CVE List
| Id | CVE No. | Status | Description | Phase | Votes | Comments | Actions |
|---|---|---|---|---|---|---|---|
| 10566 | CVE-2004-2140 | Candidate | CRLF injection vulnerability in YaBB 1 Gold before 1.3.2 allows remote attackers to modify text file contents via the subject variable. | Assigned (20050630) | REVIEWING(1) Christey | Christey> likely dupe with CVE-2004-1982 | View |
| 1595 | CVE-2000-0017 | Candidate | Buffer overflow in Linux linuxconf package allows remote attackers to gain root privileges via a long parameter. | Proposed (20000111) | NOOP(4) Armstrong, Baker, Christey, Stracener | REJECT(2) Frech, Levy | Christey> It"s not certain whether this is exploitable or not. An | expert (the linuxconf author?) wasn"t able to duplicate the | bug - see http://lwn.net/1999/1223/a/linuxconfresponse.html | | The original posting with example exploit was | http://marc.theaimsgroup.com/?l=bugtraq&m=94580196627059&w=2 | | However - GIAC and the Security Focus incidents list have | consistently reported that scans are taking place for | linuxconf, so do the hackers know more than we do? | Frech> Unless vendor or other confirmation occurs, there has been no corroboration | of this issue in public forums. | CHANGE> [Armstrong changed vote from ACCEPT to NOOP] | View |
| 380 | CVE-1999-0381 | Candidate | super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access. | Proposed (19990726) | ACCEPT(7) Baker, Blake, Cole, Frech, Landfield, Levy, Ozancin | MODIFY(1) Bishop | NOOP(2) Armstrong, Wall | REVIEWING(1) Christey | Christey> Is this the same as CVE-1999-0373? They both have the same | X-Force reference. | | BID:342 suggests that there are two. | | http://www.debian.org/security/1999/19990215a suggests | that there are two. However, CVE-1999-0373 is written up in | a fashion that is too general; and both XF:linux-super-bo and | XF:linux-super-logging-bo refer to CVE-1999-0373. | CVE-1999-0373 may need to be split. | | Frech> From what I can surmise, ISS released the original advisory (attached to | linux-super-bo), and Sekure SDI expanded on it by releasing another related | overflow in syslog (which is linux-super-logging-bo). | | When I was originally assigning these issues, I placed both XF references | and the ISS advisory on the -0373 candidate, since there was nothing else | available. Based on the information above, I"d request that | XF:linux-super-logging-bo be removed from CVE-1999-0373. | Christey> Given Andre"s feedback, these are different issues. | CVE-1999-0373 does not need to be split because the ISS | reference is sufficient to distinguish that CVE from this | candidate; however, the CVE-1999-0373 description should | probably be modified slightly. | Bishop> (as indicated by Christey) | CHANGE> [Cole changed vote from NOOP to ACCEPT] | CHANGE> [Christey changed vote from NOOP to REVIEWING] | Christey> There are 2 bugs, as confirmed by the super author at: | BUGTRAQ:19990226 Buffer Overflow in Super (new) | http://www.securityfocus.com/archive/1/12713 | BID:397 also seems to cover this one, and it may cover | CVE-1999-0373 as well. | View |
| 4645 | CVE-2002-0253 | Candidate | PHP, when not configured with the "display_errors = Off" setting in php.ini, allows remote attackers to obtain the physical path for an include file via a trailing slash in a request to a directly accessible PHP program, which modifies the base path, causes the include directive to fail, and produces an error message that contains the path. | Proposed (20020502) | ACCEPT(1) Frech | NOOP(6) Armstrong, Christey, Cole, Cox, Foat, Wall | Christey> Is this another case when PHP leaks path information by design, | as supported by "display_errors" option? Then the | vulnerability (rather, exposure) would be in the use of the | display_errors option itself, whose implications may include | this particular scenario. | CHANGE> [Cox changed vote from REVIEWING to NOOP] | View |
| 4869 | CVE-2002-0477 | Candidate | Standalone Macromedia Flash Player 5.0 before 5,0,30,2 allows remote attackers to execute arbitrary programs via a .SWF file containing the "exec" FSCommand. | Proposed (20020611) | ACCEPT(5) Baker, Cole, Frech, Green, Wall | NOOP(2) Cox, Foat | REVIEWING(1) Christey | Christey> Is swf_clear.html *really* related to standalone_update.htm? | Or is the former really talking about a third issue related to | a virus? standalone_update.htm is clearly fscommand ("exec"). | It has an "Additional information" statement that says: | "For a description of the potential issue with the previous | stand-alone player, please refer to [swf_clear.htm]" | | I interpret "the previous stand-alone player" as meaning "the player | that we are updating with this advisory." Since we know that | standalone_update.htm is exec, this implies that swf_clear.htm is | really the exec issue. However, swf_clear.html doesn"t | mention fscommand ("exec") AT ALL, which casts doubt or at | least uncertainty as to my conclusions. | | swf_clear.html links back to standalone_update.htm, so at | least the references are circular. | | At least it"s pretty clear that this issue is different from | CVE-2002-0476. | | Email inquiry sent to Macromedia on June 13, 2002. | View |
Page 303 of 20943, showing 5 records out of 104715 total, starting on record 1511, ending on 1515
