[CLOSE] OSVDB ID : 21355 - Disclosed: 2002-01-31

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin 2.2.0 allows remote attackers to execute arbitrary script as other users by injecting script into a bulletin board message.

[CLOSE] OSVDB ID : 2038 - Disclosed: 2002-01-31

Description:

DCForum contains a flaw that allows a remote attacker to predict newly created account passwords. The issue is due to a flaw in the method retrieve_password.pl uses when generating passwords. New passwords are created based on user information and session ID information, which is easily predictable.

[CLOSE] OSVDB ID : 13434 - Disclosed: 2002-01-31

Description:

(Description Provided by CVE) : The MSDTC (Microsoft Distributed Transaction Service Coordinator) for Microsoft Windows 2000, Microsoft IIS 5.0 and SQL Server 6.5 through SQL 2000 0.0 allows remote attackers to cause a denial of service (crash or hang) via malformed (random) input.

[CLOSE] OSVDB ID : 59756 - Disclosed: 2002-01-31

Description:

(Description Provided by CVE) : Novell Netware 5.0 through 5.1 may allow local users to gain "Domain Admin" rights by logging into a Novell Directory Services (NDS) account, and executing "net use" on an NDS_ADM account that is not in the NT domain but has domain access rights, which allows the user to enter a null password.

[CLOSE] OSVDB ID : 831 - Disclosed: 2002-01-30

Description:

By default, Microsoft Site Server installs with a default password. The 'LDAP_Anonymous' account has a password of 'LdapPassword_1' which is publicly known and documented. This allows attackers to trivially access the system.

[CLOSE] OSVDB ID : 2037 - Disclosed: 2002-01-30

Description:

(Description Provided by CVE) : In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain.

[CLOSE] OSVDB ID : 8848 - Disclosed: 2002-01-30

Description:

(Description Provided by CVE) : tac_plus Tacacs+ daemon F4.0.4.alpha, originally maintained by Cisco, creates files from the accounting directive with world-readable and writable permissions, which allows local users to access and modify sensitive files.

[CLOSE] OSVDB ID : 13046 - Disclosed: 2002-01-30

Description:

(Description Provided by CVE) : Infopop UBB.Threads 5.4 and Wired Community Software WWWThreads 5.0 through 5.0.9 allows remote attackers to upload arbitrary files by using a filename that contains an accepted extension, but ends in a different extension.

[CLOSE] OSVDB ID : 17652 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'findserver.asp' script, which will disclose installed Site Server components resulting in a loss of confidentiality. While not considered critical, this information can lead to more focused and precise attacks.

[CLOSE] OSVDB ID : 17653 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'domain.asp' script, which will disclose the server's involved domain names resulting in a loss of confidentiality. While not considered critical, this information can lead to more focused and precise attacks.

[CLOSE] OSVDB ID : 17654 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'driver.asp' script, which will disclose installed ODBC drivers resulting in a loss of confidentiality. While not considered critical, this information can lead to more focused and precise attacks.

[CLOSE] OSVDB ID : 17655 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'DSN.asp' script, which will disclose the Data Source Names (DSN) for selected ODBC drivers resulting in a loss of confidentiality. While not considered critical, this information can lead to more focused and precise attacks.

[CLOSE] OSVDB ID : 17656 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may allow a remote attacker to arbitrarily modify the LDAP configuration. The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'GroupManager.asp' script, which may allow a remote attacker to arbitrarily create, modify and/or delete LDAP groups resuling in a loss of integrity. While not considered critical, this information can lead to more focused and precise attacks.

[CLOSE] OSVDB ID : 17657 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may allow a remote attacker to arbitrarily modify the LDAP configuration. The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'UserManager.asp' script, which may allow a remote attacker to arbitrarily create, modify and/or delete LDAP users resulting in a loss of integrity. While not considered critical, this information can lead to more focused and precise attacks.

[CLOSE] OSVDB ID : 17658 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'default.asp' script, which will disclose the LDAP search catalog configuration resulting in a loss of confidentiality. While not considered critical, this information can lead to more focused and precise attacks.

[CLOSE] OSVDB ID : 17659 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'vs.asp' script, which will disclose certain LDAP service and back-end configuration parameters resulting in a loss of confidentiality. While not considered critical, this information can lead to more focused and precise attacks.

[CLOSE] OSVDB ID : 17660 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'VsTmPr.asp' script, which will disclose certain LDAP service and back-end configuration parameters resulting in a loss of confidentiality. While not considered critical, this information can lead to more focused and precise attacks.

[CLOSE] OSVDB ID : 17661 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'VsLsLpRd.asp' script, which will disclose certain LDAP service and back-end configuration parameters resulting in a loss of confidentiality. While not considered critical, this information can lead to more focused and precise attacks.

[CLOSE] OSVDB ID : 17662 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'VsPrAuoEd.asp' script, which will disclose certain LDAP service and back-end configuration parameters resulting in a loss of confidentiality. While not considered critical, this information can lead to more focused and precise attacks.

[CLOSE] OSVDB ID : 17663 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'auoconfig.asp' script, which will disclose the default AUO (LDAP) schema, including host and port resulting in a loss of confidentiality. While not considered critical, this information can lead to more focused and precise attacks.

[CLOSE] OSVDB ID : 17664 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'remind.asp' script, which will disclose the password reminder for any LDAP user resulting in a loss of confidentiality. While not considered critical, this information can lead to more focused and precise attacks.

[CLOSE] OSVDB ID : 17667 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may lead to an unauthorized password exposure. It is possible to gain access to plaintext passwords when using the 'LDAP_Anonymous' account, which may lead to a loss of confidentiality.

[CLOSE] OSVDB ID : 17668 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may allow a remote denial of service. The issue is due to the /Sites/Publishing/Users/ directory which has write permissions by default. It is possible for a remote attacker with a valid NT account to arbitrarily upload overly large files and consume all available space on the system drive resulting in a loss of availability.

[CLOSE] OSVDB ID : 17669 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may allow a remote attacker to execute arbitrary ASP code. The issue is due to the 'cphost.dll' not properly sanitizing user input, specifically traversal style attacks (..). By specifying a specially crafted filename disposition parameter, a remote attacker can execute arbitrary ASP code resulting in a loss of integrity.

[CLOSE] OSVDB ID : 17670 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may allow a remote attacker to carry out a SQL injection attack. The issue is due to various scripts in the /clocktower/, /vc30/, /mspress30/, and /market/ directories not properly sanitizing user-supplied input. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 17671 - Disclosed: 2002-01-30

Description:

Microsoft Site Server contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when accessing the 'viewcode.asp' script, which will disclose the source code resulting in a loss of confidentiality. While not considered critical, this information can lead to more focused and precise attacks.

[CLOSE] OSVDB ID : 60019 - Disclosed: 2002-01-30

Description:

(Description Provided by CVE) : Lotus Domino 5.0.8 web server returns different error messages when a valid or invalid user is provided in HTTP requests, which allows remote attackers to determine valid user names and makes it easier to conduct brute force attacks.

[CLOSE] OSVDB ID : 60021 - Disclosed: 2002-01-30

Description:

(Description Provided by CVE) : sastcpd in SAS/Base 8.0 might allow local users to gain privileges by setting the netencralg environment variable, which causes a segmentation fault.

[CLOSE] OSVDB ID : 60022 - Disclosed: 2002-01-30

Description:

(Description Provided by CVE) : sastcpd in SAS/Base 8.0 allows local users to execute arbitrary code by setting the authprog environment variable to reference a malicious program, which is then executed by sastcpd.

[CLOSE] OSVDB ID : 60048 - Disclosed: 2002-01-30

Description:

(Description Provided by CVE) : Compaq Tru64 4.0 d allows remote attackers to cause a denial of service in (1) telnet, (2) FTP, (3) ypbind, (4) rpc.lockd, (5) snmp, (6) ttdbserverd, and possibly other services via a TCP SYN scan, as demonstrated using nmap.

[CLOSE] OSVDB ID : 57324 - Disclosed: 2002-01-29

Description:

BadBlue contains a flaw that allows a remote attacker to access files outside of the web path. The issue is due to not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the URI string.

[CLOSE] OSVDB ID : 86905 - Disclosed: 2002-01-29

Description:

Microsoft Windows contains a weakness related to the NTFS file system. The issue is triggered when using the ANSI version of the 'provide' or 'use' API functions, which may allow an attacker to create a file or a directory that bypasses the truncation feature in Windows. While this weakness does not pose a serious threat on its own, when it is coupled with third-party programs such as anti-virus software, this issue can be used to bypass security scanning features and allow files or directories to go undetected.

[CLOSE] OSVDB ID : 6703 - Disclosed: 2002-01-29

Description:

(Description Provided by CVE) : Etype Eserv 2.97 allows remote attackers to redirect traffic to other sites (aka FTP bounce) via the PORT command.

[CLOSE] OSVDB ID : 9287 - Disclosed: 2002-01-29

Description:

XOOPS Private Messaging System contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the javascript code entered in the Title Field or a Private Message Box. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 9288 - Disclosed: 2002-01-29

Description:

XOOPS Private Messaging System contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the javascript code entered in the Image Field upon submission to the pmlite.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 9392 - Disclosed: 2002-01-29

Description:

XOOPS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'userinfo.php' script not properly sanitizing user-supplied input to the 'uid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 12081 - Disclosed: 2002-01-29

Description:

(Description Provided by CVE) : Etype Eserv 2.97 allows remote attackers to cause a denial of service (resource exhaustion) via a large number of PASV commands that consume ports 1024 through 5000, which prevents the server from accepting valid PASV.

[CLOSE] OSVDB ID : 14329 - Disclosed: 2002-01-29

Description:

(Description Provided by CVE) : phpsmssend.php in PhpSmsSend 1.0 allows remote attackers to execute arbitrary commands via an SMS message containing shell metacharacters.

[CLOSE] OSVDB ID : 14330 - Disclosed: 2002-01-29

Description:

(Description Provided by CVE) : Format string vulnerability in (1) sastcpd in SAS/Base 8.0 and 8.1 or (2) objspawn in SAS/Integration Technologies 8.0 and 8.1 allows local users to execute arbitrary code via format specifiers in a command line argument.

[CLOSE] OSVDB ID : 14331 - Disclosed: 2002-01-29

Description:

(Description Provided by CVE) : Format string vulnerability in (1) sastcpd in SAS/Base 8.0 and 8.1 or (2) objspawn in SAS/Integration Technologies 8.0 and 8.1 allows local users to execute arbitrary code via format specifiers in a command line argument.