3695 matches found
OpenSSH disregards client configuration and allows server access to ssh-agent and/or X11 after session negotiation
Overview Versions of OpenSSH client prior to 2.3.0 do not properly enforce restrictions to the ssh-agent or X11 display. Description An OpenSSH client can be configured to prevent servers from accessing the client's ssh-agent or X11 display. However, versions of OpenSSH client prior to 2.3.0 fail...
Netscape fails to revalidate certificates if a user has previously acknowledged a certificate to be non-matching
Overview A flaw exists in Netscape Navigator that could allow an attacker to masquerade as a legitimate web site if the attacker can compromise the validity of certain DNS information. This is different from the problem reported in CERT Advisory CA-2000-05, but it has a similar impact. This...
Keys generated with PGP5i batch mode do not contain sufficient randomness on systems that use /dev/random
Overview Under certain circumstances, PGP v5.0 generates keys that are not sufficiently random, which may allow an attacker to predict keys and, hence, recover information encrypted with that key. Description Generating Randomness in PGP Keys In order to generate cryptographically secure keys, PG...
Microsoft Windows NT and 2000 Domain Name Servers allow non-authoritative RRs to be cached by default
Overview Microsoft Domain Name Servers hosted on Windows NT or Windows 2000 Server systems run with permissive DNS cache defaults. This may allow unauthorized remote intruders to redirect sites that rely on the vulnerable DNS servers for legitimate information. Description The Domain Name System,...
McAfee ASaP VirusScan service does not adequately validate input
Overview A vulnerability exists in McAfee ASaP VirusScan that permits intruders to access files outside of the web root. Description Quoting from the McAfee ASaP VirusScan FAQ, McAfee ASaP VirusScan is "a web-based, managed and updated anti-virus service for the entire desktop environment." McAfe...
phpSecurePages allows remote code execution
Overview There is an input validation vulnerability in phpSecurePages that may allow a remote intruder to execute arbitrary code with the privileges of the running web server. Description phpSecurePages is a tool for password protecting portions of websites on PHP enabled webservers. The...
Allaire ColdFusion Server contains vulnerability allowing templates to be overwritten by zero byte file of the same name
Overview A vulnerability exists in Allaire ColdFusion Server which allows an attacker to overwrite ColdFusion Server templates with zero byte files. Description A remotely exploitable vulnerability exists in the Allaire ColdFusion Server which could allow an attacker to overwrite ColdFusion Serve...
Microsoft Outlook View Control allows execution of arbitrary code and manipulation of user data
Overview A vulnerability exists in an ActiveX control supplied with Microsoft Outlook 2002 that could allow malicious code on a web page or in an HTML email message to manipulate Outlook data or execute arbitrary code as the user running Outlook. Description Microsoft Outlook 2002 installs an...
HPUX kmmodreg allows arbitrary file overwriting via symlink redirection of temporary file
Overview The kmmodreg program distributed with some HPUX versions creates two temporary files with predictable names. Due to insecure handling of these files, an intruder may use them to overwrite arbitrary files during system boot via a symbolic link attack. Description The kmmodreg program...
Allaire ColdFusion Server contains vulnerability allowing unauthorized user read/delete access to files
Overview A vulnerability exists in Allaire ColdFusion Server which allows an attacker to have unauthorized read and delete access to files on the target host. Description A remotely exploitable vulnerability exists in the Allaire ColdFusion Server which could allow an attacker to have unauthorize...
Cisco IOS vulnerable to DoS via crafted PPTP packet sent to port 1723/tcp
Overview Cisco IOS contains a vulnerability that allows an intruder to crash the router. Description By sending a specially crafted PPTP packet to port 1723, an intruder can crash a device running a vulnerable version of IOS. Quoting from the Cisco Advisory: By sending a crafted PPTP packet to a...
Curses library vulnerable to buffer overflow
Overview The curses library derived from System V contains a buffer overflow. A local user can execute a command that uses this library to exploit the vulnerability and gain elevated privileges. Description There is a buffer overflow in the curses library that could permit a local user to gain...
SCO UnixWare uuxqt contains buffer overflow via long string of characters sent as command line argument
Overview A buffer overflow in uuxqt, part of the UUCP package on SCO systems, can allow an intruder to gain elevated privileges. Description SCO UnixWare 7 ships with a utility package called UUCP. The UUCP package allows for the copying of files between different UNIX systems and the sending of...
SCO UnixWare uucico contains buffer overflow via long string of characters sent as command line argument
Overview A buffer overflow in uucico, part of the UUCP package on SCO systems, can allow an intruder to gain elevated privileges. Description SCO UnixWare 7 ships with a utility package called UUCP. The UUCP package allows for the copying of files between different UNIX systems and the sending of...
Multiple vendors' RADIUS implementations do not adequately validate user input thereby permitting DoS and arbitrary command execution via 'radiusd' daemon
Overview Vulnerabilities in various implementations of the Remote Authentication Dial-In User Server (RADIUS) 'radiusd' daemon can allow an attacker to disrupt services or obtain unauthorized access. Description Various implementations of the Remote Authentication Dial-In User Server (RADIUS) 'radius...
Caucho Technologies Resin vulnerable to Cross-Site Scripting via passing of user input directly to default error page
Overview Web servers that use the Resin Java Servlet Container, versions 1.2.3 and earlier, are vulnerable to a cross-site scripting vulnerability. A web site may inadvertently include malicious HTML tags or script (JavaScript, VBScript, Java, etc.) in a dynamically generated page based on unvalidat...
UUCP package contains multiple buffer overflows via long string of characters sent as command line argument
Overview Several Linux/Unix systems ship with a utility package called UUCP derived from System V. A buffer overflow in components of the UUCP package can allow an intruder to gain elevated privileges. Description Several Linux/Unix systems ship with a utility package called UUCP derived from...
SCO UnixWare bnuconvert contains buffer overflow via long string of characters sent as command line argument
Overview A buffer overflow in bnuconvert, part of the UUCP package on SCO systems, can allow an intruder to gain elevated privileges. Description SCO UnixWare 7 ships with a utility package called UUCP. The UUCP package allows for the copying of files between different UNIX systems and the sendin...
Allaire JRun Java Application Server vulnerable to Cross-Site Scripting via passing of user input directly to default error page
Overview Web Servers that use the Allaire JRun Java Servlet Container are vulnerable to a cross-site scripting vulnerability. A web site may inadvertently include malicious HTML tags or script (JavaScript, VBScript, Java, etc.) in a dynamically generated page based on unvalidated input from...
Lotus Domino Server R5 vulnerable to Cross-Site Scripting via passing of user input directly to default error page
Overview Lotus Domino R5 Servers are vulnerable to a cross-site scripting vulnerability. A web site may inadvertently include malicious HTML tags or script (JavaScript, VBScript, Java, etc.) in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem...
SCO UnixWare uux contains buffer overflow via long string of characters sent as command line argument
Overview A buffer overflow in uux, part of the UUCP package on SCO systems, can allow an intruder to gain elevated privileges. Description SCO UnixWare 7 ships with a utility package called UUCP. The UUCP package allows for the copying of files between different UNIX systems and the sending of...
SCO UnixWare uuxcmd contains buffer overflow via long string of characters sent as command line argument
Overview A buffer overflow in uuxcmd, part of the UUCP package on SCO systems, can allow an intruder to gain elevated privileges. Description SCO UnixWare 7 ships with a utility package called UUCP. The UUCP package allows for the copying of files between different UNIX systems and the sending of...
Multiple vendor telnet daemons vulnerable to buffer overflow via crafted protocol options
Overview The telnetd program is a server for the telnet remote virtual terminal protocol. There is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. This vulnerability can crash the server, or be leveraged to gain root access. Description There is a remotely...
Debian glibc 2 symlink issue could allow arbitrary file overwriting
Overview Some versions of ld.so, the loader for shared libraries in UNIX/LINUX, do not properly clear risky environment variables, allowing a symlink attack to overwrite arbitrary files. Description LD_DEBUG_OUTPUT specifies a directory in which ld.so creates a file with a predictable name based on...
SSH Secure Shell sshd2 does not adequately authenticate logins to accounts with encrypted password fields containing two or fewer characters
Overview A vulnerability exists in SSH Secure Shell that allows an intruder to log in to an account which contains a stored encrypted password of two or fewer characters in length. An intruder may leverage the privileges of such an account to gain full control of the system. Description Certain Unix...
Microsoft Services for UNIX Network File System (NFS) server is vulnerable to denial of service via memory leak
Overview The NFS server included in the Microsoft Services for Unix package contains a denial-of-service vulnerability that may cause the system to become unstable or crash. Description The Network File System (NFS) server included in the Microsoft Services for Unix (SFU) package contains a memory le...
Microsoft Services for UNIX Telnet server is vulnerable to denial of service via memory leak
Overview The telnet server included in the Microsoft Services for Unix package contains a denial-of-service vulnerability that may cause the system to become unstable or crash. Description The telnet server included in the Microsoft Services for Unix (SFU) package contains a memory leak that can le...
klogd does not adequately handle NULL byte when parsing text using LogLine( )
Overview There is a denial-of-service vulnerability in certain distributions of the Linux kernel logging daemon klogd which could allow an attacker to cause klogd to hang. Description The Linux kernel logging daemon klogd can be forced to hang if it receives a null byte in a log message from the...
Lotus Domino vulnerable to DoS via crafted unicode GET request
Overview The Lotus Domino Web Server contains a flaw that could be exploited to cause a denial of service situation. Description Sending a crafted GET request containing numerous unicode characters can trigger a server exception that will crash the Domino server. If qnc.exe is removed from the...
Linux kernel contains race condition via ptrace/procfs/execve
Overview Unprivileged local users can use the ptrace function to take advantage of a privileged program, while that program is performing a privileged operation, to gain privileged access. Description Ptrace is a function, which is often used for debugging, that allows one process to attach to...
Linux kernel does not properly validate user input via sysctl for negative value
Overview Unprivileged local users can exploit the sysctl Linux kernel program to gain privileged access. Description A program called sysctl in the Linux kernel allows a privileged local user to read or write runtime system settings. Unprivileged local users are also allowed to use sysctl to read...
Symantec LiveUpdate stores proxy server passwords in plaintext in registry
Overview A vulnerability exists in the way Symantec LiveUpdate stores proxy server passwords which could allow local users to have read access to the key. Description LiveUpdate version 1.5 stores proxy server passwords in clear text in the registry, under...
Oracle Internet Directory contains multiple vulnerabilities in LDAP handling code
Overview The Oracle Internet Directory server contains vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this...
Lotus Domino R5 Server Family contains multiple vulnerabilities in LDAP handling code
Overview The Lotus Domino R5 Server Family contains vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this...
Microsoft Exchange LDAP Service is vulnerable to denial-of-service attacks
Overview The Microsoft Exchange LDAP Service contains vulnerabilities that may allow denial-of-service attacks. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, the CERT/CC encourages you to foll...
iPlanet Directory Server contains multiple vulnerabilities in LDAP handling code
Overview The iPlanet Directory Server contains vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product,...
Multiple versions of OpenLDAP are vulnerable to denial-of-service attacks
Overview Multiple versions of OpenLDAP contain vulnerabilities that may allow denial-of-service attacks. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, the CERT/CC encourages you to follow the...
Network Associates PGP Keyserver contains multiple vulnerabilities in LDAP handling code
Overview The Network Associates PGP Keyserver contains vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this...
Teamware Office contains multiple vulnerabilities in LDAP handling code
Overview The Teamware Office suite contains vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, the...
Potential vulnerabilities in Qualcomm Eudora WorldMail Server LDAP handling code
Overview The Qualcomm Eudora WorldMail Server may contain vulnerabilities that allow denial-of-service attacks, unauthorized privileged access, or both. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this...
IBM SecureWay Directory is vulnerable to denial-of-service attacks via LDAP handling code
Overview The IBM SecureWay Directory contains vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, t...
Lotus Domino vulnerable to DoS via large crafted URL request
Overview The Lotus Domino Web Server contains a flaw that could be exploited to cause a denial of service. Description HTTP requests to TCP port 80 consisting of multiple /'s, approximately 8k worth, will result in the consumption of the CPU 99-100%. Typically, 8k of the character "a" results in...
The Oracle Internet Directory LDAP (oidldapd) contains buffer overflow
Overview Oracle Internet Directory version 2.0.6, which ships with Oracle version 8i for Linux 8.1.6, contains a program, oidldapd, that is an LDAP Daemon. There is a buffer overflow in the LDAP Daemon that allows a local user to obtain the euid of the oidldapd process, typically user oracle...
Lotus Domino vulnerable to DoS via crafted HTTP header requests
Overview The Lotus Domino Web Server contains a flaw that could be exploited to cause a denial of service. Description HTTP requests with uniquely crafted headers using "Accept", "Accept-Charset", "Accept-Encoding", "Accept-Language" or "Content-Type" are not freed properly. This means that...
pgp4pine fails to properly check for expired public keys
Overview The program pgp4pine version 1.75.6 fails to properly identify expired keys when working with the Gnu Privacy Guard program (GnuPG). This failure may result in the clear-text transmission of sensitive information when used with the PINE mail reading package. Description The program pgp4pine...
Lotus Domino vulnerable to a denial of service via DOS device request
Overview The Lotus Domino Web Server contains a flaw that could be exploited to cause a denial-of-service situation on the Windows and OS/2 Platforms. Description With the Lotus Domino Web Server, you can access DOS-devices. If this is done through the cgi-bin directory, a ncgihttp.exe process wi...
Lotus Domino vulnerable to DoS via many large connects sent to 63148/TCP
Overview The Lotus Domino Web Server contains a flaw that could be exploited to cause a denial of service. Description A continuous stream of "connect" requests with a payload of 10K of data to TCP port 63148 (DIIOP - CORBA) will result in 100% CPU usage, the hard disk constantly being written to,...
Oracle Internet Directory LDAP Daemon does not check write permissions properly
Overview The Oracle LDAP Daemon oidldapd version 2.1.1.1, which ships with Oracle version 8i for Linux version 8.1.7, does not check write permissions properly. This can allow a local user to delete or write to any file on the system. Description The Oracle LDAP Daemon oidldapd version 2.1.1.1 do...
Check Point RDP Bypass Vulnerability
Overview Check Point VPN-1/FireWall-1 version 4.0 & 4.1 may allow an intruder to pass traffic through the firewall on port 259. Description Firewall-1 and VPN-1 include support for RDP, but do not provide adequate security controls for RDP data. By adding a faked RDP header to typical UDP traffic...
Various shells create temporary files insecurely when using << operator
Overview sh uses /tmp files of a predictable name in creating files for input redirection using the << operator. Description When performing the "<<" redirection, /bin/sh creates a temporary file in /tmp with a name based on the process id, writes subsequent input out to that file, and then closes the...