CVE Cross Reference 2000
The information on this page may be obsolete. For the current documentation, please log into the mySAINT portal using your customer login and password.
| CVE Description | SAINT® Tutorial | SAINT® Vuln. ID | SANS Top 20 |
|---|---|---|---|
| WebWho+ whois.cgi program allows remote attackers to execute commands via shell metacharacters in the TLD parameter. | http cgi access | web_prog_cgi_webwho | |
| Buffer overflow in w3-msql CGI program in miniSQL package allows remote attackers to execute commands. | http potential problems | web_prog_cgi_w3msql | |
| Denial of service in Savant web server via a null character in the requested URL. | Savant vulnerabilities | web_server_savant | |
| Buffer overflow in Internet Anywhere POP3 Mail Server allows remote attackers to cause a denial of service or execute commands via a long username. | Internet Anywhere vulnerabilities | mail_pop_iaemailserver mail_smtp_iaemailserver | |
| Buffer overflow in UnixWare i2odialogd daemon allows remote attackers to gain root access via a long username/password authorization string. | UnixWare i2odialogd | misc_i2o | |
| AltaVista search engine allows remote attackers to read files above the document root via a .. (dot dot) in the query.cgi CGI program. | http cgi access | web_prog_cgi_query | |
| The DTML implementation in the Z Object Publishing Environment (Zope) allows remote attackers to conduct unauthorized activities. | Zope vulnerabilities | web_dev_zope | |
| Buffer overflow in InetServ 3.0 allows remote attackers to execute commands via a long GET request. | Inetserv vulnerabilities | mail_web_inetserv | |
| The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to read arbitrary files, aka the "Malformed Hit-Highlighting Argument" vulnerability. | http potential problems | web_prog_asp_queryasp web_prog_asp_queryidq | |
| A system has a distributed denial of service (DDOS) attack master, agent, or zombie installed, such as (1) Trinoo, (2) Tribe Flood Network (TFN), (3) Tribe Flood Network 2000 (TFN2K), (4) stacheldraht, (5) mstream, or (6) shaft. | distributed denial of service | misc_ddos_mstream misc_ddos_mstreamhandler misc_ddos_shaft misc_ddos_shafthandler misc_ddos_stacheldraht misc_ddos_stachhandler misc_ddos_tfn misc_ddos_trinity misc_ddos_trinoo misc_ddos_trinoomaster | |
| Internet Anywhere POP3 Mail Server allows local users to cause a denial of service via a malformed RETR command. | Internet Anywhere vulnerabilities | mail_pop_iaemailserver | |
| Internet Anywhere POP3 Mail Server allows remote attackers to cause a denial of service via a large number of connections. | Internet Anywhere vulnerabilities | mail_smtp_iaemailserver | |
| snmpd in SCO OpenServer has an SNMP community string that is writable by default, which allows local attackers to modify the host's configuration. | Guessable Write Community | net_snmp_write | |
| Zeus web server allows remote attackers to view the source code for CGI programs via a null character (%00) at the end of a URL. | Zeus vulnerabilities | web_server_zeus | |
| Buffer overflow in MMDF server allows remote attackers to gain privileges via a long MAIL FROM command to the SMTP daemon. | MMDF vulnerability | mail_smtp_mmdf | |
| Sample web sites on Microsoft Site Server 3.0 Commerce Edition do not validate an identification number, which allows remote attackers to execute SQL commands. | http cgi access | web_prog_sql_product | |
| The default configuration of Serv-U 2.5d and earlier allows remote attackers to determine the real pathname of the server by requesting a URL for a directory or file that does not exist. | Serv U vulnerabilities | ftp_servu | |
| HP OpenView OmniBack 2.55 allows remote attackers to cause a denial of service via a large number of connections to port 5555. | HP Omniback vulnerabilities | net_omniback | |
| Buffer overflow in POP3 and IMAP servers in the MERCUR mail server suite allows remote attackers to cause a denial of service. | MERCUR vulnerabilities | mail_smtp_mercur | |
| When a new SQL Server is registered in Enterprise Manager for Microsoft SQL Server 7.0 and the "Always prompt for login name and password" option is not set, then the Enterprise Manager uses weak encryption to store the login ID and password. | Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check | database_mssql_mssql | |
| Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 allow remote attackers to gain privileges via a malformed Select statement in an SQL query. | Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check | database_mssql_mssql | |
| SGI InfoSearch CGI program infosrch.cgi allows remote attackers to execute commands via shell metacharacters. | http cgi access | web_prog_cgi_infosrch | |
| The htdig (ht://Dig) CGI program htsearch allows remote attackers to read arbitrary files by enclosing the file name with backticks (`) in parameters to htsearch. | http cgi access | web_prog_cgi_htsearch | |
| The installation for Windows 2000 does not activate the Administrator password until the system has rebooted, which allows remote attackers to connect to the ADMIN$ share without a password until the reboot occurs. | open SMB shares | win_rwshare win_share | |
| IIS 4.0 allows attackers to cause a denial of service by requesting a large buffer in a POST or PUT command which consumes memory, aka the "Chunked Transfer Encoding Buffer Overflow Vulnerability." | http IIS access Note: Authentication is recommended to improve the accuracy of this check | web_server_iis_iis | |
| The default configuration of Cobalt RaQ2 and RaQ3 as specified in access.conf allows remote attackers to view sensitive contents of a .htaccess file. | htaccess file access | web_security_htaccess | |
| Netscape Enterprise Server with Directory Indexing enabled allows remote attackers to list server directories via web publishing tags such as ?wp-ver-info and ?wp-cs-dump. | Netscape vulnerabilities | web_server_netscape_wp | |
| Buffer overflow in the MERCUR WebView WebMail server allows remote attackers to cause a denial of service via a long mail_user parameter in the GET request. | MERCUR vulnerabilities | mail_smtp_mercur | |
| Vulnerability in SGI IRIX objectserver daemon allows remote attackers to create user accounts. | objectserver vulnerability | misc_object | |
| The web GUI for the Linux Virtual Server (LVS) software in the Red Hat Linux Piranha package has a backdoor password that allows remote attackers to execute arbitrary commands. | http potential problems | web_prog_php_piranha | |
| The dansie shopping cart application cart.pl allows remote attackers to execute commands via shell metacharacters in a form variable. | vulnerable web program | web_prog_cgi_dansiecartver | |
| The dansie shopping cart application cart.pl allows remote attackers to modify sensitive purchase information via hidden form fields. | vulnerable web program | web_prog_cgi_dansiecartver | |
| The dansie shopping cart application cart.pl allows remote attackers to obtain the shopping cart database and configuration information via a URL that references either the env, db, or vars form variables. | vulnerable web program | web_prog_cgi_dansiecartinfo | |
| Buffer overflow in the dvwssr.dll DLL in Microsoft Visual Interdev 1.0 allows users to cause a denial of service or execute commands, aka the "Link View Server-Side Component" vulnerability. | Visual Interdev vulnerability | web_dev_interdev | |
| Buffer overflow in the RealNetworks RealPlayer client versions 6 and 7 allows remote attackers to cause a denial of service via a long Location URL. | RealPlayer vulnerabilities Note: Authentication is required to detect this vulnerability | misc_reallinux misc_realplayer | |
| TalentSoft webpsvr daemon in the Web+ shopping cart application allows remote attackers to read arbitrary files via a .. (dot dot) attack on the webplus CGI program. | http cgi access | web_prog_cgi_webplus | |
| The default installation of IRIX Performance Copilot allows remote attackers to access sensitive system information via the pmcd daemon. | Performance Copilot | misc_copilot | |
| The BizDB CGI script bizdb-search.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the dbname parameter. | http potential problems | web_prog_cgi_bizdb1 | |
| The default encryption method of PcAnywhere 9.x uses weak encryption, which allows remote attackers to sniff and decrypt PcAnywhere or NT domain accounts. | pcAnywhere encryption | misc_pcanywhereclear misc_pcanywhereweak | |
| Buffer overflow in calserver in SCO OpenServer allows remote attackers to gain root access via a long message. | OpenServer calserver | misc_calserver | |
| mail.local in Sendmail 8.10.x does not properly identify the .\n string which identifies the end of message text, which allows a remote attacker to cause a denial of service or corrupt mailboxes via a message line that is 2047 characters long and ends in .\n. | Sendmail vulnerabilities Note: Authentication is recommended to improve the accuracy of this check | mail_smtp_sendmail | |
| The passwd.php3 CGI script in the Red Hat Piranha Virtual Server Package allows local users to execute arbitrary commands via shell metacharacters. | http potential problems | web_prog_php_piranha | |
| Windows NT 4.0 generates predictable random TCP initial sequence numbers (ISN), which allows remote attackers to perform spoofing and session hijacking. | TCP sequence number prediction | misc_tcpseq | |
| Buffer overflow in Trivial HTTP (THTTPd) allows remote attackers to cause a denial of service or execute arbitrary commands via a long If-Modified-Since header. | thttpd vulnerabilities | web_server_thttpd | |
| The IOS HTTP service in Cisco routers and switches running IOS 11.1 through 12.1 allows remote attackers to cause a denial of service by requesting a URL that contains a %% string. | Cisco web interface access | net_cisco_webdos | |
| Buffer overflow in krb_rd_req function in Kerberos 4 and 5 allows remote attackers to gain root privileges. | Kerberos detected Note: Authentication is required to detect this vulnerability | misc_kerberospkg | |
| Buffer overflow in krb425_conv_principal function in Kerberos 5 allows remote attackers to gain root privileges. | Kerberos detected Note: Authentication is required to detect this vulnerability | misc_kerberospkg | |
| Buffer overflow in krshd in Kerberos 5 allows remote attackers to gain root privileges. | Kerberos detected Note: Authentication is required to detect this vulnerability | misc_kerberospkg | |
| The EMURL web-based email account software encodes predictable identifiers in user session URLs, which allows a remote attacker to access a user's email account. | http potential problems | web_prog_cgi_recman | |
| The Mixed Mode authentication capability in Microsoft SQL Server 7.0 stores the System Administrator (sa) account in plaintext in a log file which is readable by any user, aka the "SQL Server 7.0 Service Pack Password" vulnerability. | Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check | database_mssql_mssql | |
| The gnapster and knapster clients for Napster do not properly restrict access only to MP3 files, which allows remote attackers to read arbitrary files from the client by specifying the full pathname for the file. | peer to peer file sharing | misc_p2p_gnapster | |
| The CGI counter 4.0.7 by George Burgyan allows remote attackers to execute arbitrary commands via shell metacharacters. | http cgi access | web_prog_cgi_counterfiglet | |
| A backdoor password in Cart32 3.0 and earlier allows remote attackers to execute arbitrary commands. | http potential problems | web_prog_cgi_cart32pass | |
| The calender.pl and the calendar_admin.pl calendar scripts by Matt Kruse allow remote attackers to execute arbitrary commands via shell metacharacters. | http cgi access | web_prog_cgi_calendaradmin | |
| Buffer overflow in the CyberPatrol daemon "cyberdaemon" used in gauntlet and WebShield allows remote attackers to cause a denial of service or execute arbitrary commands. | Gauntlet WebShield cyberdaemon | net_cyberd | |
| Qpopper 2.53 and earlier allows local users to gain privileges via a formatting string in the From: header, which is processed by the euidl command. | pop version | mail_pop_qpop | |
| The web interface server in HP Web JetAdmin 5.6 allows remote attackers to read arbitrary files via a .. (dot dot) attack. | JetAdmin vulnerabilities | web_tool_jetadmin | |
| HP Web JetAdmin 6.0 allows remote attackers to cause a denial of service via a malformed URL to port 8000. | JetAdmin vulnerabilities | web_tool_jetadmindos | |
| Buffer overflow in innd 2.2.2 allows remote attackers to execute arbitrary commands via a cancel request containing a long message ID. | innd vulnerabilities | misc_innd | |
| The DocumentTemplate package in Zope 2.2 and earlier allows a remote attacker to modify DTMLDocuments or DTMLMethods without authorization. | Zope vulnerabilities | web_dev_zope | |
| Microsoft SQL Server allows local users to obtain database passwords via the Data Transformation Service (DTS) package Properties dialog, aka the "DTS Password" vulnerability. | Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check | database_mssql_mssql | |
| Savant web server allows remote attackers to read source code of CGI scripts via a GET request that does not include the HTTP version number. | Savant vulnerabilities | web_server_savant | |
| OpenSSH does not properly drop privileges when the UseLogin option is enabled, which allows local users to execute arbitrary commands by providing the command to the ssh daemon. | OpenSSH vulnerabilities Note: Authentication is recommended to improve the accuracy of this check | shell_ssh_openssh | |
| Buffer overflow in the web interface for Cmail 2.4.7 allows remote attackers to cause a denial of service by sending a large user name to the user dialog running on port 8002. | http Cmail access | mail_web_cmail | |
| Buffer overflow in the web interface for Cmail 2.4.7 allows remote attackers to execute arbitrary commands via a long GET request. | http Cmail access | mail_web_cmail | |
| Buffer overflow in HP Openview Network Node Manager 6.1 allows remote attackers to execute arbitrary commands via the Alarm service (OVALARMSRV) on port 2345. | HP Openview vulnerabilities | net_ovnodemgr | |
| FirstClass Internet Services server 5.770, and other versions before 6.1, allows remote attackers to cause a denial of service by sending an email with a long To: mail header. | FirstClass HTTP Server | web_server_firstclass | |
| The lreply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary commands via the SITE EXEC command. | HP UX FTP vulnerabilities FTP vulnerabilities ProFTPD vulnerabilities | ftp_hpux ftp_netbsd ftp_openbsd ftp_proftpold ftp_wuftpold | |
| FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd do not properly cleanse untrusted format strings that are used in the setproctitle function (sometimes called by set_proc_title), which allows remote attackers to cause a denial of service or execute arbitrary commands. | HP UX FTP vulnerabilities FTP vulnerabilities ProFTPD vulnerabilities | ftp_hpux ftp_hpuxten ftp_netbsd ftp_openbsd ftp_proftpold ftp_wuftpold | |
| SSH 1.2.27 with Kerberos authentication support stores Kerberos tickets in a file which is created in the current directory of the user who is logging in, which could allow remote attackers to sniff the ticket cache if the home directory is installed on NFS. | SSH vulnerabilities | shell_ssh_ssh | |
| Poll It 2.0 CGI script allows remote attackers to read arbitrary files by specifying the file name in the data_dir parameter. | http cgi access | web_prog_cgi_pollit | |
| Fortech Proxy+ allows remote attackers to bypass access restrictions to the administration service by redirecting their connections through the telnet proxy. | Open telnet proxy | shell_telnet_proxy | |
| Microsoft SQL Server 7.0 allows a local user to bypass permissions for stored procedures by referencing them via a temporary stored procedure, aka the "Stored Procedure Permissions" vulnerability. | Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check | database_mssql_mssql | |
| Buffer overflow in Webfind CGI program in O'Reilly WebSite Professional web server 2.x allows remote attackers to execute arbitrary commands via a URL containing a long "keywords" parameter. | http Website Pro | web_server_websitepro | |
| Buffer overflow in O'Reilly WebSite Professional web server 2.4 and earlier allows remote attackers to execute arbitrary commands via a long GET request or Referrer header. | http Website Pro | web_server_websitepro | |
| The source.asp example script in the Apache ASP module Apache::ASP 1.93 and earlier allows remote attackers to modify files. | http potential problems | web_prog_asp_egsource | |
| The default configuration of the Sun Java web server 2.0 and earlier allows remote attackers to execute arbitrary commands by uploading Java code to the server via board.html, then directly calling the JSP compiler servlet. | http cgi access | web_prog_jsp_bboard | |
| bb-hostsvc.sh in Big Brother 1.4h1 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack on the HOSTSVC parameter. | http cgi access | web_prog_cgi_bbhostsvc | |
| The default configuration of Big Brother 1.4h2 and earlier does not include proper access restrictions, which allows remote attackers to execute arbitrary commands by using bbd to upload a file whose extension will cause it to be executed as a CGI script by the web server. | http potential problems | web_tool_bbd | |
| Savant web server allows remote attackers to execute arbitrary commands via a long GET request. | Savant vulnerabilities | web_server_savant | |
| IIS 4.0 allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request for a web page which is protected by basic authentication and has no realm defined. | http header vulnerabilities | web_security_internalip | |
| Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long USER command in the FTP protocol. | AnalogX vulnerabilities | web_proxy_analogx | |
| Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long HELO command in the SMTP protocol. | AnalogX vulnerabilities | web_proxy_analogx | |
| Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long USER command in the POP3 protocol. | AnalogX vulnerabilities | web_proxy_analogx | |
| Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long user ID in a SOCKS4 CONNECT request. | AnalogX vulnerabilities | web_proxy_analogx | |
| The registry entry for the Windows Shell executable (Explorer.exe) in Windows NT and Windows 2000 uses a relative path name, which allows local users to execute arbitrary commands by inserting a Trojan Horse named Explorer.exe into the %Systemdrive% directory, aka the "Relative Shell Path" vulnerability. | Windows updates needed Note: Authentication is required to detect this vulnerability | win_patch_shellpath | |
| rpc.statd in the nfs-utils package in various Linux distributions does not properly cleanse untrusted format strings, which allows remote attackers to gain root privileges. | rpc statd access | rpc_statd | |
| The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory. | Apache Tomcat vulnerabilities Note: Authentication is recommended to improve the accuracy of this check | web_dev_tomcatver | |
| Buffer overflow in IBM Net.Data db2www CGI program allows remote attackers to execute arbitrary commands via a long PATH_INFO environmental variable. | http potential problems | web_prog_cgi_db2www | |
| BEA WebLogic 5.1.x allows remote attackers to read source code for parsed pages by inserting /ConsoleHelp/ into the URL, which invokes the FileServlet. | WebLogic vulnerabilities Note: Authentication is recommended to improve the accuracy of this check | web_dev_weblogic | |
| BEA WebLogic 5.1.x allows remote attackers to read source code for parsed pages by inserting /*.shtml/ into the URL, which invokes the SSIServlet. | WebLogic vulnerabilities Note: Authentication is recommended to improve the accuracy of this check | web_dev_weblogic | |
| BEA WebLogic 5.1.x does not properly restrict access to the JSPServlet, which could allow remote attackers to compile and execute Java JSP code by directly invoking the servlet on any source file. | WebLogic vulnerabilities Note: Authentication is recommended to improve the accuracy of this check | web_dev_weblogic | |
| BEA WebLogic 5.1.x does not properly restrict access to the PageCompileServlet, which could allow remote attackers to compile and execute Java JHTML code by directly invoking the servlet on any source file. | WebLogic vulnerabilities Note: Authentication is recommended to improve the accuracy of this check | web_dev_weblogic | |
| The administration interface for the dwhttpd web server in Solaris AnswerBook2 does not properly authenticate requests to its supporting CGI scripts, which allows remote attackers to add user accounts to the interface by directly calling the admin CGI script. | AnswerBook vulnerabilities | web_tool_answerbook | |
| The administration interface for the dwhttpd web server in Solaris AnswerBook2 allows interface users to remotely execute commands via shell metacharacters. | AnswerBook vulnerabilities | web_tool_answerbook | |
| Format string vulnerability in ftpd in HP-UX 10.20 allows remote attackers to cause a denial of service or execute arbitrary commands via format strings in the PASS command. | HP UX FTP vulnerabilities | ftp_hpuxten | |
| ntop running in web mode allows remote attackers to read arbitrary files via a .. (dot dot) attack. | ntop server vulnerability | web_tool_ntop | |
| Buffer overflows in ntop running in web mode allow remote attackers to execute arbitrary commands. | ntop server vulnerability | web_tool_ntop | |
| PCCS MySQLDatabase Admin Tool Manager 1.2.4 and earlier installs the file dbconnect.inc within the web root, which allows remote attackers to obtain sensitive information such as the administrative password. | http cgi access | web_prog_file_dbconnect | |
| Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request. | Zope vulnerabilities | web_dev_zope | |
| Telnetd telnet server in IRIX 5.2 through 6.1 does not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands via a long RLD variable in the IAC-SB-TELOPT_ENVIRON request. | IRIX telnetd | shell_telnet_irix | |
| Directory traversal vulnerability in strong.exe program in NAI Net Tools PKI server 1.0 before HotFix 3 allows remote attackers to read arbitrary files via a .. (dot dot) attack in an HTTPS request to the enrollment server. | Net Tools PKI Server | misc_nettools | |
| Buffer overflow in strong.exe program in NAI Net Tools PKI server 1.0 before HotFix 3 allows remote attackers to execute arbitrary commands via a long URL in the HTTPS port. | Net Tools PKI Server | misc_nettools | |
| Format string vulnerability in strong.exe program in NAI Net Tools PKI server 1.0 before HotFix 3 allows remote attackers to execute arbitrary code via format strings in a URL with a .XUDA extension. | Net Tools PKI Server | misc_nettools | |
| Buffer overflow in University of Minnesota (UMN) gopherd 2.x allows remote attackers to execute arbitrary commands via a DES key generation request (GDESkey) that contains a long ticket value. | gopher vulnerabilities | misc_gopherbo | |
| Vulnerability in HP OpenView Network Node Manager (NMM) version 6.1 related to passwords. | HP Openview vulnerabilities | net_ovnodemgr | |
| Jakarta Tomcat 3.1 under Apache reveals physical path information when a remote attacker requests a URL that does not exist, which generates an error message that includes the physical path. | Apache Tomcat vulnerabilities Note: Authentication is recommended to improve the accuracy of this check | web_dev_tomcatver | |
| The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension. | Apache Tomcat vulnerabilities Note: Authentication is recommended to improve the accuracy of this check | web_dev_tomcatver | |
| O'Reilly WebSite Pro 2.3.7 installs the uploader.exe program with execute permissions for all users, which allows remote attackers to create and execute arbitrary files by directly calling uploader.exe. | http cgi access | web_prog_cgi_uploader | |
| IIS 4.0 and 5.0 do not properly restrict access to certain types of files when their parent folders have less restrictive permissions, which could allow remote attackers to bypass access restrictions to some files, aka the "File Permission Canonicalization" vulnerability. | http IIS access Note: Authentication is recommended to improve the accuracy of this check | web_server_iis_iis | |
| IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability. | IIS WebDAV vulnerabilities | web_server_iis_header | |
| netauth.cgi program in Netwin Netauth 4.2e and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack. | http cgi access | web_prog_cgi_netauth | |
| String parsing error in rpc.kstatd in the linuxnfs or knfsd packages in SuSE and possibly other Linux systems allows remote attackers to gain root privileges. | rpc statd access | rpc_statd | |
| The administration module in Sun Java web server allows remote attackers to execute arbitrary commands by uploading Java code to the module and invoking the com.sun.server.http.pagecompile.jsp92.JspServlet by requesting a URL that begins with a /servlet/ tag. | http cgi access | web_prog_jsp_bboard | |
| Buffer overflow in ddicgi.exe program in Mobius DocumentDirect for the Internet 1.2 allows remote attackers to execute arbitrary commands via a long GET request. | http potential problems | web_prog_cgi_ddicgi | |
| Buffer overflow in the web authorization form of Mobius DocumentDirect for the Internet 1.2 allows remote attackers to cause a denial of service or execute arbitrary commands via a long username. | http potential problems | web_prog_cgi_ddicgi | |
| Buffer overflow in ddicgi.exe in Mobius DocumentDirect for the Internet 1.2 allows remote attackers to execute arbitrary commands via a long User-Agent parameter. | http potential problems | web_prog_cgi_ddicgi | |
| Htgrep CGI program allows remote attackers to read arbitrary files by specifying the full pathname in the hdr parameter. | http cgi access | web_prog_cgi_htgrep | |
| FTP Serv-U 2.5e allows remote attackers to cause a denial of service by sending a large number of null bytes. | Serv U vulnerabilities | ftp_servu | |
| The search97cgi/vtopic in the UnixWare 7 scohelphttp webserver allows remote attackers to read arbitrary files via a .. (dot dot) attack. | http cgi access | web_prog_cgi_vtopic | |
| YaBB Bulletin Board 9.1.2000 allows remote attackers to read arbitrary files via a .. (dot dot) attack. | http cgi access | web_prog_cgi_yabb | |
| Mailman 1.1 allows list administrators to execute arbitrary commands via shell metacharacters in the %(listname) macro expansion. | Mailman vulnerabilities Note: Authentication is recommended to improve the accuracy of this check | mail_misc_mailman | |
| IIS 4.0 and 5.0 allow remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. | http IIS access | web_server_iis_unicode | |
| IIS 5.0 allows remote attackers to execute arbitrary commands via a malformed request for an executable file whose name is appended with operating system commands, aka the "Web Server File Request Parsing" vulnerability. | http IIS access | web_server_iis_inspection | |
| named in BIND 8.2 through 8.2.2-P6 allows remote attackers to cause a denial of service by making a compressed zone transfer (ZXFR) request and performing a name service query on an authoritative record that is not cached, aka the "zxfr bug." | DNS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check | dns_bindbo dns_potential | |
| named in BIND 8.2 through 8.2.2-P6 allows remote attackers to cause a denial of service by sending an SRV record to the server, aka the "srv bug." | DNS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check | dns_bindbo dns_potential | |
| Directory traversal vulnerability in ssi CGI program in thttpd 2.19 and earlier allows remote attackers to read arbitrary files via a "%2e%2e" string, a variation of the .. (dot dot) attack. | http cgi access | web_prog_cgi_ssi | |
| Horde library 1.02 allows attackers to execute arbitrary commands via shell metacharacters in the "from" address. | Horde IMP vulnerabilities Note: Authentication is recommended to improve the accuracy of this check | mail_web_imp | |
| IMP 2.2 and earlier allows attackers to read and delete arbitrary files by modifying the attachment_name hidden form variable, which causes IMP to send the file to the attacker as an attachment. | Horde IMP vulnerabilities Note: Authentication is recommended to improve the accuracy of this check | mail_web_imp | |
| MultiHTML CGI script allows remote attackers to read arbitrary files and possibly execute arbitrary commands by specifying the file name to the "multi" parameter. | http cgi access | web_prog_cgi_multihtml | |
| fingerd in FreeBSD 4.1.1 allows remote attackers to read arbitrary files by specifying the target file name instead of a regular user name. | finger vulnerabilities | misc_finger_fileread | |
| FreeBSD 4.1.1 and earlier, and possibly other BSD-based OSes, use an insufficient random number generator to generate initial TCP sequence numbers (ISN), which allows remote attackers to spoof TCP connections. | TCP sequence number prediction | misc_tcpseq | |
| Format string vulnerability in use_syslog() function in LPRng 3.6.24 allows remote attackers to execute arbitrary commands. | LPRng vulnerability | printer_lprng | |
| Directory traversal vulnerability in BOA web server 0.94.8.2 and earlier allows remote attackers to read arbitrary files via a modified .. (dot dot) attack in the GET HTTP request that uses a "%2E" instead of a "." | Boa web server vulnerabilities http server read access | web_server_boa web_server_read | |
| Kootenay Web KW Whois 1.0 CGI program allows remote attackers to execute arbitrary commands via shell metacharacters in the "whois" parameter. | http cgi access | web_prog_cgi_whois | |
| Buffer overflow in bftp daemon (bftpd) 1.0.11 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long USER command. | bftpd vulnerabilities | ftp_bftpd | |
| The web configuration interface for Catalyst 3500 XL switches allows remote attackers to execute arbitrary commands without authentication when the enable password is not set, via a URL containing the /exec/ directory. | Cisco Catalyst access | net_cisco_webcmd | |
| Format string vulnerability in cfd daemon in GNU CFEngine before 1.6.0a11 allows attackers to execute arbitrary commands via format characters in the CAUTH command. | CFEngine detected Note: Authentication is required to detect this vulnerability | misc_cfengine | |
| bbd server in Big Brother System and Network Monitor before 1.5c2 allows remote attackers to execute arbitrary commands via the "&" shell metacharacter. | http potential problems | web_tool_bbd | |
| Format string vulnerability in talkd in OpenBSD and possibly other BSD-based OSes allows remote attackers to execute arbitrary commands via a user name that contains format characters. | talk vulnerabilities | misc_talk | |
| Format string vulnerability in the search97.cgi CGI script in SCO help http server for Unixware 7 allows remote attackers to execute arbitrary commands via format characters in the queryText parameter. | http potential problems | web_prog_cgi_search97 | |
![]() |
Buffer overflow in host command allows a remote attacker to execute arbitrary commands via a long response to an AXFR query. |
DNS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
dns_bindver | ||
![]() |
Buffer overflows in TYPSoft FTP Server 0.78 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary commands via a long USER, PASS, or CWD command. |
TYPSoft FTP vulnerabilities |
ftp_typsoft | ||
![]() |
Multiple buffer overflows in the ESMTP service of Lotus Domino 5.0.2c and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via long (1) "RCPT TO," (2) "SAML FROM," or (3) "SOML FROM" commands. |
Lotus Domino SMTP vulnerability |
mail_smtp_domino | ||
![]() |
Buffer overflow in SMTP service of Lotus Domino 5.0.4 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long ENVID keyword in the "MAIL FROM" command. |
Lotus Domino SMTP vulnerability |
mail_smtp_domino | ||
![]() |
Allaire JRun 3.0 http servlet server allows remote attackers to directly access the WEB-INF directory via a URL request that contains an extra "/" in the beginning of the request (aka the "extra leading slash"). |
JRun vulnerabilities |
web_dev_jrun_webinf | ||
![]() |
Directory traversal vulnerability in Allaire JRun 2.3 server allows remote attackers to read arbitrary files via the SSIFilter servlet. |
JRun vulnerabilities |
web_dev_jrun_ssi | ||
![]() |
Allaire JRun 2.3 server allows remote attackers to obtain source code for executable content by directly calling the SSIFilter servlet. |
JRun vulnerabilities |
web_dev_jrun_ssi | ||
![]() |
Allaire JRun 2.3.3 server allows remote attackers to compile and execute JSP code by inserting it via a cross-site scripting (CSS) attack and directly calling the com.livesoftware.jrun.plugins.JSP JSP servlet. |
JRun vulnerabilities |
web_dev_jrun_ssi | ||
![]() |
Vulnerabilities in database configuration scripts in HP OpenView Network Node Manager (NNM) 6.1 and earlier allow local users to gain privileges, possibly via insecure permissions. |
HP Openview vulnerabilities |
net_ovnodemgr | ||
![]() |
Buffer overflow in OverView5 CGI program in HP OpenView Network Node Manager (NNM) 6.1 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, in the SNMP service (snmp.exe), aka the "Java SNMP MIB Browser Object ID parsing problem." |
HP Openview vulnerabilities |
net_ovnodemgr | ||
![]() |
The GUI installation for iCal 2.1 Patch 2 disables access control for the X server using an "xhost +" command, which allows remote attackers to monitor X Windows events and gain privileges. |
unrestricted X server access |
misc_xhost | ||
![]() |
Directory traversal vulnerability in iPlanet Certificate Management System 4.2 and Directory Server 4.12 allows remote attackers to read arbitrary files via a .. (dot dot) attack in the Agent, End Entity, or Administrator services. |
http potential problems |
web_prog_cgi_dsgw | ||
![]() |
Buffer overflow in the SHTML logging functionality of iPlanet Web Server 4.x allows remote attackers to execute arbitrary commands via a long filename with a .shtml extension. |
iPlanet vulnerabilities |
web_server_netscape_iplanet | ||
![]() |
The xp_displayparamstmt function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
![]() |
The xp_enumresultset function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
![]() |
The xp_showcolv function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
![]() |
The xp_updatecolvbm function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
![]() |
The xp_peekqueue function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
![]() |
The xp_printstatements function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
![]() |
The xp_proxiedmetadata function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
![]() |
The xp_SetSQLSecurity function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
![]() |
Buffer overflow in Microsoft Phone Book Service allows local users to execute arbitrary commands, aka the "Phone Book Service Buffer Overflow" vulnerability. |
http potential problems |
web_prog_cgi_pbserver | ||
![]() |
Buffer overflow in RegAPI.DLL used by Windows NT 4.0 Terminal Server allows remote attackers to execute arbitrary commands via a long username, aka the "Terminal Server Login Buffer Overflow" vulnerability. |
Microsoft Terminal Server Note: Authentication is recommended to improve the accuracy of this check |
misc_msterminal | ||
![]() |
WinVNC installs the WinVNC3 registry key with permissions that give Special Access (read and modify) to the Everybody group, which allows users to read and modify sensitive information such as passwords and gain access to the system. |
VNC detected Note: Authentication is recommended to improve the accuracy of this check |
misc_vnc | ||
![]() |
Directory traversal vulnerability in YaBB search.pl CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack in the "catsearch" form field. |
http cgi access |
web_prog_cgi_yabbsearch | ||
![]() |
Buffer overflow in phf CGI program allows remote attackers to execute arbitrary commands by specifying a large number of arguments and including a long MIME header. |
http cgi access |
web_prog_cgi_phf | ||
![]() |
Argosoft FTP server 1.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to the (1) USER or (2) CWD commands. |
ArGoSoft FTP vulnerabilities |
ftp_argosoft | ||
![]() |
Windows NT allows remote attackers to list all users in a domain by obtaining the domain SID with the LsaQueryInformationPolicy policy function via a null session and using the SID to list the users. |
Linux NetBIOS vulnerability Null sessions |
misc_linuxnetbios win_domainsid win_null |
||
![]() |
The "sa" account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS) (5) Compaq Insight Manager, and (6) Visio 2000, which allows remote attackers to gain privileges, as exploited by worms such as Voyager Alpha Force and Spida. |
MS SQL Server default password |
database_mssql_sa | ||
![]() |
Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp. |
Apache Tomcat vulnerabilities http cgi info Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver web_prog_jsp_source |
||
![]() |
The line printer daemon (lpd) in the lpr package in multiple Linux operating systems allows local users to gain root privileges by causing sendmail to execute with arbitrary command line arguments, as demonstrated using the -C option to specify a configuration file. |
Linux lpd |
printer_linuxlpd | ||
![]() |
The line printer daemon (lpd) in the lpr package in multiple Linux operating systems authenticates by comparing the reverse-resolved hostname of the local machine to the hostname of the print server as returned by gethostname, which allows remote attackers to bypass intended access controls by modifying the DNS for the attacking IP. |
Linux lpd |
printer_linuxlpd | ||
![]() |
The default configurations of (1) the port listener and (2) modplsql in Oracle Internet Application Server (IAS) 3.0.7 and earlier allow remote attackers to view privileged database information via HTTP requests for Database Access Descriptor (DAD) files. |
Oracle vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_ias | ||
![]() |
SQL injection vulnerability in mod_sql in Oracle Internet Application Server (IAS) 3.0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the query string of the URL. |
Oracle vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_ias |
: A dangerous check is available for this vulnerability.




