Type of reportcfs5.tistory.com/upload_control/download.… · PPT file · Web view ·...

Type of report(US : against TB-10yr, Korea : against TB-3yr)
Source : Korea – The Korea Securities Dealers Association.
US – Bloomberg.
Slide residue (LG brokerage business update; only the recoverable captions are kept):
2. Recovering brokerage M/S with improved operating capacity: market share has increased behind the successful launch of the IfLG Trading System (a new online HTS, ifLG Trading) coupled with diverse marketing activities and aggressive marketing resources. (Chart: market share, axis 7% to 11%, 1Q01 to 2Q02 end-May; labels LG, No.5, No.2, Samsung.)
3. Growing Asset Management Business: increasing balance of BCs backed by emphasis on improving asset management business (fund performance evaluation system, professional wealth advisors). (Chart: Balance of BCs*, FY01 performance.)
Maximize income from investment banking by utilizing competitive edge in new business areas: shift from traditional corporate areas to privatization, restructuring, consulting, and derivative related businesses; train existing employees in these areas. Employed the largest number of IB professionals: 104. (Chart: IB business breakdown, FY '99 vs. FY '00; foreign ABS of LG Card, LGCI rights offerings, etc.)
5. Eliminated potential losses by sufficient provisioning: eliminated potential losses by reserving a 61% provision for substandard assets at year-end. (Chart: asset and provisioning ratio; asset classification and provision, unit: Wbn, Oct 99 to Mar 2001; caption fragment "... been written off in FY 2001.")
 
The Milestones slide shows tasks scheduled and which of those have been accomplished. The information is derived from a Microsoft Project plan. Focus the view of the schedule on activities that are within the quarterly brief’s current time window. Use screen snaps from Microsoft Project to capture the image for transfer to the slide.
Guidance:
The Milestone chart serves as a snapshot of the overall progress being made on the project. The information on this chart will create a ‘first impression’ that will be amplified by the remaining viewgraphs. Visible late tasks will need justification in the following slides to clarify the issues underlying the schedule slip.
 
This slide is intended to show the expenditures of funds relative to the original plan. The graph should include a line indicating current onboard funds to allow visibility of any impending problems that may cause a work stoppage.
Guidance:
Expenditures rising above the planned line are cause for concern, and an explanation of the nature of the activities causing the deviation should accompany the presentation of the graph. The slides on size and stability are good examples of information that could reveal the cause of cost overruns. A more comprehensive measure of cost performance can be presented using an earned value approach, as illustrated by Slide # 14, Cost/Schedule Performance.
Chart data (Sheet1): planned vs. actual expenditures and onboard funds, Jan to Jun (Actual not yet reported for May and Jun):
Month   Planned   Actual    OnBoard
Jan     $10,000   $10,000   $40,000
Feb     $20,000   $21,000   $40,000
Mar     $30,000   $33,000   $50,000
Apr     $40,000   $45,000   $50,000
May     $50,000   -         $50,000
Jun     $60,000   -         $50,000
 
This slide is used to depict the magnitude of deliverable code and the status of code development on the project. Functional size is measured in terms of the requirements. The code production work necessary to implement the system is measured in terms of source lines of code, objects, function points, software units, etc. Select the unit of measure that best fits the project’s implementation environment (e.g., language, code generation tools).
Guidance:
Reuse is a prevalent part of current implementation methodologies. As a consequence, it is useful to track what portion of the system is going to be implemented using reusable components and whether they come from a commercial vendor or from a maintained library. Tracking the level of reuse will aid in detecting a potential impact due to the reuse level falling below the planned level. Such an event would mean a rise in the amount of code that would need to be developed and would certainly have a negative impact on schedule and cost. In the sample above, the progress on code production is tracked in the channel between the level of reuse and the planned total amount of code to be delivered.
Chart data (Sheet1): SLOC planned, actual and reused, Jan to Jun (Actual not yet reported for May and Jun):
Month   Planned   Actual   Reused
Jan     15000     10000    10000
Feb     15000     11500    10000
Mar     15000     12700    10000
Apr     15000     13500    10000
May     15000     -        10000
Jun     15000     -        10000
 
This slide would be employed starting with the integration test phase for each baseline development/update. Plotting Software Trouble Reports (STRs) Received versus Closed creates a build-specific “Alligator” chart. What is plotted is the total of STRs Received and the total of STRs Closed. The number of STRs that are open at any given time is the delta between the jaws. Plotting the delta helps focus on the progress being made in closing STRs. The picture you want to see is the STRs Open sloping toward zero. The details of the Open STRs could be discussed using Slide #12, Product Readiness (Fault Profiles). The overall readiness of the product in the context of requirements should be discussed using Slide #13, Product Readiness (Breadth of Testing).
Guidance:
Tracking the number of open STRs helps identify the progress in maturing the product and provides a quantifiable measure of product readiness. For example, measuring the number of open STRs against the number of source lines of code gives a fault density that can serve as a gating factor for moving testing to the next level. In addition, the Product Readiness (Fault Profile) information in Slide #12 will identify the origin and criticality of the STRs, and the Product Readiness (Breadth of Testing) Slide #13 will quantify the readiness of the product in terms of the requirements.
Chart data (Sheet1): STRs received, closed and open, Jan to Jun (no data yet for May and Jun):
Month   Received   Closed   Open
Jan     10         4        6
Feb     22         9        13
Mar     34         18       16
Apr     42         31       11
May     -          -        -
Jun     -          -        -
 
This slide serves to demonstrate actual resource utilization relative to the planned figures controlling system reserve capacity. The data is derived from design documents, software development files, and analysis information associated with approved STRs and Software Change Proposals (SCPs) targeted for inclusion in the baseline.
Guidance:
This slide will help demonstrate the technical adequacy of the system under development. Exceeding resource capacities would negatively impact performance and therefore the information serves to identify the need for investigating possible changes in design or computer configuration.
Chart data (Sheet1): planned vs. current % utilization by resource:
Resource   Planned   Current
CPU        80%       74%
MEM        80%       65%
IO         80%       92%
  
The object of a slide on the status of requirements is to demonstrate the stability of the implementation effort. The slide should show the planned size of the software effort in terms of a requirements total, the current number of requirements baselined for inclusion in the build, the number of requirements satisfied in design, implementation, and supported by test cases.
Guidance:
Requirements volatility is the most probable high-impact risk a project will encounter. Tracking the initial estimate of total requirements against the current number of baselined requirements will readily reveal any change of scope in the effort. Adding the number of requirements satisfied in design, implemented via off-the-shelf components or code development, and covered by verifying test cases will not only identify the project’s readiness to meet its requirements but also illustrate the scope of the impact of any proposed requirement changes. For example, it should be evident that if you increase the requirements you experience a regression in design, implementation, and test readiness progress.
Chart 1 (requirements status, Jan to Jun): series Planned, Baselined, Design, Implemented; values not recoverable from the slide.
 
The object of this slide is to illustrate management success in meeting staffing requirements for the software project. The planned curve is derived from the Software Project Planning effort. This data is plotted against the current staff total supporting the project.
Guidance:
Trained staff resources must be allocated to the project to meet production schedules. This graph illustrates success in meeting that need.
Chart 1 (staffing, Jan to Jun): series Planned, Actual; values not recoverable from the slide.
 
The objective of this slide is to present an overall picture of the comprehensiveness of the staff training. In the example, the columns are the required training subjects and the rows represent the project team members. The chart uses a color code, where ‘Green’ represents course completion, and ‘Blue’ represents a planned course that is yet to be completed. In addition, an ‘X’ marks mandatory training and an ‘O’ optional training.
Guidance:
Creating a matrix derived from the project’s training plan allows the software project manager to present the state of staff training. This information will help instill confidence in the sponsor that the staff is maintaining the requisite knowledge, skill, and abilities to perform their roles effectively.
Training matrix residue: column headings Course Category/Name, SPM, SPIRIT/SME; cell contents not recoverable from the slide.
 
The objective of this slide is to quantify the level of programmatic communication used to coordinate the activities involved in developing the current program baseline product. The columns reflect the count of the individual coordination activities performed during the reporting quarter and to date in the development of the current baseline. The rows of the tabular representation define the types of coordination activities. In the example, the types are drawn from the Microsoft Project Plan template, Attachment A to the sample Software Measurement Plan.
Guidance:
Providing a quantified picture of the coordination activities within the project communicates the level of software management integration and the participation of various software engineering groups in addressing work activities, customer requirements, planning, and other key issues necessary to project success.
 
This series of slides serves to demonstrate both the scope of the software quality assurance effort and the status of the planned SQA events. The chart groups the SQA activities by phase of the project’s Life Cycle Strategy. The individual activities are selected from the SQA Plan. The ‘Status’ field uses a color code, where ‘Green’ represents activity completion and ‘Blue’ represents a planned activity yet to be completed, as a means to communicate progress on the SQA plan and its activities.
Guidance:
Providing status on the Software Quality Assurance plan educates the sponsor on the overall SQA effort and provides insight into the status of that plan. Providing a comprehensive SQA plan and status helps build the sponsor’s confidence that the project is being managed using a highly mature software engineering process.
Phase Related SQA Activities
Peer Review the Software Quality Assurance Plan (SQAP)
Peer Review the Software Configuration Management Plan (SCMP)
Peer Review the Software Development Library CM (SDL CM) Procedure
Audit Requirement Management Process
Audit Intergroup Coordination Process
Audit Peer Review Process
Audit CM records to ensure SDP, SPP, SQAP, SCMP, SDL CM are under change control
SOFTWARE REQUIREMENT ANALYSIS PHASE
N/A
Audit Training Program Process
Audit Peer Review Process
Audit CM records to ensure SRS, IRS are under change control
Phase Related SQA Activities
Peer Review Software Test Plan (STP)
N/A
Audit Software Project Tracking and Oversight Process
Audit Subcontractor Management Process
Audit Peer Review Process
Audit selected Software Development Files (SDFs) for CSU integration and testing content
Audit CM records to ensure SDD (Design Memos), STP, STD are placed under change control
CODING AND CSU TEST PHASE
Peer Review Code
Audit Software Product Engineering Process
Audit Code Review Process
Audit selected SDFs for CSU test procedures and test results
Audit Software Development Library (SDL) to ensure successfully tested CSU is under configuration control.
Audit CM records to ensure UTP is placed under change control
Phase Related SQA Activities
Audit the Test Readiness Review (TRR)
Audit Configuration Management Process
Audit Software Product Engineering Process
Audit CM records to ensure that all source code updates entered into the developmental configuration are based on approved change requests
SYSTEM QUALIFICATION TEST PHASE
Peer Review Software Test Report (STR)
Peer Review Version Description Document (VDD)
Peer Review Software User Manual (SUM)
Audit Software Product Engineering Process
Audit CM records to ensure STR, VDD, SUM are placed under change control
  
All open STRs by origin and priority are used to focus attention on the readiness of the product for delivery to either users or an external test organization. This slide would be added to the suite during Integration Test and/or Qualification Tests.
Guidance:
The nature of Open STRs, as depicted in this slide, when added to density information from Slide #5, constitutes a gauge to be used in determining if the product has met an acceptable level of quality. The values used to determine the limit for acceptance are dependent on negotiation with the sponsor as it is part of the acceptance criteria.
Chart 1 (open STRs by origin and priority): categories Requirements, Design, Implementation, each appearing four times; values not recoverable from the slide.
 
The objective of this slide is to demonstrate the technical adequacy of the product in relation to its baseline requirements. The chart shows a line reflecting the scheduled rate of verifying requirements and lines for the percent tested and the percent having passed tests. This slide would be added to the basic suite during Integration Test and/or Qualification Tests.
Guidance:
Preparing the product for acceptance should be focused on the allocated requirements agreed to by the stakeholders at the start of the development cycle for the project. When combined with the density information from Slide #5, it helps measure success in terms of the requirements critical to product acceptance, and the suitability for delivery to an external test organization or a user community.
Chart data (Sheet1): % of requirements tested, passed and scheduled, Mar to Aug (Tested and Passed not yet reported for May onward):
Month   Tested   Passed   Scheduled
Mar     10%      10%      10%
Apr     25%      20%      20%
May     -        -        40%
Jun     -        -        60%
Jul     -        -        80%
Aug     -        -        100%
Slide #14 COST/SCHEDULE PERFORMANCE
The use of cost and schedule performance information, also known as Earned Value management, is a technique that reflects the integration of cost, schedule and a measure of technical work accomplishment into one common view to establish the status of the project’s performance.
Guidance:
It is recommended that this slide be used instead of Slide # 3, Cost, to provide a more comprehensive look at cost performance. The slide implements an earned value approach that combines cost expenditures with schedule and product completion data. The following paragraphs define key terminology common to the discipline. The data is calculated by Microsoft Project.
Budgeted Cost of Work Scheduled (BCWS): The initial cost estimate for a work package scheduled to be completed within a given time period. This represents the original plan.
Budgeted Cost of Work Performed (BCWP): The dollar value of the work accomplished on a package during the current reporting period. If the project had planned to accomplish 100 units by the end of the current reporting period but had only accomplished 80 of those units, then BCWP represents what it should have cost for the 80 units.
Actual Cost of Work Performed (ACWP): The actual cost incurred to complete a work package within a given time period, i.e., the actual cost incurred in the production of the 80 units the project was able to complete by the current reporting period. The degree to which actual cost values (ACWP) correspond to the originally planned values (BCWP) can be calculated over time. These derived values are the cost and schedule variances.
Cost Variance (CV) is the difference between the original estimate (BCWP) and the actual cost (ACWP) for the work completed to date (i.e., 80 units).
Schedule Variance (SV) is the cost difference between the amount of work planned to be performed (BCWS; i.e., 100 units) and the cost of the work that was actually completed (BCWP).
Chart data (Sheet1, K$): earned value figures Jan to Jun (only BCWS is available for May and Jun):
Month   BCWP   BCWS   ACWP   CV   SV
Jan     12     12     13     1    0
Feb     17     17     18     1    0
Mar     20     22     23     3    2
Apr     25     27     30     5    2
May     -      32     -      -    -
Jun     -      37     -      -    -
In this table CV is tabulated as ACWP minus BCWP and SV as BCWS minus BCWP, so a positive CV indicates a cost overrun and a positive SV indicates work behind schedule.
Survey chart residue (Sheet1, Q4 2000, ELN/Z CMMI early phases): question “How well describe major problems”; response labels Very well, Reasonably well, Generally well; No: 11, Yes: 0; Chart3 values 7, 4, 0; Chart4 values 5, 6, 0.
Change request (sample): Install Y2K compatible chip in six computer controlled milling machines
Date _________________
Phone ________________
Justification (include impact if not implemented):
Reprogramming cost is higher than estimated, and risk of old chips failing is higher than estimated. (Eliminating reprogramming cost is -$10,000. Cost of Y2K chips installed is +$15,000.)
Lifecycle diagram residue (activities and products by phase, dated 5/17/02): COCOMO Model; Project Start, SRR, PDR, CDR, Acceptance; IPR Presentation, Decision Rev. Presentation and FRP Presentation to CIO/BIE Council; SSAA V1; Infra. Svcs Request (I) and Infrastructure Svcs Request (F); BPA/BPR Report; Trade-off Studies; PM Charter; CM Plan; QA Plan; Release Review; IRR; PIR; FCA/PCA Checklists; Functional Baseline; Allocated Baseline; SAD, DBDD, SDD (SAD3, DBDD3, SDD3); Operation and Performance Oversight; Ongoing Operational / Customer Assessment; Test Scripts (F).
Footnotes: < $2M Total Ownership Cost; 3 = Performed by DFAS Resource Mgmt Office; 4 = Not applicable to COTS.
Change request approval: for Corporate-level Change Requests, review and approval by the CIO/BIE Council; for Business Line-level Change Requests, review and approval by the Business Line Management Board; for System-level Change Requests, review and approval by the System CCB.
Changes to appropriate documentation are required at each review to keep baselines current.
I. The majority of banks in the EU are expected to apply the IRB Approach
Which approach will be chosen by your bank? (Results of a recent enquiry at German banks; chart values by bank group are not recoverable from the slide.)
Bank groups: 1) Savings banks and Landesbanks; 2) Balance sheet < 50 billion €; 3) Balance sheet > 50 billion €; small private banks. Response category “Still unclear”; axis: percentage.
* Source: „Deutsche Banken auf dem Weg zu Basel II“, Boston Consulting Group/Universität Witten/Herdecke, December 2002
“One Transaction” Risk Side: Stop-Loss Limit on Trading
1. Generated from the bank’s unique ‘Risk Universe’.
2. The whole range of capital allocation should be within ‘Risk Capital’.
3. The limit type should not be restricted to simple volume; most limit types relate to a ‘Risk Measure’.
4. Limit terms are related to ‘Risk Attribution’.
5. Limit monitoring should be set based on ‘Risk Attribution’ and ‘Risk Prioritization’.
Diagram labels: Customers; Marketing & Customer Management; Performance Evaluation & Remuneration; << 300.
In practice, SBU position limits are allocated in excess of the bank-wide risk limit. This accelerates the limit bidding and resource acquisition process. Real resource allocation depends on business prioritization.
Sometimes a business unit cannot use its full allocated limit because the bank-wide limit is already used by other business units. However, if required, the RMC can enlarge the initial ‘Bankwide Risk Limit’.
CVE candidate list (columns: CVE CANDIDATE | Platform | DESCRIPTION | PHASE | REFERENCES | VOTES | COMMENTS)
CAN-2002-0555
I
IBM Informix Web DataBlade 4.12 unescapes user input even if an application has escaped it, which could allow remote attackers to execute SQL code in a web form even when the developer has attempted to escape it.
Proposed (20020611)
ACCEPT(1) Frech | NOOP(4) Wall, Foat, Cole, Cox
CAN-2002-0554
I
webdriver in IBM Informix Web DataBlade 4.12 allows remote attackers to bypass user access levels or read arbitrary files via a SQL injection attack in an HTTP request.
Proposed (20020611)
CAN-2002-0120
M
Apple Palm Desktop 4.0b76 and 4.0b77 creates world-readable backup files and folders when a hotsync is performed, which could allow a local user to obtain sensitive information.
Proposed (20020315)
CAN-2002-0252
M
Buffer overflow in Apple QuickTime Player 5.01 and 5.02 allows remote web servers to execute arbitrary code via a response containing a long Content-Type MIME header.
Proposed (20020502)
ACCEPT(1) Frech | NOOP(5) Wall, Foat, Cole, Armstrong, Cox
CAN-2002-0676
M
SoftwareUpdate for MacOS 10.1.x does not use authentication when downloading a software update, which could allow remote attackers to execute arbitrary code by posing as the Apple update server via techniques such as DNS spoofing or cache poisoning, and s
Proposed (20020726)
ACCEPT(4) Balinsky, Baker, Cole, Armstrong | NOOP(4) Christey, Wall, Foat, Cox
Christey> XF:macos-softwareupdate-no-auth(9502) | URL:http://www.iss.net/security_center/static/9502.php | BID:5176 | URL:http://www.securityfocus.com/bid/5176 | Balinsky> Vendor addressed the vulnerable application. It isn't clear that
CAN-2002-1266
M
Mac OS X 10.2.2 allows local users to gain privileges by mounting a disk image file that was created on another system, aka "Local User Privilege Elevation via Disk Image File."
Assigned (20021104)
CAN-2002-1267
M
Mac OS X 10.2.2 allows remote attackers to cause a denial of service by accessing the CUPS Printing Web Administration utility, aka "CUPS Printing Web Administration is Remotely Accessible."
Assigned (20021104)
CAN-2002-1268
M
Mac OS X 10.2.2 allows local users to gain privileges via a mounted ISO 9600 CD, aka "User Privilege Elevation via Mounting an ISO 9600 CD."
Assigned (20021104)
CAN-2002-1269
M
Unknown vulnerability in NetInfo Manager application in Mac OS X 10.2.2 allows local users to access restricted parts of a filesystem.
Assigned (20021104)
CAN-2002-1270
M
Mac OS X 10.2.2 allows local users to read files that only allow write access via the map_fd() Mach system call.
Assigned (20021104)
CAN-2002-0996
N
Multiple buffer overflows in Novell NetMail (NIMS) 3.0.3 before 3.0.3C allows remote attackers to cause a denial of service and possibly execute arbitrary code via (1) WebAdmin or (2) ModWeb.
Proposed (20020830)
CAN-2002-1283
N
Buffer overflow in Novell iManager (eMFrame) before 1.5 allows remote attackers to cause a denial of service via an authentication request with a long Distinguished Name (DN) attribute.
Assigned (20021112)
None (candidate not yet proposed)
CAN-2002-0779
N
FTP proxy server for Novell BorderManager 3.6 SP 1a allows remote attackers to cause a denial of service (network connectivity loss) via a connection to port 21 with a large amount of random data.
Proposed (20020726)
VULNWATCH:20020508 [VulnWatch] cqure.net.20020412.bordermanager_36_mv1.a | URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0060.html | BUGTRAQ:20020508 cqure.net.20020412.bordermanager_36_mv1.a | URL:http://online.securityfocus.co
CAN-2002-0780
N
IP/IPX gateway for Novell BorderManager 3.6 SP 1a allows remote attackers to cause a denial of service via a connection to port 8225 with a large amount of random data, which causes ipipxgw.nlm to ABEND.
Proposed (20020726)
VULNWATCH:20020508 [VulnWatch] cqure.net.20020412.bordermanager_36_mv1.a | URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0060.html | BUGTRAQ:20020508 cqure.net.20020412.bordermanager_36_mv1.a | URL:http://online.securityfocus.co
CAN-2002-0781
N
RTSP proxy for Novell BorderManager 3.6 SP 1a allows remote attackers to cause a denial of service via a GET request to port 9090 followed by a series of carriage returns, which causes proxy.nlm to ABEND.
Proposed (20020726)
VULNWATCH:20020508 [VulnWatch] cqure.net.20020412.bordermanager_36_mv1.a | URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0060.html | BUGTRAQ:20020508 cqure.net.20020412.bordermanager_36_mv1.a | URL:http://online.securityfocus.co
CAN-2002-0929
N
Buffer overflows in the DHCP server for NetWare 6.0 SP1 allow remote attackers to cause a denial of service (reboot) via long DHCP requests.
Proposed (20020830)
VULNWATCH:20020625 [VulnWatch] cqure.net.20020604.netware_dhcpsrvr | URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0126.html | CONFIRM:http://support.novell.com/servlet/tidfinder/2962999 | BID:5097 | URL:http://www.securityf
CAN-2002-1010
N
Lotus Domino R4 allows remote attackers to bypass access restrictions for files in the web root via an HTTP request appended with a "?" character, which is treated as a wildcard character and bypasses the web handlers.
Proposed (20020830)
MODIFY(1) Frech | NOOP(4) Wall, Foat, Cole, Cox
Frech> XF:lotus-domino-url-bypass(10386)
CAN-2002-0037
N
Lotus Domino Servers 5.x, 4.6x, and 4.5x allows attackers to bypass the intended Reader and Author access list for a document's object via a Notes API call that directly accesses the object.
Proposed (20020502)
ACCEPT(3) Wall, Cole, Green | MODIFY(1) Frech | NOOP(4) Foat, Armstrong, Cox, Christey
Christey> Need to find some references for these... probably in | the CERT/CC vulnerability notes. | Frech> XF:lotus-domino-nsfdbreadobject(10095) | http://www.kb.cert.org/vuls/id/657899 | CONFIRM: | http://www-1.ibm.com/support/do
CAN-2002-1041
U
Unknown vulnerability in DCE (1) SMIT panels and (2) configuration commands, possibly related to relative pathnames.
Proposed (20020830)
AIXAPAR:IY23359 | URL:http://archives.neohapsis.com/archives/aix/2002-q3/0000.html | AIXAPAR:IY29579 | URL:http://archives.neohapsis.com/archives/aix/2002-q3/0000.html
Frech> XF:aix-smit-panels-insecure(10393)
CAN-2002-0790
U
clchkspuser and clpasswdremote in AIX expose an encrypted password in the cspoc.log file, which could allow local users to gain privileges.
Proposed (20020726)
CAN-2002-0742
U
Proposed (20020726)
AIXAPAR:IY28880 | URL:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html
ACCEPT(3) Baker, Bollinger, Cole | NOOP(4) Cox, Wall, Foat, Armstrong
Bollinger> This is indeed a separate issue from CVE-2000-1123. Add AIX | 5.1 APAR IY29677 to the References for this candidate.
CAN-2002-0743
U
mail and mailx in AIX 4.3.3 core dump when called with a very long argument, an indication of a buffer overflow.
Proposed (20020726)
AIXAPAR:IY29516 | URL:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html
ACCEPT(3) Baker, Bollinger, Cole | NOOP(4) Cox, Wall, Foat, Armstrong
Bollinger> IY29516 is the AIX 4.3 APAR for a variety of buffer | overflows in mail and mailx found during internal testing. (AIX 5.1 | APAR IY28170 needs to be added to the References.) I don't know if | this is similar to CAN-2002-0041
CAN-2002-0744
U
namerslv in AIX 4.3.3 core dumps when called with a very long argument, possibly as a result of a buffer overflow.
Proposed (20020726)
AIXAPAR:IY29517 | URL:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html
CAN-2002-0745
U
Proposed (20020726)
AIXAPAR:IY29518 | URL:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html
ACCEPT(3) Baker, Bollinger, Cole | NOOP(4) Cox, Wall, Foat, Armstrong
Bollinger> IY29518 is the AIX 4.3 APAR. AIX 5.1 APAR IY28158 needs to | be added to the References. This candidate only addressed long | arguments to uucp and uux but not the other commands listed in | CAN-2001-1164.
CAN-2002-0746
U
Vulnerability in template.dhcpo in AIX 4.3.3 related to an insecure linker argument.
Proposed (20020726)
AIXAPAR:IY29583 | URL:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html
CAN-2002-0747
U
Proposed (20020726)
AIXAPAR:IY29589 | URL:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html
ACCEPT(3) Baker, Bollinger, Cole | NOOP(4) Cox, Wall, Foat, Armstrong
Bollinger> This candidate is a buffer overflow; CAN-2001-1061 was a | metacharacter issue. Add AIX 5.1 APAR IY28586 to the References for | this candidate.
CAN-2002-1040
U
Unknown vulnerability in the WebSecure (DFSWeb) configuration utilities in AIX 4.x, possibly related to relative pathnames.
Proposed (20020830)
AIXAPAR:IY29749 | URL:http://archives.neohapsis.com/archives/aix/2002-q3/0000.html
Frech> XF:aix-dsfweb-scripts-insecure(10390)
CAN-2002-0386
U
The administration module for Oracle Web Cache in Oracle9iAS (9i Application Suite) 9.0.2 allows remote attackers to cause a denial of service (crash) via (1) an HTTP GET request containing a ".." (dot dot) sequence, or (2) a malformed HTTP GET request wi
Assigned (20020522)
CAN-2002-0666
U
IPSEC implementations including (1) FreeS/WAN and (2) KAME do not properly calculate the length of authentication data, which allows remote attackers to cause a denial of service (kernel panic) via spoofed, short Encapsulating Security Payload (ESP) packe
Assigned (20020708)
None (candidate not yet proposed)
CAN-2002-0887
U
scoadmin for Caldera/SCO OpenServer 5.0.5 and 5.0.6 allows local users to overwrite arbitrary files via a symlink attack on temporary log files.
Proposed (20020830)
ACCEPT(5) Cole, Armstrong, Frech, Alderson, Baker | MODIFY(1) Jones | NOOP(2) Cox, Foat
Jones> Suggest removing "log" from CVE description (i.e., "... on | temporary files."). Caldera indicates "temporary files", which could be | other than log files; log file was used by discoverer as a proof-of-concept, | but problem is ap
CAN-2002-0001
U
Vulnerability in RFC822 address parser in mutt before 1.2.5.1 and mutt 1.3.x before 1.3.25 allows remote attackers to execute arbitrary commands via an improperly terminated comment or phrase in the address list.
Modified (20020817-01)
ACCEPT(4) Wall, Baker, Cole, Green | MODIFY(1) Frech | NOOP(2) Foat, Christey
Christey> I need to review this for accuracy; is it just a buffer | overflow? See Mark Cox' comments in his "Chinese Whisper" | article. | Frech> XF:mutt-address-handling-bo(7759) | Christey> See Caldera advisory for a good, short descri
CAN-2002-0095
U
The default configuration of BSCW (Basic Support for Cooperative Work) 3.x and possibly version 4 enables user self registration, which could allow remote attackers to upload files and possibly join a user community that was intended to be closed.
Proposed (20020315)
CAN-2002-0094
U
config_converters.py in BSCW (Basic Support for Cooperative Work) 3.x and versions before 4.06 allows remote attackers to execute arbitrary commands via shell metacharacters in the file name during filename conversion.
Proposed (20020315)
CAN-2002-0570
U
The encrypted loop device in Linux kernel 2.4.10 and earlier does not authenticate the entity that is encrypting data, which allows local users to modify encrypted data without knowing the key.
Proposed (20020611)
ACCEPT(3) Cole, Frech, Alderson | MODIFY(1) Foat | NOOP(2) Wall, Cox
Foat> A local user can not modify the data. The user needs to root the box | first or at least get UNIX permission to write to the encrypted file system. | This is different than being a local user. | CHANGE> [Cox changed vote from REVIEWING
CAN-2002-0014
U
URL-handling code in Pine 4.43 and earlier allows remote attackers to execute arbitrary commands via a URL enclosed in single quotes and containing shell metacharacters (&).
Proposed (20020726)
ACCEPT(5) Wall, Baker, Cole, Armstrong, Cox | NOOP(2) Foat, Christey
Christey> Consider adding BID:3815
CAN-2002-0010
U
Bugzilla before 2.14.1 allows remote attackers to inject arbitrary SQL code and create files or gain privileges via (1) the sql parameter in buglist.cgi, (2) invalid field names from the "boolean chart" query in buglist.cgi, (3) the mybugslink parameter i
Proposed (20020131)
ACCEPT(3) Baker, Cole, Green | NOOP(2) Wall, Foat | REVIEWING(1) Frech
Frech> XF:bugzilla-buglist-modify-sql(7807) | XF:bugzilla-userprefs-change-groupset(7809) | XF:bugzilla-longlist-modify-sql(7811) | XF:bugzilla-editusers-change-groupset(7814) | XF:bugzilla-buglist-sql-logic(7813)
CAN-2002-0009
U
show_bug.cgi in Bugzilla before 2.14.1 allows a user with "Bugs Access" privileges to see other products that are not accessible to the user, by submitting a bug and reading the resulting Product pulldown menu.
Proposed (20020131)
Frech> XF:bugzilla-showbug-reveal-bugs(7802)
CAN-2002-0008
U
Bugzilla before 2.14.1 allows remote attackers to (1) spoof a user comment via an HTTP request process_bug.cgi using the "who" parameter, instead of the Bugzilla_login cookie, or (2) post a bug as another user by modifying the reporter parameter to enter_
Proposed (20020131)
Frech> XF:bugzilla-processbug-comment-spoofing(7805) | XF:bugzilla-postbug-report-spoofing(7804)
CAN-2002-0011
U
Information leak in doeditvotes.cgi in Bugzilla before 2.14.1 may allow remote attackers to more easily conduct attacks on the login.
Proposed (20020131)
Frech> XF:bugzilla-doeditvotes-login-information(7803)
CAN-2002-0103
U
An installer program for Oracle9iAS Web Cache 2.0.0.x creates executable and configuration files with insecure permissions, which allows local users to gain privileges by (1) running webcached or (2) obtaining the administrator password from webcache.xml.
Proposed (20020315)
ACCEPT(5) Wall, Foat, Cole, Ziese, Green | MODIFY(1) Frech
Frech> XF:oracle-appserver-webcached-privileges(7766) | XF:oracle-appserver-webcache-password(7768) | CHANGE> [Foat changed vote from NOOP to ACCEPT]
CAN-2002-0104
U
AFTPD 5.4.4 allows remote attackers to gain sensitive information via a CD (CWD) ~ (tilde) command, which causes a core dump.
Proposed (20020315)
ACCEPT(2) Frech, Green | NOOP(4) Wall, Foat, Cole, Ziese
CAN-2002-0105
U
CDE dtlogin in Caldera UnixWare 7.1.0, and possibly other operating systems, allows local users to gain privileges via a symlink attack on /var/dt/Xerrors since /var/dt is world-writable.
Proposed (20020315)
ACCEPT(2) Frech, Green | NOOP(5) Christey, Wall, Foat, Cole, Ziese
Christey> CALDERA:CSSA-2002-SCO.18 | XF:cde-dt-world-writable(9045) | URL:http://www.iss.net/security_center/static/9045.php | Note: the advisory sort-of implies that world-write | permissions were the key problem, so the fact that a
CAN-2002-0517
U
Buffer overflow in X11 library (libX11) on Caldera Open UNIX 8.0.0, UnixWare 7.1.1, and possibly other operating systems, allows local users to gain root privileges via a long -xrm argument to programs such as (1) dtterm or (2) xterm.
Proposed (20020611)
CAN-2002-0006
U
XChat 1.8.7 and earlier, including default configurations of 1.4.2 and 1.4.3, allows remote attackers to execute arbitrary IRC commands as other clients via encoded characters in a PRIVMSG command that calls CTCP PING, which expands the characters in the
Proposed (20020611)
ACCEPT(6) Wall, Baker, Cole, Frech, Cox, Alderson | NOOP(2) Foat, Christey
Christey> Consider adding BID:3830
CAN-2002-0311
U
Vulnerability in webtop in UnixWare 7.1.1 and Open UNIX 8.0.0 allows local and possibly remote attackers to gain root privileges via shell metacharacters in the -c argument for (1) in scoadminreg.cgi or (2) service_action.cgi.
Proposed (20020502)
CAN-2002-0145
U
chuid 1.2 and earlier does not properly verify the ownership of files that will be changed, which allows remote attackers to change files owned by other users, such as root.
Proposed (20020315)
ACCEPT(3) Balinsky, Cole, Green | MODIFY(1) Frech | NOOP(3) Wall, Foat, Ziese
Frech> XF:chuid-unauthorized-ownership-change(7976)
CAN-2002-0144
U
Directory traversal vulnerability in chuid 1.2 and earlier allows remote attackers to change the ownership of files outside of the upload directory via a .. (dot dot) attack.
Proposed (20020315)
CAN-2002-0204
U
Buffer overflow in GNU Chess (gnuchess) 5.02 and earlier, if modified or used in a networked capacity contrary to its own design as a single-user application, may allow local or remote attackers to execute arbitrary code via a long command.
Proposed (20020502)
NOOP(2) Foat, Cole | REJECT(1) Wall | REVIEWING(1) Green
Green> The issue of modifying code and/or using code for purposes other than intended raises the hypothetical (albeit ridiculous) prospect of having to classify vulnerabilities within gcc, since one could develop malicious code using the compiler.
CAN-2002-0203
U
ttawebtop.cgi in Tarantella Enterprise 3.20 on SPARC Solaris and Linux, and 3.1x and 3.0x including 3.11.903, allows remote attackers to view directory contents via an empty pg parameter.
Proposed (20020502)
ACCEPT(2) Cole, Green | NOOP(2) Wall, Foat
CAN-2002-0220
U
phpsmssend.php in PhpSmsSend 1.0 allows remote attackers to execute arbitrary commands via an SMS message containing shell metacharacters.
Proposed (20020502)
CAN-2002-0225
U
Proposed (20020502)
ACCEPT(1) Green | NOOP(3) Wall, Foat, Cole
CAN-2002-0230
U
Cross-site scripting vulnerability in fom.cgi of Faq-O-Matic 2.712 allows remote attackers to execute arbitrary Javascript on other clients via the cmd parameter, which causes the script to be inserted into an error message.
Proposed (20020502)
ACCEPT(2) Cole, Green | NOOP(2) Wall, Foat | RECAST(1) Christey
Christey> XF:faqomatic-cgi-css(8066) | URL:http://www.iss.net/security_center/static/8066.php | BID:4023 | URL:http://www.securityfocus.com/bid/4023 | | A similar issue was discovered a few months afterward in the | "file"
The default configuration of Oracle 9i Application Server 1.0.2.x allows remote anonymous users to access sensitive services without authentication, including Dynamic Monitoring Services.
Proposed (20020611)
ACCEPT(3) Baker, Cole, Alderson | MODIFY(1) Frech | NOOP(3) Wall, Foat, Cox
Frech> XF:oracle-appserver-apache-services(8455)
Oracle 9i Application Server stores XSQL and SOAP configuration files insecurely, which allows local users to obtain sensitive information including usernames and passwords by requesting (1) XSQLConfig.xml or (2) soapConfig.xml through a virtual directory
Proposed (20020611)
ACCEPT(4) Wall, Baker, Cole, Alderson | MODIFY(1) Frech | NOOP(2) Foat, Cox
Frech> XF:oracle-appserver-config-file-access(8453)
CAN-2002-0564
U
PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows remote attackers to bypass authentication for a Database Access Descriptor (DAD) by modifying the URL to reference an alternate DAD that already has valid credentials.
Proposed (20020611)
ACCEPT(4) Wall, Baker, Cole, Alderson | MODIFY(1) Frech | NOOP(2) Foat, Cox
Frech> XF:oracle-appserver-alternate-dad-access(8456)
CAN-2002-0561
U
The default configuration of the PL/SQL Gateway web administration interface in Oracle 9i Application Server 1.0.2.x uses null authentication, which allows remote attackers to gain privileges and modify DAD settings.
Proposed (20020611)
ACCEPT(4) Wall, Baker, Cole, Alderson | MODIFY(1) Frech | NOOP(2) Foat, Cox
Frech> XF:oracle-appserver-plsql-web-interface(8452)
CAN-2002-0569
U
Oracle 9i Application Server allows remote attackers to bypass access restrictions for configuration files via a direct request to the XSQL Servlet (XSQLServlet).
Proposed (20020611)
ACCEPT(4) Wall, Baker, Cole, Alderson | MODIFY(1) Frech | NOOP(2) Foat, Cox
Frech> XF:oracle-appserver-config-file-access(8453)
CAN-2002-0560
U
PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows remote attackers to obtain sensitive information via the OWA_UTIL stored procedures (1) OWA_UTIL.signature, (2) OWA_UTIL.listprint, or (3) OWA_UTIL.show_query_columns.
Proposed (20020611)
ACCEPT(3) Baker, Cole, Alderson | MODIFY(1) Frech | NOOP(3) Wall, Foat, Cox
Frech> XF:oracle-appserver-owautil-gain-information(8451)
CAN-2002-0565
U
Oracle 9iAS 1.0.2.x compiles JSP files in the _pages directory with world-readable permissions under the web root, which allows remote attackers to obtain sensitive information derived from the JSP code, including usernames and passwords, via a direct HTT
Proposed (20020611)
ACCEPT(5) Wall, Baker, Cole, Frech, Alderson | NOOP(2) Foat, Cox
CAN-2002-0562
U
The default configuration of Oracle 9i Application Server 1.0.2.x running Oracle JSP or SQLJSP stores globals.jsa under the web root, which allows remote attackers to gain sensitive information including usernames and passwords via a direct HTTP request t
Proposed (20020611)
ACCEPT(4) Wall, Baker, Cole, Alderson | MODIFY(1) Frech | NOOP(2) Foat, Cox
Frech> XF:oracle-appserver-oraclejsp-view-info(8100)
CAN-2002-0566
U
PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows remote attackers to cause a denial of service (crash) via an HTTP Authorization header without an authentication type.
Proposed (20020611)
CAN-2002-0559
U
Buffer overflows in PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allow remote attackers to cause a denial of service or execute arbitrary code via (1) a long help page request without a dadname, which overflows the resulting HTTP Locati
Proposed (20020611)
ACCEPT(3) Baker, Cole, Alderson | MODIFY(1) Frech | NOOP(3) Wall, Foat, Cox
Frech> ADDREF XF:oracle-appserver-location-bo(8457)
CAN-2002-0567
U
Oracle 8i and 9i with PL/SQL package for External Procedures (EXTPROC) allows remote attackers to bypass authentication and execute arbitrary functions by using the TNS Listener to directly connect to the EXTPROC process.
Proposed (20020611)
ACCEPT(5) Wall, Baker, Cole, Frech, Alderson | NOOP(2) Foat, Cox
CAN-2002-0253
U
PHP, when not configured with the "display_errors = Off" setting in php.ini, allows remote attackers to obtain the physical path for an include file via a trailing slash in a request to a directly accessible PHP program, which modifies the base path, caus
Proposed (20020502)
ACCEPT(1) Frech | NOOP(4) Wall, Foat, Cole, Armstrong | REVIEWING(1) Cox
CAN-2002-0240
U
PHP, when installed with Apache and configured to search for index.php as a default web page, allows remote attackers to obtain the full pathname of the server via the HTTP OPTIONS method, which reveals the pathname in the resulting error message.
Proposed (20020502)
ACCEPT(2) Baker, Frech | MODIFY(1) Cox | NOOP(4) Wall, Foat, Cole, Armstrong
CHANGE> [Cox changed vote from REVIEWING to MODIFY] | Cox> Change to "....installed with Apache 2.0 for Windows"
CAN-2002-0246
U
Format string vulnerability in the message catalog library functions in UnixWare 7.1.1 allows local users to gain privileges by modifying the LC_MESSAGE environment variable to read other message catalogs containing format strings from setuid programs suc
Proposed (20020502)
CAN-2002-0274
U
Exim 3.34 and earlier may allow local users to gain privileges via a buffer overflow in long -C (configuration file) and other command line arguments.
Proposed (20020502)
ACCEPT(2) Cole, Cox | MODIFY(1) Frech | NOOP(3) Wall, Foat, Armstrong
Frech> XF:exim-config-arg-bo(8194) | CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
CAN-2002-0272
U
Buffer overflows in mpg321 before 0.2.9 allow local and possibly remote attackers to execute arbitrary code via a long URL to (1) a command line option, (2) an HTTP request, or (3) an FTP request.
Proposed (20020502)
ACCEPT(2) Cole, Armstrong | MODIFY(1) Cox | NOOP(3) Christey, Wall, Foat | REVIEWING(1) Frech
Cox> "possibly" is vague. It can be exploited by remote attackers | if doing network streaming. | Christey> REDHAT:RHSA-2002:078
CAN-2002-0280
U
Buffer overflow in CodeBlue 4 and earlier, and possibly other versions, allows remote attackers to execute arbitrary code via a long string in an SMTP reply.
Proposed (20020502)
MODIFY(1) Frech | NOOP(5) Wall, Foat, Cole, Armstrong, Cox
Frech> May have been 'rediscovered' by VulnWatch Mailing List, Wed | Jul 24 2002 - 11:05:00 CDT, "Remote hole in Codeblue log scanner" at | http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0037.html. | If these are the same issue,
CAN-2002-0290
U
Buffer overflow in Netwin WebNews CGI program 1.1, Webnews.exe, allows remote attackers to execute arbitrary code via a long group argument.
Proposed (20020502)
ACCEPT(2) Cole, Armstrong | MODIFY(1) Frech | NOOP(3) Wall, Foat, Cox
Frech> XF:webnews-cgi-group-bo(8220)
CAN-2002-0307
U
Directory traversal vulnerability in ans.pl in Avenger's News System (ANS) 2.11 and earlier allows remote attackers to determine the existence of arbitrary files or execute any Perl program on the system via a .. (dot dot) in the p parameter, which reads
Proposed (20020502)
Frech> XF:ans-plugin-execute-commands(8256)
CAN-2002-0306
U
ans.pl in Avenger's News System (ANS) 2.11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the p (plugin) parameter.
Proposed (20020502)
Frech> XF:ans-plugin-execute-commands(8256)
CAN-2002-0068
U
Squid 2.4 STABLE3 and earlier allows remote attackers to cause a denial of service (core dump) and possibly execute arbitrary code with a malformed ftp:// URL.
Modified (20020817-01)
BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101431040422095&w=2 | CONFIRM:http://www.squid-cache.org/Versions/v2/2.4/bugs/ | BUGTRAQ:20020222 Squid buffer overflow | URL
ACCEPT(4) Wall, Cole, Ziese, Green | MODIFY(2) Cox, Jones | NOOP(2) Foat, Christey
Christey> BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101431040422095&w=2 | Christey> BUGTRAQ:20020222 TSLSA-2002-0031 - squid | URL:http://marc.theaimsgroup.com/?l=bugtra
CAN-2002-0067
U
Squid 2.4 STABLE3 and earlier does not properly disable HTCP, even when "htcp_port 0" is specified in squid.conf, which could allow remote attackers to bypass intended access restrictions.
Modified (20020817-01)
BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101431040422095&w=2 | CONFIRM:http://www.squid-cache.org/Versions/v2/2.4/bugs/ | REDHAT:RHSA-2002:029 | URL:http://www.redhat
ACCEPT(4) Wall, Cole, Ziese, Green | MODIFY(2) Cox, Jones | NOOP(2) Foat, Christey
Christey> BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101431040422095&w=2 | Christey> BUGTRAQ:20020222 TSLSA-2002-0031 - squid | URL:http://marc.theaimsgroup.com/?l=bugtra
CAN-2002-0332
U
Buffer overflows in xtell (xtelld) 1.91.1 and earlier, and 2.x before 2.7, allow remote attackers to execute arbitrary code via (1) a long DNS hostname that is determined using reverse DNS lookups, (2) a long AUTH string, or (3) certain data in the xtell
Modified (20020817-01)
ACCEPT(3) Baker, Cole, Frech | NOOP(4) Christey, Wall, Foat, Cox
Christey> DELREF XF:xtell-tty-directory-traversal(8313) | ADDREF XF:xtell-bo(8312)
CAN-2002-0333
U
Directory traversal vulnerability in xtell (xtelld) 1.91.1 and earlier, and 2.x before 2.7, allows remote attackers to read files with short names, and local users to read more files using a symlink with a short name, via a .. in the TTY argument.
Proposed (20020502)
ACCEPT(3) Baker, Cole, Frech | NOOP(3) Wall, Foat, Cox
CAN-2002-0334
U
xtell (xtelld) 1.91.1 and earlier, and 2.x before 2.7, allows local users to modify files via a symlink attack on the .xtell-log file.
Proposed (20020502)
ACCEPT(3) Baker, Cole, Frech | NOOP(3) Wall, Foat, Cox
CAN-2002-0170
U
Zope 2.2.0 through 2.5.1 does not properly verify the access for objects with proxy roles, which could allow some users to access documents in violation of the intended configuration.
Proposed (20020502)
ACCEPT(4) Cole, Armstrong, Cox, Green | MODIFY(1) Frech | NOOP(2) Wall, Foat
Frech> XF:zope-proxy-role-privileges(8334)
CAN-2002-0414
U
KAME-derived implementations of IPsec on NetBSD 1.5.2, FreeBSD 4.5, and other operating systems, do not properly consult the Security Policy Database (SPD), which could cause a Security Gateway (SG) that does not use Encapsulating Security Payload (ESP)
Proposed (20020611)
ACCEPT(4) Baker, Cole, Frech, Alderson | NOOP(3) Wall, Foat, Cox
CAN-2002-0418
U
Proposed (20020611)
CAN-2002-0417
U
Directory traversal vulnerability in Endymion MailMan before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) and a null character in the ALTERNATE_TEMPLATES parameter for various mmstdo*.cgi programs.
Proposed (20020611)
CAN-2002-0423
U
Buffer overflow in efingerd 1.5 and earlier, and possibly up to 1.61, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a finger request from an IP address with a long hostname that is obtained via a reverse DNS
Proposed (20020611)
CAN-2002-0424
U
efingerd 1.61 and earlier, when configured without the -u option, executes .efingerd files as the efingerd user (typically "nobody"), which allows local users to gain privileges as the efingerd user by modifying their own .efingerd file and running finger
Proposed (20020611)
CAN-2002-0429
U
The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall).
Proposed (20020611)
ACCEPT(4) Baker, Cole, Cox, Alderson | MODIFY(1) Frech | NOOP(2) Wall, Foat
Frech> XF:linux-ibcs-lcall-process(8420) | CHANGE> [Cox changed vote from REVIEWING to ACCEPT] | Cox> Addref: RHSA-2002:158
CAN-2002-0431
U
XTux allows remote attackers to cause a denial of service (CPU consumption) via random inputs in the initial connection.
Proposed (20020611)
CAN-2002-0469
U
Ecartis (formerly Listar) 1.0.0 in snapshot 20020125 and earlier does not properly drop privileges when Ecartis is installed setuid-root, "lock-to-user" is not set, and ecartis is called by certain MTAs, which could allow local users to gain privileges.
Proposed (20020611)
CAN-2002-0467
U
Buffer overflows in Ecartis (formerly Listar) 1.0.0 before snapshot 20020125 allow remote attackers to execute arbitrary code via (1) address_match() of mystring.c or (2) other functions in tolist.c.
Proposed (20020611)
CAN-2002-0435
U
Race condition in the recursive (1) directory deletion and (2) directory move in GNU File Utilities (fileutils) 4.1 and earlier allows local users to delete directories as the user running fileutils by moving a low-level directory to a higher level as it
Modified (20020817-01)
ACCEPT(4) Green, Baker, Foat, Cole | NOOP(2) Christey, Wall | REVIEWING(1) Cox
Christey> MANDRAKE:MDKSA-2002:032
CAN-2002-0436
U
sscd_suncourier.pl CGI script in the Sun Sunsolve CD pack allows remote attackers to execute arbitrary commands via shell metacharacters in the email address parameter.
Proposed (20020611)
CAN-2002-0445
U
article.php in PHP FirstPost 0.1 allows remote attackers to obtain the full pathname of the server via an invalid post number in the post parameter, which leaks the pathname in an error message.
Proposed (20020611)
CAN-2002-0446
U
categorie.php3 in Black Tie Project (BTP) 0.4b through 0.5b allows remote attackers to determine the absolute path of the web server via an invalid category ID (cid) parameter, which leaks the pathname in an error message.
Proposed (20020611)
ACCEPT(1) Cole | NOOP(3) Wall, Foat, Cox | REVIEWING(1) Green
CAN-2002-0454
U
Qpopper (aka in.qpopper or popper) 4.0.3 and earlier allows remote attackers to cause a denial of service (CPU consumption) via a very large string, which causes an infinite loop.
Proposed (20020611)
Christey> CALDERA:CSSA-2002-SCO.20
Cross-site scripting vulnerability in Board-TNK 1.3.1 and earlier allows remote attackers to execute arbitrary Javascript via the WEB parameter.
Proposed (20020611)
CAN-2002-0458
U
Cross-site scripting vulnerability in News-TNK 1.2.1 and earlier allows remote attackers to execute arbitrary Javascript via the WEB parameter.
Proposed (20020611)
CAN-2002-0462
U
bigsam_guestbook.php for Big Sam (Built-In Guestbook Stand-Alone Module) 1.1.08 and earlier allows remote attackers to cause a denial of service (CPU consumption) or obtain the absolute path of the web server via an error message when PHP safe_mode is ena
Proposed (20020611)
CAN-2002-0471
U
PHPNetToolpack 0.1 allows remote attackers to execute arbitrary code via shell metacharacters in the a_query variable.
Proposed (20020611)
CAN-2002-0470
U
PHPNetToolpack 0.1 relies on its environment's PATH to find and execute the traceroute program, which could allow local users to gain privileges by inserting a Trojan horse program into the search path.
Proposed (20020611)
CAN-2002-0510
U
The UDP implementation in Linux 2.4.x kernels keeps the IP Identification field at 0 for all non-fragmented packets, which could allow remote attackers to determine that a target system is running Linux.
Proposed (20020611)
ACCEPT(2) Green, Foat | NOOP(3) Wall, Cole, Cox
CHANGE> [Cox changed vote from REVIEWING to NOOP] | Cox> So I asked some kernel guys about this - it's not considered | an issue. There are several other ways to identify Linux on | the wire and people who care about this kind of thing rewr
CAN-2002-0488
U
Linux Directory Penguin traceroute.pl CGI script 1.0 allows remote attackers to execute arbitrary code via shell metacharacters in the host parameter.
Proposed (20020611)
CAN-2002-0061
U
Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows remote attackers to execute arbitrary commands via shell metacharacters (a | pipe character) provided as arguments to batch (.bat) or .cmd scripts, which are sent unfiltered to the shell
Proposed (20020611)
ACCEPT(5) Wall, Baker, Foat, Cole, Green | MODIFY(1) Cox | NOOP(1) Christey
Christey> Consider adding BID:4335 | Christey> XF:apache-dos-batch-command-execution(8589) | URL:http://www.iss.net/security_center/static/8589.php | Cox> ADDREF: http://www.apacheweek.com/issues/02-03-29#apache1324
CAN-2002-0489
U
Linux Directory Penguin NsLookup CGI script (nslookup.pl) 1.0 allows remote attackers to execute arbitrary code via shell metacharacters in the (1) query or (2) type parameters.
Proposed (20020611)
ACCEPT(1) Foat | NOOP(4) Green, Wall, Cole, Cox
CAN-2002-0499
U
The d_path function in Linux kernel 2.2.20 and earlier, and 2.4.18 and earlier, truncates long pathnames without generating an error, which could allow local users to force programs to perform inappropriate operations on the wrong directories.
Proposed (20020611)
ACCEPT(3) Foat, Cole, Frech | NOOP(3) Wall, Armstrong, Cox | REVIEWING(1) Christey
CHANGE> [Cox changed vote from REVIEWING to ACCEPT] | CHANGE> [Cox changed vote from ACCEPT to NOOP] | Christey> Need to investigate this more... is it the responsibility | of the kernel to address this, or the application | programmer?
CAN-2002-0162
U
LogWatch before 2.5 allows local users to execute arbitrary code via a symlink attack on the logwatch temporary directory.
Modified (20020817-01)
ACCEPT(4) Cole, Armstrong, Cox, Green | MODIFY(1) Frech | NOOP(3) Christey, Wall, Foat
Christey> Modify the desc: it's temporary *directory* creation. | | XF:logwatch-tmp-race-condition(8652) | URL:http://www.iss.net/security_center/static/8652.php | BID:4374 | URL:http://online.securityfocus.com/bid/4374 | Fre
CAN-2002-0382
U
XChat IRC client allows remote attackers to execute arbitrary commands via a /dns command on a host whose DNS reverse lookup contains shell metacharacters.
Modified (20020817-01)
ACCEPT(3) Baker, Armstrong, Frech | MODIFY(2) Foat, Cox | NOOP(3) Christey, Wall, Cole
Cox> Xchat should be XChat | Foat> Agree with Cox modification | Christey> MANDRAKE:MDKSA-2002:051 | Christey> CONECTIVA:CLA-2002:526
CAN-2002-0177
U
Buffer overflows in icecast 1.3.11 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request from an MP3 client.
Proposed (20020502)
ACCEPT(3) Cole, Cox, Green | MODIFY(1) Frech | NOOP(4) Christey, Wall, Foat, Armstrong
Christey> CALDERA:CSSA-2002-020.0 | Christey> Change "allows" to "allow," and add "as exploited through the | client_login function" (to facilitate matching). | REDHAT:RHSA-2002:063 | Frech> XF:icecast-clientlogin-bo(8741)
CAN-2002-0158
U
Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.
Modified (20020616-01)
ACCEPT(4) Baker, Foat, Armstrong, Green | MODIFY(1) Frech | NOOP(3) Christey, Cole, Cox | REVIEWING(1) Wall
Green> The documentation of this vulnerability is compelling | Christey> CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F108652 | the description for patch 108652-52, bug 4661987, | explicitly references CAN-2002-0158. |
CAN-2002-0531
U
Directory traversal vulnerability in emumail.cgi in EMU Webmail 4.5.x and 5.1.0 allows remote attackers to read arbitrary files or list arbitrary directories via a .. (dot dot) in the type parameter.
Proposed (20020611)
CAN-2002-0165
U
LogWatch 2.5 allows local users to gain root privileges via a symlink attack, a different vulnerability than CAN-2002-0162.
Modified (20020817-01)
ACCEPT(4) Cole, Armstrong, Cox, Green | MODIFY(1) Frech | NOOP(3) Christey, Wall, Foat
Christey> XF:logwatch-tmp-race-condition(8652) | URL:http://www.iss.net/security_center/static/8652.php | CONFIRM:http://list.kaybee.org/archives/logwatch-announce/2002-March/000003.html | (notice how this is a different announcement than
CAN-2002-0536
U
PHPGroupware 0.9.12 and earlier, when running with the magic_quotes_gpc feature disabled, allows remote attackers to compromise the database via a SQL injection attack.
Proposed (20020611)
CAN-2002-0181
U
Cross-site scripting vulnerability in status.php3 for IMP 2.2.8 and HORDE 1.2.7 allows remote attackers to execute arbitrary web script and steal cookies of other IMP/HORDE users via the script parameter.
Modified (20020817-01)
ACCEPT(3) Cole, Armstrong, Green | MODIFY(2) Frech, Cox | NOOP(3) Christey, Wall, Foat
Cox> "execute script" sounds like local execution - it's just cross | site scripting | Christey> Try this desc: "Cross-site scripting vulnerability in | status.php3 for IMP 2.2.8 and HORDE 1.2.7 allows remote attackers to | execute arbi
CAN-2002-0558
U
Directory traversal vulnerability in TYPSoft FTP server 0.97.1 and earlier allows a remote authenticated user (possibly anonymous) to list arbitrary directories via a .. in a LIST (ls) command ending in wildcard *.* characters.
Proposed (20020611)
CAN-2002-0532
U
EMU Webmail allows local users to execute arbitrary programs via a .. (dot dot) in the HTTP Host header that points to a Trojan horse configuration file that contains a pageroot specifier that contains shell metacharacters.
Proposed (20020611)
CAN-2002-0542
U
mail in OpenBSD 2.9 and 3.0 processes a tilde (~) escape character in a message even when it is not in interactive mode, which could allow local users to gain root privileges via calls to mail in cron.
Proposed (20020611)
ACCEPT(3) Baker, Cole, Frech | NOOP(3) Wall, Foat, Cox
CAN-2002-0180
U
Buffer overflow in Webalizer 2.01-06, when configured to use reverse DNS lookups, allows remote attackers to execute arbitrary code by connecting to the monitored web server from an IP address that resolves to a long hostname.
Proposed (20020502)
BUGTRAQ:20020415 Remote buffer overflow in Webalizer | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101888467527673&w=2 | CONFIRM:http://www.mrunix.net/webalizer/news.html
ACCEPT(4) Baker, Cole, Cox, Green | MODIFY(2) Frech, Jones | NOOP(4) Christey, Wall, Foat, Armstrong
Cox> According to the author of Webalizer the issue is not remotely | exploitable, but this hasn't been confirmed by us yet. Needs | investigation. | | http://www.mrunix.net/webalizer/news.html | CHANGE> [Cox changed vote from MO
CAN-2002-0571
U
Oracle Oracle9i database server 9.0.1.x allows local users to access restricted data via a SQL query using ANSI outer join syntax.
Proposed (20020611)
ACCEPT(4) Wall, Baker, Cole, Frech | NOOP(2) Foat, Cox
CAN-2002-0737
U
Sambar web server before 5.2 beta 1 allows remote attackers to obtain source code of server-side scripts, or cause a denial of service (resource exhaustion) via DOS devices, using a URL that ends with a space and a null character.
Proposed (20020726)
ACCEPT(3) Baker, Cole, Armstrong | NOOP(3) Cox, Wall, Foat
CAN-2002-0389
U
Pipermail in Mailman stores private mail messages with predictable filenames in a world-executable directory, which allows local users to read private mailing list archives
Proposed (20020611)
ACCEPT(2) Baker, Cox | MODIFY(1) Frech | NOOP(4) Christey, Wall, Foat, Cole
Frech> XF:pipermail-view-archives(8874) | Christey> Add period to the end of the description.
CAN-2002-0752
U
CGIscript.net csMailto.cgi program exports feedback to a file that is accessible from the web document root, which could allow remote attackers to obtain sensitive information by directly accessing the file.
Proposed (20020726)
CAN-2002-0750
U
Proposed (20020726)
CAN-2002-0751
U
CGIscript.net csMailto.cgi program allows remote attackers to use csMailto as a "spam proxy" and send mail to arbitrary users via modified (1) form-to, (2) form-from, and (3) form-results parameters.
Proposed (20020726)
CAN-2002-0749
U
Proposed (20020726)
CAN-2002-0572
U
FreeBSD 4.5 and earlier, and possibly other BSA-based operating systems, allows local users to write to or read from restricted files by closing the file descriptors 0 (standard input), 1 (standard output), or 2 (standard error), which may then be reused
Modified (20020817-01)
ACCEPT(2) Baker, Cole | MODIFY(1) Frech | NOOP(4) Christey, Wall, Foat, Cox
Frech> XF:bsd-suid-apps-gain-privileges(8920) | Christey> BSA? Nope. BSD. | Take a closer look at XF:bsd-suid-apps-gain-privileges(8920), | which also references CAN-2002-0820.
CAN-2002-0600
U
Heap overflow in the KTH Kerberos 4 FTP client 4-1.1.1 allows remote malicious servers to execute arbitrary code on the client via a long response to a passive (PASV) mode request.
Proposed (20020611)
ACCEPT(1) Frech | NOOP(4) Wall, Foat, Cole, Cox
CAN-2002-0184
U
Heap overflow in sudo before 1.6.6 may allow local users to gain root privileges via special characters in the -p (prompt) argument, which are not properly expanded.
Modified (20020817-01)
ACCEPT(6) Wall, Foat, Cole, Armstrong, Cox, Green | MODIFY(1) Frech | NOOP(1) Christey
Christey> BUGTRAQ:20020429 TSLSA-2002-0046 - sudo | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102010164413135&w=2 | SUSE:SuSE-SA:2002:014 | Frech> XF:sudo-password-expansion-overflow(8936)
CAN-2002-0614
U
PHP-Survey 20000615 and earlier stores the global.inc file under the web root, which allows remote attackers to obtain sensitive information, including database credentials, if .inc files are not preprocessed by the server.
Proposed (20020611)
CAN-2002-0575
U
Buffer overflow in OpenSSH before 2.9.9, and 3.x before 3.2.1, with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing enabled, allows remote and local authenticated users to gain privileges.
Proposed (20020611)
Christey> BUGTRAQ:20020419 OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow | URL:http://online.securityfocus.com/archive/1/268718 | VULN-DEV:20020419 OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer
CAN-2002-0468
U
Buffer overflows in Ecartis (formerly Listar) 1.0.0 in snapshot 20020427 and earlier allow local users to gain privileges via (1) a long command line argument, which is not properly handled in core.c, or possibly via bad uses of sprintf() in (2) moderate.
Proposed (20020611)
ACCEPT(3) Green, Baker, Cole | NOOP(3) Wall, Foat, Cox
CAN-2002-0613
U
dnstools.php for DNSTools 2.0 beta 4 and earlier allows remote attackers to bypass authentication and gain privileges by setting the user_logged_in or user_dnstools_administrator parameters.
Proposed (20020611)
CAN-2002-0573
U
Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be
Proposed (20020611)
ACCEPT(4) Baker, Foat, Cole, Frech | NOOP(2) Wall, Cox
CAN-2002-0354
U
The XMLHttpRequest object (XMLHTTP) in Netscape 6.1 and Mozilla 0.9.7 allows remote attackers to read arbitrary files and list directories on a client system by opening a URL that redirects the browser to the file on the client, then reading the result us
Proposed (20020502)
BUGTRAQ:20020430 Reading local files in Netscape 6 and Mozilla (GM#001-NS) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102017952204097&w=2 | NTBUGTRAQ:20020430 Reading local files in Netscape 6 and Mozilla (GM#001-NS) | URL:http://marc.the
ACCEPT(3) Wall, Cole, Green | MODIFY(2) Frech, Cox | NOOP(3) Christey, Foat, Armstrong
CHANGE> [Cox changed vote from ACCEPT to MODIFY] | Cox> Mozilla 0.9.9 is also vulnerable | ADDREF: http://bugzilla.mozilla.org/show_bug.cgi?id=141061 | Christey> REDHAT:RHSA-2002:079 | Christey> BUGTRAQ:20020502 Fix for Mozilla XMLHttpReque
CAN-2002-0157
U
Nautilus 1.0.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on the .nautilus-metafile.xml metadata file.
Proposed (20020611)
ACCEPT(5) Wall, Baker, Cole, Armstrong, Cox | MODIFY(1) Frech | NOOP(1) Foat
Frech> XF:nautilus-metafile-xml-symlink(8995)
CAN-2002-0033
U
Heap overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name.
Proposed (20020611)
ACCEPT(5) Wall, Baker, Foat, Cole, Armstrong | MODIFY(1) Frech | NOOP(2) Cox, Christey
Christey> Note: this is a different vulnerability than CAN-2002-0084. | However, if there are different patches for the 2 issues, then | they may need to be merged per CD:SF-LOC. | Frech> XF:solaris-cachefsd-name-bo(8999)
CAN-2002-0374
U
Format string vulnerability in the logging function for the pam_ldap PAM LDAP module before version 144 allows attackers to execute arbitrary code via format strings in the configuration file name.
Modified (20020817-01)
ACCEPT(5) Wall, Baker, Cole, Armstrong, Cox | MODIFY(1) Frech | NOOP(2) Christey, Foat
Christey> XF:pamldap-config-format-string(9018) | URL:http://www.iss.net/security_center/static/9018.php | BID:4679 | URL:http://online.securityfocus.com/bid/4679 | Frech> XF:pamldap-config-format-string(9018) | Christey> REDHAT:RHSA
Proposed (20020726)
ACCEPT(5) Cox, Wall, Baker, Cole, Armstrong | NOOP(1) Foat
CAN-2002-0702
U
Format string vulnerabilities in the logging routines for dynamic DNS code (print.c) of ISC DHCP daemon (DHCPD) 3 to 3.0.1rc8, with the NSUPDATE option enabled, allow remote malicious DNS servers to execute arbitrary code via format strings in a DNS serve
Proposed (20020726)
CAN-2002-0757
U
(1) Webmin 0.96 and (2) Usermin 0.90 with password timeouts enabled allow local and possibly remote attackers to bypass authentication and gain privileges via certain control characters in the authentication information, which can force Webmin or Usermin
Proposed (20020726)
Christey> This *might* be vendor acknowledgement: | URL:http://www.geocrawler.com/lists/3/SourceForge/12082/0/8595354/ | | However, the person who's credited by the vendor found *TWO* | authentication-related vulnerabilities at about
CAN-2002-0379
U
Buffer overflow in University of Washington imap server (uw-imapd) imap-2001 (imapd 2001.315) and imap-2001a (imapd 2001.315) with legacy RFC 1730 support, and imapd 2000.287 and earlier, allows remote authenticated users to execute arbitrary code via a l
Modified (20020817-01)
ACCEPT(5) Wall, Baker, Cole, Armstrong, Cox | MODIFY(1) Frech | NOOP(2) Christey, Foat
Christey> Add "long BODY request" to desc. | CONECTIVA:CLA-2002:487 | URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000487 | HP:HPSBTL0205-043 | URL:http://online.securityfocus.com/advisories/4167 | CALDERA:CSSA-2002
CAN-2002-0377
U
Gaim 0.57 stores sensitive information in world-readable and group-writable files in the /tmp directory, which allows local users to access MSN web email accounts of other users who run Gaim by reading authentication information from the files.
Proposed (20020611)
ACCEPT(4) Baker, Cole, Armstrong, Cox | MODIFY(1) Frech | NOOP(3) Christey, Wall, Foat
Christey> VULN-DEV:20020511 Gaim abritary Email Reading | URL:http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0584.html | Frech> XF:gaim-email-access(9061) | Christey> XF:gaim-email-access(9061) | URL:http://www.iss.net/security_c
CAN-2002-0884
U
Multiple format string vulnerabilities in in.rarpd (ARP server) on Solaris, Caldera UnixWare and Open UNIX, and possibly other operating systems, allow remote attackers to execute arbitrary code via format strings that are not properly handled in the fun
Proposed (20020830)
ACCEPT(5) Cole, Armstrong, Frech, Alderson, Baker | MODIFY(1) Jones | NOOP(3) Cox, Christey, Foat
Jones> Suggest description: "...allows remote attackers to execute | arbitrary code via the functions (1) syserr and | (2) error." | Christey> Correction: this is a RARP (Reverse Address Resolution | Protocol) server. | | A c
CAN-2002-0885
U
Multiple buffer overflows in in.rarpd (ARP server) on Solaris, and possibly other operating systems including Caldera UnixWare and Open UNIX, allow remote attackers to execute arbitrary code, possibly via the functions (1) syserr and (2) error.
Proposed (20020830)
ACCEPT(3) Cole, Frech, Baker | MODIFY(1) Alderson | NOOP(5) Armstrong, Cox, Jones, Christey, Foat
Jones> Need clarification/verification. | Alderson> Personally, since this one is not only vague, but extremely vague | and not even confirmed, I believe it should be lumped with the previous one | that has been confirmed and is much less va
CAN-2002-0910
U
Buffer overflows in the netstd 3.07-17 package allow remote DNS servers to execute arbitrary code via a long FQDN reply, as observed in the utilities (1) linux-ftpd, (2) pcnfsd, (3) tftp, (4) traceroute, or (5) from/to.
Proposed (20020830)
ACCEPT(2) Foat, Frech | NOOP(5) Cole, Armstrong, Cox, Alderson, Jones
CAN-2002-0765
U
sshd in OpenSSH 3.2.2, when using YP with netgroups and under certain conditions, may allow users to successfully authenticate and log in with another user's password.
Proposed (20020726)
ACCEPT(4) Baker, Foat, Cole, Armstrong | NOOP(2) Cox, Wall
CAN-2002-0915
U
autorun in Xandros based Linux distributions allows local users to read the first line of arbitrary files via the -c parameter, which causes autorun to print the first line of the file.
Proposed (20020830)
CAN-2002-0401
U
SMB dissector in Ethereal 0.9.3 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via malformed packets that cause Ethereal to dereference a NULL pointer.
Modified (20020817-01)
ACCEPT(4) Baker, Foat, Cole, Armstrong | MODIFY(2) Frech, Cox | NOOP(2) Christey, Wall
Cox> ADDREF: RHSA-2002:088 | Christey> Fix version: 0.9.3 is also affected (thanks to Mark Cox for | noticing this) | Christey> XF:ethereal-smb-dissector-dos(9204) | URL:http://www.iss.net/security_center/static/9204.php | CONECTIVA:
CAN-2002-0808
U
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, when performing a mass change, sets the groupset of all bugs to the groupset of the first bug, which could inadvertently cause insecure groupset permissions to be assigned to some bugs.
Proposed (20020830)
ACCEPT(3) Cole, Wall, Baker | MODIFY(1) Frech | NOOP(1) Foat
Frech> XF:bugzilla-masschange-change-groupset(9305)
CAN-2002-0811
U
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, may allow remote attackers to cause a denial of service or execute certain queries via a SQL injection attack on the sort order parameter to buglist.cgi.
Proposed (20020830)
ACCEPT(3) Cole, Wall, Baker | MODIFY(1) Frech | NOOP(1) Foat
Frech> XF:bugzilla-buglist-sql-injection(10144)
CAN-2002-0805
U
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, (1) creates new directories with world-writable permissions, and (2) creates the params file with world-writable permissions, which allows local users to modify the files and execute code.
Proposed (20020830)
ACCEPT(3) Cole, Wall, Baker | MODIFY(1) Frech | NOOP(1) Foat
Frech> XF:bugzilla-world-writable-dir(9302)
CAN-2002-0806
U
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows authenticated users with editing privileges to delete other users by directly calling the editusers.cgi script with the "del" option.
Proposed (20020830)
ACCEPT(3) Cole, Wall, Baker | MODIFY(1) Frech | NOOP(1) Foat
Frech> XF:bugzilla-edituser-user-delete(9303)
CAN-2002-0807
U
Cross-site scripting vulnerabilities in Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, could allow remote attackers to execute script as other Bugzilla users via the full name (real name) field, which is not properly quoted by editusers.cgi.
Proposed (20020830)
ACCEPT(3) Cole, Wall, Baker | MODIFY(1) Frech | NOOP(1) Foat
Frech> XF:bugzilla-real-name-xss(9304)
CAN-2002-0809
U
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, does not properly handle URL-encoded field names that are generated by some browsers, which could cause certain fields to appear to be unset, which has the effect of removing group permissions on bugs
Proposed (20020830)
ACCEPT(3) Cole, Wall, Baker | MODIFY(1) Frech | NOOP(1) Foat
Frech> XF: bugzilla-group-permissions-removal(10141)
CAN-2002-0810
U
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, directs error messages from the syncshadowdb command to the HTML output, which could leak sensitive information, including plaintext passwords, if syncshadowdb fails.
Proposed (20020830)
ACCEPT(3) Cole, Wall, Baker | MODIFY(1) Frech | NOOP(1) Foat
Frech> XF:bugzilla-shadow-database-information(9306)
CAN-2002-0803
U
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows remote attackers to display restricted products and components via a direct HTTP request to queryhelp.cgi.
Proposed (20020830)
ACCEPT(3) Cole, Wall, Baker | MODIFY(1) Frech | NOOP(1) Foat
Frech> XF:bugzilla-queryhelp-obtain-information(9300)
CAN-2002-0804
U
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, when configured to perform reverse DNS lookups, allows remote attackers to bypass IP restrictions by connecting from a system with a spoofed reverse DNS hostname.
Proposed (20020830)
ACCEPT(3) Cole, Wall, Baker | MODIFY(1) Frech | NOOP(1) Foat
Frech> XF:bugzilla-reversedns-hostname-spoof(9301)
CAN-2002-0925
U
Format string vulnerability in mmsyslog function allows remote attackers to execute arbitrary code via (1) the USER command to mmpop3d for mmmail 0.0.13 and earlier, (2) the HELO command to mmsmtpd for mmmail 0.0.13 and earlier, or (3) the USER command to
Proposed (20020830)
ACCEPT(2) Cole, Green | NOOP(3) Foat, Cox, Wall
CAN-2002-0767
U
simpleinit on Linux systems does not close a read/write FIFO file descriptor before creating a child process, which allows the child process to cause simpleinit to execute arbitrary programs with root privileges.
Proposed (20020726)
CAN-2002-0359
U
xfsmd for IRIX 6.5 through 6.5.16 uses weak authentication, which allows remote attackers to call dangerous RPC functions, including those that can mount or unmount xfs file systems, to gain root privileges.
Proposed (20020726)
ACCEPT(2) Baker, Cole | NOOP(4) Christey, Wall, Foat, Cox
Christey> XF:irix-xfsmd-bypass-authentication(9401) | URL:http://www.iss.net/security_center/static/9401.php | BID:5072 | URL:http://www.securityfocus.com/bid/5072
CAN-2002-0652
U
xfsmd for IRIX 6.5 through 6.5.16 allows remote attackers to execute arbitrary code via shell metacharacters that are not properly filtered from several calls to the popen() function, such as export_fs().
Proposed (20020726)
ACCEPT(1) Baker | NOOP(5) Christey, Wall, Foat, Cole, Cox
Christey> XF:irix-xfsmd-execute-commands(9402) | URL:http://www.iss.net/security_center/static/9402.php | BID:5075 | URL:http://www.securityfocus.com/bid/5075
CAN-2002-0991
U
Buffer overflows in the cifslogin command for HP CIFS/9000 Client A.01.06 and earlier, based on the Sharity package, allow local users to gain root privileges via long (1) -U, (2) -D, (3) -P, (4) -S, (5) -N, or (6) -u parameters.
Proposed (20020830)
CAN-2002-0651
U
Buffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers.
Modified (20020817-01)
ACCEPT(5) Wall, Baker, Foat, Cole, Cox | NOOP(1) Christey
Christey> There are actually 2 closely related issues, one in | gethostbyname/etc. responses related to dn_expand(), and | another in the getnetbyX functions. The getnetby* functions | apparently don't affect BIND 8.x, so they should get
CAN-2002-0640
U
Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (
Modified (20020817-01)
ACCEPT(3) Baker, Foat, Cole | MODIFY(1) Cox | NOOP(2) Christey, Wall
Cox> ADDREF:RHSA-2002:131 | Christey> CALDERA:CSSA-2002-030.0 | URL:ftp://ftp.calder