piranha/secure/passwd.php3:
CVE-2000-0322
Piranha is a utility which comes with Red Hat Linux for administering the
Linux Virtual Server. It comes with a default backdoor password which
could allow unauthorized access to the Graphical User Interface (GUI).
By exploiting vulnerabilities in the tools that come with the GUI, an
attacker who knows the backdoor password could execute arbitrary commands
on the server. Any server which has piranha-gui 0.4.12 installed, which
is the default for Red Hat 6.2, is vulnerable.
cart32.exe:
This program is part of Cart 32, an E-Commerce Shopping Cart application.
By default, it has a backdoor password of "wemilo". An attacker who
knows this password could view a list of client passwords using an
undocumented URL such as http://hostname/scripts/cart32.exe/cart32clientlist.
The hashed client passwords could be used to execute arbitrary commands
on the server using a specially crafted URL.
emurl/RECMAN.dll:
CVE-2000-0397
SeattleLab's Emurl 2.0 and earlier versions authenticate users
with a simple ASCII encoding scheme based on the user's login name.
This makes it possible to read other users' mail, reconfigure their
accounts, or steal their POP passwords.
guestbook:
CVE-1999-0237
Selena Sol's guestbook CGI program could allow an
attacker to execute arbitrary commands on the server if
server side includes are enabled.
excite:
CVE-1999-0279
Excite for Web Servers does not sufficiently check
queries for special characters before passing them to
a shell. It is possible for a remote attacker to execute
arbitrary commands on the server by exploiting this condition.
Excite 1.1 for either Unix or Windows NT is affected by this
vulnerability if patches have not been applied after 1/16/98.
site/eg/source.asp:
CVE-2000-0628
Apache::ASP comes with a sample script which can be exploited to write
to files in the same directory as the script. Versions
prior to 1.95 are vulnerable.
w3-msql:
CVE-2000-0012
Mini SQL has a buffer overflow condition which could allow a remote attacker
to execute arbitrary commands on the server. Versions 2.0.4.1 through
2.0.11 for Unix and Linux are affected by this vulnerability.
wais.pl:
This script is a web interface to the waisq
client. A vulnerability in wais.pl could allow a remote user
to set command-line options through input parameters, thereby
overwriting files on the server. This vulnerability also
exposes a buffer overflow condition in waisq.
ddicgi.exe:
This program is part of
Mobius DocumentDirect for Internet. A buffer overflow
condition could allow a remote attacker to execute
arbitrary code.
db2www:
CVE-2000-0677
This program is part of the Net.Data application, which
is used for web development. A buffer overflow in the processing
of the PATH_INFO environment variable could allow an attacker
to execute arbitrary code.
search97cgi/vtopic:
CVE-2000-1014
This file is the search function used by the SCO
UnixWare 7 scohelphttp web server. Due to a format string
vulnerability, an attacker could execute arbitrary commands
on the server with the privileges of the nobody user.
webplus:
This script is part of the Web+ web application
server. A vulnerability in the script could allow a remote
attacker to view the source code of WML files, and possibly ASP files, by
appending the string "::$DATA" to the URL.
Additionally, the webping sample script could allow a remote
attacker to view arbitrary files in the Linux version.
Big Brother:
CVE-2000-0639
CVE-2000-0978
A vulnerability in Big Brother could allow
a remote attacker to execute arbitrary commands on the server by
creating a file on the server and then going to the file
in a web browser. A second vulnerability could allow a
remote attacker to execute arbitrary code by sending
specially crafted input to the server.
Directory Services Gateway (dsgw):
CVE-2000-1075
A buffer overflow condition in Netscape/iPlanet
Directory Server 4.12 and
Certificate Management System 4.2 could allow a remote
attacker to execute arbitrary code or create a denial of service.
A separate buffer overflow in Directory Server 4.11 and 4.12 could
also allow a remote attacker to execute arbitrary code or create a
denial of service.
pbserver.dll:
CVE-2000-1089
Microsoft PhoneBook Server is an optional component
of IIS 4 and 5. A buffer overflow condition could allow
an attacker to execute arbitrary code with the privileges
of IUSR_machinename with IIS 4 or
IWAM_machinename with IIS 5.
statsconfig.pl:
This script comes with
OmniHTTPd. Due to a lack of parameter checking in the
cgidir and mostbrowsers
variables, a remote attacker could corrupt any file on
the system, or inject arbitrary code into /cgi-bin/stats.pl,
which can then be executed by calling the script from a
browser. OmniHTTPd version 2.07 and possibly other versions
are vulnerable.
wwwwais:
This script is a web interface to the popular WAIS
search engine. A buffer overflow condition could allow
a remote attacker to execute arbitrary code by sending
a specially crafted query string.
pi:
This script is part of the PlanetIntra
software. A buffer overflow could allow a remote attacker to
execute arbitrary commands on the server.
post-query:
This is a simple C program for processing POST
data from HTML forms. A buffer overflow
condition could allow a remote attacker to execute arbitrary
code on the server.
However, in order for this vulnerability to be exploited
there would need to be a large amount
of physical or virtual memory on the server, and the operating
system would need to allow the program to allocate the needed
memory.
ncommerce3/*:
IBM's Net.Commerce and WebSphere applications encrypt
user passwords using TripleDES. Unless the encryption
key was changed from the default, these passwords can be
easily decrypted. Furthermore, users can be enumerated and
encrypted passwords can be retrieved using specially crafted
queries. The combination of the above vulnerabilities could allow
a remote attacker to gain access with administrator privileges.
All Net.Commerce 3.1 and 3.2 versions and WebSphere Commerce Suite version 4.1 are affected by this vulnerability if the MERCHANT_KEY has not been changed from the default. Versions 5.1 and later are not affected.
websync.exe:
This script is part of the CyberScheduler
package. Due to insufficient checking of the length of the Time Zone
variable, a remote attacker could create a buffer overflow
attack, resulting in the ability to execute arbitrary commands.
globals.pl, process_bug.cgi:
These scripts are part of the Bugzilla
bug tracking application. The first, globals.pl, could
reveal sensitive information such as path names and database passwords.
The second, process_bug.cgi, could allow a remote attacker
to execute arbitrary commands if the attacker registers with Bugzilla
with a specially crafted e-mail address containing shell commands.
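The excite, wais.pl and Bugzilla entries above share one root cause: client input reaches a shell, or reaches a program's option parser, without being checked. The C below is an added example written for this page; it is not code from Excite, wais.pl, Bugzilla or the scanner. The backend path "/usr/local/bin/waisq", the index name "index.src" and the function names are hypothetical, and nothing is actually executed: the functions only build the command line or argument vector so the difference can be inspected.

```c
/* Added example (not from the scanner documentation or any of the
 * products it lists): a minimal CGI-style search front end showing why
 * passing user input to a shell is dangerous, and how to avoid it.
 *
 * Assumptions (hypothetical names, chosen for this example):
 *   - the search backend is an external program invoked with the
 *     query as its last argument, as wais.pl does with waisq;
 *   - "/usr/local/bin/waisq" is never executed here; the functions only
 *     prepare the command line / argument vector so they are testable.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Characters the shell treats specially. A query containing any of
 * these, handed to system() or popen(), lets the client run commands
 * (the Bugzilla e-mail address case is the same problem). */
static const char SHELL_META[] = ";|&`$<>()\\\"'*?[]{}~#\n\r";

/* Allow-list check: returns 1 if q contains only printable ASCII with
 * no shell metacharacters, 0 otherwise. */
int query_is_safe(const char *q)
{
    size_t i;
    if (q == NULL || q[0] == '\0')
        return 0;
    for (i = 0; q[i] != '\0'; i++) {
        unsigned char c = (unsigned char)q[i];
        if (c < 0x20 || c > 0x7e)      /* control bytes, non-ASCII */
            return 0;
        if (strchr(SHELL_META, (int)c) != NULL)
            return 0;
    }
    return 1;
}

/* Returns 1 if the query would be parsed as an option by a backend
 * that uses getopt-style parsing: the wais.pl problem, where input
 * such as "-f /etc/passwd" becomes the backend's -f option. */
int looks_like_option(const char *q)
{
    return q != NULL && q[0] == '-';
}

/* Vulnerable pattern (never run this with untrusted input): the query
 * is spliced into a command line that a shell will parse. The string
 * is returned so the caller can see it; -1 if it does not fit. */
int build_shell_command(char *out, size_t outsz, const char *query)
{
    int n = snprintf(out, outsz,
                     "/usr/local/bin/waisq -S index.src -g %s", query);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

/* Safe pattern: the backend is execve()'d with an argument vector, so
 * no shell ever sees the query. The "--" ends option parsing, so a
 * query beginning with "-" is still just a search term. Returns the
 * number of argv entries (excluding the terminating NULL), or -1. */
int build_argv(const char *argv_out[], size_t max, const char *query)
{
    if (max < 6 || !query_is_safe(query))
        return -1;
    argv_out[0] = "/usr/local/bin/waisq";
    argv_out[1] = "-S";
    argv_out[2] = "index.src";
    argv_out[3] = "--";           /* everything after this is data */
    argv_out[4] = query;
    argv_out[5] = NULL;
    return 5;
}
```

The allow-list plus argument vector is the combination to keep: the allow-list alone still lets a leading "-" reach the backend as an option, and the argument vector alone still lets the backend receive a query the script never meant to accept.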
query.asp, query.idq:
These files are the search scripts for Microsoft Index Server.
There are two vulnerabilities. The first is
a buffer overflow, which could allow an attacker to crash the service
or execute arbitrary commands with Local System privileges. An
attacker would need to be able to authenticate to the server in
order to exploit the vulnerability. This vulnerability only affects
Index Server 2.0 which comes with Windows NT 4.0 Option Pack, and
is not enabled by default.
CVE-2000-0097
The second vulnerability affects Index Server's hit-highlighting
feature. Due to insufficient parameter checking, this feature
could be exploited to view any file on the same logical drive as
the web server. This vulnerability affects Index Server 2.0 and
Indexing Services for Windows 2000.
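Both the Index Server hit-highlighting problem and the Web+ "::$DATA" problem above come down to a handler serving whatever path the client names. The C below is an added example for this page, not code from Index Server, Web+ or the scanner; "/srv/www/docs" is a hypothetical document root and the function names are chosen here. It refuses traversal out of the root and any NTFS stream suffix, and touches no files.

```c
/* Added example (not from the scanner documentation, Web+ or Index
 * Server): a request-path check for a CGI or search handler that
 * serves files from a document root. It rejects the two patterns
 * described above: traversal out of the root (hit-highlighting) and
 * NTFS alternate-data-stream suffixes such as "::$DATA" (Web+).
 *
 * Assumptions: "/srv/www/docs" is a hypothetical document root; the
 * functions only reason about the path string and open nothing. A %00
 * in the URL must be rejected before decoding, since a C string cannot
 * carry it and everything after it would silently vanish. */
#include <stdio.h>
#include <string.h>

#define DOC_ROOT "/srv/www/docs"

/* Returns 1 if the client-supplied relative path may be served, 0 if
 * it must be refused. Conservative: anything not obviously safe fails. */
int path_is_allowed(const char *req)
{
    const char *p;
    if (req == NULL || req[0] == '\0')
        return 0;
    /* Absolute paths, drive letters and UNC paths are not relative to
     * the document root. */
    if (req[0] == '/' || req[0] == '\\')
        return 0;
    if (strchr(req, ':') != NULL)       /* C:\..., file.asp::$DATA,
                                           file.asp:stream */
        return 0;
    if (strchr(req, '\\') != NULL)      /* backslash as separator */
        return 0;
    /* Reject any "." or ".." component ("../x" and "x/../y" alike). */
    for (p = req; *p != '\0'; ) {
        const char *seg_end = strchr(p, '/');
        size_t seg_len = seg_end ? (size_t)(seg_end - p) : strlen(p);
        if (seg_len == 0)                /* empty component: "a//b" */
            return 0;
        if (seg_len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (seg_len == 1 && p[0] == '.')
            return 0;
        p += seg_len;
        if (*p == '/')
            p++;
    }
    /* Control characters and non-ASCII never belong in a file name here. */
    for (p = req; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c < 0x20 || c > 0x7e)
            return 0;
    }
    return 1;
}

/* Builds the on-disk path for an allowed request. Returns 0 on success,
 * -1 if the request is refused or the result does not fit in out. */
int resolve_under_root(char *out, size_t outsz, const char *req)
{
    int n;
    if (!path_is_allowed(req))
        return -1;
    n = snprintf(out, outsz, "%s/%s", DOC_ROOT, req);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}
```

Rejecting every ':' is deliberate: on NTFS a stream name can follow any file name, not only the "::$DATA" form the Web+ entry mentions, and a legitimate relative path under a web root never needs a colon.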
FtpSaveCSP.dll, FtpSaveCVP.dll:
These are administrative programs for the
Trend Micro
InterScan VirusWall for Windows NT. Due to a buffer
overflow, it is possible for a remote attacker to execute
arbitrary commands with System privileges. InterScan VirusWall 3.51
is affected by this vulnerability.
cart32.exe:
Using a hex editor, change the backdoor password (stored at file offset
0x6204) to something else. The replacement must be no longer than the
original, since the string is edited in place. Also change the
permissions on c32web.exe so that it is only accessible by administrators.
This will prevent unauthorized users from executing arbitrary commands
using a specially crafted URL. Alternatively, apply the patch developed
by L0pht.
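The hex edit above is easy to get wrong: writing at the wrong offset, or writing a longer string, corrupts the executable. The C program below is an added example for this page, not Cart32 code or the L0pht patch. It assumes the password is stored as a NUL-terminated ASCII string at the offset (the page gives 0x6204 for cart32.exe but not the storage format) and that the file has already been read into memory in binary mode; the 64-byte image and the offset 0x20 in main() are constructed stand-ins. It verifies the expected bytes before writing and refuses a replacement longer than the original field.

```c
/* Added example (not Cart32 or L0pht code): patching a fixed string
 * inside a binary image in place, as the manual hex-edit above does.
 * It checks that the expected bytes really are at the offset before
 * writing, and refuses a replacement longer than the original, since
 * the string cannot be grown without relocating everything after it.
 *
 * Assumptions: the password is stored as a NUL-terminated ASCII string
 * at the given offset (the page gives 0x6204 for cart32.exe, but not
 * the storage format), and the image has been read into memory
 * beforehand. The sample image in main() is constructed for this
 * example; 0x20 stands in for the real offset. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Returns 0 on success, -1 if the offset is out of range, -2 if the
 * bytes there are not the expected string, -3 if the replacement does
 * not fit in the original field. On success the field is overwritten
 * and NUL-padded to its original length, so no stale bytes remain. */
int patch_string_at(unsigned char *image, size_t image_len, size_t off,
                    const char *expected, const char *replacement)
{
    size_t elen = strlen(expected), rlen = strlen(replacement);
    if (image == NULL || off >= image_len || elen + 1 > image_len - off)
        return -1;
    if (memcmp(image + off, expected, elen + 1) != 0)   /* includes NUL */
        return -2;
    if (rlen > elen)
        return -3;
    memcpy(image + off, replacement, rlen);
    memset(image + off + rlen, 0, elen + 1 - rlen);
    return 0;
}

/* True if the NUL-terminated field at off reads exactly as s. */
int field_equals(const unsigned char *image, size_t image_len, size_t off,
                 const char *s)
{
    size_t n = strlen(s) + 1;
    return off < image_len && n <= image_len - off &&
           memcmp(image + off, s, n) == 0;
}

/* Stand-alone run on a constructed image (not a real cart32.exe). */
int main(void)
{
    unsigned char image[64];
    const size_t off = 0x20;           /* stand-in for the real 0x6204 */
    int rc;
    memset(image, 0x90, sizeof image);
    memcpy(image + off, "wemilo", 7);  /* includes terminating NUL */
    rc = patch_string_at(image, sizeof image, off, "wemilo", "x9Kq2");
    printf("patch rc=%d field=\"%s\"\n", rc, (char *)(image + off));
    return rc == 0 ? 0 : 1;
}
```

On a real file the caller reads the whole executable with fopen(path, "rb") and fread, calls patch_string_at, and writes it back only when the return value is 0; a -2 means the offset or the expected string is wrong for that build, and nothing should be written.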
emurl/RECMAN.dll:
Replace Emurl with a version higher than 2.0.
guestbook:
Disable server side includes. If this is not possible,
or for additional security protection, make the following changes
to the guestbook setup file:
excite:
Install the patch.
site/eg/source.asp:
Either delete the script, or upgrade to Apache::ASP version 1.95 or higher.
w3-msql:
Apply the patch which can be found in the X-Force Advisory.
wais.pl:
In wais.pl, change @query to $pquery at the end of the line that
begins with "open(WAISQ". As an additional precaution, recompile waisq
with the following change in the source code:

    char pathname[MAX_FILENAME_LEN+1];

to

    char pathname[MAX_FILENAME_LEN*2+1];
ddicgi.exe:
Contact Mobius for a patch.
db2www:
Download and install the fix for your operating system.
search97cgi/vtopic:
Disable the web server which runs on port 457, or apply the workaround
described in Bugtraq.
webplus:
Upgrade to version 4.6, build 542 or higher. Remove all
sample scripts.
Big Brother:
The workaround
for the first vulnerability is to implement access
restrictions in the $BBHOME/etc/security file.
This file is not enabled by default. The solution for the
second vulnerability is to implement the workaround posted
to Bugtraq
or upgrade to Big Brother version 1.5c2 or higher.
Directory Services Gateway (dsgw):
Upgrade to Directory Server 4.13 through the iPlanet Support Channel.
pbserver.dll:
Apply the patch referenced in Microsoft Security Bulletin MS00-094.
statsconfig.pl:
Remove this script and any other unneeded scripts
in the cgi-bin directory.
wwwwais:
Remove this script or make the following changes to wwwwais.c and
re-compile. Change

    strcpy(argstr, argp);

to

    strncpy(argstr, argp, MAXSTRLEN);

and

    strcpy(argstr, query_string);

to

    strncpy(argstr, query_string, MAXSTRLEN);

Note that strncpy() does not NUL-terminate the destination when the
source is at least as long as the bound, so argstr must be terminated
explicitly after each copy (for example by copying at most MAXSTRLEN-1
bytes and setting argstr[MAXSTRLEN-1] to '\0'); otherwise later string
functions read past the end of the buffer.
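The C below is an added example for this page, not code from wwwwais.c. It shows the strncpy() termination pitfall concretely, and the bounded copy a practitioner would use in its place: copy at most MAXSTRLEN-1 bytes, always terminate, and report truncation so the script can refuse an oversize query rather than search for a silently shortened one. MAXSTRLEN is set to 16 here only so the behaviour is easy to exercise; the real value and the function names are not from the project.

```c
/* Added example (not from wwwwais.c): the bounded-copy idiom the fix
 * above relies on, plus a demonstration of the strncpy() pitfall.
 * Function names and the MAXSTRLEN value are chosen for this example. */
#include <string.h>
#include <stddef.h>

#define MAXSTRLEN 16    /* small on purpose so the tests exercise truncation */

/* Returns 1 if, after strncpy(dst, src, n) into an n-byte buffer, dst
 * contains a terminating NUL, 0 if it does not. Demonstrates that
 * strncpy() does not terminate when strlen(src) >= n. */
int strncpy_leaves_terminator(const char *src, size_t n)
{
    char dst[MAXSTRLEN];
    size_t i;
    if (n > sizeof dst)
        n = sizeof dst;
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, n);
    for (i = 0; i < n; i++)
        if (dst[i] == '\0')
            return 1;
    return 0;
}

/* Safe replacement for the strcpy(argstr, ...) calls: copies at most
 * dstsz-1 bytes and always NUL-terminates. Returns 0 if the whole
 * string fit, -1 if it was truncated. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t len;
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    len = strlen(src);
    if (len >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* How a patched wwwwais should take its query: refuse oversize input
 * instead of searching for a truncated version of it. Returns 0 if
 * argstr now holds the query, -1 if the query was rejected (argstr is
 * then left empty). */
int accept_query(char argstr[MAXSTRLEN], const char *query_string)
{
    if (copy_bounded(argstr, MAXSTRLEN, query_string) != 0) {
        argstr[0] = '\0';
        return -1;
    }
    return 0;
}
```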
pi:
Contact PlanetIntra for a patch.
post-query:
Remove cgi-bin/post-query from the
web server. It is a sample program which serves no
practical purpose.
ncommerce3/*:
websync.exe:
Install the patch released by Crosswind
or upgrade to any version released after February, 2001.
globals.pl, process_bug.cgi:
Download Bugzilla 2.12 or higher.
query.asp, query.idq:
Apply the patches recommended in Microsoft Security Bulletins MS00-006
and MS01-025.
FtpSaveCSP.dll, FtpSaveCVP.dll:
At the time of this writing, there is no patch for
this vulnerability. Access to the server by non-administrative
users should be denied until a fix can be applied.
cart32.exe:
See the Cerberus Advisory.
emurl/RECMAN.dll:
See the Bugtraq posting.
guestbook:
See the X-Force Advisory.
excite:
See the X-Force Advisory.
site/eg/source.asp:
See the Bugtraq posting.
w3-msql:
See the X-Force Advisory.
ddicgi.exe:
This vulnerability was discussed in an advisory from @stake.
db2www:
This vulnerability was discussed in an X-Force Advisory.
search97cgi/vtopic:
See the Bugtraq posting.
webplus:
The ::$DATA problem and the webping problem were both posted to Bugtraq.
Directory Services Gateway (dsgw):
See the CORE-SDI advisories on the
denial-of-service vulnerability and the
arbitrary code execution vulnerability. See the @stake advisory
for information on the second vulnerability.
pbserver.dll:
See the CORE-SDI advisory and Microsoft Security Bulletin MS00-094.
statsconfig.pl:
See Bugtraq.
wwwwais:
See Bugtraq.
pi:
See S.A.F.E.R. Bulletin 010125.EXP.1.12.
post-query:
See Bugtraq.
ncommerce3/*:
See WebSphere Commerce Suite Security Issue 2.
websync.exe:
This vulnerability was reported in Defcom Labs Advisory def-2001-18.
globals.pl, process_bug.cgi:
This vulnerability was reported in @stake advisory 04.30.01.
query.asp, query.idq:
See Microsoft Security Bulletins MS00-006 and MS01-025.
FtpSaveCSP.dll, FtpSaveCVP.dll:
See SNS Advisory 31.