Weekly Vulnerabilities Reports > December 11 to 17, 2000

Overview

81 new vulnerabilities were reported during this period, including 22 critical vulnerabilities and 20 high severity vulnerabilities. This weekly summary reports vulnerabilities in 58 products from 43 vendors including HP, Netscape, Microsoft, Cisco, and Freebsd. Vulnerabilities are notably categorized as follows:

  • 65 reported vulnerabilities are remotely exploitable.
  • 81 reported vulnerabilities are exploitable by an anonymous user.
  • HP has the most reported vulnerabilities, with 8 reported vulnerabilities.
  • Netscape has the most reported critical vulnerabilities, with 3 reported vulnerabilities.


Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:

22 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2000-12-11 | CVE-2000-1077 | Iplanet | Unspecified vulnerability in Iplanet web Server 4.X | 10.0
    Buffer overflow in the SHTML logging functionality of iPlanet Web Server 4.x allows remote attackers to execute arbitrary commands via a long filename with a .shtml extension.
2000-12-11 | CVE-2000-1076 | Netscape, SUN | Netscape (iPlanet) Certificate Management System 4.2 and Directory Server 4.12 store the administrative password in plaintext, which could allow local and possibly remote attackers to gain administrative privileges on the server. | 10.0
2000-12-11 | CVE-2000-1074 | Netscape | Unspecified vulnerability in Netscape Iplanet Ical 2.1 | 10.0
    The csstart program in iCal 2.1 Patch 2 uses relative pathnames to install the libsocket and libnsl libraries, which could allow the icsuser account to gain root privileges by creating a Trojan horse library in the current or parent directory.
2000-12-11 | CVE-2000-1071 | Netscape | Unspecified vulnerability in Netscape Iplanet Ical 2.1 | 10.0
    The GUI installation for iCal 2.1 Patch 2 disables access control for the X server using an "xhost +" command, which allows remote attackers to monitor X Windows events and gain privileges.
2000-12-11 | CVE-2000-1068 | CGI World | Unspecified vulnerability in Cgi-World Poll IT and Poll IT PRO | 10.0
    pollit.cgi in Poll It 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the poll_options parameter.
2000-12-11 | CVE-2000-1055 | Cisco | Unspecified vulnerability in Cisco Secure Access Control Server 2.1/2.3(3)/2.4(2) | 10.0
    Buffer overflow in CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large TACACS+ packet.
2000-12-11 | CVE-2000-1054 | Cisco | Unspecified vulnerability in Cisco Secure Access Control Server 2.1/2.3(3)/2.4(2) | 10.0
    Buffer overflow in the CSAdmin module in CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large packet.
2000-12-11 | CVE-2000-1053 | Macromedia | Unspecified vulnerability in Macromedia Jrun 2.3.X | 10.0
    Allaire JRun 2.3.3 server allows remote attackers to compile and execute JSP code by inserting it via a cross-site scripting (CSS) attack and directly calling the com.livesoftware.jrun.plugins.JSP JSP servlet.
2000-12-11 | CVE-2000-1047 | Lotus | Unspecified vulnerability in Lotus Domino Enterprise Server and Domino Mail Server | 10.0
    Buffer overflow in the SMTP service of Lotus Domino 5.0.4 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long ENVID keyword in the "MAIL FROM" command.
2000-12-11 | CVE-2000-1046 | Lotus | Unspecified vulnerability in Lotus Domino 5.0.2A/5.0.2C | 10.0
    Multiple buffer overflows in the ESMTP service of Lotus Domino 5.0.2c and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via long (1) "RCPT TO," (2) "SAML FROM," or (3) "SOML FROM" commands.
2000-12-11 | CVE-2000-1044 | Suse | Unspecified vulnerability in Suse Linux | 10.0
    Format string vulnerability in ypbind-mt in SuSE 6.2, and possibly other Linux operating systems, allows an attacker to gain root privileges.
2000-12-11 | CVE-2000-1043 | Mandrakesoft | Unspecified vulnerability in Mandrakesoft Mandrake Linux 6.1/7.0/7.1 | 10.0
    Format string vulnerability in ypserv in Mandrake Linux 7.1 and earlier, and possibly other Linux operating systems, allows an attacker to gain root privileges when ypserv is built without a vsyslog() function.
2000-12-11 | CVE-2000-1042 | Mandrakesoft | Unspecified vulnerability in Mandrakesoft Mandrake Linux 6.1/7.0/7.1 | 10.0
    Buffer overflow in ypserv in Mandrake Linux 7.1 and earlier, and possibly other Linux operating systems, allows an attacker to gain root privileges when ypserv is built without a vsyslog() function.
2000-12-11 | CVE-2000-1041 | Swen Thuemmler | Unspecified vulnerability in Swen Thuemmler Ypbind 3.3 | 10.0
    Buffer overflow in ypbind 3.3 possibly allows an attacker to gain root privileges.
2000-12-11 | CVE-2000-1040 | Suse | Unspecified vulnerability in Suse Linux | 10.0
    Format string vulnerability in the logging function of ypbind 3.3, while running in debug mode, leaks file descriptors and allows an attacker to cause a denial of service.
2000-12-11 | CVE-2000-1035 | Typsoft | Remote DoS vulnerability in Typsoft 0.7X | 10.0
    Buffer overflows in TYPSoft FTP Server 0.78 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary commands via a long USER, PASS, or CWD command.
2000-12-11 | CVE-2000-1034 | Microsoft | Unspecified vulnerability in Microsoft Windows 2000 | 10.0
    Buffer overflow in the System Monitor ActiveX control in Windows 2000 allows remote attackers to execute arbitrary commands via a long LogFileName parameter in HTML source code, aka the "ActiveX Parameter Validation" vulnerability.
2000-12-11 | CVE-2000-1029 | ISC | Remote Buffer Overflow vulnerability in ISC Bind 8.1 | 10.0
    Buffer overflow in the host command allows a remote attacker to execute arbitrary commands via a long response to an AXFR query.
2000-12-11 | CVE-2000-1026 | LBL | Unspecified vulnerability in LBL Tcpdump | 10.0
    Multiple buffer overflows in LBNL tcpdump allow remote attackers to execute arbitrary commands.
2000-12-11 | CVE-2000-1024 | Unify | Unspecified vulnerability in Unify Ewave Servletexec 3.0C | 10.0
    eWave ServletExec 3.0C and earlier does not restrict access to the UploadServlet Java/JSP servlet, which allows remote attackers to upload files and execute arbitrary commands.
2000-12-11 | CVE-2000-1010 | Openbsd, Redhat | Format string vulnerability in talkd in OpenBSD and possibly other BSD-based OSes allows remote attackers to execute arbitrary commands via a user name that contains format characters. | 10.0
2000-12-11 | CVE-2000-0999 | Openbsd | Unspecified vulnerability in Openbsd Openssh 4.5 | 10.0
    Format string vulnerabilities in the OpenBSD ssh program (and possibly other BSD-based operating systems) allow attackers to gain root privileges.

20 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2000-12-16 | CVE-2000-1211 | Zope | Unspecified vulnerability in Zope | 7.5
    Zope 2.2.0 through 2.2.4 does not properly perform security registration for legacy names of object constructors such as DTML method objects, which could allow attackers to perform unauthorized activities.
2000-12-11 | CVE-2000-1056 | Cisco | Unspecified vulnerability in Cisco Secure Access Control Server 2.1/2.3(3)/2.4(2) | 7.5
    CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to bypass LDAP authentication on the server if the LDAP server allows null passwords.
2000-12-11 | CVE-2000-1037 | Checkpoint | Unspecified vulnerability in Checkpoint Firewall-1 3.0/4.0/4.1 | 7.5
    Check Point Firewall-1 session agent 3.0 through 4.1 generates different error messages for invalid user names versus invalid passwords, which allows remote attackers to determine valid usernames and guess a password via a brute force attack.
2000-12-11 | CVE-2000-1033 | CAT Soft | Unspecified vulnerability in CAT Soft Serv-U 2.5X | 7.5
    Serv-U FTP Server allows remote attackers to bypass its anti-hammering feature by first logging on as a valid user (possibly anonymous) and then attempting to guess the passwords of other users.
2000-12-11 | CVE-2000-1023 | Alabanza | Unspecified vulnerability in Alabanza Control Panel | 7.5
    The Alabanza Control Panel does not require passwords to access administrative commands, which allows remote attackers to modify domain name information via the nsManager.cgi CGI program.
2000-12-11 | CVE-2000-1022 | Cisco | Unspecified vulnerability in Cisco PIX Firewall Software | 7.5
    The mailguard feature in Cisco Secure PIX Firewall 5.2(2) and earlier does not properly restrict access to SMTP commands, which allows remote attackers to execute restricted commands by sending a DATA command before sending the restricted commands.
2000-12-11 | CVE-2000-1021 | ALT N | Unspecified vulnerability in Alt-N Mdaemon 3.1.1 | 7.5
    Heap overflow in WebConfig in Mdaemon 3.1.1 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long URL.
2000-12-11 | CVE-2000-1020 | ALT N | Unspecified vulnerability in Alt-N Mdaemon 3.1.1 | 7.5
    Heap overflow in Worldclient in Mdaemon 3.1.1 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long URL.
2000-12-11 | CVE-2000-1015 | Open Source Development Network | Unspecified vulnerability in Open Source Development Network Slashcode | 7.5
    The default configuration of Slashcode before version 2.0 Alpha has a default administrative password, which allows remote attackers to gain Slashcode privileges and possibly execute arbitrary commands.
2000-12-11 | CVE-2000-1014 | SCO | Unspecified vulnerability in SCO Unixware 7.0 | 7.5
    Format string vulnerability in the search97.cgi CGI script in the SCO help http server for Unixware 7 allows remote attackers to execute arbitrary commands via format characters in the queryText parameter.
2000-12-11 | CVE-2000-1001 | Element N V | Unspecified vulnerability in Element N.V Element Instantshop 1.0 | 7.5
    add_2_basket.asp in Element InstantShop allows remote attackers to modify price information via the "price" hidden form variable.
2000-12-11 | CVE-2000-1073 | Netscape | Unspecified vulnerability in Netscape Iplanet Ical 2.1 | 7.2
    The csstart program in iCal 2.1 Patch 2 searches for the cshttpd program in the current working directory, which allows local users to gain root privileges by creating a Trojan horse cshttpd program in a directory and calling csstart from that directory.
2000-12-11 | CVE-2000-1072 | Netscape | Unspecified vulnerability in Netscape Iplanet Ical 2.1 | 7.2
    iCal 2.1 Patch 2 installs many files with world-writeable permissions, which allows local users to modify the iCal configuration and execute arbitrary commands by replacing the iplncal.sh program with a Trojan horse.
2000-12-11 | CVE-2000-1059 | Mandrakesoft | Unspecified vulnerability in Mandrakesoft Mandrake Linux 7.0/7.1 | 7.2
    The default configuration of the Xsession file in Mandrake Linux 7.1 and 7.0 bypasses the Xauthority access control mechanism with an "xhost + localhost" command, which allows local users to sniff X Windows events and gain privileges.
2000-12-11 | CVE-2000-1028 | HP | Buffer Overflow vulnerability in HP HP-UX cu | 7.2
    Buffer overflow in the cu program in HP-UX 11.0 may allow local users to gain privileges via a long -l command line argument.
2000-12-11 | CVE-2000-1013 | Freebsd | Unspecified vulnerability in Freebsd | 7.2
    The setlocale function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to read arbitrary files via the LANG environment variable.
2000-12-11 | CVE-2000-1012 | Freebsd | Unspecified vulnerability in Freebsd | 7.2
    The catopen function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to read arbitrary files via the LANG environment variable.
2000-12-11 | CVE-2000-1011 | Freebsd | Unspecified vulnerability in Freebsd | 7.2
    Buffer overflow in the catopen() function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to gain root privileges via a long environment variable.
2000-12-11 | CVE-2000-1009 | Redhat, Trustix | dump in Red Hat Linux 6.2 trusts the pathname specified by the RSH environment variable, which allows local users to obtain root privileges by modifying the RSH variable to point to a Trojan horse program. | 7.2
2000-12-11 | CVE-2000-0998 | Freebsd | Unspecified vulnerability in Freebsd | 7.2
    Format string vulnerability in the top program allows local attackers to gain root privileges via the "kill" or "renice" function.

36 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2000-12-11 | CVE-2000-1069 | CGI World | Unspecified vulnerability in Cgi-World Poll IT and Poll IT PRO | 6.4
    pollit.cgi in Poll It 2.01 and earlier allows remote attackers to access administrative functions without knowing the real password by specifying the same value to the entered_password and admin_password parameters.
2000-12-11 | CVE-2000-1061 | Microsoft | Unspecified vulnerability in Microsoft IE 4.X/5.X | 5.1
    Microsoft Virtual Machine (VM) in Internet Explorer 4.x and 5.x allows an unsigned applet to create and use ActiveX controls, which allows a remote attacker to bypass Internet Explorer's security settings and execute arbitrary commands via a malicious web page or email, aka the "Microsoft VM ActiveX Component" vulnerability.
2000-12-14 | CVE-1999-1579 | Microsoft | Unspecified vulnerability in Microsoft Windows NT 4.0 | 5.0
    The Cenroll ActiveX control (xenroll.dll) for Terminal Server Editions of Windows NT 4.0 and Windows NT Server 4.0 before SP6 allows remote attackers to cause a denial of service (resource consumption) by creating a large number of arbitrary files on the target machine.
2000-12-11 | CVE-2000-1078 | Mirabilis | Unspecified vulnerability in Mirabilis ICQ web Front Windows9X | 5.0
    ICQ Web Front HTTPd allows remote attackers to cause a denial of service by requesting a URL that contains a "?" character.
2000-12-11 | CVE-2000-1075 | Netscape, SUN | Directory traversal vulnerability in iPlanet Certificate Management System 4.2 and Directory Server 4.12 allows remote attackers to read arbitrary files via a .. | 5.0
2000-12-11 | CVE-2000-1070 | CGI World | Unspecified vulnerability in Cgi-World Poll IT and Poll IT PRO | 5.0
    pollit.cgi in Poll It 2.01 and earlier uses data files that are located under the web document root, which allows remote attackers to access sensitive or private information.
2000-12-11 | CVE-2000-1066 | Freebsd | Denial of Service vulnerability in Freebsd 4.0/4.1/4.1.1 | 5.0
    The getnameinfo function in FreeBSD 4.1.1 and earlier, and possibly other operating systems, allows a remote attacker to cause a denial of service via a long DNS hostname.
2000-12-11 | CVE-2000-1065 | HP | DoS vulnerability in HP Jetdirect X.08.04/X.08.05/X.08.20 | 5.0
    Vulnerability in the IP implementation of HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service (printer crash) via a malformed packet.
2000-12-11 | CVE-2000-1064 | HP | DoS vulnerability in HP Jetdirect X.08.04/X.08.05/X.08.20 | 5.0
    Buffer overflow in the LPD service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service.
2000-12-11 | CVE-2000-1063 | HP | DoS vulnerability in HP Jetdirect X.08.04/X.08.05/X.08.20 | 5.0
    Buffer overflow in the Telnet service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service.
2000-12-11 | CVE-2000-1062 | HP | DoS vulnerability in HP Jetdirect X.08.04/X.08.05/X.08.20 | 5.0
    Buffer overflow in the FTP service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service.
2000-12-11 | CVE-2000-1058 | HP | Unspecified vulnerability in HP Openview Network Node Manager 4.11/5.01/6.1 | 5.0
    Buffer overflow in the OverView5 CGI program in HP OpenView Network Node Manager (NNM) 6.1 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, in the SNMP service (snmp.exe), aka the "Java SNMP MIB Browser Object ID parsing problem."
2000-12-11 | CVE-2000-1052 | Macromedia | Unspecified vulnerability in Macromedia Jrun 2.3.X | 5.0
    Allaire JRun 2.3 server allows remote attackers to obtain source code for executable content by directly calling the SSIFilter servlet.
2000-12-11 | CVE-2000-1051 | Macromedia | Unspecified vulnerability in Macromedia Jrun 2.3.X | 5.0
    Directory traversal vulnerability in Allaire JRun 2.3 server allows remote attackers to read arbitrary files via the SSIFilter servlet.
2000-12-11 | CVE-2000-1050 | Macromedia | Unspecified vulnerability in Macromedia Jrun 3.0 | 5.0
    Allaire JRun 3.0 http servlet server allows remote attackers to directly access the WEB-INF directory via a URL request that contains an extra "/" at the beginning of the request (aka the "extra leading slash").
2000-12-11 | CVE-2000-1049 | Macromedia | Unspecified vulnerability in Macromedia Jrun 3.0 | 5.0
    Allaire JRun 3.0 http servlet server allows remote attackers to cause a denial of service via a URL that contains a long string of "." characters.
2000-12-11 | CVE-2000-1048 | Qbik | Unspecified vulnerability in Qbik Wingate | 5.0
    Directory traversal vulnerability in the logfile service of Wingate 4.1 Beta A and earlier allows remote attackers to read arbitrary files via a ..
2000-12-11 | CVE-2000-1038 | IBM | Unspecified vulnerability in IBM As400 Firewall R440 | 5.0
    The web administration interface for IBM AS/400 Firewall allows remote attackers to cause a denial of service via an empty GET request.
2000-12-11 | CVE-2000-1036 | Extent Technologies | Unspecified vulnerability in Extent Technologies RBS ISP 2.5 | 5.0
    Directory traversal vulnerability in the Extent RBS ISP web server allows remote attackers to read sensitive information via a ..
2000-12-11 | CVE-2000-1032 | Checkpoint | Unspecified vulnerability in Checkpoint Firewall-1 3.0/4.0 | 5.0
    The client authentication interface for Check Point Firewall-1 4.0 and earlier generates different error messages for invalid usernames versus invalid passwords, which allows remote attackers to identify valid usernames on the firewall.
2000-12-11 | CVE-2000-1030 | Csandt | Unspecified vulnerability in Csandt Corporatetime FOR the web | 5.0
    CS&T CorporateTime for the Web returns different error messages for invalid usernames and invalid passwords, which allows remote attackers to determine valid usernames on the server.
2000-12-11 | CVE-2000-1027 | Cisco | Unspecified vulnerability in Cisco PIX Firewall Software 5.2 | 5.0
    Cisco Secure PIX Firewall 5.2(2) allows remote attackers to determine the real IP address of a target FTP server by flooding the server with PASV requests, which includes the real IP address in the response when passive mode is established.
2000-12-11 | CVE-2000-1025 | Unify | Unspecified vulnerability in Unify Ewave Servletexec 3.0C | 5.0
    eWave ServletExec JSP/Java servlet engine, versions 3.0C and earlier, allows remote attackers to cause a denial of service via a URL that contains the "/servlet/" string, which invokes the ServletExec servlet and causes an exception if the servlet is already running.
2000-12-11 | CVE-2000-1019 | Inktomi | Unspecified vulnerability in Inktomi Search Software 3.0/3.1.10 | 5.0
    Search engine in Ultraseek 3.1 and 3.1.10 (aka Inktomi Search) allows remote attackers to cause a denial of service via a malformed URL.
2000-12-11 | CVE-2000-1017 | Webteacher | Unspecified vulnerability in Webteacher Webdata | 5.0
    Webteacher Webdata allows remote attackers with valid Webdata accounts to read arbitrary files by posting a request to import the file into the WebData database.
2000-12-11 | CVE-2000-1016 | Suse | Unspecified vulnerability in Suse Linux 6.3/6.4 | 5.0
    The default configuration of Apache (httpd.conf) on SuSE 6.4 includes an alias for the /usr/doc directory, which allows remote attackers to read package documentation and obtain system configuration information via an HTTP request for the /doc/packages URL.
2000-12-11 | CVE-2000-1007 | Symantec | Unspecified vulnerability in Symantec I-Gear 3.5/3.5.7 | 5.0
    I-gear 3.5.7 and earlier does not properly process log entries in which a URL is longer than 255 characters, which allows an attacker to cause reporting errors.
2000-12-11 | CVE-2000-1006 | Microsoft | Unspecified vulnerability in Microsoft Exchange Server 5.5 | 5.0
    Microsoft Exchange Server 5.5 does not properly handle a MIME header with a blank charset specified, which allows remote attackers to cause a denial of service via a charset="" command, aka the "Malformed MIME Header" vulnerability.
2000-12-11 | CVE-2000-1005 | Extropia | Unspecified vulnerability in Extropia Webstore 1.0/2.0 | 5.0
    Directory traversal vulnerability in the html_web_store.cgi and web_store.cgi CGI programs in eXtropia WebStore allows remote attackers to read arbitrary files via a ..
2000-12-11 | CVE-2000-1002 | Stalker | Unspecified vulnerability in Stalker Communigate PRO 3.3.2 | 5.0
    The POP3 daemon in Stalker CommuniGate Pro 3.3.2 generates different error messages for invalid usernames versus invalid passwords, which allows remote attackers to determine valid email addresses on the server for SPAM attacks.
2000-12-11 | CVE-2000-1000 | AOL | Unspecified vulnerability in AOL Instant Messenger 4.1.2010 | 5.0
    Format string vulnerability in AOL Instant Messenger (AIM) 4.1.2010 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by transferring a file whose name includes format characters.
2000-12-11 | CVE-2000-1060 | Xfree86 Project | Unspecified vulnerability in Xfree86 Project Xfce 3.5.1 | 4.6
    The default configuration of XFCE 3.5.1 bypasses the Xauthority access control mechanism with an "xhost + localhost" command in the xinitrc program, which allows local users to sniff X Windows traffic and gain privileges.
2000-12-11 | CVE-2000-1057 | HP | Unspecified vulnerability in HP Openview Network Node Manager 4.11/5.01/6.1 | 4.6
    Vulnerabilities in database configuration scripts in HP OpenView Network Node Manager (NNM) 6.1 and earlier allow local users to gain privileges, possibly via insecure permissions.
2000-12-11 | CVE-2000-1031 | HP | Unspecified vulnerability in HP Hp-Ux and Tru64 | 4.6
    Buffer overflow in dtterm in HP-UX 11.0 and HP Tru64 UNIX 4.0f through 5.1a allows local users to execute arbitrary code via a long -tn option.
2000-12-11 | CVE-2000-1008 | Palm | Unspecified vulnerability in Palm OS | 4.6
    PalmOS 3.5.2 and earlier uses weak encryption to store the user password, which allows attackers with physical access to the Palm device to decrypt the password and gain access to the device.
2000-12-11 | CVE-2000-1004 | Openbsd | Unspecified vulnerability in Openbsd | 4.6
    Format string vulnerability in OpenBSD photurisd allows local users to execute arbitrary commands via a configuration file directory name that contains formatting characters.

3 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2000-12-11 | CVE-2000-1003 | Microsoft | Unspecified vulnerability in Microsoft Windows 95, Windows 98 and Windows 98Se | 2.6
    The NETBIOS client in Windows 95 and Windows 98 allows a remote attacker to cause a denial of service by changing a file sharing service to return an unknown driver type, which causes the client to crash.
2000-12-11 | CVE-2000-1018 | Mendel Cooper | Unspecified vulnerability in Mendel Cooper Shred 1.0 | 2.1
    The shred 1.0 file wiping utility does not properly open a file for overwriting or flush its buffers, which prevents shred from properly replacing the file's data and allows local users to recover the file.
2000-12-11 | CVE-2000-1045 | Padl Software | Unspecified vulnerability in Padl Software NSS Ldap Build105/Build113/Build85 | 1.2
    nss_ldap builds earlier than 121, when run with nscd (name service caching daemon), allow remote attackers to cause a denial of service via a flood of LDAP requests.