ISSalert: ISS Security Alert Summary: Volume 5 Number 3

2000-04-04 00:00:00
vulners.com

ISS Security Alert Summary
April 1, 2000
Volume 5 Number 3

X-Force Vulnerability and Threat Database: http://xforce.iss.net/

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to [email protected], and within the body of the message
type: 'subscribe alert'.


Contents

33 Reported Vulnerabilities

  • windmail-pipe-command
  • windmail-fileread
  • simpleserver-exception-dos
  • linux-domain-socket-dos
  • linux-gpm-root
  • outlook-manipulate-hidden-drives
  • vqserver-dir-traverse
  • vqserver-passwd-plaintext
  • iis-chunked-encoding-dos
  • nav-email-gateway-dos
  • netscape-server-directory-indexing
  • mercur-webview-get-dos
  • officescan-admin-pw-plaintext
  • officescan-admin-access
  • linux-kreatecd-path
  • win-dos-devicename-dos
  • wmcdplay-bo
  • nt-registry-permissions
  • staroffice-scheduler-fileread
  • staroffice-scheduler-bo
  • iis-root-enum
  • mssql-query-abuse
  • clipart-cil-bo
  • oracle-installer
  • linux-rpm-query
  • thebat-mua-attach
  • irix-infosrch-fname
  • linux-dosemu-config
  • coldfusion-reveal-pathname
  • netscape-enterprise-command-bo
  • nmh-execute-code
  • htdig-remote-read
  • ie-html-shortcut

Risk Factor Key


Date Reported: 3/25/00
Vulnerability: windmail-pipe-command
Platforms Affected: WindMail 3.0
Risk Factor: High
Attack Type: Network Based

WindMail is a command-line email messenger for Windows that can create
mail forms for web sites from CGI scripts. By issuing an HTTP command that
includes the pipe character, an attacker could execute arbitrary commands
on the vulnerable system.

Reference:
Bugtraq Mailing List: "Windmail allow web user get any file" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&[email protected]


Date Reported: 3/25/00
Vulnerability: windmail-fileread
Platforms Affected: WindMail 3.0
Risk Factor: Medium
Attack Type: Network Based

WindMail is a command-line email messenger for Windows that can create
mail forms for web sites from CGI scripts. By sending a
specially-formatted URL, an attacker could retrieve any ASCII file on the
vulnerable system.

Reference:
Bugtraq Mailing List: "Windmail allow web user get any file" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&[email protected]


Date Reported: 3/25/00
Vulnerability: simpleserver-exception-dos
Platforms Affected: SimpleServer WWW 1.03
Risk Factor: Medium
Attack Type: Network/Host Based

AnalogX SimpleServer WWW is a standard web server for Windows. Version
1.03 is vulnerable to a simple denial of service attack. By requesting a
URL with exactly 8 characters following the /cgi-bin/ directory, an
attacker can crash the server, requiring it to be rebooted.

Reference:
Bugtraq Mailing List: "AnalogX SimpleServer 1.03 Remote Crash" at:
http://www.securityfocus.com/templates/archive.pike?list=1&[email protected]


Date Reported: 3/23/00
Vulnerability: linux-domain-socket-dos
Platforms Affected: RedHat Linux (6.1, 6.2)
Risk Factor: Medium
Attack Type: Network/Host Based

The Linux kernel is vulnerable to a denial of service attack due to
improper handling of Unix domain sockets. The Unix domain sockets ignore
limits set in wmem_max. A local attacker can crash the system by creating
successive Unix domain sockets, requiring the system to be rebooted.

Reference:
Bugtraq Mailing List: "Local Denial-of-Service attack against Linux" at:
http://www.securityfocus.com/templates/archive.pike?list=1&[email protected]


Date Reported: 3/22/00
Vulnerability: linux-gpm-root
Platforms Affected: Linux running General Purpose Mouse
Risk Factor: Low
Attack Type: Host Based

The General Purpose Mouse (gpm) package is a tool to enable the mouse for
cutting and pasting on consoles, which ships with several Linux
distributions. Due to a design flaw in gpm-root, which causes the setgid
call to fail, a local user with console access can obtain the group id
that is running gpm-root (usually root).

Reference:
Bugtraq Mailing List: "gpm-root" at:
http://www.securityfocus.com/templates/archive.pike?list=1&[email protected]


Date Reported: 3/22/00
Vulnerability: outlook-manipulate-hidden-drives
Platforms Affected: Microsoft Outlook 98
Risk Factor: Medium
Attack Type: Host Based

Microsoft Outlook contains a vulnerability that would allow a local user
to view hidden drives. In Windows NT, an administrator can hide specific
drives using systems policies, so that they cannot be accessed using My
Computer, Windows NT Explorer, or the command prompt. However, the Insert
File option in Microsoft Outlook reveals the hidden drives, allowing a
user to copy, cut, paste, or delete files.

Reference:
Bugtraq Mailing List: "Hide Drives does not work with OUTLOOK 98" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&[email protected]


Date Reported: 3/21/00
Vulnerability: vqserver-dir-traverse
Platforms Affected: vqSoft's vqServer
Risk Factor: Medium
Attack Type: Network/Host Based

The vqServer program by vqSoft is a Java-based personal web server for
cross-platform environments. Version 1.9.9 of vqServer, and possibly
others, contains a vulnerability that would allow a user to traverse the
directories by appending /…/ to a URL, then submitting to the
server. This would allow a remote attacker to access any file on the
system.

Reference:
Bugtraq Mailing List: "vqserver /…/" at:
http://www.securityfocus.com/templates/archive.pike?list=1&[email protected]


Date Reported: 3/21/00
Vulnerability: vqserver-passwd-plaintext
Platforms Affected: vqSoft's vqServer
Risk Factor: High
Attack Type: Network/Host Based

The vqServer program by vqSoft is a Java-based personal web server for
cross-platform environments. Version 1.9.9 of vqServer, and possibly
others, stores server settings and passwords unencrypted. A remote user
could access the password file, via a directory traversal vulnerability
in the program, to obtain the administrator password and gain
administrative rights to the server.

Reference:
Bugtraq Mailing List: "vqserver /…/" at:
http://www.securityfocus.com/templates/archive.pike?list=1&[email protected]


Date Reported: 3/20/00
Vulnerability: iis-chunked-encoding-dos
Platforms Affected: Microsoft Internet Information Server 4.0
Risk Factor: Medium
Attack Type: Network/Host Based

Microsoft Internet Information Server (IIS) 4.0 contains a vulnerability
in its support for chunked encoding transfers, because it does not limit
the size of these transfers. An attacker could consume memory on the
server by requesting a buffer be reserved for an extremely large amount of
data, and then keeping the session open without sending the data. It is
possible for an attacker to consume enough memory to cause the server to
stop functioning properly. The server could be restored by stopping and
restarting the IIS service.

Reference:
Microsoft Security Bulletin (MS00-018): "Patch Available for 'Chunked
Encoding Post' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-018.asp


Date Reported: 3/17/00
Vulnerability: nav-email-gateway-dos
Platforms Affected: Norton AntiVirus for Internet Email Gateways
Risk Factor: Medium
Attack Type: Network/Host Based

Norton AntiVirus for Internet Email Gateways is an SMTP agent that scans
email attachments for viruses. It includes a web-based management and
administration interface that uses an embedded web server in the product.
By sending a long URL to the server, a user will overflow a buffer and
crash the program.

Reference:
Bugtraq Mailing List: "DoS with NAVIEG" at:
http://www.securityfocus.com/templates/archive.pike?list=1&[email protected]


Date Reported: 3/17/00
Vulnerability: netscape-server-directory-indexing
Platforms Affected: Netscape Enterprise Server (3.0, 3.51, 3.6)
Risk Factor: Medium
Attack Type: Network/Host Based

Netscape Enterprise Server version 3.x contains a feature called Directory
Indexing. This feature, which is enabled by default, displays a directory
listing when a user includes certain tags in a requested URL. This
could allow a remote attacker to gain unauthorized access to documents or
retrieve lists of file names (such as CGI scripts).

Reference:
Bugtraq Mailing List: "[SAFER 000317.EXP.1.5] Netscape Enterprise Server
and '?wp' tags" at:
http://www.securityfocus.com/templates/archive.pike?list=1&[email protected]


Date Reported: 3/16/00
Vulnerability: mercur-webview-get-dos
Platforms Affected: Mercur WebView WebMail-Client 1.0
Risk Factor: Medium
Attack Type: Network/Host Based

MERCUR WebView WebMail-Client 1.0 is an add-on to the MERCUR 3.0 mail
server that allows users to read email via a web browser. Due to improper
bounds checking in the GET command on port 1080, a user can overflow a
buffer and cause the WebMail service to crash.

Reference:
Underground Security Systems Research: "Local / Remote DoS Attack in
MERCUR WebView WebMail-Client 1.0 for Windows 98/NT Vulnerability" at:
http://www.ussrback.com/labs36.html


Date Reported: 3/16/00
Vulnerability: officescan-admin-pw-plaintext
Platforms Affected: Trend Micro OfficeScan Corporate Edition
(3.0, 3.11, 3.13, 3.5)
Risk Factor: High
Attack Type: Network/Host Based

Trend Micro OfficeScan 3.51 and below transmits the administrator password
over the network in cleartext. OfficeScan is anti-virus software for
corporate networks. When configured in the web-based mode on a Windows NT
server, an attacker can use a sniffing program to intercept the
administrator password.

Reference:
Bugtraq Mailing List: "OfficeScan TrendMicro: admin for everybody!" at:
http://www.securityfocus.com/templates/archive.pike?list=1&[email protected]


Date Reported: 3/16/00
Vulnerability: officescan-admin-access
Platforms Affected: Trend Micro OfficeScan Corporate Edition
(3.0, 3.11, 3.13, 3.5)
Risk Factor: High
Attack Type: Network/Host Based

Trend Micro OfficeScan 3.51 and below allows users to perform
administrative tasks without authentication. OfficeScan is anti-virus
software for corporate networks. When configured in the web-based mode on
a Windows NT server, an unauthenticated attacker can use a web browser to
access and execute cgi scripts for administration of the software across
the network.

References:
Bugtraq Mailing List: "OfficeScan TrendMicro: admin for everybody!" at:
http://www.securityfocus.com/templates/archive.pike?list=1&[email protected]

Bugtraq Mailing List: "Trend Micro releases Patch for 'OfficeScan
Unauthenticated CGI Usage' vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=D129BBE1730AD2118A0300805FC1C2FE0650E8E6@209-76-212-10.trendmicro.com


Date Reported: 3/16/00
Vulnerability: linux-kreatecd-path
Platforms Affected: SUSE Linux (6.0, 6.1, 6.2, 6.3)
Risk Factor: High
Attack Type: Host Based

The kreatecd package is a graphical front end tool for the cdrecord
command that ships with several Linux distributions. The program is
installed setuid root and is designed to trust the configuration path to
cdrecord. A local attacker could use kreatecd to execute commands as root.

Reference:
Bugtraq Mailing List: "TESO & C-Skills development advisory – kreatecd" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=ine.LNX.3.96.1000316143853.257E-200000@ati12.cs.uni-potsdam.de


Date Reported: 3/16/00
Vulnerability: win-dos-devicename-dos
Platforms Affected: Windows 95
Windows 98
Risk Factor: Medium
Attack Type: Network Based

Microsoft Windows 95 and 98 contain a vulnerability in the parsing of file
path names. DOS device names, such as COM1 or LPT1, are reserved words and
normally cannot be used as file or directory names. If a user attempts to
access a file path name that includes one DOS device name, it is treated
as invalid, and an error is returned. However, if the path name includes
multiple DOS device names, the machine will crash.

Reference:
Microsoft Security Bulletin (MS00-017): "Patch Available for 'DOS Device
in Path Name' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-017.asp


Date Reported: 3/10/00
Vulnerability: wmcdplay-bo
Platforms Affected: wmcdplay
Risk Factor: High
Attack Type: Host Based

The wmcdplay CD player program is vulnerable to a buffer overflow attack.
A local attacker can pass an argument to overflow the stack, due to
insufficient bounds checking on calls to sprintf. The program is setuid
root, allowing an attacker to gain root privileges by overflowing the
stack and executing arbitrary code on the system.

Reference:
BugTraq mailing list: "wmcdplay Buffer Overflow Vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&[email protected]


Date Reported: 3/9/00
Vulnerability: nt-registry-permissions
Platforms Affected: Microsoft Windows NT 4.0
Risk Factor: High
Attack Type: Host Based

Windows NT 4.0, including the Workstation, Server, and Terminal Server
versions, has some registry permissions that are too permissive. A local
user with access to the machine could potentially increase their access
and cause code to be executed on the machine.

Reference:
Microsoft Security Bulletin (MS00-008): "Patch Available for 'Registry
Permissions' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-008.asp


Date Reported: 3/9/00
Vulnerability: staroffice-scheduler-fileread
Platforms Affected: StarOffice 5.1
Risk Factor: Medium
Attack Type: Network Based

StarOffice is an office-productivity suite from Sun Microsystems. The
StarSchedule server, which controls the group scheduling component of
StarOffice, allows an attacker to read files on the server. A remote user
can traverse directories using "…/" paths to read any file on the server
through a browser.

Reference:
Bugtraq Mailing List: "[SAFER 000309.EXP.1.4] StarScheduler (StarOffice)
vulnerabilities" at:
http://www.securityfocus.com/templates/archive.pike?list=1&[email protected]


Date Reported: 3/9/00
Vulnerability: staroffice-scheduler-bo
Platforms Affected: StarOffice 5.1
Risk Factor: High
Attack Type: Network Based

StarOffice is an office-productivity suite from Sun Microsystems. The
StarSchedule server, which controls the group scheduling component of
StarOffice, is vulnerable to a buffer overflow attack. Sending a large
amount of data to the GET command will crash the server, and could allow
an attacker to execute arbitrary code as root.

Reference:
Bugtraq Mailing List: "[SAFER 000309.EXP.1.4] StarScheduler (StarOffice)
vulnerabilities" at:
http://www.securityfocus.com/templates/archive.pike?list=1&[email protected]


Date Reported: 3/8/00
Vulnerability: iis-root-enum
Platforms Affected: IIS (4.0, 5.0)
Risk Factor: Medium
Attack Type: Host Based

Microsoft Internet Information Server (IIS) 4.0 and 5.0 disclose paths of
network shares if configured incorrectly. Files of type IDQ, IDA, and HTX
cannot be served from a network share. If a web site administrator
attempts to serve these types of files from network shares, a user who
attempts to access them will receive an error message that discloses the
share path of the file.

Reference:
BugTraq mailing list: "Microsoft IIS UNC Path Disclosure Vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&[email protected]


Date Reported: 3/8/00
Vulnerability: mssql-query-abuse
Platforms Affected: Microsoft SQL Server 7.0
Microsoft Data Engine 1.0
Risk Factor: High
Attack Type: Network Based

Microsoft SQL Server 7.0 and Microsoft Data Engine 1.0 are vulnerable to a
remote query problem. The server and engine do not perform sufficient
argument validation on particular types of SQL statements. A remote user
who has access to submit queries could take actions on the SQL database
and possibly perform actions on the server itself.

Reference:
Microsoft Security Bulletin (MS00-014): "Patch Available for 'SQL Query
Abuse' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-014.asp


Date Reported: 3/6/00
Vulnerability: clipart-cil-bo
Platforms Affected: Microsoft Office 2000
Microsoft Works 2000
Risk Factor: High
Attack Type: Host Based

Microsoft Clip Art Gallery, shipped with such packages as Microsoft Office
2000 and Microsoft Works 2000, contains a possible buffer overflow in the
handling of CIL files. The CIL file format is used for downloading
additional clips for installation into the gallery. If a CIL file is
created with a long field embedded in it, it will overflow the buffer and
crash the Clip Gallery, which could result in the execution of arbitrary
code.

Reference:
Microsoft Security Bulletin (MS00-015): "Patch Available for 'Clip Art
Buffer Overrun' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-015.asp


Date Reported: 3/5/00
Vulnerability: oracle-installer
Platforms Affected: Oracle 8.1.5i
Risk Factor: High
Attack Type: Host Based

The installation program for Oracle 8.1.5i contains a vulnerability that
could allow an attacker to gain root access. The Oracle installation
script creates the directory /tmp/orainstall, owned by oracle:dba, mode
711, containing the shell script orainstRoot.sh, mode 777. Then, the
installation program stops and asks the user to run the orainstRoot.sh
script. An attacker