piranha/secure/passwd.php3:
CVE 2000-0322
Piranha is a utility which comes with Red Hat Linux for administering the
Linux Virtual Server. It comes with a default backdoor password which
could allow unauthorized access to the Graphical User Interface (GUI).
By exploiting vulnerabilities in the tools that come with the GUI, an
attacker who knows the backdoor password could execute arbitrary commands
on the server. Any server which has piranha-gui 0.4.12 installed, which
is the default for Red Hat 6.2, is vulnerable.
cart32.exe:
This program is part of Cart 32, an E-Commerce Shopping Cart application.
By default, it has a backdoor password of "wemilo". An attacker who
knows this password could view a list of client passwords using an
undocumented URL such as http://hostname/scripts/cart32.exe/cart32clientlist.
The hashed client passwords could be used to execute arbitrary commands
on the server using a specially crafted URL.
emurl/RECMAN.dll:
CVE 2000-0397
SeattleLab's Emurl 2.0 and earlier versions authenticate users
with a simple ASCII encoding scheme based on the user's login name.
This makes it possible to read other users' mail, reconfigure their
accounts, or steal their POP passwords.
guestbook:
CVE 1999-0237
Selena Sol's guestbook CGI program could allow an
attacker to execute arbitrary commands on the server if
server side includes are enabled.
excite:
CVE 1999-0279
Excite for Web Servers does not sufficiently check
queries for special characters before passing them to
a shell. It is possible for a remote attacker to execute
arbitrary commands on the server by exploiting this condition.
Excite 1.1 for either Unix or Windows NT is affected by this
vulnerability if patches have not been applied after 1/16/98.
site/eg/source.asp:
CVE 2000-0628
Apache::ASP comes with a sample script which can be exploited to write
to files in the same directory as the script. Versions
prior to 1.95 are vulnerable.
w3-msql:
CVE 2000-0012
Mini SQL has a buffer overflow condition which could allow a remote attacker
to execute arbitrary commands on the server. Versions 2.0.4.1 through
2.0.11 for Unix and Linux are affected by this vulnerability.
wais.pl:
This script is a web interface to the waisq client. A vulnerability
in wais.pl could allow a remote user
to set command-line options through input parameters, thereby
overwriting files on the server. This vulnerability also
exposes a buffer overflow condition in waisq.
ddicgi.exe:
This program is part of Mobius DocumentDirect for Internet. A buffer overflow
condition could allow a remote attacker to execute
arbitrary code.
db2www:
CVE 2000-0677
This program is part of the Net.Data application, which
is used for web development. A buffer overflow in the processing
of the PATH_INFO environment variable could allow an attacker
to execute arbitrary code.
search97cgi/vtopic:
CVE 2000-1014
This file is the search function used by the SCO
UnixWare 7 scohelphttp web server. Due to a format string
vulnerability, an attacker could execute arbitrary commands
on the server with the privileges of the nobody user.
webplus:
This script is part of the Web+ web application
server. A vulnerability in the script could allow a remote
attacker to view the source code of WML files, and possibly ASP files, by
appending the string "::$DATA" to the URL.
Additionally, the webping sample script could allow a remote
attacker to view arbitrary files in the Linux version.
Big Brother:
CVE 2000-0639
CVE 2000-0978
A vulnerability in Big Brother could allow
a remote attacker to execute arbitrary commands on the server by
creating a file on the server and then going to the file
in a web browser. A second vulnerability could allow a
remote attacker to execute arbitrary code by sending
specially crafted input to the server.
Directory Services Gateway (dsgw):
A buffer overflow condition in Netscape/iPlanet
Directory Server 4.12 and
Certificate Management System 4.2 could allow a remote
attacker to execute arbitrary code or create a denial of service.
pbserver.dll:
CVE 2000-1089
Microsoft PhoneBook Server is an optional component
of IIS 4 and 5. A buffer overflow condition could allow
an attacker to execute arbitrary code with the privileges
of IUSR_machinename with IIS 4 or
IWAM_machinename with IIS 5.
statsconfig.pl:
This script comes with OmniHTTPd. Due to a lack of parameter checking in the
cgibin and mostbrowsers variables, a remote attacker could corrupt any file on
the system, or inject arbitrary code into /cgi-bin/stats.pl,
which can then be executed by calling the script from a
browser. OmniHTTPd version 2.07 and possibly other versions
are vulnerable.
wwwwais:
This script is a web interface to the popular WAIS
search engine. A buffer overflow condition could allow
a remote attacker to execute arbitrary code by sending
a specially crafted query string.
cart32.exe:
Using a hex editor, change the backdoor password (found at 0x6204h)
to something else. Also change the permissions on c32web.exe
so that it is only accessible by administrators. This will prevent
unauthorized users from executing arbitrary commands using a specially
crafted URL. Alternatively, apply the patch developed by L0pht.
emurl/RECMAN.dll:
Replace Emurl with a version higher than 2.0.
guestbook:
Disable server side includes. If this is not possible,
or for additional security protection, make the following changes
to the guestbook setup file:
excite:
Install the patch.
site/eg/source.asp:
Either delete the script, or upgrade to Apache::ASP version 1.95 or higher.
w3-msql:
Apply the patch which can be found in the X-Force Advisory.
wais.pl:
In wais.pl, change @query to $pquery at the end of the line that begins
with "open(WAISQ". As an additional precaution, recompile waisq with the
following change in the source code, from:
    char pathname[MAX_FILENAME_LEN+1];
to:
    char pathname[MAX_FILENAME_LEN*2+1];
ddicgi.exe:
Contact Mobius for a patch.
db2www:
Download and install the fix for your operating system.
search97cgi/vtopic:
Disable the web server which runs on port 457, or apply the workaround
described in Bugtraq.
webplus:
Upgrade to version 4.6, build 542 or higher. Remove all
sample scripts.
Big Brother:
The workaround for the first vulnerability is to implement access
restrictions in the $BBHOME/etc/security file.
This file is not enabled by default. The solution for the
second vulnerability is to implement the workaround posted to Bugtraq
or upgrade to Big Brother version 1.5c2 or higher.
Directory Services Gateway (dsgw):
Apply a patch when one becomes available.
pbserver.dll:
Apply a patch referenced in Microsoft Security Bulletin MS 00-094.
statsconfig.pl:
Remove this script and any other unneeded scripts
in the cgi-bin directory.
wwwwais:
Remove this script or make the following changes to wwwwais.c and
re-compile. Change
    strcpy(argstr, argp);
to
    strncpy(argstr, argp, MAXSTRLEN);
and change
    strcpy(argstr, query_string);
to
    strncpy(argstr, query_string, MAXSTRLEN);
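As an added example (not code from wwwwais.c and not the page's own fix), the bounded copy below shows the caveat that the one-line strncpy change leaves open: strncpy() writes no NUL terminator when the input is MAXSTRLEN bytes or longer, so a later strlen() or printf("%s") on argstr reads past the buffer. The MAXSTRLEN value, the helper names and the sample queries are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* MAXSTRLEN is the buffer-size name used in the page's fix; its value
 * here is a constructed stand-in so the cases below stay short. */
#define MAXSTRLEN 16

/* Returns 1 if strncpy() of src into a MAXSTRLEN-byte buffer leaves a NUL
 * terminator inside the buffer, 0 if it does not. The buffer is pre-filled
 * with a sentinel so the check does not depend on stack contents, and the
 * result is inspected with memchr() so nothing reads past the buffer. */
int strncpy_leaves_terminator(const char *src)
{
    char argstr[MAXSTRLEN];
    memset(argstr, 'X', sizeof argstr);
    strncpy(argstr, src, MAXSTRLEN);
    return memchr(argstr, '\0', sizeof argstr) != NULL;
}

/* Hardened copy: always NUL-terminates and reports oversize input instead
 * of silently truncating it (a truncated query is still parsed, just not
 * as the client sent it). Scans at most dstlen bytes of src, so an
 * unterminated src cannot drive the length check off the end either.
 * Returns 0 on success, -1 if src does not fit (dst is then empty). */
int copy_query_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n;
    if (dstlen == 0)
        return -1;
    for (n = 0; n < dstlen && src[n] != '\0'; n++)
        ;
    if (n == dstlen) {            /* no room left for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Same shape as the wwwwais.c call sites: copy query_string into argstr,
 * a MAXSTRLEN-byte buffer. Returns 1 if accepted, 0 if rejected. */
int set_argstr(char argstr[MAXSTRLEN], const char *query_string)
{
    return copy_query_bounded(argstr, MAXSTRLEN, query_string) == 0;
}

/* Length of the query actually stored by set_argstr(), or -1 if rejected. */
int accepted_query_len(const char *query_string)
{
    char argstr[MAXSTRLEN];
    if (!set_argstr(argstr, query_string))
        return -1;
    return (int)strlen(argstr);
}
```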
cart32.exe:
See the Cerberus Advisory.
emurl/RECMAN.dll:
See the Bugtraq posting.
guestbook:
See the X-Force Advisory.
excite:
See the X-Force Advisory.
site/eg/source.asp:
See the Bugtraq posting.
w3-msql:
See the X-Force Advisory.
ddicgi.exe:
This vulnerability was discussed in an advisory from @stake.
db2www:
This vulnerability was discussed in an X-Force Advisory.
search97cgi/vtopic:
See the Bugtraq posting.
webplus:
The ::$DATA problem and the webping problem were both posted to Bugtraq.
Directory Services Gateway (dsgw):
See the CORE-SDI advisories on the denial-of-service vulnerability and
the arbitrary code execution vulnerability.
pbserver.dll:
See the CORE-SDI advisory and Microsoft Security Bulletin MS 00-094.
statsconfig.pl:
See Bugtraq.
wwwwais:
See Bugtraq.