Author: jmm-guest Date: 2005-07-10 20:32:51 +0000 (Sun, 10 Jul 2005) New Revision: 1362 Modified: data/CAN/list Log: cacti and trac CANified two new minor issues lots of not-for-us on several high-quality web apps Modified: data/CAN/list ==================================================================--- data/CAN/list 2005-07-10 20:11:00 UTC (rev 1361) +++ data/CAN/list 2005-07-10 20:32:51 UTC (rev 1362) @@ -1,81 +1,83 @@ CAN-2005-XXXX [base-config log should not be world readable] - base-config 2.68 (low) -begin claimed by jmm CAN-2005-2169 (Directory traversal vulnerability in source.php in Quick & Dirty ...) - TODO: check + NOTE: not-for-us (PHPSource Printer) CAN-2005-2168 (delete.php in Plague News System 0.6 and earlier allows remote ...) - TODO: check + NOTE: not-for-us (Plague) CAN-2005-2167 (Cross-site scripting (XSS) vulnerability in index.php in Plague News ...) - TODO: check + NOTE: not-for-us (Plague) CAN-2005-2166 (SQL injection vulnerability in index.php in Plague News System 0.6 and ...) - TODO: check + NOTE: not-for-us (Plague) CAN-2005-2165 (read.cgi in GlobalNoteScript allows remote attackers to execute ...) - TODO: check + NOTE: not-for-us (GlobalNoteScript) CAN-2005-2164 (SQL injection vulnerability in Covide Groupware-CRM allows remote ...) - TODO: check + NOTE: not-for-us (Covide) CAN-2005-2163 (Cross-site scripting (XSS) vulnerability in index.php in AutoIndex PHP ...) - TODO: check + NOTE: not-for-us (AutoIndex PHP Script) CAN-2005-2162 (PHP remote file inclusion vulnerability in form.inc.php3 in ...) - TODO: check + NOTE: not-for-us (MyGuestbook) CAN-2005-2161 (Cross-site scripting (XSS) vulnerability in phpBB 2.0.16 allows remote ...) - TODO: check + NOTE: No bug for this, forwarded to maintainers + - phpbb2 (unfixed) (low) CAN-2005-2160 (IMail stores usernames and passwords in cleartext in a cookie, which ...) - TODO: check + NOTE: not-for-us (IMail) CAN-2005-2159 (mshftp.dll in PlanetDNS PlanetFileServer 2.0.1.3 allows remote ...) - TODO: check + NOTE: not-for-us (PlanetDNS) CAN-2005-2158 (A regression error in the embedded HSQLDB in JBoss jBPM 2.0 allows ...) - TODO: check + NOTE: not-for-us (JBoss) CAN-2005-2157 (PHP remote file inclusion vulnerability in survey.inc.php for nabopoll ...) - TODO: check + NOTE: not-for-us (nabopoll) CAN-2005-2156 (SQL injection vulnerability in news.php in PHPNews 1.2.5 allows remote ...) - TODO: check + NOTE: not-for-us (PHPNews) CAN-2005-2155 (PHP remote file inclusion vulnerability in EasyPHPCalendar 6.1.5 and ...) - TODO: check + NOTE: not-for-us (EasyPHPCalender) CAN-2005-2154 (PHP local file inclusion vulnerability in (1) view.php and (2) ...) - TODO: check + NOTE: not-for-us (osTicket) CAN-2005-2153 (SQL injection vulnerability in class.ticket.php in osTicket 1.3.1 beta ...) - TODO: check + NOTE: not-for-us (osTicket) CAN-2005-2152 (SQL injection vulnerability in Geeklog before 1.3.11 allows remote ...) - TODO: check + NOTE: not-for-us (Geeklog) CAN-2005-2151 (spf.c in Courier Mail Server does not properly handle DNS failures ...) - TODO: check + NOTE: testing/sid should be affected, but that''s a very minor issue and I''m + NOTE: currently too busy + - courier (unfixed) (low) CAN-2005-2150 NOTE: reserved CAN-2005-2149 (config.php in Cacti 0.8.6e and earlier allows remote attackers to set ...) - TODO: check + - cacti 0.8.6f-1 (high) CAN-2005-2148 (Cacti 0.8.6e and earlier does not perform proper input validation to ...) - TODO: check + - cacti 0.8.6f-1 (high) CAN-2005-2147 (Trac before 0.8.4 allows remote attackers to read or upload arbitrary ...) - TODO: check + TODO: Check, whether this was covered by DSA-739 as well + - trac 0.8.4-1 CAN-2005-2146 (SSH Tectia Server 4.3.1 and earlier, and SSH Secure Shell for Windows ...) - TODO: check + NOTE: not-for-us (SSH Tectia Server) CAN-2005-2145 (The kernel driver in Prevx Pro 2005 1.0 does not verify the source of ...) - TODO: check + NOTE: not-for-us (Prevx Pro) CAN-2005-2144 (Prevx Pro 2005 1.0 allows local users to bypass file protection and ...) - TODO: check + NOTE: not-for-us (Prevx Pro) CAN-2005-2143 (Microsoft Front Page allows attackers to cause a denial of service ...) - TODO: check + NOTE: not-for-us (Microsoft) CAN-2005-2142 (Directory traversal vulnerability in Golden FTP Server 2.60 allows ...) - TODO: check + NOTE: not-for-us (Golden FTP Server) CAN-2005-2141 (TCP Chat 1.0 allows remote attackers to cause a denial of service ...) - TODO: check + NOTE: not-for-us (TCP Chat) CAN-2005-2140 (Directory traversal vulnerability in default.asp for FSboard 2.0 ...) - TODO: check + NOTE: not-for-us (FSboard) CAN-2005-2139 (PHP remote file inclusion vulnerability in user_check.php for Pavsta ...) - TODO: check + NOTE: not-for-us (Pavsta) CAN-2005-2138 (Cross-site scripting (XSS) vulnerability in index.php in Comdev ...) - TODO: check + NOTE: not-for-us (Comdev eCommerce) CAN-2005-2137 (Unknown vulnerability in NateOn Messenger 3.0 allows remote attackers ...) - TODO: check + NOTE: not-for-us (NateOn Messenger) CAN-2005-2136 (Raritan Dominion SX (DSX) Console Servers DSX16, DSX32, DSX4, DSX8, ...) - TODO: check + NOTE: not-for-us (Raritan Dominion SX) CAN-2005-2135 (SQL injection vulnerability in verify.asp in EtoShop Dynamic Biz ...) - TODO: check + NOTE: not-for-us (EtoShop) CAN-2005-2134 (The (1) clcs and (2) emuxki drivers in NetBSD 1.6 through 2.0.2 allow ...) - TODO: check + NOTE: not-for-us (NetBSD) CAN-2005-2133 (The log4sh_readProperties function in log4sh allows local users to ...) - TODO: check -end claimed by jmm + NOTE: not-for-us (log4sh) CAN-2005-2132 NOTE: reserved CAN-2005-2131 @@ -112,8 +114,6 @@ - cupsys 1.1.20final+rc1-1 (low) CAN-2005-XXXX [Insecure tempfile generation in ekg] - ekg (unfixed; bug #317027; medium) -CAN-2005-XXXX [cacti: Multiple further SQL injection, auth bypass and remote command execution issues] - - cacti 0.8.6f-1 (high) CAN-2005-2116 (Unknown vulnerability in the third-party XML-RPC library in Drupal ...) NOTE: This will probably be re-organized by the CVE editor, but lets keep it for now, NOTE: as it''s the same issue