[Secure-testing-commits] r1362 - data/CAN

Moritz Muehlenhoff jmm-guest@costa.debian.org
Sun, 10 Jul 2005 20:32:54 +0000 

Author: jmm-guest
Date: 2005-07-10 20:32:51 +0000 (Sun, 10 Jul 2005)
New Revision: 1362

Modified:
   data/CAN/list
Log:
cacti and trac CANified
two new minor issues
lots of not-for-us on several high-quality web apps


Modified: data/CAN/list
===================================================================
--- data/CAN/list	2005-07-10 20:11:00 UTC (rev 1361)
+++ data/CAN/list	2005-07-10 20:32:51 UTC (rev 1362)
@@ -1,81 +1,83 @@
 CAN-2005-XXXX [base-config log should not be world readable]
 	- base-config 2.68 (low)
-begin claimed by jmm
 CAN-2005-2169 (Directory traversal vulnerability in source.php in Quick & Dirty ...)
-	TODO: check
+	NOTE: not-for-us (PHPSource Printer)
 CAN-2005-2168 (delete.php in Plague News System 0.6 and earlier allows remote ...)
-	TODO: check
+	NOTE: not-for-us (Plague)
 CAN-2005-2167 (Cross-site scripting (XSS) vulnerability in index.php in Plague News ...)
-	TODO: check
+	NOTE: not-for-us (Plague)
 CAN-2005-2166 (SQL injection vulnerability in index.php in Plague News System 0.6 and ...)
-	TODO: check
+	NOTE: not-for-us (Plague)
 CAN-2005-2165 (read.cgi in GlobalNoteScript allows remote attackers to execute ...)
-	TODO: check
+	NOTE: not-for-us (GlobalNoteScript)
 CAN-2005-2164 (SQL injection vulnerability in Covide Groupware-CRM allows remote ...)
-	TODO: check
+	NOTE: not-for-us (Covide)
 CAN-2005-2163 (Cross-site scripting (XSS) vulnerability in index.php in AutoIndex PHP ...)
-	TODO: check
+	NOTE: not-for-us (AutoIndex PHP Script)
 CAN-2005-2162 (PHP remote file inclusion vulnerability in form.inc.php3 in ...)
-	TODO: check
+	NOTE: not-for-us (MyGuestbook)
 CAN-2005-2161 (Cross-site scripting (XSS) vulnerability in phpBB 2.0.16 allows remote ...)
-	TODO: check
+	NOTE: No bug for this, forwarded to maintainers 
+	- phpbb2 (unfixed) (low)
 CAN-2005-2160 (IMail stores usernames and passwords in cleartext in a cookie, which ...)
-	TODO: check
+	NOTE: not-for-us (IMail)
 CAN-2005-2159 (mshftp.dll in PlanetDNS PlanetFileServer 2.0.1.3 allows remote ...)
-	TODO: check
+	NOTE: not-for-us (PlanetDNS)
 CAN-2005-2158 (A regression error in the embedded HSQLDB in JBoss jBPM 2.0 allows ...)
-	TODO: check
+	NOTE: not-for-us (JBoss)
 CAN-2005-2157 (PHP remote file inclusion vulnerability in survey.inc.php for nabopoll ...)
-	TODO: check
+	NOTE: not-for-us (nabopoll)
 CAN-2005-2156 (SQL injection vulnerability in news.php in PHPNews 1.2.5 allows remote ...)
-	TODO: check
+	NOTE: not-for-us (PHPNews)
 CAN-2005-2155 (PHP remote file inclusion vulnerability in EasyPHPCalendar 6.1.5 and ...)
-	TODO: check
+	NOTE: not-for-us (EasyPHPCalender)
 CAN-2005-2154 (PHP local file inclusion vulnerability in (1) view.php and (2) ...)
-	TODO: check
+	NOTE: not-for-us (osTicket)
 CAN-2005-2153 (SQL injection vulnerability in class.ticket.php in osTicket 1.3.1 beta ...)
-	TODO: check
+	NOTE: not-for-us (osTicket)
 CAN-2005-2152 (SQL injection vulnerability in Geeklog before 1.3.11 allows remote ...)
-	TODO: check
+	NOTE: not-for-us (Geeklog)
 CAN-2005-2151 (spf.c in Courier Mail Server does not properly handle DNS failures ...)
-	TODO: check
+	NOTE: testing/sid should be affected, but that's a very minor issue and I'm
+	NOTE: currently too busy 
+	- courier (unfixed) (low)
 CAN-2005-2150
 	NOTE: reserved
 CAN-2005-2149 (config.php in Cacti 0.8.6e and earlier allows remote attackers to set ...)
-	TODO: check
+	- cacti 0.8.6f-1 (high)
 CAN-2005-2148 (Cacti 0.8.6e and earlier does not perform proper input validation to ...)
-	TODO: check
+	- cacti 0.8.6f-1 (high)
 CAN-2005-2147 (Trac before 0.8.4 allows remote attackers to read or upload arbitrary ...)
-	TODO: check
+	TODO: Check, whether this was covered by DSA-739 as well
+	- trac 0.8.4-1
 CAN-2005-2146 (SSH Tectia Server 4.3.1 and earlier, and SSH Secure Shell for Windows ...)
-	TODO: check
+	NOTE: not-for-us (SSH Tectia Server)
 CAN-2005-2145 (The kernel driver in Prevx Pro 2005 1.0 does not verify the source of ...)
-	TODO: check
+	NOTE: not-for-us (Prevx Pro)
 CAN-2005-2144 (Prevx Pro 2005 1.0 allows local users to bypass file protection and ...)
-	TODO: check
+	NOTE: not-for-us (Prevx Pro)
 CAN-2005-2143 (Microsoft Front Page allows attackers to cause a denial of service ...)
-	TODO: check
+	NOTE: not-for-us (Microsoft)
 CAN-2005-2142 (Directory traversal vulnerability in Golden FTP Server 2.60 allows ...)
-	TODO: check
+	NOTE: not-for-us (Golden FTP Server)
 CAN-2005-2141 (TCP Chat 1.0 allows remote attackers to cause a denial of service ...)
-	TODO: check
+	NOTE: not-for-us (TCP Chat)
 CAN-2005-2140 (Directory traversal vulnerability in default.asp for FSboard 2.0 ...)
-	TODO: check
+	NOTE: not-for-us (FSboard)
 CAN-2005-2139 (PHP remote file inclusion vulnerability in user_check.php for Pavsta ...)
-	TODO: check
+	NOTE: not-for-us (Pavsta)
 CAN-2005-2138 (Cross-site scripting (XSS) vulnerability in index.php in Comdev ...)
-	TODO: check
+	NOTE: not-for-us (Comdev eCommerce)
 CAN-2005-2137 (Unknown vulnerability in NateOn Messenger 3.0 allows remote attackers ...)
-	TODO: check
+	NOTE: not-for-us (NateOn Messenger)
 CAN-2005-2136 (Raritan Dominion SX (DSX) Console Servers DSX16, DSX32, DSX4, DSX8, ...)
-	TODO: check
+	NOTE: not-for-us (Raritan Dominion SX)
 CAN-2005-2135 (SQL injection vulnerability in verify.asp in EtoShop Dynamic Biz ...)
-	TODO: check
+	NOTE: not-for-us (EtoShop)
 CAN-2005-2134 (The (1) clcs and (2) emuxki drivers in NetBSD 1.6 through 2.0.2 allow ...)
-	TODO: check
+	NOTE: not-for-us (NetBSD)
 CAN-2005-2133 (The log4sh_readProperties function in log4sh allows local users to ...)
-	TODO: check
-end claimed by jmm
+	NOTE: not-for-us (log4sh)
 CAN-2005-2132
 	NOTE: reserved
 CAN-2005-2131
@@ -112,8 +114,6 @@
 	- cupsys 1.1.20final+rc1-1 (low)
 CAN-2005-XXXX [Insecure tempfile generation in ekg]
 	- ekg (unfixed; bug #317027; medium)
-CAN-2005-XXXX [cacti: Multiple further SQL injection, auth bypass and remote command execution issues]
-	- cacti 0.8.6f-1 (high)
 CAN-2005-2116 (Unknown vulnerability in the third-party XML-RPC library in Drupal ...)
 	NOTE: This will probably be re-organized by the CVE editor, but lets keep it for now,
 	NOTE: as it's the same issue