CVE List
| Id | CVE No. | Status | Description | Phase | Votes | Comments | Actions |
|---|---|---|---|---|---|---|---|
| 1819 | CVE-2000-0241 | Candidate | vqSoft vqServer stores sensitive information such as passwords in cleartext in the server.cfg file, which allows attackers to gain privileges. | Proposed (20000412) | ACCEPT(3) Baker, Frech, Levy | NOOP(2) Cole, Magdych | CHANGE> [Magdych changed vote from REVIEWING to NOOP] | View |
| 1820 | CVE-2000-0242 | Candidate | WindMail allows remote attackers to read arbitrary files or execute commands via shell metacharacters. | Proposed (20000412) | ACCEPT(2) Cole, Levy | NOOP(1) Baker | RECAST(1) Frech | REJECT(2) Christey, Magdych | Frech> Violation of fundamentum divisionis (that is, it"s more than one issue) and | a potential nitpick: | - windmail-fileread: allows remote attackers to read arbitrary files | - windmail-pipe-command: execute commands via shell metacharacters | - The conjunction "or" should be "and", if you decide to stick with one CAN. | Christey> As Andre basically said without naming content decisions, | CD:SF-LOC says this should be split. | | HOWEVER - the author of the product says that WindMail isn"t | supposed to be a CGI script, and says that the pipe | character problem is not related to Geocel. So should CVE | record when someone runs a program that wasn"t intended to | be a CGI? There may be a level of abstraction issue here. | Note that Perl and shell interpreters in CGI-BIN are | already mentioned in CVE-1999-0509. If we want to include | "using a program that wasn"t designed to be a CGI" as a | problem, we should have a separate candidate. | | See the author"s comments at: | http://www.securityfocus.com/templates/archive.pike?list=1&msg=3.0.5.32.20000331114325.013af680@mailhost.geocel.com | | which also claims that the original announcer hasn"t provided | any more details after the author was unable to reproduce the | problem. | CHANGE> [Magdych changed vote from REVIEWING to REJECT] | Magdych> After reviewing the author"s comments, I"m inclined to think that this is more of a misconfiguration than a vulnerability. | View |
| 1822 | CVE-2000-0244 | Candidate | The Citrix ICA (Independent Computing Architecture) protocol uses weak encryption (XOR) for user authentication. | Proposed (20000412) | ACCEPT(2) Levy, Magdych | MODIFY(1) Frech | NOOP(2) Baker, Cole | Frech> XF:citrix-encryption | View |
| 1792 | CVE-2000-0214 | Candidate | FTP Explorer uses weak encryption for storing the username, password, and profile of FTP sites. | Proposed (20000322) | ACCEPT(5) Armstrong, Baker, Cole, Levy, Ozancin | MODIFY(1) Frech | NOOP(3) Blake, LeBlanc, Wall | Frech> XF:ftp-explorer-weak-pwd(4038) | View |
| 1794 | CVE-2000-0216 | Candidate | Microsoft email clients in Outlook, Exchange, and Windows Messaging automatically respond to Read Receipt and Delivery Receipt tags, which could allow an attacker to flood a mail system with responses by forging a Read Receipt request that is redirected to a large distribution list. | Proposed (20000322) | ACCEPT(1) Cole | MODIFY(1) Frech | NOOP(2) Baker, Ozancin | REJECT(3) Blake, LeBlanc, Levy | REVIEWING(1) Wall | Blake> This is a configuration issue. Should the fact that NT can be configured | to accept a blank Admin password have a CVE entry? | LeBlanc> This is documented as bad practice - if you have a wide distribution | mailing list, you should only allow certain users to send mail to it. | I don"t think we want to start listing all possible admin errors as | vulnerabilities. | Frech> XF:microsoft-mail-client-dos(4893) | Levy> I agree with all the above comments. Furthermore the delivery status | notification RFC makes it clear that mailing list software should | strip messages from DSN headers. I assume Microsoft"s products are | using the DSN standard and not something else. | View |
Page 371 of 20943, showing 5 records out of 104715 total, starting on record 1851, ending on 1855
