on IIS 4.0 stores physical path information in the ContentIndex\Catalogs subkey of the AllowedPaths registry key, whose permissions allows local and remote users to obtain the physical paths of directories that are being indexed. CVE-1999-1398 DESCRIPTION: Vulnerability in xfsdump in SGI IRIX may allow local users to obtain root privileges via the bck.log log file, possibly via a symlink attack. CVE-1999-1399 DESCRIPTION: spaceball program in SpaceWare 7.3 v1.0 in IRIX 6.2 allows local users to gain root privileges by setting the HOSTNAME environmental variable to contain the commands to be executed. CVE-1999-1400 DESCRIPTION: The Economist screen saver 1999 with the "Password Protected" option enabled allows users with physical access to the machine to bypass the screen saver and read files by running Internet Explorer while the screen is still locked. CVE-1999-1401 DESCRIPTION: Vulnerability in Desktop searchbook program in IRIX 5.0.x through 6.2 sets insecure permissions for certain user files (iconbook and searchbook). CVE-1999-1402 DESCRIPTION: The access permissions for a UNIX domain socket are ignored in Solaris 2.x and SunOS 4.x, and other BSD-based operating systems before 4.4, which could allow local users to connect to the socket and possibly disrupt or control the operations of the program using that socket. CVE-1999-1403 DESCRIPTION: IBM/Tivoli OPC Tracker Agent version 2 release 1 creates files, directories, and IPC message queues with insecure permissions (world-readable and world-writable), which could allow local users to disrupt operations and possibly gain privileges by modifying or deleting files. CVE-1999-1404 DESCRIPTION: IBM/Tivoli OPC Tracker Agent version 2 release 1 allows remote attackers to cause a denial of service (resource exhaustion) via malformed data to the localtracker client port (5011), which prevents the connection from being closed properly. CVE-1999-1405 DESCRIPTION: snap command in AIX before 4.3.2 creates the /tmp/ibmsupt directory with world-readable permissions and does not remove or clear the directory when snap -a is executed, which could allow local users to access the shadowed password file by creating /tmp/ibmsupt/general/passwd before root runs snap -a. CVE-1999-1406 DESCRIPTION: dumpreg in Red Hat Linux 5.1 opens /dev/mem with O_RDWR access, which allows local users to cause a denial of service (crash) by redirecting fd 1 (stdout) to the kernel. CVE-1999-1407 DESCRIPTION: ifdhcpc-done script for configuring DHCP on Red Hat Linux 5 allows local users to append text to arbitrary files via a symlink attack on the dhcplog file. CVE-1999-1408 DESCRIPTION: Vulnerability in AIX 4.1.4 and HP-UX 10.01 and 9.05 allows local users to cause a denial of service (crash) by using a socket to connect to a port on the localhost, calling shutdown to clear the socket, then using the same socket to connect to a different port on localhost. CVE-1999-1409 DESCRIPTION: The at program in IRIX 6.2 and NetBSD 1.3.2 and earlier allows local users to read portions of arbitrary files by submitting the file to at with the -f argument, which generates error messages that at sends to the user via e-mail. CVE-1999-1410 DESCRIPTION: addnetpr in IRIX 5.3 and 6.2 allows local users to overwrite arbitrary files and possibly gain root privileges via a symlink attack on the printers temporary file. CVE-1999-1411 DESCRIPTION: The installation of the fsp package 2.71-10 in Debian GNU/Linux 2.0 adds the anonymous FTP user without notifying the administrator, which could automatically enable anonymous FTP on some servers such as wu-ftp. CVE-1999-1412 DESCRIPTION: A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service (crash) via a flood of HTTP GET requests to CGI programs, which generates a large number of processes. CVE-1999-1413 DESCRIPTION: Solaris 2.4 before kernel jumbo patch -35 allows set-gid programs to dump core even if the real user id is not in the set-gid group, which allows local users to overwrite or create files at higher privileges by causing a core dump, e.g. through dmesg. CVE-1999-1414 DESCRIPTION: IBM Netfinity Remote Control allows local users to gain administrator privileges by starting programs from the process manager, which runs with system level privileges. CVE-1999-1415 DESCRIPTION: Vulnerability in /usr/bin/mail in DEC ULTRIX before 4.2 allows local users to gain privileges. CVE-1999-1416 DESCRIPTION: AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large content-length. CVE-1999-1417 DESCRIPTION: Format string vulnerability in AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via encoded % characters in an HTTP request, which is improperly logged. CVE-1999-1418 DESCRIPTION: ICQ99 ICQ web server build 1701 with "Active Homepage" enabled generates allows remote attackers to determine the existence of files on the server by comparing server responses when a file exists ("404 Forbidden") versus when a file does not exist ("404 not found"). CVE-1999-1419 DESCRIPTION: Buffer overflow in nss_nisplus.so.1 library in NIS+ in Solaris 2.3 and 2.4 allows local users to gain root privileges. CVE-1999-1420 DESCRIPTION: NBase switches NH2012, NH2012R, NH2015, and NH2048 have a back door password that cannot be disabled, which allows remote attackers to modify the switch's configuration. CVE-1999-1421 DESCRIPTION: NBase switches NH208 and NH215 run a TFTP server which allows remote attackers to send software updates to modify the switch or cause a denial of service (crash) by guessing the target filenames, which have default names. CVE-1999-1422 DESCRIPTION: The default configuration of Slackware 3.4, and possibly other versions, includes . (dot, the current directory) in the PATH environmental variable, which could allow local users to create Trojan horse programs that are inadvertently executed by other users. CVE-1999-1423 DESCRIPTION: ping in Solaris 2.3 through 2.6 allows local users to cause a denial of service (crash) via a ping request to a multicast address through the loopback interface, e.g. via ping -i. CVE-1999-1424 DESCRIPTION: Solaris Solstice AdminSuite (AdminSuite) 2.1 uses unsafe permissions when adding new users to the NIS+ password table, which allows local users to gain root access by modifying their password table entries. CVE-1999-1425 DESCRIPTION: Solaris Solstice AdminSuite (AdminSuite) 2.1 incorrectly sets write permissions on source files for NIS maps, which could allow local users to gain privileges by modifying /etc/passwd. CVE-1999-1426 DESCRIPTION: Solaris Solstice AdminSuite (AdminSuite) 2.1 follows symbolic links when updating an NIS database, which allows local users to overwrite arbitrary files. CVE-1999-1427 DESCRIPTION: Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 create lock files insecurely, which allows local users to gain root privileges. CVE-1999-1428 DESCRIPTION: Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 allows local users to gain privileges via the save option in the Database Manager, which is running with setgid bin privileges. CVE-1999-1429 DESCRIPTION: DIT TransferPro installs devices with world-readable and world-writable permissions, which could allow local users to damage disks through the ff device driver. CVE-1999-1430 DESCRIPTION: PIM software for Royal daVinci does not properly password-protext access to data stored in the .mdb (Microsoft Access) file, which allows local users to read the data without a password by directly accessing the files with a different application, such as Access. CVE-1999-1431 DESCRIPTION: ZAK in Appstation mode allows users to bypass the "Run only allowed apps" policy by starting Explorer from Office 97 applications (such as Word), installing software into the TEMP directory, and changing the name to that for an allowed application, such as Winword.exe. CVE-1999-1432 DESCRIPTION: Power management (Powermanagement) on Solaris 2.4 through 2.6 does not start the xlock process until after the sys-suspend has completed, which allows an attacker with physical access to input characters to the last active application from the keyboard for a short period after the system is restoring, which could lead to increased privileges. CVE-1999-1433 DESCRIPTION: HP JetAdmin D.01.09 on Solaris allows local users to change the permissions of arbitrary files via a symlink attack on the /tmp/jetadmin.log file. CVE-1999-1434 DESCRIPTION: login in Slackware Linux 3.2 through 3.5 does not properly check for an error when the /etc/group file is missing, which prevents it from dropping privileges, causing it to assign root privileges to any local user who logs on to the server. CVE-1999-1435 DESCRIPTION: Buffer overflow in libsocks5 library of Socks 5 (socks5) 1.0r5 allows local users to gain privileges via long environmental variables. CVE-1999-1436 DESCRIPTION: Ray Chan WWW Authorization Gateway 0.1 CGI program allows remote attackers to execute arbitrary commands via shell metacharacters in the "user" parameter. CVE-1999-1437 DESCRIPTION: ePerl 2.2.12 allows remote attackers to read arbitrary files and possibly execute certain commands by specifying a full pathname of the target file as an argument to bar.phtml. CVE-1999-1438 DESCRIPTION: Vulnerability in /bin/mail in SunOS 4.1.1 and earlier allows local users to gain root privileges via certain command line arguments. CVE-1999-1439 DESCRIPTION: gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files. CVE-1999-1440 DESCRIPTION: Win32 ICQ 98a 1.30, and possibly other versions, does not display the entire portion of long filenames, which could allow attackers to send an executable file with a long name that contains so many spaces that the .exe extension is not displayed, which could make the user believe that the file is safe to open from the client. CVE-1999-1441 DESCRIPTION: Linux 2.0.34 does not properly prevent users from sending SIGIO signals to arbitrary processes, which allows local users to cause a denial of service by sending SIGIO to processes that do not catch it. CVE-1999-1442 DESCRIPTION: Bug in AMD K6 processor on Linux 2.0.x and 2.1.x kernels allows local users to cause a denial of service (crash) via a particular sequence of instructions, possibly related to accessing addresses outside of segments. CVE-1999-1443 DESCRIPTION: Micah Software Full Armor Network Configurator and Zero Administration allow local users with physical access to bypass the desktop protection by (1) using and kill the process using the task manager, (2) booting the system from a separate disk, or (3) interrupting certain processes that execute while the system is booting. CVE-1999-1444 DESCRIPTION: genkey utility in Alibaba 2.0 generates RSA key pairs with an exponent of 1, which results in transactions that are sent in cleartext. CVE-1999-1445 DESCRIPTION: Vulnerability in imapd and ipop3d in Slackware 3.4 and 3.3 with shadowing enabled, and possibly other operating systems, allows remote attackers to cause a core dump via a short sequence of USER and PASS commands that do not provide valid usernames or passwords. CVE-1999-1446 DESCRIPTION: Internet Explorer 3 records a history of all URL's that are visited by a user in DAT files located in the Temporary Internet Files and History folders, which are not cleared when the user selects the "Clear History" option, and are not visible when the user browses the folders because of tailored displays. CVE-1999-1447 DESCRIPTION: Internet Explorer 4.0 allows remote attackers to cause a denial of service (crash) via HTML code that contains a long CLASSID parameter in an OBJECT tag. CVE-1999-1448 DESCRIPTION: Eudora and Eudora Light before 3.05 allows remote attackers to cause a crash and corrupt the user's mailbox via an e-mail message with certain dates, such as (1) dates before 1970, which cause a Divide By Zero error, or (2) dates that are 100 years after the current date, which causes a segmentation fault. CVE-1999-1449 DESCRIPTION: SunOS 4.1.4 on a Sparc 20 machine allows local users to cause a denial of service (kernel panic) by reading from the /dev/tcx0 TCX device. CVE-1999-1450 DESCRIPTION: Vulnerability in (1) rlogin daemon rshd and (2) scheme on SCO UNIX OpenServer 5.0.5 and earlier, and SCO UnixWare 7.0.1 and earlier, allows remote attackers to gain privileges. CVE-1999-1451 DESCRIPTION: The Winmsdp.exe sample file in IIS 4.0 and Site Server 3.0 allows remote attackers to read arbitrary files. CVE-1999-1452 DESCRIPTION: GINA in Windows NT 4.0 allows attackers with physical access to display a portion of the clipboard of the user who has locked the workstation by pasting (CTRL-V) the contents into the username prompt. CVE-1999-1453 DESCRIPTION: Internet Explorer 4 allows remote attackers (malicious web site operators) to read the contents of the clipboard via the Internet WebBrowser ActiveX object. CVE-1999-1454 DESCRIPTION: Macromedia "The Matrix" screen saver on Windows 95 with the "Password protected" option enabled allows attackers with physical access to the machine to bypass the password prompt by pressing the ESC (Escape) key. CVE-1999-1455 DESCRIPTION: RSH service utility RSHSVC in Windows NT 3.5 through 4.0 does not properly restrict access as specified in the .Rhosts file when a user comes from an authorized host, which could allow unauthorized users to access the service by logging in from an authorized host. CVE-1999-1456 DESCRIPTION: thttpd HTTP server 2.03 and earlier allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename. CVE-1999-1457 DESCRIPTION: Buffer overflow in thttpd HTTP server before 2.04-31 allows remote attackers to execute arbitrary commands via a long date string, which is not properly handled by the tdate_parse function. CVE-1999-1458 DESCRIPTION: Buffer overflow in at program in Digital UNIX 4.0 allows local users to gain root privileges via a long command line argument. CVE-1999-1459 DESCRIPTION: BMC PATROL Agent before 3.2.07 allows local users to gain root privileges via a symlink attack on a temporary file. CVE-1999-1460 DESCRIPTION: BMC PATROL SNMP Agent before 3.2.07 allows local users to create arbitrary world-writeable files as root by specifying the target file as the second argument to the snmpmagt program. CVE-1999-1461 DESCRIPTION: inpview in InPerson on IRIX 5.3 through IRIX 6.5.10 trusts the PATH environmental variable to find and execute the ttsession program, which allows local users to obtain root access by modifying the PATH to point to a Trojan horse ttsession program. CVE-1999-1462 DESCRIPTION: Vulnerability in bb-hist.sh CGI History module in Big Brother 1.09b and 1.09c allows remote attackers to read portions of arbitrary files. CVE-1999-1463 DESCRIPTION: Windows NT 4.0 before SP3 allows remote attackers to bypass firewall restrictions or cause a denial of service (crash) by sending improperly fragmented IP packets without the first fragment, which the TCP/IP stack incorrectly reassembles into a valid session. CVE-1999-1464 DESCRIPTION: Vulnerability in Cisco IOS 11.1CC and 11.1CT with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled interface to an interface that does not have DFS enabled, as described by Cisco bug CSCdk35564. CVE-1999-1465 DESCRIPTION: Vulnerability in Cisco IOS 11.1 through 11.3 with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled input interface to an output interface with a logical subinterface, as described by Cisco bug CSCdk43862. CVE-1999-1466 DESCRIPTION: Vulnerability in Cisco routers versions 8.2 through 9.1 allows remote attackers to bypass access control lists when extended IP access lists are used on certain interfaces, the IP route cache is enabled, and the access list uses the "established" keyword. CVE-1999-1467 DESCRIPTION: Vulnerability in rcp on SunOS 4.0.x allows remote attackers from trusted hosts to execute arbitrary commands as root, possibly related to the configuration of the nobody user. CVE-1999-1468 DESCRIPTION: rdist in various UNIX systems uses popen to execute sendmail, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable. CVE-1999-1469 DESCRIPTION: Buffer overflow in w3-auth CGI program in miniSQL package allows remote attackers to execute arbitrary commands via an HTTP request with (1) a long URL, or (2) a long User-Agent MIME header. CVE-1999-1470 DESCRIPTION: Eastman Work Management 3.21 stores passwords in cleartext in the COMMON and LOCATOR registry keys, which could allow local users to gain privileges. CVE-1999-1471 DESCRIPTION: Buffer overflow in passwd in BSD based operating systems 4.3 and earlier allows local users to gain root privileges by specifying a long shell or GECOS field. CVE-1999-1472 DESCRIPTION: Internet Explorer 4.0 allows remote attackers to read arbitrary text and HTML files on the user's machine via a small IFRAME that uses Dynamic HTML (DHTML) to send the data to the attacker, aka the Freiburg text-viewing issue. CVE-1999-1473 DESCRIPTION: When a Web site redirects the browser to another site, Internet Explorer 3.02 and 4.0 automatically resends authentication information to the second site, aka the "Page Redirect Issue." CVE-1999-1474 DESCRIPTION: PowerPoint 95 and 97 allows remote attackers to cause an application to be run automatically without prompting the user, possibly through the slide show, when the document is opened in browsers such as Internet Explorer. CVE-1999-1475 DESCRIPTION: ProFTPd 1.2 compiled with the mod_sqlpw module records user passwords in the wtmp log file, which allows local users to obtain the passwords and gain privileges by reading wtmp, e.g. via the last command. CVE-1999-1476 DESCRIPTION: A bug in Intel Pentium processor (MMX and Overdrive) allows local users to cause a denial of service (hang) in Intel-based operating systems such as Windows NT and Windows 95, via an invalid instruction, aka the "Invalid Operand with Locked CMPXCHG8B Instruction" problem. CVE-1999-1477 DESCRIPTION: Buffer overflow in GNOME libraries 1.0.8 allows local user to gain root access via a long --espeaker argument in programs such as nethack. CVE-1999-1478 DESCRIPTION: The Sun HotSpot Performance Engine VM allows a remote attacker to cause a denial of service on any server running HotSpot via a URL that includes the [ character. CVE-1999-1479 DESCRIPTION: The textcounter.pl by Matt Wright allows remote attackers to execute arbitrary commands via shell metacharacters. CVE-1999-1480 DESCRIPTION: (1) acledit and (2) aclput in AIX 4.3 allow local users to create or modify files via a symlink attack. CVE-1999-1481 DESCRIPTION: Squid 2.2.STABLE5 and below, when using external authentication, allows attackers to bypass access controls via a newline in the user/password pair. CVE-1999-1482 DESCRIPTION: SVGAlib zgv 3.0-7 and earlier allows local users to gain root access via a privilege leak of the iopl(3) privileges to child processes. CVE-1999-1483 DESCRIPTION: Buffer overflow in zgv in svgalib 1.2.10 and earlier allows local users to execute arbitrary code via a long HOME environment variable. CVE-1999-1484 DESCRIPTION: Buffer overflow in MSN Setup BBS 4.71.0.10 ActiveX control (setupbbs.ocx) allows a remote attacker to execute arbitrary commands via the methods (1) vAddNewsServer or (2) bIsNewsServerConfigured. CVE-1999-1485 DESCRIPTION: nsd in IRIX 6.5 through 6.5.2 exports a virtual filesystem on a UDP port, which allows remote attackers to view files and cause a possible denial of service by mounting the nsd virtual file system. CVE-1999-1486 DESCRIPTION: sadc in IBM AIX 4.1 through 4.3, when called from programs such as timex that are setgid adm, allows local users to overwrite arbitrary files via a symlink attack. CVE-1999-1487 DESCRIPTION: Vulnerability in digest in AIX 4.3 allows printq users to gain root privileges by creating and/or modifing any file on the system. CVE-1999-1488 DESCRIPTION: sdrd daemon in IBM SP2 System Data Repository (SDR) allows remote attackers to read files without authentication. CVE-1999-1489 DESCRIPTION: Buffer overflow in TestChip function in XFree86 SuperProbe in Slackware Linux 3.1 allows local users to gain root privileges via a long -nopr argument. CVE-1999-1490 DESCRIPTION: xosview 1.5.1 in Red Hat 5.1 allows local users to gain root access via a long HOME environmental variable. CVE-1999-1491 DESCRIPTION: abuse.console in Red Hat 2.1 uses relative pathnames to find and execute the undrv program, which allows local users to execute arbitrary commands via a path that points to a Trojan horse program. CVE-1999-1492 DESCRIPTION: Vulnerability in (1) diskperf and (2) diskalign in IRIX 6.4 allows local attacker to create arbitrary root owned files, leading to root privileges. CVE-1999-1493 DESCRIPTION: Vulnerability in crp in Hewlett Packard Apollo Domain OS SR10 through SR10.3 allows remote attackers to gain root privileges via insecure system calls, (1) pad_$dm_cmd and (2) pad_$def_pfk(). CVE-1999-1494 DESCRIPTION: colorview in Silicon Graphics IRIX 5.1, 5.2, and 6.0 allows local attackers to read arbitrary files via the -text argument. CVE-1999-1495 DESCRIPTION: xtvscreen in SuSE Linux 6.0 allows local users to overwrite arbitrary files via a symlink attack on the pic000.pnm file. CVE-1999-1496 DESCRIPTION: Sudo 1.5 in Debian Linux 2.1 and Red Hat 6.0 allows local users to determine the existence of arbitrary files by attempting to execute the target filename as a program, which generates a different error message when the file does not exist. CVE-1999-1497 DESCRIPTION: Ipswitch IMail 5.0 and 6.0 uses weak encryption to store passwords in registry keys, which allows local attackers to read passwords for e-mail accounts. CVE-1999-1498 DESCRIPTION: Slackware Linux 3.4 pkgtool allows local attacker to read and write to arbitrary files via a symlink attack on the reply file. CVE-1999-1499 DESCRIPTION: named in ISC BIND 4.9 and 8.1 allows local users to destroy files via a symlink attack on (1) named_dump.db when root kills the process with a SIGINT, or (2) named.stats when SIGIOT is used. CVE-1999-1500 DESCRIPTION: Internet Anywhere POP3 Mail Server 2.3.1 allows remote attackers to cause a denial of service (crash) via (1) LIST, (2) TOP, or (3) UIDL commands using letters as arguments. CVE-1999-1501 DESCRIPTION: (1) ipxchk and (2) ipxlink in SGI OS2 IRIX 6.3 does not properly clear the IFS environmental variable before executing system calls, which allows local users to execute arbitrary commands. CVE-1999-1502 DESCRIPTION: Buffer overflows in Quake 1.9 client allows remote malicious servers to execute arbitrary commands via long (1) precache paths, (2) server name, (3) server address, or (4) argument to the map console command. CVE-1999-1503 DESCRIPTION: Network Flight Recorder (NFR) 1.5 and 1.6 allows remote attackers to cause a denial of service in nfrd (crash) via a TCP packet with a null header and data field. CVE-1999-1504 DESCRIPTION: Stalker Internet Mail Server 1.6 allows a remote attacker to cause a denial of service (crash) via a long HELO command. CVE-1999-1505 DESCRIPTION: Buffer overflow in QuakeWorld 2.10 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary commands via a long initial connect packet. CVE-1999-1506 DESCRIPTION: Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3, allows remote attackers to access user bin. CVE-1999-1507 DESCRIPTION: Sun SunOS 4.1 through 4.1.3 allows local attackers to gain root access via insecure permissions on files and directories such as crash. CVE-1999-1508 DESCRIPTION: Web server in Tektronix PhaserLink Printer 840.0 and earlier allows a remote attacker to gain administrator access by directly calling undocumented URLs such as ncl_items.html and ncl_subjects.html. CVE-1999-1509 DESCRIPTION: Directory traversal vulnerability in Etype Eserv 2.50 web server allows a remote attacker to read any file in the file system via a .. (dot dot) in a URL. CVE-1999-1510 DESCRIPTION: Buffer overflows in Bisonware FTP server prior to 4.1 allow remote attackers to cause a denial of service, and possibly execute arbitrary commands, via long (1) USER, (2) LIST, or (3) CWD commands. CVE-1999-1511 DESCRIPTION: Buffer overflows in Xtramail 1.11 allow attackers to cause a denial of service (crash) and possibly execute arbitrary commands via (1) a long PASS command in the POP3 service, (2) a long HELO command in the SMTP service, or (3) a long user name in the Control Service. CVE-1999-1512 DESCRIPTION: The AMaViS virus scanner 0.2.0-pre4 and earlier allows remote attackers to execute arbitrary commands as root via an infected mail message with shell metacharacters in the reply-to field. CVE-1999-1513 DESCRIPTION: Management information base (MIB) for a 3Com SuperStack II hub running software version 2.10 contains an object identifier (.1.3.6.1.4.1.43.10.4.2) that is accessible by a read-only community string, but lists the entire table of community strings, which could allow attackers to conduct unauthorized activities. CVE-1999-1514 DESCRIPTION: Buffer overflow in Celtech ExpressFS FTP server 2.x allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long USER command. CVE-1999-1515 DESCRIPTION: A non-default configuration in TenFour TFS Gateway 4.0 allows an attacker to cause a denial of service via messages with incorrect sender and recipient addresses, which causes the gateway to continuously try to return the message every 10 seconds. CVE-1999-1516 DESCRIPTION: A buffer overflow in TenFour TFS Gateway SMTP mail server 3.2 allows an attacker to crash the mail server and possibly execute arbitrary code by offering more than 128 bytes in a MAIL FROM string. CVE-1999-1517 DESCRIPTION: runtar in the Amanda backup system used in various UNIX operating systems executes tar with root privileges, which allows a user to overwrite or read arbitrary files by providing the target files to runtar. CVE-1999-1518 DESCRIPTION: Operating systems with shared memory implementations based on BSD 4.4 code allow a user to conduct a denial of service and bypass memory limits (e.g., as specified with rlimits) using mmap or shmget to allocate memory and cause page faults. CVE-1999-1519 DESCRIPTION: Gene6 G6 FTP Server 2.0 allows a remote attacker to cause a denial of service (resource exhaustion) via a long (1) user name or (2) password. CVE-1999-1520 DESCRIPTION: A configuration problem in the Ad Server Sample directory (AdSamples) in Microsoft Site Server 3.0 allows an attacker to obtain the SITE.CSC file, which exposes sensitive SQL database information. CVE-1999-1521 DESCRIPTION: Computalynx CMail 2.4 and CMail 2.3 SP2 SMTP servers are vulnerable to a buffer overflow attack in the MAIL FROM command that may allow a remote attacker to execute arbitrary code on the server. CVE-1999-1522 DESCRIPTION: Vulnerability in htmlparse.pike in Roxen Web Server 1.3.11 and earlier, possibly related to recursive parsing and referer tags in RXML. CVE-1999-1523 DESCRIPTION: Buffer overflow in Sambar Web Server 4.2.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP GET request. CVE-1999-1524 DESCRIPTION: FlowPoint DSL router firmware versions prior to 3.0.8 allows a remote attacker to exploit a password recovery feature from the network and conduct brute force password guessing, instead of limiting the feature to the serial console port. CVE-1999-1525 DESCRIPTION: Macromedia Shockwave before 6.0 allows a malicious webmaster to read a user's mail box and possibly access internal web servers via the GetNextText command on a Shockwave movie. CVE-1999-1526 DESCRIPTION: Auto-update feature of Macromedia Shockwave 7 transmits a user's password and hard disk information back to Macromedia. CVE-1999-1527 DESCRIPTION: Internal HTTP server in Sun Netbeans Java IDE in Netbeans Developer 3.0 Beta and Forte Community Edition 1.0 Beta does not properly restrict access to IP addresses as specified in its configuration, which allows arbitrary remote attackers to access the server. CVE-1999-1528 DESCRIPTION: ProSoft Netware Client 5.12 on Macintosh MacOS 9 does not automatically log a user out of the NDS tree when the user logs off the system, which allows other users of the same system access to the unprotected NDS session. CVE-1999-1529 DESCRIPTION: A buffer overflow exists in the HELO command in Trend Micro Interscan VirusWall SMTP gateway 3.23/3.3 for NT, which may allow an attacker to execute arbitrary code. CVE-1999-1530 DESCRIPTION: cgiwrap as used on Cobalt RaQ 2.0 and RaQ 3i does not properly identify the user for running certain scripts, which allows a malicious site administrator to view or modify data located at another virtual site on the same system. CVE-1999-1531 DESCRIPTION: Buffer overflow in IBM HomePagePrint 1.0.7 for Windows98J allows a malicious Web site to execute arbitrary code on a viewer's system via a long IMG_SRC HTML tag. CVE-1999-1532 DESCRIPTION: Netscape Messaging Server 3.54, 3.55, and 3.6 allows a remote attacker to cause a denial of service (memory exhaustion) via a series of long RCPT TO commands. CVE-1999-1533 DESCRIPTION: Eicon Technology Diva LAN ISDN modem allows a remote attacker to cause a denial of service (hang) via a long password argument to the login.htm file in its HTTP service. CVE-1999-1534 DESCRIPTION: Buffer overflow in (1) nlservd and (2) rnavc in Knox Software Arkeia backup product allows local users to obtain root access via a long HOME environmental variable. CVE-1999-1535 DESCRIPTION: Buffer overflow in AspUpload.dll in Persits Software AspUpload before 1.4.0.2 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long argument in the HTTP request. CVE-1999-1536 DESCRIPTION: .sbstart startup script in AcuShop Salesbuilder is world writable, which allows local users to gain privileges by appending commands to the file. CVE-1999-1537 DESCRIPTION: IIS 3.x and 4.x does not distinguish between pages requiring encryption and those that do not, which allows remote attackers to cause a denial of service (resource exhaustion) via SSL requests to the HTTPS port for normally unencrypted files, which will cause IIS to perform extra work to send the files over SSL. CVE-1999-1538 DESCRIPTION: When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allows an unauthorized user to gain access to sensitive server information, including the Administrator's password. CVE-1999-1539 DESCRIPTION: Buffer overflow in FTP server in QPC Software's QVT/Term Plus versions 4.2d and 4.3 and QVT/Net 4.3 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long (1) user name or (2) password. CVE-1999-1540 DESCRIPTION: shell-lock in Cactus Software Shell Lock uses weak encryption (trivial encoding) which allows attackers to easily decrypt and obtain the source code. CVE-1999-1541 DESCRIPTION: shell-lock in Cactus Software Shell Lock allows local users to read or modify decoded shell files before they are executed, via a symlink attack on a temporary file. CVE-1999-1542 DESCRIPTION: RPMMail before 1.4 allows remote attackers to execute commands via an e-mail message with shell metacharacters in the "MAIL FROM" command. CVE-1999-1543 DESCRIPTION: MacOS uses weak encryption for passwords that are stored in the Users & Groups Data File. CVE-1999-1544 DESCRIPTION: Buffer overflow in FTP server in Microsoft IIS 3.0 and 4.0 allows local and sometimes remote attackers to cause a denial of service via a long NLST (ls) command. CVE-1999-1545 DESCRIPTION: Joe's Own Editor (joe) 2.8 sets the world-readable permission on its crash-save file, DEADJOE, which could allow local users to read files that were being edited by other users. CVE-1999-1546 DESCRIPTION: netstation.navio-com.rte 1.1.0.1 configuration script for Navio NC on IBM AIX exports /tmp over NFS as world-readable and world-writable. CVE-1999-1547 DESCRIPTION: Oracle Web Listener 2.1 allows remote attackers to bypass access restrictions by replacing a character in the URL with its HTTP-encoded (hex) equivalent. CVE-1999-1548 DESCRIPTION: Cabletron SmartSwitch Router (SSR) 8000 firmware 2.x can only handle 200 ARP requests per second allowing a denial of service attack to succeed with a flood of ARP requests exceeding that limit. CVE-1999-1549 DESCRIPTION: Lynx 2.x does not properly distinguish between internal and external HTML, which may allow a local attacker to read a "secure" hidden form value from a temporary file and craft a LYNXOPTIONS: URL that causes Lynx to modify the user's configuration file and execute commands. CVE-1999-1550 DESCRIPTION: bigconf.conf in F5 BIG/ip 2.1.2 and earlier allows remote attackers to read arbitrary files by specifying the target file in the "file" parameter. CVE-1999-1551 DESCRIPTION: Buffer overflow in Ipswitch IMail Service 5.0 allows an attacker to cause a denial of service (crash) and possibly execute arbitrary commands via a long URL. CVE-1999-1552 DESCRIPTION: dpsexec (DPS Server) when running under XDM in IBM AIX 3.2.5 and earlier does not properly check privileges, which allows local users to overwrite arbitrary files and gain privileges. CVE-1999-1553 DESCRIPTION: Buffer overflow in XCmail 0.99.6 with autoquote enabled allows remote attackers to execute arbitrary commands via a long subject line. CVE-1999-1554 DESCRIPTION: /usr/sbin/Mail on SGI IRIX 3.3 and 3.3.1 does not properly set the group ID to the group ID of the user who started Mail, which allows local users to read the mail of other users. CVE-1999-1555 DESCRIPTION: Cheyenne InocuLAN Anti-Virus Server in Inoculan 4.0 before Service Pack 2 creates an update directory with "EVERYONE FULL CONTROL" permissions, which allows local users to cause Inoculan's antivirus update feature to install a Trojan horse dll. CVE-1999-1556 DESCRIPTION: Microsoft SQL Server 6.5 uses weak encryption for the password for the SQLExecutiveCmdExec account and stores it in an accessible portion of the registry, which could allow local users to gain privileges by reading and decrypting the CmdExecAccount value. CVE-1999-1557 DESCRIPTION: Buffer overflow in the login functions in IMAP server (imapd) in Ipswitch IMail 5.0 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a long user name or (2) a long password. CVE-1999-1558 DESCRIPTION: Vulnerability in loginout in Digital OpenVMS 7.1 and earlier allows unauthorized access when external authentication is enabled. CVE-1999-1559 DESCRIPTION: Xylan OmniSwitch before 3.2.6 allows remote attackers to bypass the login prompt via a CTRL-D (control d) character, which locks other users out of the switch because it only supports one session at a time. CVE-1999-1560 DESCRIPTION: Vulnerability in a script in Texas A&M University (TAMU) Tiger allows local users to execute arbitrary commands as the Tiger user, usually root. CVE-1999-1561 DESCRIPTION: Nullsoft SHOUTcast server stores the administrative password in plaintext in a configuration file (sc_serv.conf), which could allow a local user to gain administrative privileges on the server. CVE-1999-1562 DESCRIPTION: gFTP FTP client 1.13, and other versions before 2.0.0, records a password in plaintext in (1) the log window, or (2) in a log file. CVE-1999-1563 DESCRIPTION: Nachuatec D435 and D445 printer allows remote attackers to cause a denial of service via ICMP redirect storm. CVE-1999-1564 DESCRIPTION: FreeBSD 3.2 and possibly other versions allows a local user to cause a denial of service (panic) with a large number accesses of an NFS v3 mounted directory from a large number of processes. CVE-1999-1565 DESCRIPTION: Man2html 2.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file. CVE-1999-1566 DESCRIPTION: Buffer overflow in iParty server 1.2 and earlier allows remote attackers to cause a denial of service (crash) by connecting to default port 6004 and sending repeated extended characters. CVE-1999-1567 DESCRIPTION: Seapine Software TestTrack server allows a remote attacker to cause a denial of service (high CPU) via (1) TestTrackWeb.exe and (2) ttcgi.exe by connecting to port 99 and disconnecting without sending any data. CVE-1999-1568 DESCRIPTION: Off-by-one error in NcFTPd FTP server before 2.4.1 allows a remote attacker to cause a denial of service (crash) via a long PORT command. CVE-1999-1569 DESCRIPTION: Quake 1 and NetQuake servers allow remote attackers to cause a denial of service (resource exhaustion or forced disconnection) via a flood of spoofed UDP connection packets, which exceeds the server's player limit. CVE-1999-1570 DESCRIPTION: Buffer overflow in sar for OpenServer 5.0.5 allows local users to gain root privileges via a long -o parameter. CVE-1999-1571 DESCRIPTION: Buffer overflow in sar for SCO OpenServer 5.0.0 through 5.0.5 may allow local users to gain root privileges via a long -f parameter, a different vulnerability than CVE-1999-1570. CVE-1999-1572 DESCRIPTION: cpio on FreeBSD 2.1.0, Debian GNU/Linux 3.0, and possibly other operating systems, uses a 0 umask when creating files using the -O (archive) or -F options, which creates the files with mode 0666 and allows local users to read or overwrite those files. CVE-1999-1573 DESCRIPTION: Multiple unknown vulnerabilities in the "r-cmnds" (1) remshd, (2) rexecd, (3) rlogind, (4) rlogin, (5) remsh, (6) rcp, (7) rexec, and (8) rdist for HP-UX 10.00 through 11.00 allow attackers to gain privileges or access files. CVE-1999-1574 DESCRIPTION: Buffer overflow in the lex routines of nslookup for AIX 4.3 may allow attackers to cause a core dump and possibly execute arbitrary code via "long input strings." CVE-1999-1575 DESCRIPTION: The Kodak/Wang (1) Image Edit (imgedit.ocx), (2) Image Annotation (imgedit.ocx), (3) Image Scan (imgscan.ocx), (4) Thumbnail Image (imgthumb.ocx), (5) Image Admin (imgadmin.ocx), (6) HHOpen (hhopen.ocx), (7) Registration Wizard (regwizc.dll), and (8) IE Active Setup (setupctl.dll) ActiveX controls for Internet Explorer (IE) 4.01 and 5.0 are marked as "Safe for Scripting," which allows remote attackers to create and modify files and execute arbitrary commands. CVE-1999-1576 DESCRIPTION: Buffer overflow in Adobe Acrobat ActiveX control (pdf.ocx, PDF.PdfCtrl.1) 1.3.188 for Acrobat Reader 4.0 allows remote attackers to execute arbitrary code via the pdf.setview method. CVE-1999-1577 DESCRIPTION: Buffer overflow in HHOpen ActiveX control (hhopen.ocx) 1.0.0.1 for Internet Explorer 4.01 and 5 allows remote attackers to execute arbitrary commands via long arguments to the OpenHelp method. CVE-1999-1578 DESCRIPTION: Buffer overflow in Registration Wizard ActiveX control (regwizc.dll, InvokeRegWizard) 3.0.0.0 for Internet Explorer 4.01 and 5 allows remote attackers to execute arbitrary commands. CVE-1999-1579 DESCRIPTION: The Cenroll ActiveX control (xenroll.dll) for Terminal Server Editions of Windows NT 4.0 and Windows NT Server 4.0 before SP6 allows remote attackers to cause a denial of service (resource consumption) by creating a large number of arbitrary files on the target machine. CVE-1999-1580 DESCRIPTION: SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding host argument, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable and passing crafted values to the -oR option. CVE-1999-1581 DESCRIPTION: Memory leak in Simple Network Management Protocol (SNMP) agent (snmp.exe) for Windows NT 4.0 before Service Pack 4 allows remote attackers to cause a denial of service (memory consumption) via a large number of SNMP packets with Object Identifiers (OIDs) that cannot be decoded. CVE-1999-1582 DESCRIPTION: By design, the "established" command on the Cisco PIX firewall allows connections from one host to arbitrary ports of a target host if an alternative conduit has already been allowed, which can cause administrators to configure less restrictive access controls than intended if they do not understand this functionality. CVE-1999-1583 DESCRIPTION: Buffer overflow in nslookup for AIX 4.3 allows local users to execute arbitrary code via a long hostname command line argument. CVE-1999-1584 DESCRIPTION: Unknown vulnerability in (1) loadmodule, and (2) modload if modload is installed with setuid/setgid privileges, in SunOS 4.1.1 through 4.1.3c, and Open Windows 3.0, allows local users to gain root privileges via environment variables, a different vulnerability than CVE-1999-1586. CVE-1999-1585 DESCRIPTION: The (1) rcS and (2) mountall programs in Sun Solaris 2.x, possibly before 2.4, start a privileged shell on the system console if fsck fails while the system is booting, which allows attackers with physical access to gain root privileges. CVE-1999-1586 DESCRIPTION: loadmodule in SunOS 4.1.x, as used by xnews, does not properly sanitize its environment, which allows local users to gain privileges, a different vulnerability than CVE-1999-1584. CVE-1999-1587 DESCRIPTION: /usr/ucb/ps in Sun Microsystems Solaris 8 and 9, and certain earlier releases, allows local users to view the environment variables and values of arbitrary processes via the -e option. CVE-1999-1588 DESCRIPTION: Buffer overflow in nlps_server in Sun Solaris x86 2.4, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code as root via a long string beginning with "NLPS:002:002:" to the listen (aka System V listener) port, TCP port 2766. CVE-1999-1589 DESCRIPTION: Unspecified vulnerability in crontab in IBM AIX 3.2 allows local users to gain root privileges via unknown attack vectors. CVE-1999-1590 DESCRIPTION: Directory traversal vulnerability in Muhammad A. Muquit wwwcount (Count.cgi) 2.3 allows remote attackers to read arbitrary GIF files via ".." sequences in the image parameter, a different vulnerability than CVE-1999-0021. CVE-1999-1591 DESCRIPTION: Microsoft Internet Information Services (IIS) server 4.0 SP4, without certain hotfixes released for SP4, does not require authentication credentials under certain conditions, which allows remote attackers to bypass authentication requirements, as demonstrated by connecting via Microsoft Visual InterDev 6.0. CVE-1999-1592 DESCRIPTION: Multiple unspecified vulnerabilities in sendmail 5, as installed on Sun SunOS 4.1.3_U1 and 4.1.4, have unspecified attack vectors and impact. NOTE: this might overlap CVE-1999-0129. CVE-1999-1593 DESCRIPTION: Windows Internet Naming Service (WINS) allows remote attackers to cause a denial of service (connectivity loss) or steal credentials via a 1Ch registration that causes WINS to change the domain controller to point to a malicious server. NOTE: this problem may be limited when Windows 95/98 clients are used, or if the primary domain controller becomes unavailable. CVE-1999-1594 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-1999-1595 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-1999-1596 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-1999-1597 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-1999-1598 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2000-0001 DESCRIPTION: RealMedia server allows remote attackers to cause a denial of service via a long ramgen request. CVE-2000-0002 DESCRIPTION: Buffer overflow in ZBServer Pro 1.50 allows remote attackers to execute commands via a long GET request. CVE-2000-0003 DESCRIPTION: Buffer overflow in UnixWare rtpm program allows local users to gain privileges via a long environmental variable. CVE-2000-0004 DESCRIPTION: ZBServer Pro allows remote attackers to read source code for executable files by inserting a . (dot) into the URL. CVE-2000-0005 DESCRIPTION: HP-UX aserver program allows local users to gain privileges via a symlink attack. CVE-2000-0006 DESCRIPTION: strace allows local users to read arbitrary files via memory mapped file names. CVE-2000-0007 DESCRIPTION: Trend Micro PC-Cillin does not restrict access to its internal proxy port, allowing remote attackers to conduct a denial of service. CVE-2000-0008 DESCRIPTION: FTPPro allows local users to read sensitive information, which is stored in plain text. CVE-2000-0009 DESCRIPTION: The bna_pass program in Optivity NETarchitect uses the PATH environmental variable for finding the "rm" program, which allows local users to execute arbitrary commands. CVE-2000-0010 DESCRIPTION: WebWho+ whois.cgi program allows remote attackers to execute commands via shell metacharacters in the TLD parameter. CVE-2000-0011 DESCRIPTION: Buffer overflow in AnalogX SimpleServer:WWW HTTP server allows remote attackers to execute commands via a long GET request. CVE-2000-0012 DESCRIPTION: Buffer overflow in w3-msql CGI program in miniSQL package allows remote attackers to execute commands. CVE-2000-0013 DESCRIPTION: IRIX soundplayer program allows local users to gain privileges by including shell metacharacters in a .wav file, which is executed via the midikeys program. CVE-2000-0014 DESCRIPTION: Denial of service in Savant web server via a null character in the requested URL. CVE-2000-0015 DESCRIPTION: CascadeView TFTP server allows local users to gain privileges via a symlink attack. CVE-2000-0016 DESCRIPTION: Buffer overflow in Internet Anywhere POP3 Mail Server allows remote attackers to cause a denial of service or execute commands via a long username. CVE-2000-0017 DESCRIPTION: Buffer overflow in Linux linuxconf package allows remote attackers to gain root privileges via a long parameter. CVE-2000-0018 DESCRIPTION: wmmon in FreeBSD allows local users to gain privileges via the .wmmonrc configuration file. CVE-2000-0019 DESCRIPTION: IMail POP3 daemon uses weak encryption, which allows local users to read files. CVE-2000-0020 DESCRIPTION: DNS PRO allows remote attackers to conduct a denial of service via a large number of connections. CVE-2000-0021 DESCRIPTION: Lotus Domino HTTP server allows remote attackers to determine the real path of the server via a request to a non-existent script in /cgi-bin. CVE-2000-0022 DESCRIPTION: Lotus Domino HTTP server does not properly disable anonymous access for the cgi-bin directory. CVE-2000-0023 DESCRIPTION: Buffer overflow in Lotus Domino HTTP server allows remote attackers to cause a denial of service via a long URL. CVE-2000-0024 DESCRIPTION: IIS does not properly canonicalize URLs, potentially allowing remote attackers to bypass access restrictions in third-party software via escape characters, aka the "Escape Character Parsing" vulnerability. CVE-2000-0025 DESCRIPTION: IIS 4.0 and Site Server 3.0 allow remote attackers to read source code for ASP files if the file is in a virtual directory whose name includes extensions such as .com, .exe, .sh, .cgi, or .dll, aka the "Virtual Directory Naming" vulnerability. CVE-2000-0026 DESCRIPTION: Buffer overflow in UnixWare i2odialogd daemon allows remote attackers to gain root access via a long username/password authorization string. CVE-2000-0027 DESCRIPTION: IBM Network Station Manager NetStation allows local users to gain privileges via a symlink attack. CVE-2000-0028 DESCRIPTION: Internet Explorer 5.0 and 5.01 allows remote attackers to bypass the cross frame security policy and read files via the external.NavigateAndFind function. CVE-2000-0029 DESCRIPTION: UnixWare pis and mkpis commands allow local users to gain privileges via a symlink attack. CVE-2000-0030 DESCRIPTION: Solaris dmispd dmi_cmd allows local users to fill up restricted disk space by adding files to the /var/dmi/db database. CVE-2000-0031 DESCRIPTION: The initscripts package in Red Hat Linux allows local users to gain privileges via a symlink attack. CVE-2000-0032 DESCRIPTION: Solaris dmi_cmd allows local users to crash the dmispd daemon by adding a malformed file to the /var/dmi/db database. CVE-2000-0033 DESCRIPTION: InterScan VirusWall SMTP scanner does not properly scan messages with malformed attachments. CVE-2000-0034 DESCRIPTION: Netscape 4.7 records user passwords in the preferences.js file during an IMAP or POP session, even if the user has not enabled "remember passwords." CVE-2000-0035 DESCRIPTION: resend command in Majordomo allows local users to gain privileges via shell metacharacters. CVE-2000-0036 DESCRIPTION: Outlook Express 5 for Macintosh downloads attachments to HTML mail without prompting the user, aka the "HTML Mail Attachment" vulnerability. CVE-2000-0037 DESCRIPTION: Majordomo wrapper allows local users to gain privileges by specifying an alternate configuration file. CVE-2000-0038 DESCRIPTION: glFtpD includes a default glftpd user account with a default password and a UID of 0. CVE-2000-0039 DESCRIPTION: AltaVista search engine allows remote attackers to read files above the document root via a .. (dot dot) in the query.cgi CGI program. CVE-2000-0040 DESCRIPTION: glFtpD allows local users to gain privileges via metacharacters in the SITE ZIPCHK command. CVE-2000-0041 DESCRIPTION: Macintosh systems generate large ICMP datagrams in response to malformed datagrams, allowing them to be used as amplifiers in a flood attack. CVE-2000-0042 DESCRIPTION: Buffer overflow in CSM mail server allows remote attackers to cause a denial of service or execute commands via a long HELO command. CVE-2000-0043 DESCRIPTION: Buffer overflow in CamShot WebCam HTTP server allows remote attackers to execute commands via a long GET request. CVE-2000-0044 DESCRIPTION: Macros in War FTP 1.70 and 1.67b2 allow local or remote attackers to read arbitrary files or execute commands. CVE-2000-0045 DESCRIPTION: MySQL allows local users to modify passwords for arbitrary MySQL users via the GRANT privilege. CVE-2000-0046 DESCRIPTION: Buffer overflow in ICQ 99b 1.1.1.1 client allows remote attackers to execute commands via a malformed URL within an ICQ message. CVE-2000-0047 DESCRIPTION: Buffer overflow in Yahoo Pager/Messenger client allows remote attackers to cause a denial of service via a long URL within a message. CVE-2000-0048 DESCRIPTION: get_it program in Corel Linux Update allows local users to gain root access by specifying an alternate PATH for the cp program. CVE-2000-0049 DESCRIPTION: Buffer overflow in Winamp client allows remote attackers to execute commands via a long entry in a .pls file. CVE-2000-0050 DESCRIPTION: The Allaire Spectra Webtop allows authenticated users to access other Webtop sections by specifying explicit URLs. CVE-2000-0051 DESCRIPTION: The Allaire Spectra Configuration Wizard allows remote attackers to cause a denial of service by repeatedly resubmitting data collections for indexing via a URL. CVE-2000-0052 DESCRIPTION: Red Hat userhelper program in the usermode package allows local users to gain root access via PAM and a .. (dot dot) attack. CVE-2000-0053 DESCRIPTION: Microsoft Commercial Internet System (MCIS) IMAP server allows remote attackers to cause a denial of service via a malformed IMAP request. CVE-2000-0054 DESCRIPTION: search.cgi in the SolutionScripts Home Free package allows remote attackers to view directories via a .. (dot dot) attack. CVE-2000-0055 DESCRIPTION: Buffer overflow in Solaris chkperm command allows local users to gain root access via a long -n option. CVE-2000-0056 DESCRIPTION: IMail IMONITOR status.cgi CGI script allows remote attackers to cause a denial of service with many calls to status.cgi. CVE-2000-0057 DESCRIPTION: Cold Fusion CFCACHE tag places temporary cache files within the web document root, allowing remote attackers to obtain sensitive system information. CVE-2000-0058 DESCRIPTION: Network HotSync program in Handspring Visor does not have authentication, which allows remote attackers to retrieve email and files. CVE-2000-0059 DESCRIPTION: PHP3 with safe_mode enabled does not properly filter shell metacharacters from commands that are executed by popen, which could allow remote attackers to execute commands. CVE-2000-0060 DESCRIPTION: Buffer overflow in aVirt Rover POP3 server 1.1 allows remote attackers to cause a denial of service via a long user name. CVE-2000-0061 DESCRIPTION: Internet Explorer 5 does not modify the security zone for a document that is being loaded into a window until after the document has been loaded, which could allow remote attackers to execute Javascript in a different security context while the document is loading. CVE-2000-0062 DESCRIPTION: The DTML implementation in the Z Object Publishing Environment (Zope) allows remote attackers to conduct unauthorized activities. CVE-2000-0063 DESCRIPTION: cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to read arbitrary files by specifying the filename in a parameter to the script. CVE-2000-0064 DESCRIPTION: cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to cause a denial of service via a malformed URL that includes shell metacharacters. CVE-2000-0065 DESCRIPTION: Buffer overflow in InetServ 3.0 allows remote attackers to execute commands via a long GET request. CVE-2000-0066 DESCRIPTION: WebSite Pro allows remote attackers to determine the real pathname of webdirectories via a malformed URL request. CVE-2000-0067 DESCRIPTION: CyberCash Merchant Connection Kit (MCK) allows local users to modify files via a symlink attack. CVE-2000-0068 DESCRIPTION: daynad program in Intel InBusiness E-mail Station does not require authentication, which allows remote attackers to modify its configuration, delete files, or read mail. CVE-2000-0069 DESCRIPTION: The recover program in Solstice Backup allows local users to restore sensitive files. CVE-2000-0070 DESCRIPTION: NtImpersonateClientOfPort local procedure call in Windows NT 4.0 allows local users to gain privileges, aka "Spoofed LPC Port Request." CVE-2000-0071 DESCRIPTION: IIS 4.0 allows a remote attacker to obtain the real pathname of the document root by requesting non-existent files with .ida or .idq extensions. CVE-2000-0072 DESCRIPTION: Visual Casel (Vcasel) does not properly prevent users from executing files, which allows local users to use a relative pathname to specify an alternate file which has an approved name and possibly gain privileges. CVE-2000-0073 DESCRIPTION: Buffer overflow in Microsoft Rich Text Format (RTF) reader allows attackers to cause a denial of service via a malformed control word. CVE-2000-0074 DESCRIPTION: PowerScripts PlusMail CGI program allows remote attackers to execute commands via a password file with improper permissions. CVE-2000-0075 DESCRIPTION: Super Mail Transfer Package (SMTP), later called MsgCore, has a memory leak which allows remote attackers to cause a denial of service by repeating multiple HELO, MAIL FROM, RCPT TO, and DATA commands in the same session. CVE-2000-0076 DESCRIPTION: nviboot boot script in the Debian nvi package allows local users to delete files via malformed entries in vi.recover. CVE-2000-0077 DESCRIPTION: The October 1998 version of the HP-UX aserver program allows local users to gain privileges by specifying an alternate PATH which aserver uses to find the ps and grep commands. CVE-2000-0078 DESCRIPTION: The June 1999 version of the HP-UX aserver program allows local users to gain privileges by specifying an alternate PATH which aserver uses to find the awk command. CVE-2000-0079 DESCRIPTION: The W3C CERN httpd HTTP server allows remote attackers to determine the real pathnames of some commands via a request for a nonexistent URL. CVE-2000-0080 DESCRIPTION: AIX techlibss allows local users to overwrite files via a symlink attack. CVE-2000-0081 DESCRIPTION: Hotmail does not properly filter JavaScript code from a user's mailbox, which allows a remote attacker to execute the code by using hexadecimal codes to specify the javascript: protocol, e.g. jAvascript. CVE-2000-0082 DESCRIPTION: WebTV email client allows remote attackers to force the client to send email without the user's knowledge via HTML. CVE-2000-0083 DESCRIPTION: HP asecure creates the Audio Security File audio.sec with insecure permissions, which allows local users to cause a denial of service or gain additional privileges. CVE-2000-0084 DESCRIPTION: CuteFTP uses weak encryption to store password information in its tree.dat file. CVE-2000-0085 DESCRIPTION: Hotmail does not properly filter JavaScript code from a user's mailbox, which allows a remote attacker to execute code via the LOWSRC or DYNRC parameters in the IMG tag. CVE-2000-0086 DESCRIPTION: Netopia Timbuktu Pro sends user IDs and passwords in cleartext, which allows remote attackers to obtain them via sniffing. CVE-2000-0087 DESCRIPTION: Netscape Mail Notification (nsnotify) utility in Netscape Communicator uses IMAP without SSL, even if the user has set a preference for Communicator to use an SSL connection, allowing a remote attacker to sniff usernames and passwords in plaintext. CVE-2000-0088 DESCRIPTION: Buffer overflow in the conversion utilities for Japanese, Korean and Chinese Word 5 documents allows an attacker to execute commands, aka the "Malformed Conversion Data" vulnerability. CVE-2000-0089 DESCRIPTION: The rdisk utility in Microsoft Terminal Server Edition and Windows NT 4.0 stores registry hive information in a temporary file with permissions that allow local users to read it, aka the "RDISK Registry Enumeration File" vulnerability. CVE-2000-0090 DESCRIPTION: VMWare 1.1.2 allows local users to cause a denial of service via a symlink attack. CVE-2000-0091 DESCRIPTION: Buffer overflow in vchkpw/vpopmail POP authentication package allows remote attackers to gain root privileges via a long username or password. CVE-2000-0092 DESCRIPTION: The BSD make program allows local users to modify files via a symlink attack when the -j option is being used. CVE-2000-0093 DESCRIPTION: An installation of Red Hat uses DES password encryption with crypt() for the initial password, instead of md5. CVE-2000-0094 DESCRIPTION: procfs in BSD systems allows local users to gain root privileges by modifying the /proc/pid/mem interface via a modified file descriptor for stderr. CVE-2000-0095 DESCRIPTION: The PMTU discovery procedure used by HP-UX 10.30 and 11.00 for determining the optimum MTU generates large amounts of traffic in response to small packets, allowing remote attackers to cause the system to be used as a packet amplifier. CVE-2000-0096 DESCRIPTION: Buffer overflow in qpopper 3.0 beta versions allows local users to gain privileges via a long LIST command. CVE-2000-0097 DESCRIPTION: The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to read arbitrary files, aka the "Malformed Hit-Highlighting Argument" vulnerability. CVE-2000-0098 DESCRIPTION: Microsoft Index Server allows remote attackers to determine the real path for a web directory via a request to an Internet Data Query file that does not exist. CVE-2000-0099 DESCRIPTION: Buffer overflow in UnixWare ppptalk command allows local users to gain privileges via a long prompt argument. CVE-2000-0100 DESCRIPTION: The SMS Remote Control program is installed with insecure permissions, which allows local users to gain privileges by modifying or replacing the program. CVE-2000-0101 DESCRIPTION: The Make-a-Store OrderPage shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. CVE-2000-0102 DESCRIPTION: The SalesCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. CVE-2000-0103 DESCRIPTION: The SmartCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. CVE-2000-0104 DESCRIPTION: The Shoptron shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. CVE-2000-0105 DESCRIPTION: Outlook Express 5.01 and Internet Explorer 5.01 allow remote attackers to view a user's email messages via a script that accesses a variable that references subsequent email messages that are read by the client. CVE-2000-0106 DESCRIPTION: The EasyCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. CVE-2000-0107 DESCRIPTION: Linux apcd program allows local attackers to modify arbitrary files via a symlink attack. CVE-2000-0108 DESCRIPTION: The Intellivend shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. CVE-2000-0109 DESCRIPTION: The mcsp Client Site Processor system (MultiCSP) in Standard and Poor's ComStock is installed with several accounts that have no passwords or easily guessable default passwords. CVE-2000-0110 DESCRIPTION: The WebSiteTool shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. CVE-2000-0111 DESCRIPTION: The RightFax web client uses predictable session numbers, which allows remote attackers to hijack user sessions. CVE-2000-0112 DESCRIPTION: The default installation of Debian GNU/Linux uses an insecure Master Boot Record (MBR) which allows a local user to boot from a floppy disk during the installation. CVE-2000-0113 DESCRIPTION: The SyGate Remote Management program does not properly restrict access to its administration service, which allows remote attackers to cause a denial of service, or access network traffic statistics. CVE-2000-0114 DESCRIPTION: Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory. CVE-2000-0115 DESCRIPTION: IIS allows local users to cause a denial of service via invalid regular expressions in a Visual Basic script in an ASP page. CVE-2000-0116 DESCRIPTION: Firewall-1 does not properly filter script tags, which allows remote attackers to bypass the "Strip Script Tags" restriction by including an extra < in front of the SCRIPT tag. CVE-2000-0117 DESCRIPTION: The siteUserMod.cgi program in Cobalt RaQ2 servers allows any Site Administrator to modify passwords for other users, site administrators, and possibly admin (root). CVE-2000-0118 DESCRIPTION: The Red Hat Linux su program does not log failed password guesses if the su process is killed before it times out, which allows local attackers to conduct brute force password guessing. CVE-2000-0119 DESCRIPTION: The default configurations for McAfee Virus Scan and Norton Anti-Virus virus checkers do not check files in the RECYCLED folder that is used by the Windows Recycle Bin utility, which allows attackers to store malicious code without detection. CVE-2000-0120 DESCRIPTION: The Remote Access Service invoke.cfm template in Allaire Spectra 1.0 allows users to bypass authentication via the bAuthenticated parameter. CVE-2000-0121 DESCRIPTION: The Recycle Bin utility in Windows NT and Windows 2000 allows local users to read or modify files by creating a subdirectory with the victim's SID in the recycler directory, aka the "Recycle Bin Creation" vulnerability. CVE-2000-0122 DESCRIPTION: Frontpage Server Extensions allows remote attackers to determine the physical path of a virtual directory via a GET request to the htimage.exe CGI program. CVE-2000-0123 DESCRIPTION: The shopping cart application provided with Filemaker allows remote users to modify sensitive purchase information via hidden form fields. CVE-2000-0124 DESCRIPTION: surfCONTROL SuperScout does not properly asign a category to web sites with a . (dot) at the end, which may allow users to bypass web access restrictions. CVE-2000-0125 DESCRIPTION: wwwthreads does not properly cleanse numeric data or table names that are passed to SQL queries, which allows remote attackers to gain privileges for wwwthreads forums. CVE-2000-0126 DESCRIPTION: Sample Internet Data Query (IDQ) scripts in IIS 3 and 4 allow remote attackers to read files via a .. (dot dot) attack. CVE-2000-0127 DESCRIPTION: The Webspeed configuration program does not properly disable access to the WSMadmin utility, which allows remote attackers to gain privileges via wsisa.dll. CVE-2000-0128 DESCRIPTION: The Finger Server 0.82 allows remote attackers to execute commands via shell metacharacters. CVE-2000-0129 DESCRIPTION: Buffer overflow in the SHGetPathFromIDList function of the Serv-U FTP server allows attackers to cause a denial of service by performing a LIST command on a malformed .lnk file. CVE-2000-0130 DESCRIPTION: Buffer overflow in SCO scohelp program allows remote attackers to execute commands. CVE-2000-0131 DESCRIPTION: Buffer overflow in War FTPd 1.6x allows users to cause a denial of service via long MKD and CWD commands. CVE-2000-0132 DESCRIPTION: Microsoft Java Virtual Machine allows remote attackers to read files via the getSystemResourceAsStream function. CVE-2000-0133 DESCRIPTION: Buffer overflows in Tiny FTPd 0.52 beta3 FTP server allows users to execute commands via the STOR, RNTO, MKD, XMKD, RMD, XRMD, APPE, SIZE, and RNFR commands. CVE-2000-0134 DESCRIPTION: The Check It Out shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. CVE-2000-0135 DESCRIPTION: The @Retail shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. CVE-2000-0136 DESCRIPTION: The Cart32 shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. CVE-2000-0137 DESCRIPTION: The CartIt shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. CVE-2000-0138 DESCRIPTION: A system has a distributed denial of service (DDOS) attack master, agent, or zombie installed, such as (1) Trinoo, (2) Tribe Flood Network (TFN), (3) Tribe Flood Network 2000 (TFN2K), (4) stacheldraht, (5) mstream, or (6) shaft. CVE-2000-0139 DESCRIPTION: Internet Anywhere POP3 Mail Server allows local users to cause a denial of service via a malformed RETR command. CVE-2000-0140 DESCRIPTION: Internet Anywhere POP3 Mail Server allows remote attackers to cause a denial of service via a large number of connections. CVE-2000-0141 DESCRIPTION: Infopop Ultimate Bulletin Board (UBB) allows remote attackers to execute commands via shell metacharacters in the topic hidden field. CVE-2000-0142 DESCRIPTION: The authentication protocol in Timbuktu Pro 2.0b650 allows remote attackers to cause a denial of service via connections to port 407 and 1417. CVE-2000-0143 DESCRIPTION: The SSH protocol server sshd allows local users without shell access to redirect a TCP connection through a service that uses the standard system password database for authentication, such as POP or FTP. CVE-2000-0144 DESCRIPTION: Axis 700 Network Scanner does not properly restrict access to administrator URLs, which allows users to bypass the password protection via a .. (dot dot) attack. CVE-2000-0145 DESCRIPTION: The libguile.so library file used by gnucash in Debian GNU/Linux is installed with world-writable permissions. CVE-2000-0146 DESCRIPTION: The Java Server in the Novell GroupWise Web Access Enhancement Pack allows remote attackers to cause a denial of service via a long URL to the servlet. CVE-2000-0147 DESCRIPTION: snmpd in SCO OpenServer has an SNMP community string that is writable by default, which allows local attackers to modify the host's configuration. CVE-2000-0148 DESCRIPTION: MySQL 3.22 allows remote attackers to bypass password authentication and access a database via a short check string. CVE-2000-0149 DESCRIPTION: Zeus web server allows remote attackers to view the source code for CGI programs via a null character (%00) at the end of a URL. CVE-2000-0150 DESCRIPTION: Check Point Firewall-1 allows remote attackers to bypass port access restrictions on an FTP server by forcing it to send malicious packets that Firewall-1 misinterprets as a valid 227 response to a client's PASV attempt. CVE-2000-0151 DESCRIPTION: GNU make follows symlinks when it reads a Makefile from stdin, which allows other local users to execute commands. CVE-2000-0152 DESCRIPTION: Remote attackers can cause a denial of service in Novell BorderManager 3.5 by pressing the enter key in a telnet connection to port 2000. CVE-2000-0153 DESCRIPTION: FrontPage Personal Web Server (PWS) allows remote attackers to read files via a .... (dot dot) attack. CVE-2000-0154 DESCRIPTION: The ARCserve agent in UnixWare allows local attackers to modify arbitrary files via a symlink attack. CVE-2000-0155 DESCRIPTION: Windows NT Autorun executes the autorun.inf file on non-removable media, which allows local attackers to specify an alternate program to execute when other users access a drive. CVE-2000-0156 DESCRIPTION: Internet Explorer 4.x and 5.x allows remote web servers to access files on the client that are outside of its security domain, aka the "Image Source Redirect" vulnerability. CVE-2000-0157 DESCRIPTION: NetBSD ptrace call on VAX allows local users to gain privileges by modifying the PSL contents in the debugging process. CVE-2000-0158 DESCRIPTION: Buffer overflow in MMDF server allows remote attackers to gain privileges via a long MAIL FROM command to the SMTP daemon. CVE-2000-0159 DESCRIPTION: HP Ignite-UX does not save /etc/passwd when it creates an image of a trusted system, which can set the password field to a blank and allow an attacker to gain privileges. CVE-2000-0160 DESCRIPTION: The Microsoft Active Setup ActiveX component in Internet Explorer 4.x and 5.x allows a remote attacker to install software components without prompting the user by stating that the software's manufacturer is Microsoft. CVE-2000-0161 DESCRIPTION: Sample web sites on Microsoft Site Server 3.0 Commerce Edition do not validate an identification number, which allows remote attackers to execute SQL commands. CVE-2000-0162 DESCRIPTION: The Microsoft virtual machine (VM) in Internet Explorer 4.x and 5.x allows a remote attacker to read files via a malicious Java applet that escapes the Java sandbox, aka the "VM File Reading" vulnerability. CVE-2000-0163 DESCRIPTION: asmon and ascpu in FreeBSD allow local users to gain root privileges via a configuration file. CVE-2000-0164 DESCRIPTION: The installation of Sun Internet Mail Server (SIMS) creates a world-readable file that allows local users to obtain passwords. CVE-2000-0165 DESCRIPTION: The Delegate application proxy has several buffer overflows which allow a remote attacker to execute commands. CVE-2000-0166 DESCRIPTION: Buffer overflow in the InterAccess telnet server TelnetD allows remote attackers to execute commands via a long login name. CVE-2000-0167 DESCRIPTION: IIS Inetinfo.exe allows local users to cause a denial of service by creating a mail file with a long name and a .txt.eml extension in the pickup directory. CVE-2000-0168 DESCRIPTION: Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the "DOS Device in Path Name" vulnerability. CVE-2000-0169 DESCRIPTION: Batch files in the Oracle web listener ows-bin directory allow remote attackers to execute commands via a malformed URL that includes '?&'. CVE-2000-0170 DESCRIPTION: Buffer overflow in the man program in Linux allows local users to gain privileges via the MANPAGER environmental variable. CVE-2000-0171 DESCRIPTION: atsadc in the atsar package for Linux does not properly check the permissions of an output file, which allows local users to gain root privileges. CVE-2000-0172 DESCRIPTION: The mtr program only uses a seteuid call when attempting to drop privileges, which could allow local users to gain root privileges. CVE-2000-0173 DESCRIPTION: Vulnerability in the EELS system in SCO UnixWare 7.1.x allows remote attackers to cause a denial of service. CVE-2000-0174 DESCRIPTION: StarOffice StarScheduler web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0175 DESCRIPTION: Buffer overflow in StarOffice StarScheduler web server allows remote attackers to gain root access via a long GET command. CVE-2000-0176 DESCRIPTION: The default configuration of Serv-U 2.5d and earlier allows remote attackers to determine the real pathname of the server by requesting a URL for a directory or file that does not exist. CVE-2000-0177 DESCRIPTION: DNSTools CGI applications allow remote attackers to execute arbitrary commands via shell metacharacters. CVE-2000-0178 DESCRIPTION: ServerIron switches by Foundry Networks have predictable TCP/IP sequence numbers, which allows remote attackers to spoof or hijack sessions. CVE-2000-0179 DESCRIPTION: HP OpenView OmniBack 2.55 allows remote attackers to cause a denial of service via a large number of connections to port 5555. CVE-2000-0180 DESCRIPTION: Sojourn search engine allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0181 DESCRIPTION: Firewall-1 3.0 and 4.0 leaks packets with private IP address information, which could allow remote attackers to determine the real IP address of the host that is making the connection. CVE-2000-0182 DESCRIPTION: iPlanet Web Server 4.1 allows remote attackers to cause a denial of service via a large number of GET commands, which consumes memory and causes a kernel panic. CVE-2000-0183 DESCRIPTION: Buffer overflow in ircII 4.4 IRC client allows remote attackers to execute commands via the DCC chat capability. CVE-2000-0184 DESCRIPTION: Linux printtool sets the permissions of printer configuration files to be world-readable, which allows local attackers to obtain printer share passwords. CVE-2000-0185 DESCRIPTION: RealMedia RealServer reveals the real IP address of a Real Server, even if the address is supposed to be private. CVE-2000-0186 DESCRIPTION: Buffer overflow in the dump utility in the Linux ext2fs backup package allows local users to gain privileges via a long command line argument. CVE-2000-0187 DESCRIPTION: EZShopper 3.0 loadpage.cgi CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack or execute commands via shell metacharacters. CVE-2000-0188 DESCRIPTION: EZShopper 3.0 search.cgi CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack or execute commands via shell metacharacters. CVE-2000-0189 DESCRIPTION: ColdFusion Server 4.x allows remote attackers to determine the real pathname of the server via an HTTP request to the application.cfm or onrequestend.cfm files. CVE-2000-0190 DESCRIPTION: AOL Instant Messenger (AIM) client allows remote attackers to cause a denial of service via a message with a malformed ASCII value. CVE-2000-0191 DESCRIPTION: Axis StorPoint CD allows remote attackers to access administrator URLs without authentication via a .. (dot dot) attack. CVE-2000-0192 DESCRIPTION: The default installation of Caldera OpenLinux 2.3 includes the CGI program rpm_query, which allows remote attackers to determine what packages are installed on the system. CVE-2000-0193 DESCRIPTION: The default configuration of Dosemu in Corel Linux 1.0 allows local users to execute the system.com program and gain privileges. CVE-2000-0194 DESCRIPTION: buildxconf in Corel Linux allows local users to modify or create arbitrary files via the -x or -f parameters. CVE-2000-0195 DESCRIPTION: setxconf in Corel Linux allows local users to gain root access via the -T parameter, which executes the user's .xserverrc file. CVE-2000-0196 DESCRIPTION: Buffer overflow in mhshow in the Linux nmh package allows remote attackers to execute commands via malformed MIME headers in an email message. CVE-2000-0197 DESCRIPTION: The Windows NT scheduler uses the drive mapping of the interactive user who is currently logged onto the system, which allows the local user to gain privileges by providing a Trojan horse batch file in place of the original batch file. CVE-2000-0198 DESCRIPTION: Buffer overflow in POP3 and IMAP servers in the MERCUR mail server suite allows remote attackers to cause a denial of service. CVE-2000-0199 DESCRIPTION: When a new SQL Server is registered in Enterprise Manager for Microsoft SQL Server 7.0 and the "Always prompt for login name and password" option is not set, then the Enterprise Manager uses weak encryption to store the login ID and password. CVE-2000-0200 DESCRIPTION: Buffer overflow in Microsoft Clip Art Gallery allows remote attackers to cause a denial of service or execute commands via a malformed CIL (clip art library) file, aka the "Clip Art Buffer Overrun" vulnerability. CVE-2000-0201 DESCRIPTION: The window.showHelp() method in Internet Explorer 5.x does not restrict HTML help files (.chm) to be executed from the local host, which allows remote attackers to execute arbitrary commands via Microsoft Networking. CVE-2000-0202 DESCRIPTION: Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 allow remote attackers to gain privileges via a malformed Select statement in an SQL query. CVE-2000-0203 DESCRIPTION: The Trend Micro OfficeScan client tmlisten.exe allows remote attackers to cause a denial of service via malformed data to port 12345. CVE-2000-0204 DESCRIPTION: The Trend Micro OfficeScan client allows remote attackers to cause a denial of service by making 5 connections to port 12345, which raises CPU utilization to 100%. CVE-2000-0205 DESCRIPTION: Trend Micro OfficeScan allows remote attackers to replay administrative commands and modify the configuration of OfficeScan clients. CVE-2000-0206 DESCRIPTION: The installation of Oracle 8.1.5.x on Linux follows symlinks and creates the orainstRoot.sh file with world-writeable permissions, which allows local users to gain privileges. CVE-2000-0207 DESCRIPTION: SGI InfoSearch CGI program infosrch.cgi allows remote attackers to execute commands via shell metacharacters. CVE-2000-0208 DESCRIPTION: The htdig (ht://Dig) CGI program htsearch allows remote attackers to read arbitrary files by enclosing the file name with backticks (`) in parameters to htsearch. CVE-2000-0209 DESCRIPTION: Buffer overflow in Lynx 2.x allows remote attackers to crash Lynx and possibly execute commands via a long URL in a malicious web page. CVE-2000-0210 DESCRIPTION: The lit program in Sun Flex License Manager (FlexLM) follows symlinks, which allows local users to modify arbitrary files. CVE-2000-0211 DESCRIPTION: The Windows Media server allows remote attackers to cause a denial of service via a series of client handshake packets that are sent in an improper sequence, aka the "Misordered Windows Media Services Handshake" vulnerability. CVE-2000-0212 DESCRIPTION: InterAccess TelnetD Server 4.0 allows remote attackers to conduct a denial of service via malformed terminal client configuration information. CVE-2000-0213 DESCRIPTION: The Sambar server includes batch files ECHO.BAT and HELLO.BAT in the CGI directory, which allow remote attackers to execute commands via shell metacharacters. CVE-2000-0214 DESCRIPTION: FTP Explorer uses weak encryption for storing the username, password, and profile of FTP sites. CVE-2000-0215 DESCRIPTION: Vulnerability in SCO cu program in UnixWare 7.x allows local users to gain privileges. CVE-2000-0216 DESCRIPTION: Microsoft email clients in Outlook, Exchange, and Windows Messaging automatically respond to Read Receipt and Delivery Receipt tags, which could allow an attacker to flood a mail system with responses by forging a Read Receipt request that is redirected to a large distribution list. CVE-2000-0217 DESCRIPTION: The default configuration of SSH allows X forwarding, which could allow a remote attacker to control a client's X sessions via a malicious xauth program. CVE-2000-0218 DESCRIPTION: Buffer overflow in Linux mount and umount allows local users to gain root privileges via a long relative pathname. CVE-2000-0219 DESCRIPTION: Red Hat 6.0 allows local users to gain root access by booting single user and hitting ^C at the password prompt. CVE-2000-0220 DESCRIPTION: ZoneAlarm sends sensitive system and network information in cleartext to the Zone Labs server if a user requests more information about an event. CVE-2000-0221 DESCRIPTION: The Nautica Marlin bridge allows remote attackers to cause a denial of service via a zero length UDP packet to the SNMP port. CVE-2000-0222 DESCRIPTION: The installation for Windows 2000 does not activate the Administrator password until the system has rebooted, which allows remote attackers to connect to the ADMIN$ share without a password until the reboot occurs. CVE-2000-0223 DESCRIPTION: Buffer overflow in the wmcdplay CD player program for the WindowMaker desktop allows local users to gain root privileges via a long parameter. CVE-2000-0224 DESCRIPTION: ARCserve agent in SCO UnixWare 7.x allows local attackers to gain root privileges via a symlink attack. CVE-2000-0225 DESCRIPTION: The Pocsag POC32 program does not properly prevent remote users from accessing its server port, even if the option has been disabled. CVE-2000-0226 DESCRIPTION: IIS 4.0 allows attackers to cause a denial of service by requesting a large buffer in a POST or PUT command which consumes memory, aka the "Chunked Transfer Encoding Buffer Overflow Vulnerability." CVE-2000-0227 DESCRIPTION: The Linux 2.2.x kernel does not restrict the number of Unix domain sockets as defined by the wmem_max parameter, which allows local users to cause a denial of service by requesting a large number of sockets. CVE-2000-0228 DESCRIPTION: Microsoft Windows Media License Manager allows remote attackers to cause a denial of service by sending a malformed request that causes the manager to halt, aka the "Malformed Media License Request" Vulnerability. CVE-2000-0229 DESCRIPTION: gpm-root in the gpm package does not properly drop privileges, which allows local users to gain privileges by starting a utility from gpm-root. CVE-2000-0230 DESCRIPTION: Buffer overflow in imwheel allows local users to gain root privileges via the imwheel-solo script and a long HOME environmental variable. CVE-2000-0231 DESCRIPTION: Linux kreatecd trusts a user-supplied path that is used to find the cdrecord program, allowing local users to gain root privileges. CVE-2000-0232 DESCRIPTION: Microsoft TCP/IP Printing Services, aka Print Services for Unix, allows an attacker to cause a denial of service via a malformed TCP/IP print request. CVE-2000-0233 DESCRIPTION: SuSE Linux IMAP server allows remote attackers to bypass IMAP authentication and gain privileges. CVE-2000-0234 DESCRIPTION: The default configuration of Cobalt RaQ2 and RaQ3 as specified in access.conf allows remote attackers to view sensitive contents of a .htaccess file. CVE-2000-0235 DESCRIPTION: Buffer overflow in the huh program in the orville-write package allows local users to gain root privileges. CVE-2000-0236 DESCRIPTION: Netscape Enterprise Server with Directory Indexing enabled allows remote attackers to list server directories via web publishing tags such as ?wp-ver-info and ?wp-cs-dump. CVE-2000-0237 DESCRIPTION: Netscape Enterprise Server with Web Publishing enabled allows remote attackers to list arbitrary directories via a GET request for the /publisher directory, which provides a Java applet that allows the attacker to browse the directories. CVE-2000-0238 DESCRIPTION: Buffer overflow in the web server for Norton AntiVirus for Internet Email Gateways allows remote attackers to cause a denial of service via a long URL. CVE-2000-0239 DESCRIPTION: Buffer overflow in the MERCUR WebView WebMail server allows remote attackers to cause a denial of service via a long mail_user parameter in the GET request. CVE-2000-0240 DESCRIPTION: vqSoft vqServer program allows remote attackers to read arbitrary files via a /........../ in the URL, a variation of a .. (dot dot) attack. CVE-2000-0241 DESCRIPTION: vqSoft vqServer stores sensitive information such as passwords in cleartext in the server.cfg file, which allows attackers to gain privileges. CVE-2000-0242 DESCRIPTION: WindMail allows remote attackers to read arbitrary files or execute commands via shell metacharacters. CVE-2000-0243 DESCRIPTION: AnalogX SimpleServer:WWW HTTP server 1.03 allows remote attackers to cause a denial of service via a short GET request to cgi-bin. CVE-2000-0244 DESCRIPTION: The Citrix ICA (Independent Computing Architecture) protocol uses weak encryption (XOR) for user authentication. CVE-2000-0245 DESCRIPTION: Vulnerability in SGI IRIX objectserver daemon allows remote attackers to create user accounts. CVE-2000-0246 DESCRIPTION: IIS 4.0 and 5.0 does not properly perform ISAPI extension processing if a virtual directory is mapped to a UNC share, which allows remote attackers to read the source code of ASP and other files, aka the "Virtualized UNC Share" vulnerability. CVE-2000-0247 DESCRIPTION: Unknown vulnerability in Generic-NQS (GNQS) allows local users to gain root privileges. CVE-2000-0248 DESCRIPTION: The web GUI for the Linux Virtual Server (LVS) software in the Red Hat Linux Piranha package has a backdoor password that allows remote attackers to execute arbitrary commands. CVE-2000-0249 DESCRIPTION: The AIX Fast Response Cache Accelerator (FRCA) allows local users to modify arbitrary files via the configuration capability in the frcactrl program. CVE-2000-0250 DESCRIPTION: The crypt function in QNX uses weak encryption, which allows local users to decrypt passwords. CVE-2000-0251 DESCRIPTION: HP-UX 11.04 VirtualVault (VVOS) sends data to unprivileged processes via an interface that has multiple aliased IP addresses. CVE-2000-0252 DESCRIPTION: The dansie shopping cart application cart.pl allows remote attackers to execute commands via a shell metacharacters in a form variable. CVE-2000-0253 DESCRIPTION: The dansie shopping cart application cart.pl allows remote attackers to modify sensitive purchase information via hidden form fields. CVE-2000-0254 DESCRIPTION: The dansie shopping cart application cart.pl allows remote attackers to obtain the shopping cart database and configuration information via a URL that references either the env, db, or vars form variables. CVE-2000-0255 DESCRIPTION: The Nbase-Xyplex EdgeBlaster router allows remote attackers to cause a denial of service via a scan for the FormMail CGI program. CVE-2000-0256 DESCRIPTION: Buffer overflows in htimage.exe and Imagemap.exe in FrontPage 97 and 98 Server Extensions allow a user to conduct activities that are not otherwise available through the web site, aka the "Server-Side Image Map Components" vulnerability. CVE-2000-0257 DESCRIPTION: Buffer overflow in the NetWare remote web administration utility allows remote attackers to cause a denial of service or execute commands via a long URL. CVE-2000-0258 DESCRIPTION: IIS 4.0 and 5.0 allows remote attackers to cause a denial of service by sending many URLs with a large number of escaped characters, aka the "Myriad Escaped Characters" Vulnerability. CVE-2000-0259 DESCRIPTION: The default permissions for the Cryptography\Offload registry key used by the OffloadModExpo in Windows NT 4.0 allows local users to obtain compromise the cryptographic keys of other users. CVE-2000-0260 DESCRIPTION: Buffer overflow in the dvwssr.dll DLL in Microsoft Visual Interdev 1.0 allows users to cause a denial of service or execute commands, aka the "Link View Server-Side Component" vulnerability. CVE-2000-0261 DESCRIPTION: The AVM KEN! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0262 DESCRIPTION: The AVM KEN! ISDN Proxy server allows remote attackers to cause a denial of service via a malformed request. CVE-2000-0263 DESCRIPTION: The X font server xfs in Red Hat Linux 6.x allows an attacker to cause a denial of service via a malformed request. CVE-2000-0264 DESCRIPTION: Panda Security 3.0 with registry editing disabled allows users to edit the registry and gain privileges by directly executing a .reg file or using other methods. CVE-2000-0265 DESCRIPTION: Panda Security 3.0 allows users to uninstall the Panda software via its Add/Remove Programs applet. CVE-2000-0266 DESCRIPTION: Internet Explorer 5.01 allows remote attackers to bypass the cross frame security policy via a malicious applet that interacts with the Java JSObject to modify the DOM properties to set the IFRAME to an arbitrary Javascript URL. CVE-2000-0267 DESCRIPTION: Cisco Catalyst 5.4.x allows a user to gain access to the "enable" mode without a password. CVE-2000-0268 DESCRIPTION: Cisco IOS 11.x and 12.x allows remote attackers to cause a denial of service by sending the ENVIRON option to the Telnet daemon before it is ready to accept it, which causes the system to reboot. CVE-2000-0269 DESCRIPTION: Emacs 20 does not properly set permissions for a slave PTY device when starting a new subprocess, which allows local users to read or modify communications between Emacs and the subprocess. CVE-2000-0270 DESCRIPTION: The make-temp-name Lisp function in Emacs 20 creates temporary files with predictable names, which allows attackers to conduct a symlink attack. CVE-2000-0271 DESCRIPTION: read-passwd and other Lisp functions in Emacs 20 do not properly clear the history of recently typed keys, which allows an attacker to read unencrypted passwords. CVE-2000-0272 DESCRIPTION: RealNetworks RealServer allows remote attackers to cause a denial of service by sending malformed input to the server at port 7070. CVE-2000-0273 DESCRIPTION: PCAnywhere allows remote attackers to cause a denial of service by terminating the connection before PCAnywhere provides a login prompt. CVE-2000-0274 DESCRIPTION: The Linux trustees kernel patch allows attackers to cause a denial of service by accessing a file or directory with a long name. CVE-2000-0275 DESCRIPTION: CRYPTOCard CryptoAdmin for PalmOS uses weak encryption to store a user's PIN number, which allows an attacker with access to the .PDB file to generate valid PT-1 tokens after cracking the PIN. CVE-2000-0276 DESCRIPTION: BeOS 4.5 and 5.0 allow local users to cause a denial of service via malformed direct system calls using interrupt 37. CVE-2000-0277 DESCRIPTION: Microsoft Excel 97 and 2000 does not warn the user when executing Excel Macro Language (XLM) macros in external text files, which could allow an attacker to execute a macro virus, aka the "XLM Text Macro" vulnerability. CVE-2000-0278 DESCRIPTION: The SalesLogix Eviewer allows remote attackers to cause a denial of service by accessing the URL for the slxweb.dll administration program, which does not authenticate the user. CVE-2000-0279 DESCRIPTION: BeOS allows remote attackers to cause a denial of service via malformed packets whose length field is less than the length of the headers. CVE-2000-0280 DESCRIPTION: Buffer overflow in the RealNetworks RealPlayer client versions 6 and 7 allows remote attackers to cause a denial of service via a long Location URL. CVE-2000-0281 DESCRIPTION: Buffer overflow in the Napster client beta 5 allows remote attackers to cause a denial of service via a long message. CVE-2000-0282 DESCRIPTION: TalentSoft webpsvr daemon in the Web+ shopping cart application allows remote attackers to read arbitrary files via a .. (dot dot) attack on the webplus CGI program. CVE-2000-0283 DESCRIPTION: The default installation of IRIX Performance Copilot allows remote attackers to access sensitive system information via the pmcd daemon. CVE-2000-0284 DESCRIPTION: Buffer overflow in University of Washington imapd version 4.7 allows users with a valid account to execute commands via LIST or other commands. CVE-2000-0285 DESCRIPTION: Buffer overflow in XFree86 3.3.x allows local users to execute arbitrary commands via a long -xkbmap parameter. CVE-2000-0286 DESCRIPTION: X fontserver xfs allows local users to cause a denial of service via malformed input to the server. CVE-2000-0287 DESCRIPTION: The BizDB CGI script bizdb-search.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the dbname parameter. CVE-2000-0288 DESCRIPTION: Infonautics getdoc.cgi allows remote attackers to bypass the payment phase for accessing documents via a modified form variable. CVE-2000-0289 DESCRIPTION: IP masquerading in Linux 2.2.x allows remote attackers to route UDP packets through the internal interface by modifying the external source IP address and port number to match those of an established connection. CVE-2000-0290 DESCRIPTION: Buffer overflow in Webstar HTTP server allows remote attackers to cause a denial of service via a long GET request. CVE-2000-0291 DESCRIPTION: Buffer overflow in Star Office 5.1 allows attackers to cause a denial of service by embedding a long URL within a document. CVE-2000-0292 DESCRIPTION: The Adtran MX2800 M13 Multiplexer allows remote attackers to cause a denial of service via a ping flood to the Ethernet interface, which causes the device to crash. CVE-2000-0293 DESCRIPTION: aaa_base in SuSE Linux 6.3, and cron.daily in earlier versions, allow local users to delete arbitrary files by creating files whose names include spaces, which are then incorrectly interpreted by aaa_base when it deletes expired files from the /tmp directory. CVE-2000-0294 DESCRIPTION: Buffer overflow in healthd for FreeBSD allows local users to gain root privileges. CVE-2000-0295 DESCRIPTION: Buffer overflow in LCDproc allows remote attackers to gain root privileges via the screen_add command. CVE-2000-0296 DESCRIPTION: fcheck allows local users to gain privileges by embedding shell metacharacters into file names that are processed by fcheck. CVE-2000-0297 DESCRIPTION: Allaire Forums 2.0.5 allows remote attackers to bypass access restrictions to secure conferences via the rightAccessAllForums or rightModerateAllForums variables. CVE-2000-0298 DESCRIPTION: The unattended installation of Windows 2000 with the OEMPreinstall option sets insecure permissions for the All Users and Default Users directories. CVE-2000-0299 DESCRIPTION: Buffer overflow in WebObjects.exe in the WebObjects Developer 4.5 package allows remote attackers to cause a denial of service via an HTTP request with long headers such as Accept. CVE-2000-0300 DESCRIPTION: The default encryption method of PcAnywhere 9.x uses weak encryption, which allows remote attackers to sniff and decrypt PcAnywhere or NT domain accounts. CVE-2000-0301 DESCRIPTION: Ipswitch IMAIL server 6.02 and earlier allows remote attackers to cause a denial of service via the AUTH CRAM-MD5 command. CVE-2000-0302 DESCRIPTION: Microsoft Index Server allows remote attackers to view the source code of ASP files by appending a %20 to the filename in the CiWebHitsFile argument to the null.htw URL. CVE-2000-0303 DESCRIPTION: Quake3 Arena allows malicious server operators to read or modify files on a client via a dot dot (..) attack. CVE-2000-0304 DESCRIPTION: Microsoft IIS 4.0 and 5.0 with the IISADMPWD virtual directory installed allows a remote attacker to cause a denial of service via a malformed request to the inetinfo.exe program, aka the "Undelimited .HTR Request" vulnerability. CVE-2000-0305 DESCRIPTION: Windows 95, Windows 98, Windows 2000, Windows NT 4.0, and Terminal Server systems allow a remote attacker to cause a denial of service by sending a large number of identical fragmented IP packets, aka jolt2 or the "IP Fragment Reassembly" vulnerability. CVE-2000-0306 DESCRIPTION: Buffer overflow in calserver in SCO OpenServer allows remote attackers to gain root access via a long message. CVE-2000-0307 DESCRIPTION: Vulnerability in xserver in SCO UnixWare 2.1.x and OpenServer 5.05 and earlier allows an attacker to cause a denial of service which prevents access to reserved port numbers below 1024. CVE-2000-0308 DESCRIPTION: Insecure file permissions for Netscape FastTrack Server 2.x, Enterprise Server 2.0, and Proxy Server 2.5 in SCO UnixWare 7.0.x and 2.1.3 allow an attacker to gain root privileges. CVE-2000-0309 DESCRIPTION: The i386 trace-trap handling in OpenBSD 2.4 with DDB enabled allows a local user to cause a denial of service. CVE-2000-0310 DESCRIPTION: IP fragment assembly in OpenBSD 2.4 allows a remote attacker to cause a denial of service by sending a large number of fragmented packets. CVE-2000-0311 DESCRIPTION: The Windows 2000 domain controller allows a malicious user to modify Active Directory information by modifying an unprotected attribute, aka the "Mixed Object Access" vulnerability. CVE-2000-0312 DESCRIPTION: cron in OpenBSD 2.5 allows local users to gain root privileges via an argv[] that is not NULL terminated, which is passed to cron's fake popen function. CVE-2000-0313 DESCRIPTION: Vulnerability in OpenBSD 2.6 allows a local user to change interface media configurations. CVE-2000-0314 DESCRIPTION: traceroute in NetBSD 1.3.3 and Linux systems allows local users to flood other systems by providing traceroute with a large waittime (-w) option, which is not parsed properly and sets the time delay for sending packets to zero. CVE-2000-0315 DESCRIPTION: traceroute in NetBSD 1.3.3 and Linux systems allows local unprivileged users to modify the source address of the packets, which could be used in spoofing attacks. CVE-2000-0316 DESCRIPTION: Buffer overflow in Solaris 7 lp allows local users to gain root privileges via a long -d option. CVE-2000-0317 DESCRIPTION: Buffer overflow in Solaris 7 lpset allows local users to gain root privileges via a long -r option. CVE-2000-0318 DESCRIPTION: Atrium Mercur Mail Server 3.2 allows local attackers to read other user's email and create arbitrary files via a dot dot (..) attack. CVE-2000-0319 DESCRIPTION: mail.local in Sendmail 8.10.x does not properly identify the .\n string which identifies the end of message text, which allows a remote attacker to cause a denial of service or corrupt mailboxes via a message line that is 2047 characters long and ends in .\n. CVE-2000-0320 DESCRIPTION: Qpopper 2.53 and 3.0 does not properly identify the \n string which identifies the end of message text, which allows a remote attacker to cause a denial of service or corrupt mailboxes via a message line that is 1023 characters long and ends in \n. CVE-2000-0321 DESCRIPTION: Buffer overflow in IC Radius package allows a remote attacker to cause a denial of service via a long user name. CVE-2000-0322 DESCRIPTION: The passwd.php3 CGI script in the Red Hat Piranha Virtual Server Package allows local users to execute arbitrary commands via shell metacharacters. CVE-2000-0323 DESCRIPTION: The Microsoft Jet database engine allows an attacker to modify text files via a database query, aka the "Text I-ISAM" vulnerability. CVE-2000-0324 DESCRIPTION: pcAnywhere 8.x and 9.0 allows remote attackers to cause a denial of service via a TCP SYN scan, e.g. by nmap. CVE-2000-0325 DESCRIPTION: The Microsoft Jet database engine allows an attacker to execute commands via a database query, aka the "VBA Shell" vulnerability. CVE-2000-0326 DESCRIPTION: Meeting Maker uses weak encryption (a polyalphabetic substitution cipher) for passwords, which allows remote attackers to sniff and decrypt passwords for Meeting Maker accounts. CVE-2000-0327 DESCRIPTION: Microsoft Virtual Machine (VM) allows remote attackers to escape the Java sandbox and execute commands via an applet containing an illegal cast operation, aka the "Virtual Machine Verifier" vulnerability. CVE-2000-0328 DESCRIPTION: Windows NT 4.0 generates predictable random TCP initial sequence numbers (ISN), which allows remote attackers to perform spoofing and session hijacking. CVE-2000-0329 DESCRIPTION: A Microsoft ActiveX control allows a remote attacker to execute a malicious cabinet file via an attachment and an embedded script in an HTML mail, aka the "Active Setup Control" vulnerability. CVE-2000-0330 DESCRIPTION: The networking software in Windows 95 and Windows 98 allows remote attackers to execute commands via a long file name string, aka the "File Access URL" vulnerability. CVE-2000-0331 DESCRIPTION: Buffer overflow in Microsoft command processor (CMD.EXE) for Windows NT and Windows 2000 allows a local user to cause a denial of service via a long environment variable, aka the "Malformed Environment Variable" vulnerability. CVE-2000-0332 DESCRIPTION: UltraBoard.pl or UltraBoard.cgi CGI scripts in UltraBoard 1.6 allows remote attackers to read arbitrary files via a pathname string that includes a dot dot (..) and ends with a null byte. CVE-2000-0333 DESCRIPTION: tcpdump, Ethereal, and other sniffer packages allow remote attackers to cause a denial of service via malformed DNS packets in which a jump offset refers to itself, which causes tcpdump to enter an infinite loop while decompressing the packet. CVE-2000-0334 DESCRIPTION: The Allaire Spectra container editor preview tool does not properly enforce object security, which allows an attacker to conduct unauthorized activities via an object-method that is added to the container object with a publishing rule. CVE-2000-0335 DESCRIPTION: The resolver in glibc 2.1.3 uses predictable IDs, which allows a local attacker to spoof DNS query results. CVE-2000-0336 DESCRIPTION: Linux OpenLDAP server allows local users to modify arbitrary files via a symlink attack. CVE-2000-0337 DESCRIPTION: Buffer overflow in Xsun X server in Solaris 7 allows local users to gain root privileges via a long -dev parameter. CVE-2000-0338 DESCRIPTION: Concurrent Versions Software (CVS) uses predictable temporary file names for locking, which allows local users to cause a denial of service by creating the lock directory before it is created for use by a legitimate CVS user. CVE-2000-0339 DESCRIPTION: ZoneAlarm 2.1.10 and earlier does not filter UDP packets with a source port of 67, which allows remote attackers to bypass the firewall rules. CVE-2000-0340 DESCRIPTION: Buffer overflow in Gnomelib in SuSE Linux 6.3 allows local users to execute arbitrary commands via the DISPLAY environmental variable. CVE-2000-0341 DESCRIPTION: ATRIUM Cassandra NNTP Server 1.10 allows remote attackers to cause a denial of service via a long login name. CVE-2000-0342 DESCRIPTION: Eudora 4.x allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment." CVE-2000-0343 DESCRIPTION: Buffer overflow in Sniffit 0.3.x with the -L logging option enabled allows remote attackers to execute arbitrary commands via a long MAIL FROM mail header. CVE-2000-0344 DESCRIPTION: The knfsd NFS server in Linux kernel 2.2.x allows remote attackers to cause a denial of service via a negative size value. CVE-2000-0345 DESCRIPTION: The on-line help system options in Cisco routers allows non-privileged users without "enabled" access to obtain sensitive information via the show command. CVE-2000-0346 DESCRIPTION: AppleShare IP 6.1 and later allows a remote attacker to read potentially sensitive information via an invalid range request to the web server. CVE-2000-0347 DESCRIPTION: Windows 95 and Windows 98 allow a remote attacker to cause a denial of service via a NetBIOS session request packet with a NULL source name. CVE-2000-0348 DESCRIPTION: A vulnerability in the Sendmail configuration file sendmail.cf as installed in SCO UnixWare 7.1.0 and earlier allows an attacker to gain root privileges. CVE-2000-0349 DESCRIPTION: Vulnerability in the passthru driver in SCO UnixWare 7.1.0 allows an attacker to cause a denial of service. CVE-2000-0350 DESCRIPTION: A debugging feature in NetworkICE ICEcap 2.0.23 and earlier is enabled, which allows a remote attacker to bypass the weak authentication and post unencrypted events. CVE-2000-0351 DESCRIPTION: Some packaging commands in SCO UnixWare 7.1.0 have insecure privileges, which allows local users to add or remove software packages. CVE-2000-0352 DESCRIPTION: Pine before version 4.21 does not properly filter shell metacharacters from URLs, which allows remote attackers to execute arbitrary commands via a malformed URL. CVE-2000-0353 DESCRIPTION: Pine 4.x allows a remote attacker to execute arbitrary commands via an index.html file which executes lynx and obtains a uudecoded file from a malicious web server, which is then executed by Pine. CVE-2000-0354 DESCRIPTION: mirror 2.8.x in Linux systems allows remote attackers to create files one level above the local target directory. CVE-2000-0355 DESCRIPTION: pg and pb in SuSE pbpg 1.x package allows an attacker to read arbitrary files. CVE-2000-0356 DESCRIPTION: Pluggable Authentication Modules (PAM) in Red Hat Linux 6.1 does not properly lock access to disabled NIS accounts. CVE-2000-0357 DESCRIPTION: ORBit and esound in Red Hat Linux 6.1 do not use sufficiently random numbers, which allows local users to guess the authentication keys. CVE-2000-0358 DESCRIPTION: ORBit and gnome-session in Red Hat Linux 6.1 allows remote attackers to crash a program. CVE-2000-0359 DESCRIPTION: Buffer overflow in Trivial HTTP (THTTPd) allows remote attackers to cause a denial of service or execute arbitrary commands via a long If-Modified-Since header. CVE-2000-0360 DESCRIPTION: Buffer overflow in INN 2.2.1 and earlier allows remote attackers to cause a denial of service via a maliciously formatted article. CVE-2000-0361 DESCRIPTION: The PPP wvdial.lxdialog script in wvdial 1.4 and earlier creates a .config file with world readable permissions, which allows a local attacker in the dialout group to access login and password information. CVE-2000-0362 DESCRIPTION: Buffer overflows in Linux cdwtools 093 and earlier allows local users to gain root privileges. CVE-2000-0363 DESCRIPTION: Linux cdwtools 093 and earlier allows local users to gain root privileges via the /tmp directory. CVE-2000-0364 DESCRIPTION: screen and rxvt in Red Hat Linux 6.0 do not properly set the modes of tty devices, which allows local users to write to other ttys. CVE-2000-0365 DESCRIPTION: Red Hat Linux 6.0 installs the /dev/pts file system with insecure modes, which allows local users to write to other tty devices. CVE-2000-0366 DESCRIPTION: dump in Debian GNU/Linux 2.1 does not properly restore symlinks, which allows a local user to modify the ownership of arbitrary files. CVE-2000-0367 DESCRIPTION: Vulnerability in eterm 0.8.8 in Debian GNU/Linux allows an attacker to gain root privileges. CVE-2000-0368 DESCRIPTION: Classic Cisco IOS 9.1 and later allows attackers with access to the login prompt to obtain portions of the command history of previous users, which may allow the attacker to access sensitive data. CVE-2000-0369 DESCRIPTION: The IDENT server in Caldera Linux 2.3 creates multiple threads for each IDENT request, which allows remote attackers to cause a denial of service. CVE-2000-0370 DESCRIPTION: The debug option in Caldera Linux smail allows remote attackers to execute commands via shell metacharacters in the -D option for the rmail command. CVE-2000-0371 DESCRIPTION: The libmediatool library used for the KDE mediatool allows local users to create arbitrary files via a symlink attack. CVE-2000-0372 DESCRIPTION: Vulnerability in Caldera rmt command in the dump package 0.4b4 allows a local user to gain root privileges. CVE-2000-0373 DESCRIPTION: Vulnerabilities in the KDE kvt terminal program allow local users to gain root privileges. CVE-2000-0374 DESCRIPTION: The default configuration of kdm in Caldera and Mandrake Linux, and possibly other distributions, allows XDMCP connections from any host, which allows remote attackers to obtain sensitive information or bypass additional access restrictions. CVE-2000-0375 DESCRIPTION: The kernel in FreeBSD 3.2 follows symbolic links when it creates core dump files, which allows local attackers to modify arbitrary files. CVE-2000-0376 DESCRIPTION: Buffer overflow in the HTTP proxy server for the i-drive Filo software allows remote attackers to execute arbitrary commands via a long HTTP GET request. CVE-2000-0377 DESCRIPTION: The Remote Registry server in Windows NT 4.0 allows local authenticated users to cause a denial of service via a malformed request, which causes the winlogon process to fail, aka the "Remote Registry Access Authentication" vulnerability. CVE-2000-0378 DESCRIPTION: The pam_console PAM module in Linux systems performs a chown on various devices upon a user login, but an open file descriptor for those devices can be maintained after the user logs out, which allows that user to sniff activity on these devices when subsequent users log in. CVE-2000-0379 DESCRIPTION: The Netopia R9100 router does not prevent authenticated users from modifying SNMP tables, even if the administrator has configured it to do so. CVE-2000-0380 DESCRIPTION: The IOS HTTP service in Cisco routers and switches running IOS 11.1 through 12.1 allows remote attackers to cause a denial of service by requesting a URL that contains a %% string. CVE-2000-0381 DESCRIPTION: The Gossamer Threads DBMan db.cgi CGI script allows remote attackers to view environmental variables and setup information by referencing a non-existing database in the db parameter. CVE-2000-0382 DESCRIPTION: ColdFusion ClusterCATS appends stale query string arguments to a URL during HTML redirection, which may provide sensitive information to the redirected site. CVE-2000-0383 DESCRIPTION: The file transfer component of AOL Instant Messenger (AIM) reveals the physical path of the transferred file to the remote recipient. CVE-2000-0384 DESCRIPTION: NetStructure 7110 and 7180 have undocumented accounts (servnow, root, and wizard) whose passwords are easily guessable from the NetStructure's MAC address, which could allow remote attackers to gain root access. CVE-2000-0385 DESCRIPTION: FileMaker Pro 5 Web Companion allows remote attackers to bypass Field-Level database security restrictions via the XML publishing or email capabilities. CVE-2000-0386 DESCRIPTION: FileMaker Pro 5 Web Companion allows remote attackers to send anonymous or forged email. CVE-2000-0387 DESCRIPTION: The makelev program in the golddig game from the FreeBSD ports collection allows local users to overwrite arbitrary files. CVE-2000-0388 DESCRIPTION: Buffer overflow in FreeBSD libmytinfo library allows local users to execute commands via a long TERMCAP environmental variable. CVE-2000-0389 DESCRIPTION: Buffer overflow in krb_rd_req function in Kerberos 4 and 5 allows remote attackers to gain root privileges. CVE-2000-0390 DESCRIPTION: Buffer overflow in krb425_conv_principal function in Kerberos 5 allows remote attackers to gain root privileges. CVE-2000-0391 DESCRIPTION: Buffer overflow in krshd in Kerberos 5 allows remote attackers to gain root privileges. CVE-2000-0392 DESCRIPTION: Buffer overflow in ksu in Kerberos 5 allows local users to gain root privileges. CVE-2000-0393 DESCRIPTION: The KDE kscd program does not drop privileges when executing a program specified in a user's SHELL environmental variable, which allows the user to gain privileges by specifying an alternate program to execute. CVE-2000-0394 DESCRIPTION: NetProwler 3.0 allows remote attackers to cause a denial of service by sending malformed IP packets that trigger NetProwler's Man-in-the-Middle signature. CVE-2000-0395 DESCRIPTION: Buffer overflow in CProxy 3.3 allows remote users to cause a denial of service via a long HTTP request. CVE-2000-0396 DESCRIPTION: The add.exe program in the Carello shopping cart software allows remote attackers to duplicate files on the server, which could allow the attacker to read source code for web scripts such as .ASP files. CVE-2000-0397 DESCRIPTION: The EMURL web-based email account software encodes predictable identifiers in user session URLs, which allows a remote attacker to access a user's email account. CVE-2000-0398 DESCRIPTION: Buffer overflow in wconsole.dll in Rockliffe MailSite Management Agent allows remote attackers to execute arbitrary commands via a long query_string parameter in the HTTP GET request. CVE-2000-0399 DESCRIPTION: Buffer overflow in MDaemon POP server allows remote attackers to cause a denial of service via a long user name. CVE-2000-0400 DESCRIPTION: The Microsoft Active Movie ActiveX Control in Internet Explorer 5 does not restrict which file types can be downloaded, which allows an attacker to download any type of file to a user's system by encoding it within an email message or news post. CVE-2000-0401 DESCRIPTION: Buffer overflows in redirect.exe and changepw.exe in PDGSoft shopping cart allow remote attackers to execute arbitrary commands via a long query string. CVE-2000-0402 DESCRIPTION: The Mixed Mode authentication capability in Microsoft SQL Server 7.0 stores the System Administrator (sa) account in plaintext in a log file which is readable by any user, aka the "SQL Server 7.0 Service Pack Password" vulnerability. CVE-2000-0403 DESCRIPTION: The CIFS Computer Browser service on Windows NT 4.0 allows a remote attacker to cause a denial of service by sending a large number of host announcement requests to the master browse tables, aka the "HostAnnouncement Flooding" or "HostAnnouncement Frame" vulnerability. CVE-2000-0404 DESCRIPTION: The CIFS Computer Browser service allows remote attackers to cause a denial of service by sending a ResetBrowser frame to the Master Browser, aka the "ResetBrowser Frame" vulnerability. CVE-2000-0405 DESCRIPTION: Buffer overflow in L0pht AntiSniff allows remote attackers to execute arbitrary commands via a malformed DNS response packet. CVE-2000-0406 DESCRIPTION: Netscape Communicator before version 4.73 and Navigator 4.07 do not properly validate SSL certificates, which allows remote attackers to steal information by redirecting traffic from a legitimate web server to their own malicious server, aka the "Acros-Suencksen SSL" vulnerability. CVE-2000-0407 DESCRIPTION: Buffer overflow in Solaris netpr program allows local users to execute arbitrary commands via a long -p option. CVE-2000-0408 DESCRIPTION: IIS 4.05 and 5.0 allow remote attackers to cause a denial of service via a long, complex URL that appears to contain a large number of file extensions, aka the "Malformed Extension Data in URL" vulnerability. CVE-2000-0409 DESCRIPTION: Netscape 4.73 and earlier follows symlinks when it imports a new certificate, which allows local users to overwrite files of the user importing the certificate. CVE-2000-0410 DESCRIPTION: ColdFusion Server 4.5.1 allows remote attackers to cause a denial of service by making repeated requests to a CFCACHE tagged cache file that is not stored in memory. CVE-2000-0411 DESCRIPTION: Matt Wright's FormMail CGI script allows remote attackers to obtain environmental variables via the env_report parameter. CVE-2000-0412 DESCRIPTION: The gnapster and knapster clients for Napster do not properly restrict access only to MP3 files, which allows remote attackers to read arbitrary files from the client by specifying the full pathname for the file. CVE-2000-0413 DESCRIPTION: The shtml.exe program in the FrontPage extensions package of IIS 4.0 and 5.0 allows remote attackers to determine the physical path of HTML, HTM, ASP, and SHTML files by requesting a file that does not exist, which generates an error message that reveals the path. CVE-2000-0414 DESCRIPTION: Vulnerability in shutdown command for HP-UX 11.X and 10.X allows allows local users to gain privileges via malformed input variables. CVE-2000-0415 DESCRIPTION: Buffer overflow in Outlook Express 4.x allows attackers to cause a denial of service via a mail or news message that has a .jpg or .bmp attachment with a long file name. CVE-2000-0416 DESCRIPTION: NTMail 5.x allows network users to bypass the NTMail proxy restrictions by redirecting their requests to NTMail's web configuration server. CVE-2000-0417 DESCRIPTION: The HTTP administration interface to the Cayman 3220-H DSL router allows remote attackers to cause a denial of service via a long username or password. CVE-2000-0418 DESCRIPTION: The Cayman 3220-H DSL router allows remote attackers to cause a denial of service via oversized ICMP echo (ping) requests. CVE-2000-0419 DESCRIPTION: The Office 2000 UA ActiveX Control is marked as "safe for scripting," which allows remote attackers to conduct unauthorized activities via the "Show Me" function in Office Help, aka the "Office 2000 UA Control" vulnerability. CVE-2000-0420 DESCRIPTION: The default configuration of SYSKEY in Windows 2000 stores the startup key in the registry, which could allow an attacker tor ecover it and use it to decrypt Encrypted File System (EFS) data. CVE-2000-0421 DESCRIPTION: The process_bug.cgi script in Bugzilla allows remote attackers to execute arbitrary commands via shell metacharacters. CVE-2000-0422 DESCRIPTION: Buffer overflow in Netwin DMailWeb CGI program allows remote attackers to execute arbitrary commands via a long utoken parameter. CVE-2000-0423 DESCRIPTION: Buffer overflow in Netwin DNEWSWEB CGI program allows remote attackers to execute arbitrary commands via long parameters such as group, cmd, and utag. CVE-2000-0424 DESCRIPTION: The CGI counter 4.0.7 by George Burgyan allows remote attackers to execute arbitrary commands via shell metacharacters. CVE-2000-0425 DESCRIPTION: Buffer overflow in the Web Archives component of L-Soft LISTSERV 1.8 allows remote attackers to execute arbitrary commands. CVE-2000-0426 DESCRIPTION: UltraBoard 1.6 and other versions allow remote attackers to cause a denial of service by referencing UltraBoard in the Session parameter, which causes UltraBoard to fork copies of itself. CVE-2000-0427 DESCRIPTION: The Aladdin Knowledge Systems eToken device allows attackers with physical access to the device to obtain sensitive information without knowing the PIN of the owner by resetting the PIN in the EEPROM. CVE-2000-0428 DESCRIPTION: Buffer overflow in the SMTP gateway for InterScan Virus Wall 3.32 and earlier allows a remote attacker to execute arbitrary commands via a long filename for a uuencoded attachment. CVE-2000-0429 DESCRIPTION: A backdoor password in Cart32 3.0 and earlier allows remote attackers to execute arbitrary commands. CVE-2000-0430 DESCRIPTION: Cart32 allows remote attackers to access sensitive debugging information by appending /expdate to the URL request. CVE-2000-0431 DESCRIPTION: Cobalt RaQ2 and RaQ3 does not properly set the access permissions and ownership for files that are uploaded via FrontPage, which allows attackers to bypass cgiwrap and modify files. CVE-2000-0432 DESCRIPTION: The calender.pl and the calendar_admin.pl calendar scripts by Matt Kruse allow remote attackers to execute arbitrary commands via shell metacharacters. CVE-2000-0433 DESCRIPTION: The SuSE aaa_base package installs some system accounts with home directories set to /tmp, which allows local users to gain privileges to those accounts by creating standard user startup scripts such as profiles. CVE-2000-0434 DESCRIPTION: The administrative password for the Allmanage web site administration software is stored in plaintext in a file which could be accessed by remote attackers. CVE-2000-0435 DESCRIPTION: The allmanageup.pl file upload CGI script in the Allmanage Website administration software 2.6 can be called directly by remote attackers, which allows them to modify user accounts or web pages. CVE-2000-0436 DESCRIPTION: MetaProducts Offline Explorer 1.2 and earlier allows remote attackers to access arbitrary files via a .. (dot dot) attack. CVE-2000-0437 DESCRIPTION: Buffer overflow in the CyberPatrol daemon "cyberdaemon" used in gauntlet and WebShield allows remote attackers to cause a denial of service or execute arbitrary commands. CVE-2000-0438 DESCRIPTION: Buffer overflow in fdmount on Linux systems allows local users in the "floppy" group to execute arbitrary commands via a long mountpoint parameter. CVE-2000-0439 DESCRIPTION: Internet Explorer 4.0 and 5.0 allows a malicious web site to obtain client cookies from another domain by including that domain name and escaped characters in a URL, aka the "Unauthorized Cookie Access" vulnerability. CVE-2000-0440 DESCRIPTION: NetBSD 1.4.2 and earlier allows remote attackers to cause a denial of service by sending a packet with an unaligned IP timestamp option. CVE-2000-0441 DESCRIPTION: Vulnerability in AIX 3.2.x and 4.x allows local users to gain write access to files on locally or remotely mounted AIX filesystems. CVE-2000-0442 DESCRIPTION: Qpopper 2.53 and earlier allows local users to gain privileges via a formatting string in the From: header, which is processed by the euidl command. CVE-2000-0443 DESCRIPTION: The web interface server in HP Web JetAdmin 5.6 allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0444 DESCRIPTION: HP Web JetAdmin 6.0 allows remote attackers to cause a denial of service via a malformed URL to port 8000. CVE-2000-0445 DESCRIPTION: The pgpk command in PGP 5.x on Unix systems uses an insufficiently random data source for non-interactive key pair generation, which may produce predictable keys. CVE-2000-0446 DESCRIPTION: Buffer overflow in MDBMS database server allows remote attackers to execute arbitrary commands via a long string. CVE-2000-0447 DESCRIPTION: Buffer overflow in WebShield SMTP 4.5.44 allows remote attackers to execute arbitrary commands via a long configuration parameter to the WebShield remote management service. CVE-2000-0448 DESCRIPTION: The WebShield SMTP Management Tool version 4.5.44 does not properly restrict access to the management port when an IP address does not resolve to a hostname, which allows remote attackers to access the configuration via the GET_CONFIG command. CVE-2000-0449 DESCRIPTION: Omnis Studio 2.4 uses weak encryption (trivial encoding) for encrypting database fields. CVE-2000-0450 DESCRIPTION: Vulnerability in bbd server in Big Brother System and Network Monitor allows an attacker to execute arbitrary commands. CVE-2000-0451 DESCRIPTION: The Intel express 8100 ISDN router allows remote attackers to cause a denial of service via oversized or fragmented ICMP packets. CVE-2000-0452 DESCRIPTION: Buffer overflow in the ESMTP service of Lotus Domino Server 5.0.1 allows remote attackers to cause a denial of service via a long MAIL FROM command. CVE-2000-0453 DESCRIPTION: XFree86 3.3.x and 4.0 allows a user to cause a denial of service via a negative counter value in a malformed TCP packet that is sent to port 6000. CVE-2000-0454 DESCRIPTION: Buffer overflow in Linux cdrecord allows local users to gain privileges via the dev parameter. CVE-2000-0455 DESCRIPTION: Buffer overflow in xlockmore xlock program version 4.16 and earlier allows local users to read sensitive data from memory via a long -mode option. CVE-2000-0456 DESCRIPTION: NetBSD 1.4.2 and earlier allows local users to cause a denial of service by repeatedly running certain system calls in the kernel which do not yield the CPU, aka "cpu-hog". CVE-2000-0457 DESCRIPTION: ISM.DLL in IIS 4.0 and 5.0 allows remote attackers to read file contents by requesting the file and appending a large number of encoded spaces (%20) and terminated with a .htr extension, aka the ".HTR File Fragment Reading" or "File Fragment Reading via .HTR" vulnerability. CVE-2000-0458 DESCRIPTION: The MSWordView application in IMP creates world-readable files in the /tmp directory, which allows other local users to read potentially sensitive information. CVE-2000-0459 DESCRIPTION: IMP does not remove files properly if the MSWordView application quits, which allows local users to cause a denial of service by filling up the disk space by requesting a large number of documents and prematurely stopping the request. CVE-2000-0460 DESCRIPTION: Buffer overflow in KDE kdesud on Linux allows local uses to gain privileges via a long DISPLAY environmental variable. CVE-2000-0461 DESCRIPTION: The undocumented semconfig system call in BSD freezes the state of semaphores, which allows local users to cause a denial of service of the semaphore system by using the semconfig call. CVE-2000-0462 DESCRIPTION: ftpd in NetBSD 1.4.2 does not properly parse entries in /etc/ftpchroot and does not chroot the specified users, which allows those users to access other files outside of their home directory. CVE-2000-0463 DESCRIPTION: BeOS 5.0 allows remote attackers to cause a denial of service via fragmented TCP packets. CVE-2000-0464 DESCRIPTION: Internet Explorer 4.x and 5.x allows remote attackers to execute arbitrary commands via a buffer overflow in the ActiveX parameter parsing capability, aka the "Malformed Component Attribute" vulnerability. CVE-2000-0465 DESCRIPTION: Internet Explorer 4.x and 5.x does not properly verify the domain of a frame within a browser window, which allows a remote attacker to read client files via the frame, aka the "Frame Domain Verification" vulnerability. CVE-2000-0466 DESCRIPTION: AIX cdmount allows local users to gain root privileges via shell metacharacters. CVE-2000-0467 DESCRIPTION: Buffer overflow in Linux splitvt 1.6.3 and earlier allows local users to gain root privileges via a long password in the screen locking function. CVE-2000-0468 DESCRIPTION: man in HP-UX 10.20 and 11 allows local attackers to overwrite files via a symlink attack. CVE-2000-0469 DESCRIPTION: Selena Sol WebBanner 4.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0470 DESCRIPTION: Allegro RomPager HTTP server allows remote attackers to cause a denial of service via a malformed authentication request. CVE-2000-0471 DESCRIPTION: Buffer overflow in ufsrestore in Solaris 8 and earlier allows local users to gain root privileges via a long pathname. CVE-2000-0472 DESCRIPTION: Buffer overflow in innd 2.2.2 allows remote attackers to execute arbitrary commands via a cancel request containing a long message ID. CVE-2000-0473 DESCRIPTION: Buffer overflow in AnalogX SimpleServer 1.05 allows a remote attacker to cause a denial of service via a long GET request for a program in the cgi-bin directory. CVE-2000-0474 DESCRIPTION: Real Networks RealServer 7.x allows remote attackers to cause a denial of service via a malformed request for a page in the viewsource directory. CVE-2000-0475 DESCRIPTION: Windows 2000 allows a local user process to access another user's desktop within the same windows station, aka the "Desktop Separation" vulnerability. CVE-2000-0476 DESCRIPTION: xterm, Eterm, and rxvt allow an attacker to cause a denial of service by embedding certain escape characters which force the window to be resized. CVE-2000-0477 DESCRIPTION: Buffer overflow in Norton Antivirus for Exchange (NavExchange) allows remote attackers to cause a denial of service via a .zip file that contains long file names. CVE-2000-0478 DESCRIPTION: In some cases, Norton Antivirus for Exchange (NavExchange) enters a "fail-open" state which allows viruses to pass through the server. CVE-2000-0479 DESCRIPTION: Dragon FTP server allows remote attackers to cause a denial of service via a long USER command. CVE-2000-0480 DESCRIPTION: Dragon telnet server allows remote attackers to cause a denial of service via a long username. CVE-2000-0481 DESCRIPTION: Buffer overflow in KDE Kmail allows a remote attacker to cause a denial of service via an attachment with a long file name. CVE-2000-0482 DESCRIPTION: Check Point Firewall-1 allows remote attackers to cause a denial of service by sending a large number of malformed fragmented IP packets. CVE-2000-0483 DESCRIPTION: The DocumentTemplate package in Zope 2.2 and earlier allows a remote attacker to modify DTMLDocuments or DTMLMethods without authorization. CVE-2000-0484 DESCRIPTION: Buffer overflow in Small HTTP Server allows remote attackers to cause a denial of service via a long GET request. CVE-2000-0485 DESCRIPTION: Microsoft SQL Server allows local users to obtain database passwords via the Data Transformation Service (DTS) package Properties dialog, aka the "DTS Password" vulnerability. CVE-2000-0486 DESCRIPTION: Buffer overflow in Cisco TACACS+ tac_plus server allows remote attackers to cause a denial of service via a malformed packet with a long length field. CVE-2000-0487 DESCRIPTION: The Protected Store in Windows 2000 does not properly select the strongest encryption when available, which causes it to use a default of 40-bit encryption instead of 56-bit DES encryption, aka the "Protected Store Key Length" vulnerability. CVE-2000-0488 DESCRIPTION: Buffer overflow in ITHouse mail server 1.04 allows remote attackers to execute arbitrary commands via a long RCPT TO mail command. CVE-2000-0489 DESCRIPTION: FreeBSD, NetBSD, and OpenBSD allow an attacker to cause a denial of service by creating a large number of socket pairs using the socketpair function, setting a large buffer size via setsockopt, then writing large buffers. CVE-2000-0490 DESCRIPTION: Buffer overflow in the NetWin DSMTP 2.7q in the NetWin dmail package allows remote attackers to execute arbitrary commands via a long ETRN request. CVE-2000-0491 DESCRIPTION: Buffer overflow in the XDMCP parsing code of GNOME gdm, KDE kdm, and wdm allows remote attackers to execute arbitrary commands or cause a denial of service via a long FORWARD_QUERY request. CVE-2000-0492 DESCRIPTION: PassWD 1.2 uses weak encryption (trivial encoding) to store passwords, which allows an attacker who can read the password file to easliy decrypt the passwords. CVE-2000-0493 DESCRIPTION: Buffer overflow in Simple Network Time Sync (SMTS) daemon allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long string. CVE-2000-0494 DESCRIPTION: Veritas Volume Manager creates a world writable .server_pids file, which allows local users to add arbitrary commands into the file, which is then executed by the vmsa_server script. CVE-2000-0495 DESCRIPTION: Microsoft Windows Media Encoder allows remote attackers to cause a denial of service via a malformed request, aka the "Malformed Windows Media Encoder Request" vulnerability. CVE-2000-0497 DESCRIPTION: IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. CVE-2000-0498 DESCRIPTION: Unify eWave ServletExec allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. CVE-2000-0499 DESCRIPTION: The default configuration of BEA WebLogic 3.1.8 through 4.5.1 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. CVE-2000-0500 DESCRIPTION: The default configuration of BEA WebLogic 5.1.0 allows a remote attacker to view source code of programs by requesting a URL beginning with /file/, which causes the default servlet to display the file without further processing. CVE-2000-0501 DESCRIPTION: Race condition in MDaemon 2.8.5.0 POP server allows local users to cause a denial of service by entering a UIDL command and quickly exiting the server. CVE-2000-0502 DESCRIPTION: Mcafee VirusScan 4.03 does not properly restrict access to the alert text file before it is sent to the Central Alert Server, which allows local users to modify alerts in an arbitrary fashion. CVE-2000-0503 DESCRIPTION: The IFRAME of the WebBrowser control in Internet Explorer 5.01 allows a remote attacker to violate the cross frame security policy via the NavigateComplete2 event. CVE-2000-0504 DESCRIPTION: libICE in XFree86 allows remote attackers to cause a denial of service by specifying a large value which is not properly checked by the SKIP_STRING macro. CVE-2000-0505 DESCRIPTION: The Apache 1.3.x HTTP server for Windows platforms allows remote attackers to list directory contents by requesting a URL containing a large number of / characters. CVE-2000-0506 DESCRIPTION: The "capabilities" feature in Linux before 2.2.16 allows local users to cause a denial of service or gain privileges by setting the capabilities to prevent a setuid program from dropping privileges, aka the "Linux kernel setuid/setcap vulnerability." CVE-2000-0507 DESCRIPTION: Imate Webmail Server 2.5 allows remote attackers to cause a denial of service via a long HELO command. CVE-2000-0508 DESCRIPTION: rpc.lockd in Red Hat Linux 6.1 and 6.2 allows remote attackers to cause a denial of service via a malformed request. CVE-2000-0509 DESCRIPTION: Buffer overflows in the finger and whois demonstration scripts in Sambar Server 4.3 allow remote attackers to execute arbitrary commands via a long hostname. CVE-2000-0510 DESCRIPTION: CUPS (Common Unix Printing System) 1.04 and earlier allows remote attackers to cause a denial of service via a malformed IPP request. CVE-2000-0511 DESCRIPTION: CUPS (Common Unix Printing System) 1.04 and earlier allows remote attackers to cause a denial of service via a CGI POST request. CVE-2000-0512 DESCRIPTION: CUPS (Common Unix Printing System) 1.04 and earlier does not properly delete request files, which allows a remote attacker to cause a denial of service. CVE-2000-0513 DESCRIPTION: CUPS (Common Unix Printing System) 1.04 and earlier allows remote attackers to cause a denial of service by authenticating with a user name that does not exist or does not have a shadow password. CVE-2000-0514 DESCRIPTION: GSSFTP FTP daemon in Kerberos 5 1.1.x does not properly restrict access to some FTP commands, which allows remote attackers to cause a denial of service, and local users to gain root privileges. CVE-2000-0515 DESCRIPTION: The snmpd.conf configuration file for the SNMP daemon (snmpd) in HP-UX 11.0 is world writable, which allows local users to modify SNMP configuration or gain privileges. CVE-2000-0516 DESCRIPTION: When configured to store configuration information in an LDAP directory, Shiva Access Manager 5.0.0 stores the root DN (Distinguished Name) name and password in cleartext in a file that is world readable, which allows local users to compromise the LDAP server. CVE-2000-0517 DESCRIPTION: Netscape 4.73 and earlier does not properly warn users about a potentially invalid certificate if the user has previously accepted the certificate for a different web site, which could allow remote attackers to spoof a legitimate web site by compromising that site's DNS information. CVE-2000-0518 DESCRIPTION: Internet Explorer 4.x and 5.x does not properly verify all contents of an SSL certificate if a connection is made to the server via an image or a frame, aka one of two different "SSL Certificate Validation" vulnerabilities. CVE-2000-0519 DESCRIPTION: Internet Explorer 4.x and 5.x does not properly re-validate an SSL certificate if the user establishes a new SSL session with the same server during the same Internet Explorer session, aka one of two different "SSL Certificate Validation" vulnerabilities. CVE-2000-0520 DESCRIPTION: Buffer overflow in restore program 0.4b17 and earlier in dump package allows local users to execute arbitrary commands via a long tape name. CVE-2000-0521 DESCRIPTION: Savant web server allows remote attackers to read source code of CGI scripts via a GET request that does not include the HTTP version number. CVE-2000-0522 DESCRIPTION: RSA ACE/Server allows remote attackers to cause a denial of service by flooding the server's authentication request port with UDP packets, which causes the server to crash. CVE-2000-0523 DESCRIPTION: Buffer overflow in the logging feature of EServ 2.9.2 and earlier allows an attacker to execute arbitrary commands via a long MKD command. CVE-2000-0524 DESCRIPTION: Microsoft Outlook and Outlook Express allow remote attackers to cause a denial of service by sending email messages with blank fields such as BCC, Reply-To, Return-Path, or From. CVE-2000-0525 DESCRIPTION: OpenSSH does not properly drop privileges when the UseLogin option is enabled, which allows local users to execute arbitrary commands by providing the command to the ssh daemon. CVE-2000-0526 DESCRIPTION: mailview.cgi CGI program in MailStudio 2000 2.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0527 DESCRIPTION: userreg.cgi CGI program in MailStudio 2000 2.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters. CVE-2000-0528 DESCRIPTION: Net Tools PKI Server does not properly restrict access to remote attackers when the XUDA template files do not contain absolute pathnames for other files. CVE-2000-0529 DESCRIPTION: Net Tools PKI Server allows remote attackers to cause a denial of service via a long HTTP request. CVE-2000-0530 DESCRIPTION: The KApplication class in the KDE 1.1.2 configuration file management capability allows local users to overwrite arbitrary files. CVE-2000-0531 DESCRIPTION: Linux gpm program allows local users to cause a denial of service by flooding the /dev/gpmctl device with STREAM sockets. CVE-2000-0532 DESCRIPTION: A FreeBSD patch for SSH on 2000-01-14 configures ssh to listen on port 722 as well as port 22, which might allow remote attackers to access SSH through port 722 even if port 22 is otherwise filtered. CVE-2000-0533 DESCRIPTION: Vulnerability in cvconnect in SGI IRIX WorkShop allows local users to overwrite arbitrary files. CVE-2000-0534 DESCRIPTION: The apsfilter software in the FreeBSD ports package does not properly read user filter configurations, which allows local users to execute commands as the lpd user. CVE-2000-0535 DESCRIPTION: OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the existence of the /dev/random or /dev/urandom devices, which are absent on FreeBSD Alpha systems, which causes them to produce weak keys which may be more easily broken. CVE-2000-0536 DESCRIPTION: xinetd 2.1.8.x does not properly restrict connections if hostnames are used for access control and the connecting host does not have a reverse DNS entry. CVE-2000-0537 DESCRIPTION: BRU backup software allows local users to append data to arbitrary files by specifying an alternate configuration file with the BRUEXECLOG environmental variable. CVE-2000-0538 DESCRIPTION: ColdFusion Administrator for ColdFusion 4.5.1 and earlier allows remote attackers to cause a denial of service via a long login password. CVE-2000-0539 DESCRIPTION: Servlet examples in Allaire JRun 2.3.x allow remote attackers to obtain sensitive information, e.g. listing HttpSession ID's via the SessionServlet servlet. CVE-2000-0540 DESCRIPTION: JSP sample files in Allaire JRun 2.3.x allow remote attackers to access arbitrary files (e.g. via viewsource.jsp) or obtain configuration information. CVE-2000-0541 DESCRIPTION: The Panda Antivirus console on port 2001 allows local users to execute arbitrary commands without authentication via the CMD command. CVE-2000-0542 DESCRIPTION: Tigris remote access server before 11.5.4.22 does not properly record Radius accounting information when a user fails the initial login authentication but subsequently succeeds. CVE-2000-0543 DESCRIPTION: The command port for PGP Certificate Server 2.5.0 and 2.5.1 allows remote attackers to cause a denial of service if their hostname does not have a reverse DNS entry and they connect to port 4000. CVE-2000-0544 DESCRIPTION: Windows NT and Windows 2000 hosts allow a remote attacker to cause a denial of service via malformed DCE/RPC SMBwriteX requests that contain an invalid data length. CVE-2000-0545 DESCRIPTION: Buffer overflow in mailx mail command (aka Mail) on Linux systems allows local users to gain privileges via a long -c (carbon copy) parameter. CVE-2000-0546 DESCRIPTION: Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the lastrealm variable in the set_tgtkey function. CVE-2000-0547 DESCRIPTION: Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the localrealm variable in the process_v4 function. CVE-2000-0548 DESCRIPTION: Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the e_msg variable in the kerb_err_reply function. CVE-2000-0549 DESCRIPTION: Kerberos 4 KDC program does not properly check for null termination of AUTH_MSG_KDC_REQUEST requests, which allows remote attackers to cause a denial of service via a malformed request. CVE-2000-0550 DESCRIPTION: Kerberos 4 KDC program improperly frees memory twice (aka "double-free"), which allows remote attackers to cause a denial of service. CVE-2000-0551 DESCRIPTION: The file transfer mechanism in Danware NetOp 6.0 does not provide authentication, which allows remote attackers to access and modify arbitrary files. CVE-2000-0552 DESCRIPTION: ICQwebmail client for ICQ 2000A creates a world readable temporary file during login and does not delete it, which allows local users to obtain sensitive information. CVE-2000-0553 DESCRIPTION: Race condition in IPFilter firewall 3.4.3 and earlier, when configured with overlapping "return-rst" and "keep state" rules, allows remote attackers to bypass access restrictions. CVE-2000-0554 DESCRIPTION: Ceilidh allows remote attackers to obtain the real path of the Ceilidh directory via the translated_path hidden form field. CVE-2000-0555 DESCRIPTION: Ceilidh allows remote attackers to cause a denial of service via a large number of POST requests. CVE-2000-0556 DESCRIPTION: Buffer overflow in the web interface for Cmail 2.4.7 allows remote attackers to cause a denial of service by sending a large user name to the user dialog running on port 8002. CVE-2000-0557 DESCRIPTION: Buffer overflow in the web interface for Cmail 2.4.7 allows remote attackers to execute arbitrary commands via a long GET request. CVE-2000-0558 DESCRIPTION: Buffer overflow in HP Openview Network Node Manager 6.1 allows remote attackers to execute arbitrary commands via the Alarm service (OVALARMSRV) on port 2345. CVE-2000-0559 DESCRIPTION: eTrust Intrusion Detection System (formerly SessionWall-3) uses weak encryption (XOR) to store administrative passwords in the registry, which allows local users to easily decrypt the passwords. CVE-2000-0561 DESCRIPTION: Buffer overflow in WebBBS 1.15 allows remote attackers to execute arbitrary commands via a long HTTP GET request. CVE-2000-0562 DESCRIPTION: BlackIce Defender 2.1 and earlier, and BlackIce Pro 2.0.23 and earlier, do not properly block Back Orifice traffic when the security setting is Nervous or lower. CVE-2000-0563 DESCRIPTION: The URLConnection function in MacOS Runtime Java (MRJ) 2.1 and earlier and the Microsoft virtual machine (VM) for MacOS allows a malicious web site operator to connect to arbitrary hosts using a HTTP redirection, in violation of the Java security model. CVE-2000-0564 DESCRIPTION: The guestbook CGI program in ICQ Web Front service for ICQ 2000a, 99b, and others allows remote attackers to cause a denial of service via a URL with a long name parameter. CVE-2000-0565 DESCRIPTION: SmartFTP Daemon 0.2 allows a local user to access arbitrary files by uploading and specifying an alternate user configuration file via a .. (dot dot) attack. CVE-2000-0566 DESCRIPTION: makewhatis in Linux man package allows local users to overwrite files via a symlink attack. CVE-2000-0567 DESCRIPTION: Buffer overflow in Microsoft Outlook and Outlook Express allows remote attackers to execute arbitrary commands via a long Date field in an email header, aka the "Malformed E-mail Header" vulnerability. CVE-2000-0568 DESCRIPTION: Sybergen Secure Desktop 2.1 does not properly protect against false router advertisements (ICMP type 9), which allows remote attackers to modify default routes. CVE-2000-0569 DESCRIPTION: Sybergen Sygate allows remote attackers to cause a denial of service by sending a malformed DNS UDP packet to its internal interface. CVE-2000-0570 DESCRIPTION: FirstClass Internet Services server 5.770, and other versions before 6.1, allows remote attackers to cause a denial of service by sending an email with a long To: mail header. CVE-2000-0571 DESCRIPTION: LocalWEB HTTP server 1.2.0 allows remote attackers to cause a denial of service via a long GET request. CVE-2000-0572 DESCRIPTION: The Razor configuration management tool uses weak encryption for its password file, which allows local users to gain privileges. CVE-2000-0573 DESCRIPTION: The lreply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary commands via the SITE EXEC command. CVE-2000-0574 DESCRIPTION: FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd do not properly cleanse untrusted format strings that are used in the setproctitle function (sometimes called by set_proc_title), which allows remote attackers to cause a denial of service or execute arbitrary commands. CVE-2000-0575 DESCRIPTION: SSH 1.2.27 with Kerberos authentication support stores Kerberos tickets in a file which is created in the current directory of the user who is logging in, which could allow remote attackers to sniff the ticket cache if the home directory is installed on NFS. CVE-2000-0576 DESCRIPTION: Oracle Web Listener for AIX versions 4.0.7.0.0 and 4.0.8.1.0 allows remote attackers to cause a denial of service via a malformed URL. CVE-2000-0577 DESCRIPTION: Netscape Professional Services FTP Server 1.3.6 allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0578 DESCRIPTION: SGI MIPSPro compilers C, C++, F77 and F90 generate temporary files in /tmp with predictable file names, which could allow local users to insert malicious contents into these files as they are being compiled by another user. CVE-2000-0579 DESCRIPTION: IRIX crontab creates temporary files with predictable file names and with the umask of the user, which could allow local users to modify another user's crontab file as it is being edited. CVE-2000-0580 DESCRIPTION: Windows 2000 Server allows remote attackers to cause a denial of service by sending a continuous stream of binary zeros to various TCP and UDP ports, which significantly increases the CPU utilization. CVE-2000-0581 DESCRIPTION: Windows 2000 Telnet Server allows remote attackers to cause a denial of service by sending a continuous stream of binary zeros, which causes the server to crash. CVE-2000-0582 DESCRIPTION: Check Point FireWall-1 4.0 and 4.1 allows remote attackers to cause a denial of service by sending a stream of invalid commands (such as binary zeros) to the SMTP Security Server proxy. CVE-2000-0583 DESCRIPTION: vchkpw program in vpopmail before version 4.8 does not properly cleanse an untrusted format string used in a call to syslog, which allows remote attackers to cause a denial of service via a USER or PASS command that contains arbitrary formatting directives. CVE-2000-0584 DESCRIPTION: Buffer overflow in Canna input system allows remote attackers to execute arbitrary commands via an SR_INIT command with a long user name or group name. CVE-2000-0585 DESCRIPTION: ISC DHCP client program dhclient allows remote attackers to execute arbitrary commands via shell metacharacters. CVE-2000-0586 DESCRIPTION: Buffer overflow in Dalnet IRC server 4.6.5 allows remote attackers to cause a denial of service or execute arbitrary commands via the SUMMON command. CVE-2000-0587 DESCRIPTION: The privpath directive in glftpd 1.18 allows remote attackers to bypass access restrictions for directories by using the file name completion capability. CVE-2000-0588 DESCRIPTION: SawMill 5.0.21 CGI program allows remote attackers to read the first line of arbitrary files by listing the file in the rfcf parameter, whose contents SawMill attempts to parse as configuration commands. CVE-2000-0589 DESCRIPTION: SawMill 5.0.21 uses weak encryption to store passwords, which allows attackers to easily decrypt the password and modify the SawMill configuration. CVE-2000-0590 DESCRIPTION: Poll It 2.0 CGI script allows remote attackers to read arbitrary files by specifying the file name in the data_dir parameter. CVE-2000-0591 DESCRIPTION: Novell BorderManager 3.0 and 3.5 allows remote attackers to bypass URL filtering by encoding characters in the requested URL. CVE-2000-0592 DESCRIPTION: Buffer overflows in POP3 service in WinProxy 2.0 and 2.0.1 allow remote attackers to execute arbitrary commands via long USER, PASS, LIST, RETR, or DELE commands. CVE-2000-0593 DESCRIPTION: WinProxy 2.0 and 2.0.1 allows remote attackers to cause a denial of service by sending an HTTP GET request without listing an HTTP version number. CVE-2000-0594 DESCRIPTION: BitchX IRC client does not properly cleanse an untrusted format string, which allows remote attackers to cause a denial of service via an invite to a channel whose name includes special formatting characters. CVE-2000-0595 DESCRIPTION: libedit searches for the .editrc file in the current directory instead of the user's home directory, which may allow local users to execute arbitrary commands by installing a modified .editrc in another directory. CVE-2000-0596 DESCRIPTION: Internet Explorer 5.x does not warn a user before opening a Microsoft Access database file that is referenced within ActiveX OBJECT tags in an HTML document, which could allow remote attackers to execute arbitrary commands, aka the "IE Script" vulnerability. CVE-2000-0597 DESCRIPTION: Microsoft Office 2000 (Excel and PowerPoint) and PowerPoint 97 are marked as safe for scripting, which allows remote attackers to force Internet Explorer or some email clients to save files to arbitrary locations via the Visual Basic for Applications (VBA) SaveAs function, aka the "Office HTML Script" vulnerability. CVE-2000-0598 DESCRIPTION: Fortech Proxy+ allows remote attackers to bypass access restrictions for to the administration service by redirecting their connections through the telnet proxy. CVE-2000-0599 DESCRIPTION: Buffer overflow in iMesh 1.02 allows remote attackers to execute arbitrary commands via a long string to the iMesh port. CVE-2000-0600 DESCRIPTION: Netscape Enterprise Server in NetWare 5.1 allows remote attackers to cause a denial of service or execute arbitrary commands via a malformed URL. CVE-2000-0601 DESCRIPTION: LeafChat 1.7 IRC client allows a remote IRC server to cause a denial of service by rapidly sending a large amount of error messages. CVE-2000-0602 DESCRIPTION: Secure Locate (slocate) in Red Hat Linux allows local users to gain privileges via a malformed configuration file that is specified in the LOCATE_PATH environmental variable. CVE-2000-0603 DESCRIPTION: Microsoft SQL Server 7.0 allows a local user to bypass permissions for stored procedures by referencing them via a temporary stored procedure, aka the "Stored Procedure Permissions" vulnerability. CVE-2000-0604 DESCRIPTION: gkermit in Red Hat Linux is improperly installed with setgid uucp, which allows local users to modify files owned by uucp. CVE-2000-0605 DESCRIPTION: Blackboard CourseInfo 4.0 stores the local and SQL administrator user names and passwords in cleartext in a registry key whose access control allows users to access the passwords. CVE-2000-0606 DESCRIPTION: Buffer overflow in kon program in Kanji on Console (KON) package on Linux may allow local users to gain root privileges via a long -StartupMessage parameter. CVE-2000-0607 DESCRIPTION: Buffer overflow in fld program in Kanji on Console (KON) package on Linux may allow local users to gain root privileges via an input file containing long CHARSET_REGISTRY or CHARSET_ENCODING settings. CVE-2000-0608 DESCRIPTION: NetWin dMailWeb and cwMail 2.6i and earlier allows remote attackers to cause a denial of service via a long POP parameter (pophost). CVE-2000-0609 DESCRIPTION: NetWin dMailWeb and cwMail 2.6g and earlier allows remote attackers to cause a denial of service via a long username parameter. CVE-2000-0610 DESCRIPTION: NetWin dMailWeb and cwMail 2.6g and earlier allows remote attackers to bypass authentication and use the server for mail relay via a username that contains a carriage return. CVE-2000-0611 DESCRIPTION: The default configuration of NetWin dMailWeb and cwMail trusts all POP servers, which allows attackers to bypass normal authentication and cause a denial of service. CVE-2000-0612 DESCRIPTION: Windows 95 and Windows 98 do not properly process spoofed ARP packets, which allows remote attackers to overwrite static entries in the cache table. CVE-2000-0613 DESCRIPTION: Cisco Secure PIX Firewall does not properly identify forged TCP Reset (RST) packets, which allows remote attackers to force the firewall to close legitimate connections. CVE-2000-0614 DESCRIPTION: Tnef program in Linux systems allows remote attackers to overwrite arbitrary files via TNEF encoded compressed attachments which specify absolute path names for the decompressed output. CVE-2000-0615 DESCRIPTION: LPRng 3.6.x improperly installs lpd as setuid root, which can allow local users to append lpd trace and logging messages to files. CVE-2000-0616 DESCRIPTION: Vulnerability in HP TurboIMAGE DBUTIL allows local users to gain additional privileges via DBUTIL.PUB.SYS. CVE-2000-0617 DESCRIPTION: Buffer overflow in xconq and cconq game programs on Red Hat Linux allows local users to gain additional privileges via long USER environmental variable. CVE-2000-0618 DESCRIPTION: Buffer overflow in xconq and cconq game programs on Red Hat Linux allows local users to gain additional privileges via long DISPLAY environmental variable. CVE-2000-0619 DESCRIPTION: Top Layer AppSwitch 2500 allows remote attackers to cause a denial of service via malformed ICMP packets. CVE-2000-0620 DESCRIPTION: libX11 X library allows remote attackers to cause a denial of service via a resource mask of 0, which causes libX11 to go into an infinite loop. CVE-2000-0621 DESCRIPTION: Microsoft Outlook 98 and 2000, and Outlook Express 4.0x and 5.0x, allow remote attackers to read files on the client's system via a malformed HTML message that stores files outside of the cache, aka the "Cache Bypass" vulnerability. CVE-2000-0622 DESCRIPTION: Buffer overflow in Webfind CGI program in O'Reilly WebSite Professional web server 2.x allows remote attackers to execute arbitrary commands via a URL containing a long "keywords" parameter. CVE-2000-0623 DESCRIPTION: Buffer overflow in O'Reilly WebSite Professional web server 2.4 and earlier allows remote attackers to execute arbitrary commands via a long GET request or Referrer header. CVE-2000-0624 DESCRIPTION: Buffer overflow in Winamp 2.64 and earlier allows remote attackers to execute arbitrary commands via a long #EXTINF: extension in the M3U playlist. CVE-2000-0625 DESCRIPTION: NetZero 3.0 and earlier uses weak encryption for storing a user's login information, which allows a local user to decrypt the password. CVE-2000-0626 DESCRIPTION: Buffer overflow in Alibaba web server allows remote attackers to cause a denial of service via a long GET request. CVE-2000-0627 DESCRIPTION: BlackBoard CourseInfo 4.0 does not properly authenticate users, which allows local users to modify CourseInfo database information and gain privileges by directly calling the supporting CGI programs such as user_update_passwd.pl and user_update_admin.pl. CVE-2000-0628 DESCRIPTION: The source.asp example script in the Apache ASP module Apache::ASP 1.93 and earlier allows remote attackers to modify files. CVE-2000-0629 DESCRIPTION: The default configuration of the Sun Java web server 2.0 and earlier allows remote attackers to execute arbitrary commands by uploading Java code to the server via board.html, then directly calling the JSP compiler servlet. CVE-2000-0630 DESCRIPTION: IIS 4.0 and 5.0 allows remote attackers to obtain fragments of source code by appending a +.htr to the URL, a variant of the "File Fragment Reading via .HTR" vulnerability. CVE-2000-0631 DESCRIPTION: An administrative script from IIS 3.0, later included in IIS 4.0 and 5.0, allows remote attackers to cause a denial of service by accessing the script without a particular argument, aka the "Absent Directory Browser Argument" vulnerability. CVE-2000-0632 DESCRIPTION: Buffer overflow in the web archive component of L-Soft Listserv 1.8d and earlier allows remote attackers to execute arbitrary commands via a long query string. CVE-2000-0633 DESCRIPTION: Vulnerability in Mandrake Linux usermode package allows local users to to reboot or halt the system. CVE-2000-0634 DESCRIPTION: The web administration interface for CommuniGate Pro 3.2.5 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0635 DESCRIPTION: The view_page.html sample page in the MiniVend shopping cart program allows remote attackers to execute arbitrary commands via shell metacharacters. CVE-2000-0636 DESCRIPTION: HP JetDirect printers versions G.08.20 and H.08.20 and earlier allow remote attackers to cause a denial of service via a malformed FTP quote command. CVE-2000-0637 DESCRIPTION: Microsoft Excel 97 and 2000 allows an attacker to execute arbitrary commands by specifying a malicious .dll using the Register.ID function, aka the "Excel REGISTER.ID Function" vulnerability. CVE-2000-0638 DESCRIPTION: bb-hostsvc.sh in Big Brother 1.4h1 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack on the HOSTSVC parameter. CVE-2000-0639 DESCRIPTION: The default configuration of Big Brother 1.4h2 and earlier does not include proper access restrictions, which allows remote attackers to execute arbitrary commands by using bbd to upload a file whose extension will cause it to be executed as a CGI script by the web server. CVE-2000-0640 DESCRIPTION: Guild FTPd allows remote attackers to determine the existence of files outside the FTP root via a .. (dot dot) attack, which provides different error messages depending on whether the file exists or not. CVE-2000-0641 DESCRIPTION: Savant web server allows remote attackers to execute arbitrary commands via a long GET request. CVE-2000-0642 DESCRIPTION: The default configuration of WebActive HTTP Server 1.00 stores the web access log active.log in the document root, which allows remote attackers to view the logs by directly requesting the page. CVE-2000-0643 DESCRIPTION: Buffer overflow in WebActive HTTP Server 1.00 allows remote attackers to cause a denial of service via a long URL. CVE-2000-0644 DESCRIPTION: WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of service by executing a STAT command while the LIST command is still executing. CVE-2000-0645 DESCRIPTION: WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of service by using the RESTART (REST) command and writing beyond the end of a file, or writing to a file that does not exist, via commands such as STORE UNIQUE (STOU), STORE (STOR), or APPEND (APPE). CVE-2000-0646 DESCRIPTION: WFTPD and WFTPD Pro 2.41 allows remote attackers to obtain the real pathname for a file by executing a STATUS (STAT) command while the file is being transferred. CVE-2000-0647 DESCRIPTION: WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of service by executing an MLST command before logging into the server. CVE-2000-0648 DESCRIPTION: WFTPD and WFTPD Pro 2.41 allows local users to cause a denial of service by executing the RENAME TO (RNTO) command before a RENAME FROM (RNFR) command. CVE-2000-0649 DESCRIPTION: IIS 4.0 allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request for a web page which is protected by basic authentication and has no realm defined. CVE-2000-0650 DESCRIPTION: The default installation of VirusScan 4.5 and NetShield 4.5 has insecure permissions for the registry key that identifies the AutoUpgrade directory, which allows local users to execute arbitrary commands by replacing SETUP.EXE in that directory with a Trojan Horse. CVE-2000-0651 DESCRIPTION: The ClientTrust program in Novell BorderManager does not properly verify the origin of authentication requests, which could allow remote attackers to impersonate another user by replaying the authentication requests and responses from port 3024 of the victim's machine. CVE-2000-0652 DESCRIPTION: IBM WebSphere allows remote attackers to read source code for executable web files by directly calling the default InvokerServlet using a URL which contains the "/servlet/file" string. CVE-2000-0653 DESCRIPTION: Microsoft Outlook Express allows remote attackers to monitor a user's email by creating a persistent browser link to the Outlook Express windows, aka the "Persistent Mail-Browser Link" vulnerability. CVE-2000-0654 DESCRIPTION: Microsoft Enterprise Manager allows local users to obtain database passwords via the Data Transformation Service (DTS) package Registered Servers Dialog dialog, aka a variant of the "DTS Password" vulnerability. CVE-2000-0655 DESCRIPTION: Netscape Communicator 4.73 and earlier allows remote attackers to cause a denial of service or execute arbitrary commands via a JPEG image containing a comment with an illegal field length of 1. CVE-2000-0656 DESCRIPTION: Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long USER command in the FTP protocol. CVE-2000-0657 DESCRIPTION: Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long HELO command in the SMTP protocol. CVE-2000-0658 DESCRIPTION: Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long USER command in the POP3 protocol. CVE-2000-0659 DESCRIPTION: Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long user ID in a SOCKS4 CONNECT request. CVE-2000-0660 DESCRIPTION: The WDaemon web server for WorldClient 2.1 allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0661 DESCRIPTION: WircSrv IRC Server 5.07s allows remote attackers to cause a denial of service via a long string to the server port. CVE-2000-0662 DESCRIPTION: Internet Explorer 5.x and Microsoft Outlook allows remote attackers to read arbitrary files by redirecting the contents of an IFRAME using the DHTML Edit Control (DHTMLED). CVE-2000-0663 DESCRIPTION: The registry entry for the Windows Shell executable (Explorer.exe) in Windows NT and Windows 2000 uses a relative path name, which allows local users to execute arbitrary commands by inserting a Trojan Horse named Explorer.exe into the %Systemdrive% directory, aka the "Relative Shell Path" vulnerability. CVE-2000-0664 DESCRIPTION: AnalogX SimpleServer:WWW 1.06 and earlier allows remote attackers to read arbitrary files via a modified .. (dot dot) attack that uses the %2E URL encoding for the dots. CVE-2000-0665 DESCRIPTION: GAMSoft TelSrv telnet server 1.5 and earlier allows remote attackers to cause a denial of service via a long username. CVE-2000-0666 DESCRIPTION: rpc.statd in the nfs-utils package in various Linux distributions does not properly cleanse untrusted format strings, which allows remote attackers to gain root privileges. CVE-2000-0667 DESCRIPTION: Vulnerability in gpm in Caldera Linux allows local users to delete arbitrary files or conduct a denial of service. CVE-2000-0668 DESCRIPTION: pam_console PAM module in Linux systems allows a user to access the system console and reboot the system when a display manager such as gdm or kdm has XDMCP enabled. CVE-2000-0669 DESCRIPTION: Novell NetWare 5.0 allows remote attackers to cause a denial of service by flooding port 40193 with random data. CVE-2000-0670 DESCRIPTION: The cvsweb CGI script in CVSWeb 1.80 allows remote attackers with write access to a CVS repository to execute arbitrary commands via shell metacharacters. CVE-2000-0671 DESCRIPTION: Roxen web server earlier than 2.0.69 allows allows remote attackers to bypass access restrictions, list directory contents, and read source code by inserting a null character (%00) to the URL. CVE-2000-0672 DESCRIPTION: The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory. CVE-2000-0673 DESCRIPTION: The NetBIOS Name Server (NBNS) protocol does not perform authentication, which allows remote attackers to cause a denial of service by sending a spoofed Name Conflict or Name Release datagram, aka the "NetBIOS Name Server Protocol Spoofing" vulnerability. CVE-2000-0674 DESCRIPTION: ftp.pl CGI program for Virtual Visions FTP browser allows remote attackers to read directories outside of the document root via a .. (dot dot) attack. CVE-2000-0675 DESCRIPTION: Buffer overflow in Infopulse Gatekeeper 3.5 and earlier allows remote attackers to execute arbitrary commands via a long string. CVE-2000-0676 DESCRIPTION: Netscape Communicator and Navigator 4.04 through 4.74 allows remote attackers to read arbitrary files by using a Java applet to open a connection to a URL using the "file", "http", "https", and "ftp" protocols, as demonstrated by Brown Orifice. CVE-2000-0677 DESCRIPTION: Buffer overflow in IBM Net.Data db2www CGI program allows remote attackers to execute arbitrary commands via a long PATH_INFO environmental variable. CVE-2000-0678 DESCRIPTION: PGP 5.5.x through 6.5.3 does not properly check if an Additional Decryption Key (ADK) is stored in the signed portion of a public certificate, which allows an attacker who can modify a victim's public certificate to decrypt any data that has been encrypted with the modified certificate. CVE-2000-0679 DESCRIPTION: The CVS 1.10.8 client trusts pathnames that are provided by the CVS server, which allows the server to force the client to create arbitrary files. CVE-2000-0680 DESCRIPTION: The CVS 1.10.8 server does not properly restrict users from creating arbitrary Checkin.prog or Update.prog programs, which allows remote CVS committers to modify or create Trojan horse programs with the Checkin.prog or Update.prog names, then performing a CVS commit action. CVE-2000-0681 DESCRIPTION: Buffer overflow in BEA WebLogic server proxy plugin allows remote attackers to execute arbitrary commands via a long URL with a .JSP extension. CVE-2000-0682 DESCRIPTION: BEA WebLogic 5.1.x allows remote attackers to read source code for parsed pages by inserting /ConsoleHelp/ into the URL, which invokes the FileServlet. CVE-2000-0683 DESCRIPTION: BEA WebLogic 5.1.x allows remote attackers to read source code for parsed pages by inserting /*.shtml/ into the URL, which invokes the SSIServlet. CVE-2000-0684 DESCRIPTION: BEA WebLogic 5.1.x does not properly restrict access to the JSPServlet, which could allow remote attackers to compile and execute Java JSP code by directly invoking the servlet on any source file. CVE-2000-0685 DESCRIPTION: BEA WebLogic 5.1.x does not properly restrict access to the PageCompileServlet, which could allow remote attackers to compile and execute Java JHTML code by directly invoking the servlet on any source file. CVE-2000-0686 DESCRIPTION: Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the fromfile parameter. CVE-2000-0687 DESCRIPTION: Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the catdir parameter. CVE-2000-0688 DESCRIPTION: Subscribe Me LITE does not properly authenticate attempts to change the administrator password, which allows remote attackers to gain privileges for the Account Manager by directly calling the subscribe.pl script with the setpwd parameter. CVE-2000-0689 DESCRIPTION: Account Manager LITE does not properly authenticate attempts to change the administrator password, which allows remote attackers to gain privileges for the Account Manager by directly calling the amadmin.pl script with the setpasswd parameter. CVE-2000-0690 DESCRIPTION: Auction Weaver CGI script 1.02 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the fromfile parameter. CVE-2000-0691 DESCRIPTION: The faxrunq and faxrunqd in the mgetty package allows local users to create or modify arbitrary files via a symlink attack which creates a symlink in from /var/spool/fax/outgoing/.last_run to the target file. CVE-2000-0692 DESCRIPTION: ISS RealSecure 3.2.1 and 3.2.2 allows remote attackers to cause a denial of service via a flood of fragmented packets with the SYN flag set. CVE-2000-0693 DESCRIPTION: pgxconfig in the Raptor GFX configuration tool uses a relative path name for a system call to the "cp" program, which allows local users to execute arbitrary commands by modifying their path to point to an alternate "cp" program. CVE-2000-0694 DESCRIPTION: pgxconfig in the Raptor GFX configuration tool allows local users to gain privileges via a symlink attack. CVE-2000-0695 DESCRIPTION: Buffer overflows in pgxconfig in the Raptor GFX configuration tool allow local users to gain privileges via command line options. CVE-2000-0696 DESCRIPTION: The administration interface for the dwhttpd web server in Solaris AnswerBook2 does not properly authenticate requests to its supporting CGI scripts, which allows remote attackers to add user accounts to the interface by directly calling the admin CGI script. CVE-2000-0697 DESCRIPTION: The administration interface for the dwhttpd web server in Solaris AnswerBook2 allows interface users to remotely execute commands via shell metacharacters. CVE-2000-0698 DESCRIPTION: Minicom 1.82.1 and earlier on some Linux systems allows local users to create arbitrary files owned by the uucp user via a symlink attack. CVE-2000-0699 DESCRIPTION: Format string vulnerability in ftpd in HP-UX 10.20 allows remote attackers to cause a denial of service or execute arbitrary commands via format strings in the PASS command. CVE-2000-0700 DESCRIPTION: Cisco Gigabit Switch Routers (GSR) with Fast Ethernet / Gigabit Ethernet cards, from IOS versions 11.2(15)GS1A up to 11.2(19)GS0.2 and some versions of 12.0, do not properly handle line card failures, which allows remote attackers to bypass ACLs or force the interface to stop forwarding packets. CVE-2000-0701 DESCRIPTION: The wrapper program in mailman 2.0beta3 and 2.0beta4 does not properly cleanse untrusted format strings, which allows local users to gain privileges. CVE-2000-0702 DESCRIPTION: The net.init rc script in HP-UX 11.00 (S008net.init) allows local users to overwrite arbitrary files via a symlink attack that points from /tmp/stcp.conf to the targeted file. CVE-2000-0703 DESCRIPTION: suidperl (aka sperl) does not properly cleanse the escape sequence "~!" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the "interactive" environmental variable and calling suidperl with a filename that contains the escape sequence. CVE-2000-0704 DESCRIPTION: Buffer overflow in SGI Omron WorldView Wnn allows remote attackers to execute arbitrary commands via long JS_OPEN, JS_MKDIR, or JS_FILE_INFO commands. CVE-2000-0705 DESCRIPTION: ntop running in web mode allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0706 DESCRIPTION: Buffer overflows in ntop running in web mode allows remote attackers to execute arbitrary commands. CVE-2000-0707 DESCRIPTION: PCCS MySQLDatabase Admin Tool Manager 1.2.4 and earlier installs the file dbconnect.inc within the web root, which allows remote attackers to obtain sensitive information such as the administrative password. CVE-2000-0708 DESCRIPTION: Buffer overflow in Pragma Systems TelnetServer 2000 version 4.0 allows remote attackers to cause a denial of service via a long series of null characters to the rexec port. CVE-2000-0709 DESCRIPTION: The shtml.exe component of Microsoft FrontPage 2000 Server Extensions 1.1 allows remote attackers to cause a denial of service in some components by requesting a URL whose name includes a standard DOS device name. CVE-2000-0710 DESCRIPTION: The shtml.exe component of Microsoft FrontPage 2000 Server Extensions 1.1 allows remote attackers to determine the physical path of the server components by requesting an invalid URL whose name includes a standard DOS device name. CVE-2000-0711 DESCRIPTION: Netscape Communicator does not properly prevent a ServerSocket object from being created by untrusted entities, which allows remote attackers to create a server on the victim's system via a malicious applet, as demonstrated by Brown Orifice. CVE-2000-0712 DESCRIPTION: Linux Intrusion Detection System (LIDS) 0.9.7 allows local users to gain root privileges when LIDS is disabled via the security=0 boot option. CVE-2000-0713 DESCRIPTION: Buffer overflow in Adobe Acrobat 4.05, Reader, Business Tools, and Fill In products that handle PDF files allows attackers to execute arbitrary commands via a long /Registry or /Ordering specifier. CVE-2000-0714 DESCRIPTION: umb-scheme 3.2-11 for Red Hat Linux is installed with world-writeable files. CVE-2000-0715 DESCRIPTION: DiskCheck script diskcheck.pl in Red Hat Linux 6.2 allows local users to create or overwrite arbitrary files via a symlink attack on a temporary file. CVE-2000-0716 DESCRIPTION: WorldClient email client in MDaemon 2.8 includes the session ID in the referer field of an HTTP request when the user clicks on a URL, which allows the visited web site to hijack the session ID and read the user's email. CVE-2000-0717 DESCRIPTION: GoodTech FTP server allows remote attackers to cause a denial of service via a large number of RNTO commands. CVE-2000-0718 DESCRIPTION: A race condition in MandrakeUpdate allows local users to modify RPM files while they are in the /tmp directory before they are installed. CVE-2000-0719 DESCRIPTION: VariCAD 7.0 is installed with world-writeable files, which allows local users to replace the VariCAD programs with a Trojan horse program. CVE-2000-0720 DESCRIPTION: news.cgi in GWScripts News Publisher does not properly authenticate requests to add an author to the author index, which allows remote attackers to add new authors by directly posting an HTTP request to the new.cgi program with an addAuthor parameter, and setting the Referer to the news.cgi program. CVE-2000-0721 DESCRIPTION: The FSserial, FlagShip_c, and FlagShip_p programs in the FlagShip package are installed world-writeable, which allows local users to replace them with Trojan horses. CVE-2000-0722 DESCRIPTION: Helix GNOME Updater helix-update 0.5 and earlier allows local users to install arbitrary RPM packages by creating the /tmp/helix-install installation directory before root has begun installing packages. CVE-2000-0723 DESCRIPTION: Helix GNOME Updater helix-update 0.5 and earlier does not properly create /tmp directories, which allows local users to create empty system configuration files such as /etc/config.d/bashrc, /etc/config.d/csh.cshrc, and /etc/rc.config. CVE-2000-0724 DESCRIPTION: The go-gnome Helix GNOME pre-installer allows local users to overwrite arbitrary files via a symlink attack on various files in /tmp, including uudecode, snarf, and some installer files. CVE-2000-0725 DESCRIPTION: Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request. CVE-2000-0726 DESCRIPTION: CGIMail.exe CGI program in Stalkerlab Mailers 1.1.2 allows remote attackers to read arbitrary files by specifying the file in the $Attach$ hidden form variable. CVE-2000-0727 DESCRIPTION: xpdf PDF viewer client earlier than 0.91 does not properly launch a web browser for embedded URL's, which allows an attacker to execute arbitrary commands via a URL that contains shell metacharacters. CVE-2000-0728 DESCRIPTION: xpdf PDF viewer client earlier than 0.91 allows local users to overwrite arbitrary files via a symlink attack. CVE-2000-0729 DESCRIPTION: FreeBSD 5.x, 4.x, and 3.x allows local users to cause a denial of service by executing a program with a malformed ELF image header. CVE-2000-0730 DESCRIPTION: Vulnerability in newgrp command in HP-UX 11.0 allows local users to gain privileges. CVE-2000-0731 DESCRIPTION: Directory traversal vulnerability in Worm HTTP server allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0732 DESCRIPTION: Worm HTTP server allows remote attackers to cause a denial of service via a long URL. CVE-2000-0733 DESCRIPTION: Telnetd telnet server in IRIX 5.2 through 6.1 does not properly cleans user-injected format strings, which allows remote attackers to execute arbitrary commands via a long RLD variable in the IAC-SB-TELOPT_ENVIRON request. CVE-2000-0734 DESCRIPTION: eEye IRIS 1.01 beta allows remote attackers to cause a denial of service via a large number of UDP connections. CVE-2000-0735 DESCRIPTION: Buffer overflow in Becky! Internet Mail client 1.26.03 and earlier allows remote attackers to cause a denial of service via a long Content-type: MIME header when the user replies to a message. CVE-2000-0736 DESCRIPTION: Buffer overflow in Becky! Internet Mail client 1.26.04 and earlier allows remote attackers to cause a denial of service via a long Content-type: MIME header when the user forwards a message. CVE-2000-0737 DESCRIPTION: The Service Control Manager (SCM) in Windows 2000 creates predictable named pipes, which allows a local user with console access to gain administrator privileges, aka the "Service Control Manager Named Pipe Impersonation" vulnerability. CVE-2000-0738 DESCRIPTION: WebShield SMTP 4.5 allows remote attackers to cause a denial of service by sending e-mail with a From: address that has a . (period) at the end, which causes WebShield to continuously send itself copies of the e-mail. CVE-2000-0739 DESCRIPTION: Directory traversal vulnerability in strong.exe program in NAI Net Tools PKI server 1.0 before HotFix 3 allows remote attackers to read arbitrary files via a .. (dot dot) attack in an HTTPS request to the enrollment server. CVE-2000-0740 DESCRIPTION: Buffer overflow in strong.exe program in NAI Net Tools PKI server 1.0 before HotFix 3 allows remote attackers to execute arbitrary commands via a long URL in the HTTPS port. CVE-2000-0741 DESCRIPTION: Format string vulnerability in strong.exe program in NAI Net Tools PKI server 1.0 before HotFix 3 allows remote attackers to execute arbitrary code via format strings in a URL with a .XUDA extension. CVE-2000-0742 DESCRIPTION: The IPX protocol implementation in Microsoft Windows 95 and 98 allows remote attackers to cause a denial of service by sending a ping packet with a source IP address that is a broadcast address, aka the "Malformed IPX Ping Packet" vulnerability. CVE-2000-0743 DESCRIPTION: Buffer overflow in University of Minnesota (UMN) gopherd 2.x allows remote attackers to execute arbitrary commands via a DES key generation request (GDESkey) that contains a long ticket value. CVE-2000-0744 DESCRIPTION: DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-2000-0743. CVE-2000-0745 DESCRIPTION: admin.php3 in PHP-Nuke does not properly verify the PHP-Nuke administrator password, which allows remote attackers to gain privileges by requesting a URL that does not specify the aid or pwd parameter. CVE-2000-0746 DESCRIPTION: Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against cross-site scripting (CSS) attacks. They allow a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site, aka the "IIS Cross-Site Scripting" vulnerabilities. CVE-2000-0747 DESCRIPTION: The logrotate script for OpenLDAP before 1.2.11 in Conectiva Linux sends an improper signal to the kernel log daemon (klogd) and kills it. CVE-2000-0748 DESCRIPTION: OpenLDAP 1.2.11 and earlier improperly installs the ud binary with group write permissions, which could allow any user in that group to replace the binary with a Trojan horse. CVE-2000-0749 DESCRIPTION: Buffer overflow in the Linux binary compatibility module in FreeBSD 3.x through 5.x allows local users to gain root privileges via long filenames in the linux shadow file system. CVE-2000-0750 DESCRIPTION: Buffer overflow in mopd (Maintenance Operations Protocol loader daemon) allows remote attackers to execute arbitrary commands via a long file name. CVE-2000-0751 DESCRIPTION: mopd (Maintenance Operations Protocol loader daemon) does not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands. CVE-2000-0752 DESCRIPTION: Buffer overflows in brouted in FreeBSD and possibly other OSes allows local users to gain root privileges via long command line arguments. CVE-2000-0753 DESCRIPTION: The Microsoft Outlook mail client identifies the physical path of the sender's machine within a winmail.dat attachment to Rich Text Format (RTF) files. CVE-2000-0754 DESCRIPTION: Vulnerability in HP OpenView Network Node Manager (NMM) version 6.1 related to passwords. CVE-2000-0755 DESCRIPTION: Vulnerability in the newgrp command in HP-UX 11.00 allows local users to gain privileges. CVE-2000-0756 DESCRIPTION: Microsoft Outlook 2000 does not properly process long or malformed fields in vCard (.vcf) files, which allows attackers to cause a denial of service. CVE-2000-0757 DESCRIPTION: The sysgen service in Aptis Totalbill does not perform authentication, which allows remote attackers to gain root privileges by connecting to the service and specifying the commands to be executed. CVE-2000-0758 DESCRIPTION: The web interface for Lyris List Manager 3 and 4 allows list subscribers to obtain administrative access by modifying the value of the list_admin hidden form field. CVE-2000-0759 DESCRIPTION: Jakarta Tomcat 3.1 under Apache reveals physical path information when a remote attacker requests a URL that does not exist, which generates an error message that includes the physical path. CVE-2000-0760 DESCRIPTION: The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension. CVE-2000-0761 DESCRIPTION: OS2/Warp 4.5 FTP server allows remote attackers to cause a denial of service via a long username. CVE-2000-0762 DESCRIPTION: The default installation of eTrust Access Control (formerly SeOS) uses a default encryption key, which allows remote attackers to spoof the eTrust administrator and gain privileges. CVE-2000-0763 DESCRIPTION: xlockmore and xlockf do not properly cleanse user-injected format strings, which allows local users to gain root privileges via the -d option. CVE-2000-0764 DESCRIPTION: Intel Express 500 series switches allow a remote attacker to cause a denial of service via a malformed IP packet. CVE-2000-0765 DESCRIPTION: Buffer overflow in the HTML interpreter in Microsoft Office 2000 allows an attacker to execute arbitrary commands via a long embedded object tag, aka the "Microsoft Office HTML Object Tag" vulnerability. CVE-2000-0766 DESCRIPTION: Buffer overflow in vqSoft vqServer 1.4.49 allows remote attackers to cause a denial of service or possibly gain privileges via a long HTTP GET request. CVE-2000-0767 DESCRIPTION: The ActiveX control for invoking a scriptlet in Internet Explorer 4.x and 5.x renders arbitrary file types instead of HTML, which allows an attacker to read arbitrary files, aka the "Scriptlet Rendering" vulnerability. CVE-2000-0768 DESCRIPTION: A function in Internet Explorer 4.x and 5.x does not properly verify the domain of a frame within a browser window, which allows a remote attacker to read client files, aka a variant of the "Frame Domain Verification" vulnerability. CVE-2000-0769 DESCRIPTION: O'Reilly WebSite Pro 2.3.7 installs the uploader.exe program with execute permissions for all users, which allows remote attackers to create and execute arbitrary files by directly calling uploader.exe. CVE-2000-0770 DESCRIPTION: IIS 4.0 and 5.0 does not properly restrict access to certain types of files when their parent folders have less restrictive permissions, which could allow remote attackers to bypass access restrictions to some files, aka the "File Permission Canonicalization" vulnerability. CVE-2000-0771 DESCRIPTION: Microsoft Windows 2000 allows local users to cause a denial of service by corrupting the local security policy via malformed RPC traffic, aka the "Local Security Policy Corruption" vulnerability. CVE-2000-0772 DESCRIPTION: The installation of Tumbleweed Messaging Management System (MMS) 4.6 and earlier (formerly Worldtalk Worldsecure) creates a default account "sa" with no password. CVE-2000-0773 DESCRIPTION: Bajie HTTP web server 0.30a allows remote attackers to read arbitrary files via a URL that contains a "....", a variant of the dot dot directory traversal attack. CVE-2000-0774 DESCRIPTION: The sample Java servlet "test" in Bajie HTTP web server 0.30a reveals the real pathname of the web document root. CVE-2000-0775 DESCRIPTION: Buffer overflow in RobTex Viking server earlier than 1.06-370 allows remote attackers to cause a denial of service or execute arbitrary commands via a long HTTP GET request, or long Unless-Modified-Since, If-Range, or If-Modified-Since headers. CVE-2000-0776 DESCRIPTION: Mediahouse Statistics Server 5.02x allows remote attackers to execute arbitrary commands via a long HTTP GET request. CVE-2000-0777 DESCRIPTION: The password protection feature of Microsoft Money can store the password in plaintext, which allows attackers with physical access to the system to obtain the password, aka the "Money Password" vulnerability. CVE-2000-0778 DESCRIPTION: IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability. CVE-2000-0779 DESCRIPTION: Checkpoint Firewall-1 with the RSH/REXEC setting enabled allows remote attackers to bypass access restrictions and connect to a RSH/REXEC client via malformed connection requests. CVE-2000-0780 DESCRIPTION: The web server in IPSWITCH IMail 6.04 and earlier allows remote attackers to read and delete arbitrary files via a .. (dot dot) attack. CVE-2000-0781 DESCRIPTION: uagentsetup in ARCServeIT Client Agent 6.62 does not properly check for the existence or ownership of a temporary file which is moved to the agent.cfg configuration file, which allows local users to execute arbitrary commands by modifying the temporary file before it is moved. CVE-2000-0782 DESCRIPTION: netauth.cgi program in Netwin Netauth 4.2e and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0783 DESCRIPTION: Watchguard Firebox II allows remote attackers to cause a denial of service by sending a malformed URL to the authentication service on port 4100. CVE-2000-0784 DESCRIPTION: sshd program in the Rapidstream 2.1 Beta VPN appliance has a hard-coded "rsadmin" account with a null password, which allows remote attackers to execute arbitrary commands via ssh. CVE-2000-0785 DESCRIPTION: WircSrv IRC Server 5.07s allows IRC operators to read arbitrary files via the importmotd command, which sets the Message of the Day (MOTD) to the specified file. CVE-2000-0786 DESCRIPTION: GNU userv 1.0.0 and earlier does not properly perform file descriptor swapping, which can corrupt the USERV_GROUPS and USERV_GIDS environmental variables and allow local users to bypass some access restrictions. CVE-2000-0787 DESCRIPTION: IRC Xchat client versions 1.4.2 and earlier allows remote attackers to execute arbitrary commands by encoding shell metacharacters into a URL which XChat uses to launch a web browser. CVE-2000-0788 DESCRIPTION: The Mail Merge tool in Microsoft Word does not prompt the user before executing Visual Basic (VBA) scripts in an Access database, which could allow an attacker to execute arbitrary commands. CVE-2000-0789 DESCRIPTION: WinU 5.x and earlier uses weak encryption to store its configuration password, which allows local users to decrypt the password and gain privileges. CVE-2000-0790 DESCRIPTION: The web-based folder display capability in Microsoft Internet Explorer 5.5 on Windows 98 allows local users to insert Trojan horse programs by modifying the Folder.htt file and using the InvokeVerb method in the ShellDefView ActiveX control to specify a default execute option for the first file that is listed in the folder. CVE-2000-0791 DESCRIPTION: Trustix installs the httpsd program for Apache-SSL with world-writeable permissions, which allows local users to replace it with a Trojan horse. CVE-2000-0792 DESCRIPTION: Gnome Lokkit firewall package before 0.41 does not properly restrict access to some ports, even if a user does not make any services available. CVE-2000-0793 DESCRIPTION: Norton AntiVirus 5.00.01C with the Novell Netware client does not properly restart the auto-protection service after the first user has logged off of the system. CVE-2000-0794 DESCRIPTION: Buffer overflow in IRIX libgl.so library allows local users to gain root privileges via a long HOME variable to programs such as (1) gmemusage and (2) gr_osview. CVE-2000-0795 DESCRIPTION: Buffer overflow in lpstat in IRIX 6.2 and 6.3 allows local users to gain root privileges via a long -n option. CVE-2000-0796 DESCRIPTION: Buffer overflow in dmplay in IRIX 6.2 and 6.3 allows local users to gain root privileges via a long command line option. CVE-2000-0797 DESCRIPTION: Buffer overflow in gr_osview in IRIX 6.2 and 6.3 allows local users to gain privileges via a long -D option. CVE-2000-0798 DESCRIPTION: The truncate function in IRIX 6.x does not properly check for privileges when the file is in the xfs file system, which allows local users to delete the contents of arbitrary files. CVE-2000-0799 DESCRIPTION: inpview in InPerson in SGI IRIX 5.3 through IRIX 6.5.10 allows local users to gain privileges via a symlink attack on the .ilmpAAA temporary file. CVE-2000-0800 DESCRIPTION: String parsing error in rpc.kstatd in the linuxnfs or knfsd packages in SuSE and possibly other Linux systems allows remote attackers to gain root privileges. CVE-2000-0801 DESCRIPTION: Buffer overflow in bdf program in HP-UX 11.00 may allow local users to gain root privileges via a long -t option. CVE-2000-0802 DESCRIPTION: The BAIR program does not properly restrict access to the Internet Explorer Internet options menu, which allows local users to obtain access to the menu by modifying the registry key that starts BAIR. CVE-2000-0803 DESCRIPTION: GNU Groff uses the current working directory to find a device description file, which allows a local user to gain additional privileges by including a malicious postpro directive in the description file, which is executed when another user runs groff. CVE-2000-0804 DESCRIPTION: Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to bypass the directionality check via fragmented TCP connection requests or reopening closed TCP connection requests, aka "One-way Connection Enforcement Bypass." CVE-2000-0805 DESCRIPTION: Check Point VPN-1/FireWall-1 4.1 and earlier improperly retransmits encapsulated FWS packets, even if they do not come from a valid FWZ client, aka "Retransmission of Encapsulated Packets." CVE-2000-0806 DESCRIPTION: The inter-module authentication mechanism (fwa1) in Check Point VPN-1/FireWall-1 4.1 and earlier may allow remote attackers to conduct a denial of service, aka "Inter-module Communications Bypass." CVE-2000-0807 DESCRIPTION: The OPSEC communications authentication mechanism (fwn1) in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to spoof connections, aka the "OPSEC Authentication Vulnerability." CVE-2000-0808 DESCRIPTION: The seed generation mechanism in the inter-module S/Key authentication mechanism in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to bypass authentication via a brute force attack, aka "One-time (s/key) Password Authentication." CVE-2000-0809 DESCRIPTION: Buffer overflow in Getkey in the protocol checker in the inter-module communication mechanism in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to cause a denial of service. CVE-2000-0810 DESCRIPTION: Auction Weaver 1.0 through 1.04 does not properly validate the names of form fields, which allows remote attackers to delete arbitrary files and directories via a .. (dot dot) attack. CVE-2000-0811 DESCRIPTION: Auction Weaver 1.0 through 1.04 allows remote attackers to read arbitrary files via a .. (dot dot) attack on the username or bidfile form fields. CVE-2000-0812 DESCRIPTION: The administration module in Sun Java web server allows remote attackers to execute arbitrary commands by uploading Java code to the module and invoke the com.sun.server.http.pagecompile.jsp92.JspServlet by requesting a URL that begins with a /servlet/ tag. CVE-2000-0813 DESCRIPTION: Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to redirect FTP connections to other servers ("FTP Bounce") via invalid FTP commands that are processed improperly by FireWall-1, aka "FTP Connection Enforcement Bypass." CVE-2000-0816 DESCRIPTION: Linux tmpwatch --fuser option allows local users to execute arbitrary commands by creating files whose names contain shell metacharacters. CVE-2000-0817 DESCRIPTION: Buffer overflow in the HTTP protocol parser for Microsoft Network Monitor (Netmon) allows remote attackers to execute arbitrary commands via malformed data, aka the "Netmon Protocol Parsing" vulnerability. CVE-2000-0818 DESCRIPTION: The default installation for the Oracle listener program 7.3.4, 8.0.6, and 8.1.6 allows an attacker to cause logging information to be appended to arbitrary files and execute commands via the SET TRC_FILE or SET LOG_FILE commands. CVE-2000-0824 DESCRIPTION: The unsetenv function in glibc 2.1.1 does not properly unset an environmental variable if the variable is provided twice to a program, which could allow local users to execute arbitrary commands in setuid programs by specifying their own duplicate environmental variables such as LD_PRELOAD or LD_LIBRARY_PATH. CVE-2000-0825 DESCRIPTION: Ipswitch Imail 6.0 allows remote attackers to cause a denial of service via a large number of connections in which a long Host: header is sent, which causes a thread to crash. CVE-2000-0826 DESCRIPTION: Buffer overflow in ddicgi.exe program in Mobius DocumentDirect for the Internet 1.2 allows remote attackers to execute arbitrary commands via a long GET request. CVE-2000-0827 DESCRIPTION: Buffer overflow in the web authorization form of Mobius DocumentDirect for the Internet 1.2 allows remote attackers to cause a denial of service or execute arbitrary commands via a long username. CVE-2000-0828 DESCRIPTION: Buffer overflow in ddicgi.exe in Mobius DocumentDirect for the Internet 1.2 allows remote attackers to execute arbitrary commands via a long User-Agent parameter. CVE-2000-0829 DESCRIPTION: The tmpwatch utility in Red Hat Linux forks a new process for each directory level, which allows local users to cause a denial of service by creating deeply nested directories in /tmp or /var/tmp/. CVE-2000-0830 DESCRIPTION: annclist.exe in webTV for Windows allows remote attackers to cause a denial of service by via a large, malformed UDP packet to ports 22701 through 22705. CVE-2000-0831 DESCRIPTION: Buffer overflow in Fastream FTP++ 2.0 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long username. CVE-2000-0832 DESCRIPTION: Htgrep CGI program allows remote attackers to read arbitrary files by specifying the full pathname in the hdr parameter. CVE-2000-0833 DESCRIPTION: Buffer overflow in WinSMTP 1.06f and 2.X allows remote attackers to cause a denial of service via a long (1) USER or (2) HELO command. CVE-2000-0834 DESCRIPTION: The Windows 2000 telnet client attempts to perform NTLM authentication by default, which allows remote attackers to capture and replay the NTLM challenge/response via a telnet:// URL that points to the malicious server, aka the "Windows 2000 Telnet Client NTLM Authentication" vulnerability. CVE-2000-0835 DESCRIPTION: search.dll Sambar ISAPI Search utility in Sambar Server 4.4 Beta 3 allows remote attackers to read arbitrary directories by specifying the directory in the query parameter. CVE-2000-0836 DESCRIPTION: Buffer overflow in CamShot WebCam Trial2.6 allows remote attackers to execute arbitrary commands via a long Authorization header. CVE-2000-0837 DESCRIPTION: FTP Serv-U 2.5e allows remote attackers to cause a denial of service by sending a large number of null bytes. CVE-2000-0838 DESCRIPTION: Fastream FUR HTTP server 1.0b allows remote attackers to cause a denial of service via a long GET request. CVE-2000-0839 DESCRIPTION: WinCOM LPD 1.00.90 allows remote attackers to cause a denial of service via a large number of LPD options to the LPD port (515). CVE-2000-0840 DESCRIPTION: Buffer overflow in XMail POP3 server before version 0.59 allows remote attackers to execute arbitrary commands via a long USER command. CVE-2000-0841 DESCRIPTION: Buffer overflow in XMail POP3 server before version 0.59 allows remote attackers to execute arbitrary commands via a long APOP command. CVE-2000-0842 DESCRIPTION: The search97cgi/vtopic" in the UnixWare 7 scohelphttp webserver allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0843 DESCRIPTION: Buffer overflow in pam_smb and pam_ntdom pluggable authentication modules (PAM) allow remote attackers to execute arbitrary commands via a login with a long user name. CVE-2000-0844 DESCRIPTION: Some functions that implement the locale subsystem on Unix do not properly cleanse user-injected format strings, which allows local attackers to execute arbitrary commands via functions such as gettext and catopen. CVE-2000-0845 DESCRIPTION: kdebug daemon (kdebugd) in Digital Unix 4.0F allows remote attackers to read arbitrary files by specifying the full file name in the initialization packet. CVE-2000-0846 DESCRIPTION: Buffer overflow in Darxite 0.4 and earlier allows a remote attacker to execute arbitrary commands via a long username or password. CVE-2000-0847 DESCRIPTION: Buffer overflow in University of Washington c-client library (used by pine and other programs) allows remote attackers to execute arbitrary commands via a long X-Keywords header. CVE-2000-0848 DESCRIPTION: Buffer overflow in IBM WebSphere web application server (WAS) allows remote attackers to execute arbitrary commands via a long Host: request header. CVE-2000-0849 DESCRIPTION: Race condition in Microsoft Windows Media server allows remote attackers to cause a denial of service in the Windows Media Unicast Service via a malformed request, aka the "Unicast Service Race Condition" vulnerability. CVE-2000-0850 DESCRIPTION: Netegrity SiteMinder before 4.11 allows remote attackers to bypass its authentication mechanism by appending "$/FILENAME.ext" (where ext is .ccc, .class, or .jpg) to the requested URL. CVE-2000-0851 DESCRIPTION: Buffer overflow in the Still Image Service in Windows 2000 allows local users to gain additional privileges via a long WM_USER message, aka the "Still Image Service Privilege Escalation" vulnerability. CVE-2000-0852 DESCRIPTION: Multiple buffer overflows in eject on FreeBSD and possibly other OSes allows local users to gain root privileges. CVE-2000-0853 DESCRIPTION: YaBB Bulletin Board 9.1.2000 allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0854 DESCRIPTION: When a Microsoft Office 2000 document is launched, the directory of that document is first used to locate DLL's such as riched20.dll and msi.dll, which could allow an attacker to execute arbitrary commands by inserting a Trojan Horse DLL into the same directory as the document. CVE-2000-0855 DESCRIPTION: SunFTP build 9(1) allows remote attackers to cause a denial of service by connecting to the server and disconnecting before sending a newline. CVE-2000-0856 DESCRIPTION: Buffer overflow in SunFTP build 9(1) allows remote attackers to cause a denial of service or possibly execute arbitrary commands via a long GET request. CVE-2000-0857 DESCRIPTION: The logging capability in muh 2.05d IRC server does not properly cleanse user-injected format strings, which allows remote attackers to cause a denial of service or execute arbitrary commands via a malformed nickname. CVE-2000-0858 DESCRIPTION: Vulnerability in Microsoft Windows NT 4.0 allows remote attackers to cause a denial of service in IIS by sending it a series of malformed requests which cause INETINFO.EXE to fail, aka the "Invalid URL" vulnerability. CVE-2000-0859 DESCRIPTION: The web configuration server for NTMail V5 and V6 allows remote attackers to cause a denial of service via a series of partial HTTP requests. CVE-2000-0860 DESCRIPTION: The file upload capability in PHP versions 3 and 4 allows remote attackers to read arbitrary files by setting hidden form fields whose names match the names of internal PHP script variables. CVE-2000-0861 DESCRIPTION: Mailman 1.1 allows list administrators to execute arbitrary commands via shell metacharacters in the %(listname) macro expansion. CVE-2000-0862 DESCRIPTION: Vulnerability in an administrative interface utility for Allaire Spectra 1.0.1 allows remote attackers to read and modify sensitive configuration information. CVE-2000-0863 DESCRIPTION: Buffer overflow in listmanager earlier than 2.105.1 allows local users to gain additional privileges. CVE-2000-0864 DESCRIPTION: Race condition in the creation of a Unix domain socket in GNOME esound 0.2.19 and earlier allows a local user to change the permissions of arbitrary files and directories, and gain additional privileges, via a symlink attack. CVE-2000-0865 DESCRIPTION: Buffer overflow in dvtermtype in Tridia Double Vision 3.07.00 allows local users to gain root privileges via a long terminal type argument. CVE-2000-0866 DESCRIPTION: Interbase 6 SuperServer for Linux allows an attacker to cause a denial of service via a query containing 0 bytes. CVE-2000-0867 DESCRIPTION: Kernel logging daemon (klogd) in Linux does not properly cleanse user-injected format strings, which allows local users to gain root privileges by triggering malformed kernel messages. CVE-2000-0868 DESCRIPTION: The default configuration of Apache 1.3.12 in SuSE Linux 6.4 allows remote attackers to read source code for CGI scripts by replacing the /cgi-bin/ in the requested URL with /cgi-bin-sdb/. CVE-2000-0869 DESCRIPTION: The default configuration of Apache 1.3.12 in SuSE Linux 6.4 enables WebDAV, which allows remote attackers to list arbitrary directories via the PROPFIND HTTP request method. CVE-2000-0870 DESCRIPTION: Buffer overflow in EFTP allows remote attackers to cause a denial of service via a long string. CVE-2000-0871 DESCRIPTION: Buffer overflow in EFTP allows remote attackers to cause a denial of service by sending a string that does not contain a newline, then disconnecting from the server. CVE-2000-0872 DESCRIPTION: explorer.php in PhotoAlbum 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0873 DESCRIPTION: netstat in AIX 4.x.x does not properly restrict access to the -Zi option, which allows local users to clear network interface statistics and possibly hide evidence of unusual network activities. CVE-2000-0874 DESCRIPTION: Eudora mail client includes the absolute path of the sender's host within a virtual card (VCF). CVE-2000-0875 DESCRIPTION: WFTPD and WFTPD Pro 2.41 RC12 allows remote attackers to cause a denial of service by sending a long string of unprintable characters. CVE-2000-0876 DESCRIPTION: WFTPD and WFTPD Pro 2.41 RC12 allows remote attackers to obtain the full pathname of the server via a "%C" command, which generates an error message that includes the pathname. CVE-2000-0877 DESCRIPTION: mailform.pl CGI script in MailForm 2.0 allows remote attackers to read arbitrary files by specifying the file name in the XX-attach_file parameter, which MailForm then sends to the attacker. CVE-2000-0878 DESCRIPTION: The mailto CGI script allows remote attacker to execute arbitrary commands via shell metacharacters in the emailadd form field. CVE-2000-0879 DESCRIPTION: LPPlus programs dccsched, dcclpdser, dccbkst, dccshut, dcclpdshut, and dccbkstshut are installed setuid root and world executable, which allows arbitrary local users to start and stop various LPD services. CVE-2000-0880 DESCRIPTION: LPPlus creates the lpdprocess file with world-writeable permissions, which allows local users to kill arbitrary processes by specifying an alternate process ID and using the setuid dcclpdshut program to kill the process that was specified in the lpdprocess file. CVE-2000-0881 DESCRIPTION: The dccscan setuid program in LPPlus does not properly check if the user has the permissions to print the file that is specified to dccscan, which allows local users to print arbitrary files. CVE-2000-0882 DESCRIPTION: Intel Express 500 series switches allow a remote attacker to cause a denial of service via a malformed ICMP packet, which causes the CPU to crash. CVE-2000-0883 DESCRIPTION: The default configuration of mod_perl for Apache as installed on Mandrake Linux 6.1 through 7.1 sets the /perl/ directory to be browseable, which allows remote attackers to list the contents of that directory. CVE-2000-0884 DESCRIPTION: IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. CVE-2000-0885 DESCRIPTION: Buffer overflows in Microsoft Network Monitor (Netmon) allow remote attackers to execute arbitrary commands via a long Browser Name in a CIFS Browse Frame, a long SNMP community name, or a long username or filename in an SMB session, aka the "Netmon Protocol Parsing" vulnerability. NOTE: It is highly likely that this candidate will be split into multiple candidates. CVE-2000-0886 DESCRIPTION: IIS 5.0 allows remote attackers to execute arbitrary commands via a malformed request for an executable file whose name is appended with operating system commands, aka the "Web Server File Request Parsing" vulnerability. CVE-2000-0887 DESCRIPTION: named in BIND 8.2 through 8.2.2-P6 allows remote attackers to cause a denial of service by making a compressed zone transfer (ZXFR) request and performing a name service query on an authoritative record that is not cached, aka the "zxfr bug." CVE-2000-0888 DESCRIPTION: named in BIND 8.2 through 8.2.2-P6 allows remote attackers to cause a denial of service by sending an SRV record to the server, aka the "srv bug." CVE-2000-0889 DESCRIPTION: Two Sun security certificates have been compromised, which could allow attackers to insert malicious code such as applets and make it appear that it is signed by Sun. CVE-2000-0890 DESCRIPTION: periodic in FreeBSD 4.1.1 and earlier, and possibly other operating systems, allows local users to overwrite arbitrary files via a symlink attack. CVE-2000-0891 DESCRIPTION: A default ECL in Lotus Notes before 5.02 allows remote attackers to execute arbitrary commands by attaching a malicious program in an email message that is automatically executed when the user opens the email. CVE-2000-0892 DESCRIPTION: Some telnet clients allow remote telnet servers to request environment variables from the client that may contain sensitive information, or remote web servers to obtain the information via a telnet: URL. CVE-2000-0893 DESCRIPTION: The presence of the Distributed GL Daemon (dgld) service on port 5232 on SGI IRIX systems allows remote attackers to identify the target host as an SGI system. CVE-2000-0894 DESCRIPTION: HTTP server on the WatchGuard SOHO firewall does not properly restrict access to administrative functions such as password resets or rebooting, which allows attackers to cause a denial of service or conduct unauthorized activities. CVE-2000-0895 DESCRIPTION: Buffer overflow in HTTP server on the WatchGuard SOHO firewall allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long GET request. CVE-2000-0896 DESCRIPTION: WatchGuard SOHO firewall allows remote attackers to cause a denial of service via a flood of fragmented IP packets, which causes the firewall to drop connections and stop forwarding packets. CVE-2000-0897 DESCRIPTION: Small HTTP Server 2.03 and earlier allows remote attackers to cause a denial of service by repeatedly requesting a URL that references a directory that does not contain an index.html file, which consumes memory that is not released after the request is completed. CVE-2000-0898 DESCRIPTION: Small HTTP Server 2.01 does not properly process Server Side Includes (SSI) tags that contain null values, which allows local users, and possibly remote attackers, to cause the server to crash by inserting the SSI into an HTML file. CVE-2000-0899 DESCRIPTION: Small HTTP Server 2.01 allows remote attackers to cause a denial of service by connecting to the server and sending out multiple GET, HEAD, or POST requests and closing the connection before the server responds to the requests. CVE-2000-0900 DESCRIPTION: Directory traversal vulnerability in ssi CGI program in thttpd 2.19 and earlier allows remote attackers to read arbitrary files via a "%2e%2e" string, a variation of the .. (dot dot) attack. CVE-2000-0901 DESCRIPTION: Format string vulnerability in screen 3.9.5 and earlier allows local users to gain root privileges via format characters in the vbell_msg initialization variable. CVE-2000-0902 DESCRIPTION: getalbum.php in PhotoAlbum before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0903 DESCRIPTION: Directory traversal vulnerability in Voyager web server 2.01B in the demo disks for QNX 405 allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0904 DESCRIPTION: Voyager web server 2.01B in the demo disks for QNX 405 stores sensitive web client information in the .photon directory in the web document root, which allows remote attackers to obtain that information. CVE-2000-0905 DESCRIPTION: QNX Embedded Resource Manager in Voyager web server 2.01B in the demo disks for QNX 405 allows remote attackers to read sensitive system statistics information via the embedded.html web page. CVE-2000-0906 DESCRIPTION: Directory traversal vulnerability in Moreover.com cached_feed.cgi script version 4.July.00 allows remote attackers to read arbitrary files via a .. (dot dot) attack on the category or format parameters. CVE-2000-0907 DESCRIPTION: EServ 2.92 Build 2982 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via long HELO and MAIL FROM commands. CVE-2000-0908 DESCRIPTION: BrowseGate 2.80 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via long Authorization or Referer MIME headers in the HTTP request. CVE-2000-0909 DESCRIPTION: Buffer overflow in the automatic mail checking component of Pine 4.21 and earlier allows remote attackers to execute arbitrary commands via a long From: header. CVE-2000-0910 DESCRIPTION: Horde library 1.02 allows attackers to execute arbitrary commands via shell metacharacters in the "from" address. CVE-2000-0911 DESCRIPTION: IMP 2.2 and earlier allows attackers to read and delete arbitrary files by modifying the attachment_name hidden form variable, which causes IMP to send the file to the attacker as an attachment. CVE-2000-0912 DESCRIPTION: MultiHTML CGI script allows remote attackers to read arbitrary files and possibly execute arbitrary commands by specifying the file name to the "multi" parameter. CVE-2000-0913 DESCRIPTION: mod_rewrite in Apache 1.3.12 and earlier allows remote attackers to read arbitrary files if a RewriteRule directive is expanded to include a filename whose name contains a regular expression. CVE-2000-0914 DESCRIPTION: OpenBSD 2.6 and earlier allows remote attackers to cause a denial of service by flooding the server with ARP requests. CVE-2000-0915 DESCRIPTION: fingerd in FreeBSD 4.1.1 allows remote attackers to read arbitrary files by specifying the target file name instead of a regular user name. CVE-2000-0916 DESCRIPTION: FreeBSD 4.1.1 and earlier, and possibly other BSD-based OSes, uses an insufficient random number generator to generate initial TCP sequence numbers (ISN), which allows remote attackers to spoof TCP connections. CVE-2000-0917 DESCRIPTION: Format string vulnerability in use_syslog() function in LPRng 3.6.24 allows remote attackers to execute arbitrary commands. CVE-2000-0918 DESCRIPTION: Format string vulnerability in kvt in KDE 1.1.2 may allow local users to execute arbitrary commands via a DISPLAY environmental variable that contains formatting characters. CVE-2000-0919 DESCRIPTION: Directory traversal vulnerability in PHPix Photo Album 1.0.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0920 DESCRIPTION: Directory traversal vulnerability in BOA web server 0.94.8.2 and earlier allows remote attackers to read arbitrary files via a modified .. (dot dot) attack in the GET HTTP request that uses a "%2E" instead of a "." CVE-2000-0921 DESCRIPTION: Directory traversal vulnerability in Hassan Consulting shop.cgi shopping cart program allows remote attackers to read arbitrary files via a .. (dot dot) attack on the page parameter. CVE-2000-0922 DESCRIPTION: Directory traversal vulnerability in Bytes Interactive Web Shopper shopping cart program (shopper.cgi) 2.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack on the newpage parameter. CVE-2000-0923 DESCRIPTION: authenticate.cgi CGI program in Aplio PRO allows remote attackers to execute arbitrary commands via shell metacharacters in the password parameter. CVE-2000-0924 DESCRIPTION: Directory traversal vulnerability in search.cgi CGI script in Armada Master Index allows remote attackers to read arbitrary files via a .. (dot dot) attack in the "catigory" parameter. CVE-2000-0925 DESCRIPTION: The default installation of SmartWin CyberOffice Shopping Cart 2 (aka CyberShop) installs the _private directory with world readable permissions, which allows remote attackers to obtain sensitive information. CVE-2000-0926 DESCRIPTION: SmartWin CyberOffice Shopping Cart 2 (aka CyberShop) allows remote attackers to modify price information by changing the "Price" hidden form variable. CVE-2000-0927 DESCRIPTION: WQuinn QuotaAdvisor 4.1 does not properly record file sizes if they are stored in alternative data streams, which allows users to bypass quota restrictions. CVE-2000-0928 DESCRIPTION: WQuinn QuotaAdvisor 4.1 allows users to list directories and files by running a report on the targeted shares. CVE-2000-0929 DESCRIPTION: Microsoft Windows Media Player 7 allows attackers to cause a denial of service in RTF-enabled email clients via an embedded OCX control that is not closed properly, aka the "OCX Attachment" vulnerability. CVE-2000-0930 DESCRIPTION: Pegasus Mail 3.12 allows remote attackers to read arbitrary files via an embedded URL that calls the mailto: protocol with a -F switch. CVE-2000-0931 DESCRIPTION: Buffer overflow in Pegasus Mail 3.11 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long email message containing binary data. CVE-2000-0932 DESCRIPTION: MAILsweeper for SMTP 3.x does not properly handle corrupt CDA documents in a ZIP file and hangs, which allows remote attackers to cause a denial of service. CVE-2000-0933 DESCRIPTION: The Input Method Editor (IME) in the Simplified Chinese version of Windows 2000 does not disable access to privileged functionality that should normally be restricted, which allows local users to gain privileges, aka the "Simplified Chinese IME State Recognition" vulnerability. CVE-2000-0934 DESCRIPTION: Glint in Red Hat Linux 5.2 allows local users to overwrite arbitrary files and cause a denial of service via a symlink attack. CVE-2000-0935 DESCRIPTION: Samba Web Administration Tool (SWAT) in Samba 2.0.7 allows local users to overwrite arbitrary files via a symlink attack on the cgi.log file. CVE-2000-0936 DESCRIPTION: Samba Web Administration Tool (SWAT) in Samba 2.0.7 installs the cgi.log logging file with world readable permissions, which allows local users to read sensitive information such as user names and passwords. CVE-2000-0937 DESCRIPTION: Samba Web Administration Tool (SWAT) in Samba 2.0.7 does not log login attempts in which the username is correct but the password is wrong, which allows remote attackers to conduct brute force password guessing attacks. CVE-2000-0938 DESCRIPTION: Samba Web Administration Tool (SWAT) in Samba 2.0.7 supplies a different error message when a valid username is provided versus an invalid name, which allows remote attackers to identify valid users on the server. CVE-2000-0939 DESCRIPTION: Samba Web Administration Tool (SWAT) in Samba 2.0.7 allows remote attackers to cause a denial of service by repeatedly submitting a nonstandard URL in the GET HTTP request and forcing it to restart. CVE-2000-0940 DESCRIPTION: Directory traversal vulnerability in Metertek pagelog.cgi allows remote attackers to read arbitrary files via a .. (dot dot) attack on the "name" or "display" parameter. CVE-2000-0941 DESCRIPTION: Kootenay Web KW Whois 1.0 CGI program allows remote attackers to execute arbitrary commands via shell metacharacters in the "whois" parameter. CVE-2000-0942 DESCRIPTION: The CiWebHitsFile component in Microsoft Indexing Services for Windows 2000 allows remote attackers to conduct a cross site scripting (CSS) attack via a CiRestriction parameter in a .htw request, aka the "Indexing Services Cross Site Scripting" vulnerability. CVE-2000-0943 DESCRIPTION: Buffer overflow in bftp daemon (bftpd) 1.0.11 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long USER command. CVE-2000-0944 DESCRIPTION: CGI Script Center News Update 1.1 does not properly validate the original news administration password during a password change operation, which allows remote attackers to modify the password without knowing the original password. CVE-2000-0945 DESCRIPTION: The web configuration interface for Catalyst 3500 XL switches allows remote attackers to execute arbitrary commands without authentication when the enable password is not set, via a URL containing the /exec/ directory. CVE-2000-0946 DESCRIPTION: Compaq Easy Access Keyboard software 1.3 does not properly disable access to custom buttons when the screen is locked, which could allow an attacker to gain privileges or execute programs without authorization. CVE-2000-0947 DESCRIPTION: Format string vulnerability in cfd daemon in GNU CFEngine before 1.6.0a11 allows attackers to execute arbitrary commands via format characters in the CAUTH command. CVE-2000-0948 DESCRIPTION: GnoRPM before 0.95 allows local users to modify arbitrary files via a symlink attack. CVE-2000-0949 DESCRIPTION: Heap overflow in savestr function in LBNL traceroute 1.4a5 and earlier allows a local user to execute arbitrary commands via the -g option. CVE-2000-0950 DESCRIPTION: Format string vulnerability in x-gw in TIS Firewall Toolkit (FWTK) allows local users to execute arbitrary commands via a malformed display name. CVE-2000-0951 DESCRIPTION: A misconfiguration in IIS 5.0 with Index Server enabled and the Index property set allows remote attackers to list directories in the web root via a Web Distributed Authoring and Versioning (WebDAV) search. CVE-2000-0952 DESCRIPTION: global.cgi CGI program in Global 3.55 and earlier on NetBSD allows remote attackers to execute arbitrary commands via shell metacharacters. CVE-2000-0953 DESCRIPTION: Shambala Server 4.5 allows remote attackers to cause a denial of service by opening then closing a connection. CVE-2000-0954 DESCRIPTION: Shambala Server 4.5 stores passwords in plaintext, which could allow local users to obtain the passwords and compromise the server. CVE-2000-0955 DESCRIPTION: Cisco Virtual Central Office 4000 (VCO/4K) uses weak encryption to store usernames and passwords in the SNMP MIB, which allows an attacker who knows the community name to crack the password and gain privileges. CVE-2000-0956 DESCRIPTION: cyrus-sasl before 1.5.24 in Red Hat Linux 7.0 does not properly verify the authorization for a local user, which could allow the users to bypass specified access restrictions. CVE-2000-0957 DESCRIPTION: The pluggable authentication module for mysql (pam_mysql) before 0.4.7 does not properly cleanse user input when constructing SQL statements, which allows attackers to obtain plaintext passwords or hashes. CVE-2000-0958 DESCRIPTION: HotJava Browser 3.0 allows remote attackers to access the DOM of a web page by opening a javascript: URL in a named window. CVE-2000-0959 DESCRIPTION: glibc2 does not properly clear the LD_DEBUG_OUTPUT and LD_DEBUG environmental variables when a program is spawned from a setuid program, which could allow local users to overwrite files via a symlink attack. CVE-2000-0960 DESCRIPTION: The POP3 server in Netscape Messaging Server 4.15p1 generates different error messages for incorrect user names versus incorrect passwords, which allows remote attackers to determine valid users on the system and harvest email addresses for spam abuse. CVE-2000-0961 DESCRIPTION: Buffer overflow in IMAP server in Netscape Messaging Server 4.15 Patch 2 allows local users to execute arbitrary commands via a long LIST command. CVE-2000-0962 DESCRIPTION: The IPSEC implementation in OpenBSD 2.7 does not properly handle empty AH/ESP packets, which allows remote attackers to cause a denial of service. CVE-2000-0963 DESCRIPTION: Buffer overflow in ncurses library allows local users to execute arbitrary commands via long environmental information such as TERM or TERMINFO_DIRS. CVE-2000-0964 DESCRIPTION: Buffer overflow in the web administration service for the HiNet LP5100 IP-phone allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long GET request. CVE-2000-0965 DESCRIPTION: The NSAPI plugins for TGA and the Java Servlet proxy in HP-UX VVOS 10.24 and 11.04 allows an attacker to cause a denial of service (high CPU utilization). CVE-2000-0966 DESCRIPTION: Buffer overflows in lpspooler in the fileset PrinterMgmt.LP-SPOOL of HP-UX 11.0 and earlier allows local users to gain privileges. CVE-2000-0967 DESCRIPTION: PHP 3 and 4 do not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands by triggering error messages that are improperly written to the error logs. CVE-2000-0968 DESCRIPTION: Buffer overflow in Half Life dedicated server before build 3104 allows remote attackers to execute arbitrary commands via a long rcon command. CVE-2000-0969 DESCRIPTION: Format string vulnerability in Half Life dedicated server build 3104 and earlier allows remote attackers to execute arbitrary commands by injecting format strings into the changelevel command, via the system console or rcon. CVE-2000-0970 DESCRIPTION: IIS 4.0 and 5.0 .ASP pages send the same Session ID cookie for secure and insecure web sessions, which could allow remote attackers to hijack the secure web session of the user if that user moves to an insecure session, aka the "Session ID Cookie Marking" vulnerability. CVE-2000-0971 DESCRIPTION: Avirt Mail 4.0 and 4.2 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long "RCPT TO" or "MAIL FROM" command. CVE-2000-0972 DESCRIPTION: HP-UX 11.00 crontab allows local users to read arbitrary files via the -e option by creating a symlink to the target file during the crontab session, quitting the session, and reading the error messages that crontab generates. CVE-2000-0973 DESCRIPTION: Buffer overflow in curl earlier than 6.0-1.1, and curl-ssl earlier than 6.0-1.2, allows remote attackers to execute arbitrary commands by forcing a long error message to be generated. CVE-2000-0974 DESCRIPTION: GnuPG (gpg) 1.0.3 does not properly check all signatures of a file containing multiple documents, which allows an attacker to modify contents of all documents but the first without detection. CVE-2000-0975 DESCRIPTION: Directory traversal vulnerability in apexec.pl in Anaconda Foundation Directory allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2000-0976 DESCRIPTION: Buffer overflow in xlib in XFree 3.3.x possibly allows local users to execute arbitrary commands via a long DISPLAY environment variable or a -display command line parameter. CVE-2000-0977 DESCRIPTION: mailfile.cgi CGI program in MailFile 1.10 allows remote attackers to read arbitrary files by specifying the target file name in the "filename" parameter in a POST request, which is then sent by email to the address specified in the "email" parameter. CVE-2000-0978 DESCRIPTION: bbd server in Big Brother System and Network Monitor before 1.5c2 allows remote attackers to execute arbitrary commands via the "&" shell metacharacter. CVE-2000-0979 DESCRIPTION: File and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level Password" vulnerability. CVE-2000-0980 DESCRIPTION: NMPI (Name Management Protocol on IPX) listener in Microsoft NWLink does not properly filter packets from a broadcast address, which allows remote attackers to cause a broadcast storm and flood the network. CVE-2000-0981 DESCRIPTION: MySQL Database Engine uses a weak authentication method which leaks information that could be used by a remote attacker to recover the password. CVE-2000-0982 DESCRIPTION: Internet Explorer before 5.5 forwards cached user credentials for a secure web site to insecure pages on the same web site, which could allow remote attackers to obtain the credentials by monitoring connections to the web server, aka the "Cached Web Credentials" vulnerability. CVE-2000-0983 DESCRIPTION: Microsoft NetMeeting with Remote Desktop Sharing enabled allows remote attackers to cause a denial of service (CPU utilization) via a sequence of null bytes to the NetMeeting port, aka the "NetMeeting Desktop Sharing" vulnerability. CVE-2000-0984 DESCRIPTION: The HTTP server in Cisco IOS 12.0 through 12.1 allows local users to cause a denial of service (crash and reload) via a URL containing a "?/" string. CVE-2000-0985 DESCRIPTION: Buffer overflow in All-Mail 1.1 allows remote attackers to execute arbitrary commands via a long "MAIL FROM" or "RCPT TO" command. CVE-2000-0986 DESCRIPTION: Buffer overflow in Oracle 8.1.5 applications such as names, namesctl, onrsd, osslogin, tnslsnr, tnsping, trcasst, and trcroute possibly allow local users to gain privileges via a long ORACLE_HOME environmental variable. CVE-2000-0987 DESCRIPTION: Buffer overflow in oidldapd in Oracle 8.1.6 allow local users to gain privileges via a long "connect" command line parameter. CVE-2000-0988 DESCRIPTION: WinU 1.0 through 5.1 has a backdoor password that allows remote attackers to gain access to its administrative interface and modify configuration. CVE-2000-0989 DESCRIPTION: Buffer overflow in Intel InBusiness eMail Station 1.04.87 POP service allows remote attackers to cause a denial of service and possibly execute commands via a long username. CVE-2000-0990 DESCRIPTION: cmd5checkpw 0.21 and earlier allows remote attackers to cause a denial of service via an "SMTP AUTH" command with an unknown username. CVE-2000-0991 DESCRIPTION: Buffer overflow in Hilgraeve, Inc. HyperTerminal client on Windows 98, ME, and 2000 allows remote attackers to execute arbitrary commands via a long telnet URL, aka the "HyperTerminal Buffer Overflow" vulnerability. CVE-2000-0992 DESCRIPTION: Directory traversal vulnerability in scp in sshd 1.2.xx allows a remote malicious scp server to overwrite arbitrary files via a .. (dot dot) attack. CVE-2000-0993 DESCRIPTION: Format string vulnerability in pw_error function in BSD libutil library allows local users to gain root privileges via a malformed password in commands such as chpass or passwd. CVE-2000-0994 DESCRIPTION: Format string vulnerability in OpenBSD fstat program (and possibly other BSD-based operating systems) allows local users to gain root privileges via the PWD environmental variable. CVE-2000-0995 DESCRIPTION: Format string vulnerability in OpenBSD yp_passwd program (and possibly other BSD-based operating systems) allows attackers to gain root privileges a malformed name. CVE-2000-0996 DESCRIPTION: Format string vulnerability in OpenBSD su program (and possibly other BSD-based operating systems) allows local attackers to gain root privileges via a malformed shell. CVE-2000-0997 DESCRIPTION: Format string vulnerabilities in eeprom program in OpenBSD, NetBSD, and possibly other operating systems allows local attackers to gain root privileges. CVE-2000-0998 DESCRIPTION: Format string vulnerability in top program allows local attackers to gain root privileges via the "kill" or "renice" function. CVE-2000-0999 DESCRIPTION: Format string vulnerabilities in OpenBSD ssh program (and possibly other BSD-based operating systems) allow attackers to gain root privileges. CVE-2000-1000 DESCRIPTION: Format string vulnerability in AOL Instant Messenger (AIM) 4.1.2010 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by transferring a file whose name includes format characters. CVE-2000-1001 DESCRIPTION: add_2_basket.asp in Element InstantShop allows remote attackers to modify price information via the "price" hidden form variable. CVE-2000-1002 DESCRIPTION: POP3 daemon in Stalker CommuniGate Pro 3.3.2 generates different error messages for invalid usernames versus invalid passwords, which allows remote attackers to determine valid email addresses on the server for SPAM attacks. CVE-2000-1003 DESCRIPTION: NETBIOS client in Windows 95 and Windows 98 allows a remote attacker to cause a denial of service by changing a file sharing service to return an unknown driver type, which causes the client to crash. CVE-2000-1004 DESCRIPTION: Format string vulnerability in OpenBSD photurisd allows local users to execute arbitrary commands via a configuration file directory name that contains formatting characters. CVE-2000-1005 DESCRIPTION: Directory traversal vulnerability in html_web_store.cgi and web_store.cgi CGI programs in eXtropia WebStore allows remote attackers to read arbitrary files via a .. (dot dot) attack on the page parameter. CVE-2000-1006 DESCRIPTION: Microsoft Exchange Server 5.5 does not properly handle a MIME header with a blank charset specified, which allows remote attackers to cause a denial of service via a charset="" command, aka the "Malformed MIME Header" vulnerability. CVE-2000-1007 DESCRIPTION: I-gear 3.5.7 and earlier does not properly process log entries in which a URL is longer than 255 characters, which allows an attacker to cause reporting errors. CVE-2000-1008 DESCRIPTION: PalmOS 3.5.2 and earlier uses weak encryption to store the user password, which allows attackers with physical access to the Palm device to decrypt the password and gain access to the device. CVE-2000-1009 DESCRIPTION: dump in Red Hat Linux 6.2 trusts the pathname specified by the RSH environmental variable, which allows local users to obtain root privileges by modifying the RSH variable to point to a Trojan horse program. CVE-2000-1010 DESCRIPTION: Format string vulnerability in talkd in OpenBSD and possibly other BSD-based OSes allows remote attackers to execute arbitrary commands via a user name that contains format characters. CVE-2000-1011 DESCRIPTION: Buffer overflow in catopen() function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to gain root privileges via a long environmental variable. CVE-2000-1012 DESCRIPTION: The catopen function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to read arbitrary files via the LANG environmental variable. CVE-2000-1013 DESCRIPTION: The setlocale function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to read arbitrary files via the LANG environmental variable. CVE-2000-1014 DESCRIPTION: Format string vulnerability in the search97.cgi CGI script in SCO help http server for Unixware 7 allows remote attackers to execute arbitrary commands via format characters in the queryText parameter. CVE-2000-1015 DESCRIPTION: The default configuration of Slashcode before version 2.0 Alpha has a default administrative password, which allows remote attackers to gain Slashcode privileges and possibly execute arbitrary commands. CVE-2000-1016 DESCRIPTION: The default configuration of Apache (httpd.conf) on SuSE 6.4 includes an alias for the /usr/doc directory, which allows remote attackers to read package documentation and obtain system configuration information via an HTTP request for the /doc/packages URL. CVE-2000-1017 DESCRIPTION: Webteachers Webdata allows remote attackers with valid Webdata accounts to read arbitrary files by posting a request to import the file into the WebData database. CVE-2000-1018 DESCRIPTION: shred 1.0 file wiping utility does not properly open a file for overwriting or flush its buffers, which prevents shred from properly replacing the file's data and allows local users to recover the file. CVE-2000-1019 DESCRIPTION: Search engine in Ultraseek 3.1 and 3.1.10 (aka Inktomi Search) allows remote attackers to cause a denial of service via a malformed URL. CVE-2000-1020 DESCRIPTION: Heap overflow in Worldclient in Mdaemon 3.1.1 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long URL. CVE-2000-1021 DESCRIPTION: Heap overflow in WebConfig in Mdaemon 3.1.1 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long URL. CVE-2000-1022 DESCRIPTION: The mailguard feature in Cisco Secure PIX Firewall 5.2(2) and earlier does not properly restrict access to SMTP commands, which allows remote attackers to execute restricted commands by sending a DATA command before sending the restricted commands. CVE-2000-1023 DESCRIPTION: The Alabanza Control Panel does not require passwords to access administrative commands, which allows remote attackers to modify domain name information via the nsManager.cgi CGI program. CVE-2000-1024 DESCRIPTION: eWave ServletExec 3.0C and earlier does not restrict access to the UploadServlet Java/JSP servlet, which allows remote attackers to upload files and execute arbitrary commands. CVE-2000-1025 DESCRIPTION: eWave ServletExec JSP/Java servlet engine, versions 3.0C and earlier, allows remote attackers to cause a denial of service via a URL that contains the "/servlet/" string, which invokes the ServletExec servlet and causes an exception if the servlet is already running. CVE-2000-1026 DESCRIPTION: Multiple buffer overflows in LBNL tcpdump allow remote attackers to execute arbitrary commands. CVE-2000-1027 DESCRIPTION: Cisco Secure PIX Firewall 5.2(2) allows remote attackers to determine the real IP address of a target FTP server by flooding the server with PASV requests, which includes the real IP address in the response when passive mode is established. CVE-2000-1028 DESCRIPTION: Buffer overflow in cu program in HP-UX 11.0 may allow local users to gain privileges via a long -l command line argument. CVE-2000-1029 DESCRIPTION: Buffer overflow in host command allows a remote attacker to execute arbitrary commands via a long response to an AXFR query. CVE-2000-1030 DESCRIPTION: CS&T CorporateTime for the Web returns different error messages for invalid usernames and invalid passwords, which allows remote attackers to determine valid usernames on the server. CVE-2000-1031 DESCRIPTION: Buffer overflow in dtterm in HP-UX 11.0 and HP Tru64 UNIX 4.0f through 5.1a allows local users to execute arbitrary code via a long -tn option. CVE-2000-1032 DESCRIPTION: The client authentication interface for Check Point Firewall-1 4.0 and earlier generates different error messages for invalid usernames versus invalid passwords, which allows remote attackers to identify valid usernames on the firewall. CVE-2000-1033 DESCRIPTION: Serv-U FTP Server allows remote attackers to bypass its anti-hammering feature by first logging on as a valid user (possibly anonymous) and then attempting to guess the passwords of other users. CVE-2000-1034 DESCRIPTION: Buffer overflow in the System Monitor ActiveX control in Windows 2000 allows remote attackers to execute arbitrary commands via a long LogFileName parameter in HTML source code, aka the "ActiveX Parameter Validation" vulnerability. CVE-2000-1035 DESCRIPTION: Buffer overflows in TYPSoft FTP Server 0.78 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long USER, PASS, or CWD command. CVE-2000-1036 DESCRIPTION: Directory traversal vulnerability in Extent RBS ISP web server allows remote attackers to read sensitive information via a .. (dot dot) attack on the Image parameter. CVE-2000-1037 DESCRIPTION: Check Point Firewall-1 session agent 3.0 through 4.1 generates different error messages for invalid user names versus invalid passwords, which allows remote attackers to determine valid usernames and guess a password via a brute force attack. CVE-2000-1038 DESCRIPTION: The web administration interface for IBM AS/400 Firewall allows remote attackers to cause a denial of service via an empty GET request. CVE-2000-1039 DESCRIPTION: Various TCP/IP stacks and network applications allow remote attackers to cause a denial of service by flooding a target host with TCP connection attempts and completing the TCP/IP handshake without maintaining the connection state on the attacker host, aka the "NAPTHA" class of vulnerabilities. NOTE: this candidate may change significantly as the security community discusses the technical nature of NAPTHA and learns more about the affected applications. This candidate is at a higher level of abstraction than is typical for CVE. CVE-2000-1040 DESCRIPTION: Format string vulnerability in logging function of ypbind 3.3, while running in debug mode, leaks file descriptors and allows an attacker to cause a denial of service. CVE-2000-1041 DESCRIPTION: Buffer overflow in ypbind 3.3 possibly allows an attacker to gain root privileges. CVE-2000-1042 DESCRIPTION: Buffer overflow in ypserv in Mandrake Linux 7.1 and earlier, and possibly other Linux operating systems, allows an attacker to gain root privileges when ypserv is built without a vsyslog() function. CVE-2000-1043 DESCRIPTION: Format string vulnerability in ypserv in Mandrake Linux 7.1 and earlier, and possibly other Linux operating systems, allows an attacker to gain root privileges when ypserv is built without a vsyslog() function. CVE-2000-1044 DESCRIPTION: Format string vulnerability in ypbind-mt in SuSE SuSE-6.2, and possibly other Linux operating systems, allows an attacker to gain root privileges. CVE-2000-1045 DESCRIPTION: nss_ldap earlier than 121, when run with nscd (name service caching daemon), allows remote attackers to cause a denial of service via a flood of LDAP requests. CVE-2000-1046 DESCRIPTION: Multiple buffer overflows in the ESMTP service of Lotus Domino 5.0.2c and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via long (1) "RCPT TO," (2) "SAML FROM," or (3) "SOML FROM" commands. CVE-2000-1047 DESCRIPTION: Buffer overflow in SMTP service of Lotus Domino 5.0.4 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long ENVID keyword in the "MAIL FROM" command. CVE-2000-1048 DESCRIPTION: Directory traversal vulnerability in the logfile service of Wingate 4.1 Beta A and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack via an HTTP GET request that uses encoded characters in the URL. CVE-2000-1049 DESCRIPTION: Allaire JRun 3.0 http servlet server allows remote attackers to cause a denial of service via a URL that contains a long string of "." characters. CVE-2000-1050 DESCRIPTION: Allaire JRun 3.0 http servlet server allows remote attackers to directly access the WEB-INF directory via a URL request that contains an extra "/" in the beginning of the request (aka the "extra leading slash"). CVE-2000-1051 DESCRIPTION: Directory traversal vulnerability in Allaire JRun 2.3 server allows remote attackers to read arbitrary files via the SSIFilter servlet. CVE-2000-1052 DESCRIPTION: Allaire JRun 2.3 server allows remote attackers to obtain source code for executable content by directly calling the SSIFilter servlet. CVE-2000-1053 DESCRIPTION: Allaire JRun 2.3.3 server allows remote attackers to compile and execute JSP code by inserting it via a cross-site scripting (CSS) attack and directly calling the com.livesoftware.jrun.plugins.JSP JSP servlet. CVE-2000-1054 DESCRIPTION: Buffer overflow in CSAdmin module in CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large packet. CVE-2000-1055 DESCRIPTION: Buffer overflow in CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large TACACS+ packet. CVE-2000-1056 DESCRIPTION: CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to bypass LDAP authentication on the server if the LDAP server allows null passwords. CVE-2000-1057 DESCRIPTION: Vulnerabilities in database configuration scripts in HP OpenView Network Node Manager (NNM) 6.1 and earlier allows local users to gain privileges, possibly via insecure permissions. CVE-2000-1058 DESCRIPTION: Buffer overflow in OverView5 CGI program in HP OpenView Network Node Manager (NNM) 6.1 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, in the SNMP service (snmp.exe), aka the "Java SNMP MIB Browser Object ID parsing problem." CVE-2000-1059 DESCRIPTION: The default configuration of the Xsession file in Mandrake Linux 7.1 and 7.0 bypasses the Xauthority access control mechanism with an "xhost + localhost" command, which allows local users to sniff X Windows events and gain privileges. CVE-2000-1060 DESCRIPTION: The default configuration of XFCE 3.5.1 bypasses the Xauthority access control mechanism with an "xhost + localhost" command in the xinitrc program, which allows local users to sniff X Windows traffic and gain privileges. CVE-2000-1061 DESCRIPTION: Microsoft Virtual Machine (VM) in Internet Explorer 4.x and 5.x allows an unsigned applet to create and use ActiveX controls, which allows a remote attacker to bypass Internet Explorer's security settings and execute arbitrary commands via a malicious web page or email, aka the "Microsoft VM ActiveX Component" vulnerability. CVE-2000-1062 DESCRIPTION: Buffer overflow in the FTP service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service. CVE-2000-1063 DESCRIPTION: Buffer overflow in the Telnet service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service. CVE-2000-1064 DESCRIPTION: Buffer overflow in the LPD service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service. CVE-2000-1065 DESCRIPTION: Vulnerability in IP implementation of HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service (printer crash) via a malformed packet. CVE-2000-1066 DESCRIPTION: The getnameinfo function in FreeBSD 4.1.1 and earlier, and possibly other operating systems, allows a remote attacker to cause a denial of service via a long DNS hostname. CVE-2000-1068 DESCRIPTION: pollit.cgi in Poll It 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the poll_options parameter. CVE-2000-1069 DESCRIPTION: pollit.cgi in Poll It 2.01 and earlier allows remote attackers to access administrative functions without knowing the real password by specifying the same value to the entered_password and admin_password parameters. CVE-2000-1070 DESCRIPTION: pollit.cgi in Poll It 2.01 and earlier uses data files that are located under the web document root, which allows remote attackers to access sensitive or private information. CVE-2000-1071 DESCRIPTION: The GUI installation for iCal 2.1 Patch 2 disables access control for the X server using an "xhost +" command, which allows remote attackers to monitor X Windows events and gain privileges. CVE-2000-1072 DESCRIPTION: iCal 2.1 Patch 2 installs many files with world-writeable permissions, which allows local users to modify the iCal configuration and execute arbitrary commands by replacing the iplncal.sh program with a Trojan horse. CVE-2000-1073 DESCRIPTION: csstart program in iCal 2.1 Patch 2 searches for the cshttpd program in the current working directory, which allows local users to gain root privileges by creating a Trojan Horse cshttpd program in a directory and calling csstart from that directory. CVE-2000-1074 DESCRIPTION: csstart program in iCal 2.1 Patch 2 uses relative pathnames to install the libsocket and libnsl libraries, which could allow the icsuser account to gain root privileges by creating a Trojan Horse library in the current or parent directory. CVE-2000-1075 DESCRIPTION: Directory traversal vulnerability in iPlanet Certificate Management System 4.2 and Directory Server 4.12 allows remote attackers to read arbitrary files via a .. (dot dot) attack in the Agent, End Entity, or Administrator services. CVE-2000-1076 DESCRIPTION: Netscape (iPlanet) Certificate Management System 4.2 and Directory Server 4.12 stores the administrative password in plaintext, which could allow local and possibly remote attackers to gain administrative privileges on the server. CVE-2000-1077 DESCRIPTION: Buffer overflow in the SHTML logging functionality of iPlanet Web Server 4.x allows remote attackers to execute arbitrary commands via a long filename with a .shtml extension. CVE-2000-1078 DESCRIPTION: ICQ Web Front HTTPd allows remote attackers to cause a denial of service by requesting a URL that contains a "?" character. CVE-2000-1079 DESCRIPTION: Interactions between the CIFS Browser Protocol and NetBIOS as implemented in Microsoft Windows 95, 98, NT, and 2000 allow remote attackers to modify dynamic NetBIOS name cache entries via a spoofed Browse Frame Request in a unicast or UDP broadcast datagram. CVE-2000-1080 DESCRIPTION: Quake 1 (quake1) and ProQuake 1.01 and earlier allow remote attackers to cause a denial of service via a malformed (empty) UDP packet. CVE-2000-1081 DESCRIPTION: The xp_displayparamstmt function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. CVE-2000-1082 DESCRIPTION: The xp_enumresultset function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. CVE-2000-1083 DESCRIPTION: The xp_showcolv function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. CVE-2000-1084 DESCRIPTION: The xp_updatecolvbm function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. CVE-2000-1085 DESCRIPTION: The xp_peekqueue function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. CVE-2000-1086 DESCRIPTION: The xp_printstatements function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. CVE-2000-1087 DESCRIPTION: The xp_proxiedmetadata function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. CVE-2000-1088 DESCRIPTION: The xp_SetSQLSecurity function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. CVE-2000-1089 DESCRIPTION: Buffer overflow in Microsoft Phone Book Service allows local users to execute arbitrary commands, aka the "Phone Book Service Buffer Overflow" vulnerability. CVE-2000-1090 DESCRIPTION: Microsoft IIS for Far East editions 4.0 and 5.0 allows remote attackers to read source code for parsed pages via a malformed URL that uses the lead-byte of a double-byte character. CVE-2000-1092 DESCRIPTION: loadpage.cgi CGI program in EZshopper 3.0 and 2.0 allows remote attackers to list and read files in the EZshopper data directory by inserting a "/" in front of the target filename in the "file" parameter. CVE-2000-1093 DESCRIPTION: Buffer overflow in AOL Instant Messenger before 4.3.2229 allows remote attackers to execute arbitrary commands via a long "goim" command. CVE-2000-1094 DESCRIPTION: Buffer overflow in AOL Instant Messenger (AIM) before 4.3.2229 allows remote attackers to execute arbitrary commands via a "buddyicon" command with a long "src" argument. CVE-2000-1095 DESCRIPTION: modprobe in the modutils 2.3.x package on Linux systems allows a local user to execute arbitrary commands via shell metacharacters. CVE-2000-1096 DESCRIPTION: crontab by Paul Vixie uses predictable file names for a temporary file and does not properly ensure that the file is owned by the user executing the crontab -e command, which allows local users with write access to the crontab spool directory to execute arbitrary commands by creating world-writeable temporary files and modifying them while the victim is editing the file. CVE-2000-1097 DESCRIPTION: The web server for the SonicWALL SOHO firewall allows remote attackers to cause a denial of service via a long username in the authentication page. CVE-2000-1098 DESCRIPTION: The web server for the SonicWALL SOHO firewall allows remote attackers to cause a denial of service via an empty GET or POST request. CVE-2000-1099 DESCRIPTION: Java Runtime Environment in Java Development Kit (JDK) 1.2.2_05 and earlier can allow an untrusted Java class to call into a disallowed class, which could allow an attacker to escape the Java sandbox and conduct unauthorized activities. CVE-2000-1100 DESCRIPTION: The default configuration for PostACI webmail system installs the /includes/global.inc configuration file within the web root, which allows remote attackers to read sensitive information such as database usernames and passwords via a direct HTTP GET request. CVE-2000-1101 DESCRIPTION: Directory traversal vulnerability in Winsock FTPd (WFTPD) 3.00 and 2.41 with the "Restrict to home directory" option enabled allows local users to escape the home directory via a "/../" string, a variation of the .. (dot dot) attack. CVE-2000-1102 DESCRIPTION: PTlink IRCD 3.5.3 and PTlink Services 1.8.1 allow remote attackers to cause a denial of service (server crash) via "mode +owgscfxeb" and "oper" commands. CVE-2000-1103 DESCRIPTION: rcvtty in BSD 3.0 and 4.0 does not properly drop privileges before executing a script, which allows local attackers to gain privileges by specifying an alternate Trojan horse script on the command line. CVE-2000-1104 DESCRIPTION: Variant of the "IIS Cross-Site Scripting" vulnerability as originally discussed in MS:MS00-060 (CVE-2000-0746) allows a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site. CVE-2000-1105 DESCRIPTION: The ixsso.query ActiveX Object is marked as safe for scripting, which allows malicious web site operators to embed a script that remotely determines the existence of files on visiting Windows 2000 systems that have Indexing Services enabled. CVE-2000-1106 DESCRIPTION: Trend Micro InterScan VirusWall creates an "Intscan" share to the "InterScan" directory with permissions that grant Full Control permissions to the Everyone group, which allows attackers to gain privileges by modifying the VirusWall programs. CVE-2000-1107 DESCRIPTION: in.identd ident server in SuSE Linux 6.x and 7.0 allows remote attackers to cause a denial of service via a long request, which causes the server to access a NULL pointer and crash. CVE-2000-1108 DESCRIPTION: cons.saver in Midnight Commander (mc) 4.5.42 and earlier does not properly verify if an output file descriptor is a TTY, which allows local users to corrupt files by creating a symbolic link to the target file, calling mc, and specifying that link as a TTY argument. CVE-2000-1109 DESCRIPTION: Midnight Commander (mc) 4.5.51 and earlier does not properly process malformed directory names when a user opens a directory, which allows other local users to gain privileges by creating directories that contain special characters followed by the commands to be executed. CVE-2000-1110 DESCRIPTION: document.d2w CGI program in the IBM Net.Data db2www package allows remote attackers to determine the physical path of the web server by sending a nonexistent command to the program. CVE-2000-1111 DESCRIPTION: Telnet Service for Windows 2000 Professional does not properly terminate incomplete connection attempts, which allows remote attackers to cause a denial of service by connecting to the server and not providing any input. CVE-2000-1112 DESCRIPTION: Microsoft Windows Media Player 7 executes scripts in custom skin (.WMS) files, which could allow remote attackers to gain privileges via a skin that contains a malicious script, aka the ".WMS Script Execution" vulnerability. CVE-2000-1113 DESCRIPTION: Buffer overflow in Microsoft Windows Media Player allows remote attackers to execute arbitrary commands via a malformed Active Stream Redirector (.ASX) file, aka the ".ASX Buffer Overrun" vulnerability. CVE-2000-1114 DESCRIPTION: Unify ServletExec AS v3.0C allows remote attackers to read source code for JSP pages via an HTTP request that ends with characters such as ".", or "+", or "%20". CVE-2000-1115 DESCRIPTION: Buffer overflow in remote web administration component (webprox.dll) of 602Pro LAN SUITE before 2000.0.1.33 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long GET request. CVE-2000-1116 DESCRIPTION: Buffer overflow in TransSoft Broker FTP Server before 4.3.0.1 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long command. CVE-2000-1117 DESCRIPTION: The Extended Control List (ECL) feature of the Java Virtual Machine (JVM) in Lotus Notes Client R5 allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method. CVE-2000-1118 DESCRIPTION: 24Link 1.06 web server allows remote attackers to bypass access restrictions by prepending strings such as "/+/" or "/." to the HTTP GET request. CVE-2000-1119 DESCRIPTION: Buffer overflow in setsenv command in IBM AIX 4.3.x and earlier allows local users to execute arbitrary commands via a long "x=" argument. CVE-2000-1120 DESCRIPTION: Buffer overflow in digest command in IBM AIX 4.3.x and earlier allows local users to execute arbitrary commands. CVE-2000-1121 DESCRIPTION: Buffer overflow in enq command in IBM AIX 4.3.x and earlier may allow local users to execute arbitrary commands via a long -M argument. CVE-2000-1122 DESCRIPTION: Buffer overflow in setclock command in IBM AIX 4.3.x and earlier may allow local users to execute arbitrary commands via a long argument. CVE-2000-1123 DESCRIPTION: Buffer overflow in pioout command in IBM AIX 4.3.x and earlier may allow local users to execute arbitrary commands. CVE-2000-1124 DESCRIPTION: Buffer overflow in piobe command in IBM AIX 4.3.x allows local users to gain privileges via long environmental variables. CVE-2000-1125 DESCRIPTION: restore 0.4b15 and earlier in Red Hat Linux 6.2 trusts the pathname specified by the RSH environmental variable, which allows local users to obtain root privileges by modifying the RSH variable to point to a Trojan horse program. CVE-2000-1126 DESCRIPTION: Vulnerability in auto_parms and set_parms in HP-UX 11.00 and earlier allows remote attackers to execute arbitrary commands or cause a denial of service. CVE-2000-1127 DESCRIPTION: registrar in the HP resource monitor service allows local users to read and modify arbitrary files by renaming the original registrar.log log file and creating a symbolic link to the target file, to which registrar appends log information and sets the permissions to be world readable. CVE-2000-1128 DESCRIPTION: The default configuration of McAfee VirusScan 4.5 does not quote the ImagePath variable, which improperly sets the search path and allows local users to place a Trojan horse "common.exe" program in the C:\Program Files directory. CVE-2000-1129 DESCRIPTION: McAfee WebShield SMTP 4.5 allows remote attackers to cause a denial of service via a malformed recipient field. CVE-2000-1130 DESCRIPTION: McAfee WebShield SMTP 4.5 allows remote attackers to bypass email content filtering rules by including Extended ASCII characters in name of the attachment. CVE-2000-1131 DESCRIPTION: Bill Kendrick web site guestbook (GBook) allows remote attackers to execute arbitrary commands via shell metacharacters in the _MAILTO form variable. CVE-2000-1132 DESCRIPTION: DCForum cgforum.cgi CGI script allows remote attackers to read arbitrary files, and delete the program itself, via a malformed "forum" variable. CVE-2000-1133 DESCRIPTION: Authentix Authentix100 allows remote attackers to bypass authentication by inserting a . (dot) into the URL for a protected directory. CVE-2000-1134 DESCRIPTION: Multiple shell programs on various Unix systems, including (1) tcsh, (2) csh, (3) sh, and (4) bash, follow symlinks when processing << redirects (aka here-documents or in-here documents), which allows local users to overwrite files of other users via a symlink attack. CVE-2000-1135 DESCRIPTION: fshd (fsh daemon) in Debian GNU/Linux allows local users to overwrite files of other users via a symlink attack. CVE-2000-1136 DESCRIPTION: elvis-tiny before 1.4-10 in Debian GNU/Linux, and possibly other Linux operating systems, allows local users to overwrite files of other users via a symlink attack. CVE-2000-1137 DESCRIPTION: GNU ed before 0.2-18.1 allows local users to overwrite the files of other users via a symlink attack. CVE-2000-1138 DESCRIPTION: Lotus Notes R5 client R5.0.5 and earlier does not properly warn users when an S/MIME email message has been modified, which could allow an attacker to modify the email in transit without being detected. CVE-2000-1139 DESCRIPTION: The installation of Microsoft Exchange 2000 before Rev. A creates a user account with a known password, which could allow attackers to gain privileges, aka the "Exchange User Account" vulnerability. CVE-2000-1140 DESCRIPTION: Recourse ManTrap 1.6 does not properly hide processes from attackers, which could allow attackers to determine that they are in a honeypot system by comparing the results from kill commands with the process listing in the /proc filesystem. CVE-2000-1141 DESCRIPTION: Recourse ManTrap 1.6 modifies the kernel so that ".." does not appear in the /proc listing, which allows attackers to determine that they are in a honeypot system. CVE-2000-1142 DESCRIPTION: Recourse ManTrap 1.6 generates an error when an attacker cd's to /proc/self/cwd and executes the pwd command, which allows attackers to determine that they are in a honeypot system. CVE-2000-1143 DESCRIPTION: Recourse ManTrap 1.6 hides the first 4 processes that run on a Solaris system, which allows attackers to determine that they are in a honeypot system. CVE-2000-1144 DESCRIPTION: Recourse ManTrap 1.6 sets up a chroot environment to hide the fact that it is running, but the inode number for the resulting "/" file system is higher than normal, which allows attackers to determine that they are in a chroot environment. CVE-2000-1145 DESCRIPTION: Recourse ManTrap 1.6 allows attackers who have gained root access to use utilities such as crash or fsdb to read /dev/mem and raw disk devices to identify ManTrap processes or modify arbitrary data files. CVE-2000-1146 DESCRIPTION: Recourse ManTrap 1.6 allows attackers to cause a denial of service via a sequence of commands that navigate into and out of the /proc/self directory and executing various commands such as ls or pwd. CVE-2000-1147 DESCRIPTION: Buffer overflow in IIS ISAPI .ASP parsing mechanism allows attackers to execute arbitrary commands via a long string to the "LANGUAGE" argument in a script tag. CVE-2000-1148 DESCRIPTION: The installation of VolanoChatPro chat server sets world-readable permissions for its configuration file and stores the server administrator passwords in plaintext, which allows local users to gain privileges on the server. CVE-2000-1149 DESCRIPTION: Buffer overflow in RegAPI.DLL used by Windows NT 4.0 Terminal Server allows remote attackers to execute arbitrary commands via a long username, aka the "Terminal Server Login Buffer Overflow" vulnerability. CVE-2000-1150 DESCRIPTION: Felix IRC client in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL. CVE-2000-1151 DESCRIPTION: Baxter IRC client in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL. CVE-2000-1152 DESCRIPTION: Browser IRC client in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL. CVE-2000-1153 DESCRIPTION: PostMaster 1.0 in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL. CVE-2000-1154 DESCRIPTION: RHConsole in RobinHood 1.1 web server in BeOS r5 pro and earlier allows remote attackers to cause a denial of service via long HTTP request. CVE-2000-1155 DESCRIPTION: RHDaemon in RobinHood 1.1 web server in BeOS r5 pro and earlier allows remote attackers to cause a denial of service via long HTTP request. CVE-2000-1156 DESCRIPTION: StarOffice 5.2 follows symlinks and sets world-readable permissions for the /tmp/soffice.tmp directory, which allows a local user to read files of the user who is using StarOffice. CVE-2000-1157 DESCRIPTION: Buffer overflow in NAI Sniffer Agent allows remote attackers to execute arbitrary commands via a long SNMP community name. CVE-2000-1158 DESCRIPTION: NAI Sniffer Agent uses base64 encoding for authentication, which allows attackers to sniff the network and easily decrypt usernames and passwords. CVE-2000-1159 DESCRIPTION: NAI Sniffer Agent allows remote attackers to gain privileges on the agent by sniffing the initial UDP authentication packets and spoofing commands. CVE-2000-1160 DESCRIPTION: NAI Sniffer Agent allows remote attackers to cause a denial of service (crash) by sending a large number of login requests. CVE-2000-1161 DESCRIPTION: The installation of AdCycle banner management system leaves the build.cgi program in a web-accessible directory, which allows remote attackers to execute the program and view passwords or delete databases. CVE-2000-1162 DESCRIPTION: ghostscript before 5.10-16 allows local users to overwrite files of other users via a symlink attack. CVE-2000-1163 DESCRIPTION: ghostscript before 5.10-16 uses an empty LD_RUN_PATH environmental variable to find libraries in the current directory, which could allow local users to execute commands as other users by placing a Trojan horse library into a directory from which another user executes ghostscript. CVE-2000-1164 DESCRIPTION: WinVNC installs the WinVNC3 registry key with permissions that give Special Access (read and modify) to the Everybody group, which allows users to read and modify sensitive information such as passwords and gain access to the system. CVE-2000-1165 DESCRIPTION: Balabit syslog-ng allows remote attackers to cause a denial of service (application crash) via a malformed log message that does not have a closing > in the priority specifier. CVE-2000-1166 DESCRIPTION: Twig webmail system does not properly set the "vhosts" variable if it is not configured on the site, which allows remote attackers to insert arbitrary PHP (PHP3) code by specifying an alternate vhosts as an argument to the index.php3 program. CVE-2000-1167 DESCRIPTION: ppp utility in FreeBSD 4.1.1 and earlier does not properly restrict access as specified by the "nat deny_incoming" command, which allows remote attackers to connect to the target system. CVE-2000-1168 DESCRIPTION: IBM HTTP Server 1.3.6 (based on Apache) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long GET request. CVE-2000-1169 DESCRIPTION: OpenSSH SSH client before 2.3.0 does not properly disable X11 or agent forwarding, which could allow a malicious SSH server to gain access to the X11 display and sniff X11 events, or gain access to the ssh-agent. CVE-2000-1170 DESCRIPTION: Buffer overflow in Netsnap webcam HTTP server before 1.2.9 allows remote attackers to execute arbitrary commands via a long GET request. CVE-2000-1171 DESCRIPTION: Directory traversal vulnerability in cgiforum.pl script in CGIForum 1.0 allows remote attackers to ready arbitrary files via a .. (dot dot) attack in the "thesection" parameter. CVE-2000-1172 DESCRIPTION: Buffer overflow in Gaim 0.10.3 and earlier using the OSCAR protocol allows remote attackers to conduct a denial of service and possibly execute arbitrary commands via a long HTML tag. CVE-2000-1173 DESCRIPTION: Microsys CyberPatrol uses weak encryption (trivial encoding) for credit card numbers and uses no encryption for the remainder of the information during registration, which could allow attackers to sniff network traffic and obtain this sensitive information. CVE-2000-1174 DESCRIPTION: Multiple buffer overflows in AFS ACL parser for Ethereal 0.8.13 and earlier allows remote attackers to execute arbitrary commands via a packet with a long username. CVE-2000-1175 DESCRIPTION: Buffer overflow in Koules 1.4 allows local users to execute arbitrary commands via a long command line argument. CVE-2000-1176 DESCRIPTION: Directory traversal vulnerability in YaBB search.pl CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack in the "catsearch" form field. CVE-2000-1177 DESCRIPTION: bb-hist.sh, bb-histlog.sh, bb-hostsvc.sh, bb-rep.sh, bb-replog.sh, and bb-ack.sh in Big Brother (BB) before 1.5d3 allows remote attackers to determine the existence of files and user ID's by specifying the target file in the HISTFILE parameter. CVE-2000-1178 DESCRIPTION: Joe text editor follows symbolic links when creating a rescue copy called DEADJOE during an abnormal exit, which allows local users to overwrite the files of other users whose joe session crashes. CVE-2000-1179 DESCRIPTION: Netopia ISDN Router 650-ST before 4.3.5 allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters. CVE-2000-1180 DESCRIPTION: Buffer overflow in cmctl program in Oracle 8.1.5 Connection Manager Control allows local users to gain privileges via a long command line argument. CVE-2000-1181 DESCRIPTION: Real Networks RealServer 7 and earlier allows remote attackers to obtain portions of RealServer's memory contents, possibly including sensitive information, by accessing the /admin/includes/ URL. CVE-2000-1182 DESCRIPTION: WatchGuard Firebox II allows remote attackers to cause a denial of service by flooding the Firebox with a large number of FTP or SMTP requests, which disables proxy handling. CVE-2000-1183 DESCRIPTION: Buffer overflow in socks5 server on Linux allows attackers to execute arbitrary commands via a long connection request. CVE-2000-1184 DESCRIPTION: telnetd in FreeBSD 4.2 and earlier, and possibly other operating systems, allows remote attackers to cause a denial of service by specifying an arbitrary large file in the TERMCAP environmental variable, which consumes resources as the server processes the file. CVE-2000-1185 DESCRIPTION: The telnet proxy in RideWay PN proxy server allows remote attackers to cause a denial of service via a flood of connections that contain malformed requests. CVE-2000-1186 DESCRIPTION: Buffer overflow in phf CGI program allows remote attackers to execute arbitrary commands by specifying a large number of arguments and including a long MIME header. CVE-2000-1187 DESCRIPTION: Buffer overflow in the HTML parser for Netscape 4.75 and earlier allows remote attackers to execute arbitrary commands via a long password value in a form field. CVE-2000-1188 DESCRIPTION: Directory traversal vulnerability in Quikstore shopping cart program allows remote attackers to read arbitrary files via a .. (dot dot) attack in the "page" parameter. CVE-2000-1189 DESCRIPTION: Buffer overflow in pam_localuser PAM module in Red Hat Linux 7.x and 6.x allows attackers to gain privileges. CVE-2000-1190 DESCRIPTION: imwheel-solo in imwheel package allows local users to modify arbitrary files via a symlink attack from the .imwheelrc file. CVE-2000-1191 DESCRIPTION: htsearch program in htDig 3.2 beta, 3.1.6, 3.1.5, and earlier allows remote attackers to determine the physical path of the server by requesting a non-existent configuration file using the config parameter, which generates an error message that includes the full path. CVE-2000-1192 DESCRIPTION: Buffer overflow in BTT Software SNMP Trap Watcher 1.16 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string trap. CVE-2000-1193 DESCRIPTION: Performance Metrics Collector Daemon (PMCD) in Performance Copilot in IRIX 6.x allows remote attackers to cause a denial of service (resource exhaustion) via an extremely long string to the PMCD port. CVE-2000-1194 DESCRIPTION: Argosoft FRP server 1.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to the (1) USER or (2) CWD commands. CVE-2000-1195 DESCRIPTION: telnet daemon (telnetd) from the Linux netkit package before netkit-telnet-0.16 allows remote attackers to bypass authentication when telnetd is running with the -L command line option. CVE-2000-1196 DESCRIPTION: PSCOErrPage.htm in Netscape PublishingXpert 2.5 before SP2 allows remote attackers to read arbitrary files by specifying the target file in the errPagePath parameter. CVE-2000-1197 DESCRIPTION: POP2 or POP3 server (pop3d) in imap-uw IMAP package on FreeBSD and other operating systems creates lock files with predictable names, which allows local users to cause a denial of service (lack of mail access) for other users by creating lock files for other mail boxes. CVE-2000-1198 DESCRIPTION: qpopper POP server creates lock files with predictable names, which allows local users to cause a denial of service for other users (lack of mail access) by creating lock files for other mail boxes. CVE-2000-1199 DESCRIPTION: PostgreSQL stores usernames and passwords in plaintext in (1) pg_shadow and (2) pg_pwd, which allows attackers with sufficient privileges to gain access to databases. CVE-2000-1200 DESCRIPTION: Windows NT allows remote attackers to list all users in a domain by obtaining the domain SID with the LsaQueryInformationPolicy policy function via a null session and using the SID to list the users. CVE-2000-1201 DESCRIPTION: Check Point FireWall-1 allows remote attackers to cause a denial of service (high CPU) via a flood of packets to port 264. CVE-2000-1202 DESCRIPTION: ikeyman in IBM IBMHSSSB 1.0 sets the CLASSPATH environmental variable to include the user's own CLASSPATH directories before the system's directories, which allows a malicious local user to execute arbitrary code as root via a Trojan horse Ikeyman class. CVE-2000-1203 DESCRIPTION: Lotus Domino SMTP server 4.63 through 5.08 allows remote attackers to cause a denial of service (CPU consumption) by forging an email message with the sender as bounce@[127.0.0.1] (localhost), which causes Domino to enter a mail loop. CVE-2000-1204 DESCRIPTION: Vulnerability in the mod_vhost_alias virtual hosting module for Apache 1.3.9, 1.3.11 and 1.3.12 allows remote attackers to obtain the source code for CGI programs if the cgi-bin directory is under the document root. CVE-2000-1205 DESCRIPTION: Cross site scripting vulnerabilities in Apache 1.3.0 through 1.3.11 allow remote attackers to execute script as other web site visitors via (1) the printenv CGI (printenv.pl), which does not encode its output, (2) pages generated by the ap_send_error_response function such as a default 404, which does not add an explicit charset, or (3) various messages that are generated by certain Apache modules or core code. NOTE: the printenv issue might still exist for web browsers that can render text/plain content types as HTML, such as Internet Explorer, but CVE regards this as a design limitation of those browsers, not Apache. The printenv.pl/acuparam vector, discloser on 20070724, is one such variant. CVE-2000-1206 DESCRIPTION: Vulnerability in Apache httpd before 1.3.11, when configured for mass virtual hosting using mod_rewrite, or mod_vhost_alias in Apache 1.3.9, allows remote attackers to retrieve arbitrary files. CVE-2000-1207 DESCRIPTION: userhelper in the usermode package on Red Hat Linux executes non-setuid programs as root, which does not activate the security measures in glibc and allows the programs to be exploited via format string vulnerabilities in glibc via the LANG or LC_ALL environment variables (CVE-2000-0844). CVE-2000-1208 DESCRIPTION: Format string vulnerability in startprinting() function of printjob.c in BSD-based lpr lpd package may allow local users to gain privileges via an improper syslog call that uses format strings from the checkremote() call. CVE-2000-1209 DESCRIPTION: The "sa" account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS) (5) Compaq Insight Manager, and (6) Visio 2000, which allows remote attackers to gain privileges, as exploited by worms such as Voyager Alpha Force and Spida. CVE-2000-1210 DESCRIPTION: Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp. CVE-2000-1211 DESCRIPTION: Zope 2.2.0 through 2.2.4 does not properly perform security registration for legacy names of object constructors such as DTML method objects, which could allow attackers to perform unauthorized activities. CVE-2000-1212 DESCRIPTION: Zope 2.2.0 through 2.2.4 does not properly protect a data updating method on Image and File objects, which allows attackers with DTML editing privileges to modify the raw data of these objects. CVE-2000-1213 DESCRIPTION: ping in iputils before 20001010, as distributed on Red Hat Linux 6.2 through 7J and other operating systems, does not drop privileges after acquiring a raw socket, which increases ping's exposure to bugs that otherwise would occur at lower privileges. CVE-2000-1214 DESCRIPTION: Buffer overflows in the (1) outpack or (2) buf variables of ping in iputils before 20001010, as distributed on Red Hat Linux 6.2 through 7J and other operating systems, may allow local users to gain privileges. CVE-2000-1215 DESCRIPTION: The default configuration of Lotus Domino server 5.0.8 includes system information (version, operating system, and build date) in the HTTP headers of replies, which allows remote attackers to obtain sensitive information. CVE-2000-1216 DESCRIPTION: Buffer overflow in portmir for AIX 4.3.0 allows local users to corrupt lock files and gain root privileges via the echo_error routine. CVE-2000-1217 DESCRIPTION: Microsoft Windows 2000 before Service Pack 2 (SP2), when running in a non-Windows 2000 domain and using NTLM authentication, and when credentials of an account are locally cached, allows local users to bypass account lockout policies and make an unlimited number of login attempts, aka the "Domain Account Lockout" vulnerability. CVE-2000-1218 DESCRIPTION: The default configuration for the domain name resolver for Microsoft Windows 98, NT 4.0, 2000, and XP sets the QueryIpMatching parameter to 0, which causes Windows to accept DNS updates from hosts that it did not query, which allows remote attackers to poison the DNS cache. CVE-2000-1219 DESCRIPTION: The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows. CVE-2000-1220 DESCRIPTION: The line printer daemon (lpd) in the lpr package in multiple Linux operating systems allows local users to gain root privileges by causing sendmail to execute with arbitrary command line arguments, as demonstrated using the -C option to specify a configuration file. CVE-2000-1221 DESCRIPTION: The line printer daemon (lpd) in the lpr package in multiple Linux operating systems authenticates by comparing the reverse-resolved hostname of the local machine to the hostname of the print server as returned by gethostname, which allows remote attackers to bypass intended access controls by modifying the DNS for the attacking IP. CVE-2000-1222 DESCRIPTION: AIX sysback before 4.2.1.13 uses a relative path to find and execute the hostname program, which allows local users to gain privileges by modifying the path to point to a malicious hostname program. CVE-2000-1223 DESCRIPTION: quikstore.cgi in Quikstore Shopping Cart allows remote attackers to execute arbitrary commands via shell metacharacters in the URL portion of an HTTP GET request. CVE-2000-1224 DESCRIPTION: Caucho Technology Resin 1.2 and possibly earlier allows remote attackers to view JSP source via an HTTP request to a .jsp file with certain characters appended to the file name, such as (1) "..", (2) "%2e..", (3) "%81", (4) "%82", and others. CVE-2000-1225 DESCRIPTION: Xitami 2.5b installs the testcgi.exe program by default in the cgi-bin directory, which allows remote attackers to gain sensitive configuration information about the web server by accessing the program. CVE-2000-1226 DESCRIPTION: Snort 1.6, when running in straight ASCII packet logging mode or IDS mode with straight decoded ASCII packet logging selected, allows remote attackers to cause a denial of service (crash) by sending non-IP protocols that Snort does not know about, as demonstrated by an nmap protocol scan. CVE-2000-1227 DESCRIPTION: Windows NT 4.0 and Windows 2000 hosts allow remote attackers to cause a denial of service (unavailable connections) by sending multiple SMB SMBnegprots requests but not reading the response that is sent back. CVE-2000-1228 DESCRIPTION: Phorum 3.0.7 allows remote attackers to change the administrator password without authentication via an HTTP request for admin.php3 that sets step, option, confirm and newPssword variables. CVE-2000-1229 DESCRIPTION: Directory traversal vulnerability in Phorum 3.0.7 allows remote Phorum administrators to read arbitrary files via ".." (dot dot) sequences in the default .langfile name field in the Master Settings administrative function, which causes the file to be displayed in admin.php3. CVE-2000-1230 DESCRIPTION: Backdoor in auth.php3 in Phorum 3.0.7 allows remote attackers to access restricted web pages via an HTTP request with the PHP_AUTH_USER parameter set to "boogieman". CVE-2000-1231 DESCRIPTION: code.php3 in Phorum 3.0.7 allows remote attackers to read arbitrary files in the phorum directory via the query string. CVE-2000-1232 DESCRIPTION: upgrade.php3 in Phorum 3.0.7 could allow remote attackers to modify certain Phorum database tables via an unknown method. CVE-2000-1233 DESCRIPTION: SQL injection vulnerability in read.php3 and other scripts in Phorum 3.0.7 allows remote attackers to execute arbitrary SQL queries via the sSQL parameter. CVE-2000-1234 DESCRIPTION: violation.php3 in Phorum 3.0.7 allows remote attackers to send e-mails to arbitrary addresses and possibly use Phorum as a "spam proxy" by setting the Mod and ForumName parameters. CVE-2000-1235 DESCRIPTION: The default configurations of (1) the port listener and (2) modplsql in Oracle Internet Application Server (IAS) 3.0.7 and earlier allow remote attackers to view privileged database information via HTTP requests for Database Access Descriptor (DAD) files. CVE-2000-1236 DESCRIPTION: SQL injection vulnerability in mod_sql in Oracle Internet Application Server (IAS) 3.0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the query string of the URL. CVE-2000-1237 DESCRIPTION: The POP3 server in FTGate returns an -ERR code after receiving an invalid USER request, which makes it easier for remote attackers to determine valid usernames and conduct brute force password guessing. CVE-2000-1238 DESCRIPTION: BEA Systems WebLogic Express and WebLogic Server 5.1 SP1-SP6 allows remote attackers to bypass access controls for restricted JSP or servlet pages via a URL with multiple / (forward slash) characters before the restricted pages. CVE-2000-1239 DESCRIPTION: The HTTP interface of Tivoli Lightweight Client Framework (LCF) in IBM Tivoli Management Framework 3.7.1 sets http_disable to zero at install time, which allows remote authenticated users to bypass file permissions on Tivoli Endpoint Configuration data files via an unspecified manipulation of log files. CVE-2000-1240 DESCRIPTION: Unspecified vulnerability in siteman.php3 in AnyPortal(php) before 22 APR 00 allows remote attackers to obtain sensitive information via unknown attack vectors, which reveal the absolute path. NOTE: the provenance of this information is unknown; the details are obtained from third party information. CVE-2000-1241 DESCRIPTION: Unspecified vulnerability in Haakon Nilsen simple, integrated publishing system (SIPS) before 0.2.4 has an unknown impact and attack vectors, related to a "grave security fault." CVE-2000-1242 DESCRIPTION: The HTTP service in American Power Conversion (APC) PowerChute uses a default username and password, which allows remote attackers to gain system access. CVE-2000-1243 DESCRIPTION: Privacy leak in Dansie Shopping Cart 3.04, and probably earlier versions, sends sensitive information such as user credentials to an e-mail address controlled by the product developers. CVE-2000-1244 DESCRIPTION: Computer Associates InoculateIT Agent for Exchange Server does not recognize an e-mail virus attachment if the SMTP header is missing the "From" field, which allows remote attackers to bypass virus protection. CVE-2000-1245 DESCRIPTION: Multiple unspecified vulnerabilities in NWFTPD.nlm before 5.01o in the FTP server in Novell NetWare 5.1 SP3 allow remote attackers to bypass intended restrictions on anonymous access via unknown vectors. CVE-2000-1246 DESCRIPTION: NWFTPD.nlm before 5.01o in the FTP server in Novell NetWare 5.1 SP3 allows remote authenticated users to cause a denial of service (abend) by sending an RNTO command after a failed RNFR command. CVE-2000-1247 DESCRIPTION: The default configuration of the jserv-status handler in jserv.conf in Apache JServ 1.1.2 includes an "allow from 127.0.0.1" line, which allows local users to discover JDBC passwords or other sensitive information via a direct request to the jserv/ URI. CVE-2000-1248 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2000-1249 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2000-1250 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2000-1251 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2000-1252 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2000-1253 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2000-1254 DESCRIPTION: crypto/rsa/rsa_gen.c in OpenSSL before 0.9.6 mishandles C bitwise-shift operations that exceed the size of an expression, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging improper RSA key generation on 64-bit HP-UX platforms. CVE-2001-0001 DESCRIPTION: cookiedecode function in PHP-Nuke 4.4 allows users to bypass authentication and gain access to other user accounts by extracting the authentication information from a cookie. CVE-2001-0002 DESCRIPTION: Internet Explorer 5.5 and earlier allows remote attackers to obtain the physical location of cached content and open the content in the Local Computer Zone, then use compiled HTML help (.chm) files to execute arbitrary programs. CVE-2001-0003 DESCRIPTION: Web Extender Client (WEC) in Microsoft Office 2000, Windows 2000, and Windows Me does not properly process Internet Explorer security settings for NTLM authentication, which allows attackers to obtain NTLM credentials and possibly obtain the password, aka the "Web Client NTLM Authentication" vulnerability. CVE-2001-0004 DESCRIPTION: IIS 5.0 and 4.0 allows remote attackers to read the source code for executable web server programs by appending "%3F+.htr" to the requested URL, which causes the files to be parsed by the .HTR ISAPI extension, aka a variant of the "File Fragment Reading via .HTR" vulnerability. CVE-2001-0005 DESCRIPTION: Buffer overflow in the parsing mechanism of the file loader in Microsoft PowerPoint 2000 allows attackers to execute arbitrary commands. CVE-2001-0006 DESCRIPTION: The Winsock2ProtocolCatalogMutex mutex in Windows NT 4.0 has inappropriate Everyone/Full Control permissions, which allows local users to modify the permissions to "No Access" and disable Winsock network connectivity to cause a denial of service, aka the "Winsock Mutex" vulnerability. CVE-2001-0007 DESCRIPTION: Buffer overflow in NetScreen Firewall WebUI allows remote attackers to cause a denial of service via a long URL request to the web administration interface. CVE-2001-0008 DESCRIPTION: Backdoor account in Interbase database server allows remote attackers to overwrite arbitrary files using stored procedures. CVE-2001-0009 DESCRIPTION: Directory traversal vulnerability in Lotus Domino 5.0.5 web server allows remote attackers to read arbitrary files via a .. attack. CVE-2001-0010 DESCRIPTION: Buffer overflow in transaction signature (TSIG) handling code in BIND 8 allows remote attackers to gain root privileges. CVE-2001-0011 DESCRIPTION: Buffer overflow in nslookupComplain function in BIND 4 allows remote attackers to gain root privileges. CVE-2001-0012 DESCRIPTION: BIND 4 and BIND 8 allow remote attackers to access sensitive information such as environment variables. CVE-2001-0013 DESCRIPTION: Format string vulnerability in nslookupComplain function in BIND 4 allows remote attackers to gain root privileges. CVE-2001-0014 DESCRIPTION: Remote Data Protocol (RDP) in Windows 2000 Terminal Service does not properly handle certain malformed packets, which allows remote attackers to cause a denial of service, aka the "Invalid RDP Data" vulnerability. CVE-2001-0015 DESCRIPTION: Network Dynamic Data Exchange (DDE) in Windows 2000 allows local users to gain SYSTEM privileges via a "WM_COPYDATA" message to an invisible window that is running with the privileges of the WINLOGON process. CVE-2001-0016 DESCRIPTION: NTLM Security Support Provider (NTLMSSP) service does not properly check the function number in an LPC request, which could allow local users to gain administrator level access. CVE-2001-0017 DESCRIPTION: Memory leak in PPTP server in Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed data packet, aka the "Malformed PPTP Packet Stream" vulnerability. CVE-2001-0018 DESCRIPTION: Windows 2000 domain controller in Windows 2000 Server, Advanced Server, or Datacenter Server allows remote attackers to cause a denial of service via a flood of malformed service requests. CVE-2001-0019 DESCRIPTION: Arrowpoint (aka Cisco Content Services, or CSS) allows local users to cause a denial of service via a long argument to the "show script," "clear script," "show archive," "clear archive," "show log," or "clear log" commands. CVE-2001-0020 DESCRIPTION: Directory traversal vulnerability in Arrowpoint (aka Cisco Content Services, or CSS) allows local unprivileged users to read arbitrary files via a .. (dot dot) attack. CVE-2001-0021 DESCRIPTION: MailMan Webmail 3.0.25 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the alternate_template parameter. CVE-2001-0022 DESCRIPTION: simplestguest.cgi CGI program by Leif Wright allows remote attackers to execute arbitrary commands via shell metacharacters in the guestbook parameter. CVE-2001-0023 DESCRIPTION: everythingform.cgi CGI program by Leif Wright allows remote attackers to execute arbitrary commands via shell metacharacters in the config parameter. CVE-2001-0024 DESCRIPTION: simplestmail.cgi CGI program by Leif Wright allows remote attackers to execute arbitrary commands via shell metacharacters in the MyEmail parameter. CVE-2001-0025 DESCRIPTION: ad.cgi CGI program by Leif Wright allows remote attackers to execute arbitrary commands via shell metacharacters in the file parameter. CVE-2001-0026 DESCRIPTION: rp-pppoe PPPoE client allows remote attackers to cause a denial of service via the Clamp MSS option and a TCP packet with a zero-length TCP option. CVE-2001-0027 DESCRIPTION: mod_sqlpw module in ProFTPD does not reset a cached password when a user uses the "user" command to change accounts, which allows authenticated attackers to gain privileges of other users. CVE-2001-0028 DESCRIPTION: Buffer overflow in the HTML parsing code in oops WWW proxy server 1.5.2 and earlier allows remote attackers to execute arbitrary commands via a large number of " (quotation) characters. CVE-2001-0029 DESCRIPTION: Buffer overflow in oops WWW proxy server 1.4.6 (and possibly other versions) allows remote attackers to execute arbitrary commands via a long host or domain name that is obtained from a reverse DNS lookup. CVE-2001-0030 DESCRIPTION: FoolProof 3.9 allows local users to bypass program execution restrictions by downloading the restricted executables from another source and renaming them. CVE-2001-0031 DESCRIPTION: BroadVision One-To-One Enterprise allows remote attackers to determine the physical path of server files by requesting a .JSP file name that does not exist. CVE-2001-0032 DESCRIPTION: Format string vulnerability in ssldump possibly allows remote attackers to cause a denial of service and possibly gain root privileges via malicious format string specifiers in a URL. CVE-2001-0033 DESCRIPTION: KTH Kerberos IV allows local users to change the configuration of a Kerberos server running at an elevated privilege by specifying an alternate directory using with the KRBCONFDIR environmental variable, which allows the user to gain additional privileges. CVE-2001-0034 DESCRIPTION: KTH Kerberos IV allows local users to specify an alternate proxy using the krb4_proxy variable, which allows the user to generate false proxy responses and possibly gain privileges. CVE-2001-0035 DESCRIPTION: Buffer overflow in the kdc_reply_cipher function in KTH Kerberos IV allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long authentication request. CVE-2001-0036 DESCRIPTION: KTH Kerberos IV allows local users to overwrite arbitrary files via a symlink attack on a ticket file. CVE-2001-0037 DESCRIPTION: Directory traversal vulnerability in HomeSeer before 1.4.29 allows remote attackers to read arbitrary files via a URL containing .. (dot dot) specifiers. CVE-2001-0038 DESCRIPTION: Offline Explorer 1.4 before Service Release 2 allows remote attackers to read arbitrary files by specifying the drive letter (e.g. C:) in the requested URL. CVE-2001-0039 DESCRIPTION: IPSwitch IMail 6.0.5 allows remote attackers to cause a denial of service using the SMTP AUTH command by sending a base64-encoded user password whose length is between 80 and 136 bytes. CVE-2001-0040 DESCRIPTION: APC UPS daemon, apcupsd, saves its process ID in a world-writable file, which allows local users to kill an arbitrary process by specifying the target process ID in the apcupsd.pid file. CVE-2001-0041 DESCRIPTION: Memory leak in Cisco Catalyst 4000, 5000, and 6000 series switches allows remote attackers to cause a denial of service via a series of failed telnet authentication attempts. CVE-2001-0042 DESCRIPTION: PHP 3.x (PHP3) on Apache 1.3.6 allows remote attackers to read arbitrary files via a modified .. (dot dot) attack containing "%5c" (encoded backslash) sequences. CVE-2001-0043 DESCRIPTION: phpGroupWare before 0.9.7 allows remote attackers to execute arbitrary PHP commands by specifying a malicious include file in the phpgw_info parameter of the phpgw.inc.php program. CVE-2001-0044 DESCRIPTION: Multiple buffer overflows in Lexmark MarkVision printer driver programs allows local users to gain privileges via long arguments to the cat_network, cat_paraller, and cat_serial commands. CVE-2001-0045 DESCRIPTION: The default permissions for the RAS Administration key in Windows NT 4.0 allows local users to execute arbitrary commands by changing the value to point to a malicious DLL, aka one of the "Registry Permissions" vulnerabilities. CVE-2001-0046 DESCRIPTION: The default permissions for the SNMP Parameters registry key in Windows NT 4.0 allows remote attackers to read and possibly modify the SNMP community strings to obtain sensitive information or modify network configuration, aka one of the "Registry Permissions" vulnerabilities. CVE-2001-0047 DESCRIPTION: The default permissions for the MTS Package Administration registry key in Windows NT 4.0 allows local users to install or modify arbitrary Microsoft Transaction Server (MTS) packages and gain privileges, aka one of the "Registry Permissions" vulnerabilities. CVE-2001-0048 DESCRIPTION: The "Configure Your Server" tool in Microsoft 2000 domain controllers installs a blank password for the Directory Service Restore Mode, which allows attackers with physical access to the controller to install malicious programs, aka the "Directory Service Restore Mode Password" vulnerability. CVE-2001-0049 DESCRIPTION: WatchGuard SOHO FireWall 2.2.1 and earlier allows remote attackers to cause a denial of service via a large number of GET requests. CVE-2001-0050 DESCRIPTION: Buffer overflow in BitchX IRC client allows remote attackers to cause a denial of service and possibly execute arbitrary commands via an IP address that resolves to a long DNS hostname or domain name. CVE-2001-0051 DESCRIPTION: IBM DB2 Universal Database version 6.1 creates an account with a default user name and password, which allows remote attackers to gain access to the database. CVE-2001-0052 DESCRIPTION: IBM DB2 Universal Database version 6.1 allows users to cause a denial of service via a malformed query. CVE-2001-0053 DESCRIPTION: One-byte buffer overflow in replydirname function in BSD-based ftpd allows remote attackers to gain root privileges. CVE-2001-0054 DESCRIPTION: Directory traversal vulnerability in FTP Serv-U before 2.5i allows remote attackers to escape the FTP root and read arbitrary files by appending a string such as "/..%20." to a CD command, a variant of a .. (dot dot) attack. CVE-2001-0055 DESCRIPTION: CBOS 2.4.1 and earlier in Cisco 600 routers allows remote attackers to cause a denial of service via a slow stream of TCP SYN packets. CVE-2001-0056 DESCRIPTION: The Cisco Web Management interface in routers running CBOS 2.4.1 and earlier does not log invalid logins, which allows remote attackers to guess passwords without detection. CVE-2001-0057 DESCRIPTION: Cisco 600 routers running CBOS 2.4.1 and earlier allow remote attackers to cause a denial of service via a large ICMP echo (ping) packet. CVE-2001-0058 DESCRIPTION: The Web interface to Cisco 600 routers running CBOS 2.4.1 and earlier allow remote attackers to cause a denial of service via a URL that does not end in a space character. CVE-2001-0059 DESCRIPTION: patchadd in Solaris allows local users to overwrite arbitrary files via a symlink attack. CVE-2001-0060 DESCRIPTION: Format string vulnerability in stunnel 3.8 and earlier allows attackers to execute arbitrary commands via a malformed ident username. CVE-2001-0061 DESCRIPTION: procfs in FreeBSD and possibly other operating systems does not properly restrict access to per-process mem and ctl files, which allows local users to gain root privileges by forking a child process and executing a privileged process from the child, while the parent retains access to the child's address space. CVE-2001-0062 DESCRIPTION: procfs in FreeBSD and possibly other operating systems allows local users to cause a denial of service by calling mmap on the process' own mem file, which causes the kernel to hang. CVE-2001-0063 DESCRIPTION: procfs in FreeBSD and possibly other operating systems allows local users to bypass access control restrictions for a jail environment and gain additional privileges. CVE-2001-0064 DESCRIPTION: Webconfig, IMAP, and other services in MDaemon 3.5.0 and earlier allows remote attackers to cause a denial of service via a long URL terminated by a "\r\n" string. CVE-2001-0065 DESCRIPTION: Buffer overflow in bftpd 1.0.13 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long SITE CHOWN command. CVE-2001-0066 DESCRIPTION: Secure Locate (slocate) allows local users to corrupt memory via a malformed database file that specifies an offset value that accesses memory outside of the intended buffer. CVE-2001-0067 DESCRIPTION: The installation of J-Pilot creates the .jpilot directory with the user's umask, which could allow local attackers to read other users' PalmOS backup information if their umasks are not securely set. CVE-2001-0068 DESCRIPTION: Mac OS Runtime for Java (MRJ) 2.2.3 allows remote attackers to use malicious applets to read files outside of the CODEBASE context via the ARCHIVE applet parameter. CVE-2001-0069 DESCRIPTION: dialog before 0.9a-20000118-3bis in Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack. CVE-2001-0070 DESCRIPTION: Buffer overflow in 1st Up Mail Server 4.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long MAIL FROM command. CVE-2001-0071 DESCRIPTION: gpg (aka GnuPG) 1.0.4 and other versions does not properly verify detached signatures, which allows attackers to modify the contents of a file without detection. CVE-2001-0072 DESCRIPTION: gpg (aka GnuPG) 1.0.4 and other versions imports both public and private keys from public key servers without notifying the user about the private keys, which could allow an attacker to break the web of trust. CVE-2001-0073 DESCRIPTION: Buffer overflow in the find_default_type function in libsecure in NSA Security-enhanced Linux, which may allow attackers to modify critical data in memory. CVE-2001-0074 DESCRIPTION: Directory traversal vulnerability in print.cgi in Technote allows remote attackers to read arbitrary files via a .. (dot dot) attack in the board parameter. CVE-2001-0075 DESCRIPTION: Directory traversal vulnerability in main.cgi in Technote allows remote attackers to read arbitrary files via a .. (dot dot) attack in the filename parameter. CVE-2001-0076 DESCRIPTION: register.cgi in Ikonboard 2.1.7b and earlier allows remote attackers to execute arbitrary commands via the SEND_MAIL parameter, which overwrites an internal program variable that references a program to be executed. CVE-2001-0077 DESCRIPTION: The clustmon service in Sun Cluster 2.x does not require authentication, which allows remote attackers to obtain sensitive information such as system logs and cluster configurations. CVE-2001-0078 DESCRIPTION: in.mond in Sun Cluster 2.x allows local users to read arbitrary files via a symlink attack on the status file of a host running HA-NFS. CVE-2001-0079 DESCRIPTION: Support Tools Manager (STM) A.22.00 for HP-UX allows local users to overwrite arbitrary files via a symlink attack on the tool_stat.txt log file. CVE-2001-0080 DESCRIPTION: Cisco Catalyst 6000, 5000, or 4000 switches allow remote attackers to cause a denial of service by connecting to the SSH service with a non-SSH client, which generates a protocol mismatch error. CVE-2001-0081 DESCRIPTION: swinit in nCipher does not properly disable the Operator Card Set recovery feature even when explicitly disabled by the user, which could allow attackers to gain access to application keys. CVE-2001-0082 DESCRIPTION: Check Point VPN-1/FireWall-1 4.1 SP2 with Fastmode enabled allows remote attackers to bypass access restrictions via malformed, fragmented packets. CVE-2001-0083 DESCRIPTION: Windows Media Unicast Service in Windows Media Services 4.0 and 4.1 does not properly shut down some types of connections, producing a memory leak that allows remote attackers to cause a denial of service via a series of severed connections, aka the "Severed Windows Media Server Connection" vulnerability. CVE-2001-0084 DESCRIPTION: GTK+ library allows local users to specify arbitrary modules via the GTK_MODULES environmental variable, which could allow local users to gain privileges if GTK+ is used by a setuid/setgid program. CVE-2001-0085 DESCRIPTION: Buffer overflow in Kermit communications software in HP-UX 11.0 and earlier allows local users to cause a denial of service and possibly execute arbitrary commands. CVE-2001-0086 DESCRIPTION: CGI Script Center Subscribe Me LITE 2.0 and earlier allows remote attackers to delete arbitrary mailing list users without authentication by directly calling subscribe.pl with the target address as a parameter. CVE-2001-0087 DESCRIPTION: itetris/xitetris 1.6.2 and earlier trusts the PATH environmental variable to find and execute the gunzip program, which allows local users to gain root privileges by changing their PATH so that it points to a malicious gunzip program. CVE-2001-0088 DESCRIPTION: common.inc.php in phpWebLog 0.4.2 does not properly initialize the $CONF array, which inadvertently sets the password to a single character, allowing remote attackers to easily guess the SiteKey and gain administrative privileges to phpWebLog. CVE-2001-0089 DESCRIPTION: Internet Explorer 5.0 through 5.5 allows remote attackers to read arbitrary files from the client via the INPUT TYPE element in an HTML form, aka the "File Upload via Form" vulnerability. CVE-2001-0090 DESCRIPTION: The Print Templates feature in Internet Explorer 5.5 executes arbitrary custom print templates without prompting the user, which could allow an attacker to execute arbitrary ActiveX controls, aka the "Browser Print Template" vulnerability. CVE-2001-0091 DESCRIPTION: The ActiveX control for invoking a scriptlet in Internet Explorer 5.0 through 5.5 renders arbitrary file types instead of HTML, which allows an attacker to read arbitrary files, aka a variant of the "Scriptlet Rendering" vulnerability. CVE-2001-0092 DESCRIPTION: A function in Internet Explorer 5.0 through 5.5 does not properly verify the domain of a frame within a browser window, which allows a remote attacker to read client files, aka a new variant of the "Frame Domain Verification" vulnerability. CVE-2001-0093 DESCRIPTION: Vulnerability in telnetd in FreeBSD 1.5 allows local users to gain root privileges by modifying critical environmental variables that affect the behavior of telnetd. CVE-2001-0094 DESCRIPTION: Buffer overflow in kdc_reply_cipher of libkrb (Kerberos 4 authentication library) in NetBSD 1.5 and FreeBSD 4.2 and earlier, as used in Kerberised applications such as telnetd and login, allows local users to gain root privileges. CVE-2001-0095 DESCRIPTION: catman in Solaris 2.7 and 2.8 allows local users to overwrite arbitrary files via a symlink attack on the sman_PID temporary file. CVE-2001-0096 DESCRIPTION: FrontPage Server Extensions (FPSE) in IIS 4.0 and 5.0 allows remote attackers to cause a denial of service via a malformed form, aka the "Malformed Web Form Submission" vulnerability. CVE-2001-0097 DESCRIPTION: The Web interface for Infinite Interchange 3.6.1 allows remote attackers to cause a denial of service (application crash) via a large POST request. CVE-2001-0098 DESCRIPTION: Buffer overflow in Bea WebLogic Server before 5.1.0 allows remote attackers to execute arbitrary commands via a long URL that begins with a ".." string. CVE-2001-0099 DESCRIPTION: bsguest.cgi guestbook script allows remote attackers to execute arbitrary commands via shell metacharacters in the email address. CVE-2001-0100 DESCRIPTION: bslist.cgi mailing list script allows remote attackers to execute arbitrary commands via shell metacharacters in the email address. CVE-2001-0101 DESCRIPTION: Vulnerability in fetchmail 5.5.0-2 and earlier in the AUTHENTICATE GSSAPI command. CVE-2001-0102 DESCRIPTION: "Multiple Users" Control Panel in Mac OS 9 allows Normal users to gain Owner privileges by removing the Users & Groups Data File, which effectively removes the Owner password and allows the Normal user to log in as the Owner account without a password. CVE-2001-0103 DESCRIPTION: CoffeeCup Direct and Free FTP clients uses weak encryption to store passwords in the FTPServers.ini file, which could allow attackers to easily decrypt the passwords. CVE-2001-0104 DESCRIPTION: MDaemon Pro 3.5.1 and earlier allows local users to bypass the "lock server" security setting by pressing the Cancel button at the password prompt, then pressing the enter key. CVE-2001-0105 DESCRIPTION: Vulnerability in top in HP-UX 11.04 and earlier allows local users to overwrite files owned by the "sys" group. CVE-2001-0106 DESCRIPTION: Vulnerability in inetd server in HP-UX 11.04 and earlier allows attackers to cause a denial of service when the "swait" state is used by a server. CVE-2001-0107 DESCRIPTION: Veritas Backup agent on Linux allows remote attackers to cause a denial of service by establishing a connection without sending any data, which causes the process to hang. CVE-2001-0108 DESCRIPTION: PHP Apache module 4.0.4 and earlier allows remote attackers to bypass .htaccess access restrictions via a malformed HTTP request on an unrestricted page that causes PHP to use those access controls on the next page that is requested. CVE-2001-0109 DESCRIPTION: rctab in SuSE 7.0 and earlier allows local users to create or overwrite arbitrary files via a symlink attack on the rctmp temporary file. CVE-2001-0110 DESCRIPTION: Buffer overflow in jaZip Zip/Jaz drive manager allows local users to gain root privileges via a long DISPLAY environmental variable. CVE-2001-0111 DESCRIPTION: Format string vulnerability in splitvt before 1.6.5 allows local users to execute arbitrary commands via the -rcfile command line argument. CVE-2001-0112 DESCRIPTION: Multiple buffer overflows in splitvt before 1.6.5 allow local users to execute arbitrary commands. CVE-2001-0113 DESCRIPTION: statsconfig.pl in OmniHTTPd 2.07 allows remote attackers to execute arbitrary commands via the mostbrowsers parameter, whose value is used as part of a generated Perl script. CVE-2001-0114 DESCRIPTION: statsconfig.pl in OmniHTTPd 2.07 allows remote attackers to overwrite arbitrary files via the cgidir parameter. CVE-2001-0115 DESCRIPTION: Buffer overflow in arp command in Solaris 7 and earlier allows local users to execute arbitrary commands via a long -f parameter. CVE-2001-0116 DESCRIPTION: gpm 1.19.3 allows local users to overwrite arbitrary files via a symlink attack. CVE-2001-0117 DESCRIPTION: sdiff 2.7 in the diffutils package allows local users to overwrite files via a symlink attack. CVE-2001-0118 DESCRIPTION: rdist 6.1.5 allows local users to overwrite arbitrary files via a symlink attack. CVE-2001-0119 DESCRIPTION: getty_ps 2.0.7j allows local users to overwrite arbitrary files via a symlink attack. CVE-2001-0120 DESCRIPTION: useradd program in shadow-utils program may allow local users to overwrite arbitrary files via a symlink attack. CVE-2001-0121 DESCRIPTION: ImageCast Control Center 4.1.0 allows remote attackers to cause a denial of service (resource exhaustion or system crash) via a long string to port 12002. CVE-2001-0122 DESCRIPTION: Kernel leak in AfpaCache module of the Fast Response Cache Accelerator (FRCA) component of IBM HTTP Server 1.3.x and Websphere 3.52 allows remote attackers to cause a denial of service via a series of malformed HTTP requests that generate a "bad request" error. CVE-2001-0123 DESCRIPTION: Directory traversal vulnerability in eXtropia bbs_forum.cgi 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack on the file parameter. CVE-2001-0124 DESCRIPTION: Buffer overflow in exrecover in Solaris 2.6 and earlier possibly allows local users to gain privileges via a long command line argument. CVE-2001-0125 DESCRIPTION: exmh 2.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the exmhErrorMsg temporary file. CVE-2001-0126 DESCRIPTION: Oracle XSQL servlet 1.0.3.0 and earlier allows remote attackers to execute arbitrary Java code by redirecting the XSQL server to another source via the xml-stylesheet parameter in the xslt stylesheet. CVE-2001-0127 DESCRIPTION: Buffer overflow in Olivier Debon Flash plugin (not the Macromedia plugin) allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long DefineSound tag. CVE-2001-0128 DESCRIPTION: Zope before 2.2.4 does not properly compute local roles, which could allow users to bypass specified access restrictions and gain privileges. CVE-2001-0129 DESCRIPTION: Buffer overflow in Tinyproxy HTTP proxy 1.3.3 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long connect request. CVE-2001-0130 DESCRIPTION: Buffer overflow in HTML parser of the Lotus R5 Domino Server before 5.06, and Domino Client before 5.05, allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a malformed font size specifier. CVE-2001-0131 DESCRIPTION: htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local users to overwrite arbitrary files via a symlink attack. CVE-2001-0132 DESCRIPTION: Interscan VirusWall 3.6.x and earlier follows symbolic links when uninstalling the product, which allows local users to overwrite arbitrary files via a symlink attack. CVE-2001-0133 DESCRIPTION: The web administration interface for Interscan VirusWall 3.6.x and earlier does not use encryption, which could allow remote attackers to obtain the administrator password to sniff the administrator password via the setpasswd.cgi program or other HTTP GET requests that contain base64 encoded usernames and passwords. CVE-2001-0134 DESCRIPTION: Buffer overflow in cpqlogin.htm in web-enabled agents for various Compaq management software products such as Insight Manager and Management Agents allows remote attackers to execute arbitrary commands via a long user name. CVE-2001-0135 DESCRIPTION: The default installation of Ultraboard 2000 2.11 creates the Skins, Database, and Backups directories with world-writeable permissions, which could allow local users to modify sensitive information or possibly insert and execute CGI programs. CVE-2001-0136 DESCRIPTION: Memory leak in ProFTPd 1.2.0rc2 allows remote attackers to cause a denial of service via a series of USER commands, and possibly SIZE commands if the server has been improperly installed. CVE-2001-0137 DESCRIPTION: Windows Media Player 7 allows remote attackers to execute malicious Java applets in Internet Explorer clients by enclosing the applet in a skin file named skin.wmz, then referencing that skin in the codebase parameter to an applet tag, aka the Windows Media Player Skins File Download" vulnerability. CVE-2001-0138 DESCRIPTION: privatepw program in wu-ftpd before 2.6.1-6 allows local users to overwrite arbitrary files via a symlink attack. CVE-2001-0139 DESCRIPTION: inn 2.2.3 allows local users to overwrite arbitrary files via a symlink attack in some configurations. CVE-2001-0140 DESCRIPTION: arpwatch 2.1a4 allows local users to overwrite arbitrary files via a symlink attack in some configurations. CVE-2001-0141 DESCRIPTION: mgetty 1.1.22 allows local users to overwrite arbitrary files via a symlink attack in some configurations. CVE-2001-0142 DESCRIPTION: squid 2.3 and earlier allows local users to overwrite arbitrary files via a symlink attack in some configurations. CVE-2001-0143 DESCRIPTION: vpop3d program in linuxconf 1.23r and earlier allows local users to overwrite arbitrary files via a symlink attack. CVE-2001-0144 DESCRIPTION: CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow. CVE-2001-0145 DESCRIPTION: Buffer overflow in VCard handler in Outlook 2000 and 98, and Outlook Express 5.x, allows an attacker to execute arbitrary commands via a malformed vCard birthday field. CVE-2001-0146 DESCRIPTION: IIS 5.0 and Microsoft Exchange 2000 allow remote attackers to cause a denial of service (memory allocation error) by repeatedly sending a series of specially formatted URL's. CVE-2001-0147 DESCRIPTION: Buffer overflow in Windows 2000 event viewer snap-in allows attackers to execute arbitrary commands via a malformed field that is improperly handled during the detailed view of event records. CVE-2001-0148 DESCRIPTION: The WMP ActiveX Control in Windows Media Player 7 allows remote attackers to execute commands in Internet Explorer via javascript URLs, a variant of the "Frame Domain Verification" vulnerability. CVE-2001-0149 DESCRIPTION: Windows Scripting Host in Internet Explorer 5.5 and earlier allows remote attackers to read arbitrary files via the GetObject Javascript function and the htmlfile ActiveX object. CVE-2001-0150 DESCRIPTION: Internet Explorer 5.5 and earlier executes Telnet sessions using command line arguments that are specified by the web site, which could allow remote attackers to execute arbitrary commands if the IE client is using the Telnet client provided in Services for Unix (SFU) 2.0, which creates session transcripts. CVE-2001-0151 DESCRIPTION: IIS 5.0 allows remote attackers to cause a denial of service via a series of malformed WebDAV requests. CVE-2001-0152 DESCRIPTION: The password protection option for the Compressed Folders feature in Plus! for Windows 98 and Windows Me writes password information to a file, which allows local users to recover the passwords and read the compressed folders. CVE-2001-0153 DESCRIPTION: Buffer overflow in VB-TSQL debugger object (vbsdicli.exe) in Visual Studio 6.0 Enterprise Edition allows remote attackers to execute arbitrary commands. CVE-2001-0154 DESCRIPTION: HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly. CVE-2001-0155 DESCRIPTION: Format string vulnerability in VShell SSH gateway 1.0.1 and earlier allows remote attackers to execute arbitrary commands via a user name that contains format string specifiers. CVE-2001-0156 DESCRIPTION: VShell SSH gateway 1.0.1 and earlier has a default port forwarding rule of 0.0.0.0/0.0.0.0, which could allow local users to conduct arbitrary port forwarding to other systems. CVE-2001-0157 DESCRIPTION: Debugging utility in the backdoor mode of Palm OS 3.5.2 and earlier allows attackers with physical access to a Palm device to bypass access restrictions and obtain passwords, even if the system lockout mechanism is enabled. CVE-2001-0158 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0159 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0160 DESCRIPTION: Lucent/ORiNOCO WaveLAN cards generate predictable Initialization Vector (IV) values for the Wireless Encryption Protocol (WEP) which allows remote attackers to quickly compile information that will let them decrypt messages. CVE-2001-0161 DESCRIPTION: Cisco 340-series Aironet access point using firmware 11.01 does not use 6 of the 24 available IV bits for WEP encryption, which makes it easier for remote attackers to mount brute force attacks. CVE-2001-0162 DESCRIPTION: WinCE 3.0.9348 generates predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections. CVE-2001-0163 DESCRIPTION: Cisco AP340 base station produces predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections. CVE-2001-0164 DESCRIPTION: Buffer overflow in Netscape Directory Server 4.12 and earlier allows remote attackers to cause a denial of service or execute arbitrary commands via a malformed recipient field. CVE-2001-0165 DESCRIPTION: Buffer overflow in ximp40 shared library in Solaris 7 and Solaris 8 allows local users to gain privileges via a long "arg0" (process name) argument. CVE-2001-0166 DESCRIPTION: Macromedia Shockwave Flash plugin version 8 and earlier allows remote attackers to cause a denial of service via malformed tag length specifiers in a SWF file. CVE-2001-0167 DESCRIPTION: Buffer overflow in AT&T WinVNC (Virtual Network Computing) client 3.3.3r7 and earlier allows remote attackers to execute arbitrary commands via a long rfbConnFailed packet with a long reason string. CVE-2001-0168 DESCRIPTION: Buffer overflow in AT&T WinVNC (Virtual Network Computing) server 3.3.3r7 and earlier allows remote attackers to execute arbitrary commands via a long HTTP GET request when the DebugLevel registry key is greater than 0. CVE-2001-0169 DESCRIPTION: When using the LD_PRELOAD environmental variable in SUID or SGID applications, glibc does not verify that preloaded libraries in /etc/ld.so.cache are also SUID/SGID, which could allow a local user to overwrite arbitrary files by loading a library from /lib or /usr/lib. CVE-2001-0170 DESCRIPTION: glibc 2.1.9x and earlier does not properly clear the RESOLV_HOST_CONF, HOSTALIASES, or RES_OPTIONS environmental variables when executing setuid/setgid programs, which could allow local users to read arbitrary files. CVE-2001-0171 DESCRIPTION: Buffer overflow in SlimServe HTTPd 1.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long GET request. CVE-2001-0172 DESCRIPTION: Buffer overflow in ReiserFS 3.5.28 in SuSE Linux allows local users to cause a denial of service and possibly execute arbitrary commands by via a long directory name. CVE-2001-0173 DESCRIPTION: Buffer overflow in qDecoder library 5.08 and earlier, as used in CrazyWWWBoard, CrazySearch, and other CGI programs, allows remote attackers to execute arbitrary commands via a long MIME Content-Type header. CVE-2001-0174 DESCRIPTION: Buffer overflow in Trend Micro Virus Buster 2001 8.00 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a large "To" address. CVE-2001-0175 DESCRIPTION: The caching module in Netscape Fasttrack Server 4.1 allows remote attackers to cause a denial of service (resource exhaustion) by requesting a large number of non-existent URLs. CVE-2001-0176 DESCRIPTION: The setuid doroot program in Voyant Sonata 3.x executes arbitrary command line arguments, which allows local users to gain root privileges. CVE-2001-0177 DESCRIPTION: WebMaster ConferenceRoom 1.8.1 allows remote attackers to cause a denial of service via a buddy relationship between the IRC server and a server clone. CVE-2001-0178 DESCRIPTION: kdesu program in KDE2 (KDE before 2.2.0-6) does not properly verify the owner of a UNIX socket that is used to send a password, which allows local users to steal passwords and gain privileges. CVE-2001-0179 DESCRIPTION: Allaire JRun 3.0 allows remote attackers to list contents of the WEB-INF directory, and the web.xml file in the WEB-INF directory, via a malformed URL that contains a "." CVE-2001-0180 DESCRIPTION: Lars Ellingsen guestserver.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the "email" parameter. CVE-2001-0181 DESCRIPTION: Format string vulnerability in the error logging code of DHCP server and client in Caldera Linux allows remote attackers to execute arbitrary commands. CVE-2001-0182 DESCRIPTION: FireWall-1 4.1 with a limited-IP license allows remote attackers to cause a denial of service by sending a large number of spoofed IP packets with various source addresses to the inside interface, which floods the console with warning messages and consumes CPU resources. CVE-2001-0183 DESCRIPTION: ipfw and ip6fw in FreeBSD 4.2 and earlier allows remote attackers to bypass access restrictions by setting the ECE flag in a TCP packet, which makes the packet appear to be part of an established connection. CVE-2001-0184 DESCRIPTION: eEye Iris 1.01 beta allows remote attackers to cause a denial of service via a malformed packet, which causes Iris to crash when a user views the packet. CVE-2001-0185 DESCRIPTION: Netopia R9100 router version 4.6 allows authenticated users to cause a denial of service by using the router's telnet program to connect to the router's IP address, which causes a crash. CVE-2001-0186 DESCRIPTION: Directory traversal vulnerability in Free Java Web Server 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2001-0187 DESCRIPTION: Format string vulnerability in wu-ftp 2.6.1 and earlier, when running with debug mode enabled, allows remote attackers to execute arbitrary commands via a malformed argument that is recorded in a PASV port assignment. CVE-2001-0188 DESCRIPTION: GoodTech FTP server 3.0.1.2.1.0 and earlier allows remote attackers to cause a denial of service via a flood of connections to the server, which causes it to crash. CVE-2001-0189 DESCRIPTION: Directory traversal vulnerability in LocalWEB2000 HTTP server allows remote attackers to read arbitrary commands via a .. (dot dot) attack in an HTTP GET request. CVE-2001-0190 DESCRIPTION: Buffer overflow in /usr/bin/cu in Solaris 2.8 and earlier, and possibly other operating systems, allows local users to gain privileges by executing cu with a long program name (arg0). CVE-2001-0191 DESCRIPTION: gnuserv before 3.12, as shipped with XEmacs, does not properly check the specified length of an X Windows MIT-MAGIC-COOKIE cookie, which allows remote attackers to execute arbitrary commands via a buffer overflow, or brute force authentication by using a short cookie length. CVE-2001-0192 DESCRIPTION: Buffer overflows in CTRLServer in XMail allows attackers to execute arbitrary commands via the cfgfileget or domaindel functions. CVE-2001-0193 DESCRIPTION: Format string vulnerability in man in some Linux distributions allows local users to gain privileges via a malformed -l parameter. CVE-2001-0194 DESCRIPTION: Buffer overflow in httpGets function in CUPS 1.1.5 allows remote attackers to execute arbitrary commands via a long input line. CVE-2001-0195 DESCRIPTION: sash before 3.4-4 in Debian GNU/Linux does not properly clone /etc/shadow, which makes it world-readable and could allow local users to gain privileges via password cracking. CVE-2001-0196 DESCRIPTION: inetd ident server in FreeBSD 4.x and earlier does not properly set group permissions, which allows remote attackers to read the first 16 bytes of files that are accessible by the wheel group. CVE-2001-0197 DESCRIPTION: Format string vulnerability in print_client in icecast 1.3.8beta2 and earlier allows remote attackers to execute arbitrary commands. CVE-2001-0198 DESCRIPTION: Buffer overflow in QuickTime Player plugin 4.1.2 (Japanese) allows remote attackers to execute arbitrary commands via a long HREF parameter in an EMBED tag. CVE-2001-0199 DESCRIPTION: Directory traversal vulnerability in SEDUM HTTP Server 2.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack in the HTTP GET request. CVE-2001-0200 DESCRIPTION: HSWeb 2.0 HTTP server allows remote attackers to obtain the physical path of the server via a request to the /cgi/ directory, which will list the path if directory browsing is enabled. CVE-2001-0201 DESCRIPTION: The Postaci frontend for PostgreSQL does not properly filter characters such as semicolons, which could allow remote attackers to execute arbitrary SQL queries via the deletecontact.php program. CVE-2001-0202 DESCRIPTION: Picserver web server allows remote attackers to read arbitrary files via a .. (dot dot) attack in an HTTP GET request. CVE-2001-0203 DESCRIPTION: Watchguard Firebox II firewall allows users with read-only access to gain read-write access, and administrative privileges, by accessing a file that contains hashed passphrases, and using the hashes during authentication. CVE-2001-0204 DESCRIPTION: Watchguard Firebox II allows remote attackers to cause a denial of service by establishing multiple connections and sending malformed PPTP packets. CVE-2001-0205 DESCRIPTION: Directory traversal vulnerability in AOLserver 3.2 and earlier allows remote attackers to read arbitrary files by inserting "..." into the requested pathname, a modified .. (dot dot) attack. CVE-2001-0206 DESCRIPTION: Directory traversal vulnerability in Soft Lite ServerWorx 3.00 allows remote attackers to read arbitrary files by inserting a .. (dot dot) or ... into the requested pathname of an HTTP GET request. CVE-2001-0207 DESCRIPTION: Buffer overflow in bing allows remote attackers to execute arbitrary commands via a long hostname, which is copied to a small buffer after a reverse DNS lookup using the gethostbyaddr function. CVE-2001-0208 DESCRIPTION: MicroFocus Cobol 4.1, with the AppTrack feature enabled, installs the mfaslmf directory and the nolicense file with insecure permissions, which allows local users to gain privileges by modifying files. CVE-2001-0209 DESCRIPTION: Buffer overflow in Shoutcast Distributed Network Audio Server (DNAS) 1.7.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long description. CVE-2001-0210 DESCRIPTION: Directory traversal vulnerability in commerce.cgi CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack in the page parameter. CVE-2001-0211 DESCRIPTION: Directory traversal vulnerability in WebSPIRS 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) attack on the sp.nextform parameter. CVE-2001-0212 DESCRIPTION: Directory traversal vulnerability in HIS Auktion 1.62 allows remote attackers to read arbitrary files via a .. (dot dot) in the menue parameter, and possibly execute commands via shell metacharacters. CVE-2001-0213 DESCRIPTION: Buffer overflow in pi program in PlanetIntra 2.5 allows remote attackers to execute arbitrary commands. CVE-2001-0214 DESCRIPTION: Way-board CGI program allows remote attackers to read arbitrary files by specifying the filename in the db parameter and terminating the filename with a null byte. CVE-2001-0215 DESCRIPTION: ROADS search.pl program allows remote attackers to read arbitrary files by specifying the file name in the form parameter and terminating the filename with a null byte. CVE-2001-0216 DESCRIPTION: PALS Library System pals-cgi program allows remote attackers to execute arbitrary commands via shell metacharacters in the documentName parameter. CVE-2001-0217 DESCRIPTION: Directory traversal vulnerability in PALS Library System pals-cgi program allows remote attackers to read arbitrary files via a .. (dot dot) in the documentName parameter. CVE-2001-0218 DESCRIPTION: Format string vulnerability in mars_nwe 0.99.pl19 allows remote attackers to execute arbitrary commands. CVE-2001-0219 DESCRIPTION: Vulnerability in Support Tools Manager (xstm,cstm,stm) in HP-UX 11.11 and earlier allows local users to cause a denial of service. CVE-2001-0220 DESCRIPTION: Buffer overflow in ja-elvis and ko-helvis ports of elvis allow local users to gain root privileges. CVE-2001-0221 DESCRIPTION: Buffer overflow in ja-xklock 2.7.1 and earlier allows local users to gain root privileges. CVE-2001-0222 DESCRIPTION: webmin 0.84 and earlier allows local users to overwrite and create arbitrary files via a symlink attack. CVE-2001-0223 DESCRIPTION: Buffer overflow in wwwwais allows remote attackers to execute arbitrary commands via a long QUERY_STRING (HTTP GET request). CVE-2001-0224 DESCRIPTION: Muscat Empower CGI program allows remote attackers to obtain the absolute pathname of the server via an invalid request in the DB parameter. CVE-2001-0225 DESCRIPTION: fortran math component in Infobot 0.44.5.3 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters. CVE-2001-0226 DESCRIPTION: Directory traversal vulnerability in BiblioWeb web server 2.0 allows remote attackers to read arbitrary files via a .. (dot dot) or ... attack in an HTTP GET request. CVE-2001-0227 DESCRIPTION: Buffer overflow in BiblioWeb web server 2.0 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long HTTP GET request. CVE-2001-0228 DESCRIPTION: Directory traversal vulnerability in GoAhead web server 2.1 and earlier allows remote attackers to read arbitrary files via a .. attack in an HTTP GET request. CVE-2001-0229 DESCRIPTION: Chili!Soft ASP for Linux before 3.6 does not properly set group privileges when running in inherited mode, which could allow attackers to gain privileges via malicious scripts. CVE-2001-0230 DESCRIPTION: Buffer overflow in dc20ctrl before 0.4_1 in FreeBSD, and possibly other operating systems, allows local users to gain privileges. CVE-2001-0231 DESCRIPTION: Directory traversal vulnerability in newsdesk.cgi in News Desk 1.2 allows remote attackers to read arbitrary files via a .. in the "t" parameter. CVE-2001-0232 DESCRIPTION: newsdesk.cgi in News Desk 1.2 allows remote attackers to read arbitrary files via shell metacharacters. CVE-2001-0233 DESCRIPTION: Buffer overflow in micq client 0.4.6 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long Description field. CVE-2001-0234 DESCRIPTION: NewsDaemon before 0.21b allows remote attackers to execute arbitrary SQL queries and gain privileges via a malformed user_username parameter. CVE-2001-0235 DESCRIPTION: Vulnerability in crontab allows local users to read crontab files of other users by replacing the temporary file that is being edited while crontab is running. CVE-2001-0236 DESCRIPTION: Buffer overflow in Solaris snmpXdmid SNMP to DMI mapper daemon allows remote attackers to execute arbitrary commands via a long "indication" event. CVE-2001-0237 DESCRIPTION: Memory leak in Microsoft 2000 domain controller allows remote attackers to cause a denial of service by repeatedly connecting to the Kerberos service and then disconnecting without sending any data. CVE-2001-0238 DESCRIPTION: Microsoft Data Access Component Internet Publishing Provider 8.103.2519.0 and earlier allows remote attackers to bypass Security Zone restrictions via WebDAV requests. CVE-2001-0239 DESCRIPTION: Microsoft Internet Security and Acceleration (ISA) Server 2000 Web Proxy allows remote attackers to cause a denial of service via a long web request with a specific type. CVE-2001-0240 DESCRIPTION: Microsoft Word before Word 2002 allows attackers to automatically execute macros without warning the user via a Rich Text Format (RTF) document that links to a template with the embedded macro. CVE-2001-0241 DESCRIPTION: Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0. CVE-2001-0242 DESCRIPTION: Buffer overflows in Microsoft Windows Media Player 7 and earlier allow remote attackers to execute arbitrary commands via (1) a long version tag in an .ASX file, or (2) a long banner tag, a variant of the ".ASX Buffer Overrun" vulnerability as discussed in MS:MS00-090. CVE-2001-0243 DESCRIPTION: Windows Media Player 7 and earlier stores Internet shortcuts in a user's Temporary Files folder with a fixed filename instead of in the Internet Explorer cache, which causes the HTML in those shortcuts to run in the Local Computer Zone instead of the Internet Zone, which allows remote attackers to read certain files. CVE-2001-0244 DESCRIPTION: Buffer overflow in Microsoft Index Server 2.0 allows remote attackers to execute arbitrary commands via a long search parameter. CVE-2001-0245 DESCRIPTION: Microsoft Index Server 2.0 in Windows NT 4.0, and Indexing Service in Windows 2000, allows remote attackers to read server-side include files via a malformed search request, aka a new variant of the "Malformed Hit-Highlighting" vulnerability. CVE-2001-0246 DESCRIPTION: Internet Explorer 5.5 and earlier does not properly verify the domain of a frame within a browser window, which allows remote web site operators to read certain files on the client by sending information from a local frame to a frame in a different domain, aka a variant of the "Frame Domain Verification" vulnerability. CVE-2001-0247 DESCRIPTION: Buffer overflows in BSD-based FTP servers allows remote attackers to execute arbitrary commands via a long pattern string containing a {} sequence, as seen in (1) g_opendir, (2) g_lstat, (3) g_stat, and (4) the glob0 buffer as used in the glob functions glob2 and glob3. CVE-2001-0248 DESCRIPTION: Buffer overflow in FTP server in HPUX 11 allows remote attackers to execute arbitrary commands by creating a long pathname and calling the STAT command, which uses glob to generate long strings. CVE-2001-0249 DESCRIPTION: Heap overflow in FTP daemon in Solaris 8 allows remote attackers to execute arbitrary commands by creating a long pathname and calling the LIST command, which uses glob to generate long strings. CVE-2001-0250 DESCRIPTION: The Web Publishing feature in Netscape Enterprise Server 4.x and earlier allows remote attackers to list arbitrary directories under the web server root via the INDEX command. CVE-2001-0251 DESCRIPTION: The Web Publishing feature in Netscape Enterprise Server 3.x allows remote attackers to cause a denial of service via the REVLOG command. CVE-2001-0252 DESCRIPTION: iPlanet (formerly Netscape) Enterprise Server 4.1 allows remote attackers to cause a denial of service via a long HTTP GET request that contains many "/../" (dot dot) sequences. CVE-2001-0253 DESCRIPTION: Directory traversal vulnerability in hsx.cgi program in iWeb Hyperseek 2000 allows remote attackers to read arbitrary files and directories via a .. (dot dot) attack in the show parameter. CVE-2001-0254 DESCRIPTION: FaSTream FTP++ Server 2.0 allows remote attackers to obtain the real pathname of the server via the "pwd" command. CVE-2001-0255 DESCRIPTION: FaSTream FTP++ Server 2.0 allows remote attackers to list arbitrary directories by using the "ls" command and including the drive letter name (e.g. C:) in the requested pathname. CVE-2001-0256 DESCRIPTION: FaSTream FTP++ Server 2.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long username. CVE-2001-0257 DESCRIPTION: Buffer overflow in Easycom/Safecom Print Server Web service, version 404.590 and earlier, allows remote attackers to execute arbitrary commands via (1) a long URL or (2) a long HTTP header field such as "Host:". CVE-2001-0258 DESCRIPTION: The Easycom/Safecom Print Server (firmware 404.590) PrintGuide server allows remote attackers to cause a denial of service via a large number of connections that send null characters. CVE-2001-0259 DESCRIPTION: ssh-keygen in ssh 1.2.27 - 1.2.30 with Secure-RPC can allow local attackers to recover a SUN-DES-1 magic phrase generated by another user, which the attacker can use to decrypt that user's private key file. CVE-2001-0260 DESCRIPTION: Buffer overflow in Lotus Domino Mail Server 5.0.5 and earlier allows a remote attacker to crash the server or execute arbitrary code via a long "RCPT TO" command. CVE-2001-0261 DESCRIPTION: Microsoft Windows 2000 Encrypted File System does not properly destroy backups of files that are encrypted, which allows a local attacker to recover the text of encrypted files. CVE-2001-0262 DESCRIPTION: Buffer overflow in Netscape SmartDownload 1.3 allows remote attackers (malicious web pages) to execute arbitrary commands via a long URL. CVE-2001-0263 DESCRIPTION: Gene6 G6 FTP Server 2.0 (aka BPFTP Server 2.10) allows attackers to read file attributes outside of the web root via the (1) SIZE and (2) MDTM commands when the "show relative paths" option is not enabled. CVE-2001-0264 DESCRIPTION: Gene6 G6 FTP Server 2.0 (aka BPFTP Server 2.10) allows remote attackers to obtain NETBIOS credentials by requesting information on a file that is in a network share, which causes the server to send the credentials to the host that owns the share, and allows the attacker to sniff the connection. CVE-2001-0265 DESCRIPTION: ASCII Armor parser in Windows PGP 7.0.3 and earlier allows attackers to create files in arbitrary locations via a malformed ASCII armored file. CVE-2001-0266 DESCRIPTION: Vulnerability in Software Distributor SD-UX in HP-UX 11.0 and earlier allows local users to gain privileges. CVE-2001-0267 DESCRIPTION: NM debug in HP MPE/iX 6.5 and earlier does not properly handle breakpoints, which allows local users to gain privileges. CVE-2001-0268 DESCRIPTION: The i386_set_ldt system call in NetBSD 1.5 and earlier, and OpenBSD 2.8 and earlier, when the USER_LDT kernel option is enabled, does not validate a call gate target, which allows local users to gain root privileges by creating a segment call gate in the Local Descriptor Table (LDT) with a target that specifies an arbitrary kernel address. CVE-2001-0269 DESCRIPTION: pam_ldap authentication module in Solaris 8 allows remote attackers to bypass authentication via a NULL password. CVE-2001-0270 DESCRIPTION: Marconi ASX-1000 ASX switches allow remote attackers to cause a denial of service in the telnet and web management interfaces via a malformed packet with the SYN-FIN and More Fragments attributes set. CVE-2001-0271 DESCRIPTION: mailnews.cgi 1.3 and earlier allows remote attackers to execute arbitrary commands via a user name that contains shell metacharacters. CVE-2001-0272 DESCRIPTION: Directory traversal vulnerability in sendtemp.pl in W3.org Anaya Web development server allows remote attackers to read arbitrary files via a .. (dot dot) attack in the templ parameter. CVE-2001-0273 DESCRIPTION: pgp4pine Pine/PGP interface version 1.75-6 does not properly check to see if a public key has expired when obtaining the keys via Gnu Privacy Guard (GnuPG), which causes the message to be sent in cleartext. CVE-2001-0274 DESCRIPTION: kicq IRC client 1.0.0, and possibly later versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a URL. CVE-2001-0275 DESCRIPTION: Moby Netsuite Web Server 1.02 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP request. CVE-2001-0276 DESCRIPTION: ext.dll in BadBlue 1.02.07 Personal Edition web server allows remote attackers to determine the physical path of the server by directly calling ext.dll without any arguments, which produces an error message that contains the path. CVE-2001-0277 DESCRIPTION: Buffer overflow in ext.dll in BadBlue 1.02.07 Personal Edition allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long HTTP GET request. CVE-2001-0278 DESCRIPTION: Vulnerability in linkeditor in HP MPE/iX 6.5 and earlier allows local users to gain privileges. CVE-2001-0279 DESCRIPTION: Buffer overflow in sudo earlier than 1.6.3p6 allows local users to gain root privileges. CVE-2001-0280 DESCRIPTION: Buffer overflow in MERCUR SMTP server 3.30 allows remote attackers to execute arbitrary commands via a long EXPN command. CVE-2001-0281 DESCRIPTION: Format string vulnerability in DbgPrint function, used in debug messages for some Windows NT drivers (possibly when called through DebugMessage), may allow local users to gain privileges. CVE-2001-0282 DESCRIPTION: SEDUM 2.1 HTTP server allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long HTTP request. CVE-2001-0283 DESCRIPTION: Directory traversal vulnerability in SunFTP build 9 allows remote attackers to read arbitrary files via .. (dot dot) characters in various commands, including (1) GET, (2) MKDIR, (3) RMDIR, (4) RENAME, or (5) PUT. CVE-2001-0284 DESCRIPTION: Buffer overflow in IPSEC authentication mechanism for OpenBSD 2.8 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a malformed Authentication header (AH) IPv4 option. CVE-2001-0285 DESCRIPTION: Buffer overflow in A1 HTTP server 1.0a allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long HTTP request. CVE-2001-0286 DESCRIPTION: Directory traversal vulnerability in A1 HTTP server 1.0a allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP GET request. CVE-2001-0287 DESCRIPTION: VERITAS Cluster Server (VCS) 1.3.0 on Solaris allows local users to cause a denial of service (system panic) via the -L option to the lltstat command. CVE-2001-0288 DESCRIPTION: Cisco switches and routers running IOS 12.1 and earlier produce predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections. CVE-2001-0289 DESCRIPTION: Joe text editor 2.8 searches the current working directory (CWD) for the .joerc configuration file, which could allow local users to gain privileges of other users by placing a Trojan Horse .joerc file into a directory, then waiting for users to execute joe from that directory. CVE-2001-0290 DESCRIPTION: Vulnerability in Mailman 2.0.1 and earlier allows list administrators to obtain user passwords. CVE-2001-0291 DESCRIPTION: Buffer overflow in post-query sample CGI program allows remote attackers to execute arbitrary commands via an HTTP POST request that contains at least 10001 parameters. CVE-2001-0292 DESCRIPTION: PHP-Nuke 4.4.1a allows remote attackers to modify a user's email address and obtain the password by guessing the user id (UID) and calling user.php with the saveuser operator. CVE-2001-0293 DESCRIPTION: Directory traversal vulnerability in FtpXQ FTP server 2.0.93 allows remote attackers to read arbitrary files via a .. (dot dot) in the GET command. CVE-2001-0294 DESCRIPTION: Directory traversal vulnerability in TYPSoft FTP Server 0.85 allows remote attackers to read arbitrary files via (1) a .. (dot dot) in a GET command, or (2) a ... in a CWD command. CVE-2001-0295 DESCRIPTION: Directory traversal vulnerability in War FTP 1.67.04 allows remote attackers to list directory contents and possibly read files via a "dir *./../.." command. CVE-2001-0296 DESCRIPTION: Buffer overflow in WFTPD Pro 3.00 allows remote attackers to execute arbitrary commands via a long CWD command. CVE-2001-0297 DESCRIPTION: Directory traversal vulnerability in Simple Server HTTPd 1.0 (originally Free Java Server) allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. CVE-2001-0298 DESCRIPTION: Buffer overflow in WebReflex 1.55 HTTPd allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP GET request. CVE-2001-0299 DESCRIPTION: Buffer overflow in Voyager web administration server for Nokia IP440 allows local users to cause a denial of service, and possibly execute arbitrary commands, via a long URL. CVE-2001-0300 DESCRIPTION: oidldapd 2.1.1.1 in Oracle 8.1.7 records log files in a directory (ldaplog) that has world-writable permissions, which may allow local users to delete logs and/or overwrite other files via a symlink attack. CVE-2001-0301 DESCRIPTION: Buffer overflow in Analog before 4.16 allows remote attackers to execute arbitrary commands by using the ALIAS command to construct large strings. CVE-2001-0302 DESCRIPTION: Buffer overflow in tstisapi.dll in Pi3Web 1.0.1 web server allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long URL. CVE-2001-0303 DESCRIPTION: tstisapi.dll in Pi3Web 1.0.1 web server allows remote attackers to determine the physical path of the server via a URL that requests a non-existent file. CVE-2001-0304 DESCRIPTION: Directory traversal vulnerability in Caucho Resin 1.2.2 allows remote attackers to read arbitrary files via a "\.." (dot dot) in a URL request. CVE-2001-0305 DESCRIPTION: Directory traversal vulnerability in store.cgi in Thinking Arts ES.One package allows remote attackers to read arbitrary files via a .. (dot dot) in the StartID parameter. CVE-2001-0306 DESCRIPTION: Directory traversal vulnerability in ITAfrica WEBactive HTTP Server 1.00 allows remote attackers to read arbitrary files via a .. (dot dot) in a URL. CVE-2001-0307 DESCRIPTION: Bajie HTTP JServer 0.78, and other versions before 0.80, allows remote attackers to execute arbitrary commands via shell metacharacters in an HTTP request for a CGI program that does not exist. CVE-2001-0308 DESCRIPTION: UploadServlet in Bajie HTTP JServer 0.78, and possibly other versions before 0.80, allows remote attackers to execute arbitrary commands by calling the servlet to upload a program, then using a ... (modified ..) to access the file that was created for the program. CVE-2001-0309 DESCRIPTION: inetd in Red Hat 6.2 does not properly close sockets for internal services such as chargen, daytime, echo, etc., which allows remote attackers to cause a denial of service via a series of connections to the internal services. CVE-2001-0310 DESCRIPTION: sort in FreeBSD 4.1.1 and earlier, and possibly other operating systems, uses predictable temporary file names and does not properly handle when the temporary file already exists, which causes sort to crash and possibly impacts security-sensitive scripts. CVE-2001-0311 DESCRIPTION: Vulnerability in OmniBackII A.03.50 in HP 11.x and earlier allows attackers to gain unauthorized access to an OmniBack client. CVE-2001-0312 DESCRIPTION: IBM WebSphere plugin for Netscape Enterprise server allows remote attackers to read source code for JSP files via an HTTP request that contains a host header that references a host that is not in WebSphere's host aliases list, which will bypass WebSphere processing. CVE-2001-0313 DESCRIPTION: Borderware Firewall Server 6.1.2 allows remote attackers to cause a denial of service via a ping to the broadcast address of the public network on which the server is placed, which causes the server to continuously send pings (echo requests) to the network. CVE-2001-0314 DESCRIPTION: Buffer overflow in www.tol module in America Online (AOL) 5.0 may allow remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long URL in a link. CVE-2001-0315 DESCRIPTION: The locking feature in mIRC 5.7 allows local users to bypass the password mechanism by modifying the LockOptions registry key. CVE-2001-0316 DESCRIPTION: Linux kernel 2.4 and 2.2 allows local users to read kernel memory and possibly gain privileges via a negative argument to the sysctl call. CVE-2001-0317 DESCRIPTION: Race condition in ptrace in Linux kernel 2.4 and 2.2 allows local users to gain privileges by using ptrace to track and modify a running setuid process. CVE-2001-0318 DESCRIPTION: Format string vulnerability in ProFTPD 1.2.0rc2 may allow attackers to execute arbitrary commands by shutting down the FTP server while using a malformed working directory (cwd). CVE-2001-0319 DESCRIPTION: orderdspc.d2w macro in IBM Net.Commerce 3.x allows remote attackers to execute arbitrary SQL queries by inserting them into the order_rn option of the report capability. CVE-2001-0320 DESCRIPTION: bb_smilies.php and bbcode_ref.php in PHP-Nuke 4.4 allows remote attackers to read arbitrary files and gain PHP administrator privileges by inserting a null character and .. (dot dot) sequences into a malformed username argument. CVE-2001-0321 DESCRIPTION: opendir.php script in PHP-Nuke allows remote attackers to read arbitrary files by specifying the filename as an argument to the requesturl parameter. CVE-2001-0322 DESCRIPTION: MSHTML.DLL HTML parser in Internet Explorer 4.0, and other versions, allows remote attackers to cause a denial of service (application crash) via a script that creates and deletes an object that is associated with the browser window object. CVE-2001-0323 DESCRIPTION: The ICMP path MTU (PMTU) discovery feature in various UNIX systems allows remote attackers to cause a denial of service by spoofing "ICMP Fragmentation needed but Don't Fragment (DF) set" packets between two target hosts, which could cause one host to lower its MTU when transmitting to the other host. CVE-2001-0324 DESCRIPTION: Windows 98 and Windows 2000 Java clients allow remote attackers to cause a denial of service via a Java applet that opens a large number of UDP sockets, which prevents the host from establishing any additional UDP connections, and possibly causes a crash. CVE-2001-0325 DESCRIPTION: Buffer overflow in QNX RTP 5.60 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large number of arguments to the stat command. CVE-2001-0326 DESCRIPTION: Oracle Java Virtual Machine (JVM ) for Oracle 8.1.7 and Oracle Application Server 9iAS Release 1.0.2.0.1 allows remote attackers to read arbitrary files via the .jsp and .sqljsp file extensions when the server is configured to use the <> FilePermission. CVE-2001-0327 DESCRIPTION: iPlanet Web Server Enterprise Edition 4.1 and earlier allows remote attackers to retrieve sensitive data from memory allocation pools, or cause a denial of service, via a URL-encoded Host: header in the HTTP request, which reveals memory in the Location: header that is returned by the server. CVE-2001-0328 DESCRIPTION: TCP implementations that use random increments for initial sequence numbers (ISN) can allow remote attackers to perform session hijacking or disruption by injecting a flood of packets with a range of ISN values, one of which may match the expected ISN. CVE-2001-0329 DESCRIPTION: Bugzilla 2.10 allows remote attackers to execute arbitrary commands via shell metacharacters in a username that is then processed by (1) the Bugzilla_login cookie in post_bug.cgi, or (2) the who parameter in process_bug.cgi. CVE-2001-0330 DESCRIPTION: Bugzilla 2.10 allows remote attackers to access sensitive information, including the database username and password, via an HTTP request for the globals.pl file, which is normally returned by the web server without being executed. CVE-2001-0331 DESCRIPTION: Buffer overflow in Embedded Support Partner (ESP) daemon (rpc.espd) in IRIX 6.5.8 and earlier allows remote attackers to execute arbitrary commands. CVE-2001-0332 DESCRIPTION: Internet Explorer 5.5 and earlier does not properly verify the domain of a frame within a browser window, which allows remote web site operators to read certain files on the client by sending information from a local frame to a frame in a different domain using MSScriptControl.ScriptControl and GetObject, aka a variant of the "Frame Domain Verification" vulnerability. CVE-2001-0333 DESCRIPTION: Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice. CVE-2001-0334 DESCRIPTION: FTP service in IIS 5.0 and earlier allows remote attackers to cause a denial of service via a wildcard sequence that generates a long string when it is expanded. CVE-2001-0335 DESCRIPTION: FTP service in IIS 5.0 and earlier allows remote attackers to enumerate Guest accounts in trusted domains by preceding the username with a special sequence of characters. CVE-2001-0336 DESCRIPTION: The Microsoft MS00-060 patch for IIS 5.0 and earlier introduces an error which allows attackers to cause a denial of service via a malformed request. CVE-2001-0337 DESCRIPTION: The Microsoft MS01-014 and MS01-016 patches for IIS 5.0 and earlier introduce a memory leak which allows attackers to cause a denial of service via a series of requests. CVE-2001-0338 DESCRIPTION: Internet Explorer 5.5 and earlier does not properly validate digital certificates when Certificate Revocation List (CRL) checking is enabled, which could allow remote attackers to spoof trusted web sites, aka the "Server certificate validation vulnerability." CVE-2001-0339 DESCRIPTION: Internet Explorer 5.5 and earlier allows remote attackers to display a URL in the address bar that is different than the URL that is actually being displayed, which could be used in web site spoofing attacks, aka the "Web page spoofing vulnerability." CVE-2001-0340 DESCRIPTION: An interaction between the Outlook Web Access (OWA) service in Microsoft Exchange 2000 Server and Internet Explorer allows attackers to execute malicious script code against a user's mailbox via a message attachment that contains HTML code, which is executed automatically. CVE-2001-0341 DESCRIPTION: Buffer overflow in Microsoft Visual Studio RAD Support sub-component of FrontPage Server Extensions allows remote attackers to execute arbitrary commands via a long registration request (URL) to fp30reg.dll. CVE-2001-0342 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0343 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0344 DESCRIPTION: An SQL query method in Microsoft SQL Server 2000 Gold and 7.0 using Mixed Mode allows local database users to gain privileges by reusing a cached connection of the sa administrator account. CVE-2001-0345 DESCRIPTION: Microsoft Windows 2000 telnet service allows attackers to prevent idle Telnet sessions from timing out, causing a denial of service by creating a large number of idle sessions. CVE-2001-0346 DESCRIPTION: Handle leak in Microsoft Windows 2000 telnet service allows attackers to cause a denial of service by starting a large number of sessions and terminating them. CVE-2001-0347 DESCRIPTION: Information disclosure vulnerability in Microsoft Windows 2000 telnet service allows remote attackers to determine the existence of user accounts such as Guest, or log in to the server without specifying the domain name, via a malformed userid. CVE-2001-0348 DESCRIPTION: Microsoft Windows 2000 telnet service allows attackers to cause a denial of service (crash) via a long logon command that contains a backspace. CVE-2001-0349 DESCRIPTION: Microsoft Windows 2000 telnet service creates named pipes with predictable names and does not properly verify them, which allows local users to execute arbitrary commands by creating a named pipe with the predictable name and associating a malicious program with it, the first of two variants of this vulnerability. CVE-2001-0350 DESCRIPTION: Microsoft Windows 2000 telnet service creates named pipes with predictable names and does not properly verify them, which allows local users to execute arbitrary commands by creating a named pipe with the predictable name and associating a malicious program with it, the second of two variants of this vulnerability. CVE-2001-0351 DESCRIPTION: Microsoft Windows 2000 telnet service allows a local user to make a certain system call that allows the user to terminate a Telnet session and cause a denial of service. CVE-2001-0352 DESCRIPTION: SNMP agents in 3Com AirConnect AP-4111 and Symbol 41X1 Access Point allow remote attackers to obtain the WEP encryption key by reading it from a MIB when the value should be write-only, via (1) dot11WEPDefaultKeyValue in the dot11WEPDefaultKeysTable of the IEEE 802.11b MIB, or (2) ap128bWepKeyValue in the ap128bWEPKeyTable in the Symbol MIB. CVE-2001-0353 DESCRIPTION: Buffer overflow in the line printer daemon (in.lpd) for Solaris 8 and earlier allows local and remote attackers to gain root privileges via a "transfer job" routine. CVE-2001-0354 DESCRIPTION: TheNet CheckBO 1.56 allows remote attackers to cause a denial of service via a flood of characters to the TCP ports which it is listening on. CVE-2001-0355 DESCRIPTION: Novell Groupwise 5.5 (sp1 and sp2) allows a remote user to access arbitrary files via an implementation error in Groupwise system policies. CVE-2001-0357 DESCRIPTION: FormMail.pl in FormMail 1.6 and earlier allows a remote attacker to send anonymous email (spam) by modifying the recipient and message parameters. CVE-2001-0358 DESCRIPTION: Buffer overflows in Sierra Half-Life build 1573 and earlier allow remote attackers to execute arbitrary code via (1) a long map command, (2) a long exec command, or (3) long input in a configuration file. CVE-2001-0359 DESCRIPTION: Format string vulnerability in Sierra Half-Life build 1573 and earlier allows a remote attacker to execute arbitrary code via the map command. CVE-2001-0360 DESCRIPTION: Directory traversal vulnerability in help.cgi in Ikonboard 2.1.7b and earlier allows a remote attacker to read arbitrary files via a .. (dot dot) attack in the helpon parameter. CVE-2001-0361 DESCRIPTION: Implementations of SSH version 1.5, including (1) OpenSSH up to version 2.3.0, (2) AppGate, and (3) ssh-1 up to version 1.2.31, in certain configurations, allow a remote attacker to decrypt and/or alter traffic via a "Bleichenbacher attack" on PKCS#1 version 1.5. CVE-2001-0364 DESCRIPTION: SSH Communications Security sshd 2.4 for Windows allows remote attackers to create a denial of service via a large number of simultaneous connections. CVE-2001-0365 DESCRIPTION: Eudora before 5.1 allows a remote attacker to execute arbitrary code, when the 'Use Microsoft Viewer' and 'allow executables in HTML content' options are enabled, via an HTML email message containing Javascript, with ActiveX controls and malicious code within IMG tags. CVE-2001-0366 DESCRIPTION: saposcol in SAP R/3 Web Application Server Demo before 1.5 trusts the PATH environmental variable to find and execute the expand program, which allows local users to obtain root access by modifying the PATH to point to a Trojan horse expand program. CVE-2001-0367 DESCRIPTION: Mirabilis ICQ WebFront Plug-in ICQ2000b Build 3278 allows a remote attacker to create a denial of service via HTTP URL requests containing a large number of % characters. CVE-2001-0368 DESCRIPTION: Directory traversal vulnerability in BearShare 2.2.2 and earlier allows a remote attacker to read certain files via a URL containing a series of . characters, a variation of the .. (dot dot) attack. CVE-2001-0369 DESCRIPTION: Buffer overflow in lpsched on DGUX version R4.20MU06 and MU02 allows a local attacker to obtain root access via a long command line argument (non-existent printer name). CVE-2001-0370 DESCRIPTION: fcheck prior to 2.57.59 calls the file signature checking program insecurely, which can allow a local user to run arbitrary commands via a file name that contains shell metacharacters. CVE-2001-0371 DESCRIPTION: Race condition in the UFS and EXT2FS file systems in FreeBSD 4.2 and earlier, and possibly other operating systems, makes deleted data available to user processes before it is zeroed out, which allows a local user to access otherwise restricted information. CVE-2001-0372 DESCRIPTION: Akopia Interchange 4.5.3 through 4.6.3 installs demo stores with a default group account :backup with no password, which allows a remote attacker to gain administrative access via the demo stores (1) barry, (2) basic, or (3) construct. CVE-2001-0373 DESCRIPTION: The default configuration of the Dr. Watson program in Windows NT and Windows 2000 generates user.dmp crash dump files with world-readable permissions, which could allow a local user to gain access to sensitive information. CVE-2001-0374 DESCRIPTION: The HTTP server in Compaq web-enabled management software for (1) Foundation Agents, (2) Survey, (3) Power Manager, (4) Availability Agents, (5) Intelligent Cluster Administrator, and (6) Insight Manager can be used as a generic proxy server, which allows remote attackers to bypass access restrictions via the management port, 2301. CVE-2001-0375 DESCRIPTION: Cisco PIX Firewall 515 and 520 with 5.1.4 OS running aaa authentication to a TACACS+ server allows remote attackers to cause a denial of service via a large number of authentication requests. CVE-2001-0376 DESCRIPTION: SonicWALL Tele2 and SOHO firewalls with 6.0.0.0 firmware using IPSEC with IKE pre-shared keys do not allow for the use of full 128 byte IKE pre-shared keys, which is the intended design of the IKE pre-shared key, and only support 48 byte keys. This allows a remote attacker to brute force attack the pre-shared keys with significantly less resources than if the full 128 byte IKE pre-shared keys were used. CVE-2001-0377 DESCRIPTION: Infradig Inframail prior to 3.98a allows a remote attacker to create a denial of service via a malformed POST request which includes a space followed by a large string. CVE-2001-0378 DESCRIPTION: readline prior to 4.1, in OpenBSD 2.8 and earlier, creates history files with insecure permissions, which allows a local attacker to recover potentially sensitive information via readline history files. CVE-2001-0379 DESCRIPTION: Vulnerability in the newgrp program included with HP9000 servers running HP-UX 11.11 allows a local attacker to obtain higher access rights. CVE-2001-0380 DESCRIPTION: Crosscom/Olicom XLT-F running XL 80 IM Version 5.5 Build Level 2 allows a remote attacker SNMP read and write access via a default, undocumented community string 'ILMI'. CVE-2001-0381 DESCRIPTION: The OpenPGP PGP standard allows an attacker to determine the private signature key via a cryptanalytic attack in which the attacker alters the encrypted private key file and captures a single message signed with the signature key. CVE-2001-0382 DESCRIPTION: Computer Associates CCC\Harvest 5.0 for Windows NT/2000 uses weak encryption for passwords, which allows a remote attacker to gain privileges on the application. CVE-2001-0383 DESCRIPTION: banners.php in PHP-Nuke 4.4 and earlier allows remote attackers to modify banner ad URLs by directly calling the Change operation, which does not require authentication. CVE-2001-0384 DESCRIPTION: ppd in Reliant Sinix allows local users to corrupt arbitrary files via a symlink attack in the /tmp/ppd.trace file. CVE-2001-0385 DESCRIPTION: GoAhead webserver 2.1 allows remote attackers to cause a denial of service via an HTTP request to the /aux directory. CVE-2001-0386 DESCRIPTION: AnalogX SimpleServer:WWW 1.08 allows remote attackers to cause a denial of service via an HTTP request to the /aux directory. CVE-2001-0387 DESCRIPTION: Format string vulnerability in hfaxd in HylaFAX before 4.1.b2_2 allows local users to gain privileges via the -q command line argument. CVE-2001-0388 DESCRIPTION: time server daemon timed allows remote attackers to cause a denial of service via malformed packets. CVE-2001-0389 DESCRIPTION: IBM Websphere/NetCommerce3 3.1.2 allows remote attackers to determine the real path of the server by directly calling the macro.d2w macro with a NOEXISTINGHTMLBLOCK argument. CVE-2001-0390 DESCRIPTION: IBM Websphere/NetCommerce3 3.1.2 allows remote attackers to cause a denial of service by directly calling the macro.d2w macro with a long string of %0a characters. CVE-2001-0391 DESCRIPTION: Xitami 2.5d4 and earlier allows remote attackers to crash the server via an HTTP request to the /aux directory. CVE-2001-0392 DESCRIPTION: Navision Financials Server 2.60 and earlier allows remote attackers to cause a denial of service by sending a null character and a long string to the server port (2407), which causes the server to crash. CVE-2001-0393 DESCRIPTION: Navision Financials Server 2.0 allows remote attackers to cause a denial of service via a series of connections to the server without providing a username/password combination, which consumes the license limits. CVE-2001-0394 DESCRIPTION: Remote manager service in Website Pro 3.0.37 allows remote attackers to cause a denial of service via a series of malformed HTTP requests to the /dyn directory. CVE-2001-0395 DESCRIPTION: Lightwave ConsoleServer 3200 does not disconnect users after unsuccessful login attempts, which could allow remote attackers to conduct brute force password guessing. CVE-2001-0396 DESCRIPTION: The pre-login mode in the System Administrator interface of Lightwave ConsoleServer 3200 allows remote attackers to obtain sensitive information such as system status, configuration, and users. CVE-2001-0397 DESCRIPTION: Buffer overflow in Silent Runner Collector (SRC) 1.6.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long SMTP HELO command. CVE-2001-0398 DESCRIPTION: The BAT! mail client allows remote attackers to bypass user warnings of an executable attachment and execute arbitrary commands via an attachment whose file name contains many spaces, which also causes the BAT! to misrepresent the attachment's type with a different icon. CVE-2001-0399 DESCRIPTION: Caucho Resin 1.3b1 and earlier allows remote attackers to read source code for Javabean files by inserting a .jsp before the WEB-INF specifier in an HTTP request. CVE-2001-0400 DESCRIPTION: nph-maillist.pl allows remote attackers to execute arbitrary commands via shell metacharacters ("`") in the email address. CVE-2001-0401 DESCRIPTION: Buffer overflow in tip in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable. CVE-2001-0402 DESCRIPTION: IPFilter 3.4.16 and earlier does not include sufficient session information in its cache, which allows remote attackers to bypass access restrictions by sending fragmented packets to a restricted port after sending unfragmented packets to an unrestricted port. CVE-2001-0403 DESCRIPTION: /opt/JSparm/bin/perfmon program in Solaris allows local users to create arbitrary files as root via the Logging File option in the GUI. CVE-2001-0404 DESCRIPTION: Directory traversal vulnerability in JavaServer Web Dev Kit (JSWDK) 1.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP request to the WEB-INF directory. CVE-2001-0405 DESCRIPTION: ip_conntrack_ftp in the IPTables firewall for Linux 2.4 allows remote attackers to bypass access restrictions for an FTP server via a PORT command that lists an arbitrary IP address and port number, which is added to the RELATED table and allowed by the firewall. CVE-2001-0406 DESCRIPTION: Samba before 2.2.0 allows local attackers to overwrite arbitrary files via a symlink attack using (1) a printer queue query, (2) the more command in smbclient, or (3) the mput command in smbclient. CVE-2001-0407 DESCRIPTION: Directory traversal vulnerability in MySQL before 3.23.36 allows local users to modify arbitrary files and gain privileges by creating a database whose name starts with .. (dot dot). CVE-2001-0408 DESCRIPTION: vim (aka gvim) processes VIM control codes that are embedded in a file, which could allow attackers to execute arbitrary commands when another user opens a file containing malicious VIM control codes. CVE-2001-0409 DESCRIPTION: vim (aka gvim) allows local users to modify files being edited by other users via a symlink attack on the backup and swap files, when the victim is editing the file in a world writable directory. CVE-2001-0410 DESCRIPTION: Buffer overflow in Trend Micro Virus Buster 2001 8.02 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long "From" header. CVE-2001-0411 DESCRIPTION: Reliant Unix 5.44 and earlier allows remote attackers to cause a denial of service via an ICMP port unreachable packet, which causes Reliant to drop all connections to the source address of the packet. CVE-2001-0412 DESCRIPTION: Cisco Content Services (CSS) switch products 11800 and earlier, aka Arrowpoint, allows local users to gain privileges by entering debug mode. CVE-2001-0413 DESCRIPTION: BinTec X4000 Access router, and possibly other versions, allows remote attackers to cause a denial of service via a SYN port scan, which causes the router to hang. CVE-2001-0414 DESCRIPTION: Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument. CVE-2001-0415 DESCRIPTION: REDIPlus program, REDI.exe, stores passwords and user names in cleartext in the StartLog.txt log file, which allows local users to gain access to other accounts. CVE-2001-0416 DESCRIPTION: sgml-tools (aka sgmltools) before 1.0.9-15 creates temporary files with insecure permissions, which allows other users to read files that are being processed by sgml-tools. CVE-2001-0417 DESCRIPTION: Kerberos 4 (aka krb4) allows local users to overwrite arbitrary files via a symlink attack on new ticket files. CVE-2001-0418 DESCRIPTION: content.pl script in NCM Content Management System allows remote attackers to read arbitrary contents of the content database by inserting SQL characters into the id parameter. CVE-2001-0419 DESCRIPTION: Buffer overflow in shared library ndwfn4.so for iPlanet Web Server (iWS) 4.1, when used as a web listener for Oracle application server 4.0.8.2, allows remote attackers to execute arbitrary commands via a long HTTP request that is passed to the application server, such as /jsp/. CVE-2001-0420 DESCRIPTION: Directory traversal vulnerability in talkback.cgi program allows remote attackers to read arbitrary files via a .. (dot dot) in the article parameter. CVE-2001-0421 DESCRIPTION: FTP server in Solaris 8 and earlier allows local and remote attackers to cause a core dump in the root directory, possibly with world-readable permissions, by providing a valid username with an invalid password followed by a CWD ~ command, which could release sensitive information such as shadowed passwords, or fill the disk partition. CVE-2001-0422 DESCRIPTION: Buffer overflow in Xsun in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable. CVE-2001-0423 DESCRIPTION: Buffer overflow in ipcs in Solaris 7 x86 allows local users to execute arbitrary code via a long TZ (timezone) environmental variable, a different vulnerability than CAN-2002-0093. CVE-2001-0424 DESCRIPTION: BubbleMon 1.31 does not properly drop group privileges before executing programs, which allows local users to execute arbitrary commands with the kmem group id. CVE-2001-0425 DESCRIPTION: AdLibrary.pm in AdCycle 0.78b allows remote attackers to gain privileges to AdCycle via a malformed Agent: header in the HTTP request, which is inserted into a resulting SQL query that is used to verify login information. CVE-2001-0426 DESCRIPTION: Buffer overflow in dtsession on Solaris, and possibly other operating systems, allows local users to gain privileges via a long LANG environmental variable. CVE-2001-0427 DESCRIPTION: Cisco VPN 3000 series concentrators before 2.5.2(F) allow remote attackers to cause a denial of service via a flood of invalid login requests to (1) the SSL service, or (2) the telnet service, which do not properly disconnect the user after several failed login attempts. CVE-2001-0428 DESCRIPTION: Cisco VPN 3000 series concentrators before 2.5.2(F) allow remote attackers to cause a denial of service via an IP packet with an invalid IP option. CVE-2001-0429 DESCRIPTION: Cisco Catalyst 5000 series switches 6.1(2) and earlier will forward an 802.1x frame on a Spanning Tree Protocol (STP) blocked port, which causes a network storm and a denial of service. CVE-2001-0430 DESCRIPTION: Vulnerability in exuberant-ctags before 3.2.4-0.1 insecurely creates temporary files. CVE-2001-0431 DESCRIPTION: Vulnerability in iPlanet Web Server Enterprise Edition 4.x. CVE-2001-0432 DESCRIPTION: Buffer overflows in various CGI programs in the remote administration service for Trend Micro Interscan VirusWall 3.01 allow remote attackers to execute arbitrary commands. CVE-2001-0433 DESCRIPTION: Buffer overflow in Savant 3.0 web server allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long Host HTTP header. CVE-2001-0434 DESCRIPTION: The LogDataListToFile ActiveX function used in (1) Knowledge Center and (2) Back web components of Compaq Presario computers allows remote attackers to modify arbitrary files and cause a denial of service. CVE-2001-0435 DESCRIPTION: The split key mechanism used by PGP 7.0 allows a key share holder to obtain access to the entire key by setting the "Cache passphrase while logged on" option and capturing the passphrases of other share holders as they authenticate. CVE-2001-0436 DESCRIPTION: dcboard.cgi in DCForum 2000 1.0 allows remote attackers to execute arbitrary commands by uploading a Perl program to the server and using a .. (dot dot) in the AZ parameter to reference the program. CVE-2001-0437 DESCRIPTION: upload_file.pl in DCForum 2000 1.0 allows remote attackers to upload arbitrary files without authentication by setting the az parameter to upload_file. CVE-2001-0438 DESCRIPTION: Preview version of Timbuktu for Mac OS X allows local users to modify System Preferences without logging in via the About Timbuktu menu. CVE-2001-0439 DESCRIPTION: licq before 1.0.3 allows remote attackers to execute arbitrary commands via shell metacharacters in a URL. CVE-2001-0440 DESCRIPTION: Buffer overflow in logging functions of licq before 1.0.3 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands. CVE-2001-0441 DESCRIPTION: Buffer overflow in (1) wrapping and (2) unwrapping functions of slrn news reader before 0.9.7.0 allows remote attackers to execute arbitrary commands via a long message header. CVE-2001-0442 DESCRIPTION: Buffer overflow in Mercury MTA POP3 server for NetWare 1.48 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long APOP command. CVE-2001-0443 DESCRIPTION: Buffer overflow in QPC QVT/Net Popd 4.20 in QVT/Net 5.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via (1) a long username, or (2) a long password. CVE-2001-0444 DESCRIPTION: Cisco CBOS 2.3.0.053 sends output of the "sh nat" (aka "show nat") command to the terminal of the next user who attempts to connect to the router via telnet, which could allow that user to obtain sensitive information. CVE-2001-0446 DESCRIPTION: IBM WCS (WebSphere Commerce Suite) 4.0.1 with Application Server 3.0.2 allows remote attackers to read source code for .jsp files by appending a / to the requested URL. CVE-2001-0447 DESCRIPTION: Web configuration server in 602Pro LAN SUITE allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP request containing "%2e" (dot dot) characters. CVE-2001-0448 DESCRIPTION: Web configuration server in 602Pro LAN SUITE allows remote attackers to cause a denial of service via an HTTP GET HTTP request to the aux directory, and possibly other directories with legacy DOS device names. CVE-2001-0449 DESCRIPTION: Buffer overflow in WinZip 8.0 allows attackers to execute arbitrary commands via a long file name that is processed by the /zipandemail command line option. CVE-2001-0450 DESCRIPTION: Directory traversal vulnerability in Transsoft FTP Broker before 5.5 allows attackers to (1) delete arbitrary files via DELETE, or (2) list arbitrary directories via LIST, via a .. (dot dot) in the file name. CVE-2001-0451 DESCRIPTION: INDEXU 2.0 beta and earlier allows remote attackers to bypass authentication and gain privileges by setting the cookie_admin_authenticated cookie value to 1. CVE-2001-0452 DESCRIPTION: BRS WebWeaver FTP server before 0.64 Beta allows remote attackers to obtain the real pathname of the server via a "CD *" command followed by an ls command. CVE-2001-0453 DESCRIPTION: Directory traversal vulnerability in BRS WebWeaver HTTP server allows remote attackers to read arbitrary files via a .. (dot dot) attack in the (1) syshelp, (2) sysimages, or (3) scripts directories. CVE-2001-0454 DESCRIPTION: Directory traversal vulnerability in SlimServe HTTPd 1.1a allows remote attackers to read arbitrary files via a ... (modified dot dot) in the HTTP request. CVE-2001-0455 DESCRIPTION: Cisco Aironet 340 Series wireless bridge before 8.55 does not properly disable access to the web interface, which allows remote attackers to modify its configuration. CVE-2001-0456 DESCRIPTION: postinst installation script for Proftpd in Debian 2.2 does not properly change the "run as uid/gid root" configuration when the user enables anonymous access, which causes the server to run at a higher privilege than intended. CVE-2001-0457 DESCRIPTION: man2html before 1.5-22 allows remote attackers to cause a denial of service (memory exhaustion). CVE-2001-0458 DESCRIPTION: Multiple buffer overflows in ePerl before 2.2.14-0.7 allow local and remote attackers to execute arbitrary commands. CVE-2001-0459 DESCRIPTION: Buffer overflows in ascdc Afterstep while running setuid allows local users to gain root privileges via a long (1) -d option, (2) -m option, or (3) -f option. CVE-2001-0460 DESCRIPTION: Websweeper 4.0 does not limit the length of certain HTTP headers, which allows remote attackers to cause a denial of service (memory exhaustion) via an extremely large HTTP Referrer: header. CVE-2001-0461 DESCRIPTION: template.cgi in Free On-Line Dictionary of Computing (FOLDOC) allows remote attackers to read files and execute commands via shell metacharacters in the argument to template.cgi. CVE-2001-0462 DESCRIPTION: Directory traversal vulnerability in Perl web server 0.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. CVE-2001-0463 DESCRIPTION: Directory traversal vulnerability in cal_make.pl in PerlCal allows remote attackers to read arbitrary files via a .. (dot dot) in the p0 parameter. CVE-2001-0464 DESCRIPTION: Buffer overflow in websync.exe in Cyberscheduler allows remote attackers to execute arbitrary commands via a long tzs (timezone) parameter. CVE-2001-0465 DESCRIPTION: TurboTax saves passwords in a temporary file when a user imports investment tax information from a financial institution, which could allow local users to obtain sensitive information. CVE-2001-0466 DESCRIPTION: Directory traversal vulnerability in ustorekeeper 1.61 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. CVE-2001-0467 DESCRIPTION: Directory traversal vulnerability in RobTex Viking Web server before 1.07-381 allows remote attackers to read arbitrary files via a \... (modified dot dot) in an HTTP URL request. CVE-2001-0468 DESCRIPTION: Buffer overflow in FTPFS allows local users to gain root privileges via a long user name. CVE-2001-0469 DESCRIPTION: rwho daemon rwhod in FreeBSD 4.2 and earlier, and possibly other operating systems, allows remote attackers to cause a denial of service via malformed packets with a short length. CVE-2001-0470 DESCRIPTION: Buffer overflow in SNMP proxy agent snmpd in Solaris 8 may allow local users to gain root privileges by calling snmpd with a long program name. CVE-2001-0471 DESCRIPTION: SSH daemon version 1 (aka SSHD-1 or SSH-1) 1.2.30 and earlier does not log repeated login attempts, which could allow remote attackers to compromise accounts without detection via a brute force attack. CVE-2001-0472 DESCRIPTION: Hursley Software Laboratories Consumer Transaction Framework (HSLCTF) HTTP object allows remote attackers to cause a denial of service (crash) via an extremely long HTTP request. CVE-2001-0473 DESCRIPTION: Format string vulnerability in Mutt before 1.2.5 allows a remote malicious IMAP server to execute arbitrary commands. CVE-2001-0474 DESCRIPTION: Utah-glx in Mesa before 3.3-14 on Mandrake Linux 7.2 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/glxmemory file. CVE-2001-0475 DESCRIPTION: index.php in Jelsoft vBulletin does not properly initialize a PHP variable that is used to store template information, which allows remote attackers to execute arbitrary PHP code via special characters in the templatecache parameter. CVE-2001-0476 DESCRIPTION: Multiple buffer overflows in s.cgi program in Aspseek search engine 1.03 and earlier allow remote attackers to execute arbitrary commands via (1) a long HTTP query string, or (2) a long tmpl parameter. CVE-2001-0477 DESCRIPTION: Vulnerability in WebCalendar 0.9.26 allows remote command execution. CVE-2001-0478 DESCRIPTION: Directory traversal vulnerability in phpMyAdmin 2.2.0 and earlier versions allows remote attackers to execute arbitrary code via a .. (dot dot) in an argument to the sql.php script. CVE-2001-0479 DESCRIPTION: Directory traversal vulnerability in phpPgAdmin 2.2.1 and earlier versions allows remote attackers to execute arbitrary code via a .. (dot dot) in an argument to the sql.php script. CVE-2001-0480 DESCRIPTION: Directory traversal vulnerability in Alex's FTP Server 0.7 allows remote attackers to read arbitrary files via a ... (modified dot dot) in the (1) GET or (2) CD commands. CVE-2001-0481 DESCRIPTION: Vulnerability in rpmdrake in Mandrake Linux 8.0 related to insecure temporary file handling. CVE-2001-0482 DESCRIPTION: Configuration error in Argus PitBull LX allows root users to bypass specified access control restrictions and cause a denial of service or execute arbitrary commands by modifying kernel variables such as MaxFiles, MaxInodes, and ModProbePath in /proc/sys via calls to sysctl. CVE-2001-0483 DESCRIPTION: Configuration error in Axent Raptor Firewall 6.5 allows remote attackers to use the firewall as a proxy to access internal web resources when the http.noproxy Rule is not set. CVE-2001-0484 DESCRIPTION: Tektronix PhaserLink 850 does not require authentication for access to configuration pages such as _ncl_subjects.shtml and _ncl_items.shtml, which allows remote attackers to modify configuration information and cause a denial of service by accessing the pages. CVE-2001-0485 DESCRIPTION: Unknown vulnerability in netprint in IRIX 6.2, and possibly other versions, allows local users with lp privileges attacker to execute arbitrary commands via the -n option. CVE-2001-0486 DESCRIPTION: Remote attackers can cause a denial of service in Novell BorderManager 3.6 and earlier by sending TCP SYN flood to port 353. CVE-2001-0487 DESCRIPTION: AIX SNMP server snmpd allows remote attackers to cause a denial of service via a RST during the TCP connection. CVE-2001-0488 DESCRIPTION: pcltotiff in HP-UX 10.x has unnecessary set group id permissions, which allows local users to cause a denial of service. CVE-2001-0489 DESCRIPTION: Format string vulnerability in gftp prior to 2.0.8 allows remote malicious FTP servers to execute arbitrary commands. CVE-2001-0490 DESCRIPTION: Buffer overflow in WINAMP 2.6x and 2.7x allows attackers to execute arbitrary code via a long string in an AIP file. CVE-2001-0491 DESCRIPTION: Directory traversal vulnerability in RaidenFTPD Server 2.1 before build 952 allows attackers to access files outside the ftp root via dot dot attacks, such as (1) .... in CWD, (2) .. in NLST, or (3) ... in NLST. CVE-2001-0492 DESCRIPTION: Netcruiser Web server version 0.1.2.8 and earlier allows remote attackers to determine the physical path of the server via a URL containing (1) con, (2) com2, or (3) com3. CVE-2001-0493 DESCRIPTION: Small HTTP server 2.03 allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name such as aux. CVE-2001-0494 DESCRIPTION: Buffer overflow in IPSwitch IMail SMTP server 6.06 and possibly prior versions allows remote attackers to execute arbitrary code via a long From: header. CVE-2001-0495 DESCRIPTION: Directory traversal in DataWizard WebXQ server 1.204 allows remote attackers to view files outside of the web root via a .. (dot dot) attack. CVE-2001-0496 DESCRIPTION: kdesu in kdelibs package creates world readable temporary files containing authentication info, which can allow local users to gain privileges. CVE-2001-0497 DESCRIPTION: dnskeygen in BIND 8.2.4 and earlier, and dnssec-keygen in BIND 9.1.2 and earlier, set insecure permissions for a HMAC-MD5 shared secret key file used for DNS Transactional Signatures (TSIG), which allows attackers to obtain the keys and perform dynamic DNS updates. CVE-2001-0498 DESCRIPTION: Transparent Network Substrate (TNS) over Net8 (SQLNet) in Oracle 8i 8.1.7 and earlier allows remote attackers to cause a denial of service via a malformed SQLNet connection request with a large offset in the header extension. CVE-2001-0499 DESCRIPTION: Buffer overflow in Transparent Network Substrate (TNS) Listener in Oracle 8i 8.1.7 and earlier allows remote attackers to gain privileges via a long argument to the commands (1) STATUS, (2) PING, (3) SERVICES, (4) TRC_FILE, (5) SAVE_CONFIG, or (6) RELOAD. CVE-2001-0500 DESCRIPTION: Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red. CVE-2001-0501 DESCRIPTION: Microsoft Word 2002 and earlier allows attackers to automatically execute macros without warning the user by embedding the macros in a manner that escapes detection by the security scanner. CVE-2001-0502 DESCRIPTION: Running Windows 2000 LDAP Server over SSL, a function does not properly check the permissions of a user request when the directory principal is a domain user and the data attribute is the domain password, which allows local users to modify the login password of other users. CVE-2001-0503 DESCRIPTION: Microsoft NetMeeting 3.01 with Remote Desktop Sharing enabled allows remote attackers to cause a denial of service via a malformed string to the NetMeeting service port, aka a variant of the "NetMeeting Desktop Sharing" vulnerability. CVE-2001-0504 DESCRIPTION: Vulnerability in authentication process for SMTP service in Microsoft Windows 2000 allows remote attackers to use incorrect credentials to gain privileges and conduct activities such as mail relaying. CVE-2001-0505 DESCRIPTION: Multiple memory leaks in Microsoft Services for Unix 2.0 allow remote attackers to cause a denial of service (memory exhaustion) via a large number of malformed requests to (1) the Telnet service, or (2) the NFS service. CVE-2001-0506 DESCRIPTION: Buffer overflow in ssinc.dll in IIS 5.0 and 4.0 allows local users to gain system privileges via a Server-Side Includes (SSI) directive for a long filename, which triggers the overflow when the directory name is added, aka the "SSI privilege elevation" vulnerability. CVE-2001-0507 DESCRIPTION: IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability. CVE-2001-0508 DESCRIPTION: Vulnerability in IIS 5.0 allows remote attackers to cause a denial of service (restart) via a long, invalid WebDAV request. CVE-2001-0509 DESCRIPTION: Vulnerabilities in RPC servers in (1) Microsoft Exchange Server 2000 and earlier, (2) Microsoft SQL Server 2000 and earlier, (3) Windows NT 4.0, and (4) Windows 2000 allow remote attackers to cause a denial of service via malformed inputs. CVE-2001-0513 DESCRIPTION: Oracle listener process on Windows NT redirects connection requests to another port and creates a separate thread to process the request, which allows remote attackers to cause a denial of service by repeatedly connecting to the Oracle listener but not connecting to the redirected port. CVE-2001-0514 DESCRIPTION: SNMP service in Atmel 802.11b VNET-B Access Point 1.3 and earlier, as used in Netgear ME102 and Linksys WAP11, accepts arbitrary community strings with requested MIB modifications, which allows remote attackers to obtain sensitive information such as WEP keys, cause a denial of service, or gain access to the network. CVE-2001-0515 DESCRIPTION: Oracle Listener in Oracle 7.3 and 8i allows remote attackers to cause a denial of service via a malformed connection packet with a large offset_to_data value. CVE-2001-0516 DESCRIPTION: Oracle listener between Oracle 9i and Oracle 8.0 allows remote attackers to cause a denial of service via a malformed connection packet that contains an incorrect requester_version value that does not match an expected offset to the data. CVE-2001-0517 DESCRIPTION: Oracle listener in Oracle 8i on Solaris allows remote attackers to cause a denial of service via a malformed connection packet with a maximum transport data size that is set to 0. CVE-2001-0518 DESCRIPTION: Oracle listener before Oracle 9i allows attackers to cause a denial of service by repeatedly sending the first portion of a fragmented Oracle command without sending the remainder of the command, which causes the listener to hang. CVE-2001-0519 DESCRIPTION: Aladdin eSafe Gateway versions 2.x allows a remote attacker to circumvent HTML SCRIPT filtering via a special arrangement of HTML tags which includes SCRIPT tags embedded within other SCRIPT tags. CVE-2001-0520 DESCRIPTION: Aladdin eSafe Gateway versions 3.0 and earlier allows a remote attacker to circumvent filtering of SCRIPT tags by embedding the scripts within certain HTML tags including (1) onload in the BODY tag, (2) href in the A tag, (3) the BUTTON tag, (4) the INPUT tag, or (5) any other tag in which scripts can be defined. CVE-2001-0521 DESCRIPTION: Aladdin eSafe Gateway versions 3.0 and earlier allows a remote attacker to circumvent HTML SCRIPT filtering via the UNICODE encoding of SCRIPT tags within the HTML document. CVE-2001-0522 DESCRIPTION: Format string vulnerability in Gnu Privacy Guard (aka GnuPG or gpg) 1.05 and earlier can allow an attacker to gain privileges via format strings in the original filename that is stored in an encrypted file. CVE-2001-0523 DESCRIPTION: eEye SecureIIS versions 1.0.3 and earlier allows a remote attacker to bypass filtering of requests made to SecureIIS by escaping HTML characters within the request, which could allow a remote attacker to use restricted variables and perform directory traversal attacks on vulnerable programs that would otherwise be protected. CVE-2001-0524 DESCRIPTION: eEye SecureIIS versions 1.0.3 and earlier does not perform length checking on individual HTTP headers, which allows a remote attacker to send arbitrary length strings to IIS, contrary to an advertised feature of SecureIIS versions 1.0.3 and earlier. CVE-2001-0525 DESCRIPTION: Buffer overflow in dsh in dqs 3.2.7 in SuSE Linux 7.0 and earlier, and possibly other operating systems, allows local users to gain privileges via a long first command line argument. CVE-2001-0526 DESCRIPTION: Buffer overflow in the Xview library as used by mailtool in Solaris 8 and earlier allows a local attacker to gain privileges via the OPENWINHOME environment variable. CVE-2001-0527 DESCRIPTION: DCScripts DCForum versions 2000 and earlier allow a remote attacker to gain additional privileges by inserting pipe symbols (|) and newlines into the last name in the registration form, which will create an extra entry in the registration database. CVE-2001-0528 DESCRIPTION: Oracle E-Business Suite Release 11i Applications Desktop Integrator (ADI) version 7.x includes a debug version of FNDPUB11I.DLL, which logs the APPS schema password in cleartext in a debug file, which allows local users to obtain the password and gain privileges. CVE-2001-0529 DESCRIPTION: OpenSSH version 2.9 and earlier, with X forwarding enabled, allows a local attacker to delete any file named 'cookies' via a symlink attack. CVE-2001-0530 DESCRIPTION: Spearhead NetGAP 200 and 300 before build 78 allow a remote attacker to bypass file blocking and content inspection via specially encoded URLs which include '%' characters. CVE-2001-0531 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0532 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0533 DESCRIPTION: Buffer overflow in libi18n library in IBM AIX 5.1 and 4.3.x allows local users to gain root privileges via a long LANG environmental variable. CVE-2001-0534 DESCRIPTION: Multiple buffer overflows in RADIUS daemon radiusd in (1) Merit 3.6b and (2) Lucent 2.1-2 RADIUS allow remote attackers to cause a denial of service or execute arbitrary commands. CVE-2001-0535 DESCRIPTION: Example applications (Exampleapps) in ColdFusion Server 4.x do not properly restrict prevent access from outside the local host's domain, which allows remote attackers to conduct upload, read, or execute files by spoofing the "HTTP Host" (CGI.Host) variable in (1) the "Web Publish" example script, and (2) the "Email" example script. CVE-2001-0537 DESCRIPTION: HTTP server for Cisco IOS 11.3 to 12.2 allows attackers to bypass authentication and execute arbitrary commands, when local authorization is being used, by specifying a high access level in the URL. CVE-2001-0538 DESCRIPTION: Microsoft Outlook View ActiveX Control in Microsoft Outlook 2002 and earlier allows remote attackers to execute arbitrary commands via a malicious HTML e-mail message or web page. CVE-2001-0539 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0540 DESCRIPTION: Memory leak in Terminal servers in Windows NT and Windows 2000 allows remote attackers to cause a denial of service (memory exhaustion) via a large number of malformed Remote Desktop Protocol (RDP) requests to port 3389. CVE-2001-0541 DESCRIPTION: Buffer overflow in Microsoft Windows Media Player 7.1 and earlier allows remote attackers to execute arbitrary commands via a malformed Windows Media Station (.NSC) file. CVE-2001-0542 DESCRIPTION: Buffer overflows in Microsoft SQL Server 7.0 and 2000 allow attackers with access to SQL Server to execute arbitrary code through the functions (1) raiserror, (2) formatmessage, or (3) xp_sprintf. NOTE: the C runtime format string vulnerability reported in MS01-060 is identified by CVE-2001-0879. CVE-2001-0543 DESCRIPTION: Memory leak in NNTP service in Windows NT 4.0 and Windows 2000 allows remote attackers to cause a denial of service (memory exhaustion) via a large number of malformed posts. CVE-2001-0544 DESCRIPTION: IIS 5.0 allows local users to cause a denial of service (hang) via by installing content that produces a certain invalid MIME Content-Type header, which corrupts the File Type table. CVE-2001-0545 DESCRIPTION: IIS 4.0 with URL redirection enabled allows remote attackers to cause a denial of service (crash) via a malformed request that specifies a length that is different than the actual length. CVE-2001-0546 DESCRIPTION: Memory leak in H.323 Gatekeeper Service in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to cause a denial of service (resource exhaustion) via a large amount of malformed H.323 data. CVE-2001-0547 DESCRIPTION: Memory leak in the proxy service in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows local attackers to cause a denial of service (resource exhaustion). CVE-2001-0548 DESCRIPTION: Buffer overflow in dtmail in Solaris 2.6 and 7 allows local users to gain privileges via the MAIL environment variable. CVE-2001-0549 DESCRIPTION: Symantec LiveUpdate 1.5 stores proxy passwords in cleartext in a registry key, which could allow local users to obtain the passwords. CVE-2001-0550 DESCRIPTION: wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands via a "~{" argument to commands such as CWD, which is not properly handled by the glob function (ftpglob). CVE-2001-0551 DESCRIPTION: Buffer overflow in CDE Print Viewer (dtprintinfo) allows local users to execute arbitrary code by copying text from the clipboard into the Help window. CVE-2001-0552 DESCRIPTION: ovactiond in HP OpenView Network Node Manager (NNM) 6.1 and Tivoli Netview 5.x and 6.x allows remote attackers to execute arbitrary commands via shell metacharacters in a certain SNMP trap message. CVE-2001-0553 DESCRIPTION: SSH Secure Shell 3.0.0 on Unix systems does not properly perform password authentication to the sshd2 daemon, which allows local users to gain access to accounts with short password fields, such as locked accounts that use "NP" in the password field. CVE-2001-0554 DESCRIPTION: Buffer overflow in BSD-based telnetd telnet daemon on various operating systems allows remote attackers to execute arbitrary commands via a set of options including AYT (Are You There), which is not properly handled by the telrcv function. CVE-2001-0555 DESCRIPTION: ScreamingMedia SITEWare versions 2.5 through 3.1 allows a remote attacker to read world-readable files via a .. (dot dot) attack through (1) the SITEWare Editor's Desktop or (2) the template parameter in SWEditServlet. CVE-2001-0556 DESCRIPTION: The Nirvana Editor (NEdit) 5.1.1 and earlier allows a local attacker to overwrite other users' files via a symlink attack on (1) backup files or (2) temporary files used when nedit prints a file or portions of a file. CVE-2001-0557 DESCRIPTION: T. Hauck Jana Webserver 1.46 and earlier allows a remote attacker to view arbitrary files via a '..' (dot dot) attack which is URL encoded (%2e%2e). CVE-2001-0558 DESCRIPTION: T. Hauck Jana Webserver 2.01 beta 1 and earlier allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name (i.e. GET /aux HTTP/1.0). CVE-2001-0559 DESCRIPTION: crontab in Vixie cron 3.0.1 and earlier does not properly drop privileges after the failed parsing of a modification operation, which could allow a local attacker to gain additional privileges when an editor is called to correct the error. CVE-2001-0560 DESCRIPTION: Buffer overflow in Vixie cron 3.0.1-56 and earlier could allow a local attacker to gain additional privileges via a long username (> 20 characters). CVE-2001-0561 DESCRIPTION: Directory traversal vulnerability in Drummond Miles A1Stats prior to 1.6 allows a remote attacker to read arbitrary files via a '..' (dot dot) attack in (1) a1disp2.cgi, (2) a1disp3.cgi, or (3) a1disp4.cgi. CVE-2001-0562 DESCRIPTION: a1disp.cgi program in Drummond Miles A1Stats prior to 1.6 allows a remote attacker to execute commands via a specially crafted URL which includes shell metacharacters. CVE-2001-0563 DESCRIPTION: ElectroSystems Engineering Inc. ElectroComm 2.0 and earlier allows a remote attacker to create a denial of service via large (> 160000 character) strings sent to port 23. CVE-2001-0564 DESCRIPTION: APC Web/SNMP Management Card prior to Firmware 310 only supports one telnet connection, which allows a remote attacker to create a denial of service via repeated failed logon attempts which temporarily locks the card. CVE-2001-0565 DESCRIPTION: Buffer overflow in mailx in Solaris 8 and earlier allows a local attacker to gain additional privileges via a long '-F' command line option. CVE-2001-0566 DESCRIPTION: Cisco Catalyst 2900XL switch allows a remote attacker to create a denial of service via an empty UDP packet sent to port 161 (SNMP) when SNMP is disabled. CVE-2001-0567 DESCRIPTION: Digital Creations Zope 2.3.2 and earlier allows a local attacker to gain additional privileges via the changing of ZClass permission mappings for objects and methods in the ZClass. CVE-2001-0568 DESCRIPTION: Digital Creations Zope 2.3.1 b1 and earlier allows a local attacker (Zope user) with through-the-web scripting capabilities to alter ZClasses class attributes. CVE-2001-0569 DESCRIPTION: Digital Creations Zope 2.3.1 b1 and earlier contains a problem in the method return values related to the classes (1) ObjectManager, (2) PropertyManager, and (3) PropertySheet. CVE-2001-0570 DESCRIPTION: minicom 1.83.1 and earlier allows a local attacker to gain additional privileges via numerous format string attacks. CVE-2001-0571 DESCRIPTION: Directory traversal vulnerability in the web server for (1) Elron Internet Manager (IM) Message Inspector and (2) Anti-Virus before 3.0.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the requested URL. CVE-2001-0572 DESCRIPTION: The SSH protocols 1 and 2 (aka SSH-2) as implemented in OpenSSH and other packages have various weaknesses which can allow a remote attacker to obtain the following information via sniffing: (1) password lengths or ranges of lengths, which simplifies brute force password guessing, (2) whether RSA or DSA authentication is being used, (3) the number of authorized_keys in RSA authentication, or (4) the lengths of shell commands. CVE-2001-0573 DESCRIPTION: lsfs in AIX 4.x allows a local user to gain additional privileges by creating Trojan horse programs named (1) grep or (2) lslv in a certain directory that is under the user's control, which cause lsfs to access the programs in that directory. CVE-2001-0574 DESCRIPTION: Directory traversal vulnerability in MP3Mystic prior to 1.04b3 allows a remote attacker to download arbitrary files via a '..' (dot dot) in the URL. CVE-2001-0575 DESCRIPTION: Buffer overflow in lpshut in SCO OpenServer 5.0.6 can allow a local attacker to gain additional privileges via a long first argument to lpshut. CVE-2001-0576 DESCRIPTION: lpusers as included with SCO OpenServer 5.0 through 5.0.6 allows a local attacker to gain additional privileges via a buffer overflow attack in the '-u' command line parameter. CVE-2001-0577 DESCRIPTION: recon in SCO OpenServer 5.0 through 5.0.6 can allow a local attacker to gain additional privileges via a buffer overflow attack in the first command line argument. CVE-2001-0578 DESCRIPTION: Buffer overflow in lpforms in SCO OpenServer 5.0-5.0.6 can allow a local attacker to gain additional privileges via a long first argument to the lpforms command. CVE-2001-0579 DESCRIPTION: lpadmin in SCO OpenServer 5.0.6 can allow a local attacker to gain additional privileges via a buffer overflow attack in the first argument to the command. CVE-2001-0580 DESCRIPTION: Hughes Technologies Virtual DNS (VDNS) Server 1.0 allows a remote attacker to create a denial of service by connecting to port 6070, sending some data, and closing the connection. CVE-2001-0581 DESCRIPTION: Spytech Spynet Chat Server 6.5 allows a remote attacker to create a denial of service (crash) via a large number of connections to port 6387. CVE-2001-0582 DESCRIPTION: Ben Spink CrushFTP FTP Server 2.1.6 and earlier allows a local attacker to access arbitrary files via a '..' (dot dot) attack, or variations, in (1) GET, (2) CD, (3) NLST, (4) SIZE, (5) RETR. CVE-2001-0583 DESCRIPTION: Alt-N Technologies MDaemon 3.5.4 allows a remote attacker to create a denial of service via the URL request of a MS-DOS device (such as GET /aux) to (1) the Worldclient service at port 3000, or (2) the Webconfig service at port 3001. CVE-2001-0584 DESCRIPTION: IMAP server in Alt-N Technologies MDaemon 3.5.6 allows a local user to cause a denial of service (hang) via long (1) SELECT or (2) EXAMINE commands. CVE-2001-0585 DESCRIPTION: Gordano NTMail 6.0.3c allows a remote attacker to create a denial of service via a long (>= 255 characters) URL request to port 8000 or port 9000. CVE-2001-0586 DESCRIPTION: TrendMicro ScanMail for Exchange 3.5 Evaluation allows a local attacker to recover the administrative credentials for ScanMail via a combination of unprotected registry keys and weakly encrypted passwords. CVE-2001-0587 DESCRIPTION: deliver program in MMDF 2.43.3b in SCO OpenServer 5.0.6 can allow a local attacker to gain additional privileges via a buffer overflow in the first argument to the command. CVE-2001-0588 DESCRIPTION: sendmail 8.9.3, as included with the MMDF 2.43.3b package in SCO OpenServer 5.0.6, can allow a local attacker to gain additional privileges via a buffer overflow in the first argument to the command. CVE-2001-0589 DESCRIPTION: NetScreen ScreenOS prior to 2.5r6 on the NetScreen-10 and Netscreen-100 can allow a local attacker to bypass the DMZ 'denial' policy via specific traffic patterns. CVE-2001-0590 DESCRIPTION: Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0). CVE-2001-0591 DESCRIPTION: Directory traversal vulnerability in Oracle JSP 1.0.x through 1.1.1 and Oracle 8.1.7 iAS Release 1.0.2 can allow a remote attacker to read or execute arbitrary .jsp files via a '..' (dot dot) attack. CVE-2001-0592 DESCRIPTION: Watchguard Firebox II prior to 4.6 allows a remote attacker to create a denial of service in the kernel via a large stream (>10,000) of malformed ICMP or TCP packets. CVE-2001-0593 DESCRIPTION: Ananconda Partners Clipper 3.3 and earlier allows a remote attacker to read arbitrary files via a '..' (dot dot) attack in the template parameter. CVE-2001-0594 DESCRIPTION: kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument. CVE-2001-0595 DESCRIPTION: Buffer overflow in the kcsSUNWIOsolf.so library in Solaris 7 and 8 allows local attackers to execute arbitrary commands via the KCMS_PROFILES environment variable, e.g. as demonstrated using the kcms_configure program. CVE-2001-0596 DESCRIPTION: Netscape Communicator before 4.77 allows remote attackers to execute arbitrary Javascript via a GIF image whose comment contains the Javascript. CVE-2001-0597 DESCRIPTION: Zetetic Secure Tool for Recalling Important Passwords (STRIP) 0.5 and earlier for the PalmOS allows a local attacker to recover passwords via a brute force attack. This attack is made feasible by STRIP's use of SysRandom, which is seeded by TimeGetTicks, and an implementation flaw which vastly reduces the password 'search space'. CVE-2001-0598 DESCRIPTION: Symantec Ghost 6.5 and earlier allows a remote attacker to create a denial of service by sending large (> 45Kb) amounts of data to the Ghost Configuration Server on port 1347, which triggers an error that is not properly handled. CVE-2001-0599 DESCRIPTION: Sybase Adaptive Server Anywhere Database Engine 6.0.3.2747 and earlier as included with Symantec Ghost 6.5 allows a remote attacker to create a denial of service by sending large (> 45Kb) amounts of data to port 2638. CVE-2001-0600 DESCRIPTION: Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a denial of service via repeated URL requests with the same HTTP headers, such as (1) Accept, (2) Accept-Charset, (3) Accept-Encoding, (4) Accept-Language, and (5) Content-Type. CVE-2001-0601 DESCRIPTION: Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a denial of service via HTTP requests containing certain combinations of UNICODE characters. CVE-2001-0602 DESCRIPTION: Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a denial of service via repeated (>400) URL requests for DOS devices. CVE-2001-0603 DESCRIPTION: Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a denial of service via repeatedly sending large (> 10Kb) amounts of data to the DIIOP - CORBA service on TCP port 63148. CVE-2001-0604 DESCRIPTION: Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a denial of service via URL requests (>8Kb) containing a large number of '/' characters. CVE-2001-0605 DESCRIPTION: Headlight Software MyGetright prior to 1.0b allows a remote attacker to upload and/or overwrite arbitrary files via a malicious .dld (skins-data) file which contains long strings of random data. CVE-2001-0606 DESCRIPTION: Vulnerability in iPlanet Web Server 4.X in HP-UX 11.04 (VVOS) with VirtualVault A.04.00 allows a remote attacker to create a denial of service via the HTTPS service. CVE-2001-0607 DESCRIPTION: asecure as included with HP-UX 10.01 through 11.00 can allow a local attacker to create a denial of service and gain additional privileges via unsafe permissions on the asecure program, a different vulnerability than CVE-2000-0083. CVE-2001-0608 DESCRIPTION: HP architected interface facility (AIF) as includes with MPE/iX 5.5 through 6.5 running on a HP3000 allows an attacker to gain additional privileges and gain access to databases via the AIF - AIFCHANGELOGON program. CVE-2001-0609 DESCRIPTION: Format string vulnerability in Infodrom cfingerd 1.4.3 and earlier allows a remote attacker to gain additional privileges via a malformed ident reply that is passed to the syslog function. CVE-2001-0610 DESCRIPTION: kfm as included with KDE 1.x can allow a local attacker to gain additional privileges via a symlink attack in the kfm cache directory in /tmp. CVE-2001-0611 DESCRIPTION: Becky! 2.00.05 and earlier can allow a remote attacker to gain additional privileges via a buffer overflow attack on long messages without newline characters. CVE-2001-0612 DESCRIPTION: McAfee Remote Desktop 3.0 and earlier allows remote attackers to cause a denial of service (crash) via a large number of packets to port 5045. CVE-2001-0613 DESCRIPTION: Omnicron Technologies OmniHTTPD Professional 2.08 and earlier allows a remote attacker to create a denial of service via a long POST URL request. CVE-2001-0614 DESCRIPTION: Carello E-Commerce 1.2.1 and earlier allows a remote attacker to gain additional privileges and execute arbitrary commands via a specially constructed URL. CVE-2001-0615 DESCRIPTION: Directory traversal vulnerability in Faust Informatics Freestyle Chat server prior to 4.1 SR3 allows a remote attacker to read arbitrary files via a specially crafted URL which includes variations of a '..' (dot dot) attack such as '...' or '....'. CVE-2001-0616 DESCRIPTION: Faust Informatics Freestyle Chat server prior to 4.1 SR3 allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name (e.g., GET /aux HTTP/1.0). CVE-2001-0617 DESCRIPTION: Allied Telesyn AT-AR220e cable/DSL router firmware 1.08a RC14 with the portmapper and the 'Virtual Server' enabled can allow a remote attacker to gain access to mapped services even though the single portmappings may be disabled. CVE-2001-0618 DESCRIPTION: Orinoco RG-1000 wireless Residential Gateway uses the last 5 digits of the 'Network Name' or SSID as the default Wired Equivalent Privacy (WEP) encryption key. Since the SSID occurs in the clear during communications, a remote attacker could determine the WEP key and decrypt RG-1000 traffic. CVE-2001-0619 DESCRIPTION: The Lucent Closed Network protocol can allow remote attackers to join Closed Network networks which they do not have access to. The 'Network Name' or SSID, which is used as a shared secret to join the network, is transmitted in the clear. CVE-2001-0620 DESCRIPTION: iPlanet Calendar Server 5.0p2 and earlier allows a local attacker to gain access to the Netscape Admin Server (NAS) LDAP database and read arbitrary files by obtaining the cleartext administrator username and password from the configuration file, which has insecure permissions. CVE-2001-0621 DESCRIPTION: The FTP server on Cisco Content Service 11000 series switches (CSS) before WebNS 4.01B23s and WebNS 4.10B13s allows an attacker who is an FTP user to read and write arbitrary files via GET or PUT commands. CVE-2001-0622 DESCRIPTION: The web management service on Cisco Content Service series 11000 switches (CSS) before WebNS 4.01B29s or WebNS 4.10B17s allows a remote attacker to gain additional privileges by directly requesting the web management URL instead of navigating through the interface. CVE-2001-0623 DESCRIPTION: sendfiled, as included with Simple Asynchronous File Transfer (SAFT), on various Linux systems does not properly drop privileges when sending notification emails, which allows local attackers to gain privileges. CVE-2001-0624 DESCRIPTION: QNX 2.4 allows a local user to read arbitrary files by directly accessing the mount point for the FAT disk partition, e.g. /fs-dos. CVE-2001-0625 DESCRIPTION: ftpdownload in Computer Associates InoculateIT 6.0 allows a local attacker to overwrite arbitrary files via a symlink attack on /tmp/ftpdownload.log . CVE-2001-0626 DESCRIPTION: O'Reilly Website Professional 2.5.4 and earlier allows remote attackers to determine the physical path to the root directory via a URL request containing a ":" character. CVE-2001-0627 DESCRIPTION: vi as included with SCO OpenServer 5.0 - 5.0.6 allows a local attacker to overwrite arbitrary files via a symlink attack. CVE-2001-0628 DESCRIPTION: Microsoft Word 2000 does not check AutoRecovery (.asd) files for macros, which allows a local attacker to execute arbitrary macros with the user ID of the Word user. CVE-2001-0629 DESCRIPTION: HP Event Correlation Service (ecsd) as included with OpenView Network Node Manager 6.1 allows a remote attacker to gain addition privileges via a buffer overflow attack in the '-restore_config' command line parameter. CVE-2001-0630 DESCRIPTION: Directory traversal vulnerability in MIMAnet viewsrc.cgi 2.0 allows a remote attacker to read arbitrary files via a '..' (dot dot) attack in the 'loc' variable. CVE-2001-0631 DESCRIPTION: Centrinity First Class Internet Services 5.50 allows for the circumventing of the default 'spam' filters via the presence of '<@>' in the 'From:' field, which allows remote attackers to send spoofed email with the identity of local users. CVE-2001-0632 DESCRIPTION: Sun Chili!Soft 3.5.2 on Linux and 3.6 on AIX creates a default admin username and password in the default installation, which can allow a remote attacker to gain additional privileges. CVE-2001-0633 DESCRIPTION: Directory traversal vulnerability in Sun Chili!Soft ASP on multiple Unixes allows a remote attacker to read arbitrary files above the web root via a '..' (dot dot) attack in the sample script 'codebrws.asp'. CVE-2001-0634 DESCRIPTION: Sun Chili!Soft ASP has weak permissions on various configuration files, which allows a local attacker to gain additional privileges and create a denial of service. CVE-2001-0635 DESCRIPTION: Red Hat Linux 7.1 sets insecure permissions on swap files created during installation, which can allow a local attacker to gain additional privileges by reading sensitive information from the swap file, such as passwords. CVE-2001-0636 DESCRIPTION: Buffer overflows in Raytheon SilentRunner allow remote attackers to (1) cause a denial of service in the collector (cle.exe) component of SilentRunner 2.0 via traffic containing long passwords, or (2) execute arbitrary commands via long HTTP queries in the Knowledge Browser component in SilentRunner 2.0 and 2.0.1. NOTE: It is highly likely that this candidate will be split into multiple candidates. CVE-2001-0641 DESCRIPTION: Buffer overflow in man program in various distributions of Linux allows local user to execute arbitrary code as group man via a long -S option. CVE-2001-0642 DESCRIPTION: Directory traversal vulnerability in IncrediMail version 1400185 and earlier allows local users to overwrite files on the local hard drive by appending .. (dot dot) sequences to filenames listed in the content.ini file. CVE-2001-0643 DESCRIPTION: Internet Explorer 5.5 does not display the Class ID (CLSID) when it is at the end of the file name, which could allow attackers to trick the user into executing dangerous programs by making it appear that the document is of a safe file type. CVE-2001-0644 DESCRIPTION: Maxum Rumpus FTP Server 1.3.3 and 2.0.3 dev 3 stores passwords in plaintext in the "Rumpus User Database" file in the prefs folder, which could allow attackers to gain privileges on the server. CVE-2001-0645 DESCRIPTION: Symantec/AXENT NetProwler 3.5.x contains several default passwords, which could allow remote attackers to (1) access to the management tier via the "admin" password, or (2) connect to a MySQL ODBC from the management tier using a blank password. CVE-2001-0646 DESCRIPTION: Maxum Rumpus FTP Server 1.3.3 and 2.0.3 dev 3 allows a remote attacker to perform a denial of service (hang) by creating a directory name of a specific length. CVE-2001-0647 DESCRIPTION: Orange Web Server 2.1, based on GoAhead, allows a remote attacker to perform a denial of service via an HTTP GET request that does not include the HTTP version. CVE-2001-0648 DESCRIPTION: Directory traversal vulnerability in PHProjekt 2.1 and earlier allows a remote attacker to conduct unauthorized activities via a dot dot (..) attack on the file module. CVE-2001-0649 DESCRIPTION: Personal Web Sharing 1.5.5 allows a remote attacker to cause a denial of service via a long HTTP request. CVE-2001-0650 DESCRIPTION: Cisco devices IOS 12.0 and earlier allow a remote attacker to cause a crash, or bad route updates, via malformed BGP updates with unrecognized transitive attribute. CVE-2001-0652 DESCRIPTION: Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable. CVE-2001-0653 DESCRIPTION: Sendmail 8.10.0 through 8.11.5, and 8.12.0 beta, allows local users to modify process memory and possibly gain privileges via a large value in the 'category' part of debugger (-d) command line arguments, which is interpreted as a negative number. CVE-2001-0654 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2001. Notes: none. CVE-2001-0655 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2001. Notes: none. CVE-2001-0656 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2001. Notes: none. CVE-2001-0657 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2001. Notes: none. CVE-2001-0658 DESCRIPTION: Cross-site scripting (CSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to cause other clients to execute certain script or read cookies via malicious script in an invalid URL that is not properly quoted in an error message. CVE-2001-0659 DESCRIPTION: Buffer overflow in IrDA driver providing infrared data exchange on Windows 2000 allows attackers who are physically close to the machine to cause a denial of service (reboot) via a malformed IrDA packet. CVE-2001-0660 DESCRIPTION: Outlook Web Access (OWA) in Microsoft Exchange 5.5, SP4 and earlier, allows remote attackers to identify valid user email addresses by directly accessing a back-end function that processes the global address list (GAL). CVE-2001-0661 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0662 DESCRIPTION: RPC endpoint mapper in Windows NT 4.0 allows remote attackers to cause a denial of service (loss of RPC services) via a malformed request. CVE-2001-0663 DESCRIPTION: Terminal Server in Windows NT and Windows 2000 allows remote attackers to cause a denial of service via a sequence of invalid Remote Desktop Protocol (RDP) packets. CVE-2001-0664 DESCRIPTION: Internet Explorer 5.5 and 5.01 allows remote attackers to bypass security restrictions via malformed URLs that contain dotless IP addresses, which causes Internet Explorer to process the page in the Intranet Zone, which may have fewer security restrictions, aka the "Zone Spoofing vulnerability." CVE-2001-0665 DESCRIPTION: Internet Explorer 6 and earlier allows remote attackers to cause certain HTTP requests to be automatically executed and appear to come from the user, which could allow attackers to gain privileges or execute operations within web-based services, aka the "HTTP Request Encoding vulnerability." CVE-2001-0666 DESCRIPTION: Outlook Web Access (OWA) in Microsoft Exchange 2000 allows an authenticated user to cause a denial of service (CPU consumption) via a malformed OWA request for a deeply nested folder within the user's mailbox. CVE-2001-0667 DESCRIPTION: Internet Explorer 6 and earlier, when used with the Telnet client in Services for Unix (SFU) 2.0, allows remote attackers to execute commands by spawning Telnet with a log file option on the command line and writing arbitrary code into an executable file which is later executed, aka a new variant of the Telnet Invocation vulnerability as described in CVE-2001-0150. CVE-2001-0668 DESCRIPTION: Buffer overflow in line printer daemon (rlpdaemon) in HP-UX 10.01 through 11.11 allows remote attackers to execute arbitrary commands. CVE-2001-0669 DESCRIPTION: Various Intrusion Detection Systems (IDS) including (1) Cisco Secure Intrusion Detection System, (2) Cisco Catalyst 6000 Intrusion Detection System Module, (3) Dragon Sensor 4.x, (4) Snort before 1.8.1, (5) ISS RealSecure Network Sensor 5.x and 6.x before XPU 3.2, and (6) ISS RealSecure Server Sensor 5.5 and 6.0 for Windows, allow remote attackers to evade detection of HTTP attacks via non-standard "%u" Unicode encoding of ASCII characters in the requested URL. CVE-2001-0670 DESCRIPTION: Buffer overflow in BSD line printer daemon (in.lpd or lpd) in various BSD-based operating systems allows remote attackers to execute arbitrary code via an incomplete print job followed by a request to display the printer queue. CVE-2001-0671 DESCRIPTION: Buffer overflows in (1) send_status, (2) kill_print, and (3) chk_fhost in lpd in AIX 4.3 and 5.1 allow remote attackers to gain root privileges. CVE-2001-0672 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0673 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0674 DESCRIPTION: Directory traversal vulnerability in RobTex Viking Web server before 1.07-381 allows remote attackers to read arbitrary files via a hexadecimal encoded dot-dot attack (eg. http://www.server.com/%2e%2e/%2e%2e) in an HTTP URL request. CVE-2001-0675 DESCRIPTION: Rit Research Labs The Bat! 1.51 for Windows allows a remote attacker to cause a denial of service by sending an email to a user's account containing a carriage return that is not followed by a line feed . CVE-2001-0676 DESCRIPTION: Directory traversal vulnerability in Rit Research Labs The Bat! 1.48f and earlier allows a remote attacker to create arbitrary files via a "dot dot" attack in the filename for an attachment. CVE-2001-0677 DESCRIPTION: Eudora 5.0.2 allows a remote attacker to read arbitrary files via an email with the path of the target file in the "Attachment Converted" MIME header, which sends the file when the email is forwarded to the attacker by the user. CVE-2001-0678 DESCRIPTION: A buffer overflow in reggo.dll file used by Trend Micro InterScan VirusWall prior to 3.51 build 1349 for Windows NT 3.5 and InterScan WebManager 1.2 allows a local attacker to execute arbitrary code. CVE-2001-0679 DESCRIPTION: A buffer overflow in InterScan VirusWall 3.23 and 3.3 allows a remote attacker to execute arbitrary code by sending a long HELO command to the server. CVE-2001-0680 DESCRIPTION: Directory traversal vulnerability in ftpd in QPC QVT/Net 4.0 and AVT/Term 5.0 allows a remote attacker to traverse directories on the web server via a "dot dot" attack in a LIST (ls) command. CVE-2001-0681 DESCRIPTION: Buffer overflow in ftpd in QPC QVT/Net 5.0 and QVT/Term 5.0 allows a remote attacker to cause a denial of service via a long (1) username or (2) password. CVE-2001-0682 DESCRIPTION: ZoneAlarm and ZoneAlarm Pro allows a local attacker to cause a denial of service by running a trojan to initialize a ZoneAlarm mutex object which prevents ZoneAlarm from starting. CVE-2001-0683 DESCRIPTION: Memory leak in Netscape Collabra Server 3.5.4 and earlier allows a remote attacker to cause a denial of service (memory exhaustion) by repeatedly sending approximately 5K of data to TCP port 5238. CVE-2001-0684 DESCRIPTION: Netscape Collabra Server 3.5.4 and earlier allows a remote attacker to cause a denial of service by sending seven or more characters to TCP port 5239. CVE-2001-0685 DESCRIPTION: Thibault Godouet FCron prior to 1.1.1 allows a local user to corrupt another user's crontab file via a symlink attack on the fcrontab temporary file. CVE-2001-0686 DESCRIPTION: Buffer overflow in mail included with SunOS 5.8 for x86 allows a local user to gain privileges via a long HOME environment variable. CVE-2001-0687 DESCRIPTION: Broker FTP server 5.9.5 for Windows NT and 9x allows a remote attacker to retrieve privileged web server system information by (1) issuing a CD command (CD C:) followed by the LS command, (2) specifying arbitrary paths in the UNC format (\\computername\sharename). CVE-2001-0688 DESCRIPTION: Broker FTP Server 5.9.5.0 allows a remote attacker to cause a denial of service by repeatedly issuing an invalid CD or CWD ("CD . .") command. CVE-2001-0689 DESCRIPTION: Vulnerability in TrendMicro Virus Control System 1.8 allows a remote attacker to view configuration files and change the configuration via a certain CGI program. CVE-2001-0690 DESCRIPTION: Format string vulnerability in exim (3.22-10 in Red Hat, 3.12 in Debian and 3.16 in Conectiva) in batched SMTP mode allows a remote attacker to execute arbitrary code via format strings in SMTP mail headers. CVE-2001-0691 DESCRIPTION: Buffer overflows in Washington University imapd 2000a through 2000c could allow local users without shell access to execute code as themselves in certain configurations. CVE-2001-0692 DESCRIPTION: SMTP proxy in WatchGuard Firebox (2500 and 4500) 4.5 and 4.6 allows a remote attacker to bypass firewall filtering via a base64 MIME encoded email attachment whose boundary name ends in two dashes. CVE-2001-0693 DESCRIPTION: WebTrends HTTP Server 3.1c and 3.5 allows a remote attacker to view script source code via a filename followed by an encoded space (%20). CVE-2001-0694 DESCRIPTION: Directory traversal vulnerability in WFTPD 3.00 R5 allows a remote attacker to view arbitrary files via a dot dot attack in the CD command. CVE-2001-0695 DESCRIPTION: WFTPD 3.00 R5 allows a remote attacker to cause a denial of service by making repeated requests to cd to the floppy drive (A:\). CVE-2001-0696 DESCRIPTION: NetWin SurgeFTP 2.0a and 1.0b allows a remote attacker to cause a denial of service (crash) via a CD command to a directory with an MS-DOS device name such as con. CVE-2001-0697 DESCRIPTION: NetWin SurgeFTP prior to 1.1h allows a remote attacker to cause a denial of service (crash) via an 'ls ..' command. CVE-2001-0698 DESCRIPTION: Directory traversal vulnerability in NetWin SurgeFTP 2.0a and 1.0b allows a remote attacker to list arbitrary files and directories via the 'nlist ...' command. CVE-2001-0699 DESCRIPTION: Buffer overflow in cb_reset in the System Service Processor (SSP) package of SunOS 5.8 allows a local user to execute arbitrary code via a long argument. CVE-2001-0700 DESCRIPTION: Buffer overflow in w3m 0.2.1 and earlier allows a remote attacker to execute arbitrary code via a long base64 encoded MIME header. CVE-2001-0701 DESCRIPTION: Buffer overflow in ptexec in the Sun Validation Test Suite 4.3 and earlier allows a local user to gain privileges via a long -o argument. CVE-2001-0702 DESCRIPTION: Cerberus FTP 1.5 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long (1) username, (2) password, or (3) PASV command. CVE-2001-0703 DESCRIPTION: tradecli.dll in Arcadia Internet Store 1.0 allows a remote attacker to cause a denial of service via a URL request with an MS-DOS device name in the template parameter. CVE-2001-0704 DESCRIPTION: tradecli.dll in Arcadia Internet Store 1.0 allows a remote attacker to discover the full path to the working directory via a URL with a template argument for a file that does not exist. CVE-2001-0705 DESCRIPTION: Directory traversal vulnerability in tradecli.dll in Arcadia Internet Store 1.0 allows a remote attacker to read arbitrary files on the web server via a URL with "dot dot" sequences in the template argument. CVE-2001-0706 DESCRIPTION: Maximum Rumpus FTP Server 2.0.3 dev and before allows an attacker to cause a denial of service (crash) via a mkdir command that specifies a large number of sub-folders. CVE-2001-0707 DESCRIPTION: Denicomp RSHD 2.18 and earlier allows a remote attacker to cause a denial of service (crash) via a long string to port 514. CVE-2001-0708 DESCRIPTION: Denicomp REXECD 1.05 and earlier allows a remote attacker to cause a denial of service (crash) via a long string. CVE-2001-0709 DESCRIPTION: Microsoft IIS 4.0 and before, when installed on a FAT partition, allows a remote attacker to obtain source code of ASP files via a URL encoded with Unicode. CVE-2001-0710 DESCRIPTION: NetBSD 1.5 and earlier and FreeBSD 4.3 and earlier allows a remote attacker to cause a denial of service by sending a large number of IP fragments to the machine, exhausting the mbuf pool. CVE-2001-0711 DESCRIPTION: Cisco IOS 11.x and 12.0 with ATM support allows attackers to cause a denial of service via the undocumented Interim Local Management Interface (ILMI) SNMP community string. CVE-2001-0712 DESCRIPTION: The rendering engine in Internet Explorer determines the MIME type independently of the type that is specified by the server, which allows remote servers to automatically execute script which is placed in a file whose MIME type does not normally support scripting, such as text (.txt), JPEG (.jpg), etc. CVE-2001-0713 DESCRIPTION: Sendmail before 8.12.1 does not properly drop privileges when the -C option is used to load custom configuration files, which allows local users to gain privileges via malformed arguments in the configuration file whose names contain characters with the high bit set, such as (1) macro names that are one character long, (2) a variable setting which is processed by the setoption function, or (3) a Modifiers setting which is processed by the getmodifiers function. CVE-2001-0714 DESCRIPTION: Sendmail before 8.12.1, without the RestrictQueueRun option enabled, allows local users to cause a denial of service (data loss) by (1) setting a high initial message hop count option (-h), which causes Sendmail to drop queue entries, (2) via the -qR option, or (3) via the -qS option. CVE-2001-0715 DESCRIPTION: Sendmail before 8.12.1, without the RestrictQueueRun option enabled, allows local users to obtain potentially sensitive information about the mail queue by setting debugging flags to enable debug mode. CVE-2001-0716 DESCRIPTION: Citrix MetaFrame 1.8 Server with Service Pack 3, and XP Server Service Pack 1 and earlier, allows remote attackers to cause a denial of service (crash) via a large number of incomplete connections to the server. CVE-2001-0717 DESCRIPTION: Format string vulnerability in ToolTalk database server rpc.ttdbserverd allows remote attackers to execute arbitrary commands via format string specifiers that are passed to the syslog function. CVE-2001-0718 DESCRIPTION: Vulnerability in (1) Microsoft Excel 2002 and earlier and (2) Microsoft PowerPoint 2002 and earlier allows attackers to bypass macro restrictions and execute arbitrary commands by modifying the data stream in the document. CVE-2001-0719 DESCRIPTION: Buffer overflow in Microsoft Windows Media Player 6.4 allows remote attackers to execute arbitrary code via a malformed Advanced Streaming Format (ASF) file. CVE-2001-0720 DESCRIPTION: Internet Explorer 5.1 for Macintosh on Mac OS X allows remote attackers to execute arbitrary commands by causing a BinHex or MacBinary file type to be downloaded, which causes the files to be executed if automatic decoding is enabled. CVE-2001-0721 DESCRIPTION: Universal Plug and Play (UPnP) in Windows 98, 98SE, ME, and XP allows remote attackers to cause a denial of service (memory consumption or crash) via a malformed UPnP request. CVE-2001-0722 DESCRIPTION: Internet Explorer 5.5 and 6.0 allows remote attackers to read and modify user cookies via Javascript in an about: URL, aka the "First Cookie Handling Vulnerability." CVE-2001-0723 DESCRIPTION: Internet Explorer 5.5 and 6.0 allows remote attackers to read and modify user cookies via Javascript, aka the "Second Cookie Handling Vulnerability." CVE-2001-0724 DESCRIPTION: Internet Explorer 5.5 allows remote attackers to bypass security restrictions via malformed URLs that contain dotless IP addresses, which causes Internet Explorer to process the page in the Intranet Zone, which may have fewer security restrictions, aka the "Zone Spoofing Vulnerability variant" of CVE-2001-0664. CVE-2001-0725 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0726 DESCRIPTION: Outlook Web Access (OWA) in Microsoft Exchange 5.5 Server, when used with Internet Explorer, does not properly detect certain inline script, which can allow remote attackers to perform arbitrary actions on a user's Exchange mailbox via an HTML e-mail message. CVE-2001-0727 DESCRIPTION: Internet Explorer 6.0 allows remote attackers to execute arbitrary code by modifying the Content-Disposition and Content-Type header fields in a way that causes Internet Explorer to believe that the file is safe to open without prompting the user, aka the "File Execution Vulnerability." CVE-2001-0728 DESCRIPTION: Buffer overflow in Compaq Management Agents before 5.2, included in Compaq Web-enabled Management Software, allows local users to gain privileges. CVE-2001-0729 DESCRIPTION: Apache 1.3.20 on Windows servers allows remote attackers to bypass the default index page and list directory contents via a URL with a large number of / (slash) characters. CVE-2001-0730 DESCRIPTION: split-logfile in Apache 1.3.20 allows remote attackers to overwrite arbitrary files that end in the .log extension via an HTTP request with a / (slash) in the Host: header. CVE-2001-0731 DESCRIPTION: Apache 1.3.20 with Multiviews enabled allows remote attackers to view directory contents and bypass the index page via a URL containing the "M=D" query string. CVE-2001-0733 DESCRIPTION: The #sinclude directive in Embedded Perl (ePerl) 2.2.14 and earlier allows a remote attacker to execute arbitrary code by modifying the 'sinclude' file to point to another file that contains a #include directive that references a file that contains the code. CVE-2001-0734 DESCRIPTION: Hitachi Super-H architecture in NetBSD 1.5 and 1.4.1 allows a local user to gain privileges via modified Status Register contents, which are not properly handled by (1) the sigreturn system call or (2) the process_write_regs kernel routine. CVE-2001-0735 DESCRIPTION: Buffer overflow in cfingerd 1.4.3 and earlier with the ALLOW_LINE_PARSING option enabled allows local users to execute arbitrary code via a long line in the .nofinger file. CVE-2001-0736 DESCRIPTION: Vulnerability in (1) pine before 4.33 and (2) the pico editor, included with pine, allows local users local users to overwrite arbitrary files via a symlink attack. CVE-2001-0737 DESCRIPTION: A long 'synch' delay in Logitech wireless mice and keyboard receivers allows a remote attacker to hijack connections via a man-in-the-middle attack. CVE-2001-0738 DESCRIPTION: LogLine function in klogd in sysklogd 1.3 in various Linux distributions allows an attacker to cause a denial of service (hang) by causing null bytes to be placed in log messages. CVE-2001-0739 DESCRIPTION: Guardian Digital WebTool in EnGarde Secure Linux 1.0.1 allows restarted services to inherit some environmental variables, which could allow local users to gain root privileges. CVE-2001-0740 DESCRIPTION: 3COM OfficeConnect 812 and 840 ADSL Router 4.2, running OCR812 router software 1.1.9 and earlier, allows remote attackers to cause a denial of service via a long string containing a large number of "%s" strings, possibly triggering a format string vulnerability. CVE-2001-0741 DESCRIPTION: Cisco Hot Standby Routing Protocol (HSRP) allows local attackers to cause a denial of service by spoofing HSRP packets. CVE-2001-0742 DESCRIPTION: Buffer overflow in Computalynx CMail POP3 mail server 2.4.9 allows remote attackers to run arbitrary code via a long HELO command. CVE-2001-0743 DESCRIPTION: Paging function in O'Reilly WebBoard Pager 4.10 allows remote attackers to cause a denial of service via a message with an escaped ' character followed by JavaScript commands. CVE-2001-0744 DESCRIPTION: Horde IMP 2.2.4 and earlier allows local users to overwrite files via a symlink attack on a temporary file. CVE-2001-0745 DESCRIPTION: Netscape 4.7x allows remote attackers to obtain sensitive information such as the user's login, mailbox location and installation path via Javascript that accesses the mailbox: URL in the document.referrer property. CVE-2001-0746 DESCRIPTION: Buffer overflow in Web Publisher in iPlanet Web Server Enterprise Edition 4.1 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a request for a long URI with (1) GETPROPERTIES, (2) GETATTRIBUTENAMES, or other methods. CVE-2001-0747 DESCRIPTION: Buffer overflow in iPlanet Web Server (iWS) Enterprise Edition 4.1, service packs 3 through 7, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long method name in an HTTP request. CVE-2001-0748 DESCRIPTION: Acme.Serve 1.7, as used in Cisco Secure ACS Unix and possibly other products, allows remote attackers to read arbitrary files by prepending several / (slash) characters to the URI. CVE-2001-0749 DESCRIPTION: Beck IPC GmbH IPC@CHIP Embedded-Webserver allows remote attackers to read arbitrary files via a webserver root directory set to system root. CVE-2001-0750 DESCRIPTION: Cisco IOS 12.1(2)T, 12.1(3)T allow remote attackers to cause a denial of service (reload) via a connection to TCP ports 3100-3999, 5100-5999, 7100-7999 and 10100-10999. CVE-2001-0751 DESCRIPTION: Cisco switches and routers running CBOS 2.3.8 and earlier use predictable TCP Initial Sequence Numbers (ISN), which allows remote attackers to spoof or hijack TCP connections. CVE-2001-0752 DESCRIPTION: Cisco CBOS 2.3.8 and earlier allows remote attackers to cause a denial of service via an ICMP ECHO REQUEST (ping) with the IP Record Route option set. CVE-2001-0753 DESCRIPTION: Cisco CBOS 2.3.8 and earlier stores the passwords for (1) exec and (2) enable in cleartext in the NVRAM and a configuration file, which could allow unauthorized users to obtain the passwords and gain privileges. CVE-2001-0754 DESCRIPTION: Cisco CBOS 2.3.8 and earlier allows remote attackers to cause a denial of service via a series of large ICMP ECHO REPLY (ping) packets, which cause it to enter ROMMON mode and stop forwarding packets. CVE-2001-0755 DESCRIPTION: Buffer overflow in ftp daemon (ftpd) 6.2 in Debian GNU/Linux allows attackers to cause a denial of service and possibly execute arbitrary code via a long SITE command. CVE-2001-0756 DESCRIPTION: CatalogMgr.pl in VirtualCatalog (incorrectly claimed to be in VirtualCart) allows remote attackers to execute arbitrary code via the template parameter. CVE-2001-0757 DESCRIPTION: Cisco 6400 Access Concentrator Node Route Processor 2 (NRP2) 12.1DC card does not properly disable access when a password has not been set for vtys, which allows remote attackers to obtain access via telnet. CVE-2001-0758 DESCRIPTION: Directory traversal vulnerability in Shambala 4.5 allows remote attackers to escape the FTP root directory via "CWD ..." command. CVE-2001-0759 DESCRIPTION: Buffer overflow in bctool in Jetico BestCrypt 0.8.1 and earlier allows local users to execute arbitrary code via a file or directory with a long pathname, which is processed during an unmount. CVE-2001-0760 DESCRIPTION: Citrix Nfuse 1.51 allows remote attackers to obtain the absolute path of the web root via a malformed request to launch.asp that does not provide the session field. CVE-2001-0761 DESCRIPTION: Buffer overflow in HttpSave.dll in Trend Micro InterScan WebManager 1.2 allows remote attackers to execute arbitrary code via a long value to a certain parameter. CVE-2001-0762 DESCRIPTION: Buffer overflow in su-wrapper 1.1.1 allows local users to execute arbitrary code via a long first argument. CVE-2001-0763 DESCRIPTION: Buffer overflow in Linux xinetd 2.1.8.9pre11-1 and earlier may allow remote attackers to execute arbitrary code via a long ident response, which is not properly handled by the svc_logprint function. CVE-2001-0764 DESCRIPTION: Buffer overflow in ntping in scotty 2.1.0 allows local users to execute arbitrary code via a long hostname as a command line argument. CVE-2001-0765 DESCRIPTION: BisonFTP V4R1 allows local users to access directories outside of their home directory by uploading .bdl files, which can then be linked to other directories. CVE-2001-0766 DESCRIPTION: Apache on MacOS X Client 10.0.3 with the HFS+ file system allows remote attackers to bypass access restrictions via a URL that contains some characters whose case is not matched by Apache's filters. CVE-2001-0767 DESCRIPTION: Directory traversal vulnerability in GuildFTPd 0.9.7 allows attackers to list or read arbitrary files and directories via a .. in (1) LS or (2) GET. CVE-2001-0768 DESCRIPTION: GuildFTPd 0.9.7 stores user names and passwords in plaintext in the default.usr file, which allows local users to gain privileges as other FTP users by reading the file. CVE-2001-0769 DESCRIPTION: Memory leak in GuildFTPd Server 0.97 allows remote attackers to cause a denial of service via a request containing a null character. CVE-2001-0770 DESCRIPTION: Buffer overflow in GuildFTPd Server 0.97 allows remote attacker to execute arbitrary code via a long SITE command. CVE-2001-0771 DESCRIPTION: Spytech SpyAnywhere 1.50 allows remote attackers to gain administrator access via a single character in the "loginpass" field. CVE-2001-0772 DESCRIPTION: Buffer overflows and other vulnerabilities in multiple Common Desktop Environment (CDE) modules in HP-UX 10.10 through 11.11 allow attackers to cause a denial of service and possibly gain additional privileges. CVE-2001-0773 DESCRIPTION: Cayman 3220-H DSL Router 1.0 allows remote attacker to cause a denial of service (crash) via a series of SYN or TCP connect requests. CVE-2001-0774 DESCRIPTION: Tripwire 1.3.1, 2.2.1 and 2.3.0 allows local users to overwrite arbitrary files and possible gain privileges via a symbolic link attack on temporary files. CVE-2001-0775 DESCRIPTION: Buffer overflow in xloadimage 4.1 (aka xli 1.16 and 1.17) in Linux allows remote attackers to execute arbitrary code via a FACES format image containing a long (1) Firstname or (2) Lastname field. CVE-2001-0776 DESCRIPTION: Buffer overflow in DynFX MailServer version 2.10 allows remote attackers to conduct a denial of service via a long username to the POP3 service. CVE-2001-0777 DESCRIPTION: Omnicron OmniHTTPd 2.0.8 allows remote attackers to cause a denial of service (memory exhaustion) via a series of requests for PHP scripts. CVE-2001-0778 DESCRIPTION: OmniHTTPd 2.0.8 and earlier allow remote attackers to obtain source code via a GET request with the URL-encoded symbol for a space (%20). CVE-2001-0779 DESCRIPTION: Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username. CVE-2001-0780 DESCRIPTION: Directory traversal vulnerability in cosmicpro.cgi in Cosmicperl Directory Pro 2.0 allows remote attackers to gain sensitive information via a .. (dot dot) in the SHOW parameter. CVE-2001-0781 DESCRIPTION: Buffer overflow in SpoonFTP 1.0.0.12 allows remote attackers to execute arbitrary code via a long argument to the commands (1) CWD or (2) LIST. CVE-2001-0782 DESCRIPTION: KDE ktvision 0.1.1-271 and earlier allows local attackers to gain root privileges via a symlink attack on a user configuration file. CVE-2001-0783 DESCRIPTION: Cisco TFTP server 1.1 allows remote attackers to read arbitrary files via a ..(dot dot) attack in the GET command. CVE-2001-0784 DESCRIPTION: Directory traversal vulnerability in Icecast 1.3.10 and earlier allows remote attackers to read arbitrary files via a modified .. (dot dot) attack using encoded URL characters. CVE-2001-0785 DESCRIPTION: Directory traversal in Webpaging interface in Internet Software Solutions Air Messenger LAN Server (AMLServer) 3.4.2 allows allows remote attackers to read arbitrary files via a .. (dot dot) attack. CVE-2001-0786 DESCRIPTION: Internet Software Solutions Air Messenger LAN Server (AMLServer) 3.4.2 stores user passwords in plaintext in the pUser.Dat file. CVE-2001-0787 DESCRIPTION: LPRng in Red Hat Linux 7.0 and 7.1 does not properly drop memberships in supplemental groups when lowering privileges, which could allow a local user to elevate privileges. CVE-2001-0788 DESCRIPTION: Internet Software Solutions Air Messenger LAN Server (AMLServer) 3.4.2 allows remote attackers to obtain an absolute path for the server directory by viewing the Location header. CVE-2001-0789 DESCRIPTION: Format string vulnerability in avpkeeper in Kaspersky KAV 3.5.135.2 for Sendmail allows remote attackers to cause a denial of service or possibly execute arbitrary code via a malformed mail message. CVE-2001-0790 DESCRIPTION: Specter IDS version 4.5 and 5.0 allows a remote attacker to cause a denial of service (CPU exhaustion) via a port scan, which causes the server to consume CPU while preparing alerts. CVE-2001-0791 DESCRIPTION: Trend Micro InterScan VirusWall for Windows NT allows remote attackers to make configuration changes by directly calling certain CGI programs, which do not restrict access. CVE-2001-0792 DESCRIPTION: Format string vulnerability in XChat 1.2.x allows remote attackers to execute arbitrary code via a malformed nickname. CVE-2001-0794 DESCRIPTION: Buffer overflow in A-FTP Anonymous FTP Server allows remote attackers to cause a denial of service via a long USER command. CVE-2001-0795 DESCRIPTION: Perception LiteServe 1.25 allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names. CVE-2001-0796 DESCRIPTION: SGI IRIX 6.5 through 6.5.12f and possibly earlier versions, and FreeBSD 3.0, allows remote attackers to cause a denial of service via a malformed IGMP multicast packet with a small response delay. CVE-2001-0797 DESCRIPTION: Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin. CVE-2001-0798 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2001. Notes: none. CVE-2001-0799 DESCRIPTION: Buffer overflows in lpsched in IRIX 6.5.13f and earlier allow remote attackers to execute arbitrary commands via a long argument. CVE-2001-0800 DESCRIPTION: lpsched in IRIX 6.5.13f and earlier allows remote attackers to execute arbitrary commands via shell metacharacters. CVE-2001-0801 DESCRIPTION: lpstat in IRIX 6.5.13f and earlier allows local users to gain root privileges by specifying a Trojan Horse nettype shared library. CVE-2001-0802 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2001. Notes: none. CVE-2001-0803 DESCRIPTION: Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands. CVE-2001-0804 DESCRIPTION: Directory traversal vulnerability in story.pl in Interactive Story 1.3 allows a remote attacker to read arbitrary files via a .. (dot dot) attack on the "next" parameter. CVE-2001-0805 DESCRIPTION: Directory traversal vulnerability in ttawebtop.cgi in Tarantella Enterprise 3.00 and 3.01 allows remote attackers to read arbitrary files via a .. (dot dot) in the pg parameter. CVE-2001-0806 DESCRIPTION: Apple MacOS X 10.0 and 10.1 allow a local user to read and write to a user's desktop folder via insecure default permissions for the Desktop when it is created in some languages. CVE-2001-0807 DESCRIPTION: Internet Explorer 5.0, and possibly other versions, may allow remote attackers (malicious web pages) to read known text files from a client's hard drive via a SCRIPT tag with a SRC value that points to the text file. CVE-2001-0808 DESCRIPTION: gnatsweb.pl in GNATS GnatsWeb 2.7 through 3.95 allows remote attackers to execute arbitrary commands via certain characters in the help_file parameter. CVE-2001-0809 DESCRIPTION: Vulnerability in CIFS/9000 Server (SAMBA) A.01.06 and earlier in HP-UX 11.0 and 11.11, when configured as a print server, allows local users to overwrite arbitrary files by modifying certain resources. CVE-2001-0810 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2001. Notes: none. CVE-2001-0811 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2001. Notes: none. CVE-2001-0812 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2001. Notes: none. CVE-2001-0813 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2001. Notes: none. CVE-2001-0814 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2001. Notes: none. CVE-2001-0815 DESCRIPTION: Buffer overflow in PerlIS.dll in Activestate ActivePerl 5.6.1.629 and earlier allows remote attackers to execute arbitrary code via an HTTP request for a long filename that ends in a .pl extension. CVE-2001-0816 DESCRIPTION: OpenSSH before 2.9.9, when running sftp using sftp-server and using restricted keypairs, allows remote authenticated users to bypass authorized_keys2 command= restrictions using sftp commands. CVE-2001-0817 DESCRIPTION: Vulnerability in HP-UX line printer daemon (rlpdaemon) in HP-UX 10.01 through 11.11 allows remote attackers to modify arbitrary files and gain root privileges via a certain print request. CVE-2001-0818 DESCRIPTION: A buffer overflow the '\s' console command in MDBMS 0.99b9 and earlier allows remote attackers to execute arbitrary commands by sending the command a large amount of data. CVE-2001-0819 DESCRIPTION: A buffer overflow in Linux fetchmail before 5.8.6 allows remote attackers to execute arbitrary code via a large 'To:' field in an email header. CVE-2001-0820 DESCRIPTION: Buffer overflows in GazTek ghttpd 1.4 allows a remote attacker to execute arbitrary code via long arguments that are passed to (1) the Log function in util.c, or (2) serveconnection in protocol.c. CVE-2001-0821 DESCRIPTION: The default configuration of DCShop 1.002 beta places sensitive files in the cgi-bin directory, which could allow remote attackers to read sensitive data via an HTTP GET request for (1) orders.txt or (2) auth_user_file.txt. CVE-2001-0822 DESCRIPTION: FPF kernel module 1.0 allows a remote attacker to cause a denial of service via fragmented packets. CVE-2001-0823 DESCRIPTION: The pmpost program in Performance Co-Pilot (PCP) before 2.2.1-3 allows a local user to gain privileges via a symlink attack on the NOTICES file in the PCP log directory (PCP_LOG_DIR). CVE-2001-0824 DESCRIPTION: Cross-site scripting vulnerability in IBM WebSphere 3.02 and 3.5 FP2 allows remote attackers to execute Javascript by inserting the Javascript into (1) a request for a .JSP file, or (2) a request to the webapp/examples/ directory, which inserts the Javascript into an error page. CVE-2001-0825 DESCRIPTION: Buffer overflow in internal string handling routines of xinetd before 2.1.8.8 allows remote attackers to execute arbitrary commands via a length argument of zero or less, which disables the length check. CVE-2001-0826 DESCRIPTION: Buffer overflows in CesarFTPD 0.98b allows remote attackers to execute arbitrary commands via long arguments to (1) HELP, (2) USER, (3) PASS, (4) PORT, (5) DELE, (6) REST, (7) RMD, or (8) MKD. CVE-2001-0827 DESCRIPTION: Cerberus FTP server 1.0 - 1.5 allows remote attackers to cause a denial of service (crash) via a large number of "PASV" requests. CVE-2001-0828 DESCRIPTION: A cross-site scripting vulnerability in Caucho Technology Resin before 1.2.4 allows a malicious webmaster to embed Javascript in a hyperlink that ends in a .jsp extension, which causes an error message that does not properly quote the Javascript. CVE-2001-0829 DESCRIPTION: A cross-site scripting vulnerability in Apache Tomcat 3.2.1 allows a malicious webmaster to embed Javascript in a request for a .JSP file, which causes the Javascript to be inserted into an error message. CVE-2001-0830 DESCRIPTION: 6tunnel 0.08 and earlier does not properly close sockets that were initiated by a client, which allows remote attackers to cause a denial of service (resource exhaustion) by repeatedly connecting to and disconnecting from the server. CVE-2001-0831 DESCRIPTION: Unknown vulnerability in Oracle Label Security in Oracle 8.1.7 and 9.0.1, when audit functionality, SET_LABEL, or SQL*Predicate is being used, allows local users to gain additional access. CVE-2001-0832 DESCRIPTION: Vulnerability in Oracle 8.0.x through 9.0.1 on Unix allows local users to overwrite arbitrary files, possibly via a symlink attack or incorrect file permissions in (1) the ORACLE_HOME/rdbms/log directory or (2) an alternate directory as specified in the ORACLE_HOME environmental variable, aka the "Oracle File Overwrite Security Vulnerability." CVE-2001-0833 DESCRIPTION: Buffer overflow in otrcrep in Oracle 8.0.x through 9.0.1 allows local users to execute arbitrary code via a long ORACLE_HOME environment variable, aka the "Oracle Trace Collection Security Vulnerability." CVE-2001-0834 DESCRIPTION: htsearch CGI program in htdig (ht://Dig) 3.1.5 and earlier allows remote attackers to use the -c option to specify an alternate configuration file, which could be used to (1) cause a denial of service (CPU consumption) by specifying a large file such as /dev/zero, or (2) read arbitrary files by uploading an alternate configuration file that specifies the target file. CVE-2001-0835 DESCRIPTION: Cross-site scripting vulnerability in Webalizer 2.01-06, and possibly other versions, allows remote attackers to inject arbitrary HTML tags by specifying them in (1) search keywords embedded in HTTP referrer information, or (2) host names that are retrieved via a reverse DNS lookup. CVE-2001-0836 DESCRIPTION: Buffer overflow in Oracle9iAS Web Cache 2.0.0.1 allows remote attackers to execute arbitrary code via a long HTTP GET request. CVE-2001-0837 DESCRIPTION: DeltaThree Pc-To-Phone 3.0.3 places sensitive data in world-readable locations in the installation directory, which allows local users to read the information in (1) temp.html, (2) the log folder, and (3) the PhoneBook folder. CVE-2001-0838 DESCRIPTION: Format string vulnerability in Network Solutions Rwhoisd 1.5.x allows remote attackers to execute arbitrary code via format string specifiers in the -soa command. CVE-2001-0839 DESCRIPTION: ibillpm.pl in iBill password management system generates weak passwords based on a client's MASTER_ACCOUNT, which allows remote attackers to modify account information in the .htpasswd file via brute force password guessing. CVE-2001-0840 DESCRIPTION: Buffer overflow in Compaq Insight Manager XE 2.1b and earlier allows remote attackers to execute arbitrary code via (1) SNMP and (2) DMI. CVE-2001-0841 DESCRIPTION: Directory traversal vulnerability in Search.cgi in Ikonboard ib219 and earlier allows remote attackers to overwrite files and gain privileges via .. (dot dot) sequences in the amembernamecookie cookie. CVE-2001-0842 DESCRIPTION: Directory traversal vulnerability in Search.cgi in Leoboard LB5000 LB5000II 1029 and earlier allows remote attackers to overwrite files and gain privileges via .. (dot dot) sequences in the amembernamecookie cookie. CVE-2001-0843 DESCRIPTION: Squid proxy server 2.4 and earlier allows remote attackers to cause a denial of service (crash) via a mkdir-only FTP PUT request. CVE-2001-0844 DESCRIPTION: Vulnerability in (1) Book of guests and (2) Post it! allows remote attackers to execute arbitrary code via shell metacharacters in the email parameter. CVE-2001-0845 DESCRIPTION: Vulnerability in DECwindows Motif Server on OpenVMS VAX or Alpha 6.2 through 7.3, and SEVMS VAX or Alpha 6.2, allows local users to gain access to unauthorized resources. CVE-2001-0846 DESCRIPTION: Lotus Domino 5.x allows remote attackers to read files or execute arbitrary code by requesting the ReplicaID of the Web Administrator template file (webadmin.ntf). CVE-2001-0847 DESCRIPTION: Lotus Domino Web Server 5.x allows remote attackers to gain sensitive information by accessing the default navigator $defaultNav via (1) URL encoding the request, or (2) directly requesting the ReplicaID. CVE-2001-0848 DESCRIPTION: join.cfm in e-Zone Media Fuse Talk allows a local user to execute arbitrary SQL code via a semi-colon (;) in a form variable. CVE-2001-0849 DESCRIPTION: viralator CGI script in Viralator 0.9pre1 and earlier allows remote attackers to execute arbitrary code via a URL for a file being downloaded, which is insecurely passed to a call to wget. CVE-2001-0850 DESCRIPTION: A configuration error in the libdb1 package in OpenLinux 3.1 uses insecure versions of the snprintf and vsnprintf functions, which could allow local or remote users to exploit those functions with a buffer overflow. CVE-2001-0851 DESCRIPTION: Linux kernel 2.0, 2.2 and 2.4 with syncookies enabled allows remote attackers to bypass firewall rules by brute force guessing the cookie. CVE-2001-0852 DESCRIPTION: TUX HTTP server 2.1.0-2 in Red Hat Linux allows remote attackers to cause a denial of service via a long Host: header. CVE-2001-0853 DESCRIPTION: Directory traversal vulnerability in Entrust GetAccess allows remote attackers to read arbitrary files via a .. (dot dot) in the locale parameter to (1) helpwin.gas.bat or (2) AboutBox.gas.bat. CVE-2001-0854 DESCRIPTION: PHP-Nuke 5.2 allows remote attackers to copy and delete arbitrary files by calling case.filemanager.php with admin.php as an argument, which sets the $PHP_SELF variable and makes it appear that case.filemanager.php is being called by admin.php instead of the user. CVE-2001-0855 DESCRIPTION: Buffer overflow in db_loader in ClearCase 4.2 and earlier allows local users to gain root privileges via a long TERM environment variable. CVE-2001-0856 DESCRIPTION: Common Cryptographic Architecture (CCA) in IBM 4758 allows an attacker with physical access to the system and Combine_Key_Parts permissions, to steal DES and 3DES keys by using a brute force attack to create a 3DES exporter key. CVE-2001-0857 DESCRIPTION: Cross-site scripting vulnerability in status.php3 in Imp Webmail 2.2.6 and earlier allows remote attackers to gain access to the e-mail of other users by hijacking session cookies via the message parameter. CVE-2001-0858 DESCRIPTION: Buffer overflow in pppattach and other linked PPP utilities in Caldera Open Unix 8.0 and UnixWare 7.1.0 and 7.1.1 allows local users to gain privileges. CVE-2001-0859 DESCRIPTION: 2.4.3-12 kernel in Red Hat Linux 7.1 Korean installation program sets the setting default umask for init to 000, which installs files with world-writeable permissions. CVE-2001-0860 DESCRIPTION: Terminal Services Manager MMC in Windows 2000 and XP trusts the Client Address (IP address) that is provided by the client instead of obtaining it from the packet headers, which allows clients to spoof their public IP address, e.g. through a Network Address Translation (NAT). CVE-2001-0861 DESCRIPTION: Cisco 12000 with IOS 12.0 and line cards based on Engine 2 and earlier allows remote attackers to cause a denial of service (CPU consumption) by flooding the router with traffic that generates a large number of ICMP Unreachable replies. CVE-2001-0862 DESCRIPTION: Cisco 12000 with IOS 12.0 and line cards based on Engine 2 does not block non-initial packet fragments, which allows remote attackers to bypass the ACL. CVE-2001-0863 DESCRIPTION: Cisco 12000 with IOS 12.0 and line cards based on Engine 2 does not handle the "fragment" keyword in a compiled ACL (Turbo ACL) for packets that are sent to the router, which allows remote attackers to cause a denial of service via a flood of fragments. CVE-2001-0864 DESCRIPTION: Cisco 12000 with IOS 12.0 and line cards based on Engine 2 does not properly handle the implicit "deny ip any any" rule in an outgoing ACL when the ACL contains exactly 448 entries, which can allow some outgoing packets to bypass access restrictions. CVE-2001-0865 DESCRIPTION: Cisco 12000 with IOS 12.0 and line cards based on Engine 2 does not support the "fragment" keyword in an outgoing ACL, which could allow fragmented packets in violation of the intended access. CVE-2001-0866 DESCRIPTION: Cisco 12000 with IOS 12.0 and lines card based on Engine 2 does not properly handle an outbound ACL when an input ACL is not configured on all the interfaces of a multi port line card, which could allow remote attackers to bypass the intended access controls. CVE-2001-0867 DESCRIPTION: Cisco 12000 with IOS 12.0 and line cards based on Engine 2 does not properly filter does not properly filter packet fragments even when the "fragment" keyword is used in an ACL, which allows remote attackers to bypass the intended access controls. CVE-2001-0868 DESCRIPTION: Red Hat Stronghold 2.3 to 3.0 allows remote attackers to retrieve system information via an HTTP GET request to (1) stronghold-info or (2) stronghold-status. CVE-2001-0869 DESCRIPTION: Format string vulnerability in the default logging callback function _sasl_syslog in common.c in Cyrus SASL library (cyrus-sasl) may allow remote attackers to execute arbitrary commands. CVE-2001-0870 DESCRIPTION: HTTP server in Alchemy Eye and Alchemy Network Monitor 1.9x through 2.6.18 is enabled without authentication by default, which allows remote attackers to obtain network monitoring logs with potentially sensitive information by directly requesting the eye.ini file. CVE-2001-0871 DESCRIPTION: Directory traversal vulnerability in HTTP server for Alchemy Eye and Alchemy Network Monitor allows remote attackers to execute arbitrary commands via an HTTP request containing (1) a .. in versions 2.0 through 2.6.18, or (2) a DOS device name followed by a .. in versions 2.6.19 through 3.0.10. CVE-2001-0872 DESCRIPTION: OpenSSH 3.0.1 and earlier with UseLogin enabled does not properly cleanse critical environment variables such as LD_PRELOAD, which allows local users to gain root privileges. CVE-2001-0873 DESCRIPTION: uuxqt in Taylor UUCP package does not properly remove dangerous long options, which allows local users to gain privileges by calling uux and specifying an alternate configuration file with the --config option. CVE-2001-0874 DESCRIPTION: Internet Explorer 5.5 and 6.0 allow remote attackers to read certain files via HTML that passes information from a frame in the client's domain to a frame in the web site's domain, a variant of the "Frame Domain Verification" vulnerability. CVE-2001-0875 DESCRIPTION: Internet Explorer 5.5 and 6.0 allows remote attackers to cause the File Download dialogue box to misrepresent the name of the file in the dialogue in a way that could fool users into thinking that the file type is safe to download. CVE-2001-0876 DESCRIPTION: Buffer overflow in Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP allows remote attackers to execute arbitrary code via a NOTIFY directive with a long Location URL. CVE-2001-0877 DESCRIPTION: Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP allows remote attackers to cause a denial of service via (1) a spoofed SSDP advertisement that causes the client to connect to a service on another machine that generates a large amount of traffic (e.g., chargen), or (2) via a spoofed SSDP announcement to broadcast or multicast addresses, which could cause all UPnP clients to send traffic to a single target system. CVE-2001-0878 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0879 DESCRIPTION: Format string vulnerability in the C runtime functions in SQL Server 7.0 and 2000 allows attackers to cause a denial of service. CVE-2001-0880 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0881 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0882 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0883 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0884 DESCRIPTION: Cross-site scripting vulnerability in Mailman email archiver before 2.08 allows attackers to obtain sensitive information or authentication credentials via a malicious link that is accessed by other web users. CVE-2001-0885 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2001-0886 DESCRIPTION: Buffer overflow in glob function of glibc allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a glob pattern that ends in a brace "{" character. CVE-2001-0887 DESCRIPTION: xSANE 0.81 and earlier allows local users to modify files of other xSANE users via a symlink attack on temporary files. CVE-2001-0888 DESCRIPTION: Atmel Firmware 1.3 Wireless Access Point (WAP) allows remote attackers to cause a denial of service via a SNMP request with (1) a community string other than "public" or (2) an unknown OID, which causes the WAP to deny subsequent SNMP requests. CVE-2001-0889 DESCRIPTION: Exim 3.22 and earlier, in some configurations, does not properly verify the local part of an address when redirecting the address to a pipe, which could allow remote attackers to execute arbitrary commands via shell metacharacters. CVE-2001-0890 DESCRIPTION: Certain backend drivers in the SANE library 1.0.3 and earlier, as used in frontend software such as XSane, allows local users to modify files via a symlink attack on temporary files. CVE-2001-0891 DESCRIPTION: Format string vulnerability in NQS daemon (nqsdaemon) in NQE 3.3.0.16 for CRAY UNICOS and SGI IRIX allows a local user to gain root privileges by using qsub to submit a batch job whose name contains formatting characters. CVE-2001-0892 DESCRIPTION: Acme Thttpd Secure Webserver before 2.22, with the chroot option enabled, allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /. CVE-2001-0893 DESCRIPTION: Acme mini_httpd before 1.16 allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /. CVE-2001-0894 DESCRIPTION: Vulnerability in Postfix SMTP server before 20010228-pl07, when configured to email the postmaster when SMTP errors cause the session to terminate, allows remote attackers to cause a denial of service (memory exhaustion) by generating a large number of SMTP errors, which forces the SMTP session log to grow too large. CVE-2001-0895 DESCRIPTION: Multiple Cisco networking products allow remote attackers to cause a denial of service on the local network via a series of ARP packets sent to the router's interface that contains a different MAC address for the router, which eventually causes the router to overwrite the MAC address in its ARP table. CVE-2001-0896 DESCRIPTION: Inetd in OpenServer 5.0.5 allows remote attackers to cause a denial of service (crash) via a port scan, e.g. with nmap -PO. CVE-2001-0897 DESCRIPTION: Cross-site scripting vulnerability in Infopop Ultimate Bulletin Board (UBB) before 5.47e allows remote attackers to steal user cookies via an [IMG] tag that references an about: URL with an onerror field. CVE-2001-0898 DESCRIPTION: Opera 6.0 and earlier allows remote attackers to access sensitive information such as cookies and links for other domains via Javascript that uses setTimeout to (1) access data after a new window to the domain has been opened or (2) access data via about:cache. CVE-2001-0899 DESCRIPTION: Network Tools 0.2 for PHP-Nuke allows remote attackers to execute commands on the server via shell metacharacters in the $hostinput variable. CVE-2001-0900 DESCRIPTION: Directory traversal vulnerability in modules.php in Gallery before 1.2.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the include parameter. CVE-2001-0901 DESCRIPTION: Hypermail allows remote attackers to execute arbitrary commands on a server supporting SSI via an attachment with a .shtml extension, which is archived on the server and can then be executed by requesting the URL for the attachment. CVE-2001-0902 DESCRIPTION: Microsoft IIS 5.0 allows remote attackers to spoof web log entries via an HTTP request that includes hex-encoded newline or form-feed characters. CVE-2001-0903 DESCRIPTION: Linear key exchange process in High-bandwidth Digital Content Protection (HDCP) System allows remote attackers to access data as plaintext, avoid device blacklists, clone devices, and create new device keyvectors by computing and using alternate key combinations for authentication. CVE-2001-0904 DESCRIPTION: Internet Explorer 5.5 and 6 with the Q312461 (MS01-055) patch modifies the HTTP_USER_AGENT (UserAgent) information that indicates that the patch has been installed, which could allow remote malicious web sites to more easily identify and exploit vulnerable clients. CVE-2001-0905 DESCRIPTION: Race condition in signal handling of procmail 3.20 and earlier, when running setuid, allows local users to cause a denial of service or gain root privileges by sending a signal while a signal handling routine is already running. CVE-2001-0906 DESCRIPTION: teTeX filter before 1.0.7 allows local users to gain privileges via a symlink attack on temporary files that are produced when printing .dvi files using lpr. CVE-2001-0907 DESCRIPTION: Linux kernel 2.2.1 through 2.2.19, and 2.4.1 through 2.4.10, allows local users to cause a denial of service via a series of deeply nested symlinks, which causes the kernel to spend extra time when trying to access the link. CVE-2001-0908 DESCRIPTION: CITRIX Metaframe 1.8 logs the Client Address (IP address) that is provided by the client instead of obtaining it from the packet headers, which allows clients to spoof their public IP address, e.g. through Network Address Translation (NAT). CVE-2001-0909 DESCRIPTION: Buffer overflow in helpctr.exe program in Microsoft Help Center for Windows XP allows remote attackers to execute arbitrary code via a long hcp: URL. CVE-2001-0910 DESCRIPTION: Legato Networker before 6.1 allows remote attackers to bypass access restrictions and gain privileges on the Networker interface by spoofing the admin server name and IP address and connecting to Networker from an IP address whose hostname can not be determined by a DNS reverse lookup. CVE-2001-0911 DESCRIPTION: PHP-Nuke 5.1 stores user and administrator passwords in a base-64 encoded cookie, which could allow remote attackers to gain privileges by stealing or sniffing the cookie and decoding it. CVE-2001-0912 DESCRIPTION: Packaging error for expect 8.3.3 in Mandrake Linux 8.1 causes expect to search for its libraries in the /home/snailtalk directory before other directories, which could allow a local user to gain root privileges. CVE-2001-0913 DESCRIPTION: Format string vulnerability in Network Solutions Rwhoisd 1.5.7.2 and earlier, when using syslog, allows remote attackers to corrupt memory and possibly execute arbitrary code via a rwhois request that contains format specifiers. CVE-2001-0914 DESCRIPTION: Linux kernel before 2.4.11pre3 in multiple Linux distributions allows local users to cause a denial of service (crash) by starting the core vmlinux kernel, possibly related to poor error checking during ELF loading. CVE-2001-0915 DESCRIPTION: Format string vulnerability in Berkeley parallel make (pmake) 2.1.33 and earlier allows a local user to gain root privileges via format specifiers in the check argument of a shell definition. CVE-2001-0916 DESCRIPTION: Buffer overflow in Berkeley parallel make (pmake) 2.1.33 and earlier allows a local user to gain root privileges via a long check argument of a shell definition. CVE-2001-0917 DESCRIPTION: Jakarta Tomcat 4.0.1 allows remote attackers to reveal physical path information by requesting a long URL with a .JSP extension. CVE-2001-0918 DESCRIPTION: Vulnerabilities in CGI scripts in susehelp in SuSE 7.2 and 7.3 allow remote attackers to execute arbitrary commands by not opening files securely. CVE-2001-0919 DESCRIPTION: Internet Explorer 5.50.4134.0100 on Windows ME with "Prompt to allow cookies to be stored on your machine" enabled does not warn a user when a cookie is set using Javascript. CVE-2001-0920 DESCRIPTION: Format string vulnerability in auto nice daemon (AND) 1.0.4 and earlier allows a local user to possibly execute arbitrary code via a process name containing a format string. CVE-2001-0921 DESCRIPTION: Netscape 4.79 and earlier for MacOS allows an attacker with access to the browser to obtain passwords from form fields by printing the document into which the password has been typed, which is printed in cleartext. CVE-2001-0922 DESCRIPTION: ndcgi.exe in Netdynamics 4.x through 5.x, and possibly earlier versions, allows remote attackers to steal session IDs and hijack user sessions by reading the SPIDERSESSION and uniqueValue variables from the login field, then using those variables after the next user logs in. CVE-2001-0923 DESCRIPTION: RPM Package Manager 4.0.x through 4.0.2.x allows an attacker to execute arbitrary code via corrupted data in the RPM file when the file is queried. CVE-2001-0924 DESCRIPTION: Directory traversal vulnerability in ifx CGI program in Informix Web DataBlade allows remote attackers to read arbitrary files via a .. (dot dot) in the LO parameter. CVE-2001-0925 DESCRIPTION: The default installation of Apache before 1.3.19 allows remote attackers to list directories instead of the multiview index.html file via an HTTP request for a path that contains many / (slash) characters, which causes the path to be mishandled by (1) mod_negotiation, (2) mod_dir, or (3) mod_autoindex. CVE-2001-0926 DESCRIPTION: SSIFilter in Allaire JRun 3.1, 3.0 and 2.3.3 allows remote attackers to obtain source code for Java server pages (.jsp) and other files in the web root via an HTTP request for a non-existent SSI page, in which the request's body has an #include statement. CVE-2001-0927 DESCRIPTION: Format string vulnerability in the permitted function of GNOME libgtop_daemon in libgtop 1.0.12 and earlier allows remote attackers to execute arbitrary code via an argument that contains format specifiers that are passed into the (1) syslog_message and (2) syslog_io_message functions. CVE-2001-0928 DESCRIPTION: Buffer overflow in the permitted function of GNOME gtop daemon (libgtop_daemon) in libgtop 1.0.13 and earlier may allow remote attackers to execute arbitrary code via long authentication data. CVE-2001-0929 DESCRIPTION: Cisco IOS Firewall Feature set, aka Context Based Access Control (CBAC) or Cisco Secure Integrated Software, for IOS 11.2P through 12.2T does not properly check the IP protocol type, which could allow remote attackers to bypass access control lists. CVE-2001-0930 DESCRIPTION: Sendpage.pl allows remote attackers to execute arbitrary commands via a message containing shell metacharacters. CVE-2001-0931 DESCRIPTION: Directory traversal vulnerability in Cooolsoft PowerFTP Server 2.03 allows attackers to list or read arbitrary files and directories via a .. (dot dot) in (1) LS or (2) GET. CVE-2001-0932 DESCRIPTION: Buffer overflow in Cooolsoft PowerFTP Server 2.03 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long command. CVE-2001-0933 DESCRIPTION: Cooolsoft PowerFTP Server 2.03 allows remote attackers to list the contents of arbitrary drives via a ls (LIST) command that includes the drive letter as an argument, e.g. "ls C:". CVE-2001-0934 DESCRIPTION: Cooolsoft PowerFTP Server 2.03 allows remote attackers to obtain the physical path of the server root via the pwd command, which lists the full pathname. CVE-2001-0935 DESCRIPTION: Vulnerability in wu-ftpd 2.6.0, and possibly earlier versions, which is unrelated to the ftpglob bug described in CVE-2001-0550. CVE-2001-0936 DESCRIPTION: Buffer overflow in Frox transparent FTP proxy 0.6.6 and earlier, with the local caching method selected, allows remote FTP servers to run arbitrary code via a long response to an MDTM request. CVE-2001-0937 DESCRIPTION: PGPMail.pl 1.31 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) recipient or (2) pgpuserid parameters. CVE-2001-0938 DESCRIPTION: Directory traversal vulnerability in AspUpload 2.1, in certain configurations, allows remote attackers to upload and read arbitrary files, and list arbitrary directories, via a .. (dot dot) in the Filename parameter in (1) UploadScript11.asp or (2) DirectoryListing.asp. CVE-2001-0939 DESCRIPTION: Lotus Domino 5.08 and earlier allows remote attackers to cause a denial of service (crash) via a SunRPC NULL command to port 443. CVE-2001-0940 DESCRIPTION: Buffer overflow in the GUI authentication code of Check Point VPN-1/FireWall-1 Management Server 4.0 and 4.1 allows remote attackers to execute arbitrary code via a long user name. CVE-2001-0941 DESCRIPTION: Buffer overflow in dbsnmp in Oracle 8.0.6 through 9.0.1 allows local users to execute arbitrary code via a long ORACLE_HOME environment variable. CVE-2001-0942 DESCRIPTION: dbsnmp in Oracle 8.1.6 and 8.1.7 uses the ORACLE_HOME environment variable to find and execute the dbsnmp program, which allows local users to execute arbitrary programs by pointing the ORACLE_HOME to an alternate directory that contains a malicious version of dbsnmp. CVE-2001-0943 DESCRIPTION: dbsnmp in Oracle 8.0.5 and 8.1.5, under certain conditions, trusts the PATH environment variable to find and execute the (1) chown or (2) chgrp commands, which allows local users to execute arbitrary code by modifying the PATH to point to Trojan Horse programs. CVE-2001-0944 DESCRIPTION: DDE in mIRC allows local users to launch applications under another user's account via a DDE message that executes a command, which may be executed by the other user's process. CVE-2001-0945 DESCRIPTION: Buffer overflow in Outlook Express 5.0 through 5.02 for Macintosh allows remote attackers to cause a denial of service via an e-mail message that contains a long line. CVE-2001-0946 DESCRIPTION: apmscript in Apmd in Red Hat 7.2 "Enigma" allows local users to create or change the modification dates of arbitrary files via a symlink attack on the LOW_POWER temporary file, which could be used to cause a denial of service, e.g. by creating /etc/nologin and disabling logins. CVE-2001-0947 DESCRIPTION: Forms.exe CGI program in ValiCert Enterprise Validation Authority (EVA) 3.3 through 4.2.1 allows remote attackers to determine the real pathname of the server by requesting an invalid extension, which produces an error page that includes the path. CVE-2001-0948 DESCRIPTION: Cross-site scripting (CSS) vulnerability in ValiCert Enterprise Validation Authority (EVA) 3.3 through 4.2.1 allows remote attackers to execute arbitrary code or display false information by including HTML or script in the certificate's description, which is executed when the certificate is viewed. CVE-2001-0949 DESCRIPTION: Buffer overflows in forms.exe CGI program in ValiCert Enterprise Validation Authority (EVA) Administration Server 3.3 through 4.2.1 allows remote attackers to execute arbitrary code via long arguments to the parameters (1) Mode, (2) Certificate_File, (3) useExpiredCRLs, (4) listenLength, (5) maxThread, (6) maxConnPerSite, (7) maxMsgLen, (8) exitTime, (9) blockTime, (10) nextUpdatePeriod, (11) buildLocal, (12) maxOCSPValidityPeriod, (13) extension, and (14) a particular combination of parameters associated with private key generation that form a string of a certain length. CVE-2001-0950 DESCRIPTION: ValiCert Enterprise Validation Authority (EVA) Administration Server 3.3 through 4.2.1 uses insufficiently random data to (1) generate session tokens for HSMs using the C rand function, or (2) generate certificates or keys using /dev/urandom instead of another source which blocks when the entropy pool is low, which could make it easier for local or remote attackers to steal tokens or certificates via brute force guessing. CVE-2001-0951 DESCRIPTION: Windows 2000 allows remote attackers to cause a denial of service (CPU consumption) by flooding Internet Key Exchange (IKE) UDP port 500 with packets that contain a large number of dot characters. CVE-2001-0952 DESCRIPTION: THQ Volition Red Faction Game allows remote attackers to cause a denial of service (hang) of a client or server via packets to UDP port 7755. CVE-2001-0953 DESCRIPTION: Kebi WebMail allows remote attackers to access the administrator menu and gain privileges via the /a/ hidden directory, which is installed under the web document root. CVE-2001-0954 DESCRIPTION: Lotus Domino 5.0.5 and 5.0.8, and possibly other versions, allows remote attackers to cause a denial of service (block access to databases that have not been previously accessed) via a URL that includes the . (dot) directory. CVE-2001-0955 DESCRIPTION: Buffer overflow in fbglyph.c in XFree86 before 4.2.0, related to glyph clipping for large origins, allows attackers to cause a denial of service and possibly gain privileges via a large number of characters, possibly through the web page search form of KDE Konqueror or from an xterm command with a long title. CVE-2001-0956 DESCRIPTION: speechd 0.54 and earlier, with the Festival or rsynth speech synthesis package, allows attackers to execute arbitrary commands via shell metacharacters. CVE-2001-0958 DESCRIPTION: Buffer overflows in eManager plugin for Trend Micro InterScan VirusWall for NT 3.51 and 3.51J allow remote attackers to execute arbitrary code via long arguments to the CGI programs (1) register.dll, (2) ContentFilter.dll, (3) SFNofitication.dll, (4) register.dll, (5) TOP10.dll, (6) SpamExcp.dll, and (7) spamrule.dll. CVE-2001-0959 DESCRIPTION: Computer Associates ARCserve for NT 6.61 SP2a and ARCserve 2000 7.0 creates a hidden share named ARCSERVE$, which allows remote attackers to obtain sensitive information and overwrite critical files. CVE-2001-0960 DESCRIPTION: Computer Associates ARCserve for NT 6.61 SP2a and ARCserve 2000 7.0 stores the backup agent user name and password in cleartext in the aremote.dmp file in the ARCSERVE$ hidden share, which allows local and remote attackers to gain privileges. CVE-2001-0961 DESCRIPTION: Buffer overflow in tab expansion capability of the most program allows local or remote attackers to execute arbitrary code via a malformed file that is viewed with most. CVE-2001-0962 DESCRIPTION: IBM WebSphere Application Server 3.02 through 3.53 uses predictable session IDs for cookies, which allows remote attackers to gain privileges of WebSphere users via brute force guessing. CVE-2001-0963 DESCRIPTION: Directory traversal vulnerability in SpoonFTP 1.1 allows local and sometimes remote attackers to access files outside of the FTP root via a ... (modified dot dot) in the CD (CWD) command. CVE-2001-0964 DESCRIPTION: Buffer overflow in client for Half-Life 1.1.0.8 and earlier allows malicious remote servers to execute arbitrary code via a long console command. CVE-2001-0965 DESCRIPTION: glFTPD 1.23 allows remote attackers to cause a denial of service (CPU consumption) via a LIST command with an argument that contains a large number of * (asterisk) characters. CVE-2001-0966 DESCRIPTION: Directory traversal vulnerability in Nudester 1.10 and earlier allows remote attackers to read or write arbitrary files via a .. (dot dot) in the CD (CWD) command. CVE-2001-0967 DESCRIPTION: Knox Arkeia server 4.2, and possibly other versions, uses a constant salt when encrypting passwords using the crypt() function, which makes it easier for an attacker to conduct brute force password guessing. CVE-2001-0968 DESCRIPTION: Knox Arkeia server 4.2, and possibly other versions, installs its root user with a null password by default, which allows local and remote users to gain privileges. CVE-2001-0969 DESCRIPTION: ipfw in FreeBSD does not properly handle the use of "me" in its rules when point to point interfaces are used, which causes ipfw to allow connections from arbitrary remote hosts. CVE-2001-0970 DESCRIPTION: Cross-site scripting vulnerability in TDForum 1.2 CGI script (tdforum12.cgi) allows remote attackers to execute arbitrary script on other clients via a forum message that contains the script. CVE-2001-0971 DESCRIPTION: Directory traversal vulnerability in ACI 4d webserver allows remote attackers to read arbitrary files via a .. (dot dot) or drive letter (e.g., C:) in an HTTP request. CVE-2001-0972 DESCRIPTION: Surf-Net ASP Forum before 2.30 uses easily guessable cookies based on the UserID, which allows remote attackers to gain administrative privileges by calculating the value of the admin cookie (UserID 1), i.e. "0888888." CVE-2001-0973 DESCRIPTION: BSCW groupware system 3.3 through 4.0.2 beta allows remote attackers to read or modify arbitrary files by uploading and extracting a tar file with a symlink into the data-bag space. CVE-2001-0974 DESCRIPTION: Format string vulnerabilities in Oracle Internet Directory Server (LDAP) 2.1.1.x and 3.0.1 allow remote attackers to execute arbitrary code, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-0975 DESCRIPTION: Buffer overflow vulnerabilities in Oracle Internet Directory Server (LDAP) 2.1.1.x and 3.0.1 allow remote attackers to execute arbitrary code, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-0976 DESCRIPTION: Vulnerability in HP Process Resource Manager (PRM) C.01.08.2 and earlier, as used by HP-UX Workload Manager (WLM), allows local users to gain root privileges via modified libraries or environment variables. CVE-2001-0977 DESCRIPTION: slapd in OpenLDAP 1.x before 1.2.12, and 2.x before 2.0.8, allows remote attackers to cause a denial of service (crash) via an invalid Basic Encoding Rules (BER) length field. CVE-2001-0978 DESCRIPTION: login in HP-UX 10.26 does not record failed login attempts in /var/adm/btmp, which could allow attackers to conduct brute force password guessing attacks without being detected or observed using the lastb program. CVE-2001-0979 DESCRIPTION: Buffer overflow in swverify in HP-UX 11.0, and possibly other programs, allows local users to gain privileges via a long command line argument. CVE-2001-0980 DESCRIPTION: docview before 1.0-15 allows remote attackers to execute arbitrary commands via shell metacharacters that are processed when converting a man page to a web page. CVE-2001-0981 DESCRIPTION: HP CIFS/9000 Server (SAMBA) A.01.07 and earlier with the "unix password sync" option enabled calls the passwd program without specifying the username of the user making the request, which could cause the server to change the password of a different user. CVE-2001-0982 DESCRIPTION: Directory traversal vulnerability in IBM Tivoli WebSEAL Policy Director 3.01 through 3.7.1 allows remote attackers to read arbitrary files or directories via encoded .. (dot dot) sequences containing "%2e" strings. CVE-2001-0983 DESCRIPTION: UltraEdit uses weak encryption to record FTP passwords in the uedit32.ini file, which allows local users who can read the file to decrypt the passwords and gain privileges. CVE-2001-0984 DESCRIPTION: Password Safe 1.7(1) leaves cleartext passwords in memory when a user copies the password to the clipboard and minimizes Password Safe with the "Clear the password when minimized" and "Lock password database on minimize and prompt on restore" options enabled, which could allow an attacker with access to the memory (e.g. an administrator) to read the passwords. CVE-2001-0985 DESCRIPTION: shop.pl in Hassan Consulting Shopping Cart 1.23 allows remote attackers to execute arbitrary commands via shell metacharacters in the "page" parameter. CVE-2001-0986 DESCRIPTION: SQLQHit.asp sample file in Microsoft Index Server 2.0 allows remote attackers to obtain sensitive information such as the physical path, file attributes, or portions of source code by directly calling sqlqhit.asp with a CiScope parameter set to (1) webinfo, (2) extended_fileinfo, (3) extended_webinfo, or (4) fileinfo. CVE-2001-0987 DESCRIPTION: Cross-site scripting vulnerability in CGIWrap before 3.7 allows remote attackers to execute arbitrary Javascript on other web clients by causing the Javascript to be inserted into error messages that are generated by CGIWrap. CVE-2001-0988 DESCRIPTION: Arkeia backup server 4.2.8-2 and earlier creates its database files with world-writable permissions, which could allow local users to overwrite the files or obtain sensitive information. CVE-2001-0989 DESCRIPTION: Buffer overflows in Pileup before 1.2 allows local users to gain root privileges via (1) long command line arguments, or (2) a long callsign. CVE-2001-0990 DESCRIPTION: Inter7 vpopmail 4.10.35 and earlier, when using the MySQL module, compiles authentication information in cleartext into the libvpopmail.a library, which allows local users to obtain the MySQL username and password by inspecting the vpopmail programs that use the library. CVE-2001-0991 DESCRIPTION: Cross-site scripting vulnerability in Proxomitron Naoko-4 BetaFour and earlier allows remote attackers to execute arbitrary script on other clients via an incorrect URL containing the malicious script, which is printed back in an error message. CVE-2001-0992 DESCRIPTION: shopplus.cgi in ShopPlus shopping cart allows remote attackers to execute arbitrary commands via shell metacharacters in the "file" parameter. CVE-2001-0993 DESCRIPTION: sendmsg function in NetBSD 1.3 through 1.5 allows local users to cause a denial of service (kernel trap or panic) via a msghdr structure with a large msg_controllen length. CVE-2001-0994 DESCRIPTION: Marconi ForeThought 7.1 allows remote attackers to cause a denial of service by causing both telnet sessions to be locked via unusual input (e.g., from a port scanner), which prevents others from logging into the device. CVE-2001-0995 DESCRIPTION: PHProjekt before 2.4a allows remote attackers to perform actions as other PHProjekt users by modifying the ID number in an HTTP request to PHProjekt CGI programs. CVE-2001-0996 DESCRIPTION: POP3Lite before 0.2.4 does not properly quote a . (dot) in an email message, which could allow a remote attacker to append arbitrary text to the end of an email message, which could then be interpreted by various mail clients as valid POP server responses or other input that could cause clients to crash or otherwise behave unexpectedly. CVE-2001-0997 DESCRIPTION: Textor Webmasters Ltd listrec.pl CGI program allows remote attackers to execute arbitrary commands via shell metacharacters in the TEMPLATE parameter. CVE-2001-0998 DESCRIPTION: IBM HACMP 4.4 allows remote attackers to cause a denial of service via a completed TCP connection to HACMP ports (e.g., using a port scan) that does not send additional data, which causes a failure in snmpd. CVE-2001-0999 DESCRIPTION: Outlook Express 6.00 allows remote attackers to execute arbitrary script by embedding SCRIPT tags in a message whose MIME content type is text/plain, contrary to the expected behavior that text/plain messages will not run script. CVE-2001-1000 DESCRIPTION: rlmadmin RADIUS management utility in Merit AAA Server 3.8M, 5.01, and possibly other versions, allows local users to read arbitrary files via a symlink attack on the rlmadmin.help file. CVE-2001-1002 DESCRIPTION: The default configuration of the DVI print filter (dvips) in Red Hat Linux 7.0 and earlier does not run dvips in secure mode when dvips is executed by lpd, which could allow remote attackers to gain privileges by printing a DVI file that contains malicious commands. CVE-2001-1003 DESCRIPTION: Respondus 1.1.2 for WebCT uses weak encryption to remember usernames and passwords, which allows local users who can read the WEBCT.SVR file to decrypt the passwords and gain additional privileges. CVE-2001-1004 DESCRIPTION: Cross-site scripting (CSS) vulnerability in gnut Gnutella client before 0.4.27 allows remote attackers to execute arbitrary script on other clients by sharing a file whose name contains the script tags. CVE-2001-1005 DESCRIPTION: Starfish Truesync Desktop 2.0b as used on the REX 5000 PDA uses weak encryption to store the user password in a registry key, which allows attackers who have access to the registry key to decrypt the password and gain privileges. CVE-2001-1006 DESCRIPTION: Starfish Truesync Desktop 2.0b as used on the REX 5000 PDA does not encrypt sensitive files and relies solely on its password feature to restrict access, which allows an attacker to read the files using a different application. CVE-2001-1007 DESCRIPTION: Starfish Truesync Desktop 2.0b as used on the REX 5000 PDA uses a small keyspace for device keys and does not impose a delay when an incorrect key is entered, which allows attackers to more quickly guess the key via a brute force attack. CVE-2001-1008 DESCRIPTION: Java Plugin 1.4 for JRE 1.3 executes signed applets even if the certificate is expired, which could allow remote attackers to conduct unauthorized activities via an applet that has been signed by an expired certificate. CVE-2001-1009 DESCRIPTION: Fetchmail (aka fetchmail-ssl) before 5.8.17 allows a remote malicious (1) IMAP server or (2) POP/POP3 server to overwrite arbitrary memory and possibly gain privileges via a negative index number as part of a response to a LIST request. CVE-2001-1010 DESCRIPTION: Directory traversal vulnerability in pagecount CGI script in Sambar Server before 5.0 beta 5 allows remote attackers to overwrite arbitrary files via a .. (dot dot) attack on the page parameter. CVE-2001-1011 DESCRIPTION: index2.php in Mambo Site Server 3.0.0 through 3.0.5 allows remote attackers to gain Mambo administrator privileges by setting the PHPSESSID parameter and providing the appropriate administrator information in other parameters. CVE-2001-1012 DESCRIPTION: Vulnerability in screen before 3.9.10, related to a multi-attach error, allows local users to gain root privileges when there is a subdirectory under /tmp/screens/. CVE-2001-1013 DESCRIPTION: Apache on Red Hat Linux with with the UserDir directive enabled generates different error codes when a username exists and there is no public_html directory and when the username does not exist, which could allow remote attackers to determine valid usernames on the server. CVE-2001-1014 DESCRIPTION: eshop.pl in WebDiscount(e)shop allows remote attackers to execute arbitrary commands via shell metacharacters in the seite parameter. CVE-2001-1015 DESCRIPTION: Buffer overflow in Snes9x 1.37, when installed setuid root, allows local users to gain root privileges via a long command line argument. CVE-2001-1016 DESCRIPTION: PGP Corporate Desktop before 7.1, Personal Security before 7.0.3, Freeware before 7.0.3, and E-Business Server before 7.1 does not properly display when invalid userID's are used to sign a message, which could allow an attacker to make the user believe that the document has been signed by a trusted third party by adding a second, invalid user ID to a key which has already been signed by the third party, aka the "PGPsdk Key Validity Vulnerability." CVE-2001-1017 DESCRIPTION: rmuser utility in FreeBSD 4.2 and 4.3 creates a copy of the master.passwd file with world-readable permissions while updating the original file, which could allow local users to gain privileges by reading the copied file while rmuser is running, obtain the password hashes, and crack the passwords. CVE-2001-1018 DESCRIPTION: Lotus Domino web server 5.08 allows remote attackers to determine the internal IP address of the server when NAT is enabled via a GET request that contains a long sequence of / (slash) characters. CVE-2001-1019 DESCRIPTION: Directory traversal vulnerability in view_item CGI program in sglMerchant 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the HTML_FILE parameter. CVE-2001-1020 DESCRIPTION: edit_image.php in Vibechild Directory Manager before 0.91 allows remote attackers to execute arbitrary commands via shell metacharacters in the userfile_name parameter, which is sent unfiltered to the PHP passthru function. CVE-2001-1021 DESCRIPTION: Buffer overflows in WS_FTP 2.02 allow remote attackers to execute arbitrary code via long arguments to (1) DELE, (2) MDTM, (3) MLST, (4) MKD, (5) RMD, (6) RNFR, (7) RNTO, (8) SIZE, (9) STAT, (10) XMKD, or (11) XRMD. CVE-2001-1022 DESCRIPTION: Format string vulnerability in pic utility in groff 1.16.1 and other versions, and jgroff before 1.15, allows remote attackers to bypass the -S option and execute arbitrary commands via format string specifiers in the plot command. CVE-2001-1023 DESCRIPTION: Xcache 2.1 allows remote attackers to determine the absolute path of web server documents by requesting a URL that is not cached by Xcache, which returns the full pathname in the Content-PageName header. CVE-2001-1024 DESCRIPTION: login.gas.bat and other CGI scripts in Entrust getAccess allow remote attackers to execute Java programs, and possibly arbitrary commands, by specifying an alternate -classpath argument. CVE-2001-1025 DESCRIPTION: PHP-Nuke 5.x allows remote attackers to perform arbitrary SQL operations by modifying the "prefix" variable when calling any scripts that do not already define the prefix variable (e.g., by including mainfile.php), such as article.php. CVE-2001-1026 DESCRIPTION: Trend Micro InterScan AppletTrap 2.0 does not properly filter URLs when they are modified in certain ways such as (1) using a double slash (//) instead of a single slash, (2) URL-encoded characters, (3) requesting the IP address instead of the domain name, or (4) using a leading 0 in an octet of an IP address. CVE-2001-1027 DESCRIPTION: Buffer overflow in WindowMaker (aka wmaker) 0.64 and earlier allows remote attackers to execute arbitrary code via a long window title. CVE-2001-1028 DESCRIPTION: Buffer overflow in ultimate_source function of man 1.5 and earlier allows local users to gain privileges. CVE-2001-1029 DESCRIPTION: libutil in OpenSSH on FreeBSD 4.4 and earlier does not drop privileges before verifying the capabilities for reading the copyright and welcome files, which allows local users to bypass the capabilities checks and read arbitrary files by specifying alternate copyright or welcome files. CVE-2001-1030 DESCRIPTION: Squid before 2.3STABLE5 in HTTP accelerator mode does not enable access control lists (ACLs) when the httpd_accel_host and http_accel_with_proxy off settings are used, which allows attackers to bypass the ACLs and conduct unauthorized activities such as port scanning. CVE-2001-1031 DESCRIPTION: Directory traversal vulnerability in Meteor FTP 1.0 allows remote attackers to read arbitrary files via (1) a .. (dot dot) in the ls/LIST command, or (2) a ... in the cd/CWD command. CVE-2001-1032 DESCRIPTION: admin.php in PHP-Nuke 5.2 and earlier, except 5.0RC1, does not check login credentials for upload operations, which allows remote attackers to copy and upload arbitrary files and read the PHP-Nuke configuration file by directly calling admin.php with an upload parameter and specifying the file to copy. CVE-2001-1033 DESCRIPTION: Compaq TruCluster 1.5 allows remote attackers to cause a denial of service via a port scan from a system that does not have a DNS PTR record, which causes the cluster to enter a "split-brain" state. CVE-2001-1034 DESCRIPTION: Format string vulnerability in Hylafax on FreeBSD allows local users to execute arbitrary code via format specifiers in the -h hostname argument for (1) faxrm or (2) faxalter. CVE-2001-1035 DESCRIPTION: Binary decoding feature of slrn 0.9 and earlier allows remote attackers to execute commands via shell scripts that are inserted into a news post. CVE-2001-1036 DESCRIPTION: GNU locate in findutils 4.1 on Slackware 7.1 and 8.0 allows local users to gain privileges via an old formatted filename database (locatedb) that contains an entry with an out-of-range offset, which causes locate to write to arbitrary process memory. CVE-2001-1037 DESCRIPTION: Cisco SN 5420 Storage Router 1.1(3) and earlier allows local users to access a developer's shell without a password and execute certain restricted commands without being logged. CVE-2001-1038 DESCRIPTION: Cisco SN 5420 Storage Router 1.1(3) and earlier allows remote attackers to cause a denial of service (reboot) via a series of connections to TCP port 8023. CVE-2001-1039 DESCRIPTION: The JetAdmin web interface for HP JetDirect does not set a password for the telnet interface when the admin password is changed, which allows remote attackers to gain access to the printer. CVE-2001-1040 DESCRIPTION: HP LaserJet, and possibly other JetDirect devices, resets the admin password when the device is turned off, which could allow remote attackers to access the device without the password. CVE-2001-1041 DESCRIPTION: oracle program in Oracle 8.0.x, 8.1.x and 9.0.1 allows local users to overwrite arbitrary files via a symlink attack on an Oracle log trace (.trc) file that is created in an alternate home directory identified by the ORACLE_HOME environment variable. CVE-2001-1042 DESCRIPTION: Transsoft Broker 5.9.5.0 allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file. CVE-2001-1043 DESCRIPTION: ArGoSoft FTP Server 1.2.2.2 allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file. CVE-2001-1044 DESCRIPTION: Basilix Webmail 0.9.7beta, and possibly other versions, stores *.class and *.inc files under the document root and does not restrict access, which could allows remote attackers to obtain sensitive information such as MySQL passwords and usernames from the mysql.class file. CVE-2001-1045 DESCRIPTION: Directory traversal vulnerability in basilix.php3 in Basilix Webmail 1.0.3beta and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the request_id[DUMMY] parameter. CVE-2001-1046 DESCRIPTION: Buffer overflow in qpopper (aka qpop or popper) 4.0 through 4.0.2 allows remote attackers to gain privileges via a long username. CVE-2001-1047 DESCRIPTION: Race condition in OpenBSD VFS allows local users to cause a denial of service (kernel panic) by (1) creating a pipe in one thread and causing another thread to set one of the file descriptors to NULL via a close, or (2) calling dup2 on a file descriptor in one process, then setting the descriptor to NULL via a close in another process that is created via rfork. CVE-2001-1048 DESCRIPTION: AWOL PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable. CVE-2001-1049 DESCRIPTION: Phorecast PHP script before 0.40 allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable. CVE-2001-1050 DESCRIPTION: CCCSoftware CCC PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable. CVE-2001-1051 DESCRIPTION: Dark Hart Portal (darkportal) PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable. CVE-2001-1052 DESCRIPTION: Empris PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable. CVE-2001-1053 DESCRIPTION: AdLogin.pm in AdCycle 1.15 and earlier allows remote attackers to bypass authentication and gain privileges by injecting SQL code in the $password argument. CVE-2001-1054 DESCRIPTION: PHPAdsNew PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable. CVE-2001-1055 DESCRIPTION: The Microsoft Windows network stack allows remote attackers to cause a denial of service (CPU consumption) via a flood of malformed ARP request packets with random source IP and MAC addresses, as demonstrated by ARPNuke. CVE-2001-1056 DESCRIPTION: IRC DCC helper in the ip_masq_irc IP masquerading module 2.2 allows remote attackers to bypass intended firewall restrictions by causing the target system to send a "DCC SEND" request to a malicious server which listens on port 6667, which may cause the module to believe that the traffic is a valid request and allow the connection to the port specified in the DCC SEND request. CVE-2001-1057 DESCRIPTION: The License Manager (mathlm) for Mathematica 4.0 and 4.1 allows remote attackers to cause a denial of service (resource exhaustion) by connecting to port 16286 and not disconnecting, which prevents users from making license requests. CVE-2001-1058 DESCRIPTION: The License Manager (mathlm) for Mathematica 4.0 and 4.1 allows remote attackers to bypass access control (specified by the -restrict argument) and steal a license via a client request that includes the name of a host that is allowed to obtain the license. CVE-2001-1059 DESCRIPTION: VMWare creates a temporary file vmware-log.USERNAME with insecure permissions, which allows local users to read or modify license information. CVE-2001-1060 DESCRIPTION: phpMyAdmin 2.2.0rc3 and earlier allows remote attackers to execute arbitrary commands by inserting them into (1) the strCopyTableOK argument in tbl_copy.php, or (2) the strRenameTableOK argument in tbl_rename.php. CVE-2001-1061 DESCRIPTION: Vulnerability in lsmcode in unknown versions of AIX, possibly related to a usage error. CVE-2001-1062 DESCRIPTION: Buffer overflow in mana in OpenServer 5.0.6a and earlier allows local users to execute arbitrary code. CVE-2001-1063 DESCRIPTION: Buffer overflow in uidadmin in Caldera Open Unix 8.0.0 and UnixWare 7 allows local users to gain root privileges via a long -S (scheme) command line argument. CVE-2001-1064 DESCRIPTION: Cisco 600 series routers running CBOS 2.0.1 through 2.4.2ap allows remote attackers to cause a denial of service via multiple connections to the router on the (1) HTTP or (2) telnet service, which causes the router to become unresponsive and stop forwarding packets. CVE-2001-1065 DESCRIPTION: Web-based configuration utility in Cisco 600 series routers running CBOS 2.0.1 through 2.4.2ap binds itself to port 80 even when web-based configuration services are disabled, which could leave the router open to attack. CVE-2001-1066 DESCRIPTION: ns6install installation script for Netscape 6.01 on Solaris, and other versions including 6.2.1 beta, allows local users to overwrite arbitrary files via a symlink attack. CVE-2001-1067 DESCRIPTION: Buffer overflow in AOLserver 3.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via an HTTP request with a long Authorization header. CVE-2001-1068 DESCRIPTION: qpopper 4.01 with PAM based authentication on Red Hat systems generates different error messages when an invalid username is provided instead of a valid name, which allows remote attackers to determine valid usernames on the system. CVE-2001-1069 DESCRIPTION: libCoolType library as used in Adobe Acrobat (acroread) on Linux creates the AdobeFnt.lst file with world-writable permissions, which allows local users to modify the file and possibly modify acroread's behavior. CVE-2001-1070 DESCRIPTION: Sage Software MAS 200 allows remote attackers to cause a denial of service by connecting to port 10000 and entering a series of control characters. CVE-2001-1071 DESCRIPTION: Cisco IOS 12.2 and earlier running Cisco Discovery Protocol (CDP) allows remote attackers to cause a denial of service (memory consumption) via a flood of CDP neighbor announcements. CVE-2001-1072 DESCRIPTION: Apache with mod_rewrite enabled on most UNIX systems allows remote attackers to bypass RewriteRules by inserting extra / (slash) characters into the requested path, which causes the regular expression in the RewriteRule to fail. CVE-2001-1073 DESCRIPTION: Webridge PX Application Suite allows remote attackers to obtain sensitive information via a malformed request that generates a server error message, which includes full pathname or internal IP address information in the variables (1) APPL_PHYSICAL_PATH, (2) PATH_TRANSLATED, and (3) LOCAL_ADDR. CVE-2001-1074 DESCRIPTION: Webmin 0.84 and earlier does not properly clear the HTTP_AUTHORIZATION environment variable when the web server is restarted, which makes authentication information available to all CGI programs and allows local users to gain privileges. CVE-2001-1075 DESCRIPTION: poprelayd script before 2.0 in Cobalt RaQ3 servers allows remote attackers to bypass authentication for relaying by causing a "POP login by user" string that includes the attacker's IP address to be injected into the maillog log file. CVE-2001-1076 DESCRIPTION: Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable. CVE-2001-1077 DESCRIPTION: Buffer overflow in tt_printf function of rxvt 2.6.2 allows local users to gain privileges via a long (1) -T or (2) -name argument. CVE-2001-1078 DESCRIPTION: Format string vulnerability in flog function of eXtremail 1.1.9 and earlier allows remote attackers to gain root privileges via format specifiers in the SMTP commands (1) HELO, (2) EHLO, (3) MAIL FROM, or (4) RCPT TO, and the POP3 commands (5) USER and (6) other commands that can be executed after POP3 authentication. CVE-2001-1079 DESCRIPTION: create_keyfiles in PSSP 3.2 with DCE 3.1 authentication on AIX creates keyfile directories with world-writable permissions, which could allow a local user to delete key files and cause a denial of service. CVE-2001-1080 DESCRIPTION: diagrpt in AIX 4.3.x and 5.1 uses the DIAGDATADIR environment variable to find and execute certain programs, which allows local users to gain privileges by modifying the variable to point to a Trojan horse program. CVE-2001-1081 DESCRIPTION: Format string vulnerabilities in Livingston/Lucent RADIUS before 2.1.va.1 may allow local or remote attackers to cause a denial of service and possibly execute arbitrary code via format specifiers that are injected into log messages. CVE-2001-1082 DESCRIPTION: Directory traversal vulnerability in Livingston/Lucent RADIUS before 2.1.va.1 may allow attackers to read arbitrary files via a .. (dot dot) attack. CVE-2001-1083 DESCRIPTION: Icecast 1.3.7, and other versions before 1.3.11 with HTTP server file streaming support enabled allows remote attackers to cause a denial of service (crash) via a URL that ends in . (dot), / (forward slash), or \ (backward slash). CVE-2001-1084 DESCRIPTION: Cross-site scripting vulnerability in Allaire JRun 3.0 and 2.3.3 allows a malicious webmaster to embed Javascript in a request for a .JSP, .shtml, .jsp10, .jrun, or .thtml file that does not exist, which causes the Javascript to be inserted into an error message. CVE-2001-1085 DESCRIPTION: Lmail 2.7 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file. CVE-2001-1086 DESCRIPTION: XDM in XFree86 3.3 and 3.3.3 generates easily guessable cookies using gettimeofday() when compiled with the HasXdmXauth option, which allows remote attackers to gain unauthorized access to the X display via a brute force attack. CVE-2001-1087 DESCRIPTION: The default configuration of the config.http.tunnel.allow_ports option on NetCache devices is set to +all, which allows remote attackers to connect to arbitrary ports on remote systems behind the device. CVE-2001-1088 DESCRIPTION: Microsoft Outlook 8.5 and earlier, and Outlook Express 5 and earlier, with the "Automatically put people I reply to in my address book" option enabled, do not notify the user when the "Reply-To" address is different than the "From" address, which could allow an untrusted remote attacker to spoof legitimate addresses and intercept email from the client that is intended for another user. CVE-2001-1089 DESCRIPTION: libnss-pgsql in nss-pgsql 0.9.0 and earlier allows remote attackers to execute arbitrary SQL queries by inserting SQL code into an HTTP request. CVE-2001-1090 DESCRIPTION: nss_postgresql 0.6.1 and before allows a remote attacker to execute arbitrary SQL queries by inserting SQL code into an HTTP request. CVE-2001-1091 DESCRIPTION: The (1) dump and (2) dump_lfs commands in NetBSD 1.4.x through 1.5.1 do not properly drop privileges, which could allow local users to gain privileges via the RCMD_CMD environment variable. CVE-2001-1092 DESCRIPTION: msgchk in Digital UNIX 4.0G and earlier allows a local user to read the first line of arbitrary files via a symlink attack on the .mh_profile file. CVE-2001-1093 DESCRIPTION: Buffer overflow in msgchk in Digital UNIX 4.0G and earlier allows local users to execute arbitrary code via a long command line argument. CVE-2001-1094 DESCRIPTION: NetOp School 1.5 allows local users to bypass access restrictions on the administration version by logging into the student version, closing the student version, then starting the administration version. CVE-2001-1095 DESCRIPTION: Buffer overflow in uuq in AIX 4 could allow local users to execute arbitrary code via a long -r parameter. CVE-2001-1096 DESCRIPTION: Buffer overflows in muxatmd in AIX 4 allows an attacker to cause a core dump and possibly execute code. CVE-2001-1097 DESCRIPTION: Cisco routers and switches running IOS 12.0 through 12.2.1 allows a remote attacker to cause a denial of service via a flood of UDP packets. CVE-2001-1098 DESCRIPTION: Cisco PIX firewall manager (PFM) 4.3(2)g logs the enable password in plaintext in the pfm.log file, which could allow local users to obtain the password by reading the file. CVE-2001-1099 DESCRIPTION: The default configuration of Norton AntiVirus for Microsoft Exchange 2000 2.x allows remote attackers to identify the recipient's INBOX file path by sending an email with an attachment containing malicious content, which includes the path in the rejection notice. CVE-2001-1100 DESCRIPTION: sendmessage.cgi in W3Mail 1.0.2, and possibly other CGI programs, allows remote attackers to execute arbitrary commands via shell metacharacters in any field of the 'Compose Message' page. CVE-2001-1101 DESCRIPTION: The Log Viewer function in the Check Point FireWall-1 GUI for Solaris 3.0b through 4.1 SP2 does not check for the existence of '.log' files when saving files, which allows (1) remote authenticated users to overwrite arbitrary files ending in '.log', or (2) local users to overwrite arbitrary files via a symlink attack. CVE-2001-1102 DESCRIPTION: Check Point FireWall-1 3.0b through 4.1 for Solaris allows local users to overwrite arbitrary files via a symlink attack on temporary policy files that end in a .cpp extension, which are set world-writable. CVE-2001-1103 DESCRIPTION: FTP Voyager ActiveX control before 8.0, when it is marked as safe for scripting (the default) or if allowed by the IObjectSafety interface, allows remote attackers to execute arbitrary commands. CVE-2001-1104 DESCRIPTION: SonicWALL SOHO uses easily predictable TCP sequence numbers, which allows remote attackers to spoof or hijack sessions. CVE-2001-1105 DESCRIPTION: RSA BSAFE SSL-J 3.0, 3.0.1 and 3.1, as used in Cisco iCND 2.0, caches session IDs from failed login attempts, which could allow remote attackers to bypass SSL client authentication and gain access to sensitive data by logging in after an initial failure. CVE-2001-1106 DESCRIPTION: The default configuration of Sambar Server 5 and earlier uses a symmetric key that is compiled into the binary program for encrypting passwords, which could allow local users to break all user passwords by cracking the key or modifying a copy of the sambar program to call the decryption procedure. CVE-2001-1107 DESCRIPTION: SnapStream PVS 1.2a stores its passwords in plaintext in the file SSD.ini, which could allow a remote attacker to gain privileges on the server. CVE-2001-1108 DESCRIPTION: Directory traversal vulnerability in SnapStream PVS 1.2a allows remote attackers to read arbitrary files via a .. (dot dot) attack in the requested URL. CVE-2001-1109 DESCRIPTION: Directory traversal vulnerability in EFTP 2.0.7.337 allows remote authenticated users to reveal directory contents via a .. (dot dot) in the (1) LIST, (2) QUOTE SIZE, and (3) QUOTE MDTM commands. CVE-2001-1110 DESCRIPTION: EFTP 2.0.7.337 allows remote attackers to obtain NETBIOS credentials by requesting information on a file that is in a network share, which causes the server to send the credentials to the host that owns the share, and allows the attacker to sniff the connection. CVE-2001-1111 DESCRIPTION: EFTP 2.0.7.337 stores user passwords in plaintext in the eftp2users.dat file. CVE-2001-1112 DESCRIPTION: Buffer overflow in EFTP 2.0.7.337 allows remote attackers to execute arbitrary code by uploading a .lnk file containing a large number of characters. CVE-2001-1113 DESCRIPTION: Buffer overflow in TrollFTPD 1.26 and earlier allows local users to execute arbitrary code by creating a series of deeply nested directories with long names, then running the ls -R (recursive) command. CVE-2001-1114 DESCRIPTION: book.cgi in NetCode NC Book 0.2b allows remote attackers to execute arbitrary commands via shell metacharacters in the "current" parameter. CVE-2001-1115 DESCRIPTION: generate.cgi in SIX-webboard 2.01 and before allows remote attackers to read arbitrary files via a dot dot (..) in the content parameter. CVE-2001-1116 DESCRIPTION: Identix BioLogon 2.03 and earlier does not lock secondary displays on a multi-monitor system running Windows 98 or ME, which allows an attacker with physical access to the system to bypass authentication through a secondary display. CVE-2001-1117 DESCRIPTION: LinkSys EtherFast BEFSR41 Cable/DSL routers running firmware before 1.39.3 Beta allows a remote attacker to view administration and user passwords by connecting to the router and viewing the HTML source for (1) index.htm and (2) Password.htm. CVE-2001-1118 DESCRIPTION: A module in Roxen 2.0 before 2.0.92, and 2.1 before 2.1.264, does not properly decode UTF-8, Mac and ISO-2202 encoded URLs, which could allow a remote attacker to execute arbitrary commands or view arbitrary files via an encoded URL. CVE-2001-1119 DESCRIPTION: cda in xmcd 3.0.2 and 2.6 in SuSE Linux allows local users to overwrite arbitrary files via a symlink attack. CVE-2001-1120 DESCRIPTION: Vulnerabilities in ColdFusion 2.0 through 4.5.1 SP 2 allow remote attackers to (1) read or delete arbitrary files, or (2) overwrite ColdFusion Server templates. CVE-2001-1121 DESCRIPTION: DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-2001-1084. CVE-2001-1122 DESCRIPTION: Windows NT 4.0 SP 6a allows a local user with write access to winnt/system32 to cause a denial of service (crash in lsass.exe) by running the NT4ALL exploit program in 'SPECIAL' mode. CVE-2001-1123 DESCRIPTION: Vulnerability in Network Node Manager (NNM) 6.2 and earlier in HP OpenView allows a local user to execute arbitrary code, possibly via a buffer overflow in a long hostname or object ID. CVE-2001-1124 DESCRIPTION: rpcbind in HP-UX 11.00, 11.04 and 11.11 allows remote attackers to cause a denial of service (core dump) via a malformed RPC portmap requests, possibly related to a buffer overflow. CVE-2001-1125 DESCRIPTION: Symantec LiveUpdate before 1.6 does not use cryptography to ensure the integrity of download files, which allows remote attackers to execute arbitrary code via DNS spoofing of the update.symantec.com site. CVE-2001-1126 DESCRIPTION: Symantec LiveUpdate 1.4 through 1.6, and possibly later versions, allows remote attackers to cause a denial of service (flood) via DNS spoofing of the update.symantec.com site. CVE-2001-1127 DESCRIPTION: Buffer overflow in Progress database 8.3D and 9.1C could allow a local user to execute arbitrary code via (1) _proapsv, (2) _mprosrv, (3) _mprshut, (4) orarx, (5) sqlcpp, (6) _probrkr, (7) _sqlschema and (8) _sqldump. CVE-2001-1128 DESCRIPTION: Buffer overflow in Progress database 8.3D and 9.1C allows local users to execute arbitrary code via long entries in files that are specified by the (1) PROMSGS or (2) PROTERMCAP environment variables. CVE-2001-1129 DESCRIPTION: Format string vulnerabilities in (1) _probuild, (2) _dbutil, (3) _mprosrv, (4) _mprshut, (5) _proapsv, (6) _progres, (7) _proutil, (8) _rfutil and (9) prolib in Progress database 9.1C allows a local user to execute arbitrary code via format string specifiers in the file used by the PROMSGS environment variable. CVE-2001-1130 DESCRIPTION: Sdbsearch.cgi in SuSE Linux 6.0-7.2 could allow remote attackers to execute arbitrary commands by uploading a keylist.txt file that contains filenames with shell metacharacters, then causing the file to be searched using a .. in the HTTP referer (from the HTTP_REFERER variable) to point to the directory that contains the keylist.txt file. CVE-2001-1131 DESCRIPTION: Directory traversal vulnerability in WhitSoft Development SlimFTPd 2.2 allows an attacker to read arbitrary files and directories via a ... (modified dot dot) in the CD command. CVE-2001-1132 DESCRIPTION: Mailman 2.0.x before 2.0.6 allows remote attackers to gain access to list administrative pages when there is an empty site or list password, which is not properly handled during the call to the crypt function during authentication. CVE-2001-1133 DESCRIPTION: Vulnerability in a system call in BSDI 3.0 and 3.1 allows local users to cause a denial of service (reboot) in the kernel via a particular sequence of instructions. CVE-2001-1134 DESCRIPTION: Xerox DocuPrint N40 Printers allow remote attackers to cause a denial of service via malformed data, such as that produced by the Code Red worm. CVE-2001-1135 DESCRIPTION: ZyXEL Prestige 642R and 642R-I routers do not filter the routers' Telnet and FTP ports on the external WAN interface from inside access, allowing someone on an internal computer to reconfigure the router, if the password is known. CVE-2001-1136 DESCRIPTION: The libsecurity library in HP-UX 11.04 (VVOS) allows attackers to cause a denial of service. CVE-2001-1137 DESCRIPTION: D-Link DI-704 Internet Gateway firmware earlier than V2.56b6 allows remote attackers to cause a denial of service (reboot) via malformed IP datagram fragments. CVE-2001-1138 DESCRIPTION: Directory traversal vulnerability in r.pl (aka r.cgi) of Randy Parker Power Up HTML 0.8033beta allows remote attackers to read arbitrary files and possibly execute arbitrary code via a .. (dot dot) in the FILE parameter. CVE-2001-1139 DESCRIPTION: Directory traversal vulnerability in ASCII NT WinWrapper Professional allows remote attackers to read arbitrary files via a .. (dot dot) in the server request. CVE-2001-1140 DESCRIPTION: BadBlue Personal Edition v1.02 beta allows remote attackers to read source code for executable programs by appending a %00 (null byte) to the request. CVE-2001-1141 DESCRIPTION: The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before 0.9.6b allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers. CVE-2001-1142 DESCRIPTION: ArGoSoft FTP Server 1.2.2.2 uses weak encryption for user passwords, which allows an attacker with access to the password file to gain privileges. CVE-2001-1143 DESCRIPTION: IBM DB2 7.0 allows a remote attacker to cause a denial of service (crash) via a single byte to (1) db2ccs.exe on port 6790, or (2) db2jds.exe on port 6789. CVE-2001-1144 DESCRIPTION: Directory traversal vulnerability in McAfee ASaP VirusScan agent 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the HTTP request. CVE-2001-1145 DESCRIPTION: fts routines in FreeBSD 4.3 and earlier, NetBSD before 1.5.2, and OpenBSD 2.9 and earlier can be forced to change (chdir) into a different directory than intended when the directory above the current directory is moved, which could cause scripts to perform dangerous actions on the wrong directories. CVE-2001-1146 DESCRIPTION: AllCommerce with debugging enabled in EnGarde Secure Linux 1.0.1 creates temporary files with predictable names, which allows local users to modify files via a symlink attack. CVE-2001-1147 DESCRIPTION: The PAM implementation in /bin/login of the util-linux package before 2.11 causes a password entry to be rewritten across multiple PAM calls, which could provide the credentials of one user to a different user, when used in certain PAM modules such as pam_limits. CVE-2001-1148 DESCRIPTION: Multiple buffer overflows in programs used by scoadmin and sysadmsh in SCO OpenServer 5.0.6a and earlier allow local users to gain privileges via a long TERM environment variable to (1) atcronsh, (2) auditsh, (3) authsh, (4) backupsh, (5) lpsh, (6) sysadm.menu, or (7) termsh. CVE-2001-1149 DESCRIPTION: Panda Antivirus Platinum before 6.23.00 allows a remore attacker to cause a denial of service (crash) when a user selects an action for a malformed UPX packed executable file. CVE-2001-1150 DESCRIPTION: Vulnerability in cgiWebupdate.exe in Trend Micro OfficeScan Corporate Edition (aka Virus Buster) 3.5.2 through 3.5.4 allows remote attackers to read arbitrary files. CVE-2001-1151 DESCRIPTION: Trend Micro OfficeScan Corporate Edition (aka Virus Buster) 3.53 allows remote attackers to access sensitive information from the hotdownload directory without authentication, such as the ofcscan.ini configuration file, which contains a weakly encrypted password. CVE-2001-1152 DESCRIPTION: Baltimore Technologies WEBsweeper 4.02, when used to manage URL blacklists, allows remote attackers to bypass blacklist restrictions and connect to unauthorized web servers by modifying the requested URL, including (1) a // (double slash), (2) a /SUBDIR/.. where the desired file is in the parentdir, (3) a /./, or (4) URL-encoded characters. CVE-2001-1153 DESCRIPTION: lpsystem in OpenUnix 8.0.0 allows local users to cause a denial of service and possibly execute arbitrary code via a long command line argument. CVE-2001-1154 DESCRIPTION: Cyrus 2.0.15, 2.0.16, and 1.6.24 on BSDi 4.2, with IMAP enabled, allows remote attackers to cause a denial of service (hang) using PHP IMAP clients. CVE-2001-1155 DESCRIPTION: TCP Wrappers (tcp_wrappers) in FreeBSD 4.1.1 through 4.3 with the PARANOID ACL option enabled does not properly check the result of a reverse DNS lookup, which could allow remote attackers to bypass intended access restrictions via DNS spoofing. CVE-2001-1156 DESCRIPTION: TYPSoft FTP 0.95 allows remote attackers to cause a denial of service (CPU consumption) via a "../../*" argument to (1) STOR or (2) RETR. CVE-2001-1157 DESCRIPTION: Baltimore Technologies WEBsweeper 4.0 and 4.02 does not properly filter Javascript from HTML pages, which could allow remote attackers to bypass the filtering via (1) an extra leading < and one or more characters before the SCRIPT tag, or (2) tags using Unicode. CVE-2001-1158 DESCRIPTION: Check Point VPN-1/FireWall-1 4.1 base.def contains a default macro, accept_fw1_rdp, which can allow remote attackers to bypass intended restrictions with forged RDP (internal protocol) headers to UDP port 259 of arbitrary hosts. CVE-2001-1159 DESCRIPTION: load_prefs.php and supporting include files in SquirrelMail 1.0.4 and earlier do not properly initialize certain PHP variables, which allows remote attackers to (1) view sensitive files via the config_php and data_dir options, and (2) execute arbitrary code by using options_order.php to upload a message that could be interpreted as PHP. CVE-2001-1160 DESCRIPTION: udirectory.pl in Microburst Technologies uDirectory 2.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the category_file field. CVE-2001-1161 DESCRIPTION: Cross-site scripting (CSS) vulnerability in Lotus Domino 5.0.6 allows remote attackers to execute script on other web clients via a URL that ends in Javascript, which generates an error message that does not quote the resulting script. CVE-2001-1162 DESCRIPTION: Directory traversal vulnerability in the %m macro in the smb.conf configuration file in Samba before 2.2.0a allows remote attackers to overwrite certain files via a .. in a NETBIOS name, which is used as the name for a .log file. CVE-2001-1163 DESCRIPTION: Buffer overflow in Munica Corporation NetSQL 1.0 allows remote attackers to execute arbitrary code via a long CONNECT argument to port 6500. CVE-2001-1164 DESCRIPTION: Buffer overflow in uucp utilities in UnixWare 7 allows local users to execute arbitrary code via long command line arguments to (1) uucp, (2) uux, (3) bnuconvert, (4) uucico, (5) uuxcmd, or (6) uuxqt. CVE-2001-1165 DESCRIPTION: Intego FileGuard 4.0 uses weak encryption to store user information and passwords, which allows local users to gain privileges by decrypting the information, e.g., with the Disengage tool. CVE-2001-1166 DESCRIPTION: linprocfs on FreeBSD 4.3 and earlier does not properly restrict access to kernel memory, which allows one process with debugging rights on a privileged process to read restricted memory from that process. CVE-2001-1167 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2001-0976. Reason: This candidate is a duplicate of CVE-2001-0976. Notes: CVE-2001-0976 should be used instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2001-1168 DESCRIPTION: Directory traversal vulnerability in index.php in PhpMyExplorer before 1.2.1 allows remote attackers to read arbitrary files via a ..%2F (modified dot dot) in the chemin parameter. CVE-2001-1169 DESCRIPTION: keyinit in S/Key does not require authentication to initialize a one-time password sequence, which allows an attacker who has gained privileges to a user account to create new one-time passwords for use in other activities that may use S/Key authentication, such as sudo. CVE-2001-1170 DESCRIPTION: AmTote International homebet program stores the homebet.log file in the homebet/ virtual directory, which allows remote attackers to steal account and PIN numbers. CVE-2001-1171 DESCRIPTION: Check Point Firewall-1 3.0b through 4.0 SP1 follows symlinks and creates a world-writable temporary .cpp file when compiling Policy rules, which could allow local users to gain privileges or modify the firewall policy. CVE-2001-1172 DESCRIPTION: OmniSecure HTTProtect 1.1.1 allows a superuser without omnish privileges to modify a protected file by creating a symbolic link to that file. CVE-2001-1173 DESCRIPTION: Vulnerability in MasqMail before 0.1.15 allows local users to gain privileges via piped aliases. CVE-2001-1174 DESCRIPTION: Buffer overflow in Elm 2.5.5 and earlier allows remote attackers to execute arbitrary code via a long Message-ID header. CVE-2001-1175 DESCRIPTION: vipw in the util-linux package before 2.10 causes /etc/shadow to be world-readable in some cases, which would make it easier for local users to perform brute force password guessing. CVE-2001-1176 DESCRIPTION: Format string vulnerability in Check Point VPN-1/FireWall-1 4.1 allows a remote authenticated firewall administrator to execute arbitrary code via format strings in the control connection. CVE-2001-1177 DESCRIPTION: ml85p in Samsung ML-85G GDI printer driver before 0.2.0 allows local users to overwrite arbitrary files via a symlink attack on temporary files. CVE-2001-1178 DESCRIPTION: Buffer overflow in xman allows local users to gain privileges via a long MANPATH environment variable. CVE-2001-1179 DESCRIPTION: xman allows local users to gain privileges by modifying the MANPATH to point to a man page whose filename contains shell metacharacters. CVE-2001-1180 DESCRIPTION: FreeBSD 4.3 does not properly clear shared signal handlers when executing a process, which allows local users to gain privileges by calling rfork with a shared signal handler, having the child process execute a setuid program, and sending a signal to the child. CVE-2001-1181 DESCRIPTION: Dynamically Loadable Kernel Module (dlkm) static kernel symbol table in HP-UX 11.11 is not properly configured, which allows local users to gain privileges. CVE-2001-1182 DESCRIPTION: Vulnerability in login in HP-UX 11.00, 11.11, and 10.20 allows restricted shell users to bypass certain security checks and gain privileges. CVE-2001-1183 DESCRIPTION: PPTP implementation in Cisco IOS 12.1 and 12.2 allows remote attackers to cause a denial of service (crash) via a malformed packet. CVE-2001-1184 DESCRIPTION: wrshdsp.exe in Denicomp Winsock RSHD/NT 2.21.00 and earlier allows remote attackers to cause a denial of service (CPU consumption) via (1) in 2.20.00 and earlier, an invalid port number such as a negative number, which causes a connection attempt to that port and all ports below 1024, and (2) in 2.21.00, a port number of 1024. CVE-2001-1185 DESCRIPTION: Some AIO operations in FreeBSD 4.4 may be delayed until after a call to execve, which could allow a local user to overwrite memory of the new process and gain privileges. CVE-2001-1186 DESCRIPTION: Microsoft IIS 5.0 allows remote attackers to cause a denial of service via an HTTP request with a content-length value that is larger than the size of the request, which prevents IIS from timing out the connection. CVE-2001-1187 DESCRIPTION: csvform.pl 0.1 allows remote attackers to execute arbitrary commands via metacharacters in the file parameter. CVE-2001-1188 DESCRIPTION: mailto.exe in Brian Dorricott MAILTO 1.0.9 and earlier allows remote attackers to send SPAM e-mail through remote servers by modifying the sendto, email, server, subject, and resulturl hidden form fields. CVE-2001-1189 DESCRIPTION: IBM Websphere Application Server 3.5.3 and earlier stores a password in cleartext in the sas.server.props file, which allows local users to obtain the passwords via a JSP script. CVE-2001-1190 DESCRIPTION: The default PAM files included with passwd in Mandrake Linux 8.1 do not support MD5 passwords, which could result in a lower level of password security than intended. CVE-2001-1191 DESCRIPTION: WebSeal in IBM Tivoli SecureWay Policy Director 3.8 allows remote attackers to cause a denial of service (crash) via a URL that ends in %2e. CVE-2001-1192 DESCRIPTION: Citrix Independent Computing Architecture (ICA) Client for Windows 6.1 allows remote malicious web sites to execute arbitrary code via a .ICA file, which is downloaded and automatically executed by the client. CVE-2001-1193 DESCRIPTION: Directory traversal vulnerability in EFTP 2.0.8.346 allows local users to read directories via a ... (modified dot dot) in the CWD command. CVE-2001-1194 DESCRIPTION: Zyxel Prestige 681 and 1600 SDSL Routers allow remote attackers to cause a denial of service via malformed packets with (1) an IP length less than actual packet size, or (2) fragmented packets whose size exceeds 64 kilobytes after reassembly. CVE-2001-1195 DESCRIPTION: Novell Groupwise 5.5 and 6.0 Servlet Gateway is installed with a default username and password for the servlet manager, which allows remote attackers to gain privileges. CVE-2001-1196 DESCRIPTION: Directory traversal vulnerability in edit_action.cgi of Webmin Directory 0.91 allows attackers to gain privileges via a '..' (dot dot) in the argument. CVE-2001-1197 DESCRIPTION: klprfax_filter in KDE2 KDEUtils allows local users to overwrite arbitrary files via a symlink attack on the klprfax.filter temporary file. CVE-2001-1198 DESCRIPTION: RLPDaemon in HP-UX 10.20 and 11.0 allows local users to overwrite arbitrary files and gain privileges by specifying the target file in the -L option. CVE-2001-1199 DESCRIPTION: Cross-site scripting vulnerability in agora.cgi for Agora 3.0a through 4.0g, when debug mode is enabled, allows remote attackers to execute Javascript on other clients via the cart_id parameter. CVE-2001-1200 DESCRIPTION: Microsoft Windows XP allows local users to bypass a locked screen and run certain programs that are associated with Hot Keys. CVE-2001-1201 DESCRIPTION: Buffer overflow in wmcube-gdk for WMCube/GDK 0.98 allows local users to execute arbitrary code via long lines in the object description file. CVE-2001-1202 DESCRIPTION: Cross-site scripting vulnerability in DeleGate 7.7.0 and 7.7.1 does not quote scripting commands within a "403 Forbidden" error page, which allows remote attackers to execute arbitrary Javascript on other clients via a URL that generates an error. CVE-2001-1203 DESCRIPTION: Format string vulnerability in gpm-root in gpm 1.17.8 through 1.17.18 allows local users to gain root privileges. CVE-2001-1204 DESCRIPTION: Directory traversal vulnerability in phprocketaddin in Total PC Solutions PHP Rocket Add-in for FrontPage 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the page parameter. CVE-2001-1205 DESCRIPTION: Directory traversal vulnerability in lastlines.cgi for Last Lines 2.0 allows remote attackers to read arbitrary files via '..' sequences in the $error_log variable. CVE-2001-1206 DESCRIPTION: Matrix CGI vault Last Lines 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the $error_log variable. CVE-2001-1207 DESCRIPTION: Buffer overflows in DayDream BBS 2.9 through 2.13 allow remote attackers to possibly execute arbitrary code via the control codes (1) ~#MC, (2) ~#TF, or (3) ~#RA. CVE-2001-1208 DESCRIPTION: Format string vulnerability in DayDream BBS allows remote attackers to execute arbitrary code via format string specifiers in a file containing a ~#RA control code. CVE-2001-1209 DESCRIPTION: Directory traversal vulnerability in zml.cgi allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. CVE-2001-1210 DESCRIPTION: Cisco ubr900 series routers that conform to the Data-over-Cable Service Interface Specifications (DOCSIS) standard must ship without SNMP access restrictions, which can allow remote attackers to read and write information to the MIB using arbitrary community strings. CVE-2001-1211 DESCRIPTION: Ipswitch IMail 7.0.4 and earlier allows attackers with administrator privileges to read and modify user alias and mailing list information for other domains hosted by the same server via the (1) aliasadmin or (2) listadm1 CGI programs, which do not properly verify that an administrator is the administrator for the target domain. CVE-2001-1212 DESCRIPTION: Cross-site scripting vulnerability in catgy.cgi for Aktivate 1.03 allows remote attackers to execute arbitrary Javascript via the desc parameter. CVE-2001-1213 DESCRIPTION: The default configuration of DataWizard FtpXQ 2.0 and 2.1 includes a default username and password, which allows remote attackers to read and write arbitrary files in the root folder. CVE-2001-1214 DESCRIPTION: manual.php in Marcus S. Xenakis Unix Manual 1.0 allows remote attackers to execute arbitrary code via a URL that contains shell metacharacters. CVE-2001-1215 DESCRIPTION: Format string vulnerability in PFinger 0.7.5 through 0.7.7 allows remote attackers to execute arbitrary code via format string specifiers in a .plan file. CVE-2001-1216 DESCRIPTION: Buffer overflow in PL/SQL Apache module in Oracle 9i Application Server allows remote attackers to execute arbitrary code via a long request for a help page. CVE-2001-1217 DESCRIPTION: Directory traversal vulnerability in PL/SQL Apache module in Oracle Oracle 9i Application Server allows remote attackers to access sensitive information via a double encoded URL with .. (dot dot) sequences. CVE-2001-1218 DESCRIPTION: Microsoft Internet Explorer for Unix 5.0SP1 allows local users to possibly cause a denial of service (crash) in CDE or the X server on Solaris 2.6 by rapidly scrolling Chinese characters or maximizing the window. CVE-2001-1219 DESCRIPTION: Microsoft Internet Explorer 6.0 and earlier allows malicious website operators to cause a denial of service (client crash) via JavaScript that continually refreshes the window via self.location. CVE-2001-1220 DESCRIPTION: D-Link DWL-1000AP Firmware 3.2.28 #483 Wireless LAN Access Point stores the administrative password in plaintext in the default Management Information Base (MIB), which allows remote attackers to gain administrative privileges. CVE-2001-1221 DESCRIPTION: D-Link DWL-1000AP Firmware 3.2.28 #483 Wireless LAN Access Point uses a default SNMP community string of 'public' which allows remote attackers to gain sensitive information. CVE-2001-1222 DESCRIPTION: Plesk Server Administrator (PSA) 1.0 allows remote attackers to obtain PHP source code via an HTTP request containing the target's IP address and a valid account name for the domain. CVE-2001-1223 DESCRIPTION: The web administration server for ELSA Lancom 1100 Office does not require authentication, which allows arbitrary remote attackers to gain administrative privileges by connecting to the server. CVE-2001-1224 DESCRIPTION: get_input in adrotate.pm for Les VanBrunt AdRotate Pro 2.0 allows remote attackers to modify the database and possibly execute arbitrary commands via a SQL code injection attack. CVE-2001-1225 DESCRIPTION: Hughes Technology Mini SQL 2.0.10 through 2.0.12 allows local users to cause a denial of service by creating a very large array in a table, which causes miniSQL to crash when the table is queried. CVE-2001-1226 DESCRIPTION: AdCycle 1.17 and earlier allow remote attackers to modify SQL queries, which are not properly sanitized before being passed to the MySQL database. CVE-2001-1227 DESCRIPTION: Zope before 2.2.4 allows partially trusted users to bypass security controls for certain methods by accessing the methods through the fmt attribute of dtml-var tags. CVE-2001-1228 DESCRIPTION: Buffer overflows in gzip 1.3x, 1.2.4, and other versions might allow attackers to execute code via a long file name, possibly remotely if gzip is run on an FTP server. CVE-2001-1229 DESCRIPTION: Buffer overflows in (1) Icecast before 1.3.9 and (2) libshout before 1.0.4 allow remote attackers to cause a denial of service (crash) and execute arbitrary code. CVE-2001-1230 DESCRIPTION: Buffer overflows in Icecast before 1.3.10 allow remote attackers to cause a denial of service (crash) and execute arbitrary code. CVE-2001-1231 DESCRIPTION: GroupWise 5.5 and 6 running in live remote or smart caching mode allows remote attackers to read arbitrary users' mailboxes by extracting usernames and passwords from sniffed network traffic, as addressed by the "Padlock" fix. CVE-2001-1232 DESCRIPTION: GroupWise WebAccess 5.5 with directory indexing enabled allows a remote attacker to view arbitrary directory contents via an HTTP request with a lowercase "get". CVE-2001-1233 DESCRIPTION: Netware Enterprise Web Server 5.1 running GroupWise WebAccess 5.5 with Novell Directory Services (NDS) enabled allows remote attackers to enumerate user names, group names and other system information by accessing ndsobj.nlm. CVE-2001-1234 DESCRIPTION: Bharat Mediratta Gallery PHP script before 1.2.1 allows remote attackers to execute arbitrary code by including files from remote web sites via an HTTP request that modifies the includedir variable. CVE-2001-1235 DESCRIPTION: pSlash PHP script 0.7 and earlier allows remote attackers to execute arbitrary code by including files from remote web sites, using an HTTP request that modifies the includedir variable. CVE-2001-1236 DESCRIPTION: myphpPagetool PHP script 0.4.3-1 and earlier allows remote attackers to execute arbitrary code by including files from remote web sites, using an HTTP request that modifies the includedir variable. CVE-2001-1237 DESCRIPTION: Phormation PHP script 0.9.1 and earlier allows remote attackers to execute arbitrary code by including files from remote web sites, using an HTTP request that modifies the phormationdir variable. CVE-2001-1238 DESCRIPTION: Task Manager in Windows 2000 does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan horses that cannot be stopped with the Task Manager. CVE-2001-1239 DESCRIPTION: PowerNet IX allows remote attackers to cause a denial of service via a port scan. CVE-2001-1240 DESCRIPTION: The default configuration of sudo in Engarde Secure Linux 1.0.1 allows any user in the admin group to run certain commands that could be leveraged to gain full root access. CVE-2001-1241 DESCRIPTION: Un-CGI 1.9 and earlier does not verify that a CGI script has the execution bits set before executing it, which allows remote attackers to execute arbitrary commands by directing Un-CGI to a document that begins with "#!" and the desired program name. CVE-2001-1242 DESCRIPTION: Directory traversal vulnerability in Un-CGI 1.9 and earlier allows remote attackers to execute arbitrary code via a .. (dot dot) in an HTML form. CVE-2001-1243 DESCRIPTION: Scripting.FileSystemObject in asp.dll for Microsoft IIS 4.0 and 5.0 allows local or remote attackers to cause a denial of service (crash) via (1) creating an ASP program that uses Scripting.FileSystemObject to open a file with an MS-DOS device name, or (2) remotely injecting the device name into ASP programs that internally use Scripting.FileSystemObject. CVE-2001-1244 DESCRIPTION: Multiple TCP implementations could allow remote attackers to cause a denial of service (bandwidth and CPU exhaustion) by setting the maximum segment size (MSS) to a very small number and requesting large amounts of data, which generates more packets with less TCP-level data that amplify network traffic and consume more server CPU to process. CVE-2001-1245 DESCRIPTION: Opera 5.0 for Linux does not properly handle malformed HTTP headers, which allows remote attackers to cause a denial of service, possibly with a header whose value is the same as a MIME header name. CVE-2001-1246 DESCRIPTION: PHP 4.0.5 through 4.1.0 in safe mode does not properly cleanse the 5th parameter to the mail() function, which allows local users and possibly remote attackers to execute arbitrary commands via shell metacharacters. CVE-2001-1247 DESCRIPTION: PHP 4.0.4pl1 and 4.0.5 in safe mode allows remote attackers to read and write files owned by the web server UID by uploading a PHP script that uses the error_log function to access the files. CVE-2001-1248 DESCRIPTION: vWebServer 1.2.0 allows remote attackers to view arbitrary ASP scripts via a request for an ASP script that ends with a URL-encoded space character (%20). CVE-2001-1249 DESCRIPTION: vWebServer 1.2.0 allows remote attackers to cause a denial of service via a URL that contains MS-DOS device names. CVE-2001-1250 DESCRIPTION: vWebServer 1.2.0 allows remote attackers to cause a denial of service (hang) via a small number of long URL requests, possibly due to a buffer overflow. CVE-2001-1251 DESCRIPTION: SmallHTTP 1.204 through 3.00 beta 8 allows remote attackers to cause a denial of service via multiple long URL requests. CVE-2001-1252 DESCRIPTION: Network Associates PGP Keyserver 7.0 allows remote attackers to bypass authentication and access the administrative web interface via URLs that directly access cgi-bin instead of keyserver/cgi-bin for the programs (1) console, (2) cs, (3) multi_config and (4) directory. CVE-2001-1253 DESCRIPTION: Alexis 2.0 and 2.1 in COM2001 InternetPBX stores voicemail passwords in plain text in the com2001.ini file, which could allow local users to make long distance calls as other users. CVE-2001-1254 DESCRIPTION: Web Access component for COM2001 Alexis 2.0 and 2.1 in InternetPBX sends username and voice mail passwords in the clear via a Java applet that sends the information to port 8888 of the server, which could allow remote attackers to steal the passwords via sniffing. CVE-2001-1255 DESCRIPTION: WinMySQLadmin 1.1 stores the MySQL password in plain text in the my.ini file, which allows local users to obtain unathorized access the MySQL database. CVE-2001-1256 DESCRIPTION: kmmodreg in HP-UX 11.11, 11.04 and 11.00 allows local users to create arbitrary world-writeable files via a symlink attack on the (1) /tmp/.kmmodreg_lock and (2) /tmp/kmpath.tmp temporary files. CVE-2001-1257 DESCRIPTION: Cross-site scripting vulnerability in Horde Internet Messaging Program (IMP) before 2.2.6 and 1.2.6 allows remote attackers to execute arbitrary Javascript embedded in an email. CVE-2001-1258 DESCRIPTION: Horde Internet Messaging Program (IMP) before 2.2.6 allows local users to read IMP configuration files and steal the Horde database password by placing the prefs.lang file containing PHP code on the server. CVE-2001-1259 DESCRIPTION: Avaya Argent Office allows remote attackers to cause a denial of service by sending UDP packets to port 53 with no payload. CVE-2001-1260 DESCRIPTION: Avaya Argent Office uses weak encryption (trivial encoding) for passwords, which allows remote attackers to gain administrator privileges by sniffing and decrypting the sniffing the passwords during a system reboot. CVE-2001-1261 DESCRIPTION: Avaya Argent Office 2.1 may allow remote attackers to change hold music by spoofing a legitimate server's response to a TFTP broadcast and providing an alternate HoldMusic file. CVE-2001-1262 DESCRIPTION: Avaya Argent Office 2.1 compares a user-provided SNMP community string with the correct string only up to the length of the user-provided string, which allows remote attackers to bypass authentication with a 0 length community string. CVE-2001-1263 DESCRIPTION: telnet95.exe in Pragma InterAccess 4.0 build 5 allows remote attackers to cause a denial of service (crash) via a large number of characters to port 23, possibly due to a buffer overflow. CVE-2001-1264 DESCRIPTION: Vulnerability in mkacct in HP-UX 11.04 running Virtualvault Operating System (VVOS) 4.0 and 4.5 allows attackers to elevate privileges. CVE-2001-1265 DESCRIPTION: Directory traversal vulnerability in IBM alphaWorks Java TFTP server 1.21 allows remote attackers to conduct unauthorized operations on arbitrary files via a .. (dot dot) attack. CVE-2001-1266 DESCRIPTION: Directory traversal vulnerability in Doug Neal's HTTPD Daemon (DNHTTPD) before 0.4.1 allows remote attackers to view arbitrary files via a .. (dot dot) attack using the dot hex code '%2E'. CVE-2001-1267 DESCRIPTION: Directory traversal vulnerability in GNU tar 1.13.19 and earlier allows local users to overwrite arbitrary files during archive extraction via a tar file whose filenames contain a .. (dot dot). CVE-2001-1268 DESCRIPTION: Directory traversal vulnerability in Info-ZIP UnZip 5.42 and earlier allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename. CVE-2001-1269 DESCRIPTION: Info-ZIP UnZip 5.42 and earlier allows attackers to overwrite arbitrary files during archive extraction via filenames in the archive that begin with the '/' (slash) character. CVE-2001-1270 DESCRIPTION: Directory traversal vulnerability in the console version of PKZip (pkzipc) 4.00 and earlier allows attackers to overwrite arbitrary files during archive extraction with the -rec (recursive) option via a .. (dot dot) attack on the archived files. CVE-2001-1271 DESCRIPTION: Directory traversal vulnerability in rar 2.02 and earlier allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) attack on archived filenames. CVE-2001-1272 DESCRIPTION: wmtv 0.6.5 and earlier does not properly drop privileges, which allows local users to execute arbitrary commands via the -e (external command) option. CVE-2001-1273 DESCRIPTION: The "mxcsr P4" vulnerability in the Linux kernel before 2.2.17-14, when running on certain Intel CPUs, allows local users to cause a denial of service (system halt). CVE-2001-1274 DESCRIPTION: Buffer overflow in MySQL before 3.23.31 allows attackers to cause a denial of service and possibly gain privileges. CVE-2001-1275 DESCRIPTION: MySQL before 3.23.31 allows users with a MySQL account to use the SHOW GRANTS command to obtain the encrypted administrator password from the mysql.user table and possibly gain privileges via password cracking. CVE-2001-1276 DESCRIPTION: ispell before 3.1.20 allows local users to overwrite files of other users via a symlink attack on a temporary file. CVE-2001-1277 DESCRIPTION: makewhatis in the man package before 1.5i2 allows an attacker in group man to overwrite arbitrary files via a man page whose name contains shell metacharacters. CVE-2001-1278 DESCRIPTION: Zope before 2.2.4 allows partially trusted users to bypass security controls for certain methods by accessing the methods through the fmt attribute of dtml-var tags. CVE-2001-1279 DESCRIPTION: Buffer overflow in print-rx.c of tcpdump 3.x (probably 3.6x) allows remote attackers to cause a denial of service and possibly execute arbitrary code via AFS RPC packets with invalid lengths that trigger an integer signedness error, a different vulnerability than CVE-2000-1026. CVE-2001-1280 DESCRIPTION: POP3 Server for Ipswitch IMail 7.04 and earlier generates different responses to valid and invalid user names, which allows remote attackers to determine users on the system. CVE-2001-1281 DESCRIPTION: Web Messaging Server for Ipswitch IMail 7.04 and earlier allows remote authenticated users to change information for other users by modifying the olduser parameter in the "Change User Information" web form. CVE-2001-1282 DESCRIPTION: Ipswitch IMail 7.04 and earlier records the physical path of attachments in an e-mail message header, which could allow remote attackers to obtain potentially sensitive configuration information. CVE-2001-1283 DESCRIPTION: The webmail interface for Ipswitch IMail 7.04 and earlier allows remote authenticated users to cause a denial of service (crash) via a mailbox name that contains a large number of . (dot) or other characters to programs such as (1) readmail.cgi or (2) printmail.cgi, possibly due to a buffer overflow that may allow execution of arbitrary code. CVE-2001-1284 DESCRIPTION: Ipswitch IMail 7.04 and earlier uses predictable session IDs for authentication, which allows remote attackers to hijack sessions of other users. CVE-2001-1285 DESCRIPTION: Directory traversal vulnerability in readmail.cgi for Ipswitch IMail 7.04 and earlier allows remote attackers to access the mailboxes of other users via a .. (dot dot) in the mbx parameter. CVE-2001-1286 DESCRIPTION: Ipswitch IMail 7.04 and earlier stores a user's session ID in a URL, which could allow remote attackers to hijack sessions by obtaining the URL, e.g. via an HTML email that causes the Referrer to be sent to a URL under the attacker's control. CVE-2001-1287 DESCRIPTION: Buffer overflow in Web Calendar in Ipswitch IMail 7.04 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request. CVE-2001-1288 DESCRIPTION: Windows 2000 and Windows NT allows local users to cause a denial of service (reboot) by executing a command at the command prompt and pressing the F7 and enter keys several times while the command is executing, possibly related to an exception handling error in csrss.exe. CVE-2001-1289 DESCRIPTION: Quake 3 arena 1.29f and 1.29g allows remote attackers to cause a denial of service (crash) via a malformed connection packet that begins with several char-255 characters. CVE-2001-1290 DESCRIPTION: admin.cgi in Active Classifieds Free Edition 1.0, and possibly commercial versions, allows remote attackers to modify the configuration, gain privileges, and execute arbitrary Perl code via the table_width parameter. CVE-2001-1291 DESCRIPTION: The telnet server for 3Com hardware such as PS40 SuperStack II does not delay or disconnect remote attackers who provide an incorrect username or password, which makes it easier to break into the server via brute force password guessing. CVE-2001-1292 DESCRIPTION: Sambar Telnet Proxy/Server allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long password. CVE-2001-1293 DESCRIPTION: Buffer overflow in web server of 3com HomeConnect Cable Modem External with USB (#3CR29223) allows remote attackers to cause a denial of service (crash) via a long HTTP request. CVE-2001-1294 DESCRIPTION: Buffer overflow in A-V Tronics Inetserv 3.2.1 and earlier allows remote attackers to cause a denial of service (crash) in the Webmail interface via a long username and password. CVE-2001-1295 DESCRIPTION: Directory traversal vulnerability in Cerberus FTP Server 1.5 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the CD command. CVE-2001-1296 DESCRIPTION: More.groupware PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable. CVE-2001-1297 DESCRIPTION: PHP remote file inclusion vulnerability in Actionpoll PHP script before 1.1.2 allows remote attackers to execute arbitrary PHP code via a URL in the includedir parameter. CVE-2001-1298 DESCRIPTION: Webodex PHP script 1.0 and earlier allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable. CVE-2001-1299 DESCRIPTION: Zorbat Zorbstats PHP script before 0.9 allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable. CVE-2001-1300 DESCRIPTION: Directory traversal vulnerability in Dynu FTP server 1.05 and earlier allows remote attackers to read arbitrary files via a .. in the CD (CWD) command. CVE-2001-1301 DESCRIPTION: rcs2log, as used in Emacs 20.4, xemacs 21.1.10 and other versions before 21.4, and possibly other packages, allows local users to modify files of other users via a symlink attack on a temporary file. CVE-2001-1302 DESCRIPTION: The change password option in the Windows Security interface for Windows 2000 allows attackers to use the option to attempt to change passwords of other users on other systems or identify valid accounts by monitoring error messages, possibly due to a problem in the NetuserChangePassword function. CVE-2001-1303 DESCRIPTION: The default configuration of SecuRemote for Check Point Firewall-1 allows remote attackers to obtain sensitive configuration information for the protected network without authentication. CVE-2001-1304 DESCRIPTION: Buffer overflow in SHOUTcast Server 1.8.2 allows remote attackers to cause a denial of service (crash) via several HTTP requests with a long (1) user-agent or (2) host HTTP header. CVE-2001-1305 DESCRIPTION: ICQ 2001a Alpha and earlier allows remote attackers to automatically add arbitrary UINs to an ICQ user's contact list via a URL to a web page with a Content-Type of application/x-icq, which is processed by Internet Explorer. CVE-2001-1306 DESCRIPTION: iPlanet Directory Server 4.1.4 and earlier (LDAP) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via invalid BER length of length fields, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-1307 DESCRIPTION: Buffer overflows in iPlanet Directory Server 4.1.4 and earlier (LDAP) allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-1308 DESCRIPTION: Format string vulnerabilities in iPlanet Directory Server 4.1.4 and earlier (LDAP) allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-1309 DESCRIPTION: Buffer overflows in IBM SecureWay 3.2.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-1310 DESCRIPTION: IBM SecureWay 3.2.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, via invalid encodings for the L field of a BER encoding, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-1311 DESCRIPTION: Buffer overflows in Lotus Domino R5 before R5.0.7a allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-1312 DESCRIPTION: Format string vulnerabilities in Lotus Domino R5 before R5.0.7a allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-1313 DESCRIPTION: Lotus Domino R5 before R5.0.7a allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via miscellaneous packets with semi-valid BER encodings, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-1314 DESCRIPTION: Buffer overflows in Critical Path (1) InJoin Directory Server or (2) LiveContent Directory allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-1315 DESCRIPTION: Critical Path (1) InJoin Directory Server or (2) LiveContent Directory allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via malformed BER encodings, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-1316 DESCRIPTION: Buffer overflows in Teamware Office Enterprise Directory allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-1317 DESCRIPTION: Teamware Office Enterprise Directory allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, via invalid encodings for certain BER object types, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-1318 DESCRIPTION: Vulnerabilities in Qualcomm Eudora WorldMail Server may allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-1319 DESCRIPTION: Microsoft Exchange 5.5 2000 allows remote attackers to cause a denial of service (hang) via exceptional BER encodings for the LDAP filter type field, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-1320 DESCRIPTION: Network Associates PGP Keyserver 7.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via exceptional BER encodings (possibly buffer overflows), as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-1321 DESCRIPTION: Oracle Internet Directory Server 2.1.1.x and 3.0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via invalid encodings of BER OBJECT-IDENTIFIER values, as demonstrated by the PROTOS LDAPv3 test suite. CVE-2001-1322 DESCRIPTION: xinetd 2.1.8 and earlier runs with a default umask of 0, which could allow local users to read or modify files that are created by an application that runs under xinetd but does not set its own safe umask. CVE-2001-1323 DESCRIPTION: Buffer overflow in MIT Kerberos 5 (krb5) 1.2.2 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via base-64 encoded data, which is not properly handled when the radix_encode function processes file glob output from the ftpglob function. CVE-2001-1324 DESCRIPTION: cvmlogin and statfile in Paul Jarc idtools before 2001.06.27 do not properly check the return value of a call to the pathexec_env function, which could cause the setstate utility to setuid to the UID environment variable and allow local users to gain privileges. CVE-2001-1325 DESCRIPTION: Internet Explorer 5.0 and 5.5, and Outlook Express 5.0 and 5.5, allow remote attackers to execute scripts when Active Scripting is disabled by including the scripts in XML stylesheets (XSL) that are referenced using an IFRAME tag, possibly due to a vulnerability in Windows Scripting Host (WSH). CVE-2001-1326 DESCRIPTION: Eudora 5.1 allows remote attackers to execute arbitrary code when the "Use Microsoft Viewer" option is enabled and the "allow executables in HTML content" option is disabled, via an HTML email with a form that is activated from an image that the attacker spoofs as a link, which causes the user to execute the form and access embedded attachments. CVE-2001-1327 DESCRIPTION: pmake before 2.1.35 in Turbolinux 6.05 and earlier is installed with setuid root privileges, which could allow local users to gain privileges by exploiting vulnerabilities in pmake or programs that are used by pmake. CVE-2001-1328 DESCRIPTION: Buffer overflow in ypbind daemon in Solaris 5.4 through 8 allows remote attackers to execute arbitrary code. CVE-2001-1329 DESCRIPTION: Buffer overflow in rsh on AIX 4.2.0.0 may allow local users to gain root privileges via a long command line argument. CVE-2001-1330 DESCRIPTION: Buffer overflow in rsh on AIX 4.2.0.0 may allow local users to gain root privileges via a long command line argument. CVE-2001-1331 DESCRIPTION: mandb in the man-db package before 2.3.16-3 allows local users to overwrite arbitrary files via the command line options (1) -u or (2) -c, which do not drop privileges and follow symlinks. CVE-2001-1332 DESCRIPTION: Buffer overflows in Linux CUPS before 1.1.6 may allow remote attackers to execute arbitrary code. CVE-2001-1333 DESCRIPTION: Linux CUPS before 1.1.6 does not securely handle temporary files, possibly due to a symlink vulnerability that could allow local users to overwrite files. CVE-2001-1334 DESCRIPTION: Block_render_url.class in PHPSlash 0.6.1 allows remote attackers with PHPSlash administrator privileges to read arbitrary files by creating a block and specifying the target file as the source URL. CVE-2001-1335 DESCRIPTION: Directory traversal vulnerability in CesarFTP 0.98b and earlier allows remote authenticated users (such as anonymous) to read arbitrary files via a GET with a filename that contains a ...%5c (modified dot dot). CVE-2001-1336 DESCRIPTION: CesarFTP 0.98b and earlier stores usernames and passwords in plaintext in the settings.ini file, which allows attackers to gain privileges. CVE-2001-1337 DESCRIPTION: Beck IPC GmbH IPC@CHIP Embedded-Webserver allows remote attackers to cause a denial of service via a long HTTP request. CVE-2001-1338 DESCRIPTION: Beck IPC GmbH IPC@CHIP TelnetD server generates different responses when given valid and invalid login names, which allows remote attackers to determine accounts on the system. CVE-2001-1339 DESCRIPTION: Beck IPC GmbH IPC@CHIP telnet service does not delay or disconnect users from the service when bad passwords are entered, which makes it easier for remote attackers to conduct brute force password guessing attacks. CVE-2001-1340 DESCRIPTION: Beck GmbH IPC@Chip TelnetD service supports only one connection and does not disconnect a user who does not complete the login process, which allows remote attackers to lock out the administrator account by connecting to the service. CVE-2001-1341 DESCRIPTION: The Beck GmbH IPC@Chip embedded web server installs the chipcfg.cgi program by default, which allows remote attackers to obtain sensitive network information via a request to the program. CVE-2001-1342 DESCRIPTION: Apache before 1.3.20 on Windows and OS/2 systems allows remote attackers to cause a denial of service (GPF) via an HTTP request for a URI that contains a large number of / (slash) or other characters, which causes certain functions to dereference a null pointer. CVE-2001-1343 DESCRIPTION: ws_mail.cgi in WebStore 400/400CS 4.14 allows remote authenticated WebStore administrators to execute arbitrary code via shell metacharacters in the kill parameter. CVE-2001-1344 DESCRIPTION: WSSecurity.pl in WebStore allows remote attackers to bypass authentication by providing the program with a filename that exists, which is made easier by (1) inserting a null character or (2) .. (dot dot). CVE-2001-1345 DESCRIPTION: bctool in Jetico BestCrypt 0.7 and earlier trusts the user-supplied PATH to find and execute an fsck utility program, which allows local users to gain privileges by modifying the PATH to point to a Trojan horse program. CVE-2001-1346 DESCRIPTION: Computer Associates ARCserveIT 6.61 and 6.63 (also called ARCservIT) allows local users to overwrite arbitrary files via a symlink attack on the temporary files (1) asagent.tmp or (2) inetd.tmp. CVE-2001-1347 DESCRIPTION: Windows 2000 allows local users to cause a denial of service and possibly gain privileges by setting a hardware breakpoint that is handled using global debug registers, which could cause other processes to terminate due to an exception, and allow hijacking of resources such as named pipes. CVE-2001-1348 DESCRIPTION: TWIG 2.6.2 and earlier allows remote attackers to perform unauthorized database operations via a SQL injection attack on the id parameter. CVE-2001-1349 DESCRIPTION: Sendmail before 8.11.4, and 8.12.0 before 8.12.0.Beta10, allows local users to cause a denial of service and possibly corrupt the heap and gain privileges via race conditions in signal handlers. CVE-2001-1350 DESCRIPTION: Cross-site scripting vulnerability in namazu.cgi for Namazu 2.0.7 and earlier allows remote attackers to execute arbitrary Javascript as other web users via the lang parameter. CVE-2001-1351 DESCRIPTION: Cross-site scripting vulnerability in Namazu 2.0.8 and earlier allows remote attackers to execute arbitrary Javascript as other web users via the index file name that is displayed when displaying hit numbers. CVE-2001-1352 DESCRIPTION: Cross-site scripting vulnerability in Namazu 2.0.9 and earlier allows remote attackers to execute arbitrary Javascript as other web users via an error message that is returned when an invalid index file is specified in the idxname parameter. CVE-2001-1353 DESCRIPTION: ghostscript before 6.51 allows local users to read and write arbitrary files as the 'lp' user via the file operator, even with -dSAFER enabled. CVE-2001-1354 DESCRIPTION: NetWin Authentication module (NWAuth) 2.0 and 3.0b, as implemented in SurgeFTP, DMail, and possibly other packages, uses weak password hashing, which could allow local users to decrypt passwords or use a different password that has the same hash value as the correct password. CVE-2001-1355 DESCRIPTION: Buffer overflows in NetWin Authentication Module (NWAuth) 3.0b and earlier, as implemented in DMail, SurgeFTP, and possibly other packages, could allow attackers to execute arbitrary code via long arguments to (1) the -del command or (2) the -lookup command. CVE-2001-1356 DESCRIPTION: NetWin SurgeFTP 2.0f and earlier encrypts passwords using weak hashing, a fixed salt value and modulo 40 calculations, which allows remote attackers to conduct brute force password guessing attacks against the administrator account on port 7021. CVE-2001-1357 DESCRIPTION: Multiple vulnerabilities in phpMyChat before 0.14.5 exist in (1) input.php3, (2) handle_inputH.php3, or (3) index.lib.php3 with unknown consequences, possibly related to user spoofing or improperly initialized variables. CVE-2001-1358 DESCRIPTION: Vulnerabilities in phpMyChat before 0.14.4 allow local and possibly remote attackers to gain privileges by specifying an alternate library file in the L (localization) parameter. CVE-2001-1359 DESCRIPTION: Volution clients 1.0.7 and earlier attempt to contact the computer creation daemon (CCD) when an LDAP authentication failure occurs, which allows remote attackers to fully control clients via a Trojan horse Volution server. CVE-2001-1360 DESCRIPTION: Vulnerability in Scanner Access Now Easy (SANE) before 1.0.5, related to pnm and saned. CVE-2001-1361 DESCRIPTION: Vulnerability in The Web Information Gateway (TWIG) 2.7.1, possibly related to incorrect security rights and/or the generation of mailto links. CVE-2001-1362 DESCRIPTION: Vulnerability in the server for nPULSE before 0.53p4. CVE-2001-1363 DESCRIPTION: Vulnerability in phpWebSite before 0.7.9 related to running multiple instances in the same domain, which may allow attackers to gain administrative privileges. CVE-2001-1364 DESCRIPTION: Vulnerability in autodns.pl for AutoDNS before 0.0.4 related to domain names that are not fully qualified. CVE-2001-1365 DESCRIPTION: Vulnerability in IntraGnat before 1.4. CVE-2001-1366 DESCRIPTION: netscript before 1.6.3 parses dynamic variables, which could allow remote attackers to alter program behavior or obtain sensitive information. CVE-2001-1367 DESCRIPTION: The checkAccess function in PHPSlice 0.1.4, and all other versions between 0.1.1 and 0.1.6, does not properly verify the administrative access level, which could allow remote attackers to gain privileges. CVE-2001-1368 DESCRIPTION: Vulnerability in iPlanet Web Server 4 included in Virtualvault Operating System (VVOS) 4.0 running HP-UX 11.04 could allow attackers to corrupt data. CVE-2001-1369 DESCRIPTION: Leon J Breedt pam-pgsql before 0.5.2 allows remote attackers to execute arbitrary SQL code and bypass authentication or modify user account records by injecting SQL statements into user or password fields. CVE-2001-1370 DESCRIPTION: prepend.php3 in PHPLib before 7.2d, when register_globals is enabled for PHP, allows remote attackers to execute arbitrary scripts via an HTTP request that modifies $_PHPLIB[libdir] to point to malicious code on another server, as seen in Horde 1.2.5 and earlier, IMP before 2.2.6, and other packages that use PHPLib. CVE-2001-1371 DESCRIPTION: The default configuration of Oracle Application Server 9iAS 1.0.2.2 enables SOAP and allows anonymous users to deploy applications by default via urn:soap-service-manager and urn:soap-provider-manager. CVE-2001-1372 DESCRIPTION: Oracle 9i Application Server 1.0.2 allows remote attackers to obtain the physical path of a file under the server root via a request for a non-existent .JSP file, which leaks the pathname in an error message. CVE-2001-1373 DESCRIPTION: MailSafe in Zone Labs ZoneAlarm 2.6 and earlier and ZoneAlarm Pro 2.6 and 2.4 does not block prohibited file types with long file names, which allows remote attackers to send potentially dangerous attachments. CVE-2001-1374 DESCRIPTION: expect before 5.32 searches for its libraries in /var/tmp before other directories, which could allow local users to gain root privileges via a Trojan horse library that is accessed by mkpasswd. CVE-2001-1375 DESCRIPTION: tcl/tk package (tcltk) 8.3.1 searches for its libraries in the current working directory before other directories, which could allow local users to execute arbitrary code via a Trojan horse library that is under a user-controlled directory. CVE-2001-1376 DESCRIPTION: Buffer overflow in digest calculation function of multiple RADIUS implementations allows remote attackers to cause a denial of service and possibly execute arbitrary code via shared secret data. CVE-2001-1377 DESCRIPTION: Multiple RADIUS implementations do not properly validate the Vendor-Length of the Vendor-Specific attribute, which allows remote attackers to cause a denial of service (crash) via a Vendor-Length that is less than 2. CVE-2001-1378 DESCRIPTION: fetchmailconf in fetchmail before 5.7.4 allows local users to overwrite files of other users via a symlink attack on temporary files. CVE-2001-1379 DESCRIPTION: The PostgreSQL authentication modules (1) mod_auth_pgsql 0.9.5, and (2) mod_auth_pgsql_sys 0.9.4, allow remote attackers to bypass authentication and execute arbitrary SQL via a SQL injection attack on the user name. CVE-2001-1380 DESCRIPTION: OpenSSH before 2.9.9, while using keypairs and multiple keys of different types in the ~/.ssh/authorized_keys2 file, may not properly handle the "from" option associated with a key, which could allow remote attackers to login from unauthorized IP addresses. CVE-2001-1382 DESCRIPTION: The "echo simulation" traffic analysis countermeasure in OpenSSH before 2.9.9p2 sends an additional echo packet after the password and carriage return is entered, which could allow remote attackers to determine that the countermeasure is being used. CVE-2001-1383 DESCRIPTION: initscript in setserial 2.17-4 and earlier uses predictable temporary file names, which could allow local users to conduct unauthorized operations on files. CVE-2001-1384 DESCRIPTION: ptrace in Linux 2.2.x through 2.2.19, and 2.4.x through 2.4.9, allows local users to gain root privileges by running ptrace on a setuid or setgid program that itself calls an unprivileged program, such as newgrp. CVE-2001-1385 DESCRIPTION: The Apache module for PHP 4.0.0 through PHP 4.0.4, when disabled with the 'engine = off' option for a virtual host, may disable PHP for other virtual hosts, which could cause Apache to serve the source code of PHP scripts. CVE-2001-1386 DESCRIPTION: WFTPD 3.00 allows remote attackers to read arbitrary files by uploading a (link) file that ends in a ".lnk." extension, which bypasses WFTPD's check for a ".lnk" extension. CVE-2001-1387 DESCRIPTION: iptables-save in iptables before 1.2.4 records the "--reject-with icmp-host-prohibited" rule as "--reject-with tcp-reset," which causes iptables to generate different responses than specified by the administrator, possibly leading to an information leak. CVE-2001-1388 DESCRIPTION: iptables before 1.2.4 does not accurately convert rate limits that are specified on the command line, which could allow attackers or users to generate more or less traffic than intended by the administrator. CVE-2001-1389 DESCRIPTION: Multiple vulnerabilities in xinetd 2.3.0 and earlier, and additional variants until 2.3.3, may allow remote attackers to cause a denial of service or execute arbitrary code, primarily via buffer overflows or improper NULL termination. CVE-2001-1390 DESCRIPTION: Unknown vulnerability in binfmt_misc in the Linux kernel before 2.2.19, related to user pages. CVE-2001-1391 DESCRIPTION: Off-by-one vulnerability in CPIA driver of Linux kernel before 2.2.19 allows users to modify kernel memory. CVE-2001-1392 DESCRIPTION: The Linux kernel before 2.2.19 does not have unregister calls for (1) CPUID and (2) MSR drivers, which could cause a DoS (crash) by unloading and reloading the drivers. CVE-2001-1393 DESCRIPTION: Unknown vulnerability in classifier code for Linux kernel before 2.2.19 could result in denial of service (hang). CVE-2001-1394 DESCRIPTION: Signedness error in (1) getsockopt and (2) setsockopt for Linux kernel before 2.2.19 allows local users to cause a denial of service. CVE-2001-1395 DESCRIPTION: Unknown vulnerability in sockfilter for Linux kernel before 2.2.19 related to "boundary cases," with unknown impact. CVE-2001-1396 DESCRIPTION: Unknown vulnerabilities in strnlen_user for Linux kernel before 2.2.19, with unknown impact. CVE-2001-1397 DESCRIPTION: The System V (SYS5) shared memory implementation for Linux kernel before 2.2.19 could allow attackers to modify recently freed memory. CVE-2001-1398 DESCRIPTION: Masquerading code for Linux kernel before 2.2.19 does not fully check packet lengths in certain cases, which may lead to a vulnerability. CVE-2001-1399 DESCRIPTION: Certain operations in Linux kernel before 2.2.19 on the x86 architecture copy the wrong number of bytes, which might allow attackers to modify memory, aka "User access asm bug on x86." CVE-2001-1400 DESCRIPTION: Unknown vulnerabilities in the UDP port allocation for Linux kernel before 2.2.19 could allow local users to cause a denial of service (deadlock). CVE-2001-1401 DESCRIPTION: Bugzilla before 2.14 does not properly restrict access to confidential bugs, which could allow Bugzilla users to bypass viewing permissions via modified bug id parameters in (1) process_bug.cgi, (2) show_activity.cgi, (3) showvotes.cgi, (4) showdependencytree.cgi, (5) showdependencygraph.cgi, (6) showattachment.cgi, or (7) describecomponents.cgi. CVE-2001-1402 DESCRIPTION: Bugzilla before 2.14 does not properly escape untrusted parameters, which could allow remote attackers to conduct unauthorized activities via cross-site scripting (CSS) and possibly SQL injection attacks on (1) the product or output form variables for reports.cgi, (2) the voteon, bug_id, and user variables for showvotes.cgi, (3) an invalid email address in createaccount.cgi, (4) an invalid ID in showdependencytree.cgi, (5) invalid usernames and other fields in process_bug.cgi, and (6) error messages in buglist.cgi. CVE-2001-1403 DESCRIPTION: Bugzilla before 2.14 includes the username and password in URLs, which could allow attackers to gain privileges by reading the information from the web server logs, or by "shoulder-surfing" and observing the web browser's location bar. CVE-2001-1404 DESCRIPTION: Bugzilla before 2.14 stores user passwords in plaintext and sends password requests in an email message, which could allow attackers to gain privileges. CVE-2001-1405 DESCRIPTION: Bugzilla before 2.14 does not restrict access to sanitycheck.cgi, which allows local users to cause a denial of service (CPU consumption) via a flood of requests to sanitycheck.cgi. CVE-2001-1406 DESCRIPTION: process_bug.cgi in Bugzilla before 2.14 does not set the "groupset" bit when a bug is moved between product groups, which will cause the bug to have the old group's restrictions, which might not be as stringent. CVE-2001-1407 DESCRIPTION: Bugzilla before 2.14 allows Bugzilla users to bypass group security checks by marking a bug as the duplicate of a restricted bug, which adds the user to the CC list of the restricted bug and allows the user to view the bug. CVE-2001-1408 DESCRIPTION: Directory traversal vulnerability in readmsg.php in WebMail 2.0.1 in Cobalt Qube 3 allows remote attackers to read arbitrary files via a .. (dot dot) in the mailbox parameter. CVE-2001-1409 DESCRIPTION: dexconf in XFree86 Xserver 4.1.0-2 creates the /dev/dri directory with insecure permissions (666), which allows local users to replace or create files in the root file system. CVE-2001-1410 DESCRIPTION: Internet Explorer 6 and earlier allows remote attackers to create chromeless windows using the Javascript window.createPopup method, which could allow attackers to simulate a victim's display and conduct unauthorized activities or steal sensitive data via social engineering. CVE-2001-1411 DESCRIPTION: Format string vulnerability in gm4 (aka m4) on Mac OS X may allow local users to gain privileges if gm4 is called by setuid programs. CVE-2001-1412 DESCRIPTION: nidump on MacOS X before 10.3 allows local users to read the encrypted passwords from the password file by specifying passwd as a command line argument. CVE-2001-1413 DESCRIPTION: Stack-based buffer overflow in the comprexx function for ncompress 4.2.4 and earlier, when used in situations that cross security boundaries (such as FTP server), may allow remote attackers to execute arbitrary code via a long filename argument. CVE-2001-1414 DESCRIPTION: The Basic Security Module (BSM) for Solaris 2.5.1, 2.6, 7, and 8 does not log anonymous FTP access, which allows remote attackers to hide their activities, possibly when certain BSM audit files are not present under the FTP root. CVE-2001-1415 DESCRIPTION: vi.recover in OpenBSD before 3.1 allows local users to remove arbitrary zero-byte files such as device nodes. CVE-2001-1416 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in the log messages in certain Alpha versions of AOL Instant Messenger (AIM) 4.4 allow remote attackers to execute arbitrary web script or HTML via an image in the (1) DATA, (2) STYLE, or (3) BINARY tags. CVE-2001-1417 DESCRIPTION: AOL Instant Messenger (AIM) 4.7 allows remote attackers to cause a denial of service (application hang or crash) via a buddy icon GIF file whose length and width values are larger than the actual image data. CVE-2001-1418 DESCRIPTION: AOL Instant Messenger (AIM) 4.7 allows remote attackers to cause a denial of service (application crash) via a malformed WAV file. CVE-2001-1419 DESCRIPTION: AOL Instant Messenger (AIM) 4.7.2480 and earlier allows remote attackers to cause a denial of service (application crash) via an instant message that contains a large amount of "" string in a CookieName argument to the login template, referred to as a "memory leak" in some reports. CVE-2003-0401 DESCRIPTION: Vignette StoryServer and Vignette V/5 allows remote attackers to obtain sensitive information via a request for the /vgn/style template. CVE-2003-0402 DESCRIPTION: The default login template (/vgn/login) in Vignette StoryServer 5 and Vignette V/5 generates different responses whether a user exists or not, which allows remote attackers to identify valid usernames via brute force attacks. CVE-2003-0403 DESCRIPTION: Vignette StoryServer 5 and Vignette V/5 allows remote attackers to read and modify license information, and cause a denial of service (service halt) by directly accessing the /vgn/license template. CVE-2003-0404 DESCRIPTION: Multiple Cross Site Scripting (XSS) vulnerabilities in Vignette StoryServer 4 and 5, and Vignette V/5 and V/6, allow remote attackers to insert arbitrary HTML and script via text variables, as demonstrated using the errInfo parameter of the default login template. CVE-2003-0405 DESCRIPTION: Vignette StoryServer 5 and Vignette V/6 allows remote attackers to execute arbitrary TCL code via (1) an HTTP query or cookie which is processed in the NEEDS command, or (2) an HTTP Referrer that is processed in the VALID_PATHS command. CVE-2003-0406 DESCRIPTION: PalmVNC 1.40 and earlier stores passwords in plaintext in the PalmVNCDB, which is backed up to PCs that the Palm is synchronized with, which could allow attackers to gain privileges. CVE-2003-0407 DESCRIPTION: Buffer overflow in gbnserver for Gnome Batalla Naval 1.0.4 allows remote attackers to execute arbitrary code via a long connection string. CVE-2003-0408 DESCRIPTION: Buffer overflow in Uptime Client (UpClient) 5.0b7, and possibly other versions, allows local users to gain privileges via a long -p argument. CVE-2003-0409 DESCRIPTION: Buffer overflow in BRS WebWeaver 1.04 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP (1) POST or (2) HEAD request. CVE-2003-0410 DESCRIPTION: Buffer overflow in AnalogX Proxy 4.13 allows remote attackers to execute arbitrary code via a long URL to port 6588. CVE-2003-0411 DESCRIPTION: Sun ONE Application Server 7.0 for Windows 2000/XP allows remote attackers to obtain JSP source code via a request that uses the uppercase ".JSP" extension instead of the lowercase .jsp extension. CVE-2003-0412 DESCRIPTION: Sun ONE Application Server 7.0 for Windows 2000/XP does not log the complete URI of a long HTTP request, which could allow remote attackers to hide malicious activities. CVE-2003-0413 DESCRIPTION: Cross-site scripting (XSS) vulnerability in the webapps-simple sample application for (1) Sun ONE Application Server 7.0 for Windows 2000/XP or (2) Sun Java System Web Server 6.1 allows remote attackers to insert arbitrary web script or HTML via an HTTP request that generates an "Invalid JSP file" error, which inserts the text in the resulting error message. CVE-2003-0414 DESCRIPTION: The installation of Sun ONE Application Server 7.0 for Windows 2000/XP creates a statefile with world-readable permissions, which allows local users to gain privileges by reading a plaintext password in the statefile. CVE-2003-0415 DESCRIPTION: Remote PC Access Server 2.2 allows remote attackers to cause a denial of service (crash) by receiving packets from the server and sending them back to the server. CVE-2003-0416 DESCRIPTION: Cross-site scripting (XSS) vulnerability in index.cgi for Bandmin 1.4 allows remote attackers to insert arbitrary HTML or script via (1) the year parameter in a showmonth action, (2) the month parameter in a showmonth action, or (3) the host parameter in a showhost action. CVE-2003-0417 DESCRIPTION: Directory traversal vulnerability in Son hServer 0.2 allows remote attackers to read arbitrary files via ".|." (modified dot-dot) sequences. CVE-2003-0418 DESCRIPTION: The Linux 2.0 kernel IP stack does not properly calculate the size of an ICMP citation, which causes it to include portions of unauthorized memory in ICMP error responses. CVE-2003-0419 DESCRIPTION: SMC Networks Barricade Wireless Cable/DSL Broadband Router SMC7004VWBR allows remote attackers to cause a denial of service via certain packets to PPTP port 1723 on the internal interface. CVE-2003-0420 DESCRIPTION: Information leak in dsimportexport for Apple Macintosh OS X Server 10.2.6 allows local users to obtain the username and password of the account running the tool. CVE-2003-0421 DESCRIPTION: Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via an MS-DOS device name (e.g. AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0502. CVE-2003-0422 DESCRIPTION: Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via a request to view_broadcast.cgi that does not contain the required parameters. CVE-2003-0423 DESCRIPTION: parse_xml.cgi in Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to obtain the source code for parseable files via the filename parameter. CVE-2003-0424 DESCRIPTION: Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to obtain the source code for scripts by appending encoded space (%20) or . (%2e) characters to an HTTP request for the script, e.g. view_broadcast.cgi. CVE-2003-0425 DESCRIPTION: Directory traversal vulnerability in Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to read arbitrary files via a ... (triple dot) in an HTTP request. CVE-2003-0426 DESCRIPTION: The installation of Apple QuickTime / Darwin Streaming Server before 4.1.3f starts the administration server with a "Setup Assistant" page that allows remote attackers to set the administrator password and gain privileges before the real administrator. CVE-2003-0427 DESCRIPTION: Buffer overflow in mikmod 3.1.6 and earlier allows remote attackers to execute arbitrary code via an archive file that contains a file with a long filename. CVE-2003-0428 DESCRIPTION: Unknown vulnerability in the DCERPC (DCE/RPC) dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (memory consumption) via a certain NDR string. CVE-2003-0429 DESCRIPTION: The OSI dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow. CVE-2003-0430 DESCRIPTION: The SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value. CVE-2003-0431 DESCRIPTION: The tvb_get_nstringz0 function in Ethereal 0.9.12 and earlier does not properly handle a zero-length buffer size, with unknown consequences. CVE-2003-0432 DESCRIPTION: Ethereal 0.9.12 and earlier does not handle certain strings properly, with unknown consequences, in the (1) BGP, (2) WTP, (3) DNS, (4) 802.11, (5) ISAKMP, (6) WSP, (7) CLNP, (8) ISIS, and (9) RMI dissectors. CVE-2003-0433 DESCRIPTION: Multiple buffer overflows in gnocatan 0.6.1 and earlier allow attackers to execute arbitrary code. CVE-2003-0434 DESCRIPTION: Various PDF viewers including (1) Adobe Acrobat 5.06 and (2) Xpdf 1.01 allow remote attackers to execute arbitrary commands via shell metacharacters in an embedded hyperlink. CVE-2003-0435 DESCRIPTION: Buffer overflow in net_swapscore for typespeed 0.4.1 and earlier allows remote attackers to execute arbitrary code. CVE-2003-0436 DESCRIPTION: Buffer overflow in search.cgi for mnoGoSearch 3.1.20 allows remote attackers to execute arbitrary code via a long ul parameter. CVE-2003-0437 DESCRIPTION: Buffer overflow in search.cgi for mnoGoSearch 3.2.10 allows remote attackers to execute arbitrary code via a long tmplt parameter. CVE-2003-0438 DESCRIPTION: eldav WebDAV client for Emacs, version 0.7.2 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on temporary files. CVE-2003-0439 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0440 DESCRIPTION: The (1) semi MIME library 1.14.5 and earlier, and (2) wemi 1.14.0 and possibly other versions, allows local users to overwrite arbitrary files via a symlink attack on temporary files. CVE-2003-0441 DESCRIPTION: Multiple buffer overflows in Orville Write (orville-write) 2.53 and earlier allow local users to gain privileges. CVE-2003-0442 DESCRIPTION: Cross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter. CVE-2003-0443 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0444 DESCRIPTION: Heap-based buffer overflow in GTKSee 0.5 and 0.5.1 allows remote attackers to execute arbitrary code via a PNG image of certain color depths. CVE-2003-0445 DESCRIPTION: Buffer overflow in webfs before 1.17.1 allows remote attackers to execute arbitrary code via an HTTP request with a long Request-URI. CVE-2003-0446 DESCRIPTION: Cross-site scripting (XSS) in Internet Explorer 5.5 and 6.0, possibly in a component that is also used by other Microsoft products, allows remote attackers to insert arbitrary web script via an XML file that contains a parse error, which inserts the script in the resulting error message. CVE-2003-0447 DESCRIPTION: The Custom HTTP Errors capability in Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute script in the Local Zone via an argument to shdocvw.dll that causes a "javascript:" link to be generated. CVE-2003-0448 DESCRIPTION: Portmon 1.7 and possibly earlier versions allows local users to read and write arbitrary files via the (1) -c (host file) or (2) -l (log file) command line options. CVE-2003-0449 DESCRIPTION: Progress Database 9.1 to 9.1D06 trusts user input to find and load libraries using dlopen, which allows local users to gain privileges via (1) a PATH environment variable that points to malicious libraries, as demonstrated using libjutil.so in_proapsv, or (2) the -installdir command line parameter, as demonstrated using librocket_r.so in _dbagent. CVE-2003-0450 DESCRIPTION: Cistron RADIUS daemon (radiusd-cistron) 1.6.6 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large value in an NAS-Port attribute, which is interpreted as a negative number and causes a buffer overflow. CVE-2003-0451 DESCRIPTION: Multiple buffer overflows in xbl before 1.0k allow local users to gain privileges via certain long command line arguments. CVE-2003-0452 DESCRIPTION: Buffer overflows in osh before 1.7-11 allow local users to execute arbitrary code and bypass shell restrictions via (1) long environment variables or (2) long "file redirections." CVE-2003-0453 DESCRIPTION: traceroute-nanog 6.1.1 allows local users to overwrite unauthorized memory and possibly execute arbitrary code via certain "nprobes" and "max_ttl" arguments that cause an integer overflow that is used when allocating memory, which leads to a buffer overflow. CVE-2003-0454 DESCRIPTION: Multiple buffer overflows in xgalaga 2.0.34 and earlier allow local users to gain privileges via a long HOME environment variable. CVE-2003-0455 DESCRIPTION: The imagemagick libmagick library 5.5 and earlier creates temporary files insecurely, which allows local users to create or overwrite arbitrary files. CVE-2003-0456 DESCRIPTION: VisNetic WebSite 3.5 allows remote attackers to obtain the full pathname of the server via a request containing a folder that does not exist, which leaks the pathname in an error message, as demonstrated using _vti_bin/fpcount.exe. CVE-2003-0457 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0458 DESCRIPTION: Unknown vulnerability in HP NonStop Server D40.00 through D48.03, and G01.00 through G06.20, allows local users to gain additional privileges. CVE-2003-0459 DESCRIPTION: KDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites. CVE-2003-0460 DESCRIPTION: The rotatelogs program on Apache before 1.3.28, for Windows and OS/2 systems, does not properly ignore certain control characters that are received over the pipe, which could allow remote attackers to cause a denial of service. CVE-2003-0461 DESCRIPTION: /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords. CVE-2003-0462 DESCRIPTION: A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash). CVE-2003-0463 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2003-0464 DESCRIPTION: The RPC code in Linux kernel 2.4 sets the reuse flag when sockets are created, which could allow local users to bind to UDP ports that are used by privileged services such as nfsd. CVE-2003-0465 DESCRIPTION: The kernel strncpy function in Linux 2.4 and 2.5 does not %NUL pad the buffer on architectures other than x86, as opposed to the expected behavior of strncpy as implemented in libc, which could lead to information leaks. CVE-2003-0466 DESCRIPTION: Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO. CVE-2003-0467 DESCRIPTION: Unknown vulnerability in ip_nat_sack_adjust of Netfilter in Linux kernels 2.4.20, and some 2.5.x, when CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC is enabled, or the ip_nat_ftp or ip_nat_irc modules are loaded, allows remote attackers to cause a denial of service (crash) in systems using NAT, possibly due to an integer signedness error. CVE-2003-0468 DESCRIPTION: Postfix 1.1.11 and earlier allows remote attackers to use Postfix to conduct "bounce scans" or DDos attacks of other hosts via an email address to the local host containing the target IP address and service name followed by a "!" string, which causes Postfix to attempt to use SMTP to communicate with the target on the associated port. CVE-2003-0469 DESCRIPTION: Buffer overflow in the HTML Converter (HTML32.cnv) on various Windows operating systems allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via cut-and-paste operation, as demonstrated in Internet Explorer 5.0 using a long "align" argument in an HR tag. CVE-2003-0470 DESCRIPTION: Buffer overflow in the "RuFSI Utility Class" ActiveX control (aka "RuFSI Registry Information Class"), as used for the Symantec Security Check service, allows remote attackers to execute arbitrary code via a long argument to CompareVersionStrings. CVE-2003-0471 DESCRIPTION: Buffer overflow in WebAdmin.exe for WebAdmin allows remote attackers to execute arbitrary code via an HTTP request to WebAdmin.dll with a long USER argument. CVE-2003-0472 DESCRIPTION: The IPv6 capability in IRIX 6.5.19 allows remote attackers to cause a denial of service (hang) in inetd via port scanning. CVE-2003-0473 DESCRIPTION: Unknown vulnerability in the IPv6 capability in IRIX 6.5.19 causes snoop to process packets as the root user, with unknown implications. CVE-2003-0474 DESCRIPTION: Directory traversal vulnerability in iWeb Server allows remote attackers to read arbitrary files via an HTTP request containing .. sequences, a different vulnerability than CVE-2003-0475. CVE-2003-0475 DESCRIPTION: Directory traversal vulnerability in iWeb Server 2 allows remote attackers to read arbitrary files via an HTTP request containing URL-encoded .. sequences ("%5c%2e%2e"), a different vulnerability than CVE-2003-0474. CVE-2003-0476 DESCRIPTION: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors. CVE-2003-0477 DESCRIPTION: wzdftpd 0.1rc4 and earlier allows remote attackers to cause a denial of service (crash) via a PORT command without an argument. CVE-2003-0478 DESCRIPTION: Format string vulnerability in (1) Bahamut IRCd 1.4.35 and earlier, and other IRC daemons based on Bahamut including (2) digatech 1.2.1, (3) methane 0.1.1, (4) AndromedeIRCd 1.2.3-Release, and (5) ircd-RU, when running in debug mode, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a request containing format strings. CVE-2003-0479 DESCRIPTION: Cross-site scripting (XSS) vulnerability in the guestbook for WebBBS allows remote attackers to insert arbitrary web script via the (1) Name, (2) Email, or (3) Message fields. CVE-2003-0480 DESCRIPTION: VMware Workstation 4.0 for Linux allows local users to overwrite arbitrary files and gain privileges via "symlink manipulation." CVE-2003-0481 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in TUTOS 1.1 allow remote attackers to insert arbitrary web script, as demonstrated using the msg parameter to file_select.php. CVE-2003-0482 DESCRIPTION: TUTOS 1.1 allows remote attackers to execute arbitrary code by uploading the code using file_new.php, then directly accessing the uploaded code via a request to the repository containing the code. CVE-2003-0483 DESCRIPTION: Cross-site scripting (XSS) vulnerabilities in XMB Forum 1.8 Partagium allow remote attackers to insert arbitrary script via (1) the member parameter to member.php or (2) the action parameter to buddy.php. CVE-2003-0484 DESCRIPTION: Cross-site scripting (XSS) vulnerability in viewtopic.php for phpBB allows remote attackers to insert arbitrary web script via the topic_id parameter. CVE-2003-0485 DESCRIPTION: Buffer overflow in Progress 4GL Compiler 9.1D06 and earlier allows attackers to execute arbitrary code via source code containing a long, invalid data type. CVE-2003-0486 DESCRIPTION: SQL injection vulnerability in viewtopic.php for phpBB 2.0.5 and earlier allows remote attackers to steal password hashes via the topic_id parameter. CVE-2003-0487 DESCRIPTION: Multiple buffer overflows in Kerio MailServer 5.6.3 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via (1) a long showuser parameter in the do_subscribe module, (2) a long folder parameter in the add_acl module, (3) a long folder parameter in the list module, and (4) a long user parameter in the do_map module. CVE-2003-0488 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in Kerio MailServer 5.6.3 allow remote attackers to insert arbitrary web script via (1) the add_name parameter in the add_acl module, or (2) the alias parameter in the do_map module. CVE-2003-0489 DESCRIPTION: tcptraceroute 1.4 and earlier does not fully drop privileges after obtaining a file descriptor for capturing packets, which may allow local users to gain access to the descriptor via a separate vulnerability in tcptraceroute. CVE-2003-0490 DESCRIPTION: The installation of Dantz Retrospect Client 5.0.540 on MacOS X 10.2.6, and possibly other versions, creates critical directories and files with world-writable permissions, which allows local users to gain privileges as other users by replacing programs with malicious code. CVE-2003-0491 DESCRIPTION: The Tutorials 2.0 module in XOOPS and E-XOOPS allows remote attackers to execute arbitrary code by uploading a PHP file without a MIME image type, then directly accessing the uploaded file. CVE-2003-0492 DESCRIPTION: Cross-site scripting (XSS) vulnerability in search.asp for Snitz Forums 3.4.03 and earlier allows remote attackers to execute arbitrary web script via the Search parameter. CVE-2003-0493 DESCRIPTION: Snitz Forums 3.4.03 and earlier allows attackers to gain privileges as other users by stealing and replaying the encrypted password after obtaining a valid session ID. CVE-2003-0494 DESCRIPTION: password.asp in Snitz Forums 3.4.03 and earlier allows remote attackers to reset passwords and gain privileges as other users by via a direct request to password.asp with a modified member id. CVE-2003-0495 DESCRIPTION: Cross-site scripting (XSS) vulnerability in LedNews 0.7 allows remote attackers to insert arbitrary web script via a news item. CVE-2003-0496 DESCRIPTION: Microsoft SQL Server before Windows 2000 SP4 allows local users to gain privileges as the SQL Server user by calling the xp_fileexist extended stored procedure with a named pipe as an argument instead of a normal file. CVE-2003-0497 DESCRIPTION: Caché Database 5.x installs /cachesys/bin/cache with world-writable permissions, which allows local users to gain privileges by modifying cache and executing it via cuxs. CVE-2003-0498 DESCRIPTION: Caché Database 5.x installs the /cachesys/csp directory with insecure permissions, which allows local users to execute arbitrary code by adding server-side scripts that are executed with root privileges. CVE-2003-0499 DESCRIPTION: Mantis 0.17.5 and earlier stores its database password in cleartext in a world-readable configuration file, which allows local users to perform unauthorized database operations. CVE-2003-0500 DESCRIPTION: SQL injection vulnerability in the PostgreSQL authentication module (mod_sql_postgres) for ProFTPD before 1.2.9rc1 allows remote attackers to execute arbitrary SQL and gain privileges by bypassing authentication or stealing passwords via the USER name. CVE-2003-0501 DESCRIPTION: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries. CVE-2003-0502 DESCRIPTION: Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to cause a denial of service (crash) via a .. (dot dot) sequence followed by an MS-DOS device name (e.g. AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0421. CVE-2003-0503 DESCRIPTION: Buffer overflow in the ShellExecute API function of SHELL32.DLL in Windows 2000 before SP4 may allow attackers to cause a denial of service or execute arbitrary code via a long third argument. CVE-2003-0504 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in Phpgroupware 0.9.14.003 (aka webdistro) allow remote attackers to insert arbitrary HTML or web script, as demonstrated with a request to index.php in the addressbook module. CVE-2003-0505 DESCRIPTION: Directory traversal vulnerability in Microsoft NetMeeting 3.01 2000 before SP4 allows remote attackers to read arbitrary files via "..\.." (dot dot) sequences in a file transfer request. CVE-2003-0506 DESCRIPTION: Microsoft NetMeeting 3.01 2000 before SP4 allows remote attackers to cause a denial of service (shutdown of NetMeeting conference) via malformed packets, as demonstrated via the chat conversation. CVE-2003-0507 DESCRIPTION: Stack-based buffer overflow in Active Directory in Windows 2000 before SP4 allows remote attackers to cause a denial of service (reboot) and possibly execute arbitrary code via an LDAP version 3 search request with a large number of (1) "AND," (2) "OR," and possibly other statements, which causes LSASS.EXE to crash. CVE-2003-0508 DESCRIPTION: Buffer overflow in the WWWLaunchNetscape function of Adobe Acrobat Reader (acroread) 5.0.7 and earlier allows remote attackers to execute arbitrary code via a .pdf file with a long mailto link. CVE-2003-0509 DESCRIPTION: SQL injection vulnerability in Cyberstrong eShop 4.2 and earlier allows remote attackers to steal authentication information and gain privileges via the ProductCode parameter in (1) 10expand.asp, (2) 10browse.asp, and (3) 20review.asp. CVE-2003-0510 DESCRIPTION: Format string vulnerability in ezbounce 1.0 through 1.50 allows remote attackers to execute arbitrary code via the "sessions" command. CVE-2003-0511 DESCRIPTION: The web server for Cisco Aironet AP1x00 Series Wireless devices running certain versions of IOS 12.2 allow remote attackers to cause a denial of service (reload) via a malformed URL. CVE-2003-0512 DESCRIPTION: Cisco IOS 12.2 and earlier generates a "% Login invalid" message instead of prompting for a password when an invalid username is provided, which allows remote attackers to identify valid usernames on the system and conduct brute force password guessing, as reported for the Aironet Bridge. CVE-2003-0513 DESCRIPTION: Microsoft Internet Explorer allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Internet Explorer to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. CVE-2003-0514 DESCRIPTION: Apple Safari allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Safari to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. CVE-2003-0515 DESCRIPTION: SQL injection vulnerabilities in the (1) PostgreSQL or (2) MySQL authentication modules for teapop 0.3.5 and earlier allow attackers to execute arbitrary SQL and possibly gain privileges. CVE-2003-0516 DESCRIPTION: cnd.c in mgetty 1.1.28 and earlier does not properly filter non-printable characters and quotes, which may allow remote attackers to execute arbitrary commands via shell metacharacters in (1) caller ID or (2) caller name strings. CVE-2003-0517 DESCRIPTION: faxrunqd.in in mgetty 1.1.28 and earlier allows local users to overwrite files via a symlink attack on JOB files. CVE-2003-0518 DESCRIPTION: The screen saver in MacOS X allows users with physical access to cause the screen saver to crash and gain access to the underlying session via a large number of characters in the password field, possibly triggering a buffer overflow. CVE-2003-0519 DESCRIPTION: Certain versions of Internet Explorer 5 and 6, in certain Windows environments, allow remote attackers to cause a denial of service (freeze) via a URL to C:\aux (MS-DOS device name) and possibly other devices. CVE-2003-0520 DESCRIPTION: Trillian 1.0 Pro and 0.74 Freeware allows remote attackers to cause a denial of service (crash) via a TypingUser message in which the "TypingUser" string has been modified. CVE-2003-0521 DESCRIPTION: Cross-site scripting (XSS) vulnerability in cPanel 6.4.2 allows remote attackers to insert arbitrary HTML and possibly gain cPanel administrator privileges via script in a URL that is logged but not properly quoted when displayed via the (1) Error Log or (2) Latest Visitors screens. CVE-2003-0522 DESCRIPTION: Multiple SQL injection vulnerabilities in ProductCart 1.5 through 2 allow remote attackers to (1) gain access to the admin control panel via the idadmin parameter to login.asp or (2) gain other privileges via the Email parameter to Custva.asp. CVE-2003-0523 DESCRIPTION: Cross-site scripting (XSS) vulnerability in msg.asp for certain versions of ProductCart allow remote attackers to execute arbitrary web script via the message parameter. CVE-2003-0524 DESCRIPTION: Qt in Knoppix 3.1 Live CD allows local users to overwrite arbitrary files via a symlink attack on the qt_plugins_3.0rc temporary file in the .qt directory. CVE-2003-0525 DESCRIPTION: The getCanonicalPath function in Windows NT 4.0 may free memory that it does not own and cause heap corruption, which allows attackers to cause a denial of service (crash) via requests that cause a long file name to be passed to getCanonicalPath, as demonstrated on the IBM JVM using a long string to the java.io.getCanonicalPath Java method. CVE-2003-0526 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found." CVE-2003-0527 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0528 DESCRIPTION: Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715. CVE-2003-0529 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0530 DESCRIPTION: Buffer overflow in the BR549.DLL ActiveX control for Internet Explorer 5.01 SP3 through 6.0 SP1 allows remote attackers to execute arbitrary code. CVE-2003-0531 DESCRIPTION: Internet Explorer 5.01 SP3 through 6.0 SP1 allows remote attackers to access and execute script in the My Computer domain using the browser cache via crafted Content-Type and Content-Disposition headers, aka the "Browser Cache Script Execution in My Computer Zone" vulnerability. CVE-2003-0532 DESCRIPTION: Internet Explorer 5.01 SP3 through 6.0 SP1 does not properly determine object types that are returned by web servers, which could allow remote attackers to execute arbitrary code via an object tag with a data parameter to a malicious file hosted on a server that returns an unsafe Content-Type, aka the "Object Type" vulnerability. CVE-2003-0533 DESCRIPTION: Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm. CVE-2003-0534 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0535 DESCRIPTION: Buffer overflow in xbl 1.0k and earlier allows local users to gain privileges via a long -display command line option. CVE-2003-0536 DESCRIPTION: Directory traversal vulnerability in phpSysInfo 2.1 and earlier allows attackers with write access to a local directory to read arbitrary files as the PHP user or cause a denial of service via .. (dot dot) sequences in the (1) template or (2) lng parameters. CVE-2003-0537 DESCRIPTION: The liece Emacs IRC client 2.0+0.20030527 and earlier creates temporary files insecurely, which could allow local users to overwrite arbitrary files as other users. CVE-2003-0538 DESCRIPTION: The mailcap file for mozart 1.2.5 and earlier causes Oz applications to be passed to the Oz interpreter, which allows remote attackers to execute arbitrary Oz programs in a MIME-aware client program. CVE-2003-0539 DESCRIPTION: skk (Simple Kana to Kanji conversion program) 12.1 and earlier, and the ddskk package which is based on skk, creates temporary files insecurely, which allows local users to overwrite arbitrary files. CVE-2003-0540 DESCRIPTION: The address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up. CVE-2003-0541 DESCRIPTION: gtkhtml before 1.1.10, as used in Evolution, allows remote attackers to cause a denial of service (crash) via a malformed message that causes a null pointer dereference. CVE-2003-0542 DESCRIPTION: Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures. CVE-2003-0543 DESCRIPTION: Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values. CVE-2003-0544 DESCRIPTION: OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used. CVE-2003-0545 DESCRIPTION: Double free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding. CVE-2003-0546 DESCRIPTION: up2date 3.0.7 and 3.1.23 does not properly verify RPM GPG signatures, which could allow remote attackers to cause unsigned packages to be installed from the Red Hat Network, if that network is compromised. CVE-2003-0547 DESCRIPTION: GDM before 2.4.1.6, when using the "examine session errors" feature, allows local users to read arbitrary files via a symlink attack on the ~/.xsession-errors file. CVE-2003-0548 DESCRIPTION: The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) when a chosen host expires, a different issue than CVE-2003-0549. CVE-2003-0549 DESCRIPTION: The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) via a short authorization key name. CVE-2003-0550 DESCRIPTION: The STP protocol, as enabled in Linux 2.4.x, does not provide sufficient security by design, which allows attackers to modify the bridge topology. CVE-2003-0551 DESCRIPTION: The STP protocol implementation in Linux 2.4.x does not properly verify certain lengths, which could allow attackers to cause a denial of service. CVE-2003-0552 DESCRIPTION: Linux 2.4.x allows remote attackers to spoof the bridge Forwarding table via forged packets whose source addresses are the same as the target. CVE-2003-0553 DESCRIPTION: Buffer overflow in the Client Detection Tool (CDT) plugin (npcdt.dll) for Netscape 7.02 allows remote attackers to execute arbitrary code via an attachment with a long filename. CVE-2003-0554 DESCRIPTION: NeoModus Direct Connect 1.0 build 9, and possibly other versions, allows remote attackers to cause a denial of service (connection and possibly memory exhaustion) via a flood of ConnectToMe requests containing arbitrary IP addresses and ports. CVE-2003-0555 DESCRIPTION: ImageMagick 5.4.3.x and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a "%x" filename, possibly triggering a format string vulnerability. CVE-2003-0556 DESCRIPTION: Polycom MGC 25 allows remote attackers to cause a denial of service (crash) via a large number of "user" requests to the control port 5003, as demonstrated using the blast TCP stress tester. CVE-2003-0557 DESCRIPTION: SQL injection vulnerability in login.asp for StoreFront 6.0, and possibly earlier versions, allows remote attackers to obtain sensitive user information via SQL statements in the password field. CVE-2003-0558 DESCRIPTION: Buffer overflow in LeapFTP 2.7.3.600 allows remote FTP servers to execute arbitrary code via a long IP address response to a PASV request. CVE-2003-0559 DESCRIPTION: mainfile.php in phpforum 2 RC-1, and possibly earlier versions, allows remote attackers to execute arbitrary PHP code by modifying the MAIN_PATH parameter to reference a URL on a remote web server that contains the code. CVE-2003-0560 DESCRIPTION: SQL injection vulnerability in shopexd.asp for VP-ASP allows remote attackers to gain administrator privileges via the id parameter. CVE-2003-0561 DESCRIPTION: Multiple buffer overflows in IglooFTP PRO 3.8 allow remote FTP servers to execute arbitrary code via (1) a long FTP banner, or long responses to the client commands (2) USER, (3) PASS, (4) ACCT, and possibly other commands. CVE-2003-0562 DESCRIPTION: Buffer overflow in the CGI2PERL.NLM PERL handler in Novell Netware 5.1 and 6.0 allows remote attackers to cause a denial of service (ABEND) via a long input string. CVE-2003-0563 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0564 DESCRIPTION: Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite. CVE-2003-0565 DESCRIPTION: Multiple vulnerabilities in multiple vendor implementations of the X.400 protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an X.400 message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite. CVE-2003-0566 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0567 DESCRIPTION: Cisco IOS 11.x and 12.0 through 12.2 allows remote attackers to cause a denial of service (traffic block) by sending a particular sequence of IPv4 packets to an interface on the device, causing the input queue on that interface to be marked as full. CVE-2003-0568 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0569 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0570 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0571 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0572 DESCRIPTION: Unknown vulnerability in nsd in SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, allows attackers to cause a denial of service (memory consumption). CVE-2003-0573 DESCRIPTION: The DNS callbacks in nsd in SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, do not perform sufficient sanity checking, with unknown impact. CVE-2003-0574 DESCRIPTION: Unknown vulnerability in SGI IRIX 6.5.x through 6.5.20, and possibly earlier versions, allows local users to cause a core dump in scheme and possibly gain privileges via certain environment variables, a different vulnerability than CVE-2001-0797 and CVE-1999-0028. CVE-2003-0575 DESCRIPTION: Heap-based buffer overflow in the name services daemon (nsd) in SGI IRIX 6.5.x through 6.5.21f, and possibly earlier versions, allows attackers to gain root privileges via the AUTH_UNIX gid list. CVE-2003-0576 DESCRIPTION: Unknown vulnerability in the NFS daemon (nfsd) in SGI IRIX 6.5.19f and earlier allows remote attackers to cause a denial of service (kernel panic) via certain packets that cause XDR decoding errors, a different vulnerability than CVE-2003-0619. CVE-2003-0577 DESCRIPTION: mpg123 0.59r allows remote attackers to cause a denial of service and possibly execute arbitrary code via an MP3 file with a zero bitrate, which creates a negative frame size. CVE-2003-0578 DESCRIPTION: cci_dir in IBM U2 UniVerse 10.0.0.9 and earlier creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files. CVE-2003-0579 DESCRIPTION: uvadmsh in IBM U2 UniVerse 10.0.0.9 and earlier trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user. CVE-2003-0580 DESCRIPTION: Buffer overflow in uvadmsh in IBM U2 UniVerse 10.0.0.9 and earlier allows the uvadm user to execute arbitrary code via a long -uv.install command line argument. CVE-2003-0581 DESCRIPTION: X Fontserver for Truetype fonts (xfstt) 1.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a (1) FS_QueryXExtents8 or (2) FS_QueryXBitmaps8 packet, and possibly other types of packets, with a large num_ranges value, which causes an out-of-bounds array access. CVE-2003-0582 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0504. Reason: This candidate is a duplicate of CVE-2003-0504. Notes: All CVE users should reference CVE-2003-0504 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2003-0583 DESCRIPTION: Buffer overflow in Backup and Restore Utility for Unix (BRU) 17.0 and earlier, when running setuid, allows local users to execute arbitrary code via a long command line argument. CVE-2003-0584 DESCRIPTION: Format string vulnerability in Backup and Restore Utility for Unix (BRU) 17.0 and earlier, when running setuid, allows local users to execute arbitrary code via format string specifiers in a command line argument. CVE-2003-0585 DESCRIPTION: SQL injection vulnerability in login.asp of Brooky eStore 1.0.1 through 1.0.2b allows remote attackers to bypass authentication and execute arbitrary SQL code via the (1) user or (2) pass parameters. CVE-2003-0586 DESCRIPTION: Brooky eStore 1.0.1 through 1.0.2b allows remote attackers to obtain sensitive path information via a direct HTTP request to settings.inc.php. CVE-2003-0587 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Infopop Ultimate Bulletin Board (UBB) 6.x allows remote authenticated users to execute arbitrary web script and gain administrative access via the "displayed name" attribute of the "ubber" cookie. CVE-2003-0588 DESCRIPTION: admin.php in Digi-news 1.1 allows remote attackers to bypass authentication via a cookie with the username set to the name of the administrator, which satisfies an improper condition in admin.php that does not require a correct password. CVE-2003-0589 DESCRIPTION: admin.php in Digi-ads 1.1 allows remote attackers to bypass authentication via a cookie with the username set to the name of the administrator, which satisfies an improper condition in admin.php that does not require a correct password. CVE-2003-0590 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Splatt Forum allows remote attackers to insert arbitrary HTML and web script via the post icon (image_subject) field. CVE-2003-0591 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is a duplicate number that was created during the refinement phase. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2003-0592 DESCRIPTION: Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. CVE-2003-0593 DESCRIPTION: Opera allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Opera to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. CVE-2003-0594 DESCRIPTION: Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. CVE-2003-0595 DESCRIPTION: Buffer overflow in WiTango Application Server and Tango 2000 allows remote attackers to execute arbitrary code via a long cookie to Witango_UserReference. CVE-2003-0596 DESCRIPTION: FDclone 2.00a, and other versions before 2.02a, creates temporary directories with predictable names and uses them if they already exist, which allows local users to read or modify files of other fdclone users by creating the directory ahead of time. CVE-2003-0597 DESCRIPTION: Unknown vulnerability in display of Merge before 5.3.23a in UnixWare 7.1.x allows local users to gain root privileges. CVE-2003-0598 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0657. Reason: This candidate is a reservation duplicate of CVE-2003-0657. Notes: All CVE users should reference CVE-2003-0657 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2003-0599 DESCRIPTION: Unknown vulnerability in the Virtual File System (VFS) capability for phpGroupWare 0.9.16preRC and versions before 0.9.14.004 with unknown implications, related to the VFS path being under the web document root. CVE-2003-0600 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0601 DESCRIPTION: Workgroup Manager in Apple Mac OS X Server 10.2 through 10.2.6 does not disable a password for a new account before it is saved for the first time, which allows remote attackers to gain unauthorized access via the new account before it is saved. CVE-2003-0602 DESCRIPTION: Multiple cross-site scripting vulnerabilities (XSS) in Bugzilla 2.16.x before 2.16.3 and 2.17.x before 2.17.4 allow remote attackers to insert arbitrary HTML or web script via (1) multiple default German and Russian HTML templates or (2) ALT and NAME attributes in AREA tags as used by the GraphViz graph generation feature for local dependency graphs. CVE-2003-0603 DESCRIPTION: Bugzilla 2.16.x before 2.16.3, 2.17.x before 2.17.4, and earlier versions allows local users to overwrite arbitrary files via a symlink attack on temporary files that are created in directories with group-writable or world-writable permissions. CVE-2003-0604 DESCRIPTION: Windows Media Player (WMP) 7 and 8, as running on Internet Explorer and possibly other Microsoft products that process HTML, allows remote attackers to bypass zone restrictions and access or execute arbitrary files via an IFRAME tag pointing to an ASF file whose Content-location contains a File:// URL. CVE-2003-0605 DESCRIPTION: The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function. CVE-2003-0606 DESCRIPTION: sup 1.8 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. CVE-2003-0607 DESCRIPTION: Buffer overflow in xconq 7.4.1 allows local users to become part of the "games" group via the (1) USER or (2) DISPLAY environment variables. CVE-2003-0608 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0609 DESCRIPTION: Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9 allows local users to gain root privileges via a long LD_PRELOAD environment variable. CVE-2003-0610 DESCRIPTION: Directory traversal vulnerability in ePO agent for McAfee ePolicy Orchestrator 3.0 allows remote attackers to read arbitrary files via a certain HTTP request. CVE-2003-0611 DESCRIPTION: Multiple buffer overflows in xtokkaetama 1.0 allow local users to gain privileges via a long (1) -display command line argument or (2) XTOKKAETAMADIR environment variable. CVE-2003-0612 DESCRIPTION: Multiple buffer overflows in main.c for Crafty 19.3 allow local users to gain group "games" privileges via long command line arguments to crafty.bin. CVE-2003-0613 DESCRIPTION: Buffer overflow in zblast-svgalib of zblast 1.2.1 and earlier allows local users to execute arbitrary code via the high score file. CVE-2003-0614 DESCRIPTION: Cross-site scripting (XSS) vulnerability in search.php of Gallery 1.1 through 1.3.4 allows remote attackers to insert arbitrary web script via the searchstring parameter. CVE-2003-0615 DESCRIPTION: Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter. CVE-2003-0616 DESCRIPTION: Format string vulnerability in ePO service for McAfee ePolicy Orchestrator 2.0, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code via a POST request with format strings in the computerlist parameter, which are used when logging a failed name resolution. CVE-2003-0617 DESCRIPTION: mindi 0.58 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. CVE-2003-0618 DESCRIPTION: Multiple vulnerabilities in suidperl 5.6.1 and earlier allow a local user to obtain sensitive information about files for which the user does not have appropriate permissions. CVE-2003-0619 DESCRIPTION: Integer signedness error in the decode_fh function of nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to cause a denial of service (kernel panic) via a negative size value within XDR data of an NFSv3 procedure call. CVE-2003-0620 DESCRIPTION: Multiple buffer overflows in man-db 2.4.1 and earlier, when installed setuid, allow local users to gain privileges via (1) MANDATORY_MANPATH, MANPATH_MAP, and MANDB_MAP arguments to add_to_dirlist in manp.c, (2) a long pathname to ult_src in ult_src.c, (3) a long .so argument to test_for_include in ult_src.c, (4) a long MANPATH environment variable, or (5) a long PATH environment variable. CVE-2003-0621 DESCRIPTION: The Administration Console for BEA Tuxedo 8.1 and earlier allows remote attackers to determine the existence of files outside the web root via modified paths in the INIFILE argument. CVE-2003-0622 DESCRIPTION: The Administration Console for BEA Tuxedo 8.1 and earlier allows remote attackers to cause a denial of service (hang) via pathname arguments that contain MS-DOS device names such as CON and AUX. CVE-2003-0623 DESCRIPTION: Cross-site scripting (XSS) vulnerability in the Administration Console for BEA Tuxedo 8.1 and earlier allows remote attackers to inject arbitrary web script via the INIFILE argument. CVE-2003-0624 DESCRIPTION: Cross-site scripting (XSS) vulnerability in InteractiveQuery.jsp for BEA WebLogic 8.1 and earlier allows remote attackers to inject malicious web script via the person parameter. CVE-2003-0625 DESCRIPTION: Off-by-one error in certain versions of xfstt allows remote attackers to read potentially sensitive memory via a malformed client request in the connection handshake, which leaks the memory in the server's response. CVE-2003-0626 DESCRIPTION: psdoccgi.exe in PeopleSoft PeopleTools 8.4 through 8.43 allows remote attackers to read arbitrary files via the (1) headername or (2) footername arguments. CVE-2003-0627 DESCRIPTION: psdoccgi.exe in PeopleSoft PeopleTools 8.4 through 8.43 allows remote attackers to cause a denial of service (application crash), possibly via the headername and footername arguments. CVE-2003-0628 DESCRIPTION: PeopleSoft Gateway Administration servlet (gateway.administration) in PeopleTools 8.43 and earlier allows remote attackers to obtain the full pathnames for server-side include (SSI) files via an HTTP request with an invalid value. CVE-2003-0629 DESCRIPTION: Cross-site scripting (XSS) vulnerability in PeopleSoft IScript environment for PeopleTools 8.43 and earlier allows remote attackers to insert arbitrary web script via a certain HTTP request to IScript. CVE-2003-0630 DESCRIPTION: Multiple buffer overflows in the atari800.svgalib setuid program of the Atari 800 emulator (atari800) before 1.2.2 allow local users to gain privileges via long command line arguments, as demonstrated with the -osa_rom argument. CVE-2003-0631 DESCRIPTION: VMware GSX Server 2.5.1 build 4968 and earlier, and Workstation 4.0 and earlier, allows local users to gain root privileges via certain enivronment variables that are used when launching a virtual machine session. CVE-2003-0632 DESCRIPTION: Buffer overflow in the Oracle Applications Web Report Review (FNDWRR) CGI program (FNDWRR.exe) of Oracle E-Business Suite 11.0 and 11.5.1 through 11.5.8 may allow remote attackers to execute arbitrary code via a long URL. CVE-2003-0633 DESCRIPTION: Multiple vulnerabilities in aoljtest.jsp of Oracle Applications AOL/J Setup Test Suite in Oracle E-Business Suite 11.5.1 through 11.5.8 allow a remote attacker to obtain sensitive information without authentication, such as the GUEST user password and the application server security key. CVE-2003-0634 DESCRIPTION: Stack-based buffer overflow in the PL/SQL EXTPROC functionality for Oracle9i Database Release 2 and 1, and Oracle 8i, allows authenticated database users, and arbitrary database users in some cases, to execute arbitrary code via a long library name. CVE-2003-0635 DESCRIPTION: Unknown vulnerability or vulnerabilities in Novell iChain 2.2 before Support Pack 1, with unknown impact, possibly related to unauthorized access to (1) NCPIP.NLM and (2) JSTCP.NLM. CVE-2003-0636 DESCRIPTION: Novell iChain 2.2 before Support Pack 1 does not properly verify that URL redirects match the DNS name of an accelerator, which allows attackers to redirect URLs to malicious web sites. CVE-2003-0637 DESCRIPTION: Novell iChain 2.2 before Support Pack 1 uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing. CVE-2003-0638 DESCRIPTION: Multiple buffer overflows in Novell iChain 2.1 before Field Patch 3, and iChain 2.2 before Field Patch 1a, allow attackers to cause a denial of service (ABEND) and possibly execute arbitrary code via (1) a long user name or (2) an unknown attack related to a "special script against login." CVE-2003-0639 DESCRIPTION: Unknown vulnerability in Novell iChain 2.2 before Support Pack 1 allows users to access restricted or secure pages without authentication. CVE-2003-0640 DESCRIPTION: BEA WebLogic Server and Express, when using NodeManager to start servers, provides Operator users with privileges to overwrite usernames and passwords, which may allow Operators to gain Admin privileges. CVE-2003-0641 DESCRIPTION: WatchGuard ServerLock for Windows 2000 before SL 2.0.3 allows local users to load arbitrary modules via the OpenProcess() function, as demonstrated using (1) a DLL injection attack, (2) ZwSetSystemInformation, and (3) API hooking in OpenProcess. CVE-2003-0642 DESCRIPTION: WatchGuard ServerLock for Windows 2000 before SL 2.0.4 allows local users to access kernel memory via a symlink attack on \Device\PhysicalMemory. CVE-2003-0643 DESCRIPTION: Integer signedness error in the Linux Socket Filter implementation (filter.c) in Linux 2.4.3-pre3 to 2.4.22-pre10 allows attackers to cause a denial of service (crash). CVE-2003-0644 DESCRIPTION: Kdbg 1.1.0 through 1.2.8 does not check permissions of the .kdbgrc file, which allows local users to execute arbitrary commands. CVE-2003-0645 DESCRIPTION: man-db 2.3.12 and 2.3.18 to 2.4.1 uses certain user-controlled DEFINE directives from the ~/.manpath file, even when running setuid, which could allow local users to gain privileges. CVE-2003-0646 DESCRIPTION: Multiple buffer overflows in ActiveX controls used by Trend Micro HouseCall 5.5 and 5.7, and Damage Cleanup Server 1.0, allow remote attackers to execute arbitrary code via long parameter strings. CVE-2003-0647 DESCRIPTION: Buffer overflow in the HTTP server for Cisco IOS 12.2 and earlier allows remote attackers to execute arbitrary code via an extremely long (2GB) HTTP GET request. CVE-2003-0648 DESCRIPTION: Multiple buffer overflows in vfte, based on FTE, before 0.50, allow local users to execute arbitrary code. CVE-2003-0649 DESCRIPTION: Buffer overflow in xpcd-svga for xpcd 2.08 and earlier allows local users to execute arbitrary code via a long HOME environment variable. CVE-2003-0650 DESCRIPTION: Directory traversal vulnerability in GSAPAK.EXE for GameSpy Arcade, possibly versions before 1.3e, allows remote attackers to overwrite arbitrary files and execute arbitrary code via .. (dot dot) sequences in filenames in a .APK (Zip) file. CVE-2003-0651 DESCRIPTION: Buffer overflow in the mylo_log logging function for mod_mylo 0.2.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request. CVE-2003-0652 DESCRIPTION: Buffer overflow in xtokkaetama allows local users to gain privileges via a long -nickname command line argument, a different vulnerability than CVE-2003-0611. CVE-2003-0653 DESCRIPTION: The OSI networking kernel (sys/netiso) in NetBSD 1.6.1 and earlier does not use a BSD-required "PKTHDR" mbuf when sending certain error responses to the sender of an OSI packet, which allows remote attackers to cause a denial of service (kernel panic or crash) via certain OSI packets. CVE-2003-0654 DESCRIPTION: Buffer overflow in autorespond may allow remote attackers to execute arbitrary code as the autorespond user via qmail. CVE-2003-0655 DESCRIPTION: rscsi in cdrtools 2.01 and earlier allows local users to overwrite arbitrary files and gain root privileges by specifying the target file as a command line argument, which is modified while rscsi is running with privileges. CVE-2003-0656 DESCRIPTION: eroaster before 2.2.0 allows local users to overwrite arbitrary files via a symlink attack on a temporary file that is used as a lockfile. CVE-2003-0657 DESCRIPTION: Multiple SQL injection vulnerabilities in the infolog module for phpgroupware 0.9.14 and earlier could allow remote attackers to conduct unauthorized database actions. CVE-2003-0658 DESCRIPTION: Docview before 1.1-18 in Caldera OpenLinux 3.1.1, SCO Linux 4.0, OpenServer 5.0.7, configures the Apache web server in a way that allows remote attackers to read arbitrary publicly readable files via a certain URL, possibly related to rewrite rules. CVE-2003-0659 DESCRIPTION: Buffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary code via long (1) LB_DIR messages to ListBox or (2) CB_DIR messages to ComboBox controls in a privileged application. CVE-2003-0660 DESCRIPTION: The Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers to execute arbitrary code without user approval. CVE-2003-0661 DESCRIPTION: The NetBT Name Service (NBNS) for NetBIOS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to a NBNS query, which could allow remote attackers to obtain sensitive information. CVE-2003-0662 DESCRIPTION: Buffer overflow in Troubleshooter ActiveX Control (Tshoot.ocx) in Microsoft Windows 2000 SP4 and earlier allows remote attackers to execute arbitrary code via an HTML document with a long argument to the RunQuery2 method. CVE-2003-0663 DESCRIPTION: Unknown vulnerability in the Local Security Authority Subsystem Service (LSASS) in Windows 2000 domain controllers allows remote attackers to cause a denial of service via a crafted LDAP message. CVE-2003-0664 DESCRIPTION: Microsoft Word 2002, 2000, 97, and 98(J) does not properly check certain properties of a document, which allows attackers to bypass the macro security model and automatically execute arbitrary macros via a malicious document. CVE-2003-0665 DESCRIPTION: Buffer overflow in the ActiveX control for Microsoft Access Snapshot Viewer for Access 97, 2000, and 2002 allows remote attackers to execute arbitrary code via long parameters to the control. CVE-2003-0666 DESCRIPTION: Buffer overflow in Microsoft Wordperfect Converter allows remote attackers to execute arbitrary code via modified data offset and data size parameters in a Corel WordPerfect file. CVE-2003-0667 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0668 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0669 DESCRIPTION: Unknown vulnerability in Solaris 2.6 through 9 causes a denial of service (system panic) via "a rare race condition" or an attack by local users. CVE-2003-0670 DESCRIPTION: Sustworks IPNetSentryX and IPNetMonitorX allow local users to sniff network packets via the setuid helper applications (1) RunTCPDump, which calls tcpdump, and (2) RunTCPFlow, which calls tcpflow. CVE-2003-0671 DESCRIPTION: Format string vulnerability in tcpflow, when used in a setuid context, allows local users to execute arbitrary code via the device name argument, as demonstrated in Sustworks IPNetSentryX and IPNetMonitorX the setuid program RunTCPFlow. CVE-2003-0672 DESCRIPTION: Format string vulnerability in pam-pgsql 0.5.2 and earlier allows remote attackers to execute arbitrary code via the username that isp rovided during authentication, which is not properly handled when recording a log message. CVE-2003-0676 DESCRIPTION: Directory traversal vulnerability in ViewLog for iPlanet Administration Server 5.1 (aka Sun ONE) allows remote attackers to read arbitrary files via "..%2f" (partially encoded dot dot) sequences. CVE-2003-0677 DESCRIPTION: Cisco CSS 11000 routers on the CS800 chassis allow remote attackers to cause a denial of service (CPU consumption or reboot) via a large number of TCP SYN packets to the circuit IP address, aka "ONDM Ping failure." CVE-2003-0678 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0679 DESCRIPTION: Unknown vulnerability in the libcpr library for the Checkpoint/Restart (cpr) system on SGI IRIX 6.5.21f and earlier allows local users to truncate or overwrite certain files. CVE-2003-0680 DESCRIPTION: Unknown vulnerability in NFS for SGI IRIX 6.5.21 and earlier may allow an NFS client to bypass read-only restrictions. CVE-2003-0681 DESCRIPTION: A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences. CVE-2003-0682 DESCRIPTION: "Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CVE-2003-0693 and CVE-2003-0695. CVE-2003-0683 DESCRIPTION: NFS in SGI 6.5.21m and 6.5.21f does not perform access checks in certain configurations when an /etc/exports entry uses wildcards without any hostnames or groups, which could allow attackers to bypass intended restrictions. CVE-2003-0684 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0685 DESCRIPTION: Buffer overflow in Netris 0.52 and earlier, and possibly other versions, allows remote malicious Netris servers to execute arbitrary code on netris clients via a long server response. CVE-2003-0686 DESCRIPTION: Buffer overflow in PAM SMB module (pam_smb) 1.1.6 and earlier, when authenticating to a remote service, allows remote attackers to execute arbitrary code. CVE-2003-0687 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate has been revoked by its Candidate Numbering Authority (CNA) because it was internally assigned to a problem that was not reachable (the affected routine was not used by the software). Notes: none. CVE-2003-0688 DESCRIPTION: The DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data. CVE-2003-0689 DESCRIPTION: The getgrouplist function in GNU libc (glibc) 2.2.4 and earlier allows attackers to cause a denial of service (segmentation fault) and execute arbitrary code when a user is a member of a large number of groups, which can cause a buffer overflow. CVE-2003-0690 DESCRIPTION: KDM in KDE 3.1.3 and earlier does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module. CVE-2003-0691 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not associated with any specific security issue. Notes: none. CVE-2003-0692 DESCRIPTION: KDM in KDE 3.1.3 and earlier uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies via brute force methods and gain access to the user session. CVE-2003-0693 DESCRIPTION: A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695. CVE-2003-0694 DESCRIPTION: The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c. CVE-2003-0695 DESCRIPTION: Multiple "buffer management errors" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CVE-2003-0693. CVE-2003-0696 DESCRIPTION: The getipnodebyname() API in AIX 5.1 and 5.2 does not properly close sockets, which allows attackers to cause a denial of service (resource exhaustion). CVE-2003-0697 DESCRIPTION: Format string vulnerability in lpd in the bos.rte.printers fileset for AIX 4.3 through 5.2, with debug enabled, allows local users to cause a denial of service (crash) or gain root privileges. CVE-2003-0698 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0743. Reason: This candidate is a duplicate of CVE-2003-0743. Notes: All CVE users should reference CVE-2003-0743 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2003-0699 DESCRIPTION: The C-Media PCI sound driver in Linux before 2.4.21 does not use the get_user function to access userspace, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CVE-2003-0700. CVE-2003-0700 DESCRIPTION: The C-Media PCI sound driver in Linux before 2.4.22 does not use the get_user function to access userspace in certain conditions, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CVE-2003-0699. CVE-2003-0701 DESCRIPTION: Buffer overflow in Internet Explorer 6 SP1 for certain languages that support double-byte encodings (e.g., Japanese) allows remote attackers to execute arbitrary code via the Type property of an Object tag, a variant of CVE-2003-0344. CVE-2003-0702 DESCRIPTION: Unknown vulnerability in an ISAPI plugin for ISS Server Sensor 7.0 XPU 20.16, 20.18, and possibly other versions before 20.19, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code in Internet Information Server (IIS) via a certain URL through SSL. CVE-2003-0703 DESCRIPTION: KisMAC before 0.05d trusts user-supplied variables to load arbitrary kernels or kernel modules, which allows local users to gain privileges via the $DRIVER_KEXT environment variable as used in (1) viha_driver.sh, (2) macjack_load.sh, or (3) airojack_load.sh, or (4) via "similar techniques" using exchangeKernel.sh. CVE-2003-0704 DESCRIPTION: KisMAC before 0.05d trusts user-supplied variables when chown'ing files or directories, which allows local users to gain privileges via the $DRIVER_KEXT environment variable in (1) viha_driver.sh, (2) macjack_load.sh, (3) airojack_load.sh, (4) setuid_enable.sh, (5) setuid_disable.sh, and using a "similar technique" for (6) viha_prep.sh and (7) viha_unprep.sh. CVE-2003-0705 DESCRIPTION: Buffer overflow in mah-jong 1.5.6 and earlier allows remote attackers to execute arbitrary code. CVE-2003-0706 DESCRIPTION: Unknown vulnerability in mah-jong 1.5.6 and earlier allows remote attackers to cause a denial of service (tight loop). CVE-2003-0707 DESCRIPTION: Buffer overflow in LinuxNode (node) before 0.3.2 allows remote attackers to execute arbitrary code. CVE-2003-0708 DESCRIPTION: Format string vulnerability in LinuxNode (node) before 0.3.2 may allow attackers to cause a denial of service or execute arbitrary code. CVE-2003-0709 DESCRIPTION: Buffer overflow in the whois client, which is not setuid but is sometimes called from within CGI programs, may allow remote attackers to execute arbitrary code via a long command line option. CVE-2003-0710 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0711 DESCRIPTION: Stack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL. CVE-2003-0712 DESCRIPTION: Cross-site scripting (XSS) vulnerability in the HTML encoding for the Compose New Message form in Microsoft Exchange Server 5.5 Outlook Web Access (OWA) allows remote attackers to execute arbitrary web script. CVE-2003-0713 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0714 DESCRIPTION: The Internet Mail Service in Exchange Server 5.5 and Exchange 2000 allows remote attackers to cause a denial of service (memory exhaustion) by directly connecting to the SMTP service and sending a certain extended verb request, possibly triggering a buffer overflow in Exchange 2000. CVE-2003-0715 DESCRIPTION: Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528. CVE-2003-0716 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0717 DESCRIPTION: The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack. CVE-2003-0718 DESCRIPTION: The WebDAV Message Handler for Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows remote attackers to cause a denial of service (memory and CPU exhaustion, application crash) via a PROPFIND request with an XML message containing XML elements with a large number of attributes. CVE-2003-0719 DESCRIPTION: Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. CVE-2003-0720 DESCRIPTION: Buffer overflow in PINE before 4.58 allows remote attackers to execute arbitrary code via a malformed message/external-body MIME type. CVE-2003-0721 DESCRIPTION: Integer signedness error in rfc2231_get_param from strings.c in PINE before 4.58 allows remote attackers to execute arbitrary code via an email that causes an out-of-bounds array access using a negative number. CVE-2003-0722 DESCRIPTION: The default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets. CVE-2003-0723 DESCRIPTION: Buffer overflow in gkrellmd for gkrellm 2.1.x before 2.1.14 may allow remote attackers to execute arbitrary code. CVE-2003-0724 DESCRIPTION: ssh on HP Tru64 UNIX 5.1B and 5.1A does not properly handle RSA signatures when digital certificates and RSA keys are used, which could allow local and remote attackers to gain privileges. CVE-2003-0725 DESCRIPTION: Buffer overflow in the RTSP protocol parser for the View Source plug-in (vsrcplin.so or vsrcplin3260.dll) for RealNetworks Helix Universal Server 9 and RealSystem Server 8, 7 and RealServer G2 allows remote attackers to execute arbitrary code. CVE-2003-0726 DESCRIPTION: RealOne player allows remote attackers to execute arbitrary script in the "My Computer" zone via a SMIL presentation with a URL that references a scripting protocol, which is executed in the security context of the previously loaded URL, as demonstrated using a "javascript:" URL in the area tag. CVE-2003-0727 DESCRIPTION: Multiple buffer overflows in the XML Database (XDB) functionality for Oracle 9i Database Release 2 allow local users to cause a denial of service or hijack user sessions. CVE-2003-0728 DESCRIPTION: Horde before 2.2.4 allows remote malicious web sites to steal session IDs and read or create arbitrary email by stealing the ID from a referrer URL. CVE-2003-0729 DESCRIPTION: Buffer overflow in Tellurian TftpdNT 1.8 allows remote attackers to execute arbitrary code via a TFTP request with a long filename. CVE-2003-0730 DESCRIPTION: Multiple integer overflows in the font libraries for XFree86 4.3.0 allow local or remote attackers to cause a denial of service or execute arbitrary code via heap-based and stack-based buffer overflow attacks. CVE-2003-0731 DESCRIPTION: CiscoWorks Common Management Foundation (CMF) 2.1 and earlier allows the guest user to gain administrative privileges via a certain POST request to com.cisco.nm.cmf.servlet.CsAuthServlet, possibly involving the "cmd" parameter with a modifyUser value and a modified "priviledges" parameter. CVE-2003-0732 DESCRIPTION: CiscoWorks Common Management Foundation (CMF) 2.1 and earlier allows the guest user to obtain restricted information and possibly gain administrative privileges by changing the "guest" user to the Admin user on the Modify or delete users pages. CVE-2003-0733 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in WebLogic Integration 7.0 and 2.0, Liquid Data 1.1, and WebLogic Server and Express 5.1 through 7.0, allow remote attackers to execute arbitrary web script and steal authentication credentials via (1) a forward instruction to the Servlet container or (2) other vulnerabilities in the WebLogic Server console application. CVE-2003-0734 DESCRIPTION: Unknown vulnerability in the pam_filter mechanism in pam_ldap before version 162, when LDAP based authentication is being used, allows users to bypass host-based access restrictions and log onto the system. CVE-2003-0735 DESCRIPTION: SQL injection vulnerability in the Calendar module of phpWebSite 0.9.x and earlier allows remote attackers to execute arbitrary SQL queries, as demonstrated using the year parameter. CVE-2003-0736 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in phpWebSite 0.9.x and earlier allow remote attackers to execute arbitrary web script via (1) the day parameter in the calendar module, (2) the fatcat_id parameter in the fatcat module, (3) the PAGE_id parameter in the pagemaster module, (4) the PDA_limit parameter in the search, and (5) possibly other parameters in the calendar, fatcat, and pagemaster modules. CVE-2003-0737 DESCRIPTION: The calendar module in phpWebSite 0.9.x and earlier allows remote attackers to obtain the full pathname of phpWebSite via an invalid year, which generates an error from localtime() in TimeZone.php of the Pear library. CVE-2003-0738 DESCRIPTION: The calendar module in phpWebSite 0.9.x and earlier allows remote attackers to cause a denial of service (crash) via a long year parameter. CVE-2003-0739 DESCRIPTION: VMware Workstation 4.0.1 for Linux, build 5289 and earlier, allows local users to delete arbitrary files via a symlink attack. CVE-2003-0740 DESCRIPTION: Stunnel 4.00, and 3.24 and earlier, leaks a privileged file descriptor returned by listen(), which allows local users to hijack the Stunnel server. CVE-2003-0741 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0742 DESCRIPTION: SCO Internet Manager (mana) allows local users to execute arbitrary programs by setting the REMOTE_ADDR environment variable to cause menu.mana to run as if it were called from ncsa_httpd, then modifying the PATH environment variable to point to a malicious "hostname" program. CVE-2003-0743 DESCRIPTION: Heap-based buffer overflow in smtp_in.c for Exim 3 (exim3) before 3.36 and Exim 4 (exim4) before 4.21 may allow remote attackers to execute arbitrary code via an invalid (1) HELO or (2) EHLO argument with a large number of spaces followed by a NULL character and a newline, which is not properly trimmed before the "(no argument given)" string is appended to the buffer. CVE-2003-0744 DESCRIPTION: The fetchnews NNTP client in leafnode 1.9.3 to 1.9.41 allows remote attackers to cause a denial of service (process hang and termination) via certain malformed Usenet news articles that cause fetchnews to hang while waiting for input. CVE-2003-0745 DESCRIPTION: SNMPc 6.0.8 and earlier performs authentication to the server on the client side, which allows remote attackers to gain privileges by decrypting the password that is returned by the server. CVE-2003-0746 DESCRIPTION: Various Distributed Computing Environment (DCE) implementations, including HP OpenView, allow remote attackers to cause a denial of service (process hang or termination) via certain malformed inputs, as triggered by attempted exploits against the vulnerabilities CVE-2003-0352 or CVE-2003-0605, such as the Blaster/MSblast/LovSAN worm. CVE-2003-0747 DESCRIPTION: wgate.dll in SAP Internet Transaction Server (ITS) 4620.2.0.323011 allows remote attackers to obtain potentially sensitive information such as directory structure and operating system via incorrect parameters (1) ~service, (2) ~templatelanguage, (3) ~language, (4) ~theme, or (5) ~template, which leaks the information in the resulting error message. CVE-2003-0748 DESCRIPTION: Directory traversal vulnerability in wgate.dll for SAP Internet Transaction Server (ITS) 4620.2.0.323011 allows remote attackers to read arbitrary files via ..\ (dot-dot backslash) sequences in the ~theme parameter and a ~template parameter with a filename followed by space characters, which can prevent SAP from effectively adding a .html extension to the filename. CVE-2003-0749 DESCRIPTION: Cross-site scripting (XSS) vulnerability in wgate.dll for SAP Internet Transaction Server (ITS) 4620.2.0.323011 allows remote attackers to insert arbitrary web script and steal cookies via the ~service parameter. CVE-2003-0750 DESCRIPTION: secure.php in PY-Membres 4.2 and earlier allows remote attackers to bypass authentication by setting the adminpy parameter. CVE-2003-0751 DESCRIPTION: SQL injection vulnerability in pass_done.php for PY-Membres 4.2 and earlier allows remote attackers to execute arbitrary SQL queries via the email parameter. CVE-2003-0752 DESCRIPTION: SQL injection vulnerability in global.php3 of AttilaPHP 3.0, and possibly earlier versions, allows remote attackers to bypass authentication via a modified cook_id parameter. CVE-2003-0753 DESCRIPTION: nphpd.php in newsPHP 216 and earlier allows remote attackers to read arbitrary files via a full pathname to the target file in the nphp_config[LangFile] parameter. CVE-2003-0754 DESCRIPTION: nphpd.php in newsPHP 216 and earlier allows remote attackers to bypass authentication via an HTTP request with a modified nphp_users array, which is used for authentication. CVE-2003-0755 DESCRIPTION: Buffer overflow in sys_cmd.c for gtkftpd 1.0.4 and earlier allows remote attackers to execute arbitrary code by creating long directory names and listing them with a LIST command. CVE-2003-0756 DESCRIPTION: Directory traversal vulnerability in sitebuilder.cgi in SiteBuilder 1.4 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the selectedpage parameter. CVE-2003-0757 DESCRIPTION: Check Point FireWall-1 4.0 and 4.1 before SP5 allows remote attackers to obtain the IP addresses of internal interfaces via certain SecuRemote requests to TCP ports 256 or 264, which leaks the IP addresses in a reply packet. CVE-2003-0758 DESCRIPTION: Buffer overflow in db2dart in IBM DB2 Universal Data Base 7.2 before Fixpak 10 allows local users to gain root privileges via a long command line argument. CVE-2003-0759 DESCRIPTION: Buffer overflow in db2licm in IBM DB2 Universal Data Base 7.2 before Fixpak 10a allows local users to gain root privileges via a long command line argument. CVE-2003-0760 DESCRIPTION: Blubster 2.5 allows remote attackers to cause a denial of service (crash) via a flood of connections to UDP port 701. CVE-2003-0761 DESCRIPTION: Buffer overflow in the get_msg_text of chan_sip.c in the Session Initiation Protocol (SIP) protocol implementation for Asterisk releases before August 15, 2003, allows remote attackers to execute arbitrary code via certain (1) MESSAGE or (2) INFO requests. CVE-2003-0762 DESCRIPTION: Buffer overflow in (1) foxweb.dll and (2) foxweb.exe of Foxweb 2.5 allows remote attackers to execute arbitrary code via a long URL (PATH_INFO value). CVE-2003-0763 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Escapade Scripting Engine (ESP) allows remote attackers to inject arbitrary script via the method parameter, as demonstrated using the PAGE parameter. CVE-2003-0764 DESCRIPTION: Escapade Scripting Engine (ESP) allows remote attackers to obtain sensitive path information via a malformed request, which leaks the information in an error message, as demonstrated using the PAGE parameter. CVE-2003-0765 DESCRIPTION: The IN_MIDI.DLL plugin 3.01 and earlier, as used in Winamp 2.91, allows remote attackers to execute arbitrary code via a MIDI file with a large "Track data size" value. CVE-2003-0766 DESCRIPTION: Multiple heap-based buffer overflows in FTP Desktop client 3.5, and possibly earlier versions, allow remote malicious servers to execute arbitrary code via (1) a long FTP banner, (2) a long response to a USER command, or (3) a long response to a PASS command. CVE-2003-0767 DESCRIPTION: Buffer overflow in RogerWilco graphical server 1.4.1.6 and earlier, dedicated server 0.32a and earlier for Windows, and 0.27 and earlier for Linux and BSD, allows remote attackers to cause a denial of service and execute arbitrary code via a client request with a large length value. CVE-2003-0768 DESCRIPTION: Microsoft ASP.Net 1.1 allows remote attackers to bypass the Cross-Site Scripting (XSS) and Script Injection protection feature via a null character in the beginning of a tag name. CVE-2003-0769 DESCRIPTION: Cross-site scripting (XSS) vulnerability in the ICQ Web Front guestbook (guestbook.html) allows remote attackers to insert arbitrary web script and HTML via the message field. CVE-2003-0770 DESCRIPTION: FUNC.pm in IkonBoard 3.1.2a and earlier, including 3.1.1, does not properly cleanse the "lang" cookie when it contains illegal characters, which allows remote attackers to execute arbitrary code when the cookie is inserted into a Perl "eval" statement. CVE-2003-0771 DESCRIPTION: Gallery.pm in Apache::Gallery (aka A::G) uses predictable temporary filenames when running Inline::C, which allows local users to execute arbitrary code by creating and modifying the files before Apache::Gallery does. CVE-2003-0772 DESCRIPTION: Multiple buffer overflows in WS_FTP 3 and 4 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via long (1) APPE (append) or (2) STAT (status) arguments. CVE-2003-0773 DESCRIPTION: saned in sane-backends 1.0.7 and earlier does not check the IP address of the connecting host during the SANE_NET_INIT RPC call, which allows remote attackers to use that call even if they are restricted in saned.conf. CVE-2003-0774 DESCRIPTION: saned in sane-backends 1.0.7 and earlier does not quickly handle connection drops, which allows remote attackers to cause a denial of service (segmentation fault) when invalid memory is accessed. CVE-2003-0775 DESCRIPTION: saned in sane-backends 1.0.7 and earlier calls malloc with an arbitrary size value if a connection is dropped before the size value has been sent, which allows remote attackers to cause a denial of service (memory consumption or crash). CVE-2003-0776 DESCRIPTION: saned in sane-backends 1.0.7 and earlier does not properly "check the validity of the RPC numbers it gets before getting the parameters," with unknown consequences. CVE-2003-0777 DESCRIPTION: saned in sane-backends 1.0.7 and earlier, when debug messages are enabled, does not properly handle dropped connections, which can prevent strings from being null terminated and cause a denial of service (segmentation fault). CVE-2003-0778 DESCRIPTION: saned in sane-backends 1.0.7 and earlier, and possibly later versions, does not properly allocate memory in certain cases, which could allow attackers to cause a denial of service (memory consumption). CVE-2003-0779 DESCRIPTION: SQL injection vulnerability in the Call Detail Record (CDR) logging functionality for Asterisk allows remote attackers to execute arbitrary SQL via a CallerID string. CVE-2003-0780 DESCRIPTION: Buffer overflow in get_salt_from_password from sql_acl.cc for MySQL 4.0.14 and earlier, and 3.23.x, allows attackers with ALTER TABLE privileges to execute arbitrary code via a long Password field. CVE-2003-0781 DESCRIPTION: Unknown vulnerability in ecartis before 1.0.0 does not properly validate user input, which allows attackers to obtain mailing list passwords. CVE-2003-0782 DESCRIPTION: Multiple buffer overflows in ecartis before 1.0.0 allow attackers to cause a denial of service and possibly execute arbitrary code. CVE-2003-0783 DESCRIPTION: Multiple buffer overflows in hztty 2.0 allow local users to gain root privileges. CVE-2003-0784 DESCRIPTION: Format string vulnerability in tsm for the bos.rte.security fileset on AIX 5.2 allows remote attackers to gain root privileges via login, and local users to gain privileges via login, su, or passwd, with a username that contains format string specifiers. CVE-2003-0785 DESCRIPTION: ipmasq before 3.5.12, in certain configurations, may forward packets to the external interface even if the packets are not associated with an established connection, which could allow remote attackers to bypass intended filtering. CVE-2003-0786 DESCRIPTION: The SSH1 PAM challenge response authentication in OpenSSH 3.7.1 and 3.7.1p1, when Privilege Separation is disabled, does not check the result of the authentication attempt, which can allow remote attackers to gain privileges. CVE-2003-0787 DESCRIPTION: The PAM conversation function in OpenSSH 3.7.1 and 3.7.1p1 interprets an array of structures as an array of pointers, which allows attackers to modify the stack and possibly gain privileges. CVE-2003-0788 DESCRIPTION: Unknown vulnerability in the Internet Printing Protocol (IPP) implementation in CUPS before 1.1.19 allows remote attackers to cause a denial of service (CPU consumption from a "busy loop") via certain inputs to the IPP port (TCP 631). CVE-2003-0789 DESCRIPTION: mod_cgid in Apache before 2.0.48, when using a threaded MPM, does not properly handle CGI redirect paths, which could cause Apache to send the output of a CGI program to the wrong client. CVE-2003-0790 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: the reported issue is not a vulnerability or exposure. Notes: This candidate was assigned to a "head-reading" bug in a component of fetchmail 6.2.4 and earlier, which was claimed to allow a denial of service. However, the bug is in a broken component of fetchmail that is not "reachable" by any execution path, so it cannot be triggered by any sort of attack and is not exploitable. CVE-2003-0791 DESCRIPTION: The Script.prototype.freeze/thaw functionality in Mozilla 1.4 and earlier allows attackers to execute native methods by modifying the string used as input to the script.thaw JavaScript function, which is then deserialized and executed. CVE-2003-0792 DESCRIPTION: Fetchmail 6.2.4 and earlier does not properly allocate memory for long lines, which allows remote attackers to cause a denial of service (crash) via a certain email. CVE-2003-0793 DESCRIPTION: GDM 2.4.4.x before 2.4.4.4, and 2.4.1.x before 2.4.1.7, does not restrict the size of input, which allows attackers to cause a denial of service (memory consumption). CVE-2003-0794 DESCRIPTION: GDM 2.4.4.x before 2.4.4.4, and 2.4.1.x before 2.4.1.7, does not limit the number or duration of commands and uses a blocking socket connection, which allows attackers to cause a denial of service (resource exhaustion) by sending commands and not reading the results. CVE-2003-0795 DESCRIPTION: The vty layer in Quagga before 0.96.4, and Zebra 0.93b and earlier, does not verify that sub-negotiation is taking place when processing the SE marker, which allows remote attackers to cause a denial of service (crash) via a malformed telnet command to the telnet CLI port, which may trigger a null dereference. CVE-2003-0796 DESCRIPTION: Unknown vulnerability in rpc.mountd SGI IRIX 6.5.18 through 6.5.22 allows remote attackers to mount from unprivileged ports even with the -n option disabled. CVE-2003-0797 DESCRIPTION: Unknown vulnerability in rpc.mountd in SGI IRIX 6.5 through 6.5.22 allows remote attackers to cause a denial of service (process death) via unknown attack vectors. CVE-2003-0798 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0799 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0800 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0801 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Nokia Electronic Documentation (NED) 5.0 allows remote attackers to execute arbitrary web script and steal cookies via a URL to the docs/ directory that contains the script. CVE-2003-0802 DESCRIPTION: Nokia Electronic Documentation (NED) 5.0 allows remote attackers to obtain a directory listing of the WebLogic web root, and the physical path of the NED server, via a "retrieve" action with a location parameter of . (dot). CVE-2003-0803 DESCRIPTION: Nokia Electronic Documentation (NED) 5.0 allows remote attackers to use NED as an open HTTP proxy via a URL in the location parameter, which NED accesses and returns to the user. CVE-2003-0804 DESCRIPTION: The arplookup function in FreeBSD 5.1 and earlier, Mac OS X before 10.2.8, and possibly other BSD-based systems, allows remote attackers on a local subnet to cause a denial of service (resource starvation and panic) via a flood of spoofed ARP requests. CVE-2003-0805 DESCRIPTION: Multiple buffer overflows in UMN gopher daemon (gopherd) 2.x and 3.x before 3.0.6 allows attackers to execute arbitrary code via (1) a long filename as a result of a LIST command, and (2) the GSisText function, which calculates the view-type. CVE-2003-0806 DESCRIPTION: Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code. CVE-2003-0807 DESCRIPTION: Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request. CVE-2003-0808 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0809 DESCRIPTION: Internet Explorer 5.01 through 6.0 does not properly handle object tags returned from a Web server during XML data binding, which allows remote attackers to execute arbitrary code via an HTML e-mail message or web page. CVE-2003-0810 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0811 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0812 DESCRIPTION: Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API. CVE-2003-0813 DESCRIPTION: A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities. CVE-2003-0814 DESCRIPTION: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. CVE-2003-0815 DESCRIPTION: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. CVE-2003-0816 DESCRIPTION: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. CVE-2003-0817 DESCRIPTION: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. CVE-2003-0818 DESCRIPTION: Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. CVE-2003-0819 DESCRIPTION: Buffer overflow in the H.323 filter of Microsoft Internet Security and Acceleration Server 2000 allows remote attackers to execute arbitrary code in the Microsoft Firewall Service via certain H.323 traffic, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. CVE-2003-0820 DESCRIPTION: Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. CVE-2003-0821 DESCRIPTION: Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model. CVE-2003-0822 DESCRIPTION: Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. CVE-2003-0823 DESCRIPTION: Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. CVE-2003-0824 DESCRIPTION: Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. CVE-2003-0825 DESCRIPTION: The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. CVE-2003-0826 DESCRIPTION: lsh daemon (lshd) does not properly return from certain functions in (1) read_line.c, (2) channel_commands.c, or (3) client_keyexchange.c when long input is provided, which could allow remote attackers to execute arbitrary code via a heap-based buffer overflow attack. CVE-2003-0827 DESCRIPTION: The DB2 Discovery Service for IBM DB2 before FixPak 10a allows remote attackers to cause a denial of service (crash) via a long packet to UDP port 523. CVE-2003-0828 DESCRIPTION: Buffer overflow in freesweep in Debian GNU/Linux 3.0 allows local users to gain "games" group privileges when processing environment variables. CVE-2003-0829 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0830 DESCRIPTION: Buffer overflow in marbles 1.0.2 and earlier allows local users to gain privileges via a long HOME environment variable. CVE-2003-0831 DESCRIPTION: ProFTPD 1.2.7 through 1.2.9rc2 does not properly translate newline characters when transferring files in ASCII mode, which allows remote attackers to execute arbitrary code via a buffer overflow using certain files. CVE-2003-0832 DESCRIPTION: Directory traversal vulnerability in webfs before 1.20 allows remote attackers to read arbitrary files via .. (dot dot) sequences in a Hostname header. CVE-2003-0833 DESCRIPTION: Stack-based buffer overflow in webfs before 1.20 allows attackers to execute arbitrary code by creating directories that result in a long pathname. CVE-2003-0834 DESCRIPTION: Buffer overflow in CDE libDtHelp library allows local users to execute arbitrary code via (1) a modified DTHELPUSERSEARCHPATH environment variable and the Help feature, (2) DTSEARCHPATH, or (3) LOGNAME. CVE-2003-0835 DESCRIPTION: Multiple buffer overflows in asf_http_request of MPlayer before 0.92 allows remote attackers to execute arbitrary code via an ASX header with a long hostname. CVE-2003-0836 DESCRIPTION: Stack-based buffer overflow in IBM DB2 Universal Data Base 7.2 before Fixpak 10 and 10a, and 8.1 before Fixpak 2, allows attackers with "Connect" privileges to execute arbitrary code via a LOAD command. CVE-2003-0837 DESCRIPTION: Stack-based buffer overflow in IBM DB2 Universal Data Base 7.2 for Windows, before Fixpak 10a, allows attackers with "Connect" privileges to execute arbitrary code via the INVOKE command. CVE-2003-0838 DESCRIPTION: Internet Explorer allows remote attackers to bypass zone restrictions to inject and execute arbitrary programs by creating a popup window and inserting ActiveX object code with a "data" tag pointing to the malicious code, which Internet Explorer treats as HTML or Javascript, but later executes as an HTA application, a different vulnerability than CVE-2003-0532, and as exploited using the QHosts Trojan horse (aka Trojan.Qhosts, QHosts-1, VBS.QHOSTS, or aolfix.exe). CVE-2003-0839 DESCRIPTION: Directory traversal vulnerability in the "Shell Folders" capability in Microsoft Windows Server 2003 allows remote attackers to read arbitrary files via .. (dot dot) sequences in a "shell:" link. CVE-2003-0840 DESCRIPTION: Buffer overflow in dtprintinfo on HP-UX 11.00, and possibly other operating systems, allows local users to gain root privileges via a long DISPLAY environment variable. CVE-2003-0841 DESCRIPTION: The grid option in PeopleSoft 8.42 stores temporary .xls files in guessable directories under the web document root, which allows remote attackers to steal search results by directly accessing the files via a URL request. CVE-2003-0842 DESCRIPTION: Stack-based buffer overflow in mod_gzip_printf for mod_gzip 1.3.26.1a and earlier, and possibly later official versions, when running in debug mode, allows remote attackers to execute arbitrary code via a long filename in a GET request with an "Accept-Encoding: gzip" header. CVE-2003-0843 DESCRIPTION: Format string vulnerability in mod_gzip_printf for mod_gzip 1.3.26.1a and earlier, and possibly later official versions, when running in debug mode and using the Apache log, allows remote attackers to execute arbitrary code via format string characters in an HTTP GET request with an "Accept-Encoding: gzip" header. CVE-2003-0844 DESCRIPTION: mod_gzip 1.3.26.1a and earlier, and possibly later official versions, when running in debug mode without the Apache log, allows local users to overwrite arbitrary files via (1) a symlink attack on predictable temporary filenames on Unix systems, or (2) an NTFS hard link on Windows systems when the "Strengthen default permissions of internal system objects" policy is not enabled. CVE-2003-0845 DESCRIPTION: Unknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 on Java 1.4.x platforms, when running in the default configuration, allows remote attackers to conduct unauthorized activities and possibly execute arbitrary code via certain SQL statements to (1) TCP port 1701 in JBoss 3.2.1, and (2) port 1476 in JBoss 3.0.8. CVE-2003-0846 DESCRIPTION: SuSEconfig.javarunt in the javarunt package on SuSE Linux 7.3Pro allows local users to overwrite arbitrary files via a symlink attack on the .java_wrapper temporary file. CVE-2003-0847 DESCRIPTION: SuSEconfig.susewm in the susewm package on SuSE Linux 8.2Pro allows local users to overwrite arbitrary files via a symlink attack on the susewm.$$ temporary file. CVE-2003-0848 DESCRIPTION: Heap-based buffer overflow in main.c of slocate 2.6, and possibly other versions, may allow local users to gain privileges via a modified slocate database that causes a negative "pathlen" value to be used. CVE-2003-0849 DESCRIPTION: Buffer overflow in net.c for cfengine 2.x before 2.0.8 allows remote attackers to execute arbitrary code via certain packets with modified length values, which is trusted by the ReceiveTransaction function when using a buffer provided by the BusyWithConnection function. CVE-2003-0850 DESCRIPTION: The TCP reassembly functionality in libnids before 1.18 allows remote attackers to cause "memory corruption" and possibly execute arbitrary code via "overlarge TCP packets." CVE-2003-0851 DESCRIPTION: OpenSSL 0.9.6k allows remote attackers to cause a denial of service (crash via large recursion) via malformed ASN.1 sequences. CVE-2003-0852 DESCRIPTION: Format string vulnerability in send_message.c for Sylpheed-claws 0.9.4 through 0.9.6 allows remote SMTP servers to cause a denial of service (crash) in sylpheed via format strings in an error message. CVE-2003-0853 DESCRIPTION: An integer overflow in ls in the fileutils or coreutils packages may allow local users to cause a denial of service or execute arbitrary code via a large -w value, which could be remotely exploited via applications that use ls, such as wu-ftpd. CVE-2003-0854 DESCRIPTION: ls in the fileutils or coreutils packages allows local users to consume a large amount of memory via a large -w value, which can be remotely exploited via applications that use ls, such as wu-ftpd. CVE-2003-0855 DESCRIPTION: Pan 0.13.3 and earlier allows remote attackers to cause a denial of service (crash) via a news post with a long author email address. CVE-2003-0856 DESCRIPTION: iproute 2.4.7 and earlier allows local users to cause a denial of service via spoofed messages as other users to the kernel netlink interface. CVE-2003-0857 DESCRIPTION: The (1) ipq_read and (2) ipulog_read functions in iptables allow local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface. CVE-2003-0858 DESCRIPTION: Zebra 0.93b and earlier, and quagga before 0.95, allows local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface. CVE-2003-0859 DESCRIPTION: The getifaddrs function in GNU libc (glibc) 2.2.4 and earlier allows local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface. CVE-2003-0860 DESCRIPTION: Buffer overflows in PHP before 4.3.3 have unknown impact and unknown attack vectors. CVE-2003-0861 DESCRIPTION: Integer overflows in (1) base64_encode and (2) the GD library for PHP before 4.3.3 have unknown impact and unknown attack vectors. CVE-2003-0862 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0813. Reason: This candidate is a duplicate of CVE-2003-0813. Notes: All CVE users should reference CVE-2003-0813 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2003-0863 DESCRIPTION: The php_check_safe_mode_include_dir function in fopen_wrappers.c of PHP 4.3.x returns a success value (0) when the safe_mode_include_dir variable is not specified in configuration, which differs from the previous failure value and may allow remote attackers to exploit file include vulnerabilities in PHP applications. CVE-2003-0864 DESCRIPTION: Buffer overflow in m_join in channel.c for IRCnet IRCD 2.10.x to 2.10.3p3 allows remote attackers to cause a denial of service. CVE-2003-0865 DESCRIPTION: Heap-based buffer overflow in readstring of httpget.c for mpg123 0.59r and 0.59s allows remote attackers to execute arbitrary code via a long request. CVE-2003-0866 DESCRIPTION: The Catalina org.apache.catalina.connector.http package in Tomcat 4.0.x up to 4.0.3 allows remote attackers to cause a denial of service via several requests that do not follow the HTTP protocol, which causes Tomcat to reject later requests. CVE-2003-0867 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0662. Reason: This candidate is a duplicate of CVE-2003-0662. Notes: All CVE users should reference CVE-2003-0662 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2003-0868 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0869 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0870 DESCRIPTION: Heap-based buffer overflow in Opera 7.11 and 7.20 allows remote attackers to execute arbitrary code via an HREF with a large number of escaped characters in the server name. CVE-2003-0871 DESCRIPTION: Unknown vulnerability in QuickTime Java in Mac OS X v10.3 and Mac OS X Server 10.3 allows attackers to gain "unauthorized access to a system." CVE-2003-0872 DESCRIPTION: Certain scripts in OpenServer before 5.0.6 allow local users to overwrite files and conduct other unauthorized activities via a symlink attack on temporary files. CVE-2003-0873 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0874 DESCRIPTION: Multiple SQL injection vulnerabilities in DeskPRO 1.1.0 and earlier allow remote attackers to insert arbitrary SQL and conduct unauthorized activities via (1) the cat parameter in faq.php, (2) the article parameter in faq.php, (3) the tickedid parameter in view.php, and (4) the Password entry on the logon screen. CVE-2003-0875 DESCRIPTION: Symbolic link vulnerability in the slpd script slpd.all_init for OpenSLP before 1.0.11 allows local users to overwrite arbitrary files via the route.check temporary file. CVE-2003-0876 DESCRIPTION: Finder in Mac OS X 10.2.8 and earlier sets global read/write/execute permissions on directories when they are dragged (copied) from a mounted volume such as a disk image (DMG), which could cause the directories to have less restrictive permissions than intended. CVE-2003-0877 DESCRIPTION: Mac OS X before 10.3 with core files enabled allows local users to overwrite arbitrary files and read core files via a symlink attack on core files that are created with predictable names in the /cores directory. CVE-2003-0878 DESCRIPTION: slpd daemon in Mac OS X before 10.3 allows local users to overwrite arbitrary files via a symlink attack on a temporary file, a different vulnerability than CVE-2003-0875. CVE-2003-0879 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0518. Reason: This candidate is a reservation duplicate of CVE-2003-0518. Notes: All CVE users should reference CVE-2003-0518 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2003-0880 DESCRIPTION: Unknown vulnerability in Mac OS X before 10.3 allows local users to access Dock functions from behind Screen Effects when Full Keyboard Access is enabled using the Keyboard pane in System Preferences. CVE-2003-0881 DESCRIPTION: Mail in Mac OS X before 10.3, when configured to use MD5 Challenge Response, uses plaintext authentication if the CRAM-MD5 hashed login fails, which could allow remote attackers to gain privileges by sniffing the password. CVE-2003-0882 DESCRIPTION: Mac OS X before 10.3 initializes the TCP timestamp with a constant number, which allows remote attackers to determine the system's uptime via the ID field in a TCP packet. CVE-2003-0883 DESCRIPTION: The System Preferences capability in Mac OS X before 10.3 allows local users to access secure Preference Panes for a short period after an administrator has authenticated to the system. CVE-2003-0884 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0885 DESCRIPTION: Xscreensaver 4.14 contains certain debugging code that should have been omitted, which causes Xscreensaver to create temporary files insecurely in the (1) apple2, (2) xanalogtv, and (3) pong screensavers, and allows local users to overwrite arbitrary files via a symlink attack. CVE-2003-0886 DESCRIPTION: Format string vulnerability in hfaxd for Hylafax 4.1.7 and earlier allows remote attackers to execute arbitrary code. CVE-2003-0887 DESCRIPTION: ez-ipupdate 3.0.11b7 and earlier creates insecure temporary cache files, which allows local users to conduct unauthorized operations via a symlink attack on the ez-ipupdate.cache file. CVE-2003-0888 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0889 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0890 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0891 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0892 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0893 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0894 DESCRIPTION: Buffer overflow in the (1) oracle and (2) oracleO programs in Oracle 9i Database 9.0.x and 9.2.x before 9.2.0.4 allows local users to execute arbitrary code via a long command line argument. CVE-2003-0895 DESCRIPTION: Buffer overflow in the Mac OS X kernel 10.2.8 and earlier allows local users, and possibly remote attackers, to cause a denial of service (crash), access portions of memory, and possibly execute arbitrary code via a long command line argument (argv[]). CVE-2003-0896 DESCRIPTION: The loadClass method of the sun.applet.AppletClassLoader class in the Java Virtual Machine (JVM) in Sun SDK and JRE 1.4.1_03 and earlier allows remote attackers to bypass sandbox restrictions and execute arbitrary code via a loaded class name that contains "/" (slash) instead of "." (dot) characters, which bypasses a call to the Security Manager's checkPackageAccess method. CVE-2003-0897 DESCRIPTION: "Shatter" vulnerability in CommCtl32.dll in Windows XP may allow local users to execute arbitrary code by sending (1) BCM_GETTEXTMARGIN or (2) BCM_SETTEXTMARGIN button control messages to privileged applications. CVE-2003-0898 DESCRIPTION: IBM DB2 7.2 before FixPak 10a, and earlier versions including 7.1, allows local users to overwrite arbitrary files and gain privileges via a symlink attack on (1) db2job and (2) db2job2. CVE-2003-0899 DESCRIPTION: Buffer overflow in defang in libhttpd.c for thttpd 2.21 to 2.23b1 allows remote attackers to execute arbitrary code via requests that contain '<' or '>' characters, which trigger the overflow when the characters are expanded to "<" and ">" sequences. CVE-2003-0900 DESCRIPTION: Perl 5.8.1 on Fedora Core does not properly initialize the random number generator when forking, which makes it easier for attackers to predict random numbers. CVE-2003-0901 DESCRIPTION: Buffer overflow in to_ascii for PostgreSQL 7.2.x, and 7.3.x before 7.3.4, allows remote attackers to execute arbitrary code. CVE-2003-0902 DESCRIPTION: Unknown vulnerability in minimalist mailing list manager 2.4, 2.2, and possibly other versions, allows remote attackers to execute arbitrary commands. CVE-2003-0903 DESCRIPTION: Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. CVE-2003-0904 DESCRIPTION: Microsoft Exchange 2003 and Outlook Web Access (OWA), when configured to use NTLM authentication, does not properly reuse HTTP connections, which can cause OWA users to view mailboxes of other users when Kerberos has been disabled as an authentication method for IIS 6.0, e.g. when SharePoint Services 2.0 is installed. CVE-2003-0905 DESCRIPTION: Unknown vulnerability in Windows Media Station Service and Windows Media Monitor Service components of Windows Media Services 4.1 allows remote attackers to cause a denial of service (disallowing new connections) via a certain sequence of TCP/IP packets. CVE-2003-0906 DESCRIPTION: Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image. CVE-2003-0907 DESCRIPTION: Help and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe. CVE-2003-0908 DESCRIPTION: The Utility Manager in Microsoft Windows 2000 executes winhlp32.exe with system privileges, which allows local users to execute arbitrary code via a "Shatter" style attack using a Windows message that accesses the context sensitive help button in the GUI, as demonstrated using the File Open dialog in the Help window, a different vulnerability than CVE-2004-0213. CVE-2003-0909 DESCRIPTION: Windows XP allows local users to execute arbitrary programs by creating a task at an elevated privilege level through the eventtriggers.exe command-line tool or the Task Scheduler service, aka "Windows Management Vulnerability." CVE-2003-0910 DESCRIPTION: The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory. CVE-2003-0911 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0912 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0913 DESCRIPTION: Unknown vulnerability in the Terminal application for Mac OS X 10.3 (Client and Server) may allow "unauthorized access." CVE-2003-0914 DESCRIPTION: ISC BIND 8.3.x before 8.3.7, and 8.4.x before 8.4.3, allows remote attackers to poison the cache via a malicious name server that returns negative responses with a large TTL (time-to-live) value. CVE-2003-0915 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0916 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0917 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0918 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0919 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0920 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0921 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0922 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0923 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0924 DESCRIPTION: netpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. CVE-2003-0925 DESCRIPTION: Buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed GTP MSISDN string. CVE-2003-0926 DESCRIPTION: Ethereal 0.9.15 and earlier, and Tethereal, allows remote attackers to cause a denial of service (crash) via certain malformed (1) ISAKMP or (2) MEGACO packets. CVE-2003-0927 DESCRIPTION: Heap-based buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the SOCKS dissector. CVE-2003-0928 DESCRIPTION: Clearswift MAILsweeper before 4.3.15 does not properly detect and filter RAR 3.20 encoded files, which allows remote attackers to bypass intended policy. CVE-2003-0929 DESCRIPTION: Clearswift MAILsweeper before 4.3.15 does not properly detect and filter ZIP 6.0 encoded files, which allows remote attackers to bypass intended policy. CVE-2003-0930 DESCRIPTION: Clearswift MAILsweeper before 4.3.15 does not properly detect filenames in BinHex (HQX) encoded files, which allows remote attackers to bypass intended policy. CVE-2003-0931 DESCRIPTION: Sygate Enforcer 4.0 earlier allows remote attackers to cause a denial of service (service hang) by replaying a malformed discovery packet to UDP port 39999. CVE-2003-0932 DESCRIPTION: Buffer overflow in omega-rpg 0.90 allows local users to execute arbitrary code via a long (1) command line or (2) environment variable. CVE-2003-0933 DESCRIPTION: Buffer overflow in conquest 7.2 and earlier may allow a local user to execute arbitrary code via a long environment variable. CVE-2003-0934 DESCRIPTION: Symbol Access Portable Data Terminal (PDT) 8100 does not hide the default WEP keys if they are not changed, which could allow attackers to retrieve the keys and gain access to the wireless network. CVE-2003-0935 DESCRIPTION: Net-SNMP before 5.0.9 allows a user or community to access data in MIB objects, even if that data is not allowed to be viewed. CVE-2003-0936 DESCRIPTION: Symantec PCAnywhere 10.x and 11, when started as a service, allows attackers to gain SYSTEM privileges via the help interface using AWHOST32.exe. CVE-2003-0937 DESCRIPTION: SCO UnixWare 7.1.1, 7.1.3, and Open UNIX 8.0.0 allows local users to bypass protections for the "as" address space file for a process ID (PID) by obtaining a procfs file descriptor for the file and calling execve() on a setuid or setgid program, which leaves the descriptor open to the user. CVE-2003-0938 DESCRIPTION: vos24u.c in SAP database server (SAP DB) 7.4.03.27 and earlier allows local users to gain SYSTEM privileges via a malicious "NETAPI32.DLL" in the current working directory, which is found and loaded by SAP DB before the real DLL, as demonstrated using the SQLAT stored procedure. CVE-2003-0939 DESCRIPTION: eo420_GetStringFromVarPart in veo420.c for SAP database server (SAP DB) 7.4.03.27 and earlier may allow remote attackers to execute arbitrary code via a connect packet with a 256 byte segment to the niserver (aka serv.exe) process on TCP port 7269, which prevents the server from NULL terminating the string and leads to a buffer overflow. CVE-2003-0940 DESCRIPTION: Directory traversal vulnerability in sqlfopenc for web-tools in SAP DB before 7.4.03.30 allows remote attackers to read arbitrary files via .. (dot dot) sequences in a URL. CVE-2003-0941 DESCRIPTION: web-tools in SAP DB before 7.4.03.30 allows remote attackers to access the Web Agent Administration pages and modify configuration via a direct request to waadmin.wa. CVE-2003-0942 DESCRIPTION: Buffer overflow in Web Agent Administration service in web-tools for SAP DB before 7.4.03.30 allows remote attackers to execute arbitrary code via a long Name parameter to waadmin.wa. CVE-2003-0943 DESCRIPTION: web-tools in SAP DB before 7.4.03.30 installs several services that are enabled by default, which could allow remote attackers to obtain potentially sensitive information or redirect attacks against internal databases via (1) waecho, (2) Web SQL Interface (websql), or (3) Web Database Manager (webdbm). CVE-2003-0944 DESCRIPTION: Buffer overflow in the WAECHO default service in web-tools in SAP DB before 7.4.03.30 allows remote attackers to execute arbitrary code via a URL with a long requestURI. CVE-2003-0945 DESCRIPTION: The Web Database Manager in web-tools for SAP DB before 7.4.03.30 generates predictable session IDs, which allows remote attackers to conduct unauthorized activities. CVE-2003-0946 DESCRIPTION: Format string vulnerability in clamav-milter for Clam AntiVirus 0.60 through 0.60p, and other versions before 0.65, allows remote attackers to cause a denial of service and possibly execute arbitrary code via format string specifiers in the email address argument of a "MAIL FROM" command. CVE-2003-0947 DESCRIPTION: Buffer overflow in iwconfig, when installed setuid, allows local users to execute arbitrary code via a long OUT environment variable. CVE-2003-0948 DESCRIPTION: Buffer overflow in iwconfig allows local users to execute arbitrary code via a long HOME environment variable. CVE-2003-0949 DESCRIPTION: xsok 1.02 does not properly drop privileges before finding and executing the "gunzip" program, which allows local users to execute arbitrary commands. CVE-2003-0950 DESCRIPTION: PeopleSoft PeopleTools 8.1x, 8.2x, and 8.4x allows remote attackers to execute arbitrary commands by uploading a file to the IClient Servlet, guessing the insufficiently random (system time) name of the directory used to store the file, and directly requesting that file. CVE-2003-0951 DESCRIPTION: Partition Manager (parmgr) in HP-UX B.11.23 does not properly validate certificates that are provided by the cimserver, which allows attackers to obtain sensitive data or gain privileges. CVE-2003-0952 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0953 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-0954 DESCRIPTION: Buffer overflow in rcp for AIX 4.3.3, 5.1 and 5.2 allows local users to gain privileges. CVE-2003-0955 DESCRIPTION: OpenBSD kernel 3.3 and 3.4 allows local users to cause a denial of service (kernel panic) and possibly execute arbitrary code in 3.4 via a program with an invalid header that is not properly handled by (1) ibcs2_exec.c in the iBCS2 emulation (compat_ibcs2) or (2) exec_elf.c, which leads to a stack-based buffer overflow. CVE-2003-0956 DESCRIPTION: Multiple race conditions in the handling of O_DIRECT in Linux kernel prior to version 2.4.22 could cause stale data to be returned from the disk when handling sparse files, or cause incorrect data to be returned when a file is truncated as it is being read, which might allow local users to obtain sensitive data that was originally owned by other users, a different vulnerability than CVE-2003-0018. CVE-2003-0957 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0958 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-0959 DESCRIPTION: Multiple integer overflows in the 32bit emulation for AMD64 architectures in Linux 2.4 kernel before 2.4.21 allows attackers to cause a denial of service or gain root privileges via unspecified vectors that trigger copy_from_user function calls with improper length arguments. CVE-2003-0960 DESCRIPTION: OpenCA before 0.9.1.4 does not use the correct certificate in a chain to check the serial, which could cause OpenCA to accept revoked or expired certificates. CVE-2003-0961 DESCRIPTION: Integer overflow in the do_brk function for the brk system call in Linux kernel 2.4.22 and earlier allows local users to gain root privileges. CVE-2003-0962 DESCRIPTION: Heap-based buffer overflow in rsync before 2.5.7, when running in server mode, allows remote attackers to execute arbitrary code and possibly escape the chroot jail. CVE-2003-0963 DESCRIPTION: Buffer overflows in (1) try_netscape_proxy and (2) try_squid_eplf for lftp 2.6.9 and earlier allow remote HTTP servers to execute arbitrary code via long directory names that are processed by the ls or rels commands. CVE-2003-0964 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: N/A. Notes: none. CVE-2003-0965 DESCRIPTION: Cross-site scripting (XSS) vulnerability in the admin CGI script for Mailman before 2.1.4 allows remote attackers to steal session cookies and conduct unauthorized activities. CVE-2003-0966 DESCRIPTION: Buffer overflow in the frm command in elm 2.5.6 and earlier, and possibly later versions, allows remote attackers to execute arbitrary code via a long Subject line. CVE-2003-0967 DESCRIPTION: rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a denial of service (crash) via a short RADIUS string attribute with a tag, which causes memcpy to be called with a -1 length argument, as demonstrated using the Tunnel-Password attribute. CVE-2003-0968 DESCRIPTION: Stack-based buffer overflow in SMB_Logon_Server of the rlm_smb experimental module for FreeRADIUS 0.9.3 and earlier allows remote attackers to execute arbitrary code via a long User-Password attribute. CVE-2003-0969 DESCRIPTION: mpg321 0.2.10 allows remote attackers to overwrite memory and possibly execute arbitrary code via an mp3 file that passes certain strings to the printf function, possibly triggering a format string vulnerability. CVE-2003-0970 DESCRIPTION: The Network Management Port on Sun Fire B1600 systems allows remote attackers to cause a denial of service (packet loss) via ARP packets, which cause all ports to become temporarily disabled. CVE-2003-0971 DESCRIPTION: GnuPG (GPG) 1.0.2, and other versions up to 1.2.3, creates ElGamal type 20 (sign+encrypt) keys using the same key component for encryption as for signing, which allows attackers to determine the private key from a signature. CVE-2003-0972 DESCRIPTION: Integer signedness error in ansi.c for GNU screen 4.0.1 and earlier, and 3.9.15 and earlier, allows local users to execute arbitrary code via a large number of ";" (semicolon) characters in escape sequences, which leads to a buffer overflow. CVE-2003-0973 DESCRIPTION: Unknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string. CVE-2003-0974 DESCRIPTION: Applied Watch Command Center allows remote attackers to conduct unauthorized activities without authentication, such as (1) add new users to a console, as demonstrated using appliedsnatch.c, or (2) add spurious IDS rules to sensors, as demonstrated using addrule.c. CVE-2003-0975 DESCRIPTION: Apple Safari 1.0 through 1.1 on Mac OS X 10.3.1 and Mac OS X 10.2.8 allows remote attackers to steal user cookies from another domain via a link with a hex-encoded null character (%00) followed by the target domain. CVE-2003-0976 DESCRIPTION: NFS Server (XNFS.NLM) for Novell NetWare 6.5 does not properly enforce sys:\etc\exports when hostname aliases from sys:etc\hosts file are used, which could allow users to mount file systems when XNFS should deny the host. CVE-2003-0977 DESCRIPTION: CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests. CVE-2003-0978 DESCRIPTION: Format string vulnerability in gpgkeys_hkp (experimental HKP interface) for the GnuPG (gpg) client 1.2.3 and earlier, and 1.3.3 and earlier, allows remote attackers or a malicious keyserver to cause a denial of service (crash) and possibly execute arbitrary code during key retrieval. CVE-2003-0979 DESCRIPTION: FreeScripts VisitorBook LE (visitorbook.pl) does not properly escape line breaks in input, which allows remote attackers to (1) use VisitorBook as an open mail relay, when $mailuser is 1, via extra headers in the email field, or (2) cause the guestbook database to be deleted via a large number of line breaks that exceeds the $max_posts variable. CVE-2003-0980 DESCRIPTION: Cross-site scripting (XSS) vulnerability in FreeScripts VisitorBook LE (visitorbook.pl) allows remote attackers to inject arbitrary HTML or web script via (1) the "do" parameter, (2) via the "user" parameter from a host with a malicious reverse DNS name, (3) via quote marks or ampersands in other parameters. CVE-2003-0981 DESCRIPTION: FreeScripts VisitorBook LE (visitorbook.pl) logs the reverse DNS name of a visiting host, which allows remote attackers to spoof the origin of their incoming requests and facilitate cross-site scripting (XSS) attacks. CVE-2003-0982 DESCRIPTION: Buffer overflow in the authentication module for Cisco ACNS 4.x before 4.2.11, and 5.x before 5.0.5, allows remote attackers to execute arbitrary code via a long password. CVE-2003-0983 DESCRIPTION: Cisco Unity on IBM servers is shipped with default settings that should have been disabled by the manufacturer, which allows local or remote attackers to conduct unauthorized activities via (1) a "bubba" local user account, (2) an open TCP port 34571, or (3) when a local DHCP server is unavailable, a DHCP server on the manufacturer's test network. CVE-2003-0984 DESCRIPTION: Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space. CVE-2003-0985 DESCRIPTION: The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077. CVE-2003-0986 DESCRIPTION: Various routines for the ppc64 architecture on Linux kernel 2.6 prior to 2.6.2 and 2.4 prior to 2.4.24 do not use the copy_from_user function when copying data from userspace to kernelspace, which crosses security boundaries and allows local users to cause a denial of service. CVE-2003-0987 DESCRIPTION: mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret. CVE-2003-0988 DESCRIPTION: Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file. CVE-2003-0989 DESCRIPTION: tcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057. CVE-2003-0990 DESCRIPTION: The parseAddress code in (1) SquirrelMail 1.4.0 and (2) GPG Plugin 1.1 allows remote attackers to execute commands via shell metacharacters in the "To:" field. CVE-2003-0991 DESCRIPTION: Unknown vulnerability in the mail command handler in Mailman before 2.0.14 allows remote attackers to cause a denial of service (crash) via malformed e-mail commands. CVE-2003-0992 DESCRIPTION: Cross-site scripting (XSS) vulnerability in the create CGI script for Mailman before 2.1.3 allows remote attackers to steal cookies of other users. CVE-2003-0993 DESCRIPTION: mod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions. CVE-2003-0994 DESCRIPTION: The GUI functionality for an interactive session in Symantec LiveUpdate 1.70.x through 1.90.x, as used in Norton Internet Security 2001 through 2004, SystemWorks 2001 through 2004, and AntiVirus and Norton AntiVirus Pro 2001 through 2004, AntiVirus for Handhelds v3.0, allows local users to gain SYSTEM privileges. CVE-2003-0995 DESCRIPTION: Buffer overflow in the Microsoft Message Queue Manager (MSQM) allows remote attackers to cause a denial of service (RPC service crash) via a queue registration request. CVE-2003-0996 DESCRIPTION: Unknown "System Security Vulnerability" in Computer Associates (CA) Unicenter Remote Control (URC) 6.0 allows attackers to gain privileges via the help interface. CVE-2003-0997 DESCRIPTION: Unknown "Denial of Service Attack" vulnerability in Computer Associates (CA) Unicenter Remote Control (URC) 6.0 allows attackers to cause a denial of service (CPU consumption in URC host service). CVE-2003-0998 DESCRIPTION: Unknown "potential system security vulnerability" in Computer Associates (CA) Unicenter Remote Control 5.0 through 5.2, and ControlIT 5.0 and 5.1, may allow attackers to gain privileges to the local system account. CVE-2003-0999 DESCRIPTION: Unknown multiple vulnerabilities in (1) lpstat and (2) the libprint library in Solaris 2.6 through 9 may allow attackers to execute arbitrary code or read or write arbitrary files. CVE-2003-1000 DESCRIPTION: xchat 2.0.6 allows remote attackers to cause a denial of service (crash) via a passive DCC request with an invalid ID number, which causes a null dereference. CVE-2003-1001 DESCRIPTION: Buffer overflow in the Cisco Firewall Services Module (FWSM) in Cisco Catalyst 6500 and 7600 series devices allows remote attackers to cause a denial of service (crash and reload) via HTTP auth requests for (1) TACACS+ or (2) RADIUS authentication. CVE-2003-1002 DESCRIPTION: Cisco Firewall Services Module (FWSM) in Cisco Catalyst 6500 and 7600 series devices allows remote attackers to cause a denial of service (crash and reload) via an SNMPv3 message when snmp-server is set. CVE-2003-1003 DESCRIPTION: Cisco PIX firewall 5.x.x, and 6.3.1 and earlier, allows remote attackers to cause a denial of service (crash and reload) via an SNMPv3 message when snmp-server is set. CVE-2003-1004 DESCRIPTION: Cisco PIX firewall 6.2.x through 6.2.3, when configured as a VPN Client, allows remote attackers to cause a denial of service (dropped IPSec tunnel connection) via an IKE Phase I negotiation request to the outside interface of the firewall. CVE-2003-1005 DESCRIPTION: The PKI functionality in Mac OS X 10.2.8 and 10.3.2 allows remote attackers to cause a denial of service (service crash) via malformed ASN.1 sequences. CVE-2003-1006 DESCRIPTION: Buffer overflow in cd9660.util in Apple Mac OS X 10.0 through 10.3.2 and Apple Mac OS X Server 10.0 through 10.3.2 may allow local users to execute arbitrary code via a long command line parameter. CVE-2003-1007 DESCRIPTION: AppleFileServer (AFS) in Apple Mac OS X 10.2.8 and 10.3.2 does not properly handle certain malformed requests, with unknown impact. CVE-2003-1008 DESCRIPTION: Unknown vulnerability in Mac OS X 10.2.8 and 10.3.2 allows local users to bypass the screen saver login window and write a text clipping to the desktop or another application. CVE-2003-1009 DESCRIPTION: Directory Services in Apple Mac OS X 10.0.2, 10.0.3, 10.2.8, 10.3.2 and Apple Mac OS X Server 10.2 through 10.3.2 accepts authentication server information from unknown LDAP or NetInfo sources as provided by a malicious DHCP server, which allows remote attackers to gain privileges. CVE-2003-1010 DESCRIPTION: Unknown vulnerability in fs_usage in Mac OS X 10.2.8 and 10.3.2 and Mac OS X Server 10.2.8 and 10.3.2 allows local users to gain privileges via unknown attack vectors. CVE-2003-1011 DESCRIPTION: Apple Mac OS X 10.0 through 10.2.8 allows local users with a USB keyboard to gain unauthorized access by holding down the CTRL and C keys when the system is booting, which crashes the init process and leaves the user in a root shell. CVE-2003-1012 DESCRIPTION: The SMB dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service via a malformed SMB packet that triggers a segmentation fault during processing of Selected packets. CVE-2003-1013 DESCRIPTION: The Q.931 dissector in Ethereal before 0.10.0, and Tethereal, allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference. CVE-2003-1014 DESCRIPTION: Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use multiple MIME fields with the same name, which may be interpreted differently by mail clients. CVE-2003-1015 DESCRIPTION: Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use whitespace in an unusual fashion, which may be interpreted differently by mail clients. CVE-2003-1016 DESCRIPTION: Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use malformed quoting in MIME headers, parameters, and values, including (1) fields that should not be quoted, (2) duplicate quotes, or (3) missing leading or trailing quote characters, which may be interpreted differently by mail clients. CVE-2003-1017 DESCRIPTION: Macromedia Flash Player before 7,0,19,0 stores a Flash data file in a predictable location that is accessible to web browsers such as Internet Explorer and Opera, which allows remote attackers to read restricted files via vulnerabilities in web browsers whose exploits rely on predictable names. CVE-2003-1018 DESCRIPTION: Format string vulnerability in enq command in AIX 4.3, 5.1, and 5.2 allows local users with rintq group privileges to gain privileges via unknown attack vectors. CVE-2003-1019 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-1020 DESCRIPTION: The format_send_to_gui function in formats.c for irssi before 0.8.9 allows remote IRC users to cause a denial of service (crash). CVE-2003-1021 DESCRIPTION: The scosession program in OpenServer 5.0.6 and 5.0.7 allows local users to gain privileges via crafted strings on the commandline. CVE-2003-1022 DESCRIPTION: Directory traversal vulnerability in fsp before 2.81.b18 allows remote users to access files outside the FSP root directory. CVE-2003-1023 DESCRIPTION: Stack-based buffer overflow in vfs_s_resolve_symlink of vfs/direntry.c for Midnight Commander (mc) 4.6.0 and earlier, and possibly later versions, allows remote attackers to execute arbitrary code during symlink conversion. CVE-2003-1024 DESCRIPTION: Unknown vulnerability in the ls-F builtin function in tcsh on Solaris 8 allows local users to create or delete files as other users, and gain privileges. CVE-2003-1025 DESCRIPTION: Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." CVE-2003-1026 DESCRIPTION: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." CVE-2003-1027 DESCRIPTION: Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." CVE-2003-1028 DESCRIPTION: The download function of Internet Explorer 6 SP1 allows remote attackers to obtain the cache directory name via an HTTP response with an invalid ContentType and a .htm file, which could allow remote attackers to bypass security mechanisms that rely on random names, as demonstrated by threadid10008. CVE-2003-1029 DESCRIPTION: The L2TP protocol parser in tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (infinite loop and memory consumption) via a packet with invalid data to UDP port 1701, which causes l2tp_avp_print to use a bad length value when calling print_octets. CVE-2003-1030 DESCRIPTION: Buffer overflow in DameWare Mini Remote Control before 3.73 allows remote attackers to execute arbitrary code via a long pre-authentication request to TCP port 6129. CVE-2003-1031 DESCRIPTION: Cross-site scripting (XSS) vulnerability in register.php for vBulletin 3.0 Beta 2 allows remote attackers to inject arbitrary HTML or web script via optional fields such as (1) "Interests-Hobbies", (2) "Biography", or (3) "Occupation." CVE-2003-1032 DESCRIPTION: Pi3Web web server 2.0.2 Beta 1, when the Directory Index is configured to use the "Name" column and sort using the column title as a hyperlink, allows remote attackers to cause a denial of service (crash) via a malformed URL to the web server, possibly involving a buffer overflow. CVE-2003-1033 DESCRIPTION: The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program, which allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program. CVE-2003-1034 DESCRIPTION: The RPM installation of SAP DB 7.x creates the (1) dbmsrv or (2) lserver programs with world-writable permissions, which allows local users to gain privileges by modifying those programs. CVE-2003-1035 DESCRIPTION: The default installation of SAP R/3 46C/D allows remote attackers to bypass account locking by using the RFC API instead of the SAPGUI to conduct a brute force password guessing attack, which does not lock out the account like the SAPGUI does. CVE-2003-1036 DESCRIPTION: Multiple buffer overflows in the AGate component for SAP Internet Transaction Server (ITS) allow remote attackers to execute arbitrary code via long (1) ~command, (2) ~runtimemode, or (3) ~session parameters, or (4) a long HTTP Content-Type header. CVE-2003-1037 DESCRIPTION: Format string vulnerability in the WGate component for SAP Internet Transaction Server (ITS) allows remote attackers to execute arbitrary code via a high "trace level." CVE-2003-1038 DESCRIPTION: The AGate component for SAP Internet Transaction Server (ITS) allows remote attackers to obtain sensitive information via a ~command parameter with an AgateInstallCheck value, which provides a list of installed DLLs and full pathnames. CVE-2003-1039 DESCRIPTION: Multiple buffer overflows in the mySAP.com architecture for SAP allow remote attackers to execute arbitrary code via a long HTTP Host header to (1) Message Server, (2) Web Dispatcher, or (3) Application Server. CVE-2003-1040 DESCRIPTION: kmod in the Linux kernel does not set its uid, suid, gid, or sgid to 0, which allows local users to cause a denial of service (crash) by sending certain signals to kmod. CVE-2003-1041 DESCRIPTION: Internet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475. CVE-2003-1042 DESCRIPTION: SQL injection vulnerability in collectstats.pl for Bugzilla 2.16.3 and earlier allows remote authenticated users with editproducts privileges to execute arbitrary SQL via the product name. CVE-2003-1043 DESCRIPTION: SQL injection vulnerability in Bugzilla 2.16.3 and earlier, and 2.17.1 through 2.17.4, allows remote authenticated users with editkeywords privileges to execute arbitrary SQL via the id parameter to editkeywords.cgi. CVE-2003-1044 DESCRIPTION: editproducts.cgi in Bugzilla 2.16.3 and earlier, when usebuggroups is enabled, does not properly remove group add privileges from a group that is being deleted, which allows users with those privileges to perform unauthorized additions to the next group that is assigned with the original group ID. CVE-2003-1045 DESCRIPTION: votes.cgi in Bugzilla 2.16.3 and earlier, and 2.17.1 through 2.17.4, allows remote attackers to read a user's voting page when that user has voted on a restricted bug, which allows remote attackers to read potentially sensitive voting information by modifying the who parameter. CVE-2003-1046 DESCRIPTION: describecomponents.cgi in Bugzilla 2.17.3 and 2.17.4 does not properly verify group membership when bug entry groups are used, which allows remote attackers to list component descriptions for otherwise restricted products. CVE-2003-1047 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0540. Reason: This candidate is a duplicate of CVE-2004-0540. Notes: All CVE users should reference CVE-2004-0540 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2003-1048 DESCRIPTION: Double free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image. CVE-2003-1049 DESCRIPTION: IBM DB2 Universal Database 7 before FixPak 12 creates certain DMS directories with insecure permissions (777), which allows local users to modify or delete certain DB2 files. CVE-2003-1050 DESCRIPTION: Multiple buffer overflows in IBM DB2 Universal Database 8.1 may allow local users to execute arbitrary code via long command line arguments to (1) db2start, (2) db2stop, or (3) db2govd. CVE-2003-1051 DESCRIPTION: Multiple format string vulnerabilities in IBM DB2 Universal Database 8.1 may allow local users to execute arbitrary code via certain command line arguments to (1) db2start, (2) db2stop, or (3) db2govd. CVE-2003-1052 DESCRIPTION: IBM DB2 7.1 and 8.1 allow the bin user to gain root privileges by modifying the shared libraries that are used in setuid root programs. CVE-2003-1053 DESCRIPTION: Multiple buffer overflows in XShisen allow attackers to execute arbitrary code via a long (1) -KCONV command line option or (2) XSHISENLIB environment variable. CVE-2003-1054 DESCRIPTION: mod_access_referer 1.0.2 allows remote attackers to cause a denial of service (crash) via a malformed Referer header that is missing a hostname, as parsed by the ap_parse_uri_components function in Apache, which triggers a null dereference. CVE-2003-1055 DESCRIPTION: Buffer overflow in the nss_ldap.so.1 library for Sun Solaris 8 and 9 may allow local users to gain root access via a long hostname in an LDAP lookup. CVE-2003-1056 DESCRIPTION: The ed editor for Sun Solaris 2.6, 7, and 8 allows local users to create or overwrite arbitrary files via a symlink attack on temporary files. CVE-2003-1057 DESCRIPTION: Unknown vulnerability in CDE Print Viewer (dtprintinfo) for Sun Solaris 2.6 through 9 may allow local users to execute arbitrary code. CVE-2003-1058 DESCRIPTION: The Xsun server for Sun Solaris 2.6 through 9, when running in Direct Graphics Access (DGA) mode, allows local users to cause a denial of service (Xsun crash) or to create or overwrite arbitrary files on the system, probably via a symlink attack on temporary server files. CVE-2003-1059 DESCRIPTION: Unknown vulnerability in the libraries for the PGX32 frame buffer in Solaris 2.5.1 and 2.6 through 9 allows local users to gain root access. CVE-2003-1060 DESCRIPTION: The NFS Server for Solaris 7, 8, and 9 allows remote attackers to cause a denial of service (UFS panic) via certain invalid UFS requests, which triggers a null dereference. CVE-2003-1061 DESCRIPTION: Race condition in Solaris 2.6 through 9 allows local users to cause a denial of service (kernel panic), as demonstrated via the namefs function, pipe, and certain STREAMS routines. CVE-2003-1062 DESCRIPTION: Unknown vulnerability in the sysinfo system call for Solaris for SPARC 2.6 through 9, and Solaris for x86 2.6, 7, and 8, allows local users to read kernel memory. CVE-2003-1063 DESCRIPTION: The patches (1) 105693-13, (2) 108800-02, (3) 105694-13, and (4) 108801-02 for cachefs on Solaris 2.6 and 7 overwrite the inetd.conf file, which may silently reenable services and allow remote attackers to bypass the intended security policy. CVE-2003-1064 DESCRIPTION: Solaris 8 with IPv6 enabled allows remote attackers to cause a denial of service (kernel panic) via a crafted IPv6 packet. CVE-2003-1065 DESCRIPTION: Unknown vulnerability in patches 108993-14 through 108993-19 and 108994-14 through 108994-19 for Solaris 8 may allow local users to cause a denial of service (automountd crash). CVE-2003-1066 DESCRIPTION: Buffer overflow in the syslog daemon for Solaris 2.6 through 9 allows remote attackers to cause a denial of service (syslogd crash) and possibly execute arbitrary code via long syslog UDP packets. CVE-2003-1067 DESCRIPTION: Multiple buffer overflows in the (1) dbm_open function, as used in ndbm and dbm, and the (2) dbminit function in Solaris 2.6 through 9 allow local users to gain root privileges via long arguments to Xsun or other programs that use these functions. CVE-2003-1068 DESCRIPTION: Buffer overflow in utmp_update for Solaris 2.6 through 9 allows local users to gain root privileges, as identified by Sun BugID 4659277, a different vulnerability than CVE-2003-1082. CVE-2003-1069 DESCRIPTION: The Telnet daemon (in.telnetd) for Solaris 2.6 through 9 allows remote attackers to cause a denial of service (CPU consumption by infinite loop). CVE-2003-1070 DESCRIPTION: Unknown vulnerability in rpcbind for Solaris 2.6 through 9 allows remote attackers to cause a denial of service (rpcbind crash). CVE-2003-1071 DESCRIPTION: rpc.walld (wall daemon) for Solaris 2.6 through 9 allows local users to send messages to logged on users that appear to come from arbitrary user IDs by closing stderr before executing wall, then supplying a spoofed from header. CVE-2003-1072 DESCRIPTION: Memory leak in lofiadm in Solaris 8 allows local users to cause a denial of service (kernel memory consumption). CVE-2003-1073 DESCRIPTION: A race condition in the at command for Solaris 2.6 through 9 allows local users to delete arbitrary files via the -r argument with .. (dot dot) sequences in the job name, then modifying the directory structure after at checks permissions to delete the file and before the deletion actually takes place. CVE-2003-1074 DESCRIPTION: Unknown vulnerability in newtask for Solaris 9 allows local users to gain root privileges. CVE-2003-1075 DESCRIPTION: Unknown vulnerability in the FTP server (in.ftpd) for Solaris 2.6 through 9 allows remote attackers to cause a denial of service (temporary FTP server hang), which affects other active mode FTP clients. CVE-2003-1076 DESCRIPTION: Unknown vulnerability in sendmail for Solaris 7, 8, and 9 allows local users to cause a denial of service (unknown impact) and possibly gain privileges via certain constructs in a .forward file. CVE-2003-1077 DESCRIPTION: Unknown vulnerability in UFS for Solaris 9 for SPARC, with logging enabled, allows local users to cause a denial of service (UFS file system hang). CVE-2003-1078 DESCRIPTION: The FTP client for Solaris 2.6, 7, and 8 with the debug (-d) flag enabled displays the user password on the screen during login. CVE-2003-1079 DESCRIPTION: Unknown vulnerability in UDP RPC for Solaris 2.5.1 through 9 for SPARC, and 2.5.1 through 8 for x86, allows remote attackers to cause a denial of service (memory consumption) via certain arguments in RPC calls that cause large amounts of memory to be allocated. CVE-2003-1080 DESCRIPTION: Unknown vulnerability in mail for Solaris 2.6 through 9 allows local users to read the email of other users. CVE-2003-1081 DESCRIPTION: Aspppls for Solaris 8 allows local users to overwrite arbitrary files via a symlink attack on the .asppp.fifo temporary file. CVE-2003-1082 DESCRIPTION: Buffer overflow in utmp_update for Solaris 2.6 through 9 allows local users to gain root privileges, as identified by Sun BugID 4705891, a different vulnerability than CVE-2003-1068. CVE-2003-1083 DESCRIPTION: Stack-based buffer overflow in Monit 1.4 to 4.1 allows remote attackers to execute arbitrary code via a long HTTP request. CVE-2003-1084 DESCRIPTION: Monit 1.4 to 4.1 allows remote attackers to cause a denial of service (daemon crash) via an HTTP POST request with a negative Content-Length field. CVE-2003-1085 DESCRIPTION: The HTTP server in the Thomson TWC305, TWC315, and TCW690 cable modem ST42.03.0a allows remote attackers to cause a denial of service (unstable service) via a long GET request, possibly caused by a buffer overflow. CVE-2003-1086 DESCRIPTION: PHP remote file inclusion vulnerability in pm/lib.inc.php in pMachine Free and pMachine Pro 2.2 and 2.2.1 allows remote attackers to execute arbitrary PHP code by modifying the pm_path parameter to reference a URL on a remote web server that contains the code. CVE-2003-1087 DESCRIPTION: Unknown vulnerability in diagmond and possibly other applications in HP9000 Series 700/800 running HP-UX B.11.00, B.11.04, B.11.11, and B.11.22 allows remote attackers to cause a denial of service (program failure) via certain network traffic. CVE-2003-1088 DESCRIPTION: Cross-site scripting (XSS) vulnerability in index.php for Zorum 3.4 and 3.5 allows remote attackers to inject arbitrary web script or HTML via the method parameter. CVE-2003-1089 DESCRIPTION: index.php for Zorum 3.4 allows remote attackers to determine the full path of the web root via invalid parameter names, which reveals the path in a PHP error message. CVE-2003-1090 DESCRIPTION: Buffer overflow in AbsoluteTelnet before 2.12 RC10 allows remote attackers to execute arbitrary code via a long window title. CVE-2003-1091 DESCRIPTION: Integer overflow in MP3Broadcaster for Apple QuickTime/Darwin Streaming Server 4.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via malformed ID3 tags in MP3 files. CVE-2003-1092 DESCRIPTION: Unknown vulnerability in the "Automatic File Content Type Recognition (AFCTR) Tool version of the file package before 3.41, related to "a memory allocation problem," has unknown impact. CVE-2003-1093 DESCRIPTION: BEA WebLogic Server 6.1, 7.0 and 7.0.0.1, when routing messages to a JMS target domain that is inaccessible, may leak the user's password when it throws a ResourceAllocationException. CVE-2003-1094 DESCRIPTION: BEA WebLogic Server and Express version 7.0 SP3 may follow certain code execution paths that result in an incorrect current user, such as in the frequent use of JNDI initial contexts, which could allow remote authenticated users to gain privileges. CVE-2003-1095 DESCRIPTION: BEA WebLogic Server and Express 7.0 and 7.0.0.1, when using "memory" session persistence for web applications, does not clear authentication information when a web application is redeployed, which could allow users of that application to gain access without having to re-authenticate. CVE-2003-1096 DESCRIPTION: The Cisco LEAP challenge/response authentication mechanism uses passwords in a way that is susceptible to dictionary attacks, which makes it easier for remote attackers to gain privileges via brute force password guessing attacks. CVE-2003-1097 DESCRIPTION: Buffer overflow in rexec on HP-UX B.10.20, B.11.00, and B.11.04, when setuid root, may allow local users to gain privileges via a long -l option. CVE-2003-1098 DESCRIPTION: The Xserver for HP-UX 11.22 was not properly built, which introduced a vulnerability that allows local users to gain privileges. CVE-2003-1099 DESCRIPTION: shar on HP-UX B.11.00, B.11.04, and B.11.11 creates temporary files with predictable names in /tmp, which allows local users to cause a denial of service and possibly execute arbitrary code via a symlink attack. CVE-2003-1100 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in Hummingbird CyberDOCS 3.5.1, 3.9, and 4.0 allow remote attackers to inject arbitrary web script or HTML via certain vectors. CVE-2003-1101 DESCRIPTION: Hummingbird CyberDOCS 3.5.1, 3.9, and 4.0 allows remote attackers to obtain the full path of the DM Web Server via invalid login credentials, which reveals the path in an error message. CVE-2003-1102 DESCRIPTION: Hummingbird CyberDOCS 3.5, 3.9, and 4.0, when running on IIS, uses insecure permissions for script source code files, which allows remote attackers to read the source code. CVE-2003-1103 DESCRIPTION: SQL injection vulnerability in loginact.asp for Hummingbird CyberDOCS before 3.9 allows remote attackers to execute arbitrary SQL commands. CVE-2003-1104 DESCRIPTION: Buffer overflow in IBM Tivoli Firewall Toolbox (TFST) 1.2 allows remote attackers to execute arbitrary code via unknown vectors. CVE-2003-1105 DESCRIPTION: Unknown vulnerability in Internet Explorer 5.01 SP3 through 6.0 SP1 allows remote attackers to cause a denial of service (browser or Outlook Express crash) via HTML with certain input tags that are not properly rendered. CVE-2003-1106 DESCRIPTION: The SMTP service in Microsoft Windows 2000 before SP4 allows remote attackers to cause a denial of service (crash or hang) via an e-mail message with a malformed time stamp in the FILETIME attribute. CVE-2003-1107 DESCRIPTION: The DHTML capability in Microsoft Windows Media Player (WMP) 6.4, 7.0, 7.1, and 9 may run certain URL commands from a security zone that is less trusted than the current zone, which allows attackers to bypass intended access restrictions. CVE-2003-1108 DESCRIPTION: The Session Initiation Protocol (SIP) implementation in Alcatel OmniPCX Enterprise 5.0 Lx allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. CVE-2003-1109 DESCRIPTION: The Session Initiation Protocol (SIP) implementation in multiple Cisco products including IP Phone models 7940 and 7960, IOS versions in the 12.2 train, and Secure PIX 5.2.9 to 6.2.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. CVE-2003-1110 DESCRIPTION: The Session Initiation Protocol (SIP) implementation in Columbia SIP User Agent (sipc) 1.74 and other versions before sipc 2.0 build 2003-02-21 allows remote attackers to cause a denial of service or execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. CVE-2003-1111 DESCRIPTION: The Session Initiation Protocol (SIP) implementation in multiple dynamicsoft products including y and certain demo products for AppEngine allows remote attackers to cause a denial of service or execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. CVE-2003-1112 DESCRIPTION: The Session Initiation Protocol (SIP) implementation in Ingate Firewall and Ingate SIParator before 3.1.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. CVE-2003-1113 DESCRIPTION: The Session Initiation Protocol (SIP) implementation in IPTel SIP Express Router 0.8.9 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. CVE-2003-1114 DESCRIPTION: The Session Initiation Protocol (SIP) implementation in Mediatrix Telecom VoIP Access Devices and Gateways running SIPv2.4 and SIPv4.3 firmware allows remote attackers to cause a denial of service or execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. CVE-2003-1115 DESCRIPTION: The Session Initiation Protocol (SIP) implementation in Nortel Networks Succession Communication Server 2000, when using SIP-T, allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. CVE-2003-1116 DESCRIPTION: The communications protocol for the Report Review Agent (RRA), aka FND File Server (FNDFS) program, in Oracle E-Business Suite 10.7, 11.0, and 11.5.1 to 11.5.8 allows remote attackers to bypass authentication and obtain sensitive information from the Oracle Applications Concurrent Manager by spoofing requests to the TNS Listener. CVE-2003-1117 DESCRIPTION: Buffer overflow in RealSystem Server 6.x, 7.x and 8.x, and RealSystem Proxy 8.x, related to URL error handling, allows remote attackers to cause a denial of service and possibly execute arbitrary code. CVE-2003-1118 DESCRIPTION: Buffer overflow in the SETI@home client 3.03 and other versions allows remote attackers to cause a denial of service (client crash) and execute arbitrary code via a spoofed server response containing a long string followed by a \n (newline) character. CVE-2003-1119 DESCRIPTION: SSH Secure Shell before 3.2.9 allows remote attackers to cause a denial of service via malformed BER/DER packets. CVE-2003-1120 DESCRIPTION: Race condition in SSH Tectia Server 4.0.3 and 4.0.4 for Unix, when the password change plugin (ssh-passwd-plugin) is enabled, allows local users to obtain the server's private key. CVE-2003-1121 DESCRIPTION: Services in ScriptLogic 4.01, and possibly other versions before 4.14, process client requests at raised privileges, which allows remote attackers to (1) modify arbitrary registry entries via the ScriptLogic RPC service (SLRPC) or (2) modify arbitrary configuration via the RunAdmin services (SLRAserver.exe and SLRAclient.exe). CVE-2003-1122 DESCRIPTION: ScriptLogic 4.01, and possibly other versions before 4.14, uses insecure permissions for the LOGS$ share, which allows users to modify log records and possibly execute arbitrary code. CVE-2003-1123 DESCRIPTION: Sun Java Runtime Environment (JRE) and SDK 1.4.0_01 and earlier allows untrusted applets to access certain information within trusted applets, which allows attackers to bypass the restrictions of the Java security model. CVE-2003-1124 DESCRIPTION: Unknown vulnerability in Sun Management Center (SunMC) 2.1.1, 3.0, and 3.0 Revenue Release (RR), when installed and run by root, allows local users to create or modify arbitrary files. CVE-2003-1125 DESCRIPTION: Unknown vulnerability in ns-ldapd for Sun ONE Directory Server 4.16, 5.0, and 5.1 allows LDAP clients to cause a denial of service (service halt). CVE-2003-1126 DESCRIPTION: Unknown vulnerability in SunOne/iPlanet Web Server SP3 through SP5 on Windows platforms allows remote attackers to cause a denial of service. CVE-2003-1127 DESCRIPTION: Whale Communications e-Gap 2.5 on Windows 2000 allows remote attackers to obtain the source code for the login page via the HTTP TRACE method, which bypasses the preprocessor. CVE-2003-1128 DESCRIPTION: XMMS.pm in X2 XMMS Remote, as obtained from the vendor server between 4 AM 11 AM PST on May 7, 2003, allows remote attackers to execute arbitrary commands via shell metacharacters in a request to TCP port 8086. CVE-2003-1129 DESCRIPTION: Buffer overflow in the Yahoo! Audio Conferencing (aka Voice Chat) ActiveX control before 1,0,0,45 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a URL with a long hostname to Yahoo! Messenger or Yahoo! Chat. CVE-2003-1130 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-1071. Reason: This candidate is a duplicate of CVE-2003-1071. Notes: All CVE users should reference CVE-2003-1071 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2003-1131 DESCRIPTION: PHP remote file inclusion vulnerability in index.php in KnowledgeBuilder, referred to as KnowledgeBase, allows remote attackers to execute arbitrary PHP code by modifying the page parameter to reference a URL on a remote web server that contains the code. CVE-2003-1132 DESCRIPTION: The DNS server for Cisco Content Service Switch (CSS) 11000 and 11500, when prompted for a nonexistent AAAA record, responds with response code 3 (NXDOMAIN or "Name Error") instead of response code 0 ("No Error"), which allows remote attackers to cause a denial of service (inaccessible domain) by forcing other DNS servers to send and cache a request for a AAAA record to the vulnerable server. CVE-2003-1133 DESCRIPTION: Rit Research Labs The Bat! 1.0.11 through 2.0 creates new accounts with insecure ACLs, which allows local users to read other users' email messages. CVE-2003-1134 DESCRIPTION: Sun Java 1.3.1, 1.4.1, and 1.4.2 allows local users to cause a denial of service (JVM crash), possibly by calling the ClassDepth function with a null parameter, which causes a crash instead of generating a null pointer exception. CVE-2003-1135 DESCRIPTION: Buffer overflow in Yahoo! Messenger 5.6 allows remote attackers to cause a denial of service (crash) via a file send request (sendfile) with a large number of "%" (percent) characters after the Yahoo ID. CVE-2003-1136 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Chi Kien Uong Guestbook 1.51 allows remote attackers to inject arbitrary web script or HTML via (1) HTML in a posted message or (2) Javascript in an onmouseover attribute in an e-mail address or URL. CVE-2003-1137 DESCRIPTION: Charles Steinkuehler sh-httpd 0.3 and 0.4 allows remote attackers to read files or execute arbitrary CGI scripts via a GET request that contains an asterisk (*) wildcard character. CVE-2003-1138 DESCRIPTION: The default configuration of Apache 2.0.40, as shipped with Red Hat Linux 9.0, allows remote attackers to list directory contents, even if auto indexing is turned off and there is a default web page configured, via a GET request containing a double slash (//). CVE-2003-1139 DESCRIPTION: Musicqueue 1.2.0 allows local users to overwrite arbitrary files by triggering a segmentation fault and using a symlink attack on the resulting musicqueue.crash file. CVE-2003-1140 DESCRIPTION: Buffer overflow in Musicqueue 1.2.0 allows local users to execute arbitrary code via a long language variable in the configuration file. CVE-2003-1141 DESCRIPTION: Buffer overflow in NIPrint 4.10 allows remote attackers to execute arbitrary code via a long string to TCP port 515. CVE-2003-1142 DESCRIPTION: Help in NIPrint LPD-LPR Print Server 4.10 and earlier executes Windows Explorer with SYSTEM privileges, which allows local users to gain privileges. CVE-2003-1143 DESCRIPTION: Croteam Serious Sam demo test 2 2.1a, Serious Sam: the First Encounter 1.05, and Serious Sam: the Second Encounter 1.05 allow remote attackers to cause a denial of service (crash or freeze) via a TCP packet with an invalid first parameter. CVE-2003-1144 DESCRIPTION: Buffer overflow in the log viewing interface in Perception LiteServe 1.25 through 2.2 allows remote attackers to execute arbitrary code via a GET request with a long file name. CVE-2003-1145 DESCRIPTION: Cross-site scripting (XSS) vulnerability in friendmail.php in OpenAutoClassifieds 1.0 allows remote attackers to inject arbitrary web script or HTML via the listing parameter. CVE-2003-1146 DESCRIPTION: Cross-site scripting (XSS) vulnerability in John Beatty Easy PHP Photo Album 1.0 allows remote attackers to inject arbitrary web script or HTML via the dir parameter. CVE-2003-1147 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0955. Reason: This candidate is a duplicate of CVE-2003-0955. Notes: All CVE users should reference CVE-2003-0955 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2003-1148 DESCRIPTION: Multiple PHP remote file inclusion vulnerabilities in J-Pierre DEZELUS Les Visiteurs 2.0.1, as used in phpMyConferences (phpMyConference) 8.0.2 and possibly other products, allow remote attackers to execute arbitrary PHP code via a URL in the lvc_include_dir parameter to (1) config.inc.php or (2) new-visitor.inc.php in common/visiteurs/include/. CVE-2003-1149 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Symantec Norton Internet Security 2003 6.0.4.34 allows remote attackers to inject arbitrary web script or HTML via a URL to a blocked site, which is displayed on the blocked sites error page. CVE-2003-1150 DESCRIPTION: Buffer overflow in the portmapper service (PMAP.NLM) in Novell NetWare 6 SP3 and ZenWorks for Desktops 3.2 SP2 through 4.0.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via unknown attack vectors. CVE-2003-1151 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Fastream NETFile Server 6.0.3.588 allows remote attackers to inject arbitrary web script or HTML via the URL, which is displayed on a "404 Not Found" error page. CVE-2003-1152 DESCRIPTION: WebTide 7.04 allows remote attackers to list arbitrary directories via an HTTP request for %3f.jsp (encoded "?"). CVE-2003-1153 DESCRIPTION: byteHoard 0.7 and 0.71 allows remote attackers to list arbitrary files and directories via a direct request to files.inc.php. CVE-2003-1154 DESCRIPTION: MAILsweeper for SMTP 4.3 allows remote attackers to bypass virus protection via a mail message with a malformed zip attachment, as exploited by certain MIMAIL virus variants. CVE-2003-1155 DESCRIPTION: X-CD-Roast 0.98 alpha10 through alpha14 allows local users to overwrite arbitrary files via a symlink attack on an unknown file. CVE-2003-1156 DESCRIPTION: Java Runtime Environment (JRE) and Software Development Kit (SDK) 1.4.2 through 1.4.2_02 allows local users to overwrite arbitrary files via a symlink attack on (1) unpack.log, as created by the unpack program, or (2) .mailcap1 and .mime.types1, as created by the RPM program. CVE-2003-1157 DESCRIPTION: Cross-site scripting (XSS) vulnerability in login.asp in Citrix MetaFrame XP Server 1.0 allows remote attackers to inject arbitrary web script or HTML via the NFuse_Message parameter. CVE-2003-1158 DESCRIPTION: Multiple buffer overflows in the FTP service in Plug and Play Web Server 1.0002c allow remote attackers to cause a denial of service (crash) via long (1) dir, (2) ls, (3) delete, (4) mkdir, (5) DELE, (6) RMD, or (7) MKD commands. CVE-2003-1159 DESCRIPTION: Plug and Play Web Server Proxy 1.0002c allows remote attackers to cause a denial of service (server crash) via an invalid URI in an HTTP GET request to TCP port 8080. CVE-2003-1160 DESCRIPTION: FlexWATCH Network video server 132 allows remote attackers to bypass authentication and gain administrative privileges via an HTTP request to aindex.htm that contains double leading slashes (//). CVE-2003-1161 DESCRIPTION: exit.c in Linux kernel 2.6-test9-CVS, as stored on kernel.bkbits.net, was modified to contain a backdoor, which could allow local users to elevate their privileges by passing __WCLONE|__WALL to the sys_wait4 function. CVE-2003-1162 DESCRIPTION: index.php in Tritanium Bulletin Board 1.2.3 allows remote attackers to read and reply to arbitrary messages by modifying the thread_id, forum_id, and sid parameters. CVE-2003-1163 DESCRIPTION: hash.c in Ganglia gmond 2.5.3 allows remote attackers to cause a denial of service (segmentation fault) via a UDP packet that contains a single-byte name string, which is used as an out-of-bounds array index. CVE-2003-1164 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Mldonkey 2.5-4 allows remote attackers to inject arbitrary web script or HTML via the URI, which is injected into the HTML error page. CVE-2003-1165 DESCRIPTION: Buffer overflow in BRS WebWeaver 1.06 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP request with a long User-Agent header. CVE-2003-1166 DESCRIPTION: Directory traversal vulnerability in (1) Openfile.aspx and (2) Html.aspx in HTTP Commander 4.0 allows remote attackers to view arbitrary files via a .. (dot dot) in the file parameter. CVE-2003-1167 DESCRIPTION: misc.cpp in KPopup 0.9.1 trusts the PATH variable when executing killall, which allows local users to elevate their privileges by modifying the PATH variable to reference a malicious killall program. CVE-2003-1168 DESCRIPTION: HTTP Commander 4.0 allows remote attackers to obtain sensitive information via an HTTP request that contains a . (dot) in the file parameter, which reveals the installation path in an error message. CVE-2003-1169 DESCRIPTION: DATEV Nutzungskontrolle 2.1 and 2.2 has insecure write permissions for critical registry keys, which allows local users to bypass access restrictions by importing NukoInfo values in certain DATEV keys, which disables Nutzungskontrolle. CVE-2003-1170 DESCRIPTION: Format string vulnerability in main.cpp in kpopup 0.9.1 and 0.9.5pre2 allows local users to cause a denial of service (segmentation fault) and possibly execute arbitrary code via format string specifiers in command line arguments. CVE-2003-1171 DESCRIPTION: Heap-based buffer overflow in the sec_filter_out function in mod_security 1.7RC1 through 1.7.1 in Apache 2 allows remote attackers to execute arbitrary code via a server side script that sends a large amount of data. CVE-2003-1172 DESCRIPTION: Directory traversal vulnerability in the view-source sample file in Apache Software Foundation Cocoon 2.1 and 2.2 allows remote attackers to access arbitrary files via a .. (dot dot) in the filename parameter. CVE-2003-1173 DESCRIPTION: Centrinity FirstClass 7.1 allows remote attackers to access sensitive information by appending search to the end of the URL and checking all of the search option checkboxes and leaving the text field blank, which will return all files in the searched directory. CVE-2003-1174 DESCRIPTION: Buffer overflow in NullSoft Shoutcast Server 1.9.2 allows local users to cause a denial of service via (1) icy-name followed by a long server name or (2) icy-url followed by a long URL. CVE-2003-1175 DESCRIPTION: Cross-site scripting (XSS) vulnerability in index.php in Sympoll 1.5 allows remote attackers to inject arbitrary web script or HTML via the vo parameter. CVE-2003-1176 DESCRIPTION: post_message_form.asp in Web Wiz Forums 6.34 through 7.5, when quote mode is used, allows remote attackers to read or write to private forums by modifying the FID (forum ID) parameter. CVE-2003-1177 DESCRIPTION: Buffer overflow in the base64 decoder in MERCUR Mailserver 4.2 before SP3a allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long (1) AUTH command to the POP3 server or (2) AUTHENTICATE command to the IMAP server. CVE-2003-1178 DESCRIPTION: Eval injection vulnerability in comments.php in Advanced Poll 2.0.2 allows remote attackers to execute arbitrary PHP code via the (1) id, (2) template_set, or (3) action parameter. CVE-2003-1179 DESCRIPTION: Multiple PHP remote file inclusion vulnerabilities in Advanced Poll 2.0.2 allow remote attackers to execute arbitrary PHP code via the include_path parameter in (1) booth.php, (2) png.php, (3) poll_ssi.php, or (4) popup.php, the (5) base_path parameter to common.inc.php. CVE-2003-1180 DESCRIPTION: Directory traversal vulnerability in Advanced Poll 2.0.2 allows remote attackers to read arbitrary files or inject arbitrary local PHP files via .. sequences in the base_path or pollvars[lang] parameters to the admin files (1) index.php, (2) admin_tpl_new.php, (3) admin_tpl_misc_new.php, (4) admin_templates_misc.php, (5) admin_templates.php, (6) admin_stats.php, (7) admin_settings.php, (8) admin_preview.php, (9) admin_password.php, (10) admin_logout.php, (11) admin_license.php, (12) admin_help.php, (13) admin_embed.php, (14) admin_edit.php, or (15) admin_comment.php. CVE-2003-1181 DESCRIPTION: Advanced Poll 2.0.2 allows remote attackers to obtain sensitive information via an HTTP request to info.php, which invokes the phpinfo() function. CVE-2003-1182 DESCRIPTION: Cross-site scripting (XSS) vulnerability in MPM Guestbook 1.2 allows remote attackers to inject arbitrary web script or HTML via the lng parameter. CVE-2003-1183 DESCRIPTION: The WebCache component in Oracle Files 9.0.3.1.0, 9.0.3.2.0, and 9.0.3.3.0 of Oracle Collaboration Suite Release 1 caches files despite the cacheability rules imposed by Oracle Files, which allows local users to gain access. CVE-2003-1184 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in ThWboard Beta 2.8 and 2.81 allow remote attackers to inject arbitrary web script or HTML via (1) time in board.php, (2) the profile Homepage-Feld, (3) pictures, and (4) other "Diverse XSS Bugs." CVE-2003-1185 DESCRIPTION: Multiple SQL injection vulnerabilities in ThWboard before Beta 2.8.2 allow remote attackers to inject arbitrary SQL commands via various vectors including (1) Admin-Center, (2) Announcements, (3) admin/calendar.php, and (4) showevent.php. CVE-2003-1186 DESCRIPTION: Buffer overflow in TelCondex SimpleWebServer 2.12.30210 Build3285 allows remote attackers to execute arbitrary code via a long HTTP Referer header. CVE-2003-1187 DESCRIPTION: Cross-site scripting (XSS) vulnerability in include.php in PHPKIT 1.6.02 and 1.6.03 allows remote attackers to inject arbitrary web script or HTML via the contact_email parameter. CVE-2003-1188 DESCRIPTION: Unichat allows remote attackers to cause a denial of service (crash) by adding extra chat characters (avatars) and logging in to a chat room, as demonstrated using duplicate ACTOR entries in u2res000.rit. CVE-2003-1189 DESCRIPTION: Unknown vulnerability in Nokia IPSO 3.7, configured as IP Clusters, allows remote attackers to cause a denial of service via unknown attack vectors. CVE-2003-1190 DESCRIPTION: Cross-site scripting (XSS) vulnerability in PHPRecipeBook 1.24 through 2.17 allows remote attackers to inject arbitrary web script or HTML via a recipe. CVE-2003-1191 DESCRIPTION: chatbox.php in e107 0.554 and 0.603 allows remote attackers to cause a denial of service (pages fail to load) via HTML in the Name field, which prevents the main.php form from being loaded. CVE-2003-1192 DESCRIPTION: Stack-based buffer overflow in IA WebMail Server 3.1.0 allows remote attackers to execute arbitrary code via a long GET request. CVE-2003-1193 DESCRIPTION: Multiple SQL injection vulnerabilities in the Portal DB (1) List of Values (LOVs), (2) Forms, (3) Hierarchy, and (4) XML components packages in Oracle Oracle9i Application Server 9.0.2.00 through 3.0.9.8.5 allow remote attackers to execute arbitrary SQL commands via the URL. CVE-2003-1194 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Booby .1 through 0.2.3 allows remote attackers to inject arbitrary web script or HTML via the error message. CVE-2003-1195 DESCRIPTION: SQL injection vulnerability in getmember.asp in VieBoard 2.6 Beta 1 allows remote attackers to execute arbitrary SQL commands via the msn variable. CVE-2003-1196 DESCRIPTION: SQL injection vulnerability in viewtopic.asp in VieBoard 2.6 allows remote attackers to execute arbitrary SQL commands via the forumid parameter. CVE-2003-1197 DESCRIPTION: Cross-site scripting (XSS) vulnerability in index.php for Ledscripts.com LedForums Beta 1 allows remote attackers to inject arbitrary web script or HTML via the (1) top_message parameter or (2) topic field of a new thread. CVE-2003-1198 DESCRIPTION: connection.c in Cherokee web server before 0.4.6 allows remote attackers to cause a denial of service via an HTTP POST request without a Content-Length header field. CVE-2003-1199 DESCRIPTION: Cross-site scripting (XSS) vulnerability in MyProxy 20030629 allows remote attackers to inject arbitrary web script or HTML via the URL. CVE-2003-1200 DESCRIPTION: Stack-based buffer overflow in FORM2RAW.exe in Alt-N MDaemon 6.5.2 through 6.8.5 allows remote attackers to execute arbitrary code via a long From parameter to Form2Raw.cgi. CVE-2003-1201 DESCRIPTION: ldbm_back_exop_passwd in the back-ldbm backend in passwd.c for OpenLDAP 2.1.12 and earlier, when the slap_passwd_parse function does not return LDAP_SUCCESS, attempts to free an uninitialized pointer, which allows remote attackers to cause a denial of service (segmentation fault). CVE-2003-1202 DESCRIPTION: The checklogin function in omail.pl for omail webmail 0.98.4 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) password, (2) domainname, or (3) username. CVE-2003-1203 DESCRIPTION: Cross-site scripting (XSS) vulnerability in index.php for Mambo Site Server 4.0.10 allows remote attackers to execute script on other clients via the ?option parameter. CVE-2003-1204 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in Mambo Site Server 4.0.12 BETA and earlier allow remote attackers to execute script on other clients via (1) the link parameter in sectionswindow.php, the directory parameter in (2) gallery.php, (3) navigation.php, or (4) uploadimage.php, the path parameter in (5) view.php, (6) the choice parameter in upload.php, (7) the sitename parameter in mambosimple.php, (8) the type parameter in upload.php, or the id parameter in (9) emailarticle.php, (10) emailfaq.php, or (11) emailnews.php. CVE-2003-1205 DESCRIPTION: Crob FTP Server 2.60.1 allows remote authenticated users to cause a denial of service (crash) by renaming a file to the "con" MS-DOS device name. CVE-2003-1206 DESCRIPTION: Format string vulnerability in Crob FTP Server 2.60.1 allows remote attackers to cause a denial of service (crash) via "%s" or "%n" sequences in (1) the username during login, or other FTP commands such as (2) dir. CVE-2003-1207 DESCRIPTION: Crob FTP Server 3.5.1 allows remote authenticated users to cause a denial of service (crash) via a dir command with a large number of "." characters followed by a "/*" string. CVE-2003-1208 DESCRIPTION: Multiple buffer overflows in Oracle 9i 9 before 9.2.0.3 allow local users to execute arbitrary code by (1) setting the TIME_ZONE session parameter to a long value, or providing long parameters to the (2) NUMTOYMINTERVAL, (3) NUMTODSINTERVAL or (4) FROM_TZ functions. CVE-2003-1209 DESCRIPTION: The Post_Method function in Monkey HTTP Daemon before 0.6.2 allows remote attackers to cause a denial of service (crash) via a POST request without a Content-Type header. CVE-2003-1210 DESCRIPTION: Multiple SQL injection vulnerabilities in the Downloads module for PHP-Nuke 5.x through 6.5 allow remote attackers to execute arbitrary SQL commands via the (1) lid parameter to the getit function or the (2) min parameter to the search function. CVE-2003-1211 DESCRIPTION: Cross-site scripting (XSS) vulnerability in search.asp for MaxWebPortal 1.30 and possibly earlier versions allows remote attackers to inject arbitrary web script or HTML via the Search parameter. CVE-2003-1212 DESCRIPTION: MaxWebPortal 1.30 allows remote attackers to perform unauthorized actions by modifying hidden form fields, such as the (1) news, (2) lock, or (3) allmem fields in the 'start new topic' HTML page. CVE-2003-1213 DESCRIPTION: The default installation of MaxWebPortal 1.30 stores the portal database under the web document root with insecure access control, which allows remote attackers to obtain sensitive information via a direct request to database/db2000.mdb. CVE-2003-1214 DESCRIPTION: Unknown vulnerability in the server login for VisualShapers ezContents 2.02 and earlier allows remote attackers to bypass access restrictions and gain access to restricted functions. CVE-2003-1215 DESCRIPTION: SQL injection vulnerability in groupcp.php for phpBB 2.0.6 and earlier allows group moderators to perform unauthorized activities via the sql_in parameter. CVE-2003-1216 DESCRIPTION: SQL injection vulnerability in search.php for phpBB 2.0.6 and earlier allows remote attackers to execute arbitrary SQL and gain privileges via the search_id parameter. CVE-2003-1217 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-1218 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2003. Notes: none. CVE-2003-1219 DESCRIPTION: Cross-site scripting (XSS) vulnerability in the tep_href_link function in html_output.php for osCommerce before 2.2-MS3 allows remote attackers to inject arbitrary web script or HTML via the osCsid parameter. CVE-2003-1220 DESCRIPTION: BEA WebLogic Server proxy plugin for BEA Weblogic Express and Server 6.1 through 8.1 SP 1 allows remote attackers to cause a denial of service (proxy plugin crash) via a malformed URL. CVE-2003-1221 DESCRIPTION: BEA WebLogic Express and Server 7.0 through 8.1 SP 1, under certain circumstances when a request to use T3 over SSL (t3s) is made to the insecure T3 port, may use a non-SSL connection for the communication, which could allow attackers to sniff sessions. CVE-2003-1222 DESCRIPTION: BEA Weblogic Express and Server 8.0 through 8.1 SP 1, when using a foreign Java Message Service (JMS) provider, echoes the password for the foreign provider to the console and stores it in cleartext in config.xml, which could allow attackers to obtain the password. CVE-2003-1223 DESCRIPTION: The Node Manager for BEA WebLogic Express and Server 6.1 through 8.1 SP 1 allows remote attackers to cause a denial of service (Node Manager crash) via malformed data to the Node Manager's port, as demonstrated by nmap. CVE-2003-1224 DESCRIPTION: Weblogic.admin for BEA WebLogic Server and Express 7.0 and 7.0.0.1 displays the JDBCConnectionPoolRuntimeMBean password to the screen in cleartext, which allows attackers to read a user's password by physically observing ("shoulder surfing") the screen. CVE-2003-1225 DESCRIPTION: The default CredentialMapper for BEA WebLogic Server and Express 7.0 and 7.0.0.1 stores passwords in cleartext on disk, which allows local users to extract passwords. CVE-2003-1226 DESCRIPTION: BEA WebLogic Server and Express 7.0 and 7.0.0.1 stores certain secrets concerning password encryption insecurely in config.xml, filerealm.properties, and weblogic-rar.xml, which allows local users to learn those secrets and decrypt passwords. CVE-2003-1227 DESCRIPTION: PHP remote file include vulnerability in index.php for Gallery 1.4 and 1.4-pl1, when running on Windows or in Configuration mode on Unix, allows remote attackers to inject arbitrary PHP code via a URL in the GALLERY_BASEDIR parameter, a different vulnerability than CVE-2002-1412. NOTE: this issue might be exploitable only during installation, or if the administrator has not run a security script after installation. CVE-2003-1228 DESCRIPTION: Buffer overflow in the prepare_reply function in request.c for Mathopd 1.2 through 1.5b13, and possibly earlier versions, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via an HTTP request with a long path. CVE-2003-1229 DESCRIPTION: X509TrustManager in (1) Java Secure Socket Extension (JSSE) in SDK and JRE 1.4.0 through 1.4.0_01, (2) JSSE before 1.0.3, (3) Java Plug-in SDK and JRE 1.3.0 through 1.4.1, and (4) Java Web Start 1.0 through 1.2 incorrectly calls the isClientTrusted method when determining server trust, which results in improper validation of digital certificate and allows remote attackers to (1) falsely authenticate peers for SSL or (2) incorrectly validate signed JAR files. CVE-2003-1230 DESCRIPTION: The implementation of SYN cookies (syncookies) in FreeBSD 4.5 through 5.0-RELEASE-p3 uses only 32-bit internal keys when generating syncookies, which makes it easier for remote attackers to conduct brute force ISN guessing attacks and spoof legitimate traffic. CVE-2003-1231 DESCRIPTION: Cross-site scripting (XSS) vulnerability in index.php in ECW-Shop 5.5 allows remote attackers to inject arbitrary web script or HTML via the cat parameter. CVE-2003-1232 DESCRIPTION: Emacs 21.2.1 does not prompt or warn the user before executing Lisp code in the local variables section of a text file, which allows user-assisted attackers to execute arbitrary commands, as demonstrated using the mode-name variable. CVE-2003-1233 DESCRIPTION: Pedestal Software Integrity Protection Driver (IPD) 1.3 and earlier allows privileged attackers, such as rootkits, to bypass file access restrictions to the Windows kernel by using the NtCreateSymbolicLinkObject function to create a symbolic link to (1) \Device\PhysicalMemory or (2) to a drive letter using the subst command. CVE-2003-1234 DESCRIPTION: Integer overflow in the f_count counter in FreeBSD before 4.2 through 5.0 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via multiple calls to (1) fpathconf and (2) lseek, which do not properly decrement f_count through a call to fdrop. CVE-2003-1235 DESCRIPTION: BRW WebWeaver 1.03 allows remote attackers to obtain sensitive server environment information via a URL request for testcgi.exe, which lists the values of environment variables and the current working directory. CVE-2003-1236 DESCRIPTION: Multiple format string vulnerabilities in the logger function in netzio.c for Tanne 0.6.17 allows remote attackers to execute arbitrary code via format string specifiers in syslog. CVE-2003-1237 DESCRIPTION: Cross-site scripting vulnerability (XSS) in WWWBoard 2.0A2.1 and earlier allows remote attackers to inject arbitrary HTML or web script via a message post. CVE-2003-1238 DESCRIPTION: Cross-site scripting vulnerability (XSS) in Nuked-Klan 1.3 beta and earlier allows remote attackers to steal authentication information via cookies by injecting arbitrary HTML or script into op of the (1) Team, (2) News, and (3) Liens modules. CVE-2003-1239 DESCRIPTION: Directory traversal vulnerability in sendphoto.php in WihPhoto 0.86 allows remote attackers to read arbitrary files via .. specifiers in the album parameter, and the target filename in the pic parameter. CVE-2003-1240 DESCRIPTION: PHP remote file inclusion vulnerability in CuteNews 0.88 allows remote attackers to execute arbitrary PHP code via a URL in the cutepath parameter in (1) shownews.php, (2) search.php, or (3) comments.php. CVE-2003-1241 DESCRIPTION: Cross-site scripting vulnerability (XSS) in (1) admin_index.php, (2) admin_pass.php, (3) admin_modif.php, and (4) admin_suppr.php in MyGuestbook 3.0 allows remote attackers to execute arbitrary PHP code by modifying the location parameter to reference a URL on a remote web server that contains file.php via script injected into the pseudo, email, and message parameters. CVE-2003-1242 DESCRIPTION: Sage 1.0 b3 allows remote attackers to obtain the root web server path via a URL request for a non-existent module, which returns the path in an error message. CVE-2003-1243 DESCRIPTION: Cross-site scripting vulnerability (XSS) in Sage 1.0 b3 allows remote attackers to insert arbitrary HTML or web script via the mod parameter. CVE-2003-1244 DESCRIPTION: SQL injection vulnerability in page_header.php in phpBB 2.0, 2.0.1 and 2.0.2 allows remote attackers to brute force user passwords and possibly gain unauthorized access to forums via the forum_id parameter to index.php. CVE-2003-1245 DESCRIPTION: index2.php in Mambo 4.0.12 allows remote attackers to gain administrator access via a URL request where session_id is set to the MD5 hash of a session cookie. CVE-2003-1246 DESCRIPTION: NtCreateSymbolicLinkObject in ntdll.dll in Integrity Protection Driver (IPD) 1.2 and 1.3 allows local users to create and overwrite arbitrary files via a symlink attack on \winnt\system32\drivers using the subst command. CVE-2003-1247 DESCRIPTION: Multiple buffer overflows in H-Sphere WebShell 2.3 allow remote attackers to execute arbitrary code via (1) a long URL content type in CGI::readFile, (2) a long path in diskusage, and (3) a long fname in flist. CVE-2003-1248 DESCRIPTION: H-Sphere WebShell 2.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) mode and (2) zipfile parameters in a URL request. CVE-2003-1249 DESCRIPTION: WebIntelligence 2.7.1 uses guessable user session cookies, which allows remote attackers to hijack sessions. CVE-2003-1250 DESCRIPTION: Efficient Networks 5861 DSL router, when running firmware 5.3.80 configured to block incoming TCP SYN, packets allows remote attackers to cause a denial of service (crash) via a flood of TCP SYN packets to the WAN interface using a port scanner such as nmap. CVE-2003-1251 DESCRIPTION: The (1) menu.inc.php, (2) datasets.php and (3) mass_operations.inc.php (mistakenly referred to as mass_opeations.inc.php) scripts in N/X 2002 allow remote attackers to execute arbitrary PHP code via a c_path that references a URL on a remote web server that contains the code. CVE-2003-1252 DESCRIPTION: register.php in S8Forum 3.0 allows remote attackers to execute arbitrary PHP commands by creating a user whose name ends in a .php extension and entering the desired commands into the E-mail field, which creates a web-accessible .php file that can be called by the attacker, as demonstrated using a "system($cmd)" E-mail address with a "any_name.php" username. CVE-2003-1253 DESCRIPTION: PHP remote file inclusion vulnerability in Bookmark4U 1.8.3 allows remote attackers to execute arbitrary PHP code viaa URL in the prefix parameter to (1) dbase.php, (2) config.php, or (3) common.load.php. CVE-2003-1254 DESCRIPTION: Active PHP Bookmarks (APB) 1.1.01 allows remote attackers to execute arbitrary PHP code via (1) head.php, (2) apb_common.php, or (3) apb_view_class.php by modifying the APB_SETTINGS parameter to reference a URL on a remote web server that contains the code. CVE-2003-1255 DESCRIPTION: add_bookmark.php in Active PHP Bookmarks (APB) 1.1.01 allows remote attackers to add arbitrary bookmarks as other users using a modified auth_user_id parameter. CVE-2003-1256 DESCRIPTION: aff_liste_langue.php in E-theni allows remote attackers to execute arbitrary PHP code by modifying the rep_include parameter to reference a URL on a remote web server that contains para_langue.php. CVE-2003-1257 DESCRIPTION: find_theni_home.php in E-theni allows remote attackers to obtain sensitive system information via a URL request which executes phpinfo. CVE-2003-1258 DESCRIPTION: activate.php in versatileBulletinBoard (vBB) 0.9.5 and 0.9.6 allows remote attackers to gain unauthorized administrative access via a URL request with the uid parameter set to the webmaster uid. CVE-2003-1259 DESCRIPTION: Buffer overflow in CuteFTP 4.2 and 5.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long FTP server banner. CVE-2003-1260 DESCRIPTION: Buffer overflow in CuteFTP 5.0 allows remote attackers to execute arbitrary code via a long response to a LIST command. CVE-2003-1261 DESCRIPTION: Buffer overflow in CuteFTP 5.0 and 5.0.1 allows local users to cause a denial of service (crash) by copying a long URL into a clipboard. CVE-2003-1262 DESCRIPTION: Buffer overflow in the http_fetch function of HTTP Fetcher 1.0.0 and 1.0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL request via a long (1) host, (2) referer, or (3) userAgent value. CVE-2003-1263 DESCRIPTION: ICAL.EXE in iCal 3.7 allows remote attackers to cause a denial of service (crash) via a malformed HTTP request, possibly due to an invalid method name. CVE-2003-1264 DESCRIPTION: TFTP server in Longshine Wireless Access Point (WAP) LCS-883R-AC-B, and in D-Link DI-614+ 2.0 which is based on it, allows remote attackers to obtain the WEP secret and gain administrator privileges by downloading the configuration file (config.img) and other files without authentication. CVE-2003-1265 DESCRIPTION: Netscape 7.0 and Mozilla 5.0 do not immediately delete messages in the trash folder when users select the 'Empty Trash' option, which could allow local users to access deleted messages. CVE-2003-1266 DESCRIPTION: The (1) FTP, (2) POP3, (3) SMTP, and (4) NNTP servers in EServer 2.92 through 2.97, and possibly 2.98, allow remote attackers to cause a denial of service (crash) via a large amount of data. CVE-2003-1267 DESCRIPTION: GuildFTPd 0.999 allows remote attackers to cause a denial of service (crash) via a GET request for MS-DOS device names such as lpt1. CVE-2003-1268 DESCRIPTION: Multiple SQL injection vulnerabilities in (1) addcustomer.asp, (2) addprod.asp, and (3) process.asp in a.shopKart 2.0.3 allow remote attackers to execute arbitrary SQL and obtain sensitive information via the zip, state, country, phone, and fax parameters. CVE-2003-1269 DESCRIPTION: AN HTTP 1.41e allows remote attackers to obtain the root web server path via an HTTP request with a long argument to a script, which leaks the path in an error message. CVE-2003-1270 DESCRIPTION: AN HTTP 1.41e allows remote attackers to cause a denial of service (borken pipe) via an HTTP request to aux.cgi with a long argument, possibly triggering a buffer overflow or MS-DOS device vulnerability. CVE-2003-1271 DESCRIPTION: Cross-site scripting vulnerability (XSS) in AN HTTP 1.41e allows remote attackers to execute arbitrary web script or HTML as other users via a URL containing the script. CVE-2003-1272 DESCRIPTION: Multiple buffer overflows in Winamp 3.0 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a .b4s file containing (1) a long playlist name or (2) a long path in a file: argument to the Playstring parameter. CVE-2003-1273 DESCRIPTION: Winamp 3.0 allows remote attackers to cause a denial of service (crash) via a .b4s file with a playlist name that contains some non-English characters, e.g. Cyrillic characters. CVE-2003-1274 DESCRIPTION: Winamp 3.0 allows remote attackers to cause a denial of service (crash) via .b4s file with a file: argument to the Playstring parameter that contains MS-DOS device names such as aux. CVE-2003-1275 DESCRIPTION: Pocket Internet Explorer (PIE) 3.0 allows remote attackers to cause a denial of service (crash) via a Javascript function that uses the object.innerHTML function to recursively call that function. CVE-2003-1276 DESCRIPTION: Netfone.exe of NetTelephone 3.5.6 uses weak encryption for user PIN's and stores user account numbers in plaintext in the HKEY_CURRENT_USER\Software\MediaRing.com\SDK\NetTelephone\settings registry key, which could allow local users to gain unauthorized access to NetTelephone accounts. CVE-2003-1277 DESCRIPTION: Cross-site scripting (XSS) vulnerabilities in Yet Another Bulletin Board (YaBB) 1.5.0 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via cookies by injecting arbitrary HTML or script into (1) news_icon of news_template.php, and (2) threadid and subject of index.html CVE-2003-1278 DESCRIPTION: Cross-site scripting vulnerability (XSS) in OpenTopic 2.3.1 allows remote attackers to execute arbitrary script as other users and possibly steal authentication information via cookies by injecting arbitrary HTML or script into IMG tags. CVE-2003-1279 DESCRIPTION: S-PLUS 6.0 allows local users to overwrite arbitrary files and possibly elevate privileges via a symlink attack on (1) /tmp/__F8499 by Sqpe, (2) /tmp/PRINT.$$.out by PRINT, (3) /tmp/SUBST$PID.TXT and /tmp/ed.cmds$PID by mustfix.hlinks, (4) /tmp/file.1 and /tmp/file.2 by sas_get, (5) /tmp/file.1 by sas_vars, and (6) /tmp/sgml2html$$tmp /tmp/sgml2html$$tmp1 /tmp/sgml2html$$tmp2 by sglm2html. CVE-2003-1280 DESCRIPTION: Directory traversal vulnerability in cgihtml 1.69 allows remote attackers to overwrite and create arbitrary files via a .. (dot dot) in multipart/form-data uploads. CVE-2003-1281 DESCRIPTION: cgihtml 1.69 allows local users to overwrite arbitrary files via a symlink attack on certain temporary files. CVE-2003-1282 DESCRIPTION: IBM Net.Data allows remote attackers to obtain sensitive information such as path names, server names and possibly user names and passwords by causing the (1) $(DTW_CURRENT_FILENAME), (2) $(DATABASE), (3) $(LOGIN), (4) $(PASSWORD), and possibly other predefined variables that can be echoed back to the user via a web form. CVE-2003-1283 DESCRIPTION: KaZaA Media Desktop (KMD) 2.0 launches advertisements in the Internet Explorer (IE) local security zone, which could allow remote attackers to view local files and possibly execute arbitrary code. CVE-2003-1284 DESCRIPTION: Sambar Server before 6.0 beta 6 allows remote attackers to obtain sensitive information via direct requests to the default scripts (1) environ.pl and (2) testcgi.exe. CVE-2003-1285 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in Sambar Server before 6.0 beta 6 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) isapi/testisa.dll, (2) testcgi.exe, (3) environ.pl, (4) the query parameter to samples/search.dll, (5) the price parameter to mortgage.pl, (6) the query string in dumpenv.pl, (7) the query string to dumpenv.pl, and (8) the E-Mail field of the guestbook script (book.pl). CVE-2003-1286 DESCRIPTION: HTTP Proxy in Sambar Server before 6.0 beta 6, when security.ini lacks a 127.0.0.1 proxydeny entry, allows remote attackers to send proxy HTTP requests to the Sambar Server's administrative interface and external web servers, by making a "Connection: keep-alive" request before the proxy requests. CVE-2003-1287 DESCRIPTION: Sambar Server before 6.0 beta 3 allows attackers with physical access to execute arbitrary code via a request with an MS-DOS device name such as com1.pl, con.pl, or aux.pl, which causes Perl to read the code from the associated device. CVE-2003-1288 DESCRIPTION: Multiple race conditions in Linux-VServer 1.22 with Linux kernel 2.4.23 and SMP allow local users to cause a denial of service (kernel oops) via unknown attack vectors related to the (1) s_info and (2) ip_info data structures and the (a) forget_original_parent, (b) goodness, (c) schedule, (d) update_process_times, and (e) vc_new_s_context functions. CVE-2003-1289 DESCRIPTION: The iBCS2 system call translator for statfs in NetBSD 1.5 through 1.5.3 and FreeBSD 4 up to 4.8-RELEASE-p2 and 5 up to 5.1-RELEASE-p1 allows local users to read portions of kernel memory (memory disclosure) via a large length parameter, which copies additional kernel memory into userland memory. CVE-2003-1290 DESCRIPTION: BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, with RMI and anonymous admin lookup enabled, allows remote attackers to obtain configuration information by accessing MBeanHome via the Java Naming and Directory Interface (JNDI). CVE-2003-1291 DESCRIPTION: VMware ESX Server 1.5.2 before Patch 4 allows local users to execute arbitrary programs as root via certain modified VMware ESX Server environment variables. CVE-2003-1292 DESCRIPTION: PHP remote file include vulnerability in Derek Ashauer ashNews 0.83 allows remote attackers to include and execute arbitrary remote files via a URL in the pathtoashnews parameter to (1) ashnews.php and (2) ashheadlines.php. CVE-2003-1293 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in NukedWeb GuestBookHost allow remote attackers to inject arbitrary web script or HTML via the (1) Name, (2) Email and (3) Message fields when signing the guestbook. CVE-2003-1294 DESCRIPTION: Xscreensaver before 4.15 creates temporary files insecurely in (1) driver/passwd-kerberos.c, (2) driver/xscreensaver-getimage-video, (3) driver/xscreensaver.kss.in, and the (4) vidwhacker and (5) webcollage screensavers, which allows local users to overwrite arbitrary files via a symlink attack. CVE-2003-1295 DESCRIPTION: Unspecified vulnerability in xscreensaver 4.12, and possibly other versions, allows attackers to cause xscreensaver to crash via unspecified vectors "while verifying the user-password." CVE-2003-1296 DESCRIPTION: Easy File Sharing (EFS) Web Server 1.2 allows remote authenticated users to cause a denial of service via (1) an "empty symbol" in the Title field or (2) certain data in the Your Message field, possibly a long argument. CVE-2003-1297 DESCRIPTION: Easy File Sharing (EFS) Web Server 1.2 stores the (1) option.ini (aka options.ini) file and (2) log directory under the web root with insufficient access control, which allows remote attackers to obtain sensitive information including an SMTP account username and password hash, the server configuration, and server log files. CVE-2003-1298 DESCRIPTION: Multiple directory traversal vulnerabilities in siteman.php3 in AnyPortal(php) 12 MAY 00 allow remote attackers to (1) create, (2) delete, (3) save, and (4) upload files by navigating to the root directory and entering a filename beginning with "./.." (dot slash dot dot). CVE-2003-1299 DESCRIPTION: Directory traversal vulnerability in Baby FTP Server 1.2, and possibly other versions before May 31, 2003 allows remote authenticated users to list arbitrary directories and possibly read files via "..." (triple dot) manipulations to the CWD command. CVE-2003-1300 DESCRIPTION: Baby FTP Server (BabyFTP) 1.2, and possibly other versions before May 31, 2003, allows remote attackers to cause a denial of service via a large number of connections from the same IP address, which triggers an access violation. CVE-2003-1301 DESCRIPTION: Sun Java Runtime Environment (JRE) 1.x before 1.4.2_11 and 1.5.x before 1.5.0_06, and as used in multiple web browsers, allows remote attackers to cause a denial of service (application crash) via deeply nested object arrays, which are not properly handled by the garbage collector and trigger invalid memory accesses. CVE-2003-1302 DESCRIPTION: The IMAP functionality in PHP before 4.3.1 allows remote attackers to cause a denial of service via an e-mail message with a (1) To or (2) From header with an address that contains a large number of "\" (backslash) characters. CVE-2003-1303 DESCRIPTION: Buffer overflow in the imap_fetch_overview function in the IMAP functionality (php_imap.c) in PHP before 4.3.3 allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a long e-mail address in a (1) To or (2) From header. CVE-2003-1304 DESCRIPTION: EarlyImpact ProductCart 1.0 through 2.0 stores database/EIPC.mdb under the web root with insufficient access control, which allows remote attackers to obtain sensitive database information via a direct request. CVE-2003-1305 DESCRIPTION: Microsoft Internet Explorer allows remote attackers to cause a denial of service (resource consumption) via a Javascript src attribute that recursively loads the current web page. CVE-2003-1306 DESCRIPTION: Microsoft URLScan 2.5, with the RemoveServerHeader option enabled, allows remote attackers to obtain sensitive information (server name and version) via an HTTP request that generates certain errors such as 400 "Bad Request," which leak the Server header in the response. CVE-2003-1307 DESCRIPTION: ** DISPUTED ** The mod_php module for the Apache HTTP Server allows local users with write access to PHP scripts to send signals to the server's process group and use the server's file descriptors, as demonstrated by sending a STOP signal, then intercepting incoming connections on the server's TCP port. NOTE: the PHP developer has disputed this vulnerability, saying "The opened file descriptors are opened by Apache. It is the job of Apache to protect them ... Not a bug in PHP." CVE-2003-1308 DESCRIPTION: CRLF injection vulnerability in fvwm-menu-directory for fvwm 2.5.x before 2.5.10 and 2.4.x before 2.4.18 allows local users to execute arbitrary commands via carriage returns in a filename. CVE-2003-1309 DESCRIPTION: The DeviceIoControl function in the TrueVector Device Driver (VSDATANT) in ZoneAlarm before 3.7.211, Pro before 4.0.146.029, and Plus before 4.0.146.029 allows local users to gain privileges via certain signals (aka "Device Driver Attack"). CVE-2003-1310 DESCRIPTION: The DeviceIoControl function in the Norton Device Driver (NAVAP.sys) in Symantec Norton AntiVirus 2002 allows local users to gain privileges by overwriting memory locations via certain control codes (aka "Device Driver Attack"). CVE-2003-1311 DESCRIPTION: siteminderagent/SmMakeCookie.ccc in Netegrity SiteMinder does not ensure that the TARGET parameter names a valid redirection resource, which allows remote attackers to construct a URL that might trick users into visiting an arbitrary web site referenced by this parameter. CVE-2003-1312 DESCRIPTION: siteminderagent/SmMakeCookie.ccc in Netegrity SiteMinder places a session ID string in the value of the SMSESSION parameter in a URL, which might allow remote attackers to obtain the ID by sniffing, reading Referer logs, or other methods. CVE-2003-1313 DESCRIPTION: Multiple PHP remote file inclusion vulnerabilities in EternalMart Mailing List Manager (EMLM) 1.32 allow remote attackers to execute arbitrary PHP code via a URL in (1) the emml_admin_path parameter to admin/auth.php or (2) the emml_path parameter to emml_email_func.php. CVE-2003-1314 DESCRIPTION: PHP remote file inclusion vulnerability in admin/auth.php in EternalMart Guestbook (EMGB) 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the emgb_admin_path parameter. CVE-2003-1315 DESCRIPTION: SQL injection vulnerability in auth.php in Land Down Under (LDU) v601 and earlier allows remote attackers to execute arbitrary SQL commands. CVE-2003-1316 DESCRIPTION: mod.php in eNdonesia 8.2 allows remote attackers to obtain sensitive information via a ' (quote) value in the lng parameter, which reveals the path in an error message. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. CVE-2003-1317 DESCRIPTION: Cross-site scripting (XSS) vulnerability in mod.php in eNdonesia 8.2 allows remote attackers to inject arbitrary web script or HTML via the mod parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. CVE-2003-1318 DESCRIPTION: Twilight Webserver 1.3.3.0 allows remote attackers to cause a denial of service (application crash) via a GET request for a long URI, a different vulnerability than CVE-2004-2376. CVE-2003-1319 DESCRIPTION: Multiple buffer overflows in SmartFTP 1.0.973, and other versions before 1.0.976, allow remote attackers to execute arbitrary code via (1) a long response to a PWD command, which triggers a stack-based overflow, and (2) a long line in a response to a file LIST command, which triggers a heap-based overflow. CVE-2003-1320 DESCRIPTION: SonicWALL firmware before 6.4.0.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted Internet Key Exchange (IKE) response packets, possibly including (1) a large Security Parameter Index (SPI) field, (2) a large number of payloads, or (3) a long payload. CVE-2003-1321 DESCRIPTION: Buffer overflow in Avant Browser 8.02 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long URL in an HTTP request. CVE-2003-1322 DESCRIPTION: Multiple stack-based buffer overflows in Atrium MERCUR IMAPD in MERCUR Mailserver before 4.2.15.0 allow remote attackers to execute arbitrary code via a long (1) EXAMINE, (2) DELETE, (3) SUBSCRIBE, (4) RENAME, (5) UNSUBSCRIBE, (6) LIST, (7) LSUB, (8) STATUS, (9) LOGIN, (10) CREATE, or (11) SELECT command. CVE-2003-1323 DESCRIPTION: Elm ME+ 2.4 before PL109S, when installed setgid mail and the operating system lacks POSIX saved ID support, allows local users to read and modify certain files with the privileges of the mail group via unspecified vectors. CVE-2003-1324 DESCRIPTION: Race condition in the can_open function in Elm ME+ 2.4, when installed setgid mail and the operating system lacks POSIX saved ID support, allows local users to read and modify certain files with the privileges of the mail group. CVE-2003-1325 DESCRIPTION: The SV_CheckForDuplicateNames function in Valve Software Half-Life CSTRIKE Dedicated Server 1.1.1.0 and earlier allows remote authenticated users to cause a denial of service (infinite loop and daemon hang) via a certain connection string to UDP port 27015 that represents "absence of player informations," a related issue to CVE-2006-0734. CVE-2003-1326 DESCRIPTION: Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box." CVE-2003-1327 DESCRIPTION: Buffer overflow in the SockPrintf function in wu-ftpd 2.6.2 and earlier, when compiled with MAIL_ADMIN option enabled on a system that supports very long pathnames, might allow remote anonymous users to execute arbitrary code by uploading a file with a long pathname, which triggers the overflow when wu-ftpd constructs a notification message to the administrator. CVE-2003-1328 DESCRIPTION: The showHelp() function in Microsoft Internet Explorer 5.01, 5.5, and 6.0 supports certain types of pluggable protocols that allow remote attackers to bypass the cross-domain security model and execute arbitrary code, aka "Improper Cross Domain Security Validation with ShowHelp functionality." CVE-2003-1329 DESCRIPTION: ftpd.c in wu-ftpd 2.6.2, when running on "operating systems that only allow one non-connected socket bound to the same local address," does not close failed connections, which allows remote attackers to cause a denial of service. CVE-2003-1330 DESCRIPTION: Clearswift MAILsweeper for SMTP 4.3.6 SP1 does not execute custom "on strip unsuccessful" hooks, which allows remote attackers to bypass e-mail attachment filtering policies via an attachment that MAILsweeper can detect but not remove. CVE-2003-1331 DESCRIPTION: Stack-based buffer overflow in the mysql_real_connect function in the MySql client library (libmysqlclient) 4.0.13 and earlier allows local users to execute arbitrary code via a long socket name, a different vulnerability than CVE-2001-1453. CVE-2003-1332 DESCRIPTION: Stack-based buffer overflow in the reply_nttrans function in Samba 2.2.7a and earlier allows remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2003-0201. CVE-2003-1333 DESCRIPTION: Unspecified vulnerability in the Cache' Server Page (CSP) implementation in InterSystems Cache' 4.0.3 through 5.0.5 allows remote attackers to "gain complete control" of a server. CVE-2003-1334 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Kai Blankenhorn Bitfolge simple and nice index file (aka snif) before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CVE-2003-1335 DESCRIPTION: Directory traversal vulnerability in Kai Blankenhorn Bitfolge simple and nice index file (aka snif) before 1.2.5 allows remote attackers to download files from locations above the snif directory. CVE-2003-1336 DESCRIPTION: Buffer overflow in mIRC before 6.11 allows remote attackers to execute arbitrary code via a long irc:// URL. CVE-2003-1337 DESCRIPTION: Heap-based buffer overflow in Aprelium Abyss Web Server 1.1.2 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request. CVE-2003-1338 DESCRIPTION: CRLF injection vulnerability in Aprelium Abyss Web Server 1.1.2 and earlier allows remote attackers to inject arbitrary HTTP headers and possibly conduct HTTP Response Splitting attacks via CRLF sequences in the Location header. CVE-2003-1339 DESCRIPTION: Stack-based buffer overflow in eZnet.exe, as used in eZ (a) eZphotoshare, (b) eZmeeting, (c) eZnetwork, and (d) eZshare allows remote attackers to cause a denial of service (crash) or execute arbitrary code, as demonstrated via (1) a long GET request and (2) a long operation or autologin parameter to SwEzModule.dll. CVE-2003-1340 DESCRIPTION: Multiple SQL injection vulnerabilities in Francisco Burzi PHP-Nuke 5.6 and 6.5 allow remote authenticated users to execute arbitrary SQL commands via (1) a uid (user) cookie to modules.php; and allow remote attackers to execute arbitrary SQL commands via an aid (admin) cookie to the Web_Links module in a (2) viewlink, (3) MostPopular, or (4) NewLinksDate action, different vectors than CVE-2003-0279. CVE-2003-1341 DESCRIPTION: The default installation of Trend Micro OfficeScan 3.0 through 3.54 and 5.x allows remote attackers to bypass authentication from cgiChkMasterPasswd.exe and gain access to the web management console via a direct request to cgiMasterPwd.exe. CVE-2003-1342 DESCRIPTION: Trend Micro Virus Control System (TVCS) 1.8 running with IIS allows remote attackers to cause a denial of service (memory consumption) in IIS via multiple URL requests for ActiveSupport.exe. CVE-2003-1343 DESCRIPTION: Trend Micro ScanMail for Exchange (SMEX) before 3.81 and before 6.1 might install a back door account in smg_Smxcfg30.exe, which allows remote attackers to gain access to the web management interface via the vcc parameter, possibly "3560121183d3". CVE-2003-1344 DESCRIPTION: Trend Micro Virus Control System (TVCS) Log Collector allows remote attackers to obtain usernames, encrypted passwords, and other sensitive information via a URL request for getservers.exe with the action parameter set to "selects1", which returns log files. CVE-2003-1345 DESCRIPTION: Directory traversal vulnerability in s.dll in WebCollection Plus 5.00 allows remote attackers to view arbitrary files in c:\ via a full pathname in the d parameter. CVE-2003-1346 DESCRIPTION: D-Link wireless access point DWL-900AP+ 2.2, 2.3 and possibly 2.5 allows remote attackers to set factory default settings by upgrading the firmware using AirPlus Access Point Manager. CVE-2003-1347 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in Geeklog 1.3.7 allow remote attackers to inject arbitrary web script or HTML via the (1) cid parameter to comment.php, (2) uid parameter to profiles.php, (3) uid to users.php, and (4) homepage field. CVE-2003-1348 DESCRIPTION: Cross-site scripting (XSS) vulnerability in guestbook.cgi in ftls.org Guestbook 1.1 allows remote attackers to inject arbitrary web script or HTML via the (1) comment, (2) name, or (3) title field. CVE-2003-1349 DESCRIPTION: Directory traversal vulnerability in NITE ftp-server (NiteServer) 1.83 allows remote attackers to list arbitrary directories via a "\.." (backslash dot dot) in the CD (CWD) command. CVE-2003-1350 DESCRIPTION: List Site Pro 2.0 allows remote attackers to hijack user accounts by inserting a "|" (pipe), which is used as a field delimiter, into the bannerurl field. CVE-2003-1351 DESCRIPTION: Directory traversal vulnerability in edittag.cgi in EditTag 1.1 allows remote attackers to read arbitrary files via a "%2F.." (encoded slash dot dot) in the file parameter. CVE-2003-1352 DESCRIPTION: Gabber 0.8.7 sends an email to a specific address during user login and logout, which allows remote attackers to obtain user session activity and Gabber version number by sniffing. CVE-2003-1353 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in Outreach Project Tool (OPT) 0.946b allow remote attackers to inject arbitrary web script or HTML, as demonstrated using the news field. CVE-2003-1354 DESCRIPTION: Multiple GameSpy 3D 2.62 compatible gaming servers generate very large UDP responses to small requests, which allows remote attackers to use the servers as an amplifier in DDoS attacks with spoofed UDP query packets, as demonstrated using Battlefield 1942. CVE-2003-1355 DESCRIPTION: Buffer overflow in the remote console (rcon) in Battlefield 1942 1.2 and 1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long user name and password. CVE-2003-1356 DESCRIPTION: The "file handling" in sort in HP-UX 10.01 through 10.20, and 11.00 through 11.11 is "incorrect," which allows attackers to gain access or cause a denial of service via unknown vectors. CVE-2003-1357 DESCRIPTION: ProxyView has a default administrator password of Administrator for Embedded Windows NT, which allows remote attackers to gain access. CVE-2003-1358 DESCRIPTION: rs.F300 for HP-UX 10.0 through 11.22 uses the PATH environment variable to find and execute programs such as rm while operating at raised privileges, which allows local users to gain privileges by modifying the path to point to a malicious rm program. CVE-2003-1359 DESCRIPTION: Buffer overflow in stmkfont utility of HP-UX 10.0 through 11.22 allows local users to gain privileges via a long command line argument. CVE-2003-1360 DESCRIPTION: Buffer overflow in the setupterm function of (1) lanadmin and (2) landiag programs of HP-UX 10.0 through 10.34 allows local users to execute arbitrary code via a long TERM environment variable. CVE-2003-1361 DESCRIPTION: Unknown vulnerability in VERITAS Bare Metal Restore (BMR) of Tivoli Storage Manager (TSM) 3.1.0 through 3.2.1 allows remote attackers to gain root privileges on the BMR Main Server. CVE-2003-1362 DESCRIPTION: Bastille B.02.00.00 of HP-UX 11.00 and 11.11 does not properly configure the (1) NOVRFY and (2) NOEXPN options in the sendmail.cf file, which could allow remote attackers to verify the existence of system users and expand defined sendmail aliases. CVE-2003-1363 DESCRIPTION: The remote web management interface of Aprelium Technologies Abyss Web Server 1.1.2 and earlier does not log connection attempts to the web management port (9999), which allows remote attackers to mount brute force attacks on the administration console without detection. CVE-2003-1364 DESCRIPTION: Aprelium Technologies Abyss Web Server 1.1.2, and possibly other versions before 1.1.4, allows remote attackers to cause a denial of service (crash) via an HTTP GET message with empty (1) Connection or (2) Range fields. CVE-2003-1365 DESCRIPTION: The escape_dangerous_chars function in CGI::Lite 2.0 and earlier does not correctly remove special characters including (1) "\" (backslash), (2) "?", (3) "~" (tilde), (4) "^" (carat), (5) newline, or (6) carriage return, which could allow remote attackers to read or write arbitrary files, or execute arbitrary commands, in shell scripts that rely on CGI::Lite to filter such dangerous inputs. CVE-2003-1366 DESCRIPTION: chpass in OpenBSD 2.0 through 3.2 allows local users to read portions of arbitrary files via a hard link attack on a temporary file used to store user database information. CVE-2003-1367 DESCRIPTION: The which_access variable for Majordomo 2.0 through 1.94.4, and possibly earlier versions, is set to "open" by default, which allows remote attackers to identify the email addresses of members of mailing lists via a "which" command. CVE-2003-1368 DESCRIPTION: Buffer overflow in the 32bit FTP client 9.49.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long FTP server banner. CVE-2003-1369 DESCRIPTION: Buffer overflow in ByteCatcher FTP client 1.04b allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long FTP server banner. CVE-2003-1370 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in Nuked-Klan 1.2b allow remote attackers to inject arbitrary HTML or web script via (1) the Author field in the Guestbook module, (2) the Titre or Pseudo fields in the Forum module, or (3) "La Tribune Libre" in the Shoutbox module. CVE-2003-1371 DESCRIPTION: Nuked-Klan 1.3b, and possibly earlier versions, allows remote attackers to obtain sensitive server information via an op parameter set to phpinfo for the (1) Team, (2) News, or (3) Liens modules. CVE-2003-1372 DESCRIPTION: Cross-site scripting (XSS) vulnerability in links.php script in myPHPNuke 1.8.8, and possibly earlier versions, allows remote attackers to inject arbitrary HTML and web script via the (1) ratenum or (2) query parameters. CVE-2003-1373 DESCRIPTION: Directory traversal vulnerability in auth.php for PhpBB 1.4.0 through 1.4.4 allows remote attackers to read and include arbitrary files via .. (dot dot) sequences followed by NULL (%00) characters in CGI parameters, as demonstrated using the lang parameter in prefs.php. CVE-2003-1374 DESCRIPTION: Buffer overflow in disable of HP-UX 11.0 may allow local users to execute arbitrary code via a long argument to the (1) -r or (2)-c options. CVE-2003-1375 DESCRIPTION: Buffer overflow in wall for HP-UX 10.20 through 11.11 may allow local users to execute arbitrary code by calling wall with a large file as an argument. CVE-2003-1376 DESCRIPTION: WinZip 8.0 uses weak random number generation for password protected ZIP files, which allows local users to brute force the encryption keys and extract the data from the zip file by guessing the state of the stream coder. CVE-2003-1377 DESCRIPTION: Buffer overflow in the reverse DNS lookup of Smart IRC Daemon (SIRCD) 0.4.0 and 0.4.4 allows remote attackers to execute arbitrary code via a client with a long hostname. CVE-2003-1378 DESCRIPTION: Microsoft Outlook Express 6.0 and Outlook 2000, with the security zone set to Internet Zone, allows remote attackers to execute arbitrary programs via an HTML email with the CODEBASE parameter set to the program, a vulnerability similar to CAN-2002-0077. CVE-2003-1379 DESCRIPTION: clarkconnectd in ClarkConnect Linux 1.2 allows remote attackers to obtain sensitive information about the server via the characters (1) A, which reveals the date and time, (2) F, (3) M, which reveals 'ifconfig' information, (4) P, which lists the processes, (5) Y, which reveals the snort log files, or (6) b, which reveals /var/log/messages. CVE-2003-1380 DESCRIPTION: Directory traversal vulnerability in BisonFTP Server 4 release 2 allows remote attackers to (1) list directories above the root via an 'ls @../' command, or (2) list files above the root via a "mget @../FILE" command. CVE-2003-1381 DESCRIPTION: Format string vulnerability in AMX 0.9.2 and earlier, a plugin for Valve Software's Half-Life Server, allows remote attackers to execute arbitrary commands via format string specifiers in the amx_say command. CVE-2003-1382 DESCRIPTION: Buffer overflow in ISMail 1.4.3 and earlier allow remote attackers to execute arbitrary code via long domain names in (1) MAIL FROM or (2) RCPT TO fields. CVE-2003-1383 DESCRIPTION: WEB-ERP 0.1.4 and earlier allows remote attackers to obtain sensitive information via an HTTP request for the logicworks.ini file, which contains the MySQL database username and password. CVE-2003-1384 DESCRIPTION: Cross-site scripting (XSS) vulnerability in index.php in PY-Livredor 1.0 allows remote attackers to insert arbitrary web script or HTML via the (1) titre, (2) Votre pseudo, (3) Votre e-mail, or (4) Votre message fields. CVE-2003-1385 DESCRIPTION: ipchat.php in Invision Power Board 1.1.1 allows remote attackers to execute arbitrary PHP code, if register_globals is enabled, by modifying the root_path parameter to reference a URL on a remote web server that contains the code. CVE-2003-1386 DESCRIPTION: AXIS 2400 Video Server 2.00 through 2.33 allows remote attackers to obtain sensitive information via an HTTP request to /support/messages, which displays the server's /var/log/messages file. CVE-2003-1387 DESCRIPTION: Buffer overflow in Opera 6.05 and 6.06, and possibly other versions, allows remote attackers to execute arbitrary code via a URL with a long username. CVE-2003-1388 DESCRIPTION: Buffer overflow in Opera 7.02 Build 2668 allows remote attackers to crash Opera via a long HTTP request ending in a .ZIP extension. CVE-2003-1389 DESCRIPTION: RTS CryptoBuddy 1.2 and earlier truncates long passphrases without warning the user, which may make it easier to conduct certain brute force guessing attacks. CVE-2003-1390 DESCRIPTION: RTS CryptoBuddy 1.2 and earlier stores bytes 53 through 55 of a 55-byte passphrase in plaintext, which makes it easier for local users to guess the passphrase. CVE-2003-1391 DESCRIPTION: RTS CryptoBuddy 1.0 and 1.2 uses a weak encryption algorithm for the passphrase and generates predictable keys, which makes it easier for attackers to guess the passphrase. CVE-2003-1392 DESCRIPTION: CryptoBuddy 1.0 and 1.2 does not use the user-supplied passphrase to encrypt data, which could allow local users to use their own passphrase to decrypt the data. CVE-2003-1393 DESCRIPTION: Buffer overflow in Gupta SQLBase 8.1.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long EXECUTE command. CVE-2003-1394 DESCRIPTION: CoffeeCup Software Password Wizard 4.0 stores sensitive information such as usernames and passwords in a .apw file under the web document root with insufficient access control, which allows remote attackers to obtain that information via a direct request for the file. CVE-2003-1395 DESCRIPTION: Buffer overflow in KaZaA Media Desktop 2.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a response to the ad server. CVE-2003-1396 DESCRIPTION: Heap-based buffer overflow in Opera 6.05 through 7.10 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a filename with a long extension. CVE-2003-1397 DESCRIPTION: The PluginContext object of Opera 6.05 and 7.0 allows remote attackers to cause a denial of service (crash) via an HTTP request containing a long string that gets passed to the ShowDocument method. CVE-2003-1398 DESCRIPTION: Cisco IOS 12.0 through 12.2, when IP routing is disabled, accepts false ICMP redirect messages, which allows remote attackers to cause a denial of service (network routing modification). CVE-2003-1399 DESCRIPTION: eject 2.0.10, when installed setuid on systems such as SuSE Linux 7.3, generates different error messages depending on whether a specified file exists or not, which allows local users to obtain sensitive information. CVE-2003-1400 DESCRIPTION: Cross-site scripting (XSS) vulnerability in the Your_Account module for PHP-Nuke 5.0 through 6.0 allows remote attackers to inject arbitrary web script or HTML via the user_avatar parameter. CVE-2003-1401 DESCRIPTION: login.php in php-Board 1.0 stores plaintext passwords in $username.txt with insufficient access control under the web document root, which allows remote attackers to obtain sensitive information via a direct request. CVE-2003-1402 DESCRIPTION: PHP remote file inclusion vulnerability in hit.php for Kietu 2.0 and 2.3 allows remote attackers to execute arbitrary PHP code via the url_hit parameter, a different vulnerability than CVE-2006-5015. CVE-2003-1403 DESCRIPTION: foo.php3 in DotBr 0.1 allows remote attackers to obtain sensitive information via a direct request, which calls the phpinfo function. CVE-2003-1404 DESCRIPTION: DotBr 0.1 stores config.inc with insufficient access control under the web document root, which allows remote attackers to obtain sensitive information such as SQL usernames and passwords. CVE-2003-1405 DESCRIPTION: DotBr 0.1 allows remote attackers to execute arbitrary shell commands via the cmd parameter to (1) exec.php3 or (2) system.php3. CVE-2003-1406 DESCRIPTION: PHP remote file inclusion vulnerability in D-Forum 1.00 through 1.11 allows remote attackers to execute arbitrary PHP code via a URL in the (1) my_header parameter to header.php3 or (2) my_footer parameter to footer.php3. CVE-2003-1407 DESCRIPTION: Buffer overflow in cmd.exe in Windows NT 4.0 may allow local users to execute arbitrary code via a long pathname argument to the cd command. CVE-2003-1408 DESCRIPTION: Lotus Domino Server 5.0 and 6.0 allows remote attackers to read the source code for files via an HTTP request with a filename with a trailing dot. CVE-2003-1409 DESCRIPTION: TOPo 1.43 allows remote attackers to obtain sensitive information by sending an HTTP request with an invalid parameter to (1) in.php or (2) out.php, which reveals the path to the TOPo directory in the error message. CVE-2003-1410 DESCRIPTION: PHP remote file inclusion vulnerability in email.php (aka email.php3) in Cedric Email Reader 0.2 and 0.3 allows remote attackers to execute arbitrary PHP code via the cer_skin parameter. CVE-2003-1411 DESCRIPTION: PHP remote file inclusion vulnerability in emailreader_execute_on_each_page.inc.php in Cedric Email Reader 0.4 allows remote attackers to execute arbitrary PHP code via the emailreader_ini parameter. CVE-2003-1412 DESCRIPTION: PHP remote file inclusion vulnerability in index.php for GONiCUS System Administrator (GOsa) 1.0 allows remote attackers to execute arbitrary PHP code via the plugin parameter to (1) 3fax/1blocklists/index.php; (2) 6departamentadmin/index.php, (3) 5terminals/index.php, (4) 4mailinglists/index.php, (5) 3departaments/index.php, and (6) 2groupd/index.php in 2administration/; or (7) the base parameter to include/help.php. CVE-2003-1413 DESCRIPTION: parse_xml.cgi in Apple Darwin Streaming Server 4.1.1 allows remote attackers to determine the existence of arbitrary files by using ".." sequences in the filename parameter and comparing the resulting error messages. CVE-2003-1414 DESCRIPTION: Directory traversal vulnerability in parse_xml.cg Apple Darwin Streaming Server 4.1.2 and Apple Quicktime Streaming Server 4.1.1 allows remote attackers to read arbitrary files via a ... (triple dot) in the filename parameter. CVE-2003-1415 DESCRIPTION: NetCharts XBRL Server 4.0.0 allows remote attackers to obtain sensitive information via an HTTP request with an invalid chunked transfer encoding specification. CVE-2003-1416 DESCRIPTION: BisonFTP Server 4 release 2 allows remote attackers to cause a denial of service (CPU consumption) via a long (1) ls or (2) cwd command. CVE-2003-1417 DESCRIPTION: nCipher Support Software 6.00, when using generatekey KeySafe to import keys, does not delete the temporary copies of the key, which may allow local users to gain access to the key by reading the (1) key.pem or (2) key.der files. CVE-2003-1418 DESCRIPTION: Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote attackers to obtain sensitive information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, which reveals child process IDs (PID). CVE-2003-1419 DESCRIPTION: Netscape 7.0 allows remote attackers to cause a denial of service (crash) via a web page with an invalid regular expression argument to the JavaScript reformatDate function. CVE-2003-1420 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Opera 6.0 through 7.0 with automatic redirection disabled allows remote attackers to inject arbitrary web script or HTML via the HTTP Location header. CVE-2003-1421 DESCRIPTION: Unspecified vulnerability in mod_mysql_logger shared object in SuckBot 0.006 allows remote attackers to cause a denial of service (seg fault) via unknown attack vectors. CVE-2003-1422 DESCRIPTION: Multiple unspecified vulnerabilities in the installer for SYSLINUX 2.01, when running setuid root, allow local users to gain privileges via unknown vectors. CVE-2003-1423 DESCRIPTION: Petitforum stores the liste.txt data file under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as e-mail addresses and encrypted passwords. CVE-2003-1424 DESCRIPTION: message.php in Petitforum does not properly authenticate users, which allows remote attackers to impersonate forum users via a modified connect cookie. CVE-2003-1425 DESCRIPTION: guestbook.cgi in cPanel 5.0 allows remote attackers to execute arbitrary commands via the template parameter. CVE-2003-1426 DESCRIPTION: Openwebmail in cPanel 5.0, when run using suid Perl, adds the directory in the SCRIPT_FILENAME environment variable to Perl's @INC include array, which allows local users to execute arbitrary code by modifying SCRIPT_FILENAME to reference a directory containing a malicious openwebmail-shared.pl executable. CVE-2003-1427 DESCRIPTION: Directory traversal vulnerability in the web configuration interface in Netgear FM114P 1.4 allows remote attackers to read arbitrary files, such as the netgear.cfg configuration file, via a hex-encoded (%2e%2e%2f) ../ (dot dot slash) in the port parameter. CVE-2003-1428 DESCRIPTION: Gallery 1.3.3 creates directories with insecure permissions, which allows local users to read, modify, or delete photos. CVE-2003-1429 DESCRIPTION: Buffer overflow in Proxomitron Naoko 4.4 allows remote attackers to execute arbitrary code via a long request. CVE-2003-1430 DESCRIPTION: Directory traversal vulnerability in Unreal Tournament Server 436 and earlier allows remote attackers to access known files via a ".." (dot dot) in an unreal:// URL. CVE-2003-1431 DESCRIPTION: Buffer overflow in Epic Games Unreal Engine 226f through 436 allows remote attackers to cause a denial of service (crash) via a long host string in the Unreal URL. CVE-2003-1432 DESCRIPTION: Epic Games Unreal Engine 226f through 436 allows remote attackers to cause a denial of service (CPU consumption or crash) and possibly execute arbitrary code via (1) a packet with a negative size value, which is treated as a large positive number during memory allocation, or (2) a negative size value in a package file. CVE-2003-1433 DESCRIPTION: Epic Games Unreal Engine 226f through 436 does not validate the challenge key, which allows remote attackers to exhaust the player limit by joining the game multiple times. CVE-2003-1434 DESCRIPTION: login_ldap 3.1 and 3.2 allows remote attackers to initiate unauthenticated bind requests if (1) bind_anon_dn is on, which allows a bind with no password provided, (2) bind_anon_cred is on, which allows a bind with no DN, or (3) bind_anon is on, which allows a bind with no DN or password. CVE-2003-1435 DESCRIPTION: SQL injection vulnerability in PHP-Nuke 5.6 and 6.0 allows remote attackers to execute arbitrary SQL commands via the days parameter to the search module. CVE-2003-1436 DESCRIPTION: PHP remote file inclusion vulnerability in nukebrowser.php in Nukebrowser 2.1 to 2.5 allows remote attackers to execute arbitrary PHP code via the filhead parameter. CVE-2003-1437 DESCRIPTION: BEA WebLogic Express and WebLogic Server 7.0 and 7.0.0.1, stores passwords in plaintext when a keystore is used to store a private key or trust certificate authorities, which allows local users to gain access. CVE-2003-1438 DESCRIPTION: Race condition in BEA WebLogic Server and Express 5.1 through 7.0.0.1, when using in-memory session replication or replicated stateful session beans, causes the same buffer to be provided to two users, which could allow one user to see session data that was intended for another user. CVE-2003-1439 DESCRIPTION: Secure Internet Live Conferencing (SILC) 0.9.11 and 0.9.12 stores passwords and sessions in plaintext in memory, which could allow local users to obtain sensitive information. CVE-2003-1440 DESCRIPTION: SpamProbe 0.8a allows remote attackers to cause a denial of service (crash) via HTML e-mail with newline characters within an href tag, which is not properly handled by certain regular expressions. CVE-2003-1441 DESCRIPTION: Posadis 0.50.4 through 0.50.8 allows remote attackers to cause a denial of service (crash) via a DNS message without a question section, which triggers null dereference. CVE-2003-1442 DESCRIPTION: The web administration page for the Ericsson HM220dp ADSL modem does not require authentication, which could allow remote attackers to gain access from the LAN side. CVE-2003-1443 DESCRIPTION: Kaspersky Antivirus (KAV) 4.0.9.0 does not detect viruses in files with MS-DOS device names in their filenames, which allows local users to bypass virus protection, as demonstrated using aux.vbs and aux.com. CVE-2003-1444 DESCRIPTION: Kaspersky Antivirus (KAV) 4.0.9.0 allows local users to cause a denial of service (CPU consumption or crash) and prevent malicious code from being detected via a file with a long pathname. CVE-2003-1445 DESCRIPTION: Stack-based buffer overflow in Far Manager 1.70beta1 and earlier allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long pathname. CVE-2003-1446 DESCRIPTION: Buffer overflow in the save_into_file function in save.c for Rogue 5.2-2 allows local users to execute arbitrary code with games group privileges by setting a long HOME environment variable and invoking the save game function with a ~ (tilde). CVE-2003-1447 DESCRIPTION: IBM WebSphere Advanced Server Edition 4.0.4 uses a weak encryption algorithm (XOR and base64 encoding), which allows local users to decrypt passwords when the configuration file is exported to XML. CVE-2003-1448 DESCRIPTION: Memory leak in the Windows 2000 kernel allows remote attackers to cause a denial of service (SMB request hang) via a NetBIOS continuation packet. CVE-2003-1449 DESCRIPTION: Aladdin Knowlege Systems eSafe Gateway 3.5.126.0 does not check the entire stream of Content Vectoring Protocol (CVP) data, which allows remote attackers to bypass virus protection. CVE-2003-1450 DESCRIPTION: BitchX 75p3 and 1.0c16 through 1.0c20cvs allows remote attackers to cause a denial of service (segmentation fault) via a malformed RPL_NAMREPLY numeric 353 message. CVE-2003-1451 DESCRIPTION: Buffer overflow in Symantec Norton AntiVirus 2002 allows remote attackers to execute arbitrary code via an e-mail attachment with a compressed ZIP file that contains a file with a long filename. CVE-2003-1452 DESCRIPTION: Untrusted search path vulnerability in Qualcomm qpopper 4.0 through 4.05 allows local users to execute arbitrary code by modifying the PATH environment variable to reference a malicious smbpasswd program. CVE-2003-1453 DESCRIPTION: Cross-site scripting (XSS) vulnerability in the MytextSanitizer function in XOOPS 1.3.5 through 1.3.9 and XOOPS 2.0 through 2.0.1 allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in an IMG tag. CVE-2003-1454 DESCRIPTION: Invision Power Services Invision Board 1.0 through 1.1.1, when a forum is password protected, stores the administrator password in a cookie in plaintext, which could allow remote attackers to gain access. CVE-2003-1455 DESCRIPTION: Multiple buffer overflows in the launch_bcrelay function in pptpctrl.c in PoPToP 1.1.4-b1 through PoPToP 1.1.4-b3 allow local users to execute arbitrary code. CVE-2003-1456 DESCRIPTION: Album.pl 6.1 allows remote attackers to execute arbitrary commands, when an alternative configuration file is used, via unknown attack vectors. CVE-2003-1457 DESCRIPTION: Auerswald COMsuite CTI ControlCenter 3.1 creates a default "runasositron" user account with an easily guessable password, which allows local users or remote attackers to gain access. CVE-2003-1458 DESCRIPTION: SQL injection vulnerability in Profile.php in ttCMS 2.2 and ttForum allows remote attackers to execute arbitrary SQL commands via the member name. CVE-2003-1459 DESCRIPTION: Multiple PHP remote file inclusion vulnerabilities in ttCMS 2.2 and ttForum allow remote attackers to execute arbitrary PHP code via the (1) template parameter in News.php or (2) installdir parameter in install.php. CVE-2003-1460 DESCRIPTION: Worker Filemanager 1.0 through 2.7 sets the permissions on the destination directory to world-readable and executable while copying data, which could allow local users to obtain sensitive information. CVE-2003-1461 DESCRIPTION: Buffer overflow in rwrite for HP-UX 11.0 could allow local users to execute arbitrary code via a long argument. NOTE: the vendor was unable to reproduce the problem on a system that had been patched for an lp vulnerability (CVE-2002-1473). CVE-2003-1462 DESCRIPTION: mod_survey 3.0.0 through 3.0.15-pre6 does not check whether a survey exists before creating a subdirectory for it, which allows remote attackers to cause a denial of service (disk consumption and possible crash). CVE-2003-1463 DESCRIPTION: Absolute path traversal vulnerability in Alt-N Technologies WebAdmin 2.0.0 through 2.0.2 allows remote attackers with administrator privileges to (1) determine the installation path by reading the contents of the Name parameter in a link, and (2) read arbitrary files via an absolute path in the Name parameter. CVE-2003-1464 DESCRIPTION: Buffer overflow in Siemens 45 series mobile phones allows remote attackers to cause a denial of service (disconnect and unavailable inbox) via a Short Message Service (SMS) message with a long image name. CVE-2003-1465 DESCRIPTION: Directory traversal vulnerability in download.php in Phorum 3.4 through 3.4.2 allows remote attackers to read arbitrary files. CVE-2003-1466 DESCRIPTION: Unspecified vulnerability in Phorum 3.4 through 3.4.2 allows remote attackers to use Phorum as a connection proxy to other sites via (1) register.php or (2) login.php. CVE-2003-1467 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in (1) login.php, (2) register.php, (3) post.php, and (4) common.php in Phorum before 3.4.3 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors. CVE-2003-1468 DESCRIPTION: The Web_Links module in PHP-Nuke 6.0 through 6.5 final allows remote attackers to obtain the full web server path via an invalid cid parameter that is non-numeric or null, which leaks the pathname in an error message. CVE-2003-1469 DESCRIPTION: The default configuration of ColdFusion MX has the "Enable Robust Exception Information" option selected, which allows remote attackers to obtain the full path of the web server via a direct request to CFIDE/probe.cfm, which leaks the path in an error message. CVE-2003-1470 DESCRIPTION: Buffer overflow in IMAP service in MDaemon 6.7.5 and earlier allows remote authenticated users to cause a denial of service (crash) and execute arbitrary code via a CREATE command with a long mailbox name. CVE-2003-1471 DESCRIPTION: MDaemon POP server 6.0.7 and earlier allows remote authenticated users to cause a denial of service (crash) via a (1) DELE or (2) UIDL with a negative number. CVE-2003-1472 DESCRIPTION: Buffer overflow in 3D-FTP client 4.0 allows remote FTP servers to cause a denial of service (crash) and possibly execute arbitrary code via a long banner. CVE-2003-1473 DESCRIPTION: Buffer overflow in LTris 1.0.1 of FreeBSD Ports Collection 2003-02-25 and earlier allows local users to execute arbitrary code with gid "games" permission via a long HOME environment variable. CVE-2003-1474 DESCRIPTION: slashem-tty in the FreeBSD Ports Collection is installed with write permissions for the games group, which allows local users with group games privileges to modify slashem-tty and execute arbitrary code as other users, as demonstrated using a separate vulnerability in LTris. CVE-2003-1475 DESCRIPTION: Netbus 1.5 through 1.7 allows more than one client to be connected at the same time, but only prompts the first connection for authentication, which allows remote attackers to gain access. CVE-2003-1476 DESCRIPTION: Cerberus FTP Server 2.1 stores usernames and passwords in plaintext, which could allow local users to gain access. CVE-2003-1477 DESCRIPTION: MAILsweeper for SMTP 4.3.6 and 4.3.7 allows remote attackers to cause a denial of service (CPU consumption) via a PowerPoint attachment that either (1) is corrupt or (2) contains "embedded objects." CVE-2003-1478 DESCRIPTION: Konqueror in KDE 3.0.3 allows remote attackers to cause a denial of service (core dump) via a web page that begins with a "xFFxFE" byte sequence and a large number of CRLF sequences, as demonstrated using freeze.htm. CVE-2003-1479 DESCRIPTION: Cross-site scripting (XSS) vulnerability in webcamXP 1.02.432 and 1.02.535 allows remote attackers to inject arbitrary web script or HTML via the message field. CVE-2003-1480 DESCRIPTION: MySQL 3.20 through 4.1.0 uses a weak algorithm for hashed passwords, which makes it easier for attackers to decrypt the password via brute force methods. CVE-2003-1481 DESCRIPTION: CommuniGate Pro 3.1 through 4.0.6 sends the session ID in the referer field for an HTTP request for an image, which allows remote attackers to hijack mail sessions via an e-mail with an IMG tag that references a malicious URL that captures the referer. CVE-2003-1482 DESCRIPTION: The backup configuration file for Microsoft MN-500 wireless base station stores administrative passwords in plaintext, which allows local users to gain access. CVE-2003-1483 DESCRIPTION: FlashFXP 1.4 uses a weak encryption algorithm for user passwords, which allows attackers to decrypt the passwords and gain access. CVE-2003-1484 DESCRIPTION: Microsoft Internet Explorer 6.0 SP1 allows remote attackers to cause a denial of service (crash) by creating a DHTML link that uses the AnchorClick "A" object with a blank href attribute. CVE-2003-1485 DESCRIPTION: Clearswift MAILsweeper 4.0 through 4.3.7 allows remote attackers to bypass filtering via a file attachment that contains "multiple extensions combined with large blocks of white space." CVE-2003-1486 DESCRIPTION: Phorum 3.4 through 3.4.2 allows remote attackers to obtain the full path of the web server via an incorrect HTTP request to (1) smileys.php, (2) quick_listrss.php, (3) purge.php, (4) news.php, (5) memberlist.php, (6) forum_listrss.php, (7) forum_list_rdf.php, (8) forum_list.php, or (9) move.php, which leaks the information in an error message. CVE-2003-1487 DESCRIPTION: Multiple "command injection" vulnerabilities in Phorum 3.4 through 3.4.2 allow remote attackers to execute arbitrary commands and modify the Phorum configuration files via the (1) UserAdmin program, (2) Edit user profile, or (3) stats program. CVE-2003-1488 DESCRIPTION: The (1) verif_admin.php and (2) check_admin.php scripts in Truegalerie 1.0 allow remote attackers to gain administrator access via a request to admin.php without the connect parameter and with the loggedin parameter set to any value, such as 1. CVE-2003-1489 DESCRIPTION: upload.php in Truegalerie 1.0 allows remote attackers to read arbitrary files by specifying the target filename in the file cookie in form.php, then downloading the file from the image gallery. CVE-2003-1490 DESCRIPTION: SonicWall Pro running firmware 6.4.0.1 allows remote attackers to cause a denial of service (device reset) via a long HTTP POST to the internal interface, possibly due to a buffer overflow. CVE-2003-1491 DESCRIPTION: Kerio Personal Firewall (KPF) 2.1.4 has a default rule to accept incoming packets from DNS (UDP port 53), which allows remote attackers to bypass the firewall filters via packets with a source port of 53. CVE-2003-1492 DESCRIPTION: Netscape Navigator 7.0.2 and Mozilla allows remote attackers to access cookie information in a different domain via an HTTP request for a domain with an extra . (dot) at the end. CVE-2003-1493 DESCRIPTION: Memory leak in HP OpenView Network Node Manager (NNM) 6.2 and 6.4 allows remote attackers to cause a denial of service (memory exhaustion) via crafted TCP packets. CVE-2003-1494 DESCRIPTION: Unspecified vulnerability in HP OpenView Network Node Manager (NNM) 6.2 and 6.4 allows remote attackers to cause a denial of service (CPU consumption) via a crafted TCP packet. CVE-2003-1495 DESCRIPTION: Unspecified vulnerability in the non-SSL web agent in various HP Management Agent products allows local users or remote attackers to gain privileges or cause a denial of service via unknown attack vectors. CVE-2003-1496 DESCRIPTION: Unspecified vulnerability in CDE dtmailpr of HP Tru64 4.0F through 5.1B allows local users to gain privileges via unknown attack vectors. NOTE: due to lack of details in the vendor advisory, it is not clear whether this is the same issue as CVE-1999-0840. CVE-2003-1497 DESCRIPTION: Buffer overflow in the system log viewer of Linksys BEFSX41 1.44.3 allows remote attackers to cause a denial of service via an HTTP request with a long Log_Page_Num variable. CVE-2003-1498 DESCRIPTION: Cross-site scripting (XSS) vulnerability in search.php for WRENSOFT Zoom Search Engine 2.0 Build 1018 and earlier allows remote attackers to inject arbitrary web script or HTML via the zoom_query parameter. CVE-2003-1499 DESCRIPTION: Directory traversal vulnerability in index.php in Bytehoard 0.7 allows remote attackers to read arbitrary files via a .. (dot dot) in the infolder parameter. CVE-2003-1500 DESCRIPTION: PHP remote file inclusion vulnerability in _functions.php in cpCommerce 0.5f allows remote attackers to execute arbitrary code via the prefix parameter. CVE-2003-1501 DESCRIPTION: Directory traversal vulnerability in the file upload CGI of Gast Arbeiter 1.3 allows remote attackers to write arbitrary files via a .. (dot dot) in the req_file parameter. CVE-2003-1502 DESCRIPTION: mod_throttle 3.0 allows local users with Apache privileges to access shared memory that points to a file that is writable by the apache user, which could allow local users to gain privileges. CVE-2003-1503 DESCRIPTION: Buffer overflow in AOL Instant Messenger (AIM) 5.2.3292 allows remote attackers to execute arbitrary code via an aim:getfile URL with a long screen name. CVE-2003-1504 DESCRIPTION: SQL injection vulnerability in variables.php in Goldlink 3.0 allows remote attackers to execute arbitrary SQL commands via the (1) vadmin_login or (2) vadmin_pass cookie in a request to goldlink.php. CVE-2003-1505 DESCRIPTION: Microsoft Internet Explorer 6.0 allows remote attackers to cause a denial of service (crash) by creating a web page or HTML e-mail with a textarea in a div element whose scrollbar-base-color is modified by a CSS style, which is then moved. CVE-2003-1506 DESCRIPTION: Cross-site scripting (XSS) vulnerability in dansguardian.pl in Adelix CensorNet 3.0 through 3.2 allows remote attackers to execute arbitrary script as other users by injecting arbitrary HTML or script into the DENIEDURL parameter. CVE-2003-1507 DESCRIPTION: Planet Technology WGSD-1020 and WSW-2401 Ethernet switches use a default "superuser" account with the "planet" password, which allows remote attackers to gain administrative access. CVE-2003-1508 DESCRIPTION: Buffer overflow in mIRC 6.12, when the DCC get dialog window has been minimized and the user opens the minimized window, allows remote attackers to cause a denial of service (crash) via a long filename. CVE-2003-1509 DESCRIPTION: Real Networks RealOne Enterprise Desktop 6.0.11.774, RealOne Player 2.0, and RealOne Player 6.0.11.818 through RealOne Player 6.0.11.853 allows remote attackers to execute arbitrary script in the local security zone by embedding script in a temp file before the temp file is executed by the default web browser. CVE-2003-1510 DESCRIPTION: TinyWeb 1.9 allows remote attackers to cause a denial of service (CPU consumption) via a ".%00." in an HTTP GET request to the cgi-bin directory. CVE-2003-1511 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Bajie Java HTTP Server 0.95 through 0.95zxv4 allows remote attackers to inject arbitrary web script or HTML via (1) the query string to test.txt, (2) the guestName parameter to the custMsg servlet, or (3) the cookiename parameter to the CookieExample servlet. CVE-2003-1512 DESCRIPTION: Buffer overflow in mIRC 6.1 and 6.11 allows remote attackers to cause a denial of service (crash) via a long DCC SEND request. CVE-2003-1513 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in example scripts in Caucho Technology Resin 2.0 through 2.1.2 allow remote attackers to inject arbitrary web script or HTML via (1) env.jsp, (2) form.jsp, (3) session.jsp, (4) the move parameter to tictactoe.jsp, or the (5) name or (6) comment fields to guestbook.jsp. CVE-2003-1514 DESCRIPTION: eMule 0.29c allows remote attackers to cause a denial of service (crash) via a long password, possibly due to a buffer overflow. CVE-2003-1515 DESCRIPTION: Origo ASR-8100 ADSL Router 3.21 has an administration service running on port 254 that does not require a password, which allows remote attackers to cause a denial of service by restoring the factory defaults. CVE-2003-1516 DESCRIPTION: The org.apache.xalan.processor.XSLProcessorVersion class in Java Plug-in 1.4.2_01 allows signed and unsigned applets to share variables, which violates the Java security model and could allow remote attackers to read or write data belonging to a signed applet. CVE-2003-1517 DESCRIPTION: cart.pl in Dansie shopping cart allows remote attackers to obtain the installation path via an invalid db parameter, which leaks the path in an error message. CVE-2003-1518 DESCRIPTION: Adiscon WinSyslog 4.21 SP1 allows remote attackers to cause a denial of service (CPU consumption) via a long syslog message. CVE-2003-1519 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Vivisimo clustering engine allows remote attackers to inject arbitrary web script or HTML via the query parameter to the search program. CVE-2003-1520 DESCRIPTION: SQL injection vulnerability in FuzzyMonkey My Classifieds 2.11 allows remote attackers to execute arbitrary SQL commands via the email parameter. CVE-2003-1521 DESCRIPTION: Sun Java Plug-In 1.4 through 1.4.2_02 allows remote attackers to repeatedly access the floppy drive via the createXmlDocument method in the org.apache.crimson.tree.XmlDocument class, which violates the Java security model. CVE-2003-1522 DESCRIPTION: Cross-site scripting (XSS) vulnerability in PSCS VPOP3 Web Mail server 2.0e and 2.0f allows remote attackers to inject arbitrary web script or HTML via the redirect parameter to the admin/index.html page. CVE-2003-1523 DESCRIPTION: SQL injection vulnerability in the IMAP daemon in dbmail 1.1 allows remote attackers to execute arbitrary SQL commands via the (1) login username, (2) mailbox name, and possibly other attack vectors. CVE-2003-1524 DESCRIPTION: PGPi PGPDisk 6.0.2i does not unmount a PGP partition when the switch user function in Windows XP is used, which could allow local users to access data on another user's PGP partition. CVE-2003-1525 DESCRIPTION: Unspecified vulnerability in My Photo Gallery 3.5, and possibly earlier versions, has unknown impact and attack vectors. CVE-2003-1526 DESCRIPTION: PHP-Nuke 7.0 allows remote attackers to obtain the installation path via certain characters such as (1) ", (2) ', or (3) > in the search field, which reveals the path in an error message. CVE-2003-1527 DESCRIPTION: BlackICE Defender 2.9.cap and Server Protection 3.5.cdf, when configured to automatically block attacks, allows remote attackers to block IP addresses and cause a denial of service via spoofed packets. CVE-2003-1528 DESCRIPTION: nsr_shutdown in Fujitsu Siemens NetWorker 6.0 allows local users to overwrite arbitrary files via a symlink attack on the nsrsh[PID] temporary file. CVE-2003-1529 DESCRIPTION: Directory traversal vulnerability in Seagull Software Systems J Walk application server 3.2C9, and other versions before 3.3c4, allows remote attackers to read arbitrary files via a ".%252e" (encoded dot dot) in the URL. CVE-2003-1530 DESCRIPTION: SQL injection vulnerability in privmsg.php in phpBB 2.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the mark[] parameter. CVE-2003-1531 DESCRIPTION: Cross-site scripting (XSS) vulnerability in testcgi.exe in Lilikoi Software Ceilidh 2.70 and earlier allows remote attackers to inject arbitrary web script or HTML via the query string. CVE-2003-1532 DESCRIPTION: SQL injection vulnerability in compte.php in PhpMyShop 1.00 allows remote attackers to execute arbitrary SQL commands via the (1) identifiant and (2) password parameters. CVE-2003-1533 DESCRIPTION: SQL injection vulnerability in accesscontrol.php in PhpPass 2 allows remote attackers to execute arbitrary SQL commands via the (1) uid and (2) pwd parameters. CVE-2003-1534 DESCRIPTION: Cross-site scripting (XSS) vulnerability in jgb.php3 in Justice Guestbook 1.3 allows remote attackers to inject arbitrary web script or HTML via the (1) name, (2) homepage, (3) aim, (4) yim, (5) location, and (6) comment variables. CVE-2003-1535 DESCRIPTION: Justice Guestbook 1.3 allows remote attackers to obtain the full installation path via a direct request to cfooter.php3, which leaks the path in an error message. CVE-2003-1536 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in Codeworx Technologies DCP-Portal 5.3.1 allow remote attackers to inject arbitrary web script or HTML via (1) the q parameter to search.php and (2) the year parameter to calendar.php. CVE-2003-1537 DESCRIPTION: Directory traversal vulnerability in PostNuke 0.723 and earlier allows remote attackers to include arbitrary files named theme.php via the theme parameter to index.php. CVE-2003-1538 DESCRIPTION: susehelp in SuSE Linux 8.1, Enterprise Server 8, Office Server, and Openexchange Server 4 does not properly filter shell metacharacters, which allows remote attackers to execute arbitrary commands via CGI queries. CVE-2003-1539 DESCRIPTION: Cross-site scripting (XSS) vulnerability in ONEdotOH Simple File Manager (SFM) before 0.21 allows remote attackers to inject arbitrary web script or HTML via (1) file names and (2) directory names. CVE-2003-1540 DESCRIPTION: WF-Chat 1.0 Beta stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain authentication information via a direct request to (1) !pwds.txt and (2) !nicks.txt. CVE-2003-1541 DESCRIPTION: PlanetMoon Guestbook tr3.a stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the admin script password, and other passwords, via a direct request to files/passwd.txt. CVE-2003-1542 DESCRIPTION: Directory traversal vulnerability in plugins/file.php in phpWebFileManager before 0.4.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the fm_path parameter. CVE-2003-1543 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Bajie Http Web Server 0.95zxe, 0.95zxc, and possibly others, allows remote attackers to inject arbitrary web script or HTML via the query string, which is reflected in an error message. CVE-2003-1544 DESCRIPTION: Unrestricted critical resource lock in Terminal Services for Windows 2000 before SP4 and Windows XP allows remote authenticated users to cause a denial of service (reboot) by obtaining a read lock on msgina.dll, which prevents msgina.dll from being loaded. CVE-2003-1545 DESCRIPTION: Absolute path traversal vulnerability in nukestyles.com viewpage.php addon for PHP-Nuke allows remote attackers to read arbitrary files via a full pathname in the file parameter. NOTE: This was originally reported as an issue in PHP-Nuke 6.5, but this is an independent addon. CVE-2003-1546 DESCRIPTION: Cross-site scripting (XSS) vulnerability in gbook.php in Filebased guestbook 1.1.3 allows remote attackers to inject arbitrary web script or HTML via the comment section. CVE-2003-1547 DESCRIPTION: Cross-site scripting (XSS) vulnerability in block-Forums.php in the Splatt Forum module for PHP-Nuke 6.x allows remote attackers to inject arbitrary web script or HTML via the subject parameter. CVE-2003-1548 DESCRIPTION: MyABraCaDaWeb 1.0.2 and earlier allows remote attackers to obtain sensitive information via an invalid IDAdmin or other parameter, which reveals the installation path in an error message. CVE-2003-1549 DESCRIPTION: Cross-site scripting (XSS) vulnerability in header.php in MyABraCaDaWeb 1.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the ma_kw parameter. CVE-2003-1550 DESCRIPTION: XOOPS 2.0, and possibly earlier versions, allows remote attackers to obtain sensitive information via an invalid xoopsOption parameter, which reveals the installation path in an error message. CVE-2003-1551 DESCRIPTION: Unspecified vulnerability in Novell GroupWise 6 SP3 WebAccess before Revision F has unknown impact and attack vectors related to "malicious script." CVE-2003-1552 DESCRIPTION: Unrestricted file upload vulnerability in uploader.php in Uploader 1.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/. CVE-2003-1553 DESCRIPTION: Haakon Nilsen Simple Internet Publishing System (SIPS) 0.2.2 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain password and other user information via a direct request to a user-specific configuration directory. CVE-2003-1554 DESCRIPTION: Cross-site scripting (XSS) vulnerability in scozbook/add.php in ScozNet ScozBook 1.1 BETA allows remote attackers to inject arbitrary web script or HTML via the (1) username, (2) useremail, (3) aim, (4) msn, (5) sitename and (6) siteaddy variables. CVE-2003-1555 DESCRIPTION: ScozNet ScozBook 1.1 BETA allows remote attackers to obtain sensitive information via an invalid PG parameter in view.php, which reveals the installation path in an error message. CVE-2003-1556 DESCRIPTION: Cross-site scripting (XSS) vulnerability in cc_guestbook.pl in CGI City CC GuestBook allows remote attackers to inject arbitrary web script or HTML via the (1) name and (2) homepage_title (webpage title) parameters. CVE-2003-1557 DESCRIPTION: Off-by-one buffer overflow in spamc of SpamAssassin 2.40 through 2.43, when using BSMTP mode ("-B"), allows remote attackers to execute arbitrary code via email containing headers with leading "." characters. CVE-2003-1558 DESCRIPTION: Buffer overflow in httpd.c of fnord 1.6 allows remote attackers to create a denial of service (crash) and possibly execute arbitrary code via a long CGI request passed to the do_cgi function. CVE-2003-1559 DESCRIPTION: Microsoft Internet Explorer 5.22, and other 5 through 6 SP1 versions, sends Referer headers containing https:// URLs in requests for http:// URLs, which allows remote attackers to obtain potentially sensitive information by reading Referer log data. CVE-2003-1560 DESCRIPTION: Netscape 4 sends Referer headers containing https:// URLs in requests for http:// URLs, which allows remote attackers to obtain potentially sensitive information by reading Referer log data. CVE-2003-1561 DESCRIPTION: Opera, probably before 7.50, sends Referer headers containing https:// URLs in requests for http:// URLs, which allows remote attackers to obtain potentially sensitive information by reading Referer log data. CVE-2003-1562 DESCRIPTION: sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using PAM keyboard-interactive authentication, does not insert a delay after a root login attempt with the correct password, which makes it easier for remote attackers to use timing differences to determine if the password step of a multi-step authentication is successful, a different vulnerability than CVE-2003-0190. CVE-2003-1563 DESCRIPTION: Sun Cluster 2.2 through 3.2 for Oracle Parallel Server / Real Application Clusters (OPS/RAC) allows local users to cause a denial of service (cluster node panic or abort) by launching a daemon listening on a TCP port that would otherwise be used by the Distributed Lock Manager (DLM), possibly involving this daemon responding in a manner that spoofs a cluster reconfiguration. CVE-2003-1564 DESCRIPTION: libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack." CVE-2003-1565 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2002-1565. Reason: This candidate is a duplicate of CVE-2002-1565. Notes: All CVE users should reference CVE-2002-1565 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2003-1566 DESCRIPTION: Microsoft Internet Information Services (IIS) 5.0 does not log requests that use the TRACK method, which allows remote attackers to obtain sensitive information without detection. CVE-2003-1567 DESCRIPTION: The undocumented TRACK method in Microsoft Internet Information Services (IIS) 5.0 returns the content of the original request in the body of the response, which makes it easier for remote attackers to steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism, by using TRACK to read the contents of the HTTP headers that are returned in the response, a technique that is similar to cross-site tracing (XST) using HTTP TRACE. CVE-2003-1568 DESCRIPTION: GoAhead WebServer before 2.1.6 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an invalid URL, related to the websSafeUrl function. CVE-2003-1569 DESCRIPTION: GoAhead WebServer before 2.1.5 on Windows 95, 98, and ME allows remote attackers to cause a denial of service (daemon crash) via an HTTP request with a (1) con, (2) nul, (3) clock$, or (4) config$ device name in a path component, different vectors than CVE-2001-0385. CVE-2003-1570 DESCRIPTION: The server in IBM Tivoli Storage Manager (TSM) 5.1.x, 5.2.x before 5.2.1.2, and 6.x before 6.1 does not require credentials to observe the server console in some circumstances, which allows remote authenticated administrators to monitor server operations by establishing a console mode session, related to "session exposure." CVE-2003-1571 DESCRIPTION: Web Wiz Guestbook 6.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database and obtain sensitive information via a direct request for database/WWGguestbook.mdb. NOTE: it was later reported that 8.21 is also affected. CVE-2003-1572 DESCRIPTION: Sun Java Media Framework (JMF) 2.1.1 through 2.1.1c allows unsigned applets to cause a denial of service (JVM crash) and read or write unauthorized memory locations via the ReadEnv class, as demonstrated by reading environment variables using modified .data and .size fields. CVE-2003-1573 DESCRIPTION: The PointBase 4.6 database component in the J2EE 1.4 reference implementation (J2EE/RI) allows remote attackers to execute arbitrary programs, conduct a denial of service, and obtain sensitive information via a crafted SQL statement, related to "inadequate security settings and library bugs in sun.* and org.apache.* packages." CVE-2003-1574 DESCRIPTION: TikiWiki 1.6.1 allows remote attackers to bypass authentication by entering a valid username with an arbitrary password, possibly related to the Internet Explorer "Remember Me" feature. NOTE: some of these details are obtained from third party information. CVE-2003-1575 DESCRIPTION: VERITAS File System (VxFS) 3.3.3, 3.4, and 3.5 before MP1 Rolling Patch 02 for Sun Solaris 2.5.1 through 9 does not properly implement inheritance of default ACLs in certain circumstances related to the characteristics of a directory inode, which allows local users to bypass intended file permissions by accessing a file on a VxFS filesystem. CVE-2003-1576 DESCRIPTION: Buffer overflow in pamverifier in Change Manager (CM) 1.0 for Sun Management Center (SunMC) 3.0 on Solaris 8 and 9 on the sparc platform allows remote attackers to execute arbitrary code via unspecified vectors. CVE-2003-1577 DESCRIPTION: Sun ONE (aka iPlanet) Web Server 4.1 through SP12 and 6.0 through SP5, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files, and conduct cross-site scripting (XSS) attacks involving the iPlanet Log Analyzer, via an HTTP request in conjunction with a crafted DNS response, related to an "Inverse Lookup Log Corruption (ILLC)" issue, a different vulnerability than CVE-2002-1315 and CVE-2002-1316. CVE-2003-1578 DESCRIPTION: Sun ONE (aka iPlanet) Web Server 4.1 through SP12 and 6.0 through SP5, when DNS resolution is enabled for client IP addresses, allows remote attackers to hide HTTP requests from the log-preview functionality by accompanying the requests with crafted DNS responses specifying a domain name beginning with a "format=" substring, related to an "Inverse Lookup Log Corruption (ILLC)" issue. CVE-2003-1579 DESCRIPTION: Sun ONE (aka iPlanet) Web Server 6 on Windows, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue. CVE-2003-1580 DESCRIPTION: The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue. CVE-2003-1581 DESCRIPTION: The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue. CVE-2003-1582 DESCRIPTION: Microsoft Internet Information Services (IIS) 6.0, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue. CVE-2003-1583 DESCRIPTION: Cross-site scripting (XSS) vulnerability in WebTrends allows remote attackers to inject arbitrary web script or HTML via a crafted client domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue. CVE-2003-1584 DESCRIPTION: Cross-site scripting (XSS) vulnerability in SurfStats allows remote attackers to inject arbitrary web script or HTML via a crafted client domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue. CVE-2003-1585 DESCRIPTION: Cross-site scripting (XSS) vulnerability in WebLogExpert allows remote attackers to inject arbitrary web script or HTML via a crafted client domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue. CVE-2003-1586 DESCRIPTION: Cross-site scripting (XSS) vulnerability in WebExpert allows remote attackers to inject arbitrary web script or HTML via a crafted User-Agent HTTP header. CVE-2003-1587 DESCRIPTION: Cross-site scripting (XSS) vulnerability in LoganPro allows remote attackers to inject arbitrary web script or HTML via a crafted User-Agent HTTP header. CVE-2003-1588 DESCRIPTION: Sun Cluster 2.2, when HA-Oracle or HA-Sybase DBMS services are used, stores database credentials in cleartext in a cluster configuration file, which allows local users to obtain sensitive information by reading this file. CVE-2003-1589 DESCRIPTION: Unspecified vulnerability in Sun ONE (aka iPlanet) Web Server 4.1 before SP13 and 6.0 before SP6 on Windows allows attackers to cause a denial of service (daemon crash) via unknown vectors. CVE-2003-1590 DESCRIPTION: Unspecified vulnerability in Sun ONE (aka iPlanet) Web Server 6.0 SP3 through SP5 on Windows allows remote attackers to cause a denial of service (daemon crash) via unknown vectors. CVE-2003-1591 DESCRIPTION: NWFTPD.nlm in the FTP server in Novell NetWare 6.0 before SP4 and 6.5 before SP1 allows user-assisted remote attackers to cause a denial of service (console hang) via a large number of FTP sessions, which are not properly handled during an NLM unload. CVE-2003-1592 DESCRIPTION: Multiple buffer overflows in NWFTPD.nlm in the FTP server in Novell NetWare 6.0 before SP4 and 6.5 before SP1 allow remote attackers to cause a denial of service (abend) via a long (1) username or (2) password. CVE-2003-1593 DESCRIPTION: NWFTPD.nlm in the FTP server in Novell NetWare 6.0 before SP4 and 6.5 before SP1 does not enforce domain-name login restrictions, which allows remote attackers to bypass intended access control via an FTP connection. CVE-2003-1594 DESCRIPTION: NWFTPD.nlm before 5.04.05 in the FTP server in Novell NetWare 6.5 does not properly enforce FTPREST.TXT settings, which allows remote attackers to bypass intended access restrictions via an FTP session. CVE-2003-1595 DESCRIPTION: NWFTPD.nlm before 5.04.05 in the FTP server in Novell NetWare 6.5 does not properly perform "intruder detection," which has unspecified impact and attack vectors. CVE-2003-1596 DESCRIPTION: NWFTPD.nlm before 5.03.12 in the FTP server in Novell NetWare does not properly restrict filesystem use by anonymous users with NFS Gateway home directories, which allows remote attackers to bypass intended access restrictions via an FTP session. CVE-2003-1597 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-1598 DESCRIPTION: SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable. CVE-2003-1599 DESCRIPTION: PHP remote file inclusion vulnerability in wp-links/links.all.php in WordPress 0.70 allows remote attackers to execute arbitrary PHP code via a URL in the $abspath variable. CVE-2003-1600 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-1601 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-1602 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2003-1603 DESCRIPTION: GE Healthcare Discovery VH has a default password of (1) interfile for the ftpclient user of the Interfile server or (2) "2" for the LOCAL user of the FTP server for the Codonics printer, which has unspecified impact and attack vectors. CVE-2003-1604 DESCRIPTION: The redirect_target function in net/ipv4/netfilter/ipt_REDIRECT.c in the Linux kernel before 2.6.0 allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending packets to an interface that has a 0.0.0.0 IP address, a related issue to CVE-2015-8787. CVE-2004-0001 DESCRIPTION: Unknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges. CVE-2004-0002 DESCRIPTION: The TCP MSS (maximum segment size) functionality in netinet allows remote attackers to cause a denial of service (resource exhaustion) via (1) a low MTU, which causes a large number of small packets to be produced, or (2) via a large number of packets with a small TCP payload, which cause a large number of calls to the resource-intensive sowakeup function. CVE-2004-0003 DESCRIPTION: Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking." CVE-2004-0004 DESCRIPTION: The libCheckSignature function in crypto-utils.lib for OpenCA 0.9.1.6 and earlier only compares the serial of the signer's certificate and the one in the database, which can cause OpenCA to incorrectly accept a signature if the certificate's chain is trusted by OpenCA's chain directory, allowing remote attackers to spoof requests from other users. CVE-2004-0005 DESCRIPTION: Multiple buffer overflows in Gaim 0.75 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) octal encoding in yahoo_decode that causes a null byte to be written beyond the buffer, (2) octal encoding in yahoo_decode that causes a pointer to reference memory beyond the terminating null byte, (3) a quoted printable string to the gaim_quotedp_decode MIME decoder that causes a null byte to be written beyond the buffer, and (4) quoted printable encoding in gaim_quotedp_decode that causes a pointer to reference memory beyond the terminating null byte. CVE-2004-0006 DESCRIPTION: Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect. CVE-2004-0007 DESCRIPTION: Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code. CVE-2004-0008 DESCRIPTION: Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow. CVE-2004-0009 DESCRIPTION: Apache-SSL 1.3.28+1.52 and earlier, with SSLVerifyClient set to 1 or 3 and SSLFakeBasicAuth enabled, allows remote attackers to forge a client certificate by using basic authentication with the "one-line DN" of the target user. CVE-2004-0010 DESCRIPTION: Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges. CVE-2004-0011 DESCRIPTION: Buffer overflow in fsp before 2.81.b18 allows remote users to execute arbitrary code. CVE-2004-0012 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0013 DESCRIPTION: jabber 1.4.2, 1.4.2a, and possibly earlier versions, does not properly handle SSL connections, which allows remote attackers to cause a denial of service (crash). CVE-2004-0014 DESCRIPTION: Multiple buffer overflows in the nd WebDAV interface 0.8.2 and earlier allows remote web servers to execute arbitrary code via certain long strings. CVE-2004-0015 DESCRIPTION: vbox3 0.1.8 and earlier does not properly drop privileges before executing a user-provided TCL script, which allows local users to gain privileges. CVE-2004-0016 DESCRIPTION: The calendar module for phpgroupware 0.9.14 does not enforce the "save extension" feature for holiday files, which allows remote attackers to create and execute PHP files. CVE-2004-0017 DESCRIPTION: Multiple SQL injection vulnerabilities in the (1) calendar and (2) infolog modules for phpgroupware 0.9.14 allow remote attackers to perform unauthorized database operations. CVE-2004-0018 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0019 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0020 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0021 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0022 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0023 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0024 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0025 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0026 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0027 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0028 DESCRIPTION: jitterbug 1.6.2 does not properly sanitize inputs, which allows remote authenticated users to execute arbitrary commands. CVE-2004-0029 DESCRIPTION: Lotus Notes Domino 6.0.2 on Linux installs the notes.ini configuration file with world-writable permissions, which allows local users to modify the Notes configuration and gain privileges. CVE-2004-0030 DESCRIPTION: PHP remote file inclusion vulnerability in (1) functions.php, (2) authentication_index.php, and (3) config_gedcom.php for PHPGEDVIEW 2.61 allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains the code. CVE-2004-0031 DESCRIPTION: PHPGEDVIEW 2.61 allows remote attackers to reinstall the software and change the administrator password via a direct HTTP request to editconfig.php. CVE-2004-0032 DESCRIPTION: Cross-site scripting (XSS) vulnerability in search.php in PHPGEDVIEW 2.61 allows remote attackers to inject arbitrary HTML and web script via the firstname parameter. CVE-2004-0033 DESCRIPTION: admin.php in PHPGEDVIEW 2.61 allows remote attackers to obtain sensitive information via an action parameter with a phpinfo command. CVE-2004-0034 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in Phorum 3.4.5 and earlier allow remote attackers to inject arbitrary HTML or web script via (1) the phorum_check_xss function in common.php, (2) the EditError variable in profile.php, and (3) the Error variable in login.php. CVE-2004-0035 DESCRIPTION: SQL injection vulnerability in register.php for Phorum 3.4.5 and earlier allows remote attackers to execute arbitrary SQL commands via the hide_email parameter. CVE-2004-0036 DESCRIPTION: SQL injection vulnerability in calendar.php for vBulletin Forum 2.3.x before 2.3.4 allows remote attackers to steal sensitive information via the eventid parameter. CVE-2004-0037 DESCRIPTION: FirstClass Desktop Client 7.1 allows remote attackers to execute arbitrary commands via hyperlinks in FirstClass RTF messages. CVE-2004-0038 DESCRIPTION: McAfee ePolicy Orchestrator (ePO) 2.5.1 Patch 13 and 3.0 SP2a Patch 3 allows remote attackers to execute arbitrary commands via certain HTTP POST requests to the spipe/file handler on ePO TCP port 81. CVE-2004-0039 DESCRIPTION: Multiple format string vulnerabilities in HTTP Application Intelligence (AI) component in Check Point Firewall-1 NG-AI R55 and R54, and Check Point Firewall-1 HTTP Security Server included with NG FP1, FP2, and FP3 allows remote attackers to execute arbitrary code via HTTP requests that cause format string specifiers to be used in an error message, as demonstrated using the scheme of a URI. CVE-2004-0040 DESCRIPTION: Stack-based buffer overflow in Check Point VPN-1 Server 4.1 through 4.1 SP6 and Check Point SecuRemote/SecureClient 4.1 through 4.1 build 4200 allows remote attackers to execute arbitrary code via an ISAKMP packet with a large Certificate Request packet. CVE-2004-0041 DESCRIPTION: The mod_auth_shadow module 1.4 and earlier does not properly enforce the expiration of a user account and password, which could allow remote authenticated users to bypass intended access restrictions. CVE-2004-0042 DESCRIPTION: vsftpd 1.1.3 generates different error messages depending on whether or not a valid username exists, which allows remote attackers to identify valid usernames. CVE-2004-0043 DESCRIPTION: Buffer overflow in Yahoo Instant Messenger 5.6.0.1351 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long filename in the download feature. CVE-2004-0044 DESCRIPTION: Cisco Personal Assistant 1.4(1) and 1.4(2) disables password authentication when "Allow Only Cisco CallManager Users" is enabled and the Corporate Directory settings refer to the directory service being used by Cisco CallManager, which allows remote attackers to gain access with a valid username. CVE-2004-0045 DESCRIPTION: Buffer overflow in the ARTpost function in art.c in the control message handling code for INN 2.4.0 may allow remote attackers to execute arbitrary code. CVE-2004-0046 DESCRIPTION: Cross-site scripting (XSS) vulnerability in SnapStream PVS LITE allows remote attackers to inject arbitrary web script or HTML via a GET request containing a terminating '"' (double quote) character. CVE-2004-0047 DESCRIPTION: Multiple programs in trr19 1.0 do not properly drop privileges before executing a system command, which could allow local users to gain privileges. CVE-2004-0048 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0049 DESCRIPTION: Helix Universal Server/Proxy 9 and Mobile Server 10 allow remote attackers to cause a denial of service via certain HTTP POST messages to the Administration System port. CVE-2004-0050 DESCRIPTION: Verity Ultraseek before 5.2.2 allows remote attackers to obtain the full pathname of the document root via an MS-DOS device name in the web search option, such as (1) NUL, (2) CON, (3) AUX, (4) COM1, (5) COM2, and others. CVE-2004-0051 DESCRIPTION: Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use non-standard but frequently supported Content-Transfer-Encoding values such as (1) uuencode, (2) mac-binhex40, and (3) yenc, which may be interpreted differently by mail clients. CVE-2004-0052 DESCRIPTION: Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use non-standard separator characters, or use standard separators incorrectly, within MIME headers, fields, parameters, or values, which may be interpreted differently by mail clients. CVE-2004-0053 DESCRIPTION: Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use fields that use RFC2047 encoding, which may be interpreted differently by mail clients. CVE-2004-0054 DESCRIPTION: Multiple vulnerabilities in the H.323 protocol implementation for Cisco IOS 11.3T through 12.2T allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. CVE-2004-0055 DESCRIPTION: The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value. CVE-2004-0056 DESCRIPTION: Multiple vulnerabilities in the H.323 protocol implementation for Nortel Networks Business Communications Manager (BCM), Succession 1000 IP Trunk and IP Peer Networking, and 802.11 Wireless IP Gateway allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. CVE-2004-0057 DESCRIPTION: The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989. CVE-2004-0058 DESCRIPTION: Antivir / Linux 2.0.9-9, and possibly earlier versions, allows local users to overwrite arbitrary files via a symlink attack on the .pid_antivir_$$ temporary file. CVE-2004-0059 DESCRIPTION: Directory traversal vulnerability in upload capability of WWW File Share Pro 2.42 and earlier allows remote attackers to overwrite arbitrary files via .. (dot dot) sequences in the filename parameter of a Content-Disposition: header. CVE-2004-0060 DESCRIPTION: WWW File Share Pro 2.42 and earlier allows remote attackers to cause a denial of service (crash) via a large POST request. CVE-2004-0061 DESCRIPTION: WWW File Share Pro 2.42 and earlier allows remote attackers to bypass directory access restrictions via (1) a URL with a trailing . (dot), or (2) a URI with a leading slash or backslash character. CVE-2004-0062 DESCRIPTION: Integer overflow in the rnd arithmetic rounding function for various versions of FishCart before 3.1 allows remote attackers to "cause negative totals" via an order with a large quantity. CVE-2004-0063 DESCRIPTION: The SPP_VerifyPVV function in nCipher payShield SPP library 1.3.12, 1.5.18 and 1.6.18 returns a Status_OK value even if the HSM returns a different status code, which could cause applications to make incorrect security-critical decisions, e.g. by accepting an invalid PIN number. CVE-2004-0064 DESCRIPTION: The SuSEconfig.gnome-filesystem script for YaST in SuSE 9.0 allows local users to overwrite arbitrary files via a symlink attack on files within the tmp.SuSEconfig.gnome-filesystem.$RANDOM temporary directory. CVE-2004-0065 DESCRIPTION: Multiple SQL injection vulnerabilities in phpGedView before 2.65 allow remote attackers to execute arbitrary SQL via (1) timeline.php and (2) placelist.php. CVE-2004-0066 DESCRIPTION: phpGedView before 2.65 allows remote attackers to obtain the absolute path of the web server via malformed parameters to (1) indilist.php, (2) famlist.php, (3) placelist.php, (4) imageview.php, (5) timeline.php, (6) clippings.php, (7) login.php, and (8) gdbi.php. CVE-2004-0067 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in phpGedView before 2.65 allow remote attackers to inject arbitrary HTML or web script via (1) descendancy.php, (2) index.php, (3) individual.php, (4) login.php, (5) relationship.php, (6) source.php, (7) imageview.php, (8) calendar.php, (9) gedrecord.php, (10) login.php, and (11) gdbi_interface.php. NOTE: some aspects of vector 10 were later reported to affect 4.1. CVE-2004-0068 DESCRIPTION: PHP remote file inclusion vulnerability in config.php for PhpDig 1.6.5 and earlier allows remote attackers to execute arbitrary PHP code by modifying the $relative_script_path parameter to reference a URL on a remote web server that contains the code. CVE-2004-0069 DESCRIPTION: Format string vulnerability in HD Soft Windows FTP Server 1.6 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the username, which is processed by the wscanf function. CVE-2004-0070 DESCRIPTION: PHP remote file inclusion vulnerability in module.php for ezContents allows remote attackers to execute arbitrary PHP code by modifying the link parameter to reference a URL on a remote web server that contains the code. CVE-2004-0071 DESCRIPTION: Directory traversal vulnerability in buildManPage in class.manpagelookup.php for PHP Man Page Lookup 1.2.0 allows remote attackers to read arbitrary files via the command parameter ($cmd variable) to index.php. CVE-2004-0072 DESCRIPTION: Directory traversal vulnerability in Accipiter Direct Server 6.0 allows remote attackers to read arbitrary files via encoded \.. (backslash .., "%5c%2e%2e") sequences in an HTTP request. CVE-2004-0073 DESCRIPTION: PHP remote file inclusion vulnerability in (1) config.php and (2) config_page.php for EasyDynamicPages 2.0 allows remote attackers to execute arbitrary PHP code by modifying the edp_relative_path parameter to reference a URL on a remote web server that contains a malicious serverdata.php script. CVE-2004-0074 DESCRIPTION: Multiple buffer overflows in xsok 1.02 allows local users to gain privileges via (1) a long LANG environment variable, or (2) a long -xsokdir command line argument, a different vulnerability than CVE-2003-0949. CVE-2004-0075 DESCRIPTION: The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service. CVE-2004-0076 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was removed from consideration by its Candidate Numbering Authority. Notes: none. CVE-2004-0077 DESCRIPTION: The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. CVE-2004-0078 DESCRIPTION: Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages. CVE-2004-0079 DESCRIPTION: The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. CVE-2004-0080 DESCRIPTION: The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data. CVE-2004-0081 DESCRIPTION: OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. CVE-2004-0082 DESCRIPTION: The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password. CVE-2004-0083 DESCRIPTION: Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. CVE-2004-0084 DESCRIPTION: Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106. CVE-2004-0085 DESCRIPTION: Unknown vulnerability in the Mail application for Mac OS X 10.1.5 and 10.2.8 with unknown impact, a different vulnerability than CVE-2004-0086. CVE-2004-0086 DESCRIPTION: Unknown vulnerability in the Mail application for Mac OS X 10.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2004-0085. CVE-2004-0087 DESCRIPTION: The System Configuration subsystem in Mac OS 10.2.8 and 10.3.2 allows local users to modify network settings, a different vulnerability than CVE-2004-0088. CVE-2004-0088 DESCRIPTION: The System Configuration subsystem in Mac OS 10.2.8 allows local users to modify network settings, a different vulnerability than CVE-2004-0087. CVE-2004-0089 DESCRIPTION: Buffer overflow in TruBlueEnvironment in Mac OS X 10.3.x and 10.2.x allows local users to gain privileges via a long environment variable. CVE-2004-0090 DESCRIPTION: Unknown vulnerability in Windows File Sharing for Mac OS X 10.1.5 through 10.3.2 does not "shutdown properly," which has unknown impact and attack vectors. CVE-2004-0091 DESCRIPTION: ** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in register.php for unknown versions of vBulletin allows remote attackers to inject arbitrary HTML or web script via the reg_site (or possibly regsite) parameter. NOTE: the vendor has disputed this issue, saying "There is no hidden field called 'reg_site', nor any $reg_site variable anywhere in the vBulletin 2 or vBulletin 3 source code or templates, nor has it ever existed. We can only assume that this vulnerability was found in a site running code modified from that supplied by Jelsoft." CVE-2004-0092 DESCRIPTION: Unknown vulnerability in Safari web browser in Mac OS X 10.2.8 and 10.3.2, with unknown impact. CVE-2004-0093 DESCRIPTION: XFree86 4.1.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an out-of-bounds array index when using the GLX extension and Direct Rendering Infrastructure (DRI). CVE-2004-0094 DESCRIPTION: Integer signedness errors in XFree86 4.1.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code when using the GLX extension and Direct Rendering Infrastructure (DRI). CVE-2004-0095 DESCRIPTION: McAfee ePolicy Orchestrator agent allows remote attackers to cause a denial of service (memory consumption and crash) and possibly execute arbitrary code via an HTTP POST request with an invalid Content-Length value, possibly triggering a buffer overflow. CVE-2004-0096 DESCRIPTION: Unknown vulnerability in mod_python 2.7.9 allows remote attackers to cause a denial of service (httpd crash) via a certain query string, a variant of CAN-2003-0973. CVE-2004-0097 DESCRIPTION: Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. CVE-2004-0098 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0099 DESCRIPTION: mksnap_ffs in FreeBSD 5.1 and 5.2 only sets the snapshot flag when creating a snapshot for a file system, which causes default values for other flags to be used, possibly disabling security-critical settings and allowing a local user to bypass intended access restrictions. CVE-2004-0100 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0101 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0102 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0103 DESCRIPTION: crawl before 4.0.0 beta23 does not properly "apply a size check" when copying a certain environment variable, which may allow local users to gain privileges, possibly as a result of a buffer overflow. CVE-2004-0104 DESCRIPTION: Multiple format string vulnerabilities in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code. CVE-2004-0105 DESCRIPTION: Multiple buffer overflows in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code. CVE-2004-0106 DESCRIPTION: Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084. CVE-2004-0107 DESCRIPTION: The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108. CVE-2004-0108 DESCRIPTION: The isag utility, which processes sysstat data, allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CAN-2004-0107. CVE-2004-0109 DESCRIPTION: Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry. CVE-2004-0110 DESCRIPTION: Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL. CVE-2004-0111 DESCRIPTION: gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file. CVE-2004-0112 DESCRIPTION: The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. CVE-2004-0113 DESCRIPTION: Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server. CVE-2004-0114 DESCRIPTION: The shmat system call in the System V Shared Memory interface for FreeBSD 5.2 and earlier, NetBSD 1.3 and earlier, and OpenBSD 2.6 and earlier, does not properly decrement a shared memory segment's reference count when the vm_map_find function fails, which could allow local users to gain read or write access to a portion of kernel memory and gain privileges. CVE-2004-0115 DESCRIPTION: VirtualPC_Services in Microsoft Virtual PC for Mac 6.0 through 6.1 allows local attackers to truncate and overwrite arbitrary files, and execute arbitrary code, via a symlink attack on the VPCServices_Log temporary file. CVE-2004-0116 DESCRIPTION: An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. CVE-2004-0117 DESCRIPTION: Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. CVE-2004-0118 DESCRIPTION: The component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code. CVE-2004-0119 DESCRIPTION: The Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection. CVE-2004-0120 DESCRIPTION: The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages. CVE-2004-0121 DESCRIPTION: Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs. CVE-2004-0122 DESCRIPTION: Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files. CVE-2004-0123 DESCRIPTION: Double free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code. CVE-2004-0124 DESCRIPTION: The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability." CVE-2004-0125 DESCRIPTION: The jail system call in FreeBSD 4.x before 4.10-RELEASE does not verify that an attempt to manipulate routing tables originated from a non-jailed process, which could allow local users to modify the routing table. CVE-2004-0126 DESCRIPTION: The jail_attach system call in FreeBSD 5.1 and 5.2 changes the directory of a calling process even if the process doesn't have permission to change directory, which allows local users to gain read/write privileges to files and directories within another jail. CVE-2004-0127 DESCRIPTION: Directory traversal vulnerability in editconfig_gedcom.php for phpGedView 2.65.1 and earlier allows remote attackers to read arbitrary files or execute arbitrary PHP programs on the server via .. (dot dot) sequences in the gedcom_config parameter. CVE-2004-0128 DESCRIPTION: PHP remote file inclusion vulnerability in the GEDCOM configuration script for phpGedView 2.65.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains a malicious theme.php script. CVE-2004-0129 DESCRIPTION: Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5 and earlier allows remote attackers to read arbitrary files via .. (dot dot) sequences in the what parameter. CVE-2004-0130 DESCRIPTION: login.php in phpGedView 2.65 and earlier allows remote attackers to obtain sensitive information via an HTTP request to login.php that does not contain the required username or password parameters, which causes the information to be leaked in an error message. CVE-2004-0131 DESCRIPTION: The rad_print_request function in logger.c for GNU Radius daemon (radiusd) before 1.2 allows remote attackers to cause a denial of service (crash) via a UDP packet with an Acct-Status-Type attribute without a value and no Acct-Session-Id attribute, which causes a null dereference. CVE-2004-0132 DESCRIPTION: Multiple PHP remote file inclusion vulnerabilities in ezContents 2.0.2 and earlier allow remote attackers to execute arbitrary PHP code from a remote web server, as demonstrated using (1) the GLOBALS[rootdp] parameter to db.php, or (2) the GLOBALS[language_home] parameter to archivednews.php, and a malicious version of lang_admin.php. CVE-2004-0133 DESCRIPTION: The XFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the XFS file system, which allows local users to obtain sensitive information by reading the raw device. CVE-2004-0134 DESCRIPTION: cpr (libcpr) in SGI IRIX before 6.5.25 allows local users to gain privileges by loading a user provided library while restarting the checkpointed process. CVE-2004-0135 DESCRIPTION: The syssgi SGI_IOPROBE system call in IRIX 6.5.20 through 6.5.24 allows local users to gain privileges by reading and writing to kernel memory. CVE-2004-0136 DESCRIPTION: The mapelf32exec function call in IRIX 6.5.20 through 6.5.24 allows local users to cause a denial of service (system crash) via a "corrupted binary." CVE-2004-0137 DESCRIPTION: Unknown vulnerability in init for IRIX 6.5.20 through 6.5.24 allows local users to cause a denial of service (system panic) as a result of "page invalidation issues." CVE-2004-0138 DESCRIPTION: The ELF loader in Linux kernel 2.4 before 2.4.25 allows local users to cause a denial of service (crash) via a crafted ELF file with an interpreter with an invalid arch (architecture), which triggers a BUG() when an invalid VMA is unmapped. CVE-2004-0139 DESCRIPTION: Unknown vulnerability in the bsd.a kernel networking for SGI IRIX 6.5.22 through 6.5.25, and possibly earlier versions, in which "t_unbind changes t_bind's behavior," has unknown impact and attack vectors. CVE-2004-0140 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0141 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0142 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0143 DESCRIPTION: Multiple vulnerabilities in Nokia 6310(i) Mobile phones allow remote attackers to cause a denial of service (reset) via malformed Bluetooth OBject EXchange (OBEX) messages, probably triggering buffer overflows. CVE-2004-0144 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0145 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0146 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0147 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0148 DESCRIPTION: wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. CVE-2004-0149 DESCRIPTION: Multiple buffer overflows in xboing before 2.4 allow local users to gain privileges. CVE-2004-0150 DESCRIPTION: Buffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2, when IPv6 support is disabled, allows remote attackers to execute arbitrary code via an IPv6 address that is obtained using DNS. CVE-2004-0151 DESCRIPTION: Unknown vulnerability in xitalk 1.1.11 and earlier allows local users to execute arbitrary commands. CVE-2004-0152 DESCRIPTION: Multiple stack-based buffer overflows in (1) the encode_mime function, (2) the encode_uuencode function, (3) or the decode_uuencode function for emil 2.1.0 and earlier allow remote attackers to execute arbitrary code via e-mail messages containing attachments with filenames. CVE-2004-0153 DESCRIPTION: Multiple format string vulnerabilities in emil 2.1.0 and earlier may allow remote attackers to execute arbitrary code by triggering certain error messages. CVE-2004-0154 DESCRIPTION: rpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers to cause a denial of service (crash) via an NFS mount of a directory from a client whose reverse DNS lookup name is different from the forward lookup name. CVE-2004-0155 DESCRIPTION: The KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, validates the X.509 certificate but does not verify the RSA signature authentication, which allows remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks using a valid, trusted X.509 certificate. CVE-2004-0156 DESCRIPTION: Format string vulnerabilities in the (1) die or (2) log_event functions for ssmtp before 2.50.6 allow remote mail relays to cause a denial of service and possibly execute arbitrary code. CVE-2004-0157 DESCRIPTION: x11.c in xonix 1.4 and earlier uses the current working directory to find and execute the rmail program, which allows local users to execute arbitrary code by modifying the path to point to a malicious rmail program. CVE-2004-0158 DESCRIPTION: Buffer overflow in lbreakout2 allows local users to gain 'games' group privileges via a large HOME environment variable to (1) editor.c, (2) theme.c, (3) manager.c, (4) config.c, (5) game.c, (6) levels.c, or (7) main.c. CVE-2004-0159 DESCRIPTION: Format string vulnerability in hsftp 1.11 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via file names containing format string characters that are not properly handled when executing an "ls" command. CVE-2004-0160 DESCRIPTION: Synaesthesia 2.2 and earlier allows local users to execute arbitrary code via a symlink attack on the configuration file. CVE-2004-0161 DESCRIPTION: Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use RFC2231 encoding, which may be interpreted differently by mail clients. CVE-2004-0162 DESCRIPTION: Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME encapsulation that uses RFC822 comment fields, which may be interpreted as other fields by mail clients. CVE-2004-0163 DESCRIPTION: Sygate Secure Enterprise (SSE) 3.5MR3 and earlier does not change the key used to encrypt data, which allows remote attackers to cause a denial of service (resource exhaustion) by capturing a session and repeatedly replaying the session. CVE-2004-0164 DESCRIPTION: KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c. CVE-2004-0165 DESCRIPTION: Format string vulnerability in Point-to-Point Protocol (PPP) daemon (pppd) 2.4.0 for Mac OS X 10.3.2 and earlier allows remote attackers to read arbitrary pppd process data, including PAP or CHAP authentication credentials, to gain privileges. CVE-2004-0166 DESCRIPTION: Unknown vulnerability in Safari web browser for Mac OS X 10.2.8 related to "the display of URLs in the status bar." CVE-2004-0167 DESCRIPTION: DiskArbitration in Mac OS X 10.2.8 and 10.3.2 does not properly initialize writeable removable media. CVE-2004-0168 DESCRIPTION: Unknown vulnerability in CoreFoundation for Mac OS X 10.3.2, related to "notification logging." CVE-2004-0169 DESCRIPTION: QuickTime Streaming Server in MacOS X 10.2.8 and 10.3.2 allows remote attackers to cause a denial of service (crash) via DESCRIBE requests with long User-Agent fields, which causes an Assert error to be triggered in the BufferIsFull function. CVE-2004-0170 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0171 DESCRIPTION: FreeBSD 5.1 and earlier, and Mac OS X before 10.3.4, allows remote attackers to cause a denial of service (resource exhaustion of memory buffers and system crash) via a large number of out-of-sequence TCP packets, which prevents the operating system from creating new connections. CVE-2004-0172 DESCRIPTION: Heap-based buffer overflow in the search_for_command function of ltrace 0.3.10, if it is installed setuid, could allow local users to execute arbitrary code via a long filename. NOTE: It is unclear whether there are any packages that install ltrace as a setuid program, so this candidate might be REJECTed. CVE-2004-0173 DESCRIPTION: Directory traversal vulnerability in Apache 1.3.29 and earlier, and Apache 2.0.48 and earlier, when running on Cygwin, allows remote attackers to read arbitrary files via a URL containing "..%5C" (dot dot encoded backslash) sequences. CVE-2004-0174 DESCRIPTION: Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket." CVE-2004-0175 DESCRIPTION: Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files. NOTE: this may be a rediscovery of CVE-2000-0992. CVE-2004-0176 DESCRIPTION: Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors. CVE-2004-0177 DESCRIPTION: The ext3 code in Linux 2.4.x before 2.4.26 does not properly initialize journal descriptor blocks, which causes an information leak in which in-memory data is written to the device for the ext3 file system, which allows privileged users to obtain portions of kernel memory by reading the raw device. CVE-2004-0178 DESCRIPTION: The OSS code for the Sound Blaster (sb16) driver in Linux 2.4.x before 2.4.26, when operating in 16 bit mode, does not properly handle certain sample sizes, which allows local users to cause a denial of service (crash) via a sample with an odd number of bytes. CVE-2004-0179 DESCRIPTION: Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code. CVE-2004-0180 DESCRIPTION: The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405. CVE-2004-0181 DESCRIPTION: The JFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the JFS file system, which allows local users to obtain sensitive information by reading the raw device. CVE-2004-0182 DESCRIPTION: Mailman before 2.0.13 allows remote attackers to cause a denial of service (crash) via an email message with an empty subject field. CVE-2004-0183 DESCRIPTION: TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. CVE-2004-0184 DESCRIPTION: Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. CVE-2004-0185 DESCRIPTION: Buffer overflow in the skey_challenge function in ftpd.c for wu-ftp daemon (wu-ftpd) 2.6.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a s/key (SKEY) request with a long name. CVE-2004-0186 DESCRIPTION: smbmnt in Samba 2.x and 3.x on Linux 2.6, when installed setuid, allows local users to gain root privileges by mounting a Samba share that contains a setuid root program, whose setuid attributes are not cleared when the share is mounted. CVE-2004-0187 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0185. Reason: This candidate is a reservation duplicate of CVE-2004-0185. Notes: All CVE users should reference CVE-2004-0185 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2004-0188 DESCRIPTION: Heap-based buffer overflow in Calife 2.8.5 and earlier may allow local users to execute arbitrary code via a long password. CVE-2004-0189 DESCRIPTION: The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") character, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. CVE-2004-0190 DESCRIPTION: Symantec FireWall/VPN Appliance model 200 records a cleartext password for the password administration page, which may be cached on the administrator's local system or in a proxy, which allows attackers to steal the password and gain privileges. CVE-2004-0191 DESCRIPTION: Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events. CVE-2004-0192 DESCRIPTION: Cross-site scripting (XSS) vulnerability in the Management Service for Symantec Gateway Security 2.0 allows remote attackers to steal cookies and hijack a management session via a /sgmi URL that contains malicious script, which is not quoted in the resulting error page. CVE-2004-0193 DESCRIPTION: Heap-based buffer overflow in the ISS Protocol Analysis Module (PAM), as used in certain versions of RealSecure Network 7.0 and Server Sensor 7.0, Proventia A, G, and M Series, RealSecure Desktop 7.0 and 3.6, RealSecure Guard 3.6, RealSecure Sentry 3.6, BlackICE PC Protection 3.6, and BlackICE Server Protection 3.6, allows remote attackers to execute arbitrary code via an SMB packet containing an authentication request with a long username. CVE-2004-0194 DESCRIPTION: Stack-based buffer overflow in the OutputDebugString function for Adobe Acrobat Reader 5.1 allows remote attackers to execute arbitrary code via a PDF document with XML Forms Data Format (XFDF) data. CVE-2004-0195 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0196 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0197 DESCRIPTION: Buffer overflow in Microsoft Jet Database Engine 4.0 allows remote attackers to execute arbitrary code via a specially-crafted database query. CVE-2004-0198 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0199 DESCRIPTION: Help and Support Center in Microsoft Windows XP and Windows Server 2003 SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code, as demonstrated using certain hcp:// URLs that access the DVD Upgrade capability (dvdupgrd.htm). CVE-2004-0200 DESCRIPTION: Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. CVE-2004-0201 DESCRIPTION: Heap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041. CVE-2004-0202 DESCRIPTION: IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVE-2004-0203 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Outlook Web Access for Exchange Server 5.5 Service Pack 4 allows remote attackers to insert arbitrary script and spoof content in HTML email or web caches via an HTML redirect query. CVE-2004-0204 DESCRIPTION: Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimag argument to crystalimagehandler.aspx. CVE-2004-0205 DESCRIPTION: Buffer overflow in Microsoft Internet Information Server (IIS) 4.0 allows local users to execute arbitrary code via the redirect function. CVE-2004-0206 DESCRIPTION: Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow. CVE-2004-0207 DESCRIPTION: "Shatter" style vulnerability in the Window Management application programming interface (API) for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to gain privileges by using certain API functions to change properties of privileged programs using the SetWindowLong and SetWIndowLongPtr API functions. CVE-2004-0208 DESCRIPTION: The Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions. CVE-2004-0209 DESCRIPTION: Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer." CVE-2004-0210 DESCRIPTION: The POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow. CVE-2004-0211 DESCRIPTION: The kernel for Microsoft Windows Server 2003 does not reset certain values in CPU data structures, which allows local users to cause a denial of service (system crash) via a malicious program. CVE-2004-0212 DESCRIPTION: Stack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share. CVE-2004-0213 DESCRIPTION: Utility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CVE-2003-0908. CVE-2004-0214 DESCRIPTION: Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba. CVE-2004-0215 DESCRIPTION: Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header. CVE-2004-0216 DESCRIPTION: Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. CVE-2004-0217 DESCRIPTION: The LiveUpdate capability (liveupdate.sh) in Symantec AntiVirus Scan Engine 4.0 and 4.3 for Red Hat Linux allows local users to create or append to arbitrary files via a symlink attack on /tmp/LiveUpdate.log. CVE-2004-0218 DESCRIPTION: isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (infinite loop) via an ISAKMP packet with a zero-length payload, as demonstrated by the Striker ISAKMP Protocol Test Suite. CVE-2004-0219 DESCRIPTION: isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with a malformed IPSEC SA payload, as demonstrated by the Striker ISAKMP Protocol Test Suite. CVE-2004-0220 DESCRIPTION: isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service via an ISAKMP packet with a malformed Cert Request payload, which causes an integer underflow that is used in a malloc operation that is not properly handled, as demonstrated by the Striker ISAKMP Protocol Test Suite. CVE-2004-0221 DESCRIPTION: isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with a delete payload containing a large number of SPIs, which triggers an out-of-bounds read error, as demonstrated by the Striker ISAKMP Protocol Test Suite. CVE-2004-0222 DESCRIPTION: Multiple memory leaks in isakmpd in OpenBSD 3.4 and earlier allow remote attackers to cause a denial of service (memory exhaustion) via certain ISAKMP packets, as demonstrated by the Striker ISAKMP Protocol Test Suite. CVE-2004-0223 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0224 DESCRIPTION: Multiple buffer overflows in (1) iso2022jp.c or (2) shiftjis.c for Courier-IMAP before 3.0.0, Courier before 0.45, and SqWebMail before 4.0.0 may allow remote attackers to execute arbitrary code "when Unicode character is out of BMP range." CVE-2004-0225 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0226 DESCRIPTION: Multiple buffer overflows in Midnight Commander (mc) before 4.6.0 may allow attackers to cause a denial of service or execute arbitrary code. CVE-2004-0227 DESCRIPTION: Buffer overflow in the zms script in ZoneMinder before 1.19.2 may allow a remote attacker to execute arbitrary code via a long query string. CVE-2004-0228 DESCRIPTION: Integer signedness error in the cpufreq proc handler (cpufreq_procctl) in Linux kernel 2.6 allows local users to gain privileges. CVE-2004-0229 DESCRIPTION: The framebuffer driver in Linux kernel 2.6.x does not properly use the fb_copy_cmap function, with unknown impact. CVE-2004-0230 DESCRIPTION: TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. CVE-2004-0231 DESCRIPTION: Multiple vulnerabilities in Midnight Commander (mc) before 4.6.0, with unknown impact, related to "Insecure temporary file and directory creations." CVE-2004-0232 DESCRIPTION: Multiple format string vulnerabilities in Midnight Commander (mc) before 4.6.0 may allow attackers to cause a denial of service or execute arbitrary code. CVE-2004-0233 DESCRIPTION: Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files. CVE-2004-0234 DESCRIPTION: Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive. CVE-2004-0235 DESCRIPTION: Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path"). CVE-2004-0236 DESCRIPTION: SQL injection vulnerability in login.asp in thePHOTOtool allows remote attackers to gain unauthorized access via the password field. CVE-2004-0237 DESCRIPTION: Directory traversal vulnerability in index.php in Aprox PHP Portal allows remote attackers to read arbitrary files via a full pathname in the show parameter. CVE-2004-0238 DESCRIPTION: Multiple buffer overflows in Overkill (0verkill) 0.15pre3 might allow local users to execute arbitrary code in the client via a long HOME environment variable in the (1) load_cfg and (2) save_cfg functions; possibly allow remote attackers to execute arbitrary code via long strings to (3) the send_message function; and, in the server, via (4) the parse_command_line function. CVE-2004-0239 DESCRIPTION: SQL injection vulnerability in showphoto.php in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain unauthorized access via the photo variable. CVE-2004-0240 DESCRIPTION: Directory traversal vulnerability in X-Cart 3.4.3 allows remote attackers to view arbitrary files via a .. (dot dot) in the shop_closed_file argument to auth.php. CVE-2004-0241 DESCRIPTION: X-Cart 3.4.3 allows remote attackers to execute arbitrary commands via the perl_binary argument in (1) upgrade.php or (2) general.php. CVE-2004-0242 DESCRIPTION: X-Cart 3.4.3 allows remote attackers to gain sensitive information via a mode parameter with (1) phpinfo command or (2) perlinfo command. CVE-2004-0243 DESCRIPTION: AIX 4.3.3 through AIX 5.1, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods. CVE-2004-0244 DESCRIPTION: Cisco 6000, 6500, and 7600 series systems with Multilayer Switch Feature Card 2 (MSFC2) and a FlexWAN or OSM module allow local users to cause a denial of service (hang or reset) by sending a layer 2 frame packet that encapsulates a layer 3 packet, but has inconsistent length values with that packet. CVE-2004-0245 DESCRIPTION: Web Crossing 4.x and 5.x allows remote attackers to cause a denial of service (crash) by sending a HTTP POST request with a large or negative Content-Length, which causes an integer divide-by-zero. CVE-2004-0246 DESCRIPTION: Multiple PHP remote file inclusion vulnerabilities in (1) fonctions.lib.php, (2) derniers_commentaires.php, and (3) admin.php in Les Commentaires 2.0 allow remote attackers to execute arbitrary PHP code via the rep parameter. CVE-2004-0247 DESCRIPTION: The client and server of Chaser 1.50 and earlier allow remote attackers to cause a denial of service (crash via exception) via a UDP packet with a length field that is greater than the actual data length, which causes Chaser to read unexpected memory. CVE-2004-0248 DESCRIPTION: Cross-site scripting vulnerability (XSS) in PHPX 3.2.3 allows remote attackers to execute arbitrary script as other users by injecting arbitrary HTML or script into (1) keywords argument of main.inc.php, (2) body argument of help.inc.php, or (3) the subject field in Personal Messages and Forum. CVE-2004-0249 DESCRIPTION: PHPX 2.0 through 3.2.4 allows remote attackers to gain access to other accounts by modifying the cookie's PXL variable to reference another userID. CVE-2004-0250 DESCRIPTION: SQL injection vulnerability in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain privileges via (1) the product parameter in showproduct.php or (2) the cat parameter in showcat.php. CVE-2004-0251 DESCRIPTION: Cross-site scripting (XSS) vulnerability in rxgoogle.cgi allows remote attackers to execute arbitrary script as other users via the query parameter. CVE-2004-0252 DESCRIPTION: TYPSoft FTP Server 1.10 allows remote attackers to cause a denial of service (CPU consumption) via an empty USER name. CVE-2004-0253 DESCRIPTION: IBM Cloudscape 5.1 running jdk 1.4.2_03 allows remote attackers to execute arbitrary programs or cause a denial of service via certain SQL code, possibly due to a SQL injection vulnerability. CVE-2004-0254 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Discuz! Board 2.x and 3.x allows remote attackers to execute arbitrary script as other users via an img tag. CVE-2004-0255 DESCRIPTION: Xlight 1.52, with log to screen enabled, allows remote attackers to cause a denial of service by requesting a long directory consisting of . (dot) and / (slash) characters, which causes the server to crash when the administrator views the log file, possibly triggering a buffer overflow. CVE-2004-0256 DESCRIPTION: GNU libtool before 1.5.2, during compile time, allows local users to overwrite arbitrary files via a symlink attack on libtool directories in /tmp. CVE-2004-0257 DESCRIPTION: OpenBSD 3.4 and NetBSD 1.6 and 1.6.1 allow remote attackers to cause a denial of service (crash) by sending an IPv6 packet with a small MTU to a listening port and then issuing a TCP connect to that port. CVE-2004-0258 DESCRIPTION: Multiple buffer overflows in RealOne Player, RealOne Player 2.0, RealOne Enterprise Desktop, and RealPlayer Enterprise allow remote attackers to execute arbitrary code via malformed (1) .RP, (2) .RT, (3) .RAM, (4) .RPM or (5) .SMIL files. CVE-2004-0259 DESCRIPTION: The check_referer() function in Formmail.php 5.0 and earlier allows remote attackers to bypass access restrictions via an empty or spoofed HTTP Referer, as demonstrated using an application on the same web server that contains a cross-site scripting (XSS) issue. CVE-2004-0260 DESCRIPTION: The AddToMailingList function in CactuSoft CactuShop 5.0 Lite contains a backdoor that allows remote attackers to delete arbitrary files via an email address that starts with |||. CVE-2004-0261 DESCRIPTION: oj.cgi in OpenJournal 2.0 through 2.0.5 allows remote attackers to bypass authentication and access the control panel via a 0 in the uid parameter. CVE-2004-0262 DESCRIPTION: Stack-based buffer overflow in The Palace 3.5 and earlier client allows remote attackers to execute arbitrary code via a link to a palace:// url followed by a long server address string. CVE-2004-0263 DESCRIPTION: PHP 4.3.4 and earlier in Apache 1.x and 2.x (mod_php) can leak global variables between virtual hosts that are handled by the same Apache child process but have different settings, which could allow remote attackers to obtain sensitive information. CVE-2004-0264 DESCRIPTION: palmhttpd for PalmOS allows remote attackers to cause a denial of service (crash) by establishing two simultaneous HTTP connections, which exceeds the PalmOS accept queue. CVE-2004-0265 DESCRIPTION: Cross-site scripting (XSS) vulnerability in modules.php for Php-Nuke 6.x-7.1.0 allows remote attackers to execute arbitrary script as other users via URL-encoded (1) title or (2) fname parameters in the News or Reviews modules. CVE-2004-0266 DESCRIPTION: SQL injection vulnerability in the "public message" capability (public_message) for Php-Nuke 6.x to 7.1.0 allows remote attackers to obtain the administrator password via the c_mid parameter. CVE-2004-0267 DESCRIPTION: The (1) inoregupdate, (2) uniftest, or (3) unimove scripts in eTrust InoculateIT for Linux 6.0 allow local users to overwrite arbitrary files via a symlink attack on files in /tmp. CVE-2004-0268 DESCRIPTION: Multiple buffer overflows in EvolutionX 3921 and 3935 allow remote attackers to cause a denial of service (hang) via (1) a long cd command to the FTP server, or (2) a long dir command to the telnet server. CVE-2004-0269 DESCRIPTION: SQL injection vulnerability in PHP-Nuke 6.9 and earlier, and possibly 7.x, allows remote attackers to inject arbitrary SQL code and gain sensitive information via (1) the category variable in the Search module or (2) the admin variable in the Web_Links module. CVE-2004-0270 DESCRIPTION: libclamav in Clam AntiVirus 0.65 allows remote attackers to cause a denial of service (crash) via a uuencoded e-mail message with an invalid line length (e.g., a lowercase character), which causes an assert error in clamd that terminates the calling program. CVE-2004-0271 DESCRIPTION: Multiple cross-site scripting vulnerabilities (XSS) in MaxWebPortal allow remote attackers to execute arbitrary web script as other users via (1) the sub_name parameter of dl_showall.asp, (2) the SendTo parameter in Personal Messages, (3) the HTTP_REFERER for down.asp, or (4) the image name of an Avatar in the register form. CVE-2004-0272 DESCRIPTION: SQL injection vulnerability in MaxWebPortal allows remote attackers to inject arbitrary SQL code and gain sensitive information via the SendTo parameter in Personal Messages. CVE-2004-0273 DESCRIPTION: Directory traversal vulnerability in RealOne Player, RealOne Player 2.0, and RealOne Enterprise Desktop allows remote attackers to upload arbitrary files via an RMP file that contains .. (dot dot) sequences in a .rjs skin file. CVE-2004-0274 DESCRIPTION: Share.mod in Eggheads Eggdrop IRC bot 1.6.10 through 1.6.15 can mistakenly assign STAT_OFFERED status to a bot that is not a sharebot, which allows remote attackers to use STAT_OFFERED to promote a bot to a sharebot and conduct unauthorized activities. CVE-2004-0275 DESCRIPTION: SQL injection vulnerability in calendar_download.php in BosDates 3.2 and earlier allows remote attackers to obtain sensitive information and gain access via the calendar parameter. CVE-2004-0276 DESCRIPTION: The get_real_string function in Monkey HTTP Daemon (monkeyd) 0.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of "%" characters and a missing Host field. CVE-2004-0277 DESCRIPTION: Format string vulnerability in Dream FTP 1.02 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the username. CVE-2004-0278 DESCRIPTION: Ratbag game engine, as used in products such as Dirt Track Racing, Leadfoot, and World of Outlaws Spring Cars, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet that specifies the length of data to read and then sends a second TCP packet that contains less data than specified, which causes Ratbag to repeatedly check the socket for more data. CVE-2004-0279 DESCRIPTION: AIM Sniff (aimSniff.pl) 0.9b allows local users to overwrite arbitrary files via a symlink attack on /tmp/AS.log. CVE-2004-0280 DESCRIPTION: Caucho Technology Resin 2.1.12 allows remote attackers to view JSP source via an HTTP request to a .jsp file that ends in a "%20" (encoded space character), e.g. index.jsp%20. CVE-2004-0281 DESCRIPTION: Caucho Technology Resin 2.1.12 allows remote attackers to gain sensitive information and view the contents of the /WEB-INF/ directory via an HTTP request for "WEB-INF..", which is equivalent to "WEB-INF" in Windows. CVE-2004-0282 DESCRIPTION: Crob FTP daemon 3.5.2 allows remote attackers to cause a denial of service (crash) by repeatedly connecting to and disconnecting from the server. CVE-2004-0283 DESCRIPTION: Mailmgr 1.2.3 allows local users to overwrite arbitrary files via a symlink attack on (1) /tmp/mailmgr.unsort, (2) /tmp/mailmgr.tmp, or (3) /tmp/mailmgr.sort. CVE-2004-0284 DESCRIPTION: Microsoft Internet Explorer 6.0, Outlook 2002, and Outlook 2003 allow remote attackers to cause a denial of service (CPU consumption), if "Do not save encrypted pages to disk" is disabled, via a web site or HTML e-mail that contains two null characters (%00) after the host name. CVE-2004-0285 DESCRIPTION: PHP remote file inclusion vulnerabilities in include/footer.inc.php in (1) AllMyVisitors, (2) AllMyLinks, and (3) AllMyGuests allow remote attackers to execute arbitrary PHP code via a URL in the _AMVconfig[cfg_serverpath] parameter. CVE-2004-0286 DESCRIPTION: Buffer overflow in RobotFTP 1.0 and 2.0 beta 1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long username. CVE-2004-0287 DESCRIPTION: Xlight FTP server 1.52 allows remote authenticated users to cause a denial of service (crash) via a RETR command with a long argument containing a large number of / (slash) characters, possibly triggering a buffer overflow. CVE-2004-0288 DESCRIPTION: Buffer overflow in the UdmDocToTextBuf function in mnoGoSearch 3.2.13 through 3.2.15 could allow remote attackers to execute arbitrary code by indexing a large document. CVE-2004-0289 DESCRIPTION: Buffer overflow in sdbscan in SignatureDB 0.1.1 allows local users to cause a denial of service (segmentation fault) via a database file that contains a large key parameter. CVE-2004-0290 DESCRIPTION: Buffer overflow in Purge Jihad 2.0.1 and earlier allows remote game servers to execute arbitrary code via an information packet that contains large (1) battle type and (2) map name fields. CVE-2004-0291 DESCRIPTION: SQL injection vulnerability in post.php for YaBB SE 1.5.4 and 1.5.5 allows remote attackers to obtain hashed passwords via the quote parameter. CVE-2004-0292 DESCRIPTION: Buffer overflow in KarjaSoft Sami HTTP Server 1.0.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request. CVE-2004-0293 DESCRIPTION: Directory traversal vulnerability in ShopCartCGI 2.3 allows remote attackers to retrieve arbitrary files via a .. (dot dot) in a HTTP request to (1) gotopage.cgi or (2) genindexpage.cgi. CVE-2004-0294 DESCRIPTION: YaBB 1 SP 1.3.1 displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack. CVE-2004-0295 DESCRIPTION: TsFtpSrv.exe in Broker FTP 6.1.0.0 allows remote attackers to cause a denial of service (CPU consumption) via an open idle connection. CVE-2004-0296 DESCRIPTION: TsFtpSrv.exe in Broker FTP 6.1.0.0 allows remote attackers to cause a TsFtpSrv.exe to exit with an exception by opening and immediately closing a connection. CVE-2004-0297 DESCRIPTION: Buffer overflow in the Lightweight Directory Access Protocol (LDAP) daemon (iLDAP.exe 3.9.15.10) in Ipswitch IMail Server 8.03 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via an LDAP message with a large tag length. CVE-2004-0298 DESCRIPTION: CesarFTP 0.99e allows remote attackers to cause a denial of service (CPU consumption) via a long RETR parameter. CVE-2004-0299 DESCRIPTION: Buffer overflow in smallftpd 0.99 allows local users to cause a denial of service (crash) via an FTP request with a large number of "/" (slash) characters. CVE-2004-0300 DESCRIPTION: SQL injection vulnerability in Online Store Kit 3.0 allows remote attackers to inject arbitrary SQL and gain unauthorized access via (1) the cat parameter in shop.php, (2) the id parameter in more.php, (3) the cat_manufacturer parameter in shop_by_brand.php, or (4) the id parameter in listing.php. CVE-2004-0301 DESCRIPTION: Cross-site scripting (XSS) vulnerability in more.php for Online Store Kit 3.0 allows remote attackers to inject arbitrary HTML via the id parameter. CVE-2004-0302 DESCRIPTION: Directory traversal vulnerability in OWLS 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the (1) file parameter in index.php, (2) editfile in glossary.php, or (3) editfile in newmultiplechoice.php. CVE-2004-0303 DESCRIPTION: OWLS 1.0 allows remote attackers to retrieve arbitrary files via absolute pathnames in (1) the file parameter in /glossaries/index.php, (2) the filename parameter in /readings/index.php, or (3) the filename parameter in /multiplechoice/resultsignore.php, as demonstrated using /etc/passwd. CVE-2004-0304 DESCRIPTION: SQL injection vulnerability in browse_items.asp in WebCortex WebStores 2000 6.0 allows remote attackers to gain unauthorized access and execute arbitrary commands via the Search_Text parameter. CVE-2004-0305 DESCRIPTION: Cross-site scripting (XSS) vulnerability in error.asp in WebCortex WebStores 2000 6.0 allows remote attackers to execute arbitrary script as other users and steal session IDs via the Message_id parameter. CVE-2004-0306 DESCRIPTION: Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), ONS 15454 SD before 4.1(3), and Cisco ONS 15600 before 1.3(0) enable TFTP service on UDP port 69 by default, which allows remote attackers to GET or PUT ONS system files on the current active TCC in the /flash0 or /flash1 directories. CVE-2004-0307 DESCRIPTION: Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), and ONS 15454 SD before 4.1(3) allows remote attackers to cause a denial of service (reset) by not sending the ACK portion of the TCP three-way handshake and sending an invalid response instead. CVE-2004-0308 DESCRIPTION: Unknown vulnerability in Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), ONS 15454 SD before 4.1(3), and Cisco ONS15600 before 1.3(0) allows a superuser whose account is locked out, disabled, or suspended to gain unauthorized access via a Telnet connection to the VxWorks shell. CVE-2004-0309 DESCRIPTION: Stack-based buffer overflow in the SMTP service support in vsmon.exe in Zone Labs ZoneAlarm before 4.5.538.001, ZoneLabs Integrity client 4.0 before 4.0.146.046, and 4.5 before 4.5.085, allows remote attackers to execute arbitrary code via a long RCPT TO argument. CVE-2004-0310 DESCRIPTION: Cross-site scripting (XSS) vulnerability in LiveJournal 1.0 and 1.1 allows remote attackers to execute Javascript as other users via the stylesheet, which does not strip the semicolon or parentheses, as demonstrated using a background:url. CVE-2004-0311 DESCRIPTION: American Power Conversion (APC) Web/SNMP Management SmartSlot Card 3.0 through 3.0.3 and 3.21 are shipped with a default password of TENmanUFactOryPOWER, which allows remote attackers to gain unauthorized access. CVE-2004-0312 DESCRIPTION: Linksys WAP55AG 1.07 allows remote attackers with access to an SNMP read only community string to gain access to read/write communtiy strings via a query for OID 1.3.6.1.4.1.3955.2.1.13.1.2. CVE-2004-0313 DESCRIPTION: Buffer overflow in PSOProxy 0.91 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP request, as demonstrated using a long (1) GET argument or (2) method name. CVE-2004-0314 DESCRIPTION: Cross-site scripting (XSS) vulnerability in done.jsp in WebzEdit 1.9 and earlier allows remote attackers to execute arbitrary script as other users via the message parameter. CVE-2004-0315 DESCRIPTION: Buffer overflow in Avirt Voice 4.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long GET request on port 1080. CVE-2004-0316 DESCRIPTION: Buffer overflow in Avirt Soho 4.3 allows remote attackers to cause a denial of service (crash) via (1) a large GET request to port 1080 or (2) a large GET request of % characters to port 8080. CVE-2004-0317 DESCRIPTION: Buffer overflow in eauth in Load Sharing Facility 4.x, 5.x, and 6.x allows local users or remote attackers within the LSF cluster to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a long LSF_From_PC parameter. CVE-2004-0318 DESCRIPTION: Load Sharing Facility (LSF) 4.x, 5.x, and 6.x uses the LSF_EAUTH_UID environment variable, if it exists, instead of the real UID of the user, which could allow remote attackers within the local cluster to gain privileges. CVE-2004-0319 DESCRIPTION: Cross-site scripting (XSS) vulnerability in the font tag in ezBoard 7.3u allows remote attackers to execute arbitrary script as other users, as demonstrated using the background:url in a (1) font color or (2) font face argument. CVE-2004-0320 DESCRIPTION: Unknown vulnerability in nCipher Hardware Security Modules (HSM) 1.67.x through 1.99.x allows local users to access secrets stored in the module's run-time memory via certain sequences of commands. CVE-2004-0321 DESCRIPTION: Team Factor 1.25 and earlier allows remote attackers to cause a denial of service (crash) via a packet that uses a negative number to specify the size of the data block that follows, which causes Team Factor to read unallocated memory. CVE-2004-0322 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in XMB 1.8 Final SP2 allow remote attackers to execute arbitrary script as other users via the (1) member parameter in member.php, (2) uid parameter in u2uadmin.php, (3) user parameter in editprofile.php, (4) an onmouseover event in an align tag when bbcode is allowed, or (5) img tag where bbcode is allowed. CVE-2004-0323 DESCRIPTION: Multiple SQL injection vulnerabilities in XMB 1.8 Final SP2 allow remote attackers to inject arbitrary SQL and gain privileges via the (1) ppp parameter in viewthread.php, (2) desc parameter in misc.php, (3) tpp parameter in forumdisplay.php, (4) ascdesc parameter in forumdisplay.php, or (5) the addon parameter in stats.php. NOTE: it has also been shown that item (3) is also in XMB 1.9 beta. CVE-2004-0324 DESCRIPTION: Confirm 0.62 and earlier could allow remote attackers to execute arbitrary code via an e-mail header that contains shell metacharacters such as ", `, |, ;, or $. CVE-2004-0325 DESCRIPTION: TYPSoft FTP Server 1.10 allows remote authenticated users to cause a denial of service (CPU consumption) via "//../" arguments to (1) mkd, (2) xmkd, (3) dele, (4) size, (5) retr, (6) stor, (7) appe, (8) rnfr, (9) rnto, (10) rmd, or (11) xrmd, as demonstrated using "//../qwerty". CVE-2004-0326 DESCRIPTION: Buffer overflow in the web proxy for GateKeeper Pro 4.7 allows remote attackers to execute arbitrary code via a long GET request. CVE-2004-0327 DESCRIPTION: Directory traversal vulnerability in functions.php in PhpNewsManager 1.46 allows remote attackers to retrieve arbitrary files via .. (dot dot) sequences in the clang parameter. CVE-2004-0328 DESCRIPTION: Gigabyte Gn-B46B 2.4Ghz wireless broadband router firmware 1.003.00 allows local users on the same local network as the router to bypass authentication by using a copy of the router's html menu on a separate system. CVE-2004-0329 DESCRIPTION: FreeChat 1.1.1a allows remote attackers to cause a denial of service (crash) via certain unexpected strings, as demonstrated using "aaaaa". CVE-2004-0330 DESCRIPTION: Buffer overflow in Serv-U ftp before 5.0.0.4 allows remote authenticated users to execute arbitrary code via a long time zone argument to the MDTM command. CVE-2004-0331 DESCRIPTION: Heap-based buffer overflow in Dell OpenManage Web Server 3.4.0 allows remote attackers to cause a denial of service (crash) via a HTTP POST with a long application variable. CVE-2004-0332 DESCRIPTION: Extremail 1.5.9 does not check passwords correctly when they are all digits or begin with a digit, which allows remote attackers to gain privileges. CVE-2004-0333 DESCRIPTION: Buffer overflow in the UUDeview package, as used in WinZip 6.2 through WinZip 8.1 SR-1, and possibly other packages, allows remote attackers to execute arbitrary code via a MIME archive with certain long MIME parameters. CVE-2004-0334 DESCRIPTION: InnoMedia VideoPhone allows remote attackers to bypass Basic Authorization via an HTTP request to (1) videophone_admindetail.asp, (2) videophone_syscfg.asp, (3) videophone_upgrade.asp, or (4) videophone_sysctrl.asp that contains a trailing / (slash). NOTE: the original report mentioned AXIS 2100 Network Camera, but this was likely a cut-and-paste error. CVE-2004-0335 DESCRIPTION: LAN SUITE Web Mail 602Pro, when configured to use the "Directory browsing" feature, allows remote attackers to obtain a directory listing via an HTTP request to (1) index.html, (2) cgi-bin/, or (3) users/. CVE-2004-0336 DESCRIPTION: LAN SUITE Web Mail 602Pro allows remote attackers to gain sensitive information via the mail login form, which contains the path to the mail directory. CVE-2004-0337 DESCRIPTION: Cross-site scripting (XSS) vulnerability in LAN SUITE Web Mail 602Pro allows remote attackers to execute arbitrary script or HTML as other users via a URL to index.html, followed by a / (slash) and the desired script. NOTE: the vendor states that this bug could not be reproduced, so this issue may be REJECTed in the future. CVE-2004-0338 DESCRIPTION: SQL injection vulnerability in search.php for Invision Board Forum allows remote attackers to execute arbitrary SQL queries via the st parameter. CVE-2004-0339 DESCRIPTION: Cross-site scripting (XSS) vulnerability in ViewTopic.php in phpBB, possibly 2.0.6c and earlier, allows remote attackers to execute arbitrary script or HTML as other users via the postorder parameter. CVE-2004-0340 DESCRIPTION: Stack-based buffer overflow in WFTPD Pro Server 3.21 Release 1, Pro Server 3.20 Release 2, Server 3.21 Release 1, and Server 3.10 allows local users to execute arbitrary code via long (1) LIST, (2) NLST, or (3) STAT commands. CVE-2004-0341 DESCRIPTION: WFTPD Pro Server 3.21 Release 1 allocates memory for a command until a 0Ah byte (newline) is sent, which allows local users to cause a denial of service (CPU consumption) by continuing to send a long command that does not contain a newline. CVE-2004-0342 DESCRIPTION: WFTPD Pro Server 3.21 Release 1, with the XeroxDocutech option enabled, allows local users to cause a denial of service (crash) via a (1) MKD or (2) XMKD command that causes an absolute path of 260 characters to be used, which overwrites a cookie with a null character, possibly due to an off-by-one error. CVE-2004-0343 DESCRIPTION: Multiple SQL injection vulnerabilities in YaBB SE 1.5.4 through 1.5.5b allow remote attackers to execute arbitrary SQL via (1) the msg parameter in ModifyMessage.php or (2) the postid parameter in ModifyMessage.php. CVE-2004-0344 DESCRIPTION: Directory traversal vulnerability in ModifyMessage.php in YaBB SE 1.5.4 through 1.5.5b allows remote attackers to delete arbitrary files via a .. (dot dot) in the attachOld parameter. CVE-2004-0345 DESCRIPTION: Buffer overflow in Red Faction client 1.20 and earlier allows remote servers to execute arbitrary code via a long server name. CVE-2004-0346 DESCRIPTION: Off-by-one buffer overflow in _xlate_ascii_write() in ProFTPD 1.2.7 through 1.2.9rc2p allows local users to gain privileges via a 1024 byte RETR command. CVE-2004-0347 DESCRIPTION: Cross-site scripting (XSS) vulnerability in delhomepage.cgi in NetScreen-SA 5000 Series running firmware 3.3 Patch 1 (build 4797) allows remote authenticated users to execute arbitrary script as other users via the row parameter. CVE-2004-0348 DESCRIPTION: SQL injection vulnerability in viewCart.asp in SpiderSales shopping cart software allows remote attackers to execute arbitrary SQL via the userId parameter. CVE-2004-0349 DESCRIPTION: Directory traversal vulnerability in GWeb HTTP Server 0.6 allows remote attackers to view arbitrary files via a .. (dot dot) in the URL. CVE-2004-0350 DESCRIPTION: SpiderSales shopping cart does not enforce a minimum length for the private key, which can make it easier for local users to obtain the private key by factoring. CVE-2004-0351 DESCRIPTION: Spider Sales shopping cart stores the private key in the same database and table as the public key, which allows local users with access to the database to decrypt data. CVE-2004-0352 DESCRIPTION: Cisco 11000 Series Content Services Switches (CSS) running WebNS 5.0(x) before 05.0(04.07)S, and 6.10(x) before 06.10(02.05)S allow remote attackers to cause a denial of service (device reset) via a malformed packet to UDP port 5002. CVE-2004-0353 DESCRIPTION: Multiple buffer overflows in auth_ident() function in auth.c for GNU Anubis 3.6.0 through 3.6.2, 3.9.92 and 3.9.93 allow remote attackers to gain privileges via a long string. CVE-2004-0354 DESCRIPTION: Multiple format string vulnerabilities in GNU Anubis 3.6.0 through 3.6.2, 3.9.92 and 3.9.93 allow remote attackers to execute arbitrary code via format string specifiers in strings passed to (1) the info function in log.c, (2) the anubis_error function in errs.c, or (3) the ssl_error function in ssl.c. CVE-2004-0355 DESCRIPTION: Invision Power Board 1.3 Final allows remote attackers to gain sensitive information by selecting a file for "Personal Photo" that is not an image file, which displays the installation path in an error message. CVE-2004-0356 DESCRIPTION: Stack-based buffer overflow in Supervisor Report Center in SL Mail Pro 2.0.9 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a long HTTP sub-version. CVE-2004-0357 DESCRIPTION: Stack-based buffer overflows in SL Mail Pro 2.0.9 allow remote attackers to execute arbitrary code via (1) user.dll, (2) loadpageadmin.dll or (3) loadpageuser.dll. CVE-2004-0358 DESCRIPTION: Cross-site scripting (XSS) vulnerability in VirtuaNews Admin Panel Pro 1.0.3 allows remote attackers to execute arbitrary script as other users via (1) the mainnews parameter in admin.php, (2) the expand parameter in admin.php, (3) the id parameter in admin.php, (4) the catid parameter in admin.php, or (5) an unnamed parameter during the newslogo_upload action in admin.php. CVE-2004-0359 DESCRIPTION: Cross-site scripting (XSS) vulnerability in index.php for Invision Power Board 1.3 final allows remote attackers to execute arbitrary script as other users via the (1) c, (2) f, (3) showtopic, (4) showuser, or (5) username parameters. CVE-2004-0360 DESCRIPTION: Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local users to gain privileges via unknown attack vectors. CVE-2004-0361 DESCRIPTION: The Javascript engine in Safari 1.2 and earlier allows remote attackers to cause a denial of service (segmentation fault) by creating a new Array object with a large size value, then writing into that array. CVE-2004-0362 DESCRIPTION: Multiple stack-based buffer overflows in the ICQ parsing routines of the ISS Protocol Analysis Module (PAM) component, as used in various RealSecure, Proventia, and BlackICE products, allow remote attackers to execute arbitrary code via a SRV_MULTI response containing a SRV_USER_ONLINE response packet and a SRV_META_USER response packet with long (1) nickname, (2) firstname, (3) lastname, or (4) email address fields, as exploited by the Witty worm. CVE-2004-0363 DESCRIPTION: Stack-based buffer overflow in the SymSpamHelper ActiveX component (symspam.dll) in Norton AntiSpam 2004, as used in Norton Internet Security 2004, allows remote attackers to execute arbitrary code via a long parameter to the LaunchCustomRuleWizard method. CVE-2004-0364 DESCRIPTION: The WrapNISUM ActiveX component (WrapUM.dll) in Norton Internet Security 2004 is marked safe for scripting, which allows remote attackers to execute arbitrary programs via the LaunchURL method. CVE-2004-0365 DESCRIPTION: The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. CVE-2004-0366 DESCRIPTION: SQL injection vulnerability in the libpam-pgsql library before 0.5.2 allows attackers to execute arbitrary SQL statements. CVE-2004-0367 DESCRIPTION: Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. CVE-2004-0368 DESCRIPTION: Double free vulnerability in dtlogin in CDE on Solaris, HP-UX, and other operating systems allows remote attackers to execute arbitrary code via a crafted XDMCP packet. CVE-2004-0369 DESCRIPTION: Buffer overflow in Entrust LibKmp ISAKMP library, as used by Symantec Enterprise Firewall 7.0 through 8.0, Gateway Security 5300 1.0, Gateway Security 5400 2.0, and VelociRaptor 1.5, allows remote attackers to execute arbitrary code via a crafted ISAKMP payload. CVE-2004-0370 DESCRIPTION: The setsockopt call in the KAME Project IPv6 implementation, as used in FreeBSD 5.2, does not properly handle certain IPv6 socket options, which could allow attackers to read kernel memory and cause a system panic. CVE-2004-0371 DESCRIPTION: Heimdal 0.6.x before 0.6.1 and 0.5.x before 0.5.3 does not properly perform certain consistency checks for cross-realm requests, which allows remote attackers with control of a realm to impersonate others in the cross-realm trust path. CVE-2004-0372 DESCRIPTION: xine allows local users to overwrite arbitrary files via a symlink attack on a bug report email that is generated by the (1) xine-bugreport or (2) xine-check scripts. CVE-2004-0373 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0374 DESCRIPTION: Interchange before 5.0.1 allows remote attackers to "expose the content of arbitrary variables" and read or modify sensitive SQL information via an HTTP request ending with the "__SQLUSER__" string. CVE-2004-0375 DESCRIPTION: SYMNDIS.SYS in Symantec Norton Internet Security 2003 and 2004, Norton Personal Firewall 2003 and 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 and 1.1 allow remote attackers to cause a denial of service (infinite loop) via a TCP packet with (1) SACK option or (2) Alternate Checksum Data option followed by a length of zero. CVE-2004-0376 DESCRIPTION: oftpd 0.3.6 and earlier allows remote attackers to cause a denial of service (crash) via a PORT command with a large value. CVE-2004-0377 DESCRIPTION: Buffer overflow in the win32_stat function for (1) ActiveState's ActivePerl and (2) Larry Wall's Perl before 5.8.3 allows local or remote attackers to execute arbitrary commands via filenames that end in a backslash character. CVE-2004-0378 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0379 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in Microsoft SharePoint Portal Server 2001 allow remote attackers to process arbitrary web content and steal cookies via certain server scripts. CVE-2004-0380 DESCRIPTION: The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." CVE-2004-0381 DESCRIPTION: mysqlbug in MySQL allows local users to overwrite arbitrary files via a symlink attack on the failed-mysql-bugreport temporary file. CVE-2004-0382 DESCRIPTION: Unknown vulnerability in the CUPS printing system in Mac OS X 10.3.3 and Mac OS X 10.2.8 with unknown impact, possibly related to a configuration file setting. CVE-2004-0383 DESCRIPTION: Unknown vulnerability in Mail for Mac OS X 10.3.3 and 10.2.8, with unknown impact, related to "the handling of HTML-formatted email." CVE-2004-0384 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0385 DESCRIPTION: Heap-based buffer overflow in Oracle 9i Application Server Web Cache 9.0.4.0.0, 9.0.3.1.0, 9.0.2.3.0, and 9.0.0.4.0 allows remote attackers to execute arbitrary code via a long HTTP request method header to the Web Cache listener. NOTE: due to the vagueness of the Oracle advisory, it is not clear whether there are additional issues besides this overflow, although the advisory alludes to multiple "vulnerabilities." CVE-2004-0386 DESCRIPTION: Buffer overflow in the HTTP parser for MPlayer 1.0pre3 and earlier, 0.90, and 0.91 allows remote attackers to execute arbitrary code via a long Location header. CVE-2004-0387 DESCRIPTION: Stack-based buffer overflow in the RT3 plugin, as used in RealPlayer 8, RealOne Player, RealOne Player 10 beta, and RealOne Player Enterprise, allows remote attackers to execute arbitrary code via a malformed .R3T file. CVE-2004-0388 DESCRIPTION: The mysqld_multi script in MySQL allows local users to overwrite arbitrary files via a symlink attack. CVE-2004-0389 DESCRIPTION: RealNetworks Helix Universal Server 9.0.1 and 9.0.2 allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference, as demonstrated using (1) GET_PARAMETER or (2) DESCRIBE requests. CVE-2004-0390 DESCRIPTION: SCO OpenServer 5.0.5 through 5.0.7 only supports Xauthority style access control when users log in using scologin, which allows remote attackers to gain unauthorized access to an X session via other X login methods. CVE-2004-0391 DESCRIPTION: Cisco Wireless LAN Solution Engine (WLSE) 2.0 through 2.5 and Hosting Solution Engine (HSE) 1.7 through 1.7.3 have a hardcoded username and password, which allows remote attackers to add new users, modify existing users, and change configuration. CVE-2004-0392 DESCRIPTION: racoon before 20040407b allows remote attackers to cause a denial of service (infinite loop and dropped connections) via an IKE message with a malformed Generic Payload Header containing invalid (1) "Security Association Next Payload" and (2) "RESERVED" fields. CVE-2004-0393 DESCRIPTION: Format string vulnerability in the msg function for rlpr daemon (rlprd) 2.0.4 allows remote attackers to execute arbitrary code via format string specifiers in a buffer that can not be resolved, which is provided to the syslog function. CVE-2004-0394 DESCRIPTION: A "potential" buffer overflow exists in the panic() function in Linux 2.4.x, although it may not be exploitable due to the functionality of panic. CVE-2004-0395 DESCRIPTION: The xatitv program in the gatos package does not properly drop root privileges when the configuration file does not exist, which allows local users to execute arbitrary commands via shell metacharacters in a system call. CVE-2004-0396 DESCRIPTION: Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines. CVE-2004-0397 DESCRIPTION: Stack-based buffer overflow during the apr_time_t data conversion in Subversion 1.0.2 and earlier allows remote attackers to execute arbitrary code via a (1) DAV2 REPORT query or (2) get-dated-rev svn-protocol command. CVE-2004-0398 DESCRIPTION: Heap-based buffer overflow in the ne_rfc1036_parse date parsing function for the neon library (libneon) 0.24.5 and earlier, as used by cadaver before 0.22, allows remote WebDAV servers to execute arbitrary code on the client. CVE-2004-0399 DESCRIPTION: Stack-based buffer overflow in Exim 3.35, and other versions before 4, when the sender_verify option is true, allows remote attackers to cause a denial of service and possibly execute arbitrary code during sender verification. CVE-2004-0400 DESCRIPTION: Stack-based buffer overflow in Exim 4 before 4.33, when the headers_check_syntax option is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code during the header check. CVE-2004-0401 DESCRIPTION: Unknown vulnerability in libtasn1 0.1.x before 0.1.2, and 0.2.x before 0.2.7, related to the DER parsing functions. CVE-2004-0402 DESCRIPTION: Buffer overflow in xpcd-svga in xpcd before 2.08, and possibly other versions, may allow local users to execute arbitrary code. CVE-2004-0403 DESCRIPTION: Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field. CVE-2004-0404 DESCRIPTION: logcheck before 1.1.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary directory in /var/tmp. CVE-2004-0405 DESCRIPTION: CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180. CVE-2004-0406 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0407 DESCRIPTION: The HTML form upload capability in ColdFusion MX 6.1 does not reclaim disk space if an upload is interrupted, which allows remote attackers to cause a denial of service (disk consumption) by repeatedly uploading files and interrupting the uploads before they finish. CVE-2004-0408 DESCRIPTION: Buffer overflow in the child_service function in the ident2 ident daemon allows remote attackers to execute arbitrary code. CVE-2004-0409 DESCRIPTION: Stack-based buffer overflow in the Socks-5 proxy code for XChat 1.8.0 to 2.0.8, with socks5 traversal enabled, allows remote attackers to execute arbitrary code. CVE-2004-0410 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2004-0411 DESCRIPTION: The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code. CVE-2004-0412 DESCRIPTION: Mailman before 2.1.5 allows remote attackers to obtain user passwords via a crafted email request to the Mailman server. CVE-2004-0413 DESCRIPTION: libsvn_ra_svn in Subversion 1.0.4 trusts the length field of (1) svn://, (2) svn+ssh://, and (3) other svn protocol URL strings, which allows remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via an integer overflow that leads to a heap-based buffer overflow. CVE-2004-0414 DESCRIPTION: CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution. CVE-2004-0415 DESCRIPTION: Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory. CVE-2004-0416 DESCRIPTION: Double free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code. CVE-2004-0417 DESCRIPTION: Integer overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space. CVE-2004-0418 DESCRIPTION: serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data. CVE-2004-0419 DESCRIPTION: XDM in XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0, which could allow remote attackers to connect to the port, in violation of the intended restrictions. CVE-2004-0420 DESCRIPTION: The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP. CVE-2004-0421 DESCRIPTION: The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message. CVE-2004-0422 DESCRIPTION: flim before 1.14.3 creates temporary files insecurely, which allows local users to overwrite arbitrary files of the Emacs user via a symlink attack. CVE-2004-0423 DESCRIPTION: The log_event function in ssmtp 2.50.6 and earlier allows local users to overwrite arbitrary files via a symlink attack on the ssmtp.log temporary log file. CVE-2004-0424 DESCRIPTION: Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option. CVE-2004-0425 DESCRIPTION: Heap-based buffer overflow in SiteMinder Affiliate Agent 4.x allows remote attackers to execute arbitrary code via a large SMPROFILE cookie. CVE-2004-0426 DESCRIPTION: rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path. CVE-2004-0427 DESCRIPTION: The do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, does not properly decrement the mm_count counter when an error occurs after the mm_struct for a child process has been activated, which triggers a memory leak that allows local users to cause a denial of service (memory exhaustion) via the clone (CLONE_VM) system call. CVE-2004-0428 DESCRIPTION: Unknown vulnerability in CoreFoundation in Mac OS X 10.3.3 and Mac OS X 10.3.3 Server, related to "the handling of an environment variable," has unknown attack vectors and unknown impact. CVE-2004-0429 DESCRIPTION: Unknown vulnerability related to "the handling of large requests" in RAdmin for Apple Mac OS X 10.3.3 and Mac OS X 10.2.8 may allow attackers to have unknown impact via unknown attack vectors. CVE-2004-0430 DESCRIPTION: Stack-based buffer overflow in AppleFileServer for Mac OS X 10.3.3 and earlier allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field. CVE-2004-0431 DESCRIPTION: Integer overflow in Apple QuickTime (QuickTime.qts) before 6.5.1 allows attackers to execute arbitrary code via a large "number of entries" field in the sample-to-chunk table data for a .mov movie file, which leads to a heap-based buffer overflow. CVE-2004-0432 DESCRIPTION: ProFTPD 1.2.9 treats the Allow and Deny directives for CIDR based ACL entries as if they were AllowAll, which could allow FTP clients to bypass intended access restrictions. CVE-2004-0433 DESCRIPTION: Multiple buffer overflows in the Real-Time Streaming Protocol (RTSP) client for (1) MPlayer before 1.0pre4 and (2) xine lib (xine-lib) before 1-rc4, when playing Real RTSP (realrtsp) streams, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (a) long URLs, (b) long Real server responses, or (c) long Real Data Transport (RDT) packets. CVE-2004-0434 DESCRIPTION: k5admind (kadmind) for Heimdal allows remote attackers to execute arbitrary code via a Kerberos 4 compatibility administration request whose framing length is less than 2, which leads to a heap-based buffer overflow. CVE-2004-0435 DESCRIPTION: Certain "programming errors" in the msync system call for FreeBSD 5.2.1 and earlier, and 4.10 and earlier, do not properly handle the MS_INVALIDATE operation, which leads to cache consistency problems that allow a local user to prevent certain changes to files from being committed to disk. CVE-2004-0436 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0437 DESCRIPTION: Titan FTP Server version 3.01 build 163, and possibly other versions before build 169, allows remote authenticated users to cause a denial of service (crash) by disconnecting from the system during a "LIST -L" command, which causes Titan to access an invalid socket. CVE-2004-0438 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0439 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0440 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0441 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0442 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0443 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0444 DESCRIPTION: Multiple vulnerabilities in SYMDNS.SYS for Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allow remote attackers to cause a denial of service or execute arbitrary code via (1) a manipulated length byte in the first-level decoding routine for NetBIOS Name Service (NBNS) that modifies an index variable and leads to a stack-based buffer overflow, (2) a heap-based corruption problem in an NBNS response that is missing certain RR fields, and (3) a stack-based buffer overflow in the DNS component via a Resource Record (RR) with a long canonical name (CNAME) field composed of many smaller components. CVE-2004-0445 DESCRIPTION: The SYMDNS.SYS driver in Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allows remote attackers to cause a denial of service (CPU consumption from infinite loop) via a DNS response with a compressed name pointer that points to itself. CVE-2004-0446 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0447 DESCRIPTION: Unknown vulnerability in Linux before 2.4.26 for IA64 allows local users to cause a denial of service, with unknown impact. NOTE: due to a typo, this issue was accidentally assigned CVE-2004-0477. This is the proper candidate to use for the Linux local DoS. CVE-2004-0448 DESCRIPTION: Format string vulnerability in the log function for jftpgw 0.13.4 and earlier allows remote authenticated users to execute arbitrary code via format string specifiers in certain syslog messages. CVE-2004-0449 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0450 DESCRIPTION: Format string vulnerability in the printlog function in log2mail before 0.2.5.2 allows local users or remote attackers to execute arbitrary code via format string specifiers in a logfile monitored by log2mail. CVE-2004-0451 DESCRIPTION: Multiple format string vulnerabilities in the (1) logquit, (2) logerr, or (3) loginfo functions in Software Upgrade Protocol (SUP) allows remote attackers to execute arbitrary code via format string specifiers in messages that are logged by syslog. CVE-2004-0452 DESCRIPTION: Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack. CVE-2004-0453 DESCRIPTION: Format string vulnerability in the monitor "memory dump" command in VICE 1.6 to 1.14 allows local users to cause a denial of service (emulator crash) and possibly execute arbitrary code via format string specifiers in an output string. CVE-2004-0454 DESCRIPTION: Buffer overflow in the msg function for rlpr daemon (rlprd) 2.04 allows local users to execute arbitrary code. CVE-2004-0455 DESCRIPTION: Buffer overflow in cgi.c in www-sql before 0.5.7 allows local users to execute arbitrary code via a web page that is processed by www-sql. CVE-2004-0456 DESCRIPTION: Stack-based buffer overflow in pavuk 0.9pl28, 0.9pl27, and possibly other versions allows remote web sites to execute arbitrary code via a long HTTP Location header. CVE-2004-0457 DESCRIPTION: The mysqlhotcopy script in mysql 4.0.20 and earlier, when using the scp method from the mysql-server package, allows local users to overwrite arbitrary files via a symlink attack on temporary files. CVE-2004-0458 DESCRIPTION: mah-jong before 1.6.2 allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference. CVE-2004-0459 DESCRIPTION: The Clear Channel Assessment (CCA) algorithm in the IEEE 802.11 wireless protocol, when using DSSS transmission encoding, allows remote attackers to cause a denial of service via a certain RF signal that causes a channel to appear busy (aka "jabber"), which prevents devices from transmitting data. CVE-2004-0460 DESCRIPTION: Buffer overflow in the logging capability for the DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via multiple hostname options in (1) DISCOVER, (2) OFFER, (3) REQUEST, (4) ACK, or (5) NAK messages, which can generate a long string when writing to a log file. CVE-2004-0461 DESCRIPTION: The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function, which can lead to buffer overflow vulnerabilities that enable a denial of service (server crash) and possibly execute arbitrary code. CVE-2004-0462 DESCRIPTION: The built-in web servers for multiple networking devices do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the same server. CVE-2004-0463 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0464 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0465 DESCRIPTION: Directory traversal vulnerability in jretest.html in WebConnect 6.5 and 6.4.4, and possibly earlier versions, allows remote attackers to read keys within arbitrary INI formatted files via "..//" sequences in the WCP_USER parameter. CVE-2004-0466 DESCRIPTION: WebConnect 6.5, 6.4.4, and possibly earlier versions allows remote attackers to cause a denial of service (hang) via a URL containing an MS-DOS device name such as (1) AUX, (2) CON, (3) PRN, (4) COM1, or (5) LPT1. CVE-2004-0467 DESCRIPTION: Juniper JUNOS 5.x through JUNOS 7.x allows remote attackers to cause a denial of service (routing disabled) via a large number of MPLS packets, which are not filtered or verified before being sent to the Routing Engine, which reduces the speed at which other packets are processed. CVE-2004-0468 DESCRIPTION: Memory leak in Juniper JUNOS Packet Forwarding Engine (PFE) allows remote attackers to cause a denial of service (memory exhaustion and device reboot) via certain IPv6 packets. CVE-2004-0469 DESCRIPTION: Buffer overflow in the ISAKMP functionality for Check Point VPN-1 and FireWall-1 NG products, before VPN-1/FireWall-1 R55 HFA-03, R54 HFA-410 and NG FP3 HFA-325, or VPN-1 SecuRemote/SecureClient R56, may allow remote attackers to execute arbitrary code during VPN tunnel negotiation. CVE-2004-0470 DESCRIPTION: BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application. CVE-2004-0471 DESCRIPTION: BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2 does not enforce site restrictions for starting and stopping servers for users in the Admin and Operator security roles, which allows unauthorized users to cause a denial of service (service shutdown). CVE-2004-0472 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is a reservation duplicate of CVE-2004-0434. Notes: All CVE users should reference CVE-2004-0434 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2004-0473 DESCRIPTION: Argument injection vulnerability in Opera before 7.50 does not properly filter "-" characters that begin a hostname in a telnet URI, which allows remote attackers to insert options to the resulting command line and overwrite arbitrary files via (1) the "-f" option on Windows XP or (2) the "-n" option on Linux. CVE-2004-0474 DESCRIPTION: Help Center (HelpCtr.exe) may allow remote attackers to read or execute arbitrary files via an "http://" or "file://" argument to the topic parameter in an hcp:// URL. NOTE: since the initial report of this problem, several researchers have been unable to reproduce this issue. CVE-2004-0475 DESCRIPTION: The showHelp function in Internet Explorer 6 on Windows XP Pro allows remote attackers to execute arbitrary local .CHM files via a double backward slash ("\\") before the target CHM file, as demonstrated using an "ms-its" URL to ntshared.chm. NOTE: this bug may overlap CVE-2003-1041. CVE-2004-0476 DESCRIPTION: Buffer overflow in 3Com OfficeConnect Remote 812 ADSL Router 1.1.9.4 allows remote attackers to cause a denial of service (reboot or packet loss) via a long string containing Telnet escape characters to the Telnet port. CVE-2004-0477 DESCRIPTION: Unknown vulnerability in 3Com OfficeConnect Remote 812 ADSL Router allows remote attackers to bypass authentication via repeated attempts using any username and password. NOTE: this identifier was inadvertently re-used for another issue due to a typo; that issue was assigned CVE-2004-0447. This candidate is ONLY for the ADSL router bypass. CVE-2004-0478 DESCRIPTION: Unknown versions of Mozilla allow remote attackers to cause a denial of service (high CPU/RAM consumption) using Javascript with an infinite loop that continues to add input to a form, possibly as the result of inserting control characters, as demonstrated using an embedded ctrl-U. CVE-2004-0479 DESCRIPTION: Internet Explorer 6 allows remote attackers to cause a denial of service (crash) via Javascript that creates a new popup window and disables the imagetoolbar functionality with a META tag, which triggers a null dereference. CVE-2004-0480 DESCRIPTION: Argument injection vulnerability in IBM Lotus Notes 6.0.3 and 6.5 allows remote attackers to execute arbitrary code via a notes: URI that uses a UNC network share pathname to provide an alternate notes.ini configuration file to notes.exe. CVE-2004-0481 DESCRIPTION: The logging feature in kcms_configure in the KCMS package on Solaris 8 and 9, and possibly other versions, allows local users to corrupt arbitrary files via a symlink attack on the KCS_ClogFile file. CVE-2004-0482 DESCRIPTION: Multiple integer overflows in (1) procfs_cmdline.c, (2) procfs_fpregs.c, (3) procfs_linux.c, (4) procfs_regs.c, (5) procfs_status.c, and (6) procfs_subr.c in procfs for OpenBSD 3.5 and earlier allow local users to read sensitive kernel memory and possibly perform other unauthorized activities. CVE-2004-0483 DESCRIPTION: Unknown vulnerability in rpc.mountd for SGI IRIX 6.5.24 allows remote attackers to cause a denial of service (infinite loop) via certain RPC requests. CVE-2004-0484 DESCRIPTION: mshtml.dll in Microsoft Internet Explorer 6.0.2800 allows remote attackers to cause a denial of service (crash) via a table containing a form that crosses multiple td elements, and whose "float: left" class is defined in a link to a CSS stylesheet after the end of the table, which may trigger a null dereference. CVE-2004-0485 DESCRIPTION: The default protocol helper for the disk: URI on Mac OS X 10.3.3 and 10.2.8 allows remote attackers to write arbitrary files by causing a disk image file (.dmg) to be mounted as a disk volume. CVE-2004-0486 DESCRIPTION: HelpViewer in Mac OS X 10.3.3 and 10.2.8 processes scripts that it did not initiate, which can allow attackers to execute arbitrary code, an issue that was originally reported as a directory traversal vulnerability in the Safari web browser using the runscript parameter in a help: URI handler. CVE-2004-0487 DESCRIPTION: A certain ActiveX control in Symantec Norton AntiVirus 2004 allows remote attackers to cause a denial of service (resource consumption) and possibly execute arbitrary programs. CVE-2004-0488 DESCRIPTION: Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN. CVE-2004-0489 DESCRIPTION: Argument injection vulnerability in the SSH URI handler for Safari on Mac OS 10.3.3 and earlier allows remote attackers to (1) execute arbitrary code via the ProxyCommand option or (2) conduct port forwarding via the -R option. CVE-2004-0490 DESCRIPTION: cPanel, when compiling Apache 1.3.29 and PHP with the mod_phpsuexec option, does not set the --enable-discard-path option, which causes php to use the SCRIPT_FILENAME variable to find and execute a script instead of the PATH_TRANSLATED variable, which allows local users to execute arbitrary PHP code as other users via a URL that references the attacker's script after the user's script, which executes the attacker's script with the user's privileges, a different vulnerability than CVE-2004-0529. CVE-2004-0491 DESCRIPTION: The linux-2.4.21-mlock.patch in Red Hat Enterprise Linux 3 does not properly maintain the mlock page count when one process unlocks pages that belong to another process, which allows local users to mlock more memory than specified by the rlimit. CVE-2004-0492 DESCRIPTION: Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied. CVE-2004-0493 DESCRIPTION: The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab characters. CVE-2004-0494 DESCRIPTION: Multiple extfs backend scripts for GNOME virtual file system (VFS) before 1.0.1 may allow remote attackers to perform certain unauthorized actions via a gnome-vfs URI. CVE-2004-0495 DESCRIPTION: Multiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool. CVE-2004-0496 DESCRIPTION: Multiple unknown vulnerabilities in Linux kernel 2.6 allow local users to gain privileges or access kernel memory, a different set of vulnerabilities than those identified in CVE-2004-0495, as found by the Sparse source code checking tool. CVE-2004-0497 DESCRIPTION: Unknown vulnerability in Linux kernel 2.x may allow local users to modify the group ID of files, such as NFS exported files in kernel 2.4. CVE-2004-0498 DESCRIPTION: The H.323 protocol agent in StoneSoft firewall engine 2.2.8 and earlier allows remote attackers to cause a denial of service (crash) via crafted H.323 packets. CVE-2004-0499 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. CVE-2004-0500 DESCRIPTION: Buffer overflow in the MSN protocol plugins (1) object.c and (2) slp.c for Gaim before 0.82 allows remote attackers to cause a denial of service and possibly execute arbitrary code via MSNSLP protocol messages that are not properly handled in a strncpy call. CVE-2004-0501 DESCRIPTION: Outlook 2003 allows remote attackers to bypass intended access restrictions and cause Outlook to request a URL from a remote site via an HTML e-mail message containing a Vector Markup Language (VML) entity whose src parameter points to the remote site, which could allow remote attackers to know when a message has been read, verify valid e-mail addresses, and possibly leak other information. CVE-2004-0502 DESCRIPTION: Outlook 2003, when replying to an e-mail message, stores certain files in a predictable location for the "src" of an img tag of the original message, which allows remote attackers to bypass zone restrictions and exploit other issues that rely on predictable locations, as demonstrated using a shell: URI. CVE-2004-0503 DESCRIPTION: Microsoft Outlook 2003 allows remote attackers to bypass the default zone restrictions and execute script within media files via a Rich Text Format (RTF) message containing an OLE object for the Windows Media Player, which bypasses Media Player's setting to disallow scripting and may lead to unprompted installation of an executable when exploited in conjunction with predictable-file-location exposures such as CVE-2004-0502. CVE-2004-0504 DESCRIPTION: Ethereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients. CVE-2004-0505 DESCRIPTION: The AIM dissector in Ethereal 0.10.3 allows remote attackers to cause a denial of service (assert error) via unknown attack vectors. CVE-2004-0506 DESCRIPTION: The SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference. CVE-2004-0507 DESCRIPTION: Buffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code. CVE-2004-0508 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0509 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0510 DESCRIPTION: Multiple buffer overflows in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to execute arbitrary code, as demonstrated via the execmail program. CVE-2004-0511 DESCRIPTION: Multiple unknown vulnerabilities in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to cause a denial of service by triggering a null dereference. CVE-2004-0512 DESCRIPTION: Multiple unknown vulnerabilities in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to cause a denial of service by triggering a core dump. CVE-2004-0513 DESCRIPTION: Unspecified vulnerability in Mac OS X before 10.3.4 has unknown impact and attack vectors related to "logging when tracing system calls." CVE-2004-0514 DESCRIPTION: Unknown vulnerability in LoginWindow for Mac OS X 10.3.4, related to "handling of directory services lookups." CVE-2004-0515 DESCRIPTION: Unknown vulnerability in LoginWindow for Mac OS X 10.3.4, related to "handling of console log files." CVE-2004-0516 DESCRIPTION: Unknown vulnerability in Mac OS X 10.3.4, related to "package installation scripts," a different vulnerability than CVE-2004-0517. CVE-2004-0517 DESCRIPTION: Unknown vulnerability in Mac OS X 10.3.4, related to "handling of process IDs during package installation," a different vulnerability than CVE-2004-0516. CVE-2004-0518 DESCRIPTION: Unknown vulnerability in AppleFileServer for Mac OS X 10.3.4, related to "the use of SSH and reporting errors," has unknown impact and attack vectors. CVE-2004-0519 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. CVE-2004-0520 DESCRIPTION: Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php. CVE-2004-0521 DESCRIPTION: SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php. CVE-2004-0522 DESCRIPTION: Gallery 1.4.3 and earlier allows remote attackers to bypass authentication and obtain Gallery administrator privileges. CVE-2004-0523 DESCRIPTION: Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root. CVE-2004-0524 DESCRIPTION: Buffer overflow in the chpasswd command in the Change_passwd plugin before 4.0, as used in SquirrelMail, allows local users to gain root privileges via a long user name. CVE-2004-0525 DESCRIPTION: HP Integrated Lights-Out (iLO) 1.10 and other versions before 1.55 allows remote attackers to cause a denial of service (hang) by accessing iLO using the TCP/IP reserved port zero. CVE-2004-0526 DESCRIPTION: Unknown versions of Internet Explorer and Outlook allow remote attackers to spoof a legitimate URL in the status bar via A HREF tags with modified "alt" values that point to the legitimate site, combined with an image map whose href points to the malicious site, which facilitates a "phishing" attack. CVE-2004-0527 DESCRIPTION: KDE Konqueror 2.1.1 and 2.2.2 allows remote attackers to spoof a legitimate URL in the status bar via A HREF tags with modified "alt" values that point to the legitimate site, combined with an image map whose href points to the malicious site, which facilitates a "phishing" attack. CVE-2004-0528 DESCRIPTION: Netscape Navigator 7.1 allows remote attackers to spoof a legitimate URL in the status bar via A HREF tags with modified "alt" values that point to the legitimate site, combined with an image map whose href points to the malicious site, which facilitates a "phishing" attack. CVE-2004-0529 DESCRIPTION: The modified suexec program in cPanel, when configured for mod_php and compiled for Apache 1.3.31 and earlier without mod_phpsuexec, allows local users to execute untrusted shared scripts and gain privileges, as demonstrated using untainted scripts such as (1) proftpdvhosts or (2) addalink.cgi, a different vulnerability than CVE-2004-0490. CVE-2004-0530 DESCRIPTION: The PHP package in Slackware 8.1, 9.0, and 9.1, when linked against a static library, includes /tmp in the search path, which allows local users to execute arbitrary code as the PHP user by inserting shared libraries into the appropriate path. CVE-2004-0531 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0532 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0533 DESCRIPTION: Business Objects WebIntelligence 2.7.0 through 2.7.4 only enforces access controls on the client, which allows remote authenticated users to delete arbitrary files on the server via a crafted delete request using the InfoView web client. CVE-2004-0534 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Business Objects InfoView 5.1.4 through 5.1.8 for WebIntelligence 2.7.0 through 2.7.4 allows remote attackers to inject arbitrary web script or HTML via document names when uploading a document. CVE-2004-0535 DESCRIPTION: The e1000 driver for Linux kernel 2.4.26 and earlier does not properly initialize memory before using it, which allows local users to read portions of kernel memory. NOTE: this issue was originally incorrectly reported as a "buffer overflow" by some sources. CVE-2004-0536 DESCRIPTION: Format string vulnerability in Tripwire commercial 4.0.1 and earlier, including 2.4, and open source 2.3.1 and earlier, allows local users to gain privileges via format string specifiers in a file name, which is used in the generation of an email report. CVE-2004-0537 DESCRIPTION: Opera 7.50 and earlier allows remote web sites to provide a "Shortcut Icon" (favicon) that is wider than expected, which could allow the web sites to spoof a trusted domain and facilitate phishing attacks using a wide icon and extra spaces. CVE-2004-0538 DESCRIPTION: LaunchServices in Mac OS X 10.3.4 and 10.2.8 automatically registers and executes new applications, which could allow attackers to execute arbitrary code without warning the user. CVE-2004-0539 DESCRIPTION: The "Show in Finder" button in the Safari web browser in Mac OS X 10.3.4 and 10.2.8 may execute downloaded applications, which could allow remote attackers to execute arbitrary code. CVE-2004-0540 DESCRIPTION: Microsoft Windows 2000, when running in a domain whose Fully Qualified Domain Name (FQDN) is exactly 8 characters long, does not prevent users with expired passwords from logging on to the domain. CVE-2004-0541 DESCRIPTION: Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable). CVE-2004-0542 DESCRIPTION: PHP before 4.3.7 on Win32 platforms does not properly filter all shell metacharacters, which allows local or remote attackers to execute arbitrary code, overwrite files, and access internal environment variables via (1) the "%", "|", or ">" characters to the escapeshellcmd function, or (2) the "%" character to the escapeshellarg function. CVE-2004-0543 DESCRIPTION: Multiple SQL injection vulnerabilities in Oracle Applications 11.0 and Oracle E-Business Suite 11.5.1 through 11.5.8 allow remote attackers to execute arbitrary SQL procedures and queries. CVE-2004-0544 DESCRIPTION: Multiple buffer overflows in LVM for AIX 5.1 and 5.2 allow local users to gain privileges via the (1) putlvcb or (2) getlvcb commands. CVE-2004-0545 DESCRIPTION: LVM for AIX 5.1 and 5.2 allows local users to overwrite arbitrary files via a symlink attack. CVE-2004-0546 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0547 DESCRIPTION: Buffer overflow in the ODBC driver for PostgreSQL before 7.2.1 allows remote attackers to cause a denial of service (crash). CVE-2004-0548 DESCRIPTION: Multiple stack-based buffer overflows in the word-list-compress functionality in compress.c for Aspell allow local users to execute arbitrary code via a long entry in the wordlist that is not properly handled when using the (1) "c" compress option or (2) "d" decompress option. CVE-2004-0549 DESCRIPTION: The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object. CVE-2004-0550 DESCRIPTION: Buffer overflow in Real Networks RealPlayer 10 allows remote attackers to execute arbitrary code via a URL with a large number of "." (period) characters. CVE-2004-0551 DESCRIPTION: Cisco CatOS 5.x before 5.5(20) through 8.x before 8.2(2) and 8.3(2)GLX, as used in Catalyst switches, allows remote attackers to cause a denial of service (system crash and reload) by sending invalid packets instead of the final ACK portion of the three-way handshake to the (1) Telnet, (2) HTTP, or (3) SSH services, aka "TCP-ACK DoS attack." CVE-2004-0552 DESCRIPTION: Sophos Small Business Suite 1.00 on Windows does not properly handle files whose names contain reserved MS-DOS device names such as (1) LPT1, (2) COM1, (3) AUX, (4) CON, or (5) PRN, which can allow malicious code to bypass detection when it is installed, copied, or executed. CVE-2004-0553 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0554 DESCRIPTION: Linux kernel 2.4.x and 2.6.x for x86 allows local users to cause a denial of service (system crash), possibly via an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions, as originally demonstrated using a "crash.c" program. CVE-2004-0555 DESCRIPTION: Buffer overflow in (1) queue.c and (2) queued.c in queue before 1.30.1 may allow remote attackers to execute arbitrary code. CVE-2004-0556 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0557 DESCRIPTION: Multiple buffer overflows in the st_wavstartread function in wav.c for Sound eXchange (SoX) 12.17.2 through 12.17.4 allow remote attackers to execute arbitrary code via certain WAV file header fields. CVE-2004-0558 DESCRIPTION: The Internet Printing Protocol (IPP) implementation in CUPS before 1.1.21 allows remote attackers to cause a denial of service (service hang) via a certain UDP packet to the IPP port. CVE-2004-0559 DESCRIPTION: The maketemp.pl script in Usermin 1.070 and 1.080 allows local users to overwrite arbitrary files at install time via a symlink attack on the /tmp/.usermin directory. CVE-2004-0560 DESCRIPTION: Integer overflow in gopher daemon (gopherd) 3.0.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted content of a certain size that triggers the overflow. CVE-2004-0561 DESCRIPTION: Format string vulnerability in the log routine for gopher daemon (gopherd) 3.0.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code. CVE-2004-0562 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0563 DESCRIPTION: The tspc.conf configuration file in freenet6 before 0.9.6 and before 1.0 on Debian Linux has world readable permissions, which could allow local users to gain sensitive information, such as a username and password. CVE-2004-0564 DESCRIPTION: Roaring Penguin pppoe (rp-ppoe), if installed or configured to run setuid root contrary to its design, allows local users to overwrite arbitrary files. NOTE: the developer has publicly disputed the claim that this is a vulnerability because pppoe "is NOT designed to run setuid-root." Therefore this identifier applies *only* to those configurations and installations under which pppoe is run setuid root despite the developer's warnings. CVE-2004-0565 DESCRIPTION: Floating point information leak in the context switch code for Linux 2.4.x only checks the MFH bit but does not verify the FPH owner, which allows local users to read register values of other processes by setting the MFH bit. CVE-2004-0566 DESCRIPTION: Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value. CVE-2004-0567 DESCRIPTION: The Windows Internet Naming Service (WINS) in Windows NT Server 4.0 SP 6a, NT Terminal Server 4.0 SP 6, Windows 2000 Server SP3 and SP4, and Windows Server 2003 does not properly validate the computer name value in a WINS packet, which allows remote attackers to execute arbitrary code or cause a denial of service (server crash), which results in an "unchecked buffer" and possibly triggers a buffer overflow, aka the "Name Validation Vulnerability." CVE-2004-0568 DESCRIPTION: HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow. CVE-2004-0569 DESCRIPTION: The RPC Runtime Library for Microsoft Windows NT 4.0 allows remote attackers to read active memory or cause a denial of service (system crash) via a malicious message, possibly related to improper length values. CVE-2004-0570 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0571 DESCRIPTION: Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901. CVE-2004-0572 DESCRIPTION: Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe. CVE-2004-0573 DESCRIPTION: Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website. CVE-2004-0574 DESCRIPTION: The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows. CVE-2004-0575 DESCRIPTION: Integer overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation. CVE-2004-0576 DESCRIPTION: The radius daemon (radiusd) for GNU Radius 1.1, when compiled with the -enable-snmp option, allows remote attackers to cause a denial of service (server crash) via malformed SNMP messages containing an invalid OID. CVE-2004-0577 DESCRIPTION: WinGate 5.2.3 build 901 and 6.0 beta 2 build 942, and other versions such as 5.0.5, allows remote attackers to read arbitrary files from the root directory via a URL request to the wingate-internal directory. CVE-2004-0578 DESCRIPTION: WinGate 5.2.3 build 901 and 6.0 beta 2 build 942, and other versions such as 5.0.5, allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request to the wingate-internal directory. CVE-2004-0579 DESCRIPTION: Format string vulnerability in super before 3.23 allows local users to execute arbitrary code as root. CVE-2004-0580 DESCRIPTION: DHCP on Linksys BEFSR11, BEFSR41, BEFSR81, and BEFSRU31 Cable/DSL Routers, firmware version 1.45.7, does not properly clear previously used buffer contents in a BOOTP reply packet, which allows remote attackers to obtain sensitive information. CVE-2004-0581 DESCRIPTION: ksymoops-gznm script in Mandrake Linux 9.1 through 10.0, and Corporate Server 2.1, allows local users to delete arbitrary files via a symlink attack on files in /tmp. CVE-2004-0582 DESCRIPTION: Unknown vulnerability in Webmin 1.140 allows remote attackers to bypass access control rules and gain read access to configuration information for a module. CVE-2004-0583 DESCRIPTION: The account lockout functionality in (1) Webmin 1.140 and (2) Usermin 1.070 does not parse certain character strings, which allows remote attackers to conduct a brute force attack to guess user IDs and passwords. CVE-2004-0584 DESCRIPTION: Unknown vulnerability in Horde IMP 3.2.3 and earlier, before a "security fix," does not properly validate input, which allows remote attackers to execute arbitrary script as other users via script or HTML in an e-mail message, possibly triggering a cross-site scripting (XSS) vulnerability. CVE-2004-0585 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0589. Reason: This candidate is a duplicate of CVE-2004-0589. Notes: All CVE users should reference CVE-2004-0589 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2004-0586 DESCRIPTION: acpRunner ActiveX 1.2.5.0 allows remote attackers to execute arbitrary code via the (1) DownLoadURL, (2) SaveFilePath, and (3) Download ActiveX methods. CVE-2004-0587 DESCRIPTION: Insecure permissions for the /proc/scsi/qla2300/HbaApiNode file in Linux allows local users to cause a denial of service. CVE-2004-0588 DESCRIPTION: Cross-site scripting (XSS) vulnerability in the web mail module for Usermin 1.070 allows remote attackers to insert arbitrary HTML and script via e-mail messages. CVE-2004-0589 DESCRIPTION: Cisco IOS 11.1(x) through 11.3(x) and 12.0(x) through 12.2(x), when configured for BGP routing, allows remote attackers to cause a denial of service (device reload) via malformed BGP (1) OPEN or (2) UPDATE messages. CVE-2004-0590 DESCRIPTION: FreeS/WAN 1.x and 2.x, and other related products including superfreeswan 1.x, openswan 1.x before 1.0.6, openswan 2.x before 2.1.4, and strongSwan before 2.1.3, allows remote attackers to authenticate using spoofed PKCS#7 certificates in which a self-signed certificate identifies an alternate Certificate Authority (CA) and spoofed issuer and subject. CVE-2004-0591 DESCRIPTION: Cross-site scripting (XSS) vulnerability in the print_header_uc function for SqWebMail 4.0.4 and earlier, and possibly 3.x, allows remote attackers to inject arbitrary web script or HRML via (1) e-mail headers or (2) a message with a "message/delivery-status" MIME Content-Type. CVE-2004-0592 DESCRIPTION: The tcp_find_option function of the netfilter subsystem for IPv6 in the SUSE Linux 2.6.5 kernel with USAGI patches, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type, a similar flaw to CVE-2004-0626. CVE-2004-0593 DESCRIPTION: Sygate Enforcer 3.5MR1 and earlier passes broadcast traffic before authentication, which could allow remote attackers to bypass filtering rules. CVE-2004-0594 DESCRIPTION: The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete. CVE-2004-0595 DESCRIPTION: The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities. CVE-2004-0596 DESCRIPTION: The Equalizer Load-balancer for serial network interfaces (eql.c) in Linux kernel 2.6.x up to 2.6.7 allows local users to cause a denial of service via a non-existent device name that triggers a null dereference. CVE-2004-0597 DESCRIPTION: Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. CVE-2004-0598 DESCRIPTION: The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference. CVE-2004-0599 DESCRIPTION: Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image. CVE-2004-0600 DESCRIPTION: Buffer overflow in the Samba Web Administration Tool (SWAT) in Samba 3.0.2 to 3.0.4 allows remote attackers to execute arbitrary code via an invalid base-64 character during HTTP basic authentication. CVE-2004-0601 DESCRIPTION: distcc before 2.16, when running on 64-bit platforms, does not interpret IP-based access control rules correctly, which could allow remote attackers to bypass intended restrictions. CVE-2004-0602 DESCRIPTION: The binary compatibility mode for FreeBSD 4.x and 5.x does not properly handle certain Linux system calls, which could allow local users to access kernel memory to gain privileges or cause a system panic. CVE-2004-0603 DESCRIPTION: gzexe in gzip 1.3.3 and earlier will execute an argument when the creation of a temp file fails instead of exiting the program, which could allow remote attackers or local users to execute arbitrary commands, a different vulnerability than CVE-1999-1332. CVE-2004-0604 DESCRIPTION: The HTTP client and server in giFT-FastTrack 0.8.6 and earlier allows remote attackers to cause a denial of service (crash), possibly via an empty search query, which triggers a NULL dereference. CVE-2004-0605 DESCRIPTION: Non-registered IRC users using (1) ircd-hybrid 7.0.1 and earlier, (2) ircd-ratbox 1.5.1 and earlier, or (3) ircd-ratbox 2.0rc6 and earlier do not have a rate-limit imposed, which could allow remote attackers to cause a denial of service by repeatedly making requests, which are slowly dequeued. CVE-2004-0606 DESCRIPTION: Cross-site scripting (XSS) vulnerability in Infoblox DNS One running firmware 2.4.0-8 and earlier allows remote attackers to execute arbitrary scripts as other users via the (1) CLIENTID or (2) HOSTNAME option of a DHCP request. CVE-2004-0607 DESCRIPTION: The eay_check_x509cert function in KAME Racoon successfully verifies certificates even when OpenSSL validation fails, which could allow remote attackers to bypass authentication. CVE-2004-0608 DESCRIPTION: The Unreal Engine, as used in DeusEx 1.112fm and earlier, Devastation 390 and earlier, Mobile Forces 20000 and earlier, Nerf Arena Blast 1.2 and earlier, Postal 2 1337 and earlier, Rune 107 and earlier, Tactical Ops 3.4.0 and earlier, Unreal 1 226f and earlier, Unreal II XMP 7710 and earlier, Unreal Tournament 451b and earlier, Unreal Tournament 2003 2225 and earlier, Unreal Tournament 2004 before 3236, Wheel of Time 333b and earlier, and X-com Enforcer, allows remote attackers to execute arbitrary code via a UDP packet containing a secure query with a long value, which overwrites memory. CVE-2004-0609 DESCRIPTION: rssh 2.0 through 2.1.x expands command line arguments before entering a chroot jail, which allows remote authenticated users to determine the existence of files in a directory outside the jail. CVE-2004-0610 DESCRIPTION: The Web administration interface in Microsoft MN-500 Wireless Router allows remote attackers to cause a denial of service (connection refusal) via a large number of open HTTP connections. CVE-2004-0611 DESCRIPTION: Web-Based Administration in Netgear FVS318 VPN Router allows remote attackers to cause a denial of service (no new connections) via a large number of open HTTP connections. CVE-2004-0612 DESCRIPTION: The Mobile Code filter in ZoneAlarm Pro 5.0.590.015 does not filter mobile code within an SSL encrypted session, which could allow remote attackers to bypass the mobile code filtering. NOTE: it has been disputed by the vendor that this behavior is required by the SSL specification. CVE-2004-0613 DESCRIPTION: osTicket allows remote attackers to view sensitive uploaded files and possibly execute arbitrary code via an HTTP request that uploads a PHP file to the ticket attachments directory. CVE-2004-0614 DESCRIPTION: osTicket trusts a hidden form field in the submit form to limit the upload size of a document, which could allow remote attackers to upload a file of any size. CVE-2004-0615 DESCRIPTION: Cross-site scripting (XSS) vulnerability in D-Link DI-614+ SOHO router running firmware 2.30, and DI-704 SOHO router running firmware 2.60B2, and DI-624, allows remote attackers to inject arbitrary script or HTML via the DHCP HOSTNAME option in a DHCP request. CVE-2004-0616 DESCRIPTION: The BT Voyager 2000 Wireless ADSL Router has a default public SNMP community name, which allows remote attackers to obtain sensitive information such as the password, which is stored in plaintext. CVE-2004-0617 DESCRIPTION: Cross-site scripting (XSS) vulnerability in ArbitroWeb 0.6 allows remote attackers to inject arbitrary script or HTML via the rawURL parameter. CVE-2004-0618 DESCRIPTION: FreeBSD 5.1 for the Alpha processor allows local users to cause a denial of service (crash) via an execve system call with an unaligned memory address as an argument. CVE-2004-0619 DESCRIPTION: Integer overflow in the ubsec_keysetup function for Linux Broadcom 5820 cryptonet driver allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a negative add_dsa_buf_bytes variable, which leads to a buffer overflow. CVE-2004-0620 DESCRIPTION: Cross-site scripting (XSS) vulnerability in (1) newreply.php or (2) newthread.php in vBulletin 3.0.1 allows remote attackers to inject arbitrary HTML or script as other users via the Edit-panel. CVE-2004-0621 DESCRIPTION: admin.php in Newsletter ZWS allows remote attackers to gain administrative privileges via a list_user operation with the ulevel parameter set to 1 (administrator level), which lists all users and their passwords. CVE-2004-0622 DESCRIPTION: Apple Mac OS X 10.3.4, 10.4, 10.5, and possibly other versions does not properly clear memory for login (aka Loginwindow.app), Keychain, or FileVault passwords, which could allow the root user or an attacker with physical access to obtain sensitive information by reading memory. CVE-2004-0623 DESCRIPTION: Format string vulnerability in misc.c in GNU GNATS 4.00 may allow remote attackers to execute arbitrary code via format string specifiers in a string that gets logged by syslog. CVE-2004-0624 DESCRIPTION: PHP remote file inclusion vulnerability in index.php for Artmedic links 5.0 (artmedic_links5) allows remote attackers to execute arbitrary PHP code by modifying the id parameter to reference a URL on a remote web server that contains the code. CVE-2004-0625 DESCRIPTION: SQL injection vulnerability in Infinity WEB 1.0 allows remote attackers to bypass authentication and gain privileges via the login page. CVE-2004-0626 DESCRIPTION: The tcp_find_option function of the netfilter subsystem in Linux kernel 2.6, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type. CVE-2004-0627 DESCRIPTION: The check_scramble_323 function in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to bypass authentication via a zero-length scrambled string. CVE-2004-0628 DESCRIPTION: Stack-based buffer overflow in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long scramble string. CVE-2004-0629 DESCRIPTION: Buffer overflow in the ActiveX component (pdf.ocx) for Adobe Acrobat 5.0.5 and Acrobat Reader, and possibly other versions, allows remote attackers to execute arbitrary code via a URI for a PDF file with a null terminator (%00) followed by a long string. CVE-2004-0630 DESCRIPTION: The uudecoding feature in Adobe Acrobat Reader 5.0.5 and 5.0.6 for Unix and Linux, and possibly other versions including those before 5.0.9, allows remote attackers to execute arbitrary code via shell metacharacters ("`" or backtick) in the filename of the PDF file that is provided to the uudecode command. CVE-2004-0631 DESCRIPTION: Buffer overflow in the uudecoding feature for Adobe Acrobat Reader 5.0.5 and 5.0.6 for Unix and Linux, and possibly other versions including those before 5.0.9, allows remote attackers to execute arbitrary code via a long filename for the PDF file that is provided to the uudecode command. CVE-2004-0632 DESCRIPTION: Adobe Reader 6.0 does not properly handle null characters when splitting a filename path into components, which allows remote attackers to execute arbitrary code via a file with a long extension that is not normally handled by Reader, triggering a buffer overflow. CVE-2004-0633 DESCRIPTION: The iSNS dissector for Ethereal 0.10.3 through 0.10.4 allows remote attackers to cause a denial of service (process abort) via an integer overflow. CVE-2004-0634 DESCRIPTION: The SMB SID snooping capability in Ethereal 0.9.15 to 0.10.4 allows remote attackers to cause a denial of service (process crash) via a handle without a policy name, which causes a null dereference. CVE-2004-0635 DESCRIPTION: The SNMP dissector in Ethereal 0.8.15 through 0.10.4 allows remote attackers to cause a denial of service (process crash) via a (1) malformed or (2) missing community string, which causes an out-of-bounds read. CVE-2004-0636 DESCRIPTION: Buffer overflow in the goaway function in the aim:goaway URI handler for AOL Instant Messenger (AIM) 5.5, including 5.5.3595, allows remote attackers to execute arbitrary code via a long Away message. CVE-2004-0637 DESCRIPTION: Oracle Database Server 8.1.7.4 through 9.2.0.4 allows local users to execute commands with additional privileges via the ctxsys.driload package, which is publicly accessible. CVE-2004-0638 DESCRIPTION: Buffer overflow in the KSDWRTB function in the dbms_system package (dbms_system.ksdwrt) for Oracle 9i Database Server Release 2 9.2.0.3 and 9.2.0.4, 9i Release 1 9.0.1.4 and 9.0.1.5, and 8i Release 1 8.1.7.4, allows remote authorized users to execute arbitrary code via a long second argument. CVE-2004-0639 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1.2.10 and earlier allow remote attackers to inject arbitrary HTML or script via (1) the $mailer variable in read_body.php, (2) the $senderNames_part variable in mailbox_display.php, and possibly other vectors including (3) the $event_title variable or (4) the $event_text variable. CVE-2004-0640 DESCRIPTION: Format string vulnerability in the SSL_set_verify function in telnetd.c for SSLtelnet daemon (SSLtelnetd) 0.13 allows remote attackers to execute arbitrary code. CVE-2004-0641 DESCRIPTION: Thomson SpeedTouch 510 ADSL Router with firmware GV8BAA3.270, and possibly earlier versions, generates predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections. CVE-2004-0642 DESCRIPTION: Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code. CVE-2004-0643 DESCRIPTION: Double free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code. CVE-2004-0644 DESCRIPTION: The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding. CVE-2004-0645 DESCRIPTION: Buffer overflow in the wvHandleDateTimePicture function in wv library (wvWare) 0.7.4 through 0.7.6 and 1.0.0 allows remote attackers to execute arbitrary code via a document with a long DateTime field. CVE-2004-0646 DESCRIPTION: Buffer overflow in the WriteToLog function for JRun 3.0 through 4.0 web server connectors, such as (1) mod_jrun and (2) mod_jrun20 for Apache, with verbose logging enabled, allows remote attackers to execute arbitrary code via a long HTTP header Content-Type field or other fields. CVE-2004-0647 DESCRIPTION: shorewall 1.4.10c and earlier, and 2.0.x before 2.0.3a, allows local users to overwrite arbitrary files via a symlink attack on the chains-$$ temporary file. CVE-2004-0648 DESCRIPTION: Mozilla (Suite) before 1.7.1, Firefox before 0.9.2, and Thunderbird before 0.7.2 allow remote attackers to launch arbitrary programs via a URI referencing the shell: protocol. CVE-2004-0649 DESCRIPTION: Buffer overflow in write_packet in control.c for l2tpd may allow remote attackers to execute arbitrary code. CVE-2004-0650 DESCRIPTION: UploadServlet in Cisco Collaboration Server (CCS) running ServletExec before 3.0E allows remote attackers to upload and execute arbitrary files via a direct call to the UploadServlet URL. CVE-2004-0651 DESCRIPTION: Unknown vulnerability in Sun Java Runtime Environment (JRE) 1.4.2 through 1.4.2_03 allows remote attackers to cause a denial of service (virtual machine hang). CVE-2004-0652 DESCRIPTION: BEA WebLogic Server and WebLogic Express 7.0 through 7.0 Service Pack 4, and 8.1 through 8.1 Service Pack 2, allows attackers to obtain the username and password for booting the server by directly accessing certain internal methods. CVE-2004-0653 DESCRIPTION: Solaris 9, when configured as a Kerberos client with patch 112908-12 or 115168-03 and using pam_krb5 as an "auth" module with the debug feature enabled, records passwords in plaintext, which could allow local users to gain other user's passwords by reading log files. CVE-2004-0654 DESCRIPTION: Unknown vulnerability in the Basic Security Module (BSM), when configured to audit either the Administrative (ad) or the System-Wide Administration (as) audit class in Solaris 7, 8, and 9, allows local users to cause a denial of service (kernel panic). CVE-2004-0655 DESCRIPTION: eupdatedb in esearch 0.6.1 and earlier allows local users to create arbitrary files via a symlink attack on the esearchdb.py.tmp temporary file. CVE-2004-0656 DESCRIPTION: The accept_client function in PureFTPd 1.0.18 and earlier allows remote attackers to cause a denial of service by exceeding the maximum number of connections. CVE-2004-0657 DESCRIPTION: Integer overflow in the NTP daemon (NTPd) before 4.0 causes the NTP server to return the wrong date/time offset when a client requests a date/time that is more than 34 years away from the server's time. CVE-2004-0658 DESCRIPTION: Integer overflow in the hpsb_alloc_packet function (incorrectly reported as alloc_hpsb_packet) in IEEE 1394 (Firewire) driver 2.4 and 2.6 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via the functions (1) raw1394_write, (2) state_connected, (3) handle_remote_request, or (4) hpsb_make_writebpacket. CVE-2004-0659 DESCRIPTION: Buffer overflow in TranslateFilename for common.c in MPlayer 1.0pre4 allows remote attackers to execute arbitrary code via a long file name. CVE-2004-0660 DESCRIPTION: Cross-site scripting (XSS) vulnerability in (1) show_archives.php, (2) show_news.php, and possibly other php files in CuteNews 1.3.1 allows remote attackers to inject arbitrary script or HTML via the id parameter. CVE-2004-0661 DESCRIPTION: Integer signedness error in D-Link AirPlus DI-614+ running firmware 2.30 and earlier allows remote attackers to cause a denial of service (IP lease depletion) via a DHCP request with the LEASETIME option set to -1, which makes the DHCP lease valid for thirteen or more years. CVE-2004-0662 DESCRIPTION: PowerPortal 1.x allows remote attackers to gain sensitive information via invalid or missing parameters in HTTP requests to (1) resize.php or (2) modules.php, which reveals the path in an error message. CVE-2004-0663 DESCRIPTION: Cross-site scripting (XSS) vulnerability in modules.php in PowerPortal 1.x allows remote attackers to inject arbitrary script or HTML via the (1) id parameter to the (a) private_messages module; (2) search parameter to the (b) links and (c) content modules; and (3) files parameter to the gallery module. CVE-2004-0664 DESCRIPTION: Directory traversal vulnerability in modules.php in PowerPortal 1.x allows remote attackers to list arbitrary directories via a .. (dot dot) in the files parameter. CVE-2004-0665 DESCRIPTION: csFAQ.cgi in csFAQ allows remote attackers to gain sensitive information via an invalid database parameter, which reveals the path to the web server in an error message. CVE-2004-0666 DESCRIPTION: Off-by-one error in the POP3_readmsg function in popclient 3.0b6 allows remote attackers to cause a denial of service (application crash) via an e-mail message with a certain line length, which leads to a buffer overflow. CVE-2004-0667 DESCRIPTION: Rule Set Based Access Control (RSBAC) 1.2.2 through 1.2.3 allows access to sys_creat, sys_open, and sys_mknod inside jails, which could allow local users to gain elevated privileges. CVE-2004-0668 DESCRIPTION: Web Access in Lotus Domino 6.5.1 allows remote attackers to cause a denial of service (server crash) via a large e-mail message, as demonstrated using a large image attachment. CVE-2004-0669 DESCRIPTION: Lotus Domino 6.5.0 and 6.5.1, with IMAP enabled, allows remote authenticated users to change their quota by using the IMAP setquota command. CVE-2004-0670 DESCRIPTION: Prestige 650HW-31 running Rompager 4.7 software allows remote attackers to cause a denial of service (device reboot) via a long password. CVE-2004-0671 DESCRIPTION: Brightmail Spamfilter 6.0 and earlier beta releases allows remote attackers to read mail from other users by modifying the id parameter in a viewMsgDetails.do request. CVE-2004-0672 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in the primary and management web interfaces in Netegrity IdentityMinder Web Edition 5.6 allows remote attackers to execute script as other users via (1) script that starts with %00 in the numOfExpressions parameter or (2) the mobjtype parameter. CVE-2004-0673 DESCRIPTION: Cross-site scripting (XSS) vulnerability in SCI Photo Chat Server 3.4.9 allows remote attackers to execute arbitrary web script as other users via an invalid request that is echoed in the resulting error message. CVE-2004-0674 DESCRIPTION: Enterasys XSR-1800 series Security Routers, when running firmware 7.0.0.0 and using Policy-Based Routing, allow remote attackers to cause a denial of service (crash) via a packet with the IP record route option set. CVE-2004-0675 DESCRIPTION: Cross-site scripting (XSS) vulnerability in (1) cart32.exe or (2) c32web.exe in Cart32 shopping cart allows remote attackers to execute arbitrary web script via the cart32 parameter to a GetLatestBuilds command. CVE-2004-0676 DESCRIPTION: Directory traversal vulnerability in Fastream NETFile FTP/Web Server 6.7.2.1085 and earlier allows remote attackers to create or delete arbitrary files via .. (dot dot) and // (double slash) sequences in the filename parameter. CVE-2004-0677 DESCRIPTION: Fastream NETFile FTP Server 6.7.2.1085 and earlier allows remote attackers to cause a denial of service (temporary hang) via the cd command with an unusual argument, possibly due to multiple leading slashes and/or an access to the floppy drive ("A"). CVE-2004-0678 DESCRIPTION: Cross-site scripting (XSS) in one2planet.infolet.InfoServlet in 12Planet Chat Server 2.9 allows remote attackers to execute arbitrary script as other users via the page parameter. CVE-2004-0679 DESCRIPTION: The IP cloaking feature (cloak.c) in UnrealIRCd 3.2, and possibly other versions, uses a weak hashing scheme to hide IP addresses, which could allow remote attackers to use brute force methods to gain other user's IP addresses. CVE-2004-0680 DESCRIPTION: Zoom X3 ADSL modem has a terminal running on port 254 that can be accessed using the default HTML management password, even if the password has been changed for the HTTP interface, which could allow remote attackers to gain unauthorized access. CVE-2004-0681 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in (1) comersus_customerAuthenticateForm.asp, (2) comersus_backoffice_message.asp, (3) comersus_supportError.asp, or (4) comersus_message.asp in Comersus Cart 5.09 allow remote attackers to execute web script as other users via the message parameter. CVE-2004-0682 DESCRIPTION: comersus_gatewayPayPal.asp in Comersus Cart 5.09, and possibly other versions before 5.098, allows remote attackers to change the prices of items by directly modifying them in the URL. CVE-2004-0683 DESCRIPTION: Symantec Norton AntiVirus 2002 and 2003 allows remote attackers to cause a denial of service (CPU consumption) via a compressed archive that contains a large number of directories. CVE-2004-0684 DESCRIPTION: WebSphere Edge Component Caching Proxy in WebSphere Edge Server 5.02, with the JunctionRewrite directive enabled, allows remote attackers to cause a denial of service via an HTTP GET request without any parameters. CVE-2004-0685 DESCRIPTION: Certain USB drivers in the Linux 2.4 kernel use the copy_to_user function on uninitialized structures, which could allow local users to obtain sensitive information by reading memory that was not cleared from previous usage. CVE-2004-0686 DESCRIPTION: Buffer overflow in Samba 2.2.x to 2.2.9, and 3.0.0 to 3.0.4, when the "mangling method = hash" option is enabled in smb.conf, has unknown impact and attack vectors. CVE-2004-0687 DESCRIPTION: Multiple stack-based buffer overflows in (1) xpmParseColors in parse.c, (2) ParseAndPutPixels in create.c, and (3) ParsePixels in parse.c for libXpm before 6.8.1 allow remote attackers to execute arbitrary code via a malformed XPM image file. CVE-2004-0688 DESCRIPTION: Multiple integer overflows in (1) the xpmParseColors function in parse.c, (2) XpmCreateImageFromXpmImage, (3) CreateXImage, (4) ParsePixels, and (5) ParseAndPutPixels for libXpm before 6.8.1 may allow remote attackers to execute arbitrary code via a malformed XPM image file. CVE-2004-0689 DESCRIPTION: KDE before 3.3.0 does not properly handle when certain symbolic links point to "stale" locations, which could allow local users to create or truncate arbitrary files. CVE-2004-0690 DESCRIPTION: The DCOPServer in KDE 3.2.3 and earlier allows local users to gain unauthorized access via a symlink attack on DCOP files in the /tmp directory. CVE-2004-0691 DESCRIPTION: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code. CVE-2004-0692 DESCRIPTION: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693. CVE-2004-0693 DESCRIPTION: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692. CVE-2004-0694 DESCRIPTION: Buffer overflow in LHA 1.14 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to "command line processing," a different vulnerability than CVE-2004-0771. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries. CVE-2004-0695 DESCRIPTION: Stack-based buffer overflow in the FTP service for 4D WebSTAR 5.3.2 and earlier allows remote attackers to execute arbitrary code via a long FTP command. CVE-2004-0696 DESCRIPTION: The ShellExample.cgi script in 4D WebSTAR 5.3.2 and earlier allows remote attackers to list arbitrary directories via a URL with the desired path and a "*" (asterisk) character. CVE-2004-0697 DESCRIPTION: Unknown vulnerability in 4D WebSTAR 5.3.2 and earlier allows remote attackers to read the php.ini configuration file and possibly obtain sensitive information. CVE-2004-0698 DESCRIPTION: 4D WebSTAR 5.3.2 and earlier allows local users to read and modify arbitrary files via a symlink attack. CVE-2004-0699 DESCRIPTION: Heap-based buffer overflow in ASN.1 decoding library in Check Point VPN-1 products, when Aggressive Mode IKE is implemented, allows remote attackers to execute arbitrary code by initiating an IKE negotiation and then sending an IKE packet with malformed ASN.1 data. CVE-2004-0700 DESCRIPTION: Format string vulnerability in the mod_proxy hook functions function in ssl_engine_log.c in mod_ssl before 2.8.19 for Apache before 1.3.31 may allow remote attackers to execute arbitrary messages via format string specifiers in certain log messages for HTTPS that are handled by the ssl_log function. CVE-2004-0701 DESCRIPTION: Sun Ray Server Software (SRSS) 1.3 and 2.0 for Solaris 2.6, 7 and 8 does not properly detect a smartcard removal when the card is quickly removed, reinserted, and removed again, which could cause a user session to stay logged in and allow local users to gain unauthorized access. CVE-2004-0702 DESCRIPTION: DBI in Bugzilla 2.17.1 through 2.17.7 displays the database password in an error message when the SQL server is not running, which could allow remote attackers to gain sensitive information. CVE-2004-0703 DESCRIPTION: Unknown vulnerability in the administrative controls in Bugzilla 2.17.1 through 2.17.7 allows users with "grant membership" privileges to grant memberships to groups that the user does not control. CVE-2004-0704 DESCRIPTION: Unknown vulnerability in (1) duplicates.cgi and (2) buglist.cgi in Bugzilla 2.16.x before 2.16.6, 2.18 before 2.18rc1, when configured to hide products, allows remote attackers to view hidden products. CVE-2004-0705 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in (1) editcomponents.cgi, (2) editgroups.cgi, (3) editmilestones.cgi, (4) editproducts.cgi, (5) editusers.cgi, and (6) editversions.cgi in Bugzilla 2.16.x before 2.16.6, and 2.18 before 2.18rc1, allow remote attackers to execute arbitrary JavaScript as other users via a URL parameter. CVE-2004-0706 DESCRIPTION: Bugzilla 2.17.5 through 2.17.7 embeds the password in an image URL, which could allow local users to view the password in the web server log files. CVE-2004-0707 DESCRIPTION: SQL injection vulnerability in editusers.cgi in Bugzilla 2.16.x before 2.16.6, and 2.18 before 2.18rc1, allows remote attackers with privileges to grant membership to any group to execute arbitrary SQL. CVE-2004-0708 DESCRIPTION: MoinMoin 1.2.1 and earlier allows remote attackers to gain privileges by creating a user with the same name as an existing group that has higher privileges. CVE-2004-0709 DESCRIPTION: HP OpenView Select Access 5.0 through 6.0 does not correctly decode UTF-8 encoded unicode characters in a URL, which could allow remote attackers to bypass access restrictions. CVE-2004-0710 DESCRIPTION: IP Security VPN Services Module (VPNSM) in Cisco Catalyst 6500 Series Switch and the Cisco 7600 Series Internet Routers running IOS before 12.2(17b)SXA, before 12.2(17d)SXB, or before 12.2(14)SY03 could allow remote attackers to cause a denial of service (device crash and reload) via a malformed Internet Key Exchange (IKE) packet. CVE-2004-0711 DESCRIPTION: The URL pattern matching feature in BEA WebLogic Server 6.x matches illegal patterns ending in "*" as wildcards as if they were the legal "/*" pattern, which could cause WebLogic 7.x to allow remote attackers to bypass intended access restrictions because the illegal patterns are properly rejected. CVE-2004-0712 DESCRIPTION: The configuration tools (1) config.sh in Unix or (2) config.cmd in Windows for BEA WebLogic Server 8.1 through SP2 create a log file that contains the administrative username and password in cleartext, which could allow local users to gain privileges. CVE-2004-0713 DESCRIPTION: The remove method in a stateful Enterprise JavaBean (EJB) in BEA WebLogic Server and WebLogic Express version 8.1 through SP2, 7.0 through SP4, and 6.1 through SP6, does not properly check EJB permissions before unexporting a bean, which allows remote authenticated users to remove EJB objects from remote views before the security exception is thrown. CVE-2004-0714 DESCRIPTION: Cisco Internetwork Operating System (IOS) 12.0S through 12.3T attempts to process SNMP solicited operations on improper ports (UDP 162 and a randomly chosen UDP port), which allows remote attackers to cause a denial of service (device reload and memory corruption). CVE-2004-0715 DESCRIPTION: The WebLogic Authentication provider for BEA WebLogic Server and WebLogic Express 8.1 through SP2 and 7.0 through SP4 does not properly clear member relationships when a group is deleted, which can cause a new group with the same name to have the members of the old group, which allows group members to gain privileges. CVE-2004-0716 DESCRIPTION: Buffer overflow in the DCE daemon (DCED) for the DCE endpoint mapper (epmap) on HP-UX 11 allows remote attackers to execute arbitrary code via a request with a small fragment length and a large amount of data. CVE-2004-0717 DESCRIPTION: Opera 7.51 for Windows and 7.50 for Linux does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. CVE-2004-0718 DESCRIPTION: The (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) Netscape 7.1 web browsers do not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. CVE-2004-0719 DESCRIPTION: Internet Explorer for Mac 5.2.3, Internet Explorer 6 on Windows XP, and possibly other versions, does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. CVE-2004-0720 DESCRIPTION: Safari 1.2.2 does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. CVE-2004-0721 DESCRIPTION: Konqueror 3.1.3, 3.2.2, and possibly other versions does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. CVE-2004-0722 DESCRIPTION: Integer overflow in the SOAPParameter object constructor in (1) Netscape version 7.0 and 7.1 and (2) Mozilla 1.6, and possibly earlier versions, allows remote attackers to execute arbitrary code. CVE-2004-0723 DESCRIPTION: Microsoft Java virtual machine (VM) 5.0.0.3810 allows remote attackers to bypass sandbox restrictions to read or write certain data between applets from different domains via the "GET/Key" and "PUT/Key/Value" commands, aka "cross-site Java." CVE-2004-0724 DESCRIPTION: The Half-Life engine before July 7 2004 allows remote attackers to cause a denial of service (server or client crash) via an empty fragmented packet. CVE-2004-0725 DESCRIPTION: Cross-site scripting (XSS) vulnerability in help.php in Moodle 1.3.2 and 1.4 dev allows remote attackers to inject arbitrary web script or HTML via the file parameter. CVE-2004-0726 DESCRIPTION: The Windows Media Player control in Microsoft Windows 2000 allows remote attackers to execute arbitrary script in the local computer zone via an ASX filename that contains javascript, which is executed in the local context in a preview panel. CVE-2004-0727 DESCRIPTION: Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." CVE-2004-0728 DESCRIPTION: The Remote Control Client service in Microsoft's Systems Management Server (SMS) 2.50.2726.0 allows remote attackers to cause a denial of service (crash) via a data packet to TCP port 2702 that causes the server to read or write to an invalid memory address. CVE-2004-0729 DESCRIPTION: PhpBB 2.0.8 allows remote attackers to gain sensitive information via an invalid (1) category_rows parameter to index.php, (2) faq parameter to faq.php, or (3) ranksrow parameter to profile.php, which reveal the full path in an error message. CVE-2004-0730 DESCRIPTION: Multiple cross-site scripting (XSS) vulnerabilities in PhpBB 2.0.8 allow remote attackers to inject arbitrary web script or HTML via (1) the cat_title parameter in index.php, (2) the faq[0][0] parameter in lang_faq.php as accessible from faq.php, or (3) the faq[0][0] parameter in lang_bbcode.php as accessible from faq.php. CVE-2004-0731 DESCRIPTION: Cross-site scripting (XSS) vulnerability in index.php in the Search module for Php-Nuke allows remote attackers to inject arbitrary script as other users via the input field. CVE-2004-0732 DESCRIPTION: SQL injection vulnerability in index.php in the Search module for Php-Nuke allows remote attackers to execute arbitrary SQL statements via the instory parameter. CVE-2004-0733 DESCRIPTION: Format string vulnerability in OllyDbg 1.10 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are directly provided to the OutputDebugString function call. CVE-2004-0734 DESCRIPTION: Web_Store.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the page parameter. CVE-2004-0735 DESCRIPTION: Buffer overflow in Medal of Honor (1) Allied Assault 1.11v9 and earlier, (2) Breakthrough 2.40b and earlier, and (3) Spearhead 2.15 and earlier, when playing on a Local Area Network (LAN), allows remote attackers to execute arbitrary code via vectors such as (1) the getinfo query, (2) the connect packet, and other unknown vectors. CVE-2004-0736 DESCRIPTION: The search module in Php-Nuke allows remote attackers to gain sensitive information via the (1) "**" or (2) "+" search patterns, which reveals the path in an error message. CVE-2004-0737 DESCRIPTION: Multiple cross-site scripting vulnerabilities in index.php in the Search module for Php-Nuke allows remote attackers to inject arbitrary web script or HTML via the (1) sid, (2) max, (3) sel1, (4) sel2, (5) sel3, (6) sel4, (7) sel5, (8) match, (9) mod1, (10) mod2, or (11) mod3 parameters. CVE-2004-0738 DESCRIPTION: Multiple SQL injection vulnerabilities in the Search module in Php-Nuke allow remote attackers to execute arbitrary SQL via the (1) min or (2) categ parameters. CVE-2004-0739 DESCRIPTION: Buffer overflow in Whisper FTP Surfer 1.0.7 allows remote FTP servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long filename. CVE-2004-0740 DESCRIPTION: The HTTP server in Lexmark T522 and possibly other models allows remote attackers to cause a denial of service (server crash, reload, or hang) via an HTTP header with a long Host field, possibly triggering a buffer overflow. CVE-2004-0741 DESCRIPTION: LionMax Software WWW File Share Pro 2.60 allows remote attackers to cause a denial of service (crash or hang) via a long URL, possibly triggering a buffer overflow. CVE-2004-0742 DESCRIPTION: Sun Java System Portal Server 6.2 (formerly Sun ONE) allows remote authenticated users to obtain Calendar Server privileges and modify Calendar data by changing the display options to a non-default view. CVE-2004-0743 DESCRIPTION: Safari in Mac OS X before 10.3.5, after sending form data using the POST method, may re-send the data to a GET method URL if that URL is redirected after the POST data and the user uses the forward or backward buttons, which may cause an information leak. CVE-2004-0744 DESCRIPTION: The TCP/IP Networking component in Mac OS X before 10.3.5 allows remote attackers to cause a denial of service (memory and resource consumption) via a "Rose Attack" that involves sending a subset of small IP fragments that do not form a complete, larger packet. CVE-2004-0745 DESCRIPTION: LHA 1.14 and earlier allows attackers to execute arbitrary commands via a directory with shell metacharacters in its name. CVE-2004-0746 DESCRIPTION: Konqueror in KDE 3.2.3 and earlier allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk and .firm.in, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. CVE-2004-0747 DESCRIPTION: Buffer overflow in Apache 2.0.50 and earlier allows local users to gain apache privileges via a .htaccess file that causes the overflow during expansion of environment variables. CVE-2004-0748 DESCRIPTION: mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (CPU consumption) by aborting an SSL connection in a way that causes an Apache child process to enter an infinite loop. CVE-2004-0749 DESCRIPTION: The mod_authz_svn module in Subversion 1.0.7 and earlier does not properly restrict access to all metadata on unreadable paths, which could allow remote attackers to gain sensitive information via (1) svn log -v, (2) svn propget, or (3) svn blame, and other commands that follow renames. CVE-2004-0750 DESCRIPTION: Unknown vulnerability in redhat-config-nfs before 1.0.13, when shares are exported to multiple hosts, can produce incorrect permissions and prevent the all_squash option from being applied. CVE-2004-0751 DESCRIPTION: The char_buffer_read function in the mod_ssl module for Apache 2.x, when using reverse proxying to an SSL server, allows remote attackers to cause a denial of service (segmentation fault). CVE-2004-0752 DESCRIPTION: OpenOffice (OOo) 1.1.2 creates predictable directory names with insecure permissions during startup, which may allow local users to read or list files of other users. CVE-2004-0753 DESCRIPTION: The BMP image processor for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted BMP file. CVE-2004-0754 DESCRIPTION: Integer overflow in Gaim before 0.82 allows remote attackers to cause a denial of service and possibly execute arbitrary code via the size variable in Groupware server messages. CVE-2004-0755 DESCRIPTION: The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions. CVE-2004-0756 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0757 DESCRIPTION: Heap-based buffer overflow in the SendUidl in the POP3 capability for Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, may allow remote POP3 mail servers to execute arbitrary code. CVE-2004-0758 DESCRIPTION: Mozilla 1.5 through 1.7 allows a CA certificate to be imported even when their DN is the same as that of the built-in CA root certificate, which allows remote attackers to cause a denial of service to SSL pages because the malicious certificate is treated as invalid. CVE-2004-0759 DESCRIPTION: Mozilla before 1.7 allows remote web servers to read arbitrary files via Javascript that sets the value of an tag. CVE-2004-0760 DESCRIPTION: Mozilla allows remote attackers to cause Mozilla to open a URI as a different MIME type than expected via a null character (%00) in an FTP URI. CVE-2004-0761 DESCRIPTION: Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote attackers to use certain redirect sequences to spoof the security lock icon that makes a web page appear to be encrypted. CVE-2004-0762 DESCRIPTION: Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box. CVE-2004-0763 DESCRIPTION: Mozilla Firefox 0.9.1 and 0.9.2 allows remote web sites to spoof certificates of trusted web sites via redirects and Javascript that uses the "onunload" method. CVE-2004-0764 DESCRIPTION: Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files. CVE-2004-0765 DESCRIPTION: The cert_TestHostName function in Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN), which allows remote attackers to spoof trusted certificates. CVE-2004-0766 DESCRIPTION: NGSEC StackDefender 2.0 allows attackers to cause a denial of service (system crash) via an invalid address for the BaseAddress parameter to the hooks for the (1) ZwAllocateVirtualMemory or (2) ZwProtectVirtualMemory functions. CVE-2004-0767 DESCRIPTION: NGSEC StackDefender 1.10 allows attackers to cause a denial of service (system crash) via an invalid address for the ObjectAttribues parameter to the hooks for the (1) ZwCreateFile or (2) ZwOpenFile functions. CVE-2004-0768 DESCRIPTION: libpng 1.2.5 and earlier does not properly calculate certain buffer offsets, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. CVE-2004-0769 DESCRIPTION: Buffer overflow in LHA allows remote attackers to execute arbitrary code via long pathnames in LHarc format 2 headers for a .LHZ archive, as originally demonstrated using the "x" option but also exploitable through "l" and "v", and fixed in header.c, a different issue than CVE-2004-0771. CVE-2004-0770 DESCRIPTION: romload.c in DGen Emulator 1.23 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files during decompression of (1) gzip or (2) bzip ROM files. CVE-2004-0771 DESCRIPTION: Buffer overflow in the extract_one function from lhext.c in LHA may allow attackers to execute arbitrary code via a long w (working directory) command line option, a different issue than CVE-2004-0769. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries. CVE-2004-0772 DESCRIPTION: Double free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code. CVE-2004-0773 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0774 DESCRIPTION: RealNetworks Helix Universal Server 9.0.2 for Linux and 9.0.3 for Windows allows remote attackers to cause a denial of service (CPU and memory exhaustion) via a POST request with a Content-Length header set to -1. CVE-2004-0775 DESCRIPTION: Buffer overflow in WIDCOMM Bluetooth Connectivity Software, as used in products such as BTStackServer 1.3.2.7 and 1.4.2.10, Windows XP and Windows 98 with MSI Bluetooth Dongles, and HP IPAQ 5450 running WinCE 3.0, allows remote attackers to execute arbitrary code via certain service requests. CVE-2004-0776 DESCRIPTION: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0777 DESCRIPTION: Format string vulnerability in the auth_debug function in Courier-IMAP 1.6.0 through 2.2.1 and 3.x through 3.0.3, when login debugging (DEBUG_LOGIN) is enabled, allows remote attackers to execute arbitrary code. CVE-2004-0778 DESCRIPTION: CVS 1.11.x before 1.11.17, and 1.12.x before 1.12.9, allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned. CVE-2004-0779 DESCRIPTION: The (1) Mozilla 1.6, (2) Firebird 0.7 and (3) Firefox 0.8 web browsers do not properly verify that cached passwords for SSL encrypted sites are only sent via SSL encrypted sessions to the site, which allows a remote attacker to cause a cached password to be sent in cleartext to a spoofed site. CVE-2004-0780 DESCRIPTION: Buffer overflow in uustat in Sun Solaris 8 and 9 allows local users to execute arbitrary code via a long -S command line argument. CVE-2004-0781 DESCRIPTION: Cross-site scripting (XSS) vulnerability in list.cgi in the Icecast internal web server (icecast-server) 1.3.12 and earlier allows remote attackers to inject arbitrary web script via the UserAgent parameter. CVE-2004-0782 DESCRIPTION: Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687). CVE-2004-0783 DESCRIPTION: Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0688). CVE-2004-0784 DESCRIPTION: The smiley theme functionality in Gaim before 0.82 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of the tar file that is dragged to the smiley selector. CVE-2004-0785 DESCRIPTION: Multiple buffer overflows in Gaim before 0.82 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) Rich Text Format (RTF) messages, (2) a long hostname for the local system as obtained from DNS, or (3) a long URL that is not properly handled by the URL decoder. CVE-2004-0786 DESCRIPTION: The IPv6 URI parsing routines in the apr-util library for Apache 2.0.50 and earlier allow remote attackers to cause a denial of service (child process crash) via a certain URI, as demonstrated using the Codenomicon HTTP Test Tool. CVE-2004-0787 DESCRIPTION: Cross-site scripting (XSS) vulnerability in the web frontend in OpenCA 0.9.1-8 and earlier, and 0.9.2 RC6 and earlier, allows remote attackers to inject arbitrary web script or HTML via the form input fields. CVE-2004-0788 DESCRIPTION: Integer overflow in the ICO image decoder for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted ICO file. CVE-2004-0789 DESCRIPTION: Multiple implementations of the DNS protocol, including (1) Poslib 1.0.2-1 and earlier as used by Posadis, (2) Axis Network products before firmware 3.13, and (3) Men & Mice Suite 2.2x before 2.2.3 and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (CPU and network bandwidth consumption) by triggering a communications loop via (a) DNS query packets with localhost as a spoofed source address, or (b) a response packet that triggers a response packet. CVE-2004-0790 DESCRIPTION: Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. CVE-2004-0791 DESCRIPTION: Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. CVE-2004-0792 DESCRIPTION: Directory traversal vulnerability in the sanitize_path function in util.c for rsync 2.6.2 and earlier, when chroot is disabled, allows attackers to read or write certain files. CVE-2004-0793 DESCRIPTION: The calendar program in bsdmainutils 6.0 through 6.0.14 does not drop root privileges when executed with the -a flag, which allows attackers to execute arbitrary commands via a calendar event file. CVE-2004-0794 DESCRIPTION: Multiple signal handler race conditions in lukemftpd (aka tnftpd before 20040810) allow remote authenticated attackers to cause a denial of service or execute arbitrary code. CVE-2004-0795 DESCRIPTION: DB2 8.1 remote command server (DB2RCMD.EXE) executes the db2rcmdc.exe program as the db2admin administrator, which allows local users to gain privileges via the DB2REMOTECMD named pipe. CVE-2004-0796 DESCRIPTION: SpamAssassin 2.5x, and 2.6x before 2.64, allows remote attackers to cause a denial of service via certain malformed messages. CVE-2004-0797 DESCRIPTION: The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash). CVE-2004-0798 DESCRIPTION: Buffer overflow in the _maincfgret.cgi script for Ipswitch WhatsUp Gold before 8.03 Hotfix 1 allows remote attackers to execute arbitrary code via a long instancename parameter. CVE-2004-0799 DESCRIPTION: The HTTP daemon in Ipswitch WhatsUp Gold 8.03 and 8.03 Hotfix 1 allows remote attackers to cause a denial of service (server crash) via a GET request containing an MS-DOS device name, as demonstrated using "prn.htm". CVE-2004-0800 DESCRIPTION: Format string vulnerability in CDE Mailer (dtmail) on Solaris 8 and 9 allows local users to gain privileges via format strings in the argv[0] value. CVE-2004-0801 DESCRIPTION: Unknown vulnerability in foomatic-rip in Foomatic before 3.0.2 allows local users or remote attackers with access to CUPS to execute arbitrary commands. CVE-2004-0802 DESCRIPTION: Buffer overflow in the BMP loader in imlib2 before 1.1.2 allows remote attackers to execute arbitrary code via a specially-crafted BMP image, a different vulnerability than CVE-2004-0817. CVE-2004-0803 DESCRIPTION: Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files. CVE-2004-0804 DESCRIPTION: Vulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero, a different vulnerability than CVE-2005-2452. CVE-2004-0805 DESCRIPTION: Buffer overflow in layer2.c in mpg123 0.59r and possibly mpg123 0.59s allows remote attackers to execute arbitrary code via a certain (1) mp3 or (2) mp2 file. CVE-2004-0806 DESCRIPTION: cdrecord in the cdrtools package before 2.01, when installed setuid root, does not properly drop privileges before executing a program specified in the RSH environment variable, which allows local users to gain privileges. CVE-2004-0807 DESCRIPTION: Samba 3.0.6 and earlier allows remote attackers to cause a denial of service (infinite loop and memory exhaustion) via certain malformed requests that cause new processes to be spawned and enter an infinite loop. CVE-2004-0808 DESCRIPTION: The process_logon_packet function in the nmbd server for Samba 3.0.6 and earlier, when domain logons are enabled, allows remote attackers to cause a denial of service via a SAM_UAS_CHANGE request with a length value that is larger than the number of structures that are provided. CVE-2004-0809 DESCRIPTION: The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access. CVE-2004-0810 DESCRIPTION: Buffer overflow in Netopia Timbuktu 7.0.3 allows remote attackers to cause a denial of service (server process crash) via a certain data string that is sent to multiple simultaneous client connections to TCP port 407. CVE-2004-0811 DESCRIPTION: Unknown vulnerability in Apache 2.0.51 prevents "the merging of the Satisfy directive," which could allow attackers to obtain access to restricted resources contrary to the specified authentication configuration. CVE-2004-0812 DESCRIPTION: Unknown vulnerability in the Linux kernel before 2.4.23, on the AMD AMD64 and Intel EM64T architectures, associated with "setting up TSS limits," allows local users to cause a denial of service (crash) and possibly execute arbitrary code. CVE-2004-0813 DESCRIPTION: Unknown vulnerability in the SG_IO functionality in ide-cd allows local users to bypass read-only access and perform unauthorized write and erase operations. CVE-2004-0814 DESCRIPTION: Multiple race conditions in the terminal layer in Linux 2.4.x, and 2.6.x before 2.6.9, allow (1) local users to obtain portions of kernel data via a TIOCSETD ioctl call to a terminal interface that is being accessed by another thread, or (2) remote attackers to cause a denial of service (panic) by switching from console to PPP line discipline, then quickly sending data that is received during the switch. CVE-2004-0815 DESCRIPTION: The unix_clean_name function in Samba 2.2.x through 2.2.11, and 3.0.x before 3.0.2a, trims certain directory names down to absolute paths, which could allow remote attackers to bypass the specified share restrictions and read, write, or list arbitrary files via "/.////" style sequences in pathnames. CVE-2004-0816 DESCRIPTION: Integer underflow in the firewall logging rules for iptables in Linux before 2.6.8 allows remote attackers to cause a denial of service (application crash) via a malformed IP packet. CVE-2004-0817 DESCRIPTION: Multiple heap-based buffer overflows in the imlib BMP image handler allow remote attackers to execute arbitrary code via a crafted BMP file. CVE-2004-0818 DESCRIPTION: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. CVE-2004-0819 DESCRIPTION: The bridge functionality in OpenBSD 3.4 and 3.5, when running a gateway configured as a bridging firewall with the link2 option for IPSec enabled, allows remote attackers to cause a denial of service (crash) via an ICMP echo (ping) packet. CVE-2004-0820 DESCRIPTION: Winamp before 5.0.4 allows remote attackers to execute arbitrary script in the Local computer zone via script in HTML files that are referenced from XML files contained in a .wsz skin file. CVE-2004-0821 DESCRIPTION: The CFPlugIn in Core Foundation framework in Mac OS X allows user supplied libraries to be loaded, which could allow local users to gain privileges. CVE-2004-0822 DESCRIPTION: Buffer overflow in The Core Foundation framework (CoreFoundation.framework) in Mac OS X 10.2.8, 10.3.4, and 10.3.5 allows local users to execute arbitrary code via a certain environment variable. CVE-2004-0823 DESCRIPTION: OpenLDAP 1.0 through 2.1.19, as used in Apple Mac OS 10.3.4 and 10.3.5 and possibly other operating systems, may allow certain authentication schemes to use hashed (crypt) passwords in the userPassword attribute as if they were plaintext passwords, which allows remote attackers to re-use hashed passwords without decrypting them. CVE-2004-0824 DESCRIPTION: PPPDialer for Mac OS X 10.2.8 through 10.3.5 allows local users to overwrite system files via a symlink attack on PPPDialer log files. CVE-2004-0825 DESCRIPTION: QuickTime Streaming Server in Mac OS X Server 10.2.8, 10.3.4, and 10.3.5 allows remote attackers to cause a denial of service (application deadlock) via a certain sequence of operations. CVE-2004-0826 DESCRIPTION: Heap-based buffer overflow in Netscape Network Security Services (NSS) library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message. CVE-2004-0827 DESCRIPTION: Multiple buffer overflows in the ImageMagick graphics library 5.x before 5.4.4, and 6.x before 6.0.6.2, allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via malformed (1) AVI, (2) BMP, or (3) DIB files. CVE-2004-0828 DESCRIPTION: The ctstrtcasd program in RSCT 2.3.0.0 and earlier on IBM AIX 5.2 and 5.3 does not properly drop privileges before executing the -f option, which allows local users to modify or create arbitrary files. CVE-2004-0829 DESCRIPTION: smbd in Samba before 2.2.11 allows remote attackers to cause a denial of service (daemon crash) by sending a FindNextPrintChangeNotify request without a previous FindFirstPrintChangeNotify, as demonstrated by the SMB client in Windows XP SP2. CVE-2004-0830 DESCRIPTION: The Content Scanner Server in F-Secure Anti-Virus for Microsoft Exchange 6.21 and earlier, F-Secure Anti-Virus for Microsoft Exchange 6.01 and earlier, and F-Secure Internet Gatekeeper 6.32 and earlier allow remote attackers to cause a denial of service (service crash due to unhandled exception) via a certain malformed packet. CVE-2004-0831 DESCRIPTION: McAfee VirusScan 4.5.1 does not drop SYSTEM privileges before allowing users to browse for files via the "System Scan" properties of the System Tray applet, which could allow local users to gain privileges. CVE-2004-0832 DESCRIPTION: The (1) ntlm_fetch_string and (2) ntlm_get_string functions in Squid 2.5.6 and earlier, with NTLM authentication enabled, allow remote attackers to cause a denial of service (application crash) via an NTLMSSP packet that causes a negative value to be passed to memcpy. CVE-2004-0833 DESCRIPTION: Sendmail before 8.12.3 on Debian GNU/Linux, when using sasl and sasl-bin, uses a Sendmail configuration script with a fixed username and password, which could allow remote attackers to use Sendmail as an open mail relay and send spam messages. CVE-2004-0834 DESCRIPTION: Format string vulnerability in Speedtouch USB driver before 1.3.1 allows local users to execute arbitrary code via (1) modem_run, (2) pppoa2, or (3) pppoa3. CVE-2004-0835 DESCRIPTION: MySQL 3.x before 3.23.59, 4.x before 4.0.19, 4.1.x before 4.1.2, and 5.x before 5.0.1, checks the CREATE/INSERT rights of the original table instead of the target table in an ALTER TABLE RENAME operation, which could allow attackers to conduct unauthorized activities. CVE-2004-0836 DESCRIPTION: Buffer overflow in the mysql_real_connect function in MySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows remote DNS servers to cause a denial of service and possibly execute arbitrary code via a DNS response with a large address length (h_length). CVE-2004-0837 DESCRIPTION: MySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows attackers to cause a denial of service (crash or hang) via multiple threads that simultaneously alter MERGE table UNIONs. CVE-2004-0838 DESCRIPTION: Lexar Safe Guard for JumpDrive Secure 1.0 stores the password insecurely in memory using XOR encryption, which allows local users to read the password directly from the device and access the password protected part of the drive. CVE-2004-0839 DESCRIPTION: Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html". CVE-2004-0840 DESCRIPTION: The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated. CVE-2004-0841 DESCRIPTION: Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." CVE-2004-0842 DESCRIPTION: Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "